Trojan.NSIS.StartPage_7d4b556f36 – Adaware

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

TFFFL1BTSQ==107:508
TFFFL1BTSQ==29820.exe:236
wmic.exe:1336
%original file name%.exe:1772

The Trojan injects its code into the following process(es):

beehjjcbdh.exe:644

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process TFFFL1BTSQ==107:508 makes changes in the file system.

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp (0 bytes)

The process TFFFL1BTSQ==29820.exe:236 makes changes in the file system.

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp (0 bytes)

The process wmic.exe:1336 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\81450579259.txt (238 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\81450579259.txt (0 bytes)

The process %original file name%.exe:1772 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\beehjjcbdh.exe (19233 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsi1.tmp (0 bytes)

The process beehjjcbdh.exe:644 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QCSHYWFB\dc[1].js (1327 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OCA8BILW\DynamicOfferScreen[1].htm (2083 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\81450579259\TFFFL1BTSQ==29820.exe (2773 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ADSQWDZ1\OperaChecker25-6[1].exe (3762 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OCA8BILW\button[1].png (458 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\VB2DLJ79\button_over[1].png (921 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\81450579259\TFFFL1BTSQ==10700.exe (50 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\VB2DLJ79\XPLimitChecker[1].exe (6666 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ADSQWDZ1\bodyImg[1].png (1 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\81450579259.txt (0 bytes)

Registry activity

The process TFFFL1BTSQ==107:508 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "55 61 58 84 48 53 42 E9 4C C1 93 2F 57 81 1A 29"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\OperaOB]
"Install" = "1"

The process TFFFL1BTSQ==29820.exe:236 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "50 2D B7 E1 9B 0B 45 B1 AD 86 36 F6 0C DE EB DC"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\xplmtOB]
"Install" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process wmic.exe:1336 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FF 8C A3 90 A3 14 4D 40 AC 8F 4A DB AC CB 69 8F"

The process %original file name%.exe:1772 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "69 AF 69 8D 89 73 2D 8A 27 A9 64 7D 54 82 A1 04"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process beehjjcbdh.exe:644 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AA 02 4C C8 1B 12 23 67 53 55 8D BE 2D C8 44 A9"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

MD5	File path
10ffabc748d68c40b68f883058c9b932	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\81450579259\TFFFL1BTSQ==10700.exe
b6631cd12092841cac0763c854828c50	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\81450579259\TFFFL1BTSQ==29820.exe
1bea8f62a73cf66e445bfd963845c8b7	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\beehjjcbdh.exe
10ffabc748d68c40b68f883058c9b932	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\ADSQWDZ1\OperaChecker25-6[1].exe
b6631cd12092841cac0763c854828c50	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\VB2DLJ79\XPLimitChecker[1].exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):
TFFFL1BTSQ==107:508
TFFFL1BTSQ==29820.exe:236
wmic.exe:1336
%original file name%.exe:1772
Delete the original Trojan file.
Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\81450579259.txt (238 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\beehjjcbdh.exe (19233 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QCSHYWFB\dc[1].js (1327 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OCA8BILW\DynamicOfferScreen[1].htm (2083 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\81450579259\TFFFL1BTSQ==29820.exe (2773 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ADSQWDZ1\OperaChecker25-6[1].exe (3762 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OCA8BILW\button[1].png (458 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\VB2DLJ79\button_over[1].png (921 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\81450579259\TFFFL1BTSQ==10700.exe (50 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\VB2DLJ79\XPLimitChecker[1].exe (6666 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ADSQWDZ1\bodyImg[1].png (1 bytes)
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name: CGJTA
Product Name: CGJTA
Product Version: 773.151120.1374.5770
Legal Copyright: CGJTA
Legal Trademarks: CGJTA
Original Filename:
Internal Name:
File Version: 773.151120.1374.5770
File Description: CGJTA
Comments: CGJTA
Language: English (United States)

Company Name: CGJTAProduct Name: CGJTAProduct Version: 773.151120.1374.5770Legal Copyright: CGJTALegal Trademarks: CGJTAOriginal Filename: Internal Name: File Version: 773.151120.1374.5770File Description: CGJTAComments: CGJTALanguage: English (United States)

