Installer.Win32.InnoSetup.2.FD, Trojan.Win32.Sasfis.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan, Installer
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: fbf8aff0800f4ccf305ff2a8076cd3c8
SHA1: 5e54750ec5780293de162592743e4d28fa52146e
SHA256: 156af0b6900af238e2e5dc5202c971c8014cbcd87c76623c08c48156fa2a9784
SSDeep: 24576:nEXNqmU6keDenWP /IsaCaddRHsEPcYyfbA:nAgmUPWoIsXafeEUjA
Size: 1008776 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company: SecuredDownload
Created at: 1992-06-20 01:22:17
Analyzed on: WindowsXP SP3 32-bit
Summary: Installer. An installation package.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Installer creates the following process(es):
No processes have been created.
The Installer injects its code into the following process(es):
%original file name%.exe:1928
Mutexes
The following mutexes were created/opened:
__DDrawCheckExclMode__
__DDrawExclMode__
DDrawDriverObjectListMutex
DDrawWindowListMutex
CTF.TMD.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
CTF.Layouts.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
CTF.Asm.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
CTF.Compart.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
CTF.LBES.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
RasPbFile
WininetProxyRegistryMutex
WininetConnectionMutex
WininetStartupMutex
c:!documents and settings!adm!local settings!history!history.ie5!
c:!documents and settings!adm!cookies!
c:!documents and settings!adm!local settings!temporary internet files!content.ie5!
_!MSFTHISTORY!_
ShimCacheMutex
ZonesLockedCacheCounterMutex
ZonesCacheCounterMutex
ZonesCounterMutex
File activity
The process %original file name%.exe:1928 makes changes in the file system.
The Installer creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\images\sponsored.png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\locale\FR.locale (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\iconp[1].png (787 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\001222C2.log (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\images\ProgressBar.png (276 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\locale\ES.locale (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00122870.log (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0012292B.log (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\css\sdk-ui\images\progress-bg2.png (978 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\images\Pause_Button.png (577 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\images\Grey_Button.png (183 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\form.bmp.Mask (244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\css\sdk-ui\checkbox.css (190 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\css\sdk-ui\progress-bar.css (506 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\css\sdk-ui\images\progress-bg.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\locale\DE.locale (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\images\Progress.png (311 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\css\ie6_main.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\images\Grey_Button_Hover.png (184 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\bootstrap_17710.html (156 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\locale\PT.locale (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\locale\EN.locale (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\images\Quick_Specs.png (221 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\css\sdk-ui\browse.css (337 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\in1C2ACCFB\04ADD711_stp.EXE.part (3012 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\in1C2ACCFB\04ADD711_stp.EXE (439589 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\images\Color_Button.png (186 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\csshover3.htc (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\images\BG.jpg (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\images\Color_Button_Hover.png (186 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\css\sdk-ui\images\button-bg.png (131 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\images\Close.png (562 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\css\main.css (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\images\Resume_Button.png (718 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\images\Loader.gif (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\locale\JA.locale (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\css\sdk-ui\button.css (417 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\css\sdk-ui\images\progress-bg-corner.png (1 bytes)
The Installer deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\bootstrap_17710.html (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\001222C2.log (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0012292B.log (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00122870.log (0 bytes)
Registry activity
The process %original file name%.exe:1928 makes changes in the system registry.
The Installer creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 28 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "%original file name%.exe"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "708992537"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6E C2 72 33 48 89 CD 7E 0A 06 35 85 34 E3 34 04"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Installer modifies the IE security-zone settings so that all local web nodes with no dots that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Installer modifies the IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Installer modifies the IE security-zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Installer deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
| MD5 | File path |
|---|---|
| d3899694be017e0ba51825237b3bbe15 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\in1C2ACCFB\04ADD711_stp.EXE |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original Installer file.
- Delete or disinfect the following files created/modified by the Installer:
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\images\sponsored.png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\locale\FR.locale (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\iconp[1].png (787 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\001222C2.log (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\images\ProgressBar.png (276 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\locale\ES.locale (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00122870.log (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0012292B.log (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\css\sdk-ui\images\progress-bg2.png (978 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\images\Pause_Button.png (577 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\images\Grey_Button.png (183 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\form.bmp.Mask (244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\css\sdk-ui\checkbox.css (190 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\css\sdk-ui\progress-bar.css (506 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\css\sdk-ui\images\progress-bg.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\locale\DE.locale (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\images\Progress.png (311 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\css\ie6_main.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\images\Grey_Button_Hover.png (184 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\bootstrap_17710.html (156 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\locale\PT.locale (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\locale\EN.locale (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\images\Quick_Specs.png (221 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\css\sdk-ui\browse.css (337 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\in1C2ACCFB\04ADD711_stp.EXE.part (3012 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\images\Color_Button.png (186 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\csshover3.htc (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\images\BG.jpg (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\images\Color_Button_Hover.png (186 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\css\sdk-ui\images\button-bg.png (131 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\images\Close.png (562 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\css\main.css (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\images\Resume_Button.png (718 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\images\Loader.gif (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\locale\JA.locale (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\css\sdk-ui\button.css (417 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\css\sdk-ui\images\progress-bg-corner.png (1 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: SecuredDownload
Product Name: Program Setup
Product Version: 1.0.5.a0.1_53762
Legal Copyright: SecuredDownload
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.5.a0.1_53762
File Description: Program Setup
Comments: This installation was built with Inno Setup.
