not-a-virus:AdWare.Win32.Lollipop.qo (Kaspersky), Application.Bundler.DomaIQ.Q (AdAware), Trojan.NSIS.StartPage.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan, Adware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: b30d4237736d4a63d13b3c14feb5dc38
SHA1: d3f21910a661b60f969536170dce914f2b703924
SHA256: ccc9e54f438d4c2ea4f3027195be5ed6d231899a00a7933cdd45e400cedb42f5
SSDeep: 6144:z K03Pn0NShKvAPBGxr4mbOlq1QTiZZaN9BJvilHKMiRE3Ywk:a3 AmhYqa59iFiO5k
Size: 322056 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2013-07-14 23:09:38
Analyzed on: WindowsXPESX SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Application creates the following process(es):
%original file name%.exe:3636
The Application injects its code into the following process(es):
%original file name%.exe:3488
Mutexes
The following mutexes were created/opened:
CTF.TimListCache.FMPDefaultS-1-5-21-796845957-1563985344-1801674531-1003
MUTEX.DefaultS-1-5-21-796845957-1563985344-1801674531-1003
CTF.TMD.MutexDefaultS-1-5-21-796845957-1563985344-1801674531-1003
CTF.Layouts.MutexDefaultS-1-5-21-796845957-1563985344-1801674531-1003
CTF.Asm.MutexDefaultS-1-5-21-796845957-1563985344-1801674531-1003
CTF.Compart.MutexDefaultS-1-5-21-796845957-1563985344-1801674531-1003
CTF.LBES.MutexDefaultS-1-5-21-796845957-1563985344-1801674531-1003
ShimCacheMutex
RasPbFile
!PrivacIE!SharedMemory!Mutex
ZonesCounterMutex
!IETld!Mutex
ZoneAttributeCacheCounterMutex
DDrawWindowListMutex
ZonesCacheCounterMutex
ZonesLockedCacheCounterMutex
_!MSFTHISTORY!_
c:!documents and settings!adm!local settings!temporary internet files!content.ie5!
c:!documents and settings!adm!cookies!
c:!documents and settings!adm!local settings!history!history.ie5!
WininetStartupMutex
WininetConnectionMutex
WininetProxyRegistryMutex
DDrawDriverObjectListMutex
__DDrawExclMode__
__DDrawCheckExclMode__
File activity
The process %original file name%.exe:3636 makes changes in the file system.
The Application creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsiB3.tmp\nsisdl.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\465ff7c14db84a079d0b97406e3a8ff6.txt (7864 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\%original file name%.exe.config (767 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\res.txt (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\%original file name%.exe (1431 bytes)
The Application deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\res.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiB3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdB2.tmp (0 bytes)
The process %original file name%.exe:3488 makes changes in the file system.
The Application creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\screen-geaudioconverter.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\position3D.css (539 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\percentage-bg.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\temp\PPI OptimizerProinfo.dfe (3505 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\temp\Dockings.dfe (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\temp\MyBackupPcinfo.dfe (611 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\position2B.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\bullet-short.gif (54 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\optimizerpro-logo-big.png (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\vuupc.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\optimizerpro-logo.png (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\position3A.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\Vuupc\info.html (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\check.png (398 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\exe\options.html (965 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\base.css (344 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\config.dmc (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\position2C.css (578 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\MyBackupPc\info.html (19 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\bullet-shortw.gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\exe\box.html (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\boton.jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\less.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\progress_small.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\exe\instalando.html (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\position4A.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\logo-win.jpg (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\optimizerpro2.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\check.jpg (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\check-close.png (243 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\boton_xl.jpg (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\screen-vafmusic.png (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\bullet.gif (58 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\progress_small_bg.png (3 bytes)
%System%\wbem\Logs\wbemprox.log (354 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\jquery.min.js (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\bg_app.png (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\position3C.css (638 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\butplay.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\screen-zipper.png (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\position3B.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\screen-vafplayer.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\progress.png (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\exe\group.html (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\more.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\optimizerpro-img.png (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\PPI OptimizerPro\info.html (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\hide.png (160 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\cross.jpg (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\position1A.css (421 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\exe\welcome.html (151 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\show.png (235 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\screen-miul.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\mypcbackup.png (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\screen-gevideoconverter.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\mypcbackup.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\butpause.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\exe\close.html (384 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\position2A.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\doma[1].js (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\style.css (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\temp\templateDisplays.dfe (611 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\temp\Vuupcinfo.dfe (741 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\screen-olivebrowser.png (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\screen-printpdf.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\exe\finish.html (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\screen-ifish.png (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\temp\templateStyle.dfe (5690 bytes)
Registry activity
The process %original file name%.exe:3636 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0A 87 56 D7 23 16 0C 8C 38 9F 56 1C 22 6F B5 11"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
The process %original file name%.exe:3488 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AD 25 65 8A 0D 1A 10 26 5E 6A 16 CC 5F D2 1A A0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 41 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1381828954"
"Name" = "%original file name%.exe"
The Application modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Application modifies IE security zone settings so that all local web nodes with no dots that do not refer to any zone are mapped to the Intranet Zone:
"UNCAsIntranet" = "1"
The Application modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
"IntranetName" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Application deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
MD5 | File path |
---|---|
93f88a2379be0d22ed1039e87771e3f5 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\%original file name%.exe |
1dadb63a5dfaa0679485c5dbaf96033f | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsiB3.tmp\nsisdl.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:3636
- Delete the original Application file.