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	23628	24064	4.46304	c52a72deb0170941d392ec38c6aeafd0
.rdata	28672	4764	5120	3.4982	dc77f8a1e6985a4361c55642680ddb4f
.data	36864	298072	1024	3.32453	723ad80df002dc5421798f4307abe5cf
.ndata	335872	311296	0	0	d41d8cd98f00b204e9800998ecf8427e
.rsrc	647168	54360	54784	2.83685	1497236056b7ef8b553448fb47c71fdf

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 117
03654a08e7f65aec190ee7e37246bb5f
a212f888d46a7e2d8802888390ff3c63
470ab50ccb81409a49b2abb4c05af91f
ee0edf52085544dd5ffae3892bd06855
07da75d17d57e9bbfa0916a2ad8b95b6
e74d8056cde545c3960d49ca018101bb
e5c5fddf9ff161c0d6de11988f8358c7
38623bf8200680f3967022fd39f52daf
fad9fe2f4d34a9a3943bbf54dfc38c01
1b45146c52aa1976ffcf47b50c6e4c7c
27967ee4c772b29835d5dba868867879
22dc967254eef4719b3c514ab7029cdb
18ed19164cd0f258338a661057321695
e9197129bf89c13fa74f5e0219c735ae
32d708fbb109abf91c1a372351481a8e
cae50b748f98679ee3004f13687fdc34
c2297a50a1f58665aa97177a0357616e
9398d852900b4c351c5b8e38699dcd70
2f81cfbd26709f9f88985ed83777256d
562eb5ad8564d3591007404a367df858
02c83ab655f98711ad1fbb3123b78438
6daeb82e5bcd31515b4a926d6cba88b3
f9b90420cd1aef0263de7ca339f8947b
63745fe6fef243a667c80f8d31228f33
ad9ae311a36924f84d2f4d7c9571f8a2