Language: Language Neutral
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| CODE | 4096 | 40240 | 40448 | 4.66598 | 523babd3bc84e86d17f91946b91f4019 |
| DATA | 45056 | 592 | 1024 | 1.90742 | 1ee71d84f1c77af85f1f5c278f880572 |
| BSS | 49152 | 3724 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .idata | 53248 | 2384 | 2560 | 3.07115 | bb5485bf968b970e5ea81292af2acdba |
| .tls | 57344 | 8 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .rdata | 61440 | 24 | 512 | 0.14174 | 9ba824905bf9c7922b6fc87a38b74366 |
| .reloc | 65536 | 2244 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .rsrc | 69632 | 11264 | 11264 | 3.10346 | 87a15d8e70d5e677112187b1ecb13245 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
| URL | IP |
|---|---|
| hxxp://downloadbst.com/assets/iconp.png | 136.243.40.69 |
| hxxp://os.dudaran2.com/SecuredDownload/?v=6.0&c=1445015402&t=1193937 | 54.229.110.27 |
| hxxp://downloadian.com/softwares/14710/ChromeStandaloneSetup29.exe | 136.243.43.26 |
| hxxp://downloadian.com/system/softwares/files/000/014/710/original/ChromeStandaloneSetup29.exe | 136.243.43.26 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /system/softwares/files/000/014/710/original/ChromeStandaloneSetup29.exe HTTP/1.1
Range: bytes=0-35763831
Accept: */*
Host: downloadian.com
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0; ICDM 2.1)
Connection: Keep-Alive
HTTP/1.1 206 Partial Content
Date: Sat, 09 Apr 2016 23:35:01 GMT
Server: Apache/2.4.7 (Ubuntu)
Last-Modified: Fri, 19 Jun 2015 14:02:44 GMT
ETag: "221b678-518df60cb86b8"
Accept-Ranges: bytes
Content-Length: 35763832
Content-Range: bytes 0-35763831/35763832
Keep-Alive: timeout=1, max=400
Connection: Keep-Alive
Content-Type: application/x-msdos-program
<<< skipped >>>
HEAD /system/softwares/files/000/014/710/original/ChromeStandaloneSetup29.exe HTTP/1.1
Accept: */*
Host: downloadian.com
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0; ICDM 2.1)
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sat, 09 Apr 2016 23:35:01 GMT
Server: Apache/2.4.7 (Ubuntu)
Last-Modified: Fri, 19 Jun 2015 14:02:44 GMT
ETag: "221b678-518df60cb86b8"
Accept-Ranges: bytes
Content-Length: 35763832
Keep-Alive: timeout=1, max=400
Connection: Keep-Alive
Content-Type: application/x-msdos-program
POST /SecuredDownload/?v=6.0&c=1445015402&t=1193937 HTTP/1.1
Accept: */*
Host: os.dudaran2.com
User-Agent: ICAS
Content-Length: 1280
Cache-Control: no-cache
HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Type: text/plain
Date: Sat, 09 Apr 2016 23:35:01 GMT
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: nginx
X-ICSCT-CC: UA
X-ICSCT-CITY: Kharkiv
X-ICSCT-GICSET: global13712a
X-ICSCT-IP: 37.57.16.189
X-ICSCT-SERVER-NAME: ads.slave-131-prod-eu-west-1b-6ec3c8e3
X-ICSCT-TIMESTAMP: 20160409183501505
X-ICSCT-VERSION: 1.3.1
X-ICSCT-XC: 1f3cfb072bc5ded412eb0f20eaa0b3fa349c056a
X-Robots-Tag: none
transfer-encoding: chunked
Connection: keep-alive
<<< skipped >>>
HEAD /softwares/14710/ChromeStandaloneSetup29.exe HTTP/1.1
Accept: */*
Host: downloadian.com
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0; ICDM 2.1)
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 302 Found
Date: Sat, 09 Apr 2016 23:35:01 GMT
Server: Apache/2.4.7 (Ubuntu)
Cache-Control: no-cache
X-Request-Id: 1a24d9093edd1bdceb8832b268163e44
X-UA-Compatible: IE=Edge,chrome=1
X-Runtime: 0.010965
X-Powered-By: Phusion Passenger 5.0.10
Transfer-Encoding: chunked
Location: hXXp://downloadian.com/system/softwares/files/000/014/710/original/ChromeStandaloneSetup29.exe
Status: 302 Found
Keep-Alive: timeout=1, max=400
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
GET /assets/iconp.png HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: downloadbst.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sat, 09 Apr 2016 23:35:01 GMT
Server: Apache/2.4.7 (Ubuntu)
Last-Modified: Thu, 18 Jun 2015 16:46:26 GMT
ETag: "d05-518cd8c6c4277"
Accept-Ranges: bytes
Content-Length: 3333
Keep-Alive: timeout=5, max=1000
Connection: Keep-Alive
Content-Type: image/png
<<< skipped >>>
Map
The Installer connects to the servers at the following location(s):