- Delete or disinfect the following files created/modified by the Application:
%Documents and Settings%\%current user%\Local Settings\Temp\nsiB3.tmp\nsisdl.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\465ff7c14db84a079d0b97406e3a8ff6.txt (7864 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\%original file name%.exe.config (767 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\res.txt (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\screen-geaudioconverter.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\position3D.css (539 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\percentage-bg.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\temp\PPI OptimizerProinfo.dfe (3505 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\temp\Dockings.dfe (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\temp\MyBackupPcinfo.dfe (611 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\position2B.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\bullet-short.gif (54 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\optimizerpro-logo-big.png (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\vuupc.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\optimizerpro-logo.png (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\position3A.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\Vuupc\info.html (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\check.png (398 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\exe\options.html (965 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\base.css (344 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\config.dmc (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\position2C.css (578 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\MyBackupPc\info.html (19 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\bullet-shortw.gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\exe\box.html (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\boton.jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\less.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\progress_small.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\exe\instalando.html (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\position4A.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\logo-win.jpg (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\optimizerpro2.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\check.jpg (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\check-close.png (243 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\boton_xl.jpg (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\screen-vafmusic.png (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\bullet.gif (58 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\progress_small_bg.png (3 bytes)
%System%\wbem\Logs\wbemprox.log (354 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\jquery.min.js (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\bg_app.png (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\position3C.css (638 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\butplay.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\screen-zipper.png (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\position3B.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\screen-vafplayer.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\progress.png (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\exe\group.html (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\more.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\optimizerpro-img.png (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\PPI OptimizerPro\info.html (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\hide.png (160 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\cross.jpg (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\position1A.css (421 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\exe\welcome.html (151 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\show.png (235 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\screen-miul.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\mypcbackup.png (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\screen-gevideoconverter.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\mypcbackup.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\butpause.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\exe\close.html (384 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\position2A.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\doma[1].js (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\style.css (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\temp\templateDisplays.dfe (611 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\temp\Vuupcinfo.dfe (741 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\screen-olivebrowser.png (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\screen-printpdf.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\exe\finish.html (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\bin\css\images\screen-ifish.png (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\temp\templateStyle.dfe (5690 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 23148 | 23552 | 4.44633 | 1c619949741a76b63a54c1e6c4d6b2f8 |
.rdata | 28672 | 4558 | 4608 | 3.62955 | 6c31e0693072284f258d2c4a271de506 |
.data | 36864 | 110520 | 1024 | 3.36948 | 78f5760d9fafb71fdbc88c3497afef46 |
.ndata | 147456 | 61440 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 208896 | 17000 | 17408 | 3.5656 | 7fae611f3f73978e9992534a50a87055 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 1546
24dfc5735ffdc44ab04ecaf68c5c37c0
06fb90b7081f8881f62cf9a1912ce90d
61786c35bdbbdbee8d8167359fe4c006
de0142141abde6286d0f1d1411e3b743
1aa2c540070a3fc070648c3439e76e3a
3769e46ead3f1f03a6f592e17a55f03a
3f9c8f78e5f622f4798e840a91ef9331
6a7ab12a471271c6b6d2b7e5ab75aa49
a15e3163b8b3bb0fd7e358bc9463b0f2
3cc49afc567afd78de810cecd2331a51
03af95d2db790ef4fd0fc67992b3fa34
b32f2d9bdc802fd71488a1b25225c135
c1aa9894e43eece9d16da59cab758d1b
3928afae406e3f808f6087e5dbfe750b
b8f83f5316971b925c153a2a609e5813
c29b34bdbafbaf60a830a2ecaf10002d
dff9c91218427199a7f530647221fd5f
7ba577817c32ac2d586e4167b98ef660
657d39d063cf5a1e530b16c94500a362
716f95a4a54169322100b0765c8245fa
64cb934e5261377004abae209e4f0c1f
c2f5e9657bb65d08da1efd7754ed31bb
8469f7c58f3cdf13f1410c65c6321b3a
8f219358f07cfca28da6f98458031aee
e712a6e10e590a49603d33c110c495bf
Network Activity
URLs
URL | IP |
---|---|
hxxp://dtrack.sslsecure1.com/debug/Version/4_0_6_27/Nsis/Start | 204.11.56.45 |
hxxp://dtrack.sslsecure1.com/debug/Version/4_0_6_27/Nsis/GetInfo | 204.11.56.45 |
hxxp://dtrack.sslsecure1.com/debug/Version/4_0_6_27/Nsis/CopyFiles | 204.11.56.45 |
hxxp://dtrack.sslsecure1.com/debug/Version/4_0_6_27/Nsis/GetParameters | 204.11.56.45 |
hxxp://dtrack.sslsecure1.com/debug/Version/4_0_6_27/Nsis/PreRun | 204.11.56.45 |
hxxp://staticrr.tgusrv.com/test.html | |
hxxp://dtrack.sslsecure1.com/test.html | 204.11.56.45 |