Network Activity

URLs

URL	IP
hxxp://cdn-ppdownload.outbrowse.netdna-cdn.com/Installer/OperaBrowser/OperaChecker25-6.exe
hxxp://d2vubraihqcany.cloudfront.net/Installer/XP/XPLimitChecker.exe	216.137.59.225
hxxp://smartinstaller.elasticbeanstalk.com/Installer/Track?pubid=16434&distid=30338&productid=29565&subpubid=0&campaignid=0&networkid=1&reqid=382014019&dfb=0&os=5.1&ospv=-1&iev=6.0&ffv=&chromev=&macaddress=00:0C:29:8A:8B:37&netv=&d1=-1&d2=-1&d3=-1&d4=-1&d5=-1&ds1=&cookieproductname=85-112-100-97-116-101-115&cookieeula=&cookieprivacy=&hb=5&systembit=32&vm=1&machineguid=75ed9567-aa58-4c8e-a8ea-3cad7c47ab03&welcomeimgurl=&downloadip=77.241.45.41&downloadtime=11/20/2015 6:14:41 AM&clickid=&status=2&installedid=29820&z=1&offerscreenid=655&offerorder=-1&downloadduration=-1&installduration=-1&issecond=0
hxxp://smartinstaller.elasticbeanstalk.com//offers/DynamicOfferScreen?offerid=5&distid=30338&leadp=29565&countryid=262&sysbit=32&imgurl=&cookieproductname=85-112-100-97-116-101-115&dfb=0&hb=5&isagg=1&version=6.12&external=0&
hxxp://stats.l.doubleclick.net/dc.js
hxxp://staticrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme12/topComp.png
hxxp://staticrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme12/topLine.jpg
hxxp://staticrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme12/bgImg.jpg
hxxp://staticrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme12/bodyImg.png
hxxp://staticrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme12/bottomLine.jpg
hxxp://staticrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme12/nextCase.jpg
hxxp://staticrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme12/button_over.png
hxxp://staticrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme12/button.png
hxxp://srv.serverdatasrv.com//offers/DynamicOfferScreen?offerid=5&distid=30338&leadp=29565&countryid=262&sysbit=32&imgurl=&cookieproductname=85-112-100-97-116-101-115&dfb=0&hb=5&isagg=1&version=6.12&external=0&	54.225.173.140
hxxp://static.revenyou.com/offers/images/Theme12/nextCase.jpg	198.232.124.224
hxxp://static.revenyou.com/offers/images/Theme12/bgImg.jpg	198.232.124.224
hxxp://srv.DESK-TOP-APP.INFO/Installer/Flow?pubid=16434&distid=30338&productid=29565&subpubid=0&campaignid=0&networkid=1&dfb=0&os=5.1&ospv=-1&iev=6.0&ffv=&chromev=&macaddress=00:0C:29:8A:8B:37&netv=&d1=-1&d2=-1&d3=-1&d4=-1&d5=-1&ds1=&cookieproductname=85-112-100-97-116-101-115&cookieeula=&cookieprivacy=&hb=5&systembit=32&vm=1&machineguid=75ed9567-aa58-4c8e-a8ea-3cad7c47ab03&welcomeimgurl=&downloadip=77.241.45.41&downloadtime=11/20/2015 6:14:41 AM&clickid=&version=6.12
hxxp://static.revenyou.com/offers/images/Theme12/bodyImg.png	198.232.124.224
hxxp://srv.DESK-TOP-APP.INFO/Installer/Track?pubid=16434&distid=30338&productid=29565&subpubid=0&campaignid=0&networkid=1&reqid=382014019&dfb=0&os=5.1&ospv=-1&iev=6.0&ffv=&chromev=&macaddress=00:0C:29:8A:8B:37&netv=&d1=-1&d2=-1&d3=-1&d4=-1&d5=-1&ds1=&cookieproductname=85-112-100-97-116-101-115&cookieeula=&cookieprivacy=&hb=5&systembit=32&vm=1&machineguid=75ed9567-aa58-4c8e-a8ea-3cad7c47ab03&welcomeimgurl=&downloadip=77.241.45.41&downloadtime=11/20/2015 6:14:41 AM&clickid=&status=2&installedid=10700&z=1&offerscreenid=234&offerorder=-1&downloadduration=-1&installduration=-1&issecond=0
hxxp://static.revenyou.com/offers/images/Theme12/topComp.png	198.232.124.224
hxxp://srv.DESK-TOP-APP.INFO/Installer/Track?pubid=16434&distid=30338&productid=29565&subpubid=0&campaignid=0&networkid=1&reqid=382014019&dfb=0&os=5.1&ospv=-1&iev=6.0&ffv=&chromev=&macaddress=00:0C:29:8A:8B:37&netv=&d1=-1&d2=-1&d3=-1&d4=-1&d5=-1&ds1=&cookieproductname=85-112-100-97-116-101-115&cookieeula=&cookieprivacy=&hb=5&systembit=32&vm=1&machineguid=75ed9567-aa58-4c8e-a8ea-3cad7c47ab03&welcomeimgurl=&downloadip=77.241.45.41&downloadtime=11/20/2015 6:14:41 AM&clickid=&status=2&installedid=29820&z=1&offerscreenid=655&offerorder=-1&downloadduration=-1&installduration=-1&issecond=0
hxxp://stats.g.doubleclick.net/dc.js	64.233.165.156
hxxp://srv.DESK-TOP-APP.INFO/Installer/Flow?pubid=16434&distid=30338&productid=29565&subpubid=0&campaignid=0&networkid=1&dfb=0&os=5.1&ospv=-1&iev=6.0&ffv=&chromev=&macaddress=00:0C:29:8A:8B:37&netv=&d1=-1&d2=-1&d3=-1&d4=-1&d5=-1&ds1=&cookieproductname=85-112-100-97-116-101-115&cookieeula=&cookieprivacy=&hb=5&systembit=32&vm=1&machineguid=75ed9567-aa58-4c8e-a8ea-3cad7c47ab03&welcomeimgurl=&downloadip=77.241.45.41&downloadtime=11/20/2015 6:14:41 AM&clickid=&version=6.12&nipids=-29408-28693-28657-29219-29736&secondcall=1&reqid=382014019
hxxp://static.revenyou.com/offers/images/Theme12/topLine.jpg	198.232.124.224
hxxp://cdn.download4desktop.com/Installer/OperaBrowser/OperaChecker25-6.exe	198.232.124.192
hxxp://static.revenyou.com/offers/images/Theme12/bottomLine.jpg	198.232.124.224
hxxp://static.revenyou.com/offers/images/Theme12/button.png	198.232.124.224
hxxp://static.revenyou.com/offers/images/Theme12/button_over.png	198.232.124.224
srv.desk-top-app.info	23.21.167.85