hxxp://Track-903226030.us-west-2.elb.amazonaws.com/test.html | |
hxxp://API-XML-1918203848.us-west-2.elb.amazonaws.com/test.html | |
hxxp://API-XML-1918203848.us-west-2.elb.amazonaws.com/index.php/api/256/Browser_Update/502/703/English.xml | |
hxxp://staticrr.tgusrv.com//Dictionaries/English.xml | |
hxxp://s3-website-us-east-1.amazonaws.com/7f1df2ad776e148c4007facb815b9b4a/Cloud_Backup_Setup.exe | |
hxxp://dl.softservers.net/111001899/OptimizerPro.exe | 184.154.145.171 |
hxxp://staticrr.tgusrv.com//Styles/Templates/e9c1a9ca_Win_A_Banner_DeclineLink.zip | |
hxxp://staticrr.tgusrv.com//Displays/Templates/4934e143_Win_A_Banner-NoLink-DeclineLink.zip | |
hxxp://staticrr.tgusrv.com//Docking/Docking.zip | |
hxxp://staticrr.tgusrv.com//Styles/Softwares/e7bf26c3_mypcbackup.zip | |
hxxp://staticrr.tgusrv.com//Displays/Softwares/16220985_display.html | |
hxxp://staticrr.tgusrv.com//Styles/Softwares/db393704_vuupc.zip | |
hxxp://staticrr.tgusrv.com//Displays/Softwares/1d58e78d_display.html | |
hxxp://staticrr.tgusrv.com//Styles/Softwares/0ba5df4c_optimizerpro2.zip | |
hxxp://staticrr.tgusrv.com//Displays/Softwares/7f3e6cee_display.html | |
hxxp://staticrr.tgusrv.com/sdb/doma.js | |
hxxp://staticrr.paleokits.net//Displays/Templates/4934e143_Win_A_Banner-NoLink-DeclineLink.zip | 85.12.5.2 |
hxxp://api.v2.sslsecure2.com/test.html | 204.11.56.45 |
hxxp://staticrr.paleokits.net//Styles/Softwares/e7bf26c3_mypcbackup.zip | 85.12.5.2 |
hxxp://track.v2.sslsecure3.com/test.html | 204.11.56.45 |
hxxp://staticrr.paleokits.net/sdb/doma.js | 85.12.5.2 |
hxxp://api.v2.sslsecure3.com/test.html | 204.11.56.45 |
hxxp://aff-software.s3-website-us-east-1.amazonaws.com/7f1df2ad776e148c4007facb815b9b4a/Cloud_Backup_Setup.exe | 54.231.2.204 |
hxxp://staticrr.paleokits.net//Docking/Docking.zip | 85.12.5.2 |
hxxp://staticrr.paleokits.net//Displays/Softwares/1d58e78d_display.html | 85.12.5.2 |
hxxp://track.v2.sslsecure1.com/test.html | 204.11.56.45 |
hxxp://api.v2.sslsecure4.com/index.php/api/256/Browser_Update/502/703/English.xml | 54.200.36.178 |
hxxp://staticrr.paleokits.net/test.html | 85.12.5.2 |
hxxp://staticrr.paleokits.net//Styles/Templates/e9c1a9ca_Win_A_Banner_DeclineLink.zip | 85.12.5.2 |
hxxp://api.v2.sslsecure1.com/test.html | 204.11.56.45 |
hxxp://api.v2.sslsecure4.com/test.html | 54.200.36.178 |
hxxp://staticrr.paleokits.net//Displays/Softwares/7f3e6cee_display.html | 85.12.5.2 |
hxxp://staticrr.paleokits.net//Styles/Softwares/0ba5df4c_optimizerpro2.zip | 85.12.5.2 |
hxxp://track.v2.sslsecure4.com/test.html | 54.186.105.91 |
hxxp://staticrr.paleokits.net//Styles/Softwares/db393704_vuupc.zip | 85.12.5.2 |
hxxp://staticrr.paleokits.net//Displays/Softwares/16220985_display.html | 85.12.5.2 |
hxxp://staticrr.paleokits.net//Dictionaries/English.xml | 85.12.5.2 |
hxxp://track.v2.sslsecure2.com/test.html | 204.11.56.45 |
s3.amazonaws.com | 54.231.17.136 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /test.html HTTP/1.1
Host: api.v2.sslsecure3.com
Connection: Close
HTTP/1.0 500 Internal Server Error
Date: Mon, 12 Jan 2015 22:31:00 GMT
Server: Apache
Set-Cookie: vsid=916vr1686474605802126; expires=Sat, 11-Jan-2020 22:31:00 GMT; path=/; domain=api.v2.sslsecure3.com; httponly
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
GET //Displays/Softwares/7f3e6cee_display.html HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Host: staticrr.paleokits.net
Accept-Encoding: gzip, deflate
Connection: Close
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 12 Jan 2015 22:31:11 GMT
Content-Type: text/html
Last-Modified: Tue, 08 Jul 2014 14:47:05 GMT
Transfer-Encoding: chunked
Connection: close
Content-Encoding: gzip
f06.............._o......O1....(.u....b.I.8.`.5..`....-w7.G4.1......3K.....8.E...?..{............_.u.7..~x...o...k...|...W..w....WZ...o...~.>.z.>,....6<;[.U.c...X..e....YSw..uu...P.[W7}.._C......K...?..<q.xv........P..mp}..M..Zt.WW]..|..........k.6....s...C.>._}[\]n...;...W./X..........o...w:.af.lC.\.......s....U.).b.v....:_..t.v.>....z.....*."Ta.{.j...7 }.:>.....9-..B....7....j....Ky.._..?".JZNP..u....D1.s-P......*w..8..~......;.O.v._.y(...U...D.........nU........l......v.../..n_...y!.....w...?Zv..j.N<........|.gvh.... ...}.e...?....:\.%......}..j.wW..`.\V.l......%.MX.M.....GZ_...#)y.m...'..@...G.`...24..)......&.......{...{..2P..Z.....Ca."...%..&(..jg........`..RB.......F..Vv....... f.]...[n|....M...."../Ff.F[a...,u...|VC..-...|jf..>.,.F(.z....=......X.a.z..(i.hU..\...v..P ....C.....V..~.V.....~-$r.=.b*bKTS.,.f..#..!.p...a..#.....o..R.A..e_;Y9S..T...._..."..nXla..c..6f...)..beU..Y..J..Wl..3......r;sa..._.^....e{..M-.=. F.0`....a.4.6T.{y..vu[X....\.........Q)}p.aS.O.....Y.....4U..%.E........o....~. ...0.E.r.a.r..O.ai.JQ\..li.9....l...#.)...thA.H..$..:8.G.......U..N...n..............,.>...P...j....dmr9.5....0.h....O.....N@o)..!...... Z.1cjsC.]...%..wUY...L.T3.T?..@W.....15B.]...........e;...V.|....^!..'U.:......:%\.>|..AE...* ?KUQ/.C2m..E....#.e\.~o...D.cx.Q..w0K.H..Q>)... .. ......YP.D........,....Ci...w..8A.Nz......%JB.-..0^....@ ..h..}.....hH.$h.D.;zB.QY.co...t..j.8.......{.W<=.4..4.#..I..u....%..6...Z..^q...$R1.k.3)i.{C,....;......%&m.R..q_..X.r.>J,....$..F...?..M@.
<<< skipped >>>
GET //Displays/Softwares/1d58e78d_display.html HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Host: staticrr.paleokits.net
Accept-Encoding: gzip, deflate
Connection: Close
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 12 Jan 2015 22:31:10 GMT
Content-Type: text/html
Last-Modified: Fri, 10 Jan 2014 15:52:57 GMT
Transfer-Encoding: chunked
Connection: close
Content-Encoding: gzip
18ea...............r.Fr..5OQ..ks"H..$.B....P..rH..9.s..6.l...^...^..7~.?..&~...V..n....{...* ....U8.....]]].=.q.oo.O...O....Swpp..H.?..L......K.1..\....&..l........y.4...u..m^....: ..{....`.#..^.-.vy....."[N.?e..Ze..\...y..IQd..fm.v...'uz.f... .?....7.\.._..G.o...uv.cU....B.f^gY.r.....j\...".\...q..B..9&...l......W-.Q.N..jD.../i....>. .....L.]Vf..u..Z.8X..Y..,i.:k..n...o.y.4..Z,.....V...=.H......h}|tw....O...........Y.......6....2....Cz.. .:.G...d...\x......UU...".g6.=W<..OU....8.WA..^.....a.u...aU..Ev.....q.0..v.,...)._'e..e..Jn72l..q{.j.hz]'M....re............................C6..#.6....Zg.61?..yw|#..j.F..|..g....(............6....W......=2_f./.gl._|.N..z../......tm.s..q.W..X.m../0x.......E.zuy5;?=.@.....;7{.....S......;.9s'....;P...tsv...rv..~v.........;9==..M.[W7..................=........Y.u;.....S7..q..I....[........w?!....]|.........o ....).l...........;w>.w.o?.=...=so.xR"...~....G....CG~t==(H..^....:uW?.(........gw........%}:......FEi...C.m..~Y../.....O.nf'@.|............n.y:;...$......l:Eb.8..Z....}...1..8.....".[An..Cg.._..........U....^....../....E........t...K.....F1.....,...'...y!.....x..zy2.oM^..iL...=....j.)$.... .......~|....?.*.2..[....>......C."q...9..l....J.AF`.z.S.}...{..d..O..~....Vush..f..Zk..l,0y..x%3.Y.N.:...d.}.`.J21ODd.wk...m.|.f.D.M.'-?d.........h.u...$..<.&Q..k.Di..u.A.^R......h........GO..H........p...v..v{..e..u~.D...M.C.....<en..0a"#a.......Y...=...)4.ZFc......T.W..,L0..)a...<.....8...... .m..J/.X.'."..5IK........6eQ%>:.....M'......O^=.._O.1...\.......%"j."
<<< skipped >>>
GET /test.html HTTP/1.1
Host: track.v2.sslsecure3.com
Connection: Close
HTTP/1.0 500 Internal Server Error
Date: Mon, 12 Jan 2015 22:30:58 GMT
Server: Apache
Set-Cookie: vsid=920vr1686474586003694; expires=Sat, 11-Jan-2020 22:30:58 GMT; path=/; domain=track.v2.sslsecure3.com; httponly
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
GET //Displays/Softwares/16220985_display.html HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Host: staticrr.paleokits.net
Accept-Encoding: gzip, deflate
Connection: Close
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 12 Jan 2015 22:31:08 GMT
Content-Type: text/html
Last-Modified: Thu, 03 Oct 2013 10:28:07 GMT
Transfer-Encoding: chunked
Connection: close
Content-Encoding: gzip
1f87...............r..u...W....UEB..{..\.!..`...@i.?.!0$g.`..@.}...\`..t.L..j7UIU*.dE.3.O....>3..rp.....7..;.xq..t..vy..?w.......;8x.s...........?._N..n....w'.b....:(..n2.....eY...\.....b=w....*.|Z/................*V..v...|6)..[.nu..aqU/.8...",.u.Y..i^O..&.}}.L..v.|.^...?.jz.........?../....O.^.....I9..wZ..c=..|..E.....].r....).rYQ.;#/.t]6......}...{\y.~...b...E~]..uU.]$6.Vy.wy.ZWy.t.z9.....mV....:.:...S6.....I.O.O./&oL.|.'.>\.....Y..$ci....{Q..m.>..p.EU.......r]..b.....gF,%YVhe1-..}w.M...X...DO..;-. e....Y.....a..PV.,.\.....j.9.g...K&...Sz.3.|..*.......w{.J.Z._VY.c.H.i.yi......\..^.y...$_Lr..a..|.....^.........=vG.a..r0.......b{......V..r{.F..w...m..b(en..d3...1.....c.v{y.WTh.;gg.t......,V...........U9.V.'...U...k.....?*.....;.g~.f.....iU...,[...|.mc..Fj...Ww.X.2 &.Y.....-&.n....d..rM].....J>-.}....}....fX..(m...e.`.......t.......].WnQ....."...U.H..q.)qd.i....|.kj...L...{.^.V......V..*..6..JTb1R.Bz.......3.....}.b..UW....f.&m...v...n.....'..^.Pp.....>c.H.S..........4..$.-.$ru....2........5:1.W..Rh...|t....;.................y..>t..z......;....?.G=wi_..].../...........z.8....._..k.]5..OG.....Q".A..w.=...w6.....:>wg....C*.=v.....w.a....H<$......._...j......;.w~...%\%.:;.e....B...TX.7..gv.z.^9.............s.W.{.v.b...75/...r6..<...C..d...I..0ay../.4.......C..q..5..L6..E..Z..0...]...Y...b......!S..56G.-...#...*......0=.yg..A.]........8;..y..Ir.~.r..W.eU.....P.....Kp@s..a-.S.S..'.).".bv.q.|...=yM......<H...p$8 I...*....ky$N.FU.........s.p........7.._...?....u...q"...............BHk. t.E
<<< skipped >>>
GET //Docking/Docking.zip HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Host: staticrr.paleokits.net
Accept-Encoding: gzip, deflate
Connection: Close
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 12 Jan 2015 22:31:07 GMT
Content-Type: application/zip
Content-Length: 37048
Last-Modified: Tue, 26 Nov 2013 13:00:11 GMT
Connection: close
ETag: "52949b5b-90b8"
Accept-Ranges: bytes
PK........1Q.A..T.............position1A.css.....0.D..W\.n....H.Q... .~@l...Ii"*..k.......9..]..t.jp.../.......6.<7Th...5L....}..E.. ....L.S...........V*...8.;r...,6..r..'.?WC......yX.'c............&.XHA...PK........,g.B^P.]............position2A.css.S.N.0.}n..b.K...m$p^v.j%^...~..............!.RB....c.9s.L~f...[r.....y.x..\.V.7d.-..L..}o.3k.........Dp.....99....x...P)3....(..V........EL..I..B.G.A..{.y........en....<.&.l...[..~.U..'..7..sCC.....O.Z....H.J..G.p;...`.>.....-V ..g6R.......qQ%.Ua....E.7>..o...W.....f..k.L.ME.....cTSF.....s|....#..%....| ..hBv...Lqf(..@.w=...~P$<p.E...y.u..........W.k0[...w.Z......fye.../...&Q.....c.q........1.0.g..ay......|.gI....W.4...GJ...R..e...;.....}b.5.3.^\...A[..O.FX..'5o.%r......F..:....PK.........H.@....Z...........position2B.css.Q.N.0.....D..a..Fp.1B............]....mA......$=.|?=.uF.U.....[ot..~...9Ld.Y.......N.y`~................#.||..j)y.(/..n.....^....45.....\.."..k$. ...0..@C'.$....Q..V.:k&.Z%.U ?.X.-..F..E.Ra.<u..;($g...}.......Ah...)...L.*5.Q0(.M.v.....t`....ho..........d/4.p...A.7.....Ee.$*J...S..r.=.<.... l..%.|!j..6..c"...%:.d.......Hen.[xK...O./....U.}fuV..PK.........lMBjre.....B.......position2C.css.....0....S...bL/....A...P}....h3%....nE.*..Y...}.]..FZ.m7s:.%..0MS...PIm.g....7...U..,VK..}....c..c..-b.g.FS...(.P.x.0.\.?\.'TS...k.2!WG4.....#G%l.. .'.{.....ix...B.}a..m..R.v......(.........,..#E.3'8.._....?...z.PK........VG.@! h.............position3A.css..Qo.0....S.:...-..R.........}..N.f|..k...}6Ic.%.:x;.......TT.l....._..Y._]..r._.x..Ppq.C
<<< skipped >>>
GET //Styles/Templates/e9c1a9ca_Win_A_Banner_DeclineLink.zip HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate,gzip, deflate
Host: staticrr.paleokits.net
Connection: Close
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 12 Jan 2015 22:31:06 GMT
Content-Type: application/zip
Content-Length: 344899
Last-Modified: Fri, 07 Mar 2014 11:17:00 GMT
Connection: close
ETag: "5319aaac-54343"
Accept-Ranges: bytes