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET //offers/DynamicOfferScreen?offerid=5&distid=30338&leadp=29565&countryid=262&sysbit=32&imgurl=&cookieproductname=85-112-100-97-116-101-115&dfb=0&hb=5&isagg=1&version=6.12&external=0& HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: srv.serverdatasrv.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Cache-Control: private

Content-Type: text/html; charset=utf-8

Date: Sun, 20 Dec 2015 02:41:06 GMT

Server: Microsoft-IIS/8.0

X-AspNet-Version: 4.0.30319

X-AspNetMvc-Version: 4.0

X-Powered-By: ASP.NET

Content-Length: 12892

Connection: keep-alive

<html>. <head>. <title>5 - NonProduct (Download Manager)</title><script type='text/javascript'>var _gaq = _gaq || [];_gaq.push(['_setAccount', 'UA-37348037-1']);_gaq.push(['_setDomainName', 'ppdownload.com']);_gaq.push(['_setAllowLinker', true]);.. _gaq.push(['_trackPageview']);.. (function() {.. var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;.. ga.src = ('https:' == document.location.protocol ? 'hXXps://' : 'hXXp://') 'stats.g.doubleclick.net/dc.js';.. var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);.. })();</script><style type='text/css'>body { width:100%; height:100%; margin:0px; padding:0px; font-size:font-family:helvetica; font-size:12px;} .divLeadpName { border-bottom-style:groove;border-bottom-width: thin; padding-left:61px; padding-top:9px; font-size:font-family:helvetica; font-style:italic; font-size:25px; font-weight:bold; color:black; position:absolute; width: 100%; background-color: #fff; ba} #divTop {display: none} #divMiddle {background-color: #efecec; height: 100%;} #middle {background-color: #fff;} .divOnNext { position:absolute;

<<< skipped >>>

GET /offers/images/Theme12/topComp.png HTTP/1.1

Accept: */*

Referer: hXXp://srv.serverdatasrv.com//offers/DynamicOfferScreen?offerid=5&distid=30338&leadp=29565&countryid=262&sysbit=32&imgurl=&cookieproductname=85-112-100-97-116-101-115&dfb=0&hb=5&isagg=1&version=6.12&external=0&

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: static.revenyou.com

Connection: Keep-Alive

HTTP/1.1 404 Not Found

Date: Sun, 20 Dec 2015 02:41:07 GMT

Content-Type: text/html

Content-Length: 1245

Connection: keep-alive

X-Powered-By: ASP.NET

Server: NetDNA-cache/2.2

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "hXXp://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">..<html xmlns="hXXp://VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>..<title>404 - File or directory not found.</title>..<style type="text/css">....</style>..</head>..<body>..<div id="header"><h1>Server Error</h1></div>..<div id="content">.. <div class="content-container"><fieldset>.. <h2>404 - File or directory not found.</h2>.. <h3>The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.</h3>.. </fieldset></div>..</div>..</body>..</html>......

<<< skipped >>>

GET /offers/images/Theme12/bgImg.jpg HTTP/1.1

Accept: */*

Referer: hXXp://srv.serverdatasrv.com//offers/DynamicOfferScreen?offerid=5&distid=30338&leadp=29565&countryid=262&sysbit=32&imgurl=&cookieproductname=85-112-100-97-116-101-115&dfb=0&hb=5&isagg=1&version=6.12&external=0&

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: static.revenyou.com

Connection: Keep-Alive

HTTP/1.1 404 Not Found

Date: Sun, 20 Dec 2015 02:41:07 GMT

Content-Type: text/html

Content-Length: 1245

Connection: keep-alive

X-Powered-By: ASP.NET

Server: NetDNA-cache/2.2

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "hXXp://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">..<html xmlns="hXXp://VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>..<title>404 - File or directory not found.</title>..<style type="text/css">....</style>..</head>..<body>..<div id="header"><h1>Server Error</h1></div>..<div id="content">.. <div class="content-container"><fieldset>.. <h2>404 - File or directory not found.</h2>.. <h3>The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.</h3>.. </fieldset></div>..</div>..</body>..</html>......