PK.........YgD..l>9....c......style.css..ko......?....M-G.#q...m...p.-..^...D.... ..w....S")JvrIp-b#.I.3...p.....\....,Z.PZ.......Q..._D.,*.%h.K..a.*..r8......R.s]....<.*T............^.Sx?,QD....A..<._..$.>_..|;<..`........#..!(s...:.....< VC..|].A.6.,.... X,p:u..A.......!.......u...3.}.D...eIVL...9}...j9=;w..-..^,.i0.e.8..... j]..,......,.S.k:....Q...Q1O.....1Jy......y..t...I.rX@.g)*@....J~. F....-.U..,&.P......arr.>%.1..W..........l%..p.W..h.........LJ....<....m..U..........!H..vN`:s........D....{D4..e.i.........%..t...!~\......F..^..Sgt...."...x...<.-.`...t..w..@..8....X.. (."=U.....(....(.....JL-..@...=...W..1.p..2.j..y...rlK.l..{|D....s.%.2....3.\ 'H3.... ......'.....iu....D..D....D!..A.....Q....@..y(`>.3b0?;..1..CW... ..V.W.gd.......R1..2.P.|.......^..p.."...5..L."mF.......R..8...[.PB..#]}F8- .....%E.......F#.D.!....."..:.,.:R\Y...g>...R.u].....B...B....@C./.DP.Zc.....g.d#i.2.A......af.D.4;.@~WW.......&..Srfk.8--.....n..s..b....d).......e..W.d......?l=...5...GG...G......$&..=.......tV.W....p...1........p...xF. ..1..pL.sD....;......._,....3..,....a.....s<.L...<..`.....)9.4...x(...P2...w...e......a....wqIe...6.8.....5..mx.gD.1G.....`.IA...>.X.<.... .~..b..dq..8.^...uN>.d..!...8*.2.W.. .....H.U........7. ...w..D.O_r.W....9....0.F..._..L.........V.VI5Y.s..sZ ]` #%Z..p ..Z .;olx.........M.C..^.....7.......p.....O.6.m.....zd.<..G.,g...Y.j.|..TP...|...d2.r.....K.6......b....vu..|..s.. ... 7.....9'.c..[...sD0C........F..,I..R....IcL._...I ...(ZB....LZ.m.2.....;h
<<< skipped >>>
GET /debug/Version/4_0_6_27/Nsis/Start HTTP/1.0
Host: dtrack.sslsecure1.com
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Date: Mon, 12 Jan 2015 22:30:38 GMT
Server: Apache
Set-Cookie: vsid=914vr1686474385710320; expires=Sat, 11-Jan-2020 22:30:38 GMT; path=/; domain=dtrack.sslsecure1.com; httponly
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "hXXp://VVV.w3.org/TR/html4/strict.dtd">..<html>..<head><meta name="tids" content="a='471' b='1912' c='sslsecure1.com' d='manual_mapped'" /><title>sslsecure1.com</title>..<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">..<style type="text/css">../*RESET*/..body,div,dl,dt,dd,ul,ol,li,h1,h2,h3,h4,h5,h6,pre,form,fieldset,input,textarea,p,blockquote,th,td{margin:0;padding:0;}table{border-collapse:collapse;border-spacing:0;}fieldset,img{border:0;}address,caption,cite,code,dfn,th,var{font-style:normal;font-weight:normal;}ol,ul {list-style:none;}caption,th {text-align:left;}h1,h2,h3,h4,h5,h6{font-size:100%;font-weight:normal;}q:before,q:after{content:'';}abbr,acronym {border:0;}../*COMMON*/...wrapper {text-align: center;}...img {margin:0px; margin-bottom:-11px !important;}...wrapper table { text-align: left; margin: 0 auto; font-family: arial, sans-serif; color: #515151; font-size: 12px;.}...h-list {background: url(hXXp://i1.cdn-image.com/__media__/pics/471/top-nav-bg.gif) repeat-x left top;}...h-list li {display: inline; text-align:left;}...h-list li strong {color: #358a35;}..h2 {color: #63ad63; font-size: 14px; font-weight: bold;}../*HEADER*/..#header {border-top: 4px solid #358a35; padding-top: 8px;}..#header .cufondiv h1 a {...color: #63ad63;...font-weight: bold;...font-size: 35px;...text-decoration: none;...font-family: "ChunkFive", arial, serif;...font-weight:bold;...}..#header .normalfondiv h1 a
<<< skipped >>>
GET /test.html HTTP/1.1
Host: track.v2.sslsecure2.com
Connection: Close
HTTP/1.0 500 Internal Server Error
Date: Mon, 12 Jan 2015 22:30:58 GMT
Server: Apache
Set-Cookie: vsid=916vr1686474583427928; expires=Sat, 11-Jan-2020 22:30:58 GMT; path=/; domain=track.v2.sslsecure2.com; httponly
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
GET /debug/Version/4_0_6_27/Nsis/GetParameters HTTP/1.0
Host: dtrack.sslsecure1.com
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Date: Mon, 12 Jan 2015 22:30:41 GMT
Server: Apache
Set-Cookie: vsid=911vr1686474414929741; expires=Sat, 11-Jan-2020 22:30:41 GMT; path=/; domain=dtrack.sslsecure1.com; httponly
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "hXXp://VVV.w3.org/TR/html4/strict.dtd">..<html>..<head><meta name="tids" content="a='471' b='1912' c='sslsecure1.com' d='manual_mapped'" /><title>sslsecure1.com</title>..<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">..<style type="text/css">../*RESET*/..body,div,dl,dt,dd,ul,ol,li,h1,h2,h3,h4,h5,h6,pre,form,fieldset,input,textarea,p,blockquote,th,td{margin:0;padding:0;}table{border-collapse:collapse;border-spacing:0;}fieldset,img{border:0;}address,caption,cite,code,dfn,th,var{font-style:normal;font-weight:normal;}ol,ul {list-style:none;}caption,th {text-align:left;}h1,h2,h3,h4,h5,h6{font-size:100%;font-weight:normal;}q:before,q:after{content:'';}abbr,acronym {border:0;}../*COMMON*/...wrapper {text-align: center;}...img {margin:0px; margin-bottom:-11px !important;}...wrapper table { text-align: left; margin: 0 auto; font-family: arial, sans-serif; color: #515151; font-size: 12px;.}...h-list {background: url(hXXp://i1.cdn-image.com/__media__/pics/471/top-nav-bg.gif) repeat-x left top;}...h-list li {display: inline; text-align:left;}...h-list li strong {color: #358a35;}..h2 {color: #63ad63; font-size: 14px; font-weight: bold;}../*HEADER*/..#header {border-top: 4px solid #358a35; padding-top: 8px;}..#header .cufondiv h1 a {...color: #63ad63;...font-weight: bold;...font-size: 35px;...text-decoration: none;...font-family: "ChunkFive", arial, serif;...font-weight:bold;...}..#header .normalfondiv h1 a
<<< skipped >>>
GET /test.html HTTP/1.1
Host: api.v2.sslsecure4.com
Connection: Close
HTTP/1.1 200 OK
Content-Type: text/html
Date: Mon, 12 Jan 2015 22:31:00 GMT
Server: nginx
Content-Length: 8
Connection: Close
correct...