<<< skipped >>>

GET /offers/images/Theme12/nextCase.jpg HTTP/1.1

Accept: */*

Referer: hXXp://srv.serverdatasrv.com//offers/DynamicOfferScreen?offerid=5&distid=30338&leadp=29565&countryid=262&sysbit=32&imgurl=&cookieproductname=85-112-100-97-116-101-115&dfb=0&hb=5&isagg=1&version=6.12&external=0&

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: static.revenyou.com

Connection: Keep-Alive

HTTP/1.1 404 Not Found

Date: Sun, 20 Dec 2015 02:41:08 GMT

Content-Type: text/html

Content-Length: 1245

Connection: keep-alive

X-Powered-By: ASP.NET

Server: NetDNA-cache/2.2

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "hXXp://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">..<html xmlns="hXXp://VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>..<title>404 - File or directory not found.</title>..<style type="text/css">....</style>..</head>..<body>..<div id="header"><h1>Server Error</h1></div>..<div id="content">.. <div class="content-container"><fieldset>.. <h2>404 - File or directory not found.</h2>.. <h3>The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.</h3>.. </fieldset></div>..</div>..</body>..</html>..HTTP/1.1 404 Not Found..Date: Sun, 20 Dec 2015 02:41:08 GMT..Content-Type: text/html..Content-Length: 1245..Connection: keep-aliv

<<< skipped >>>

GET /offers/images/Theme12/topLine.jpg HTTP/1.1

Accept: */*

Referer: hXXp://srv.serverdatasrv.com//offers/DynamicOfferScreen?offerid=5&distid=30338&leadp=29565&countryid=262&sysbit=32&imgurl=&cookieproductname=85-112-100-97-116-101-115&dfb=0&hb=5&isagg=1&version=6.12&external=0&

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: static.revenyou.com

Connection: Keep-Alive

HTTP/1.1 404 Not Found

Date: Sun, 20 Dec 2015 02:41:07 GMT

Content-Type: text/html

Content-Length: 1245

Connection: keep-alive

X-Powered-By: ASP.NET

Server: NetDNA-cache/2.2

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "hXXp://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">..<html xmlns="hXXp://VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>..<title>404 - File or directory not found.</title>..<style type="text/css">....</style>..</head>..<body>..<div id="header"><h1>Server Error</h1></div>..<div id="content">.. <div class="content-container"><fieldset>.. <h2>404 - File or directory not found.</h2>.. <h3>The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.</h3>.. </fieldset></div>..</div>..</body>..</html>......

<<< skipped >>>

GET /offers/images/Theme12/bodyImg.png HTTP/1.1

Accept: */*

Referer: hXXp://srv.serverdatasrv.com//offers/DynamicOfferScreen?offerid=5&distid=30338&leadp=29565&countryid=262&sysbit=32&imgurl=&cookieproductname=85-112-100-97-116-101-115&dfb=0&hb=5&isagg=1&version=6.12&external=0&

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: static.revenyou.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Sun, 20 Dec 2015 02:41:07 GMT

Content-Type: image/png

Content-Length: 1914

Connection: keep-alive

Cache-Control: max-age=604800

Last-Modified: Mon, 05 Aug 2013 10:27:32 GMT

ETag: "36dd864c691ce1:0"

X-Powered-By: ASP.NET

Server: NetDNA-cache/2.2

Expires: Sun, 27 Dec 2015 02:41:07 GMT

X-Cache: HIT

Accept-Ranges: bytes

.PNG........IHDR.......:.....j.......sRGB.........gAMA......a.... cHRM..z&..............u0...`..:....p..Q<...0PLTE................................................{.......IDATx......:..`..p..J.4.ty.:......)v..\....,.fwv..U...!.....b.f.....Cy(..OW......w......]R..l..2My}<..]..8hn{*..X.).m..4w.U.J.....u..l.J...<...>uJ.....i.>o.%......I.\..S......U.D.}OK..J`......sJ`.}..M.9%..A....u.T.%........K....OQ..._..d.>..L....]I. U.].c.Je...|.W.U?..E.}...*.vZ...K...M....).W...^V..>).e(.].Z.}dg%@....S.*/...........Y.W.]}...|.SgO........rrj...4UY../..r.~.....Z.ep.wui.sP^..X.g%$(.......C........Ze....4yn}....U.({.V..{o..}O...w.G.Q.^..r..p....0y............8......6.v....zz~....-...F*..f.F]...R..*. -......e{mO.s.i.9.U....zz.6.f.T>.f.DQ%.. ...l.q\N."eA({_W7..Q.....d........>...Y.."e.\....s,.. .Li)%....R.o.....C.9wQ....8........KNY..t..)...k...v)P*.....I...4&../.{)..qe..R.'...2..*..d.z&.T;y..)Q*....)R..2..)Tj.B..)V..b..)W......QB!rj.B.J)..N)b*...R)q..<S...z%.LPr..%.LQ2.4e.....q&*c.De,..J.x& ig...g..b.(.g..p.)Qf..uf*1g..af .Y...... .;(.....s......r.v. ...s'...K.0wS.....sG%.......-.R..}......4S.....W.....=.9eN(..OS..Jt(...<...P.(..DJ;_)..Y. ..7.>.@.Bi....HS)eM.qi;...........$.z%.[..P...SJzT*E]......2zT.t..L%6.TJ..Y.a...}.V..J...,.....H... ....;..2_._/[.^/[.\.W.\.!..%oT*y.Z....#Q.Bw.FI.7...H..2Jt.*..../........2.F..X.....gqJ.q:.U.q.. V...B..s.(.J2.x..()#1@.'d4.Hh.h.J.I.i.G.#.;.J....*Q$Z..?.........sR..D.<...| ......2.1b.A3...v.....X.y{..R....{h..pzJ.I.).Y..Kn.z;%Jn..c.W...bL........t..!...A..(..*

<<< skipped >>>

GET /offers/images/Theme12/bottomLine.jpg HTTP/1.1

Accept: */*

Referer: hXXp://srv.serverdatasrv.com//offers/DynamicOfferScreen?offerid=5&distid=30338&leadp=29565&countryid=262&sysbit=32&imgurl=&cookieproductname=85-112-100-97-116-101-115&dfb=0&hb=5&isagg=1&version=6.12&external=0&

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: static.revenyou.com

Connection: Keep-Alive

HTTP/1.1 404 Not Found

Date: Sun, 20 Dec 2015 02:41:07 GMT

Content-Type: text/html

Content-Length: 1245

Connection: keep-alive

X-Powered-By: ASP.NET

Server: NetDNA-cache/2.2

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "hXXp://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">..<html xmlns="hXXp://VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>..<title>404 - File or directory not found.</title>..<style type="text/css">....</style>..</head>..<body>..<div id="header"><h1>Server Error</h1></div>..<div id="content">.. <div class="content-container"><fieldset>.. <h2>404 - File or directory not found.</h2>.. <h3>The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.</h3>.. </fieldset></div>..</div>..</body>..</html>......

<<< skipped >>>

GET /offers/images/Theme12/button_over.png HTTP/1.1

Accept: */*

Referer: hXXp://srv.serverdatasrv.com//offers/DynamicOfferScreen?offerid=5&distid=30338&leadp=29565&countryid=262&sysbit=32&imgurl=&cookieproductname=85-112-100-97-116-101-115&dfb=0&hb=5&isagg=1&version=6.12&external=0&

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: static.revenyou.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Sun, 20 Dec 2015 02:41:07 GMT

Content-Type: image/png

Content-Length: 921

Connection: keep-alive

Cache-Control: max-age=604800

Last-Modified: Mon, 05 Aug 2013 17:21:05 GMT

ETag: "f072da2a092ce1:0"

X-Powered-By: ASP.NET

Server: NetDNA-cache/2.2

Expires: Sun, 27 Dec 2015 02:41:07 GMT

X-Cache: HIT

Accept-Ranges: bytes

.PNG........IHDR...Y............m....tEXtSoftware.Adobe ImageReadyq.e<...;IDATx..Z;o.1..Y.D...W."$=D..*=BPR@..5..........DHi...M.i...e.r............;..N.h..=.|..x6..f..pf...n...yX...>z......`87.3...t.e:.sh..e..z.A....G.p..IZ.z...?Ra8........Y......O.......[........sL..?@.o....y..-.....Lc.0......O..|z.O/...k.....e...n..!......G.p...9....3. .'?7 ..GD@..{.<....C$....N.........Q...<.,@...].;Q.'<.(.X.r.,.6.......QrB..h..d&r....6....G..Shr.... .....4r..= ..f.....B.qP..l.K........YB.Z....H....../:.l.(.S.D...nM7..P.%R........&_uR.H6A..(raP.H9...[\D. .(....d...`.8.A......r5Q..........:v.e....u.....-&.1.....&.........Z.|....).L...$....)K%a-....b..a*{<(W..P<..w7_Z.....h.%6.N........*\FB...A...#..f.N...C..(.p...........K.|..5d..3u-........(.k. 7..6..tsvP!.U0.q.......9z.e ..0.ALt..@l..2iR.2............. .>=...{WVim....f.c6.:...|.....0X.yk...../z..!.SHW.d......o.s........a..8..g.|zvg...o6......@..........n.^......IEND.B`.....