GET //Displays/Templates/4934e143_Win_A_Banner-NoLink-DeclineLink.zip HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Host: staticrr.paleokits.net
Accept-Encoding: gzip, deflate
Connection: Close
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 12 Jan 2015 22:31:07 GMT
Content-Type: application/zip
Content-Length: 7828
Last-Modified: Mon, 03 Mar 2014 12:56:47 GMT
Connection: close
ETag: "53147c0f-1e94"
Accept-Ranges: bytes
PK.........gcD...qV...........box.html.V.n.8.}v......&E%...4.e q..@.x.e/O.%..k.TI*...'.?.P..q.d...F3g...R.....G.....\..........?..Ap.]._..O...?.HSi..JR...k.$..h..l6.gg... .......n.....S.....n.q..i.=8'...ux..h..?.....E#o.......4...@..:.\G!..Kh..*,g.......?....e.z..`...*$..m..u ..6...(...............Jc.....2....o....i6.....1AL..qA@3..c....1K.b.&k... .m..p.m..B..I4/0..d.)$ay.._P...[.Kf...A.r..1...j.... .x.....P..e.4Vs.E.D.....P.I.o.\.(sI........j<f..)...V..g,..m....6.xj....?7....`I.....2V...D.4$.J....O.......az..Rbs...ct0.G...ZH.R...)..R...@].n.. ......).L......V..6...-'hu..^.*[......u.../;.p..f..n..V.j...>e&.zBW....h..M.....V.....-/..w..j...q..X..$.m8=..........F.(`$.......)....(...<Y.i..#..h........X....`.B_R.....4.E qIy....I.w.7.p8.2U3.5.4.1G.v..:...}-...B.E[............s....t.S...u....Y9....6.C.A5#'../.&.......R".3...ZM4.....x.f2.....hd........,..7..!..vI.|...SNZ....;..,V..a.......=..L.".D^..Vfx.o..R.U..c.%.eQZ..Eh.......QXl...U...>....q.-i..Ty..1.@E.j..E.....T..u.j..U.[jC.*E...{......C.......>..-...u../..$a.....$k..z..z..6g....5.)].l.I.|=..H.V....T:..y.My..B.|&...g.&..{I?.......8<x!..P.=.p3.=.O~....W........H..B..6.....P.......?PK.........F.C.2..............close.html]PAN.0.</..09p }.f.x.G.M.."8U.".=N.E .....L2>.....'..4d.:..p..v...E.n0 .a...^2D.....u>z.Q@..N.q[ryK....].c...)...E.f.F.K.#..e..D@6R.9s..EH..8.a.W........x-KN.S...A.....G.....f.....U.3M...77.~.....fB........Eiw..9t........z.~.PK..........$C~...h...........finish.html.TM..0.=.R.....!...R.I..Jp.".8p....1....4._......j.d%.y
<<< skipped >>>
GET /7f1df2ad776e148c4007facb815b9b4a/Cloud_Backup_Setup.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
Host: aff-software.s3-website-us-east-1.amazonaws.com
Connection: Close
HTTP/1.1 200 OK
x-amz-id-2: HRUd6mTasJKkgUc6niHb0BmA7L0DSem4FrTCLr0XMXpKgGjaIf8cS4fdmFzrg5gPDNYke6bg5WQ=
x-amz-request-id: 52B4062A478CC5E0
Date: Mon, 12 Jan 2015 22:31:05 GMT
Last-Modified: Tue, 08 Jul 2014 14:34:06 GMT
ETag: "af37247590f4e4b8a8a214a091ea6067"
Content-Type: application/octet-stream
Content-Length: 73816
Server: AmazonS3
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................^...........0.......p....@.................................|........................................t..........0m..............p............................................................p...............................text...L\.......^.................. ..`.rdata.......p.......b..............@..@.data...X\...........v..............@....ndata...................................rsrc...0m.......n...z..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H....h.B..H.P.u..u..u...Hr@..B...SV.5p.B..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h`.B.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$....B...Si.....VW.T.....tO.q.3.;5..B.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5..B.r._^[...U..QQ.U.SV..i....
<<< skipped >>>
GET //Styles/Softwares/db393704_vuupc.zip HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Host: staticrr.paleokits.net
Accept-Encoding: gzip, deflate
Connection: Close
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 12 Jan 2015 22:31:10 GMT
Content-Type: application/zip
Content-Length: 741
Last-Modified: Fri, 10 Jan 2014 15:21:49 GMT
Connection: close
ETag: "52d0100d-2e5"
Accept-Ranges: bytes
PK.........^.B................images/PK........op*D.r.8....C.......vuupc.css.S.N.0.=7R.a......@.:.].B...@{v.7.p<...e .}mC.[....!q2~o.....53-.pr.wM.'y.......~b.5\Y8..._...Pb.u.....G....Q..o~..........YD9g...Q...... ...f.....A#....jK.T...h4....}.....t7{.<P..3C.h..I..Dik:..>..J(z.8.H......*KZ...4...EF.a.W$IC.R.Z.G.P..8.V.j..M. ...]aN......DC...$../........c:. .B..rb..B".T.E.@...........>.=On...5-_[f8.}..^.K..x..v......k.,..A).,..!.n4%7...iQ...W!.....u."........37..a...)`........b..E.E..^.'=.......I.....,\.............[.....>.k..11......PK...........^.B..............$...............images/.. ............A.V...B]......B].....PK..........op*D.r.8....C.....$....... ...%...vuupc.css.. ...........k.....R.[.....R.[.....PK......................
GET /debug/Version/4_0_6_27/Nsis/CopyFiles HTTP/1.0
Host: dtrack.sslsecure1.com
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Date: Mon, 12 Jan 2015 22:30:40 GMT
Server: Apache
Set-Cookie: vsid=913vr1686474405623145; expires=Sat, 11-Jan-2020 22:30:40 GMT; path=/; domain=dtrack.sslsecure1.com; httponly
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "hXXp://VVV.w3.org/TR/html4/strict.dtd">..<html>..<head><meta name="tids" content="a='471' b='1912' c='sslsecure1.com' d='manual_mapped'" /><title>sslsecure1.com</title>..<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">..<style type="text/css">../*RESET*/..body,div,dl,dt,dd,ul,ol,li,h1,h2,h3,h4,h5,h6,pre,form,fieldset,input,textarea,p,blockquote,th,td{margin:0;padding:0;}table{border-collapse:collapse;border-spacing:0;}fieldset,img{border:0;}address,caption,cite,code,dfn,th,var{font-style:normal;font-weight:normal;}ol,ul {list-style:none;}caption,th {text-align:left;}h1,h2,h3,h4,h5,h6{font-size:100%;font-weight:normal;}q:before,q:after{content:'';}abbr,acronym {border:0;}../*COMMON*/...wrapper {text-align: center;}...img {margin:0px; margin-bottom:-11px !important;}...wrapper table { text-align: left; margin: 0 auto; font-family: arial, sans-serif; color: #515151; font-size: 12px;.}...h-list {background: url(hXXp://i2.cdn-image.com/__media__/pics/471/top-nav-bg.gif) repeat-x left top;}...h-list li {display: inline; text-align:left;}...h-list li strong {color: #358a35;}..h2 {color: #63ad63; font-size: 14px; font-weight: bold;}../*HEADER*/..#header {border-top: 4px solid #358a35; padding-top: 8px;}..#header .cufondiv h1 a {...color: #63ad63;...font-weight: bold;...font-size: 35px;...text-decoration: none;...font-family: "ChunkFive", arial, serif;...font-weight:bold;...}..#header .normalfondiv h1 a
<<< skipped >>>
GET /111001899/OptimizerPro.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
Host: dl.softservers.net
Connection: Close
HTTP/1.1 200 OK
Server: nginx/1.6.0
Date: Mon, 12 Jan 2015 22:31:05 GMT
Content-Type: application/octet-stream
Content-Length: 6049272
Last-Modified: Mon, 12 Jan 2015 16:49:56 GMT
Connection: close
ETag: "54b3fb34-5c4df8"
Content-Disposition: attachment; filename=OptimizerPro.exe
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................(.......................%.......................,....... .....Rich............................PE..L...J..T.................N....Z.....[q.......`....@...........................\.....R.\...@.....................................d.........Z..........0\...... \......a..............................P...@............`...............................text....M.......N.................. ..`.rdata..NS...`...T...R..............@..@.data....4..........................@....rsrc.....Z.......Z.................@..@.reloc..xV... \..X....[.............@..B..................................................................................................................................................................................................................................................................................................................................................@bA..JM.......U..V....@bA..4M...E..t.V..K.......^]............U..j.h.YA.d.....P...SV...A.3.P.E.d......u.3.S...TF...]..^..^..^..^..^..^..^..^ .E..;.u(.E.P.M..E...A..OL..h..A..M.Q.E..bA...d..WV.LC........M.d......Y^[..].....U..j.h.XA.d.....PVW...A.3.P.E.d......u.V.E.......B...F.3....;.t.P.;P......~..F.;.t.P.(P......~..F.;.t.P..P......~..F.;.t.P..P........~..E......}E...M.d......Y_^..].............U...E.VP....L.....bA...^].......U..QV..j..M...E...F....s.@.F..M...E..^..].......U..QVW..j..M...D...G...t....s.H.
<<< skipped >>>
GET /test.html HTTP/1.1
Host: api.v2.sslsecure1.com
Connection: Close
HTTP/1.0 500 Internal Server Error
Date: Mon, 12 Jan 2015 22:30:59 GMT
Server: Apache
Set-Cookie: vsid=914vr1686474600210261; expires=Sat, 11-Jan-2020 22:31:00 GMT; path=/; domain=api.v2.sslsecure1.com; httponly
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
GET /test.html HTTP/1.1
Host: api.v2.sslsecure2.com
Connection: Close
HTTP/1.0 500 Internal Server Error
Date: Mon, 12 Jan 2015 22:31:00 GMT
Server: Apache
Set-Cookie: vsid=911vr1686474603006292; expires=Sat, 11-Jan-2020 22:31:00 GMT; path=/; domain=api.v2.sslsecure2.com; httponly
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
GET /test.html HTTP/1.1
Host: staticrr.paleokits.net
Connection: Close
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 12 Jan 2015 22:30:56 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
8..correct...0..
GET /7f1df2ad776e148c4007facb815b9b4a/Cloud_Backup_Setup.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
Host: aff-software.s3-website-us-east-1.amazonaws.com
Connection: Close
HTTP/1.1 200 OK
x-amz-id-2: 1Az407UJdTbB4g/fg8iQ2idt5hfYWWyZYCuohkKUUK/kjzI+vlW6eq4feoHTlKmEwdnAKgB3udk=
x-amz-request-id: 693A476A6FB6EA2B
Date: Mon, 12 Jan 2015 22:31:05 GMT
Last-Modified: Tue, 08 Jul 2014 14:34:06 GMT
ETag: "af37247590f4e4b8a8a214a091ea6067"
Content-Type: application/octet-stream
Content-Length: 73816
Server: AmazonS3
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................^...........0.......p....@.................................|........................................t..........0m..............p............................................................p...............................text...L\.......^.................. ..`.rdata.......p.......b..............@..@.data...X\...........v..............@....ndata...................................rsrc...0m.......n...z..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H....h.B..H.P.u..u..u...Hr@..B...SV.5p.B..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h`.B.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$....B...Si.....VW.T.....tO.q.3.;5..B.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5..B.r._^[...U..QQ.U.SV..i....
<<< skipped >>>
GET /debug/Version/4_0_6_27/Nsis/GetInfo HTTP/1.0
Host: dtrack.sslsecure1.com
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Date: Mon, 12 Jan 2015 22:30:39 GMT
Server: Apache
Set-Cookie: vsid=920vr1686474395903694; expires=Sat, 11-Jan-2020 22:30:39 GMT; path=/; domain=dtrack.sslsecure1.com; httponly
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "hXXp://VVV.w3.org/TR/html4/strict.dtd">..<html>..<head><meta name="tids" content="a='471' b='1912' c='sslsecure1.com' d='manual_mapped'" /><title>sslsecure1.com</title>..<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">..<style type="text/css">../*RESET*/..body,div,dl,dt,dd,ul,ol,li,h1,h2,h3,h4,h5,h6,pre,form,fieldset,input,textarea,p,blockquote,th,td{margin:0;padding:0;}table{border-collapse:collapse;border-spacing:0;}fieldset,img{border:0;}address,caption,cite,code,dfn,th,var{font-style:normal;font-weight:normal;}ol,ul {list-style:none;}caption,th {text-align:left;}h1,h2,h3,h4,h5,h6{font-size:100%;font-weight:normal;}q:before,q:after{content:'';}abbr,acronym {border:0;}../*COMMON*/...wrapper {text-align: center;}...img {margin:0px; margin-bottom:-11px !important;}...wrapper table { text-align: left; margin: 0 auto; font-family: arial, sans-serif; color: #515151; font-size: 12px;.}...h-list {background: url(hXXp://i4.cdn-image.com/__media__/pics/471/top-nav-bg.gif) repeat-x left top;}...h-list li {display: inline; text-align:left;}...h-list li strong {color: #358a35;}..h2 {color: #63ad63; font-size: 14px; font-weight: bold;}../*HEADER*/..#header {border-top: 4px solid #358a35; padding-top: 8px;}..#header .cufondiv h1 a {...color: #63ad63;...font-weight: bold;...font-size: 35px;...text-decoration: none;...font-family: "ChunkFive", arial, serif;...font-weight:bold;...}..#header .normalfondiv h1 a
<<< skipped >>>
GET /test.html HTTP/1.1
Host: track.v2.sslsecure4.com
Connection: Close
HTTP/1.1 200 OK
Content-Type: text/html
Date: Mon, 12 Jan 2015 22:30:58 GMT
Server: nginx
Content-Length: 8
Connection: Close
correct...
GET /sdb/doma.js HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET4.0E)
Host: staticrr.paleokits.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 12 Jan 2015 22:31:15 GMT
Content-Type: application/x-javascript
Content-Length: 2184
Last-Modified: Wed, 07 Aug 2013 11:37:24 GMT
Connection: keep-alive
ETag: "52023174-888"
Accept-Ranges: bytes
.. //muestra una capa y oculta otra.. function changeVisibility(capamostrar,capaocultar) {.. div = document.getElementById(capamostrar);.. div.style.display = "";.. div = document.getElementById(capaocultar);.. div.style.display = "none";.. }.. // funcion para mostrar u ocultar el progreso de la instalacion separado por ofertas.. function mostrardiv() {.. div = document.getElementById('multipleProgress');.. div.style.display = "";.. div = document.getElementById('ocultar');.. div.style.display = "";.. }.. function cerrar() {.. ..