GET /offers/images/Theme12/button.png HTTP/1.1

Accept: */*

Referer: hXXp://srv.serverdatasrv.com//offers/DynamicOfferScreen?offerid=5&distid=30338&leadp=29565&countryid=262&sysbit=32&imgurl=&cookieproductname=85-112-100-97-116-101-115&dfb=0&hb=5&isagg=1&version=6.12&external=0&

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: static.revenyou.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Sun, 20 Dec 2015 02:41:08 GMT

Content-Type: image/png

Content-Length: 458

Connection: keep-alive

Cache-Control: max-age=604800

Last-Modified: Mon, 05 Aug 2013 17:21:12 GMT

ETag: "1b5642f092ce1:0"

X-Powered-By: ASP.NET

Server: NetDNA-cache/2.2

Expires: Sun, 27 Dec 2015 02:41:08 GMT

X-Cache: HIT

Accept-Ranges: bytes

.PNG........IHDR...Y............m....tEXtSoftware.Adobe ImageReadyq.e<...lIDATx...1..p....at.`...[_)...&.........~...C..V$z.J.w.Wi........../..<........R.H)s..i....t.....}2M...9i.&..(..c.....l.&.0`.&a..f...p...R.Jr....bA....$.....cr....u....sq..x....?..> ..pu`.h..C.......$w$..gY. .....%9MS...V.....IF'..0].;..HF..]b..Hr..pW...k..{..EQD.....-L.....#..H.u.. ..lF....j".,<........<. ......18....\.....oI...^.....:..._......rU.<Z`..d..E.|.0.......B.....IEND.B`.HTTP/1.1 200 OK..Date: Sun, 20 Dec 2015 02:41:08 GMT..Content-Type: image/png..Content-Length: 458..Connection: keep-alive..Cache-Control: max-age=604800..Last-Modified: Mon, 05 Aug 2013 17:21:12 GMT..ETag: "1b5642f092ce1:0"..X-Powered-By: ASP.NET..Server: NetDNA-cache/2.2..Expires: Sun, 27 Dec 2015 02:41:08 GMT..X-Cache: HIT..Accept-Ranges: bytes...PNG........IHDR...Y............m....tEXtSoftware.Adobe ImageReadyq.e<...lIDATx...1..p....at.`...[_)...&.........~...C..V$z.J.w.Wi........../..<........R.H)s..i....t.....}2M...9i.&..(..c.....l.&.0`.&a..f...p...R.Jr....bA....$.....cr....u....sq..x....?..> ..pu`.h..C.......$w$..gY. .....%9MS...V.....IF'..0].;..HF..]b..Hr..pW...k..{..EQD.....-L.....#..H.u.. ..lF....j".,<........<. ......18....\.....oI...^.....:..._......rU.<Z`..d..E.|.0.......B.....IEND.B`...

<<< skipped >>>

GET /dc.js HTTP/1.1

Accept: */*

Referer: hXXp://srv.serverdatasrv.com//offers/DynamicOfferScreen?offerid=5&distid=30338&leadp=29565&countryid=262&sysbit=32&imgurl=&cookieproductname=85-112-100-97-116-101-115&dfb=0&hb=5&isagg=1&version=6.12&external=0&