GET /111001899/OptimizerPro.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
Host: dl.softservers.net
Connection: Close
HTTP/1.1 200 OK
Server: nginx/1.6.0
Date: Mon, 12 Jan 2015 22:31:05 GMT
Content-Type: application/octet-stream
Content-Length: 6049272
Last-Modified: Mon, 12 Jan 2015 16:49:56 GMT
Connection: close
ETag: "54b3fb34-5c4df8"
Content-Disposition: attachment; filename=OptimizerPro.exe
<<< skipped >>>
GET //Styles/Softwares/0ba5df4c_optimizerpro2.zip HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Host: staticrr.paleokits.net
Accept-Encoding: gzip, deflate
Connection: Close
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 12 Jan 2015 22:31:10 GMT
Content-Type: application/zip
Content-Length: 65688
Last-Modified: Tue, 08 Jul 2014 14:49:06 GMT
Connection: close
ETag: "53bc04e2-10098"
Accept-Ranges: bytes
<<< skipped >>>
GET /index.php/api/256/Browser_Update/502/703/English.xml HTTP/1.1
Accept-Encoding: gzip, deflate,gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Host: api.v2.sslsecure4.com
Connection: Close
HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Encoding: gzip
Content-Type: text/xml; charset=utf-8
Date: Mon, 12 Jan 2015 22:31:03 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Server: nginx
Set-Cookie: symfony=qs8fr43jga7490i21ainjdelq5; path=/
transfer-encoding: chunked
Connection: Close
<<< skipped >>>
GET //Styles/Softwares/e7bf26c3_mypcbackup.zip HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Host: staticrr.paleokits.net
Accept-Encoding: gzip, deflate
Connection: Close
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 12 Jan 2015 22:31:08 GMT
Content-Type: application/zip
Content-Length: 7774
Last-Modified: Tue, 15 Oct 2013 10:54:23 GMT
Connection: close
ETag: "525d1edf-1e5e"
Accept-Ranges: bytes
<<< skipped >>>
GET //Dictionaries/English.xml HTTP/1.1
Host: staticrr.paleokits.net
Connection: Close
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 12 Jan 2015 22:31:04 GMT
Content-Type: text/xml
Content-Length: 626
Last-Modified: Fri, 12 Apr 2013 09:51:55 GMT
Connection: close
ETag: "5167d93b-272"
Accept-Ranges: bytes
<dictionary>. <installed> Installed </installed> . <installing>Installing</installing> . <installingetc>Installing...</installingetc> . <downloadError>An Error has occurred</downloadError> . <takeFewMinutes>It may take a few seconds</takeFewMinutes> . <confirmExit>Are you sure you want to exit?</confirmExit> . <installClose>Do you want to install the remaining offers?</installClose> . <welcome>Welcome</welcome> . <license>Welcome</license> . <options>Additional Options</options> . <instalando>Installing</instalando> . <finish>Finished</finish>. <downloadingetc>Downloading...</downloadingetc> .</dictionary>..
GET /test.html HTTP/1.1
Host: track.v2.sslsecure1.com
Connection: Close
HTTP/1.0 500 Internal Server Error
Date: Mon, 12 Jan 2015 22:30:57 GMT
Server: Apache
Set-Cookie: vsid=927vr1686474579924832; expires=Sat, 11-Jan-2020 22:30:57 GMT; path=/; domain=track.v2.sslsecure1.com; httponly
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
GET /debug/Version/4_0_6_27/Nsis/PreRun HTTP/1.0
Host: dtrack.sslsecure1.com
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Date: Mon, 12 Jan 2015 22:30:42 GMT
Server: Apache
Set-Cookie: vsid=904vr1686474423107647; expires=Sat, 11-Jan-2020 22:30:42 GMT; path=/; domain=dtrack.sslsecure1.com; httponly
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "hXXp://VVV.w3.org/TR/html4/strict.dtd">..<html>..<head><meta name="tids" content="a='471' b='1912' c='sslsecure1.com' d='manual_mapped'" /><title>sslsecure1.com</title>..<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">..<style type="text/css">../*RESET*/..body,div,dl,dt,dd,ul,ol,li,h1,h2,h3,h4,h5,h6,pre,form,fieldset,input,textarea,p,blockquote,th,td{margin:0;padding:0;}table{border-collapse:collapse;border-spacing:0;}fieldset,img{border:0;}address,caption,cite,code,dfn,th,var{font-style:normal;font-weight:normal;}ol,ul {list-style:none;}caption,th {text-align:left;}h1,h2,h3,h4,h5,h6{font-size:100%;font-weight:normal;}q:before,q:after{content:'';}abbr,acronym {border:0;}../*COMMON*/...wrapper {text-align: center;}...img {margin:0px; margin-bottom:-11px !important;}...wrapper table { text-align: left; margin: 0 auto; font-family: arial, sans-serif; color: #515151; font-size: 12px;.}...h-list {background: url(hXXp://i4.cdn-image.com/__media__/pics/471/top-nav-bg.gif) repeat-x left top;}...h-list li {display: inline; text-align:left;}...h-list li strong {color: #358a35;}..h2 {color: #63ad63; font-size: 14px; font-weight: bold;}../*HEADER*/..#header {border-top: 4px solid #358a35; padding-top: 8px;}..#header .cufondiv h1 a {...color: #63ad63;...font-weight: bold;...font-size: 35px;...text-decoration: none;...font-family: "ChunkFive", arial, serif;...font-weight:bold;...}..#header .normalfondiv h1 a
<<< skipped >>>
Map
The Application connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_3636:
.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|/":
"C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\%original file name%.exe" /path="c:\%original file name%.exe" ""
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsiB3.tmp\nsisdl.dll
c14feb5dc38.exe\6f0efff71bae4c2888f2c012b6f3e336\%original file name%.exe->C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336\parent.txt
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsiB3.tmp
6d4a63d13b3c14feb5dc38.exe\6f0efff71bae4c2888f2c012b6f3e336\parent.txt
c14feb5dc38.exe\6f0efff71bae4c2888f2c012b6f3e336\%original file name%.exe
).YJ}B
v2.0.50727
setup.exe
CallUrl
.ctor
System.Resources
System.Reflection
System.Runtime.InteropServices
System.Runtime.CompilerServices
System.IO
System.Net
WebRequest
HttpWebRequest
IWebProxy
get_DefaultWebProxy
WebResponse
HttpWebResponse
Password
{69D79557-607E-461D-AA40-846B7DB81F90}
System.Security.Cryptography
PasswordDeriveBytes
set_Key
4.0.6.27
$4359678b-701f-494d-b0af-34df5ab92876
_CorExeMain
mscoree.dll
.BR\|g
=LB9a*R.YI>
e.yeAH8
QE .Qk
%original file name%.exe
B30D42~1.EXE
14feb5dc38.exe\6f0efff71bae4c2888f2c012b6f3e336\parent.txt
\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsiB3.tmp
c:\%original file name%.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\%original file name%.exe\6f0efff71bae4c2888f2c012b6f3e336
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsdB2.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
Nullsoft Install System v3.0a1
465ff7c14db84a079d0b97406e3a8ff6.txt
%original file name%.exe_3488_rwx_00E50000_00009000:
2;.yP
%original file name%.exe_3488_rwx_00E80000_00010000:
.QxY^