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: stats.g.doubleclick.net

Connection: Keep-Alive

HTTP/1.1 200 OK

Strict-Transport-Security: max-age=10886400

Date: Sun, 20 Dec 2015 01:16:03 GMT

Expires: Sun, 20 Dec 2015 03:16:03 GMT

Last-Modified: Thu, 05 Nov 2015 22:24:16 GMT

X-Content-Type-Options: nosniff

Content-Type: text/javascript

Vary: Accept-Encoding

Content-Encoding: gzip

Server: Golfe2

Content-Length: 15977

Cache-Control: public, max-age=7200

Age: 5104

...........}kW....w~........pk..f......Z.R..Y.C 8i.pi......b..}.>g..Kl...}4....d....O...-.....`~...E...]7..>..>....Pf.a.yU."HCC...i...T*..b.....'..Olf[.Y.[c6P/.....'n.m'..m.... !_XXll..&..(..E..V=/.u.X..%.w...i..rDoT.....?>z..1`.D...y...y7. \...5ZI...TA..........C...p3..A..x.k.q4.2...?L.k=.v....4.:sB[...l.w.o {.....?Nc....|..........q.........[.n..2..X~.......S.f.]h~....7:.n...m.C#6...........#....y...7.|..f.W.>..wS......)..Q....i......z......D.`...7N....y.C;....`1....x..p.tG.L..=..1r...M..2..)xa...{0!..5...^...7..."..........J8... ...5.O....l...r...|....R...P.0ok.8.Z.2....i|...S.y.od...~..k.>.....0vGr.mI.....0.&&yg.sf2......m.....G=0..B.6..u....A.h.A.0.V.:.-...j..L.....5.E.[...Q.{2imA......T........~. ...0*%.....>......hX...ga1./$......f.#..d,.|www5/XX...c5..D-.....p.h..8D.@./.X,.....&gTV..5..,.x..?.....(.>?6Sy.].`.]...'-"....-...........(.n.@_"p"`.*...T.1.$..t.....o?.."../.kX.)L.....-.....E1M.....@..T.F9.,HP........# ....d...-,.......-.j..BS....9...%.~Sug,...`."...4a..@.p]..yn.i(5.....U.r..$j..0{|.i.5........H}.......A=..&.Vq....4<..*7c.<b.....OQ8X...&..a/a.....aI.j.7.E.:cuV=.P.q..d.....X....#..@.T...q......U.T~.@.C......S.#....Q.....K......A.y._....z|..9...9.zM......%m........m).?4.Q...c.....PTDB&..7.-G....E.....E.7.t.V..G....._..!.....xt..}.......Ev..x..a.{...d.. .q./..OB|..6..{....a^.......@?.......o.....*T.;/Oa.......J..........I.)......J..#..A....FS.....t.H..h...W..|B.~..t.6..........t"<..z..||.......8..B9......x.a....m.V[.=...K!..\.....w."d...=>.B..(K...u.....~.".@b

<<< skipped >>>

GET /Installer/Track?pubid=16434&distid=30338&productid=29565&subpubid=0&campaignid=0&networkid=1&reqid=382014019&dfb=0&os=5.1&ospv=-1&iev=6.0&ffv=&chromev=&macaddress=00:0C:29:8A:8B:37&netv=&d1=-1&d2=-1&d3=-1&d4=-1&d5=-1&ds1=&cookieproductname=85-112-100-97-116-101-115&cookieeula=&cookieprivacy=&hb=5&systembit=32&vm=1&machineguid=75ed9567-aa58-4c8e-a8ea-3cad7c47ab03&welcomeimgurl=&downloadip=77.241.45.41&downloadtime=11/20/2015 6:14:41 AM&clickid=&status=2&installedid=29820&z=1&offerscreenid=655&offerorder=-1&downloadduration=-1&installduration=-1&issecond=0 HTTP/1.1

User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.142 Safari/535.19

Host: srv.DESK-TOP-APP.INFO

Connection: Keep-Alive

HTTP/1.1 200 OK

Cache-Control: private

Content-Type: text/html; charset=utf-8

Date: Sun, 20 Dec 2015 02:41:06 GMT

Server: Microsoft-IIS/8.0

X-AspNet-Version: 4.0.30319

X-AspNetMvc-Version: 4.0

X-Powered-By: ASP.NET

Content-Length: 8

Connection: keep-alive

..OK..HTTP/1.1 200 OK..Cache-Control: private..Content-Type: text/html; charset=utf-8..Date: Sun, 20 Dec 2015 02:41:06 GMT..Server: Microsoft-IIS/8.0..X-AspNet-Version: 4.0.30319..X-AspNetMvc-Version: 4.0..X-Powered-By: ASP.NET..Content-Length: 8..Connection: keep-alive....OK....

GET /Installer/Flow?pubid=16434&distid=30338&productid=29565&subpubid=0&campaignid=0&networkid=1&dfb=0&os=5.1&ospv=-1&iev=6.0&ffv=&chromev=&macaddress=00:0C:29:8A:8B:37&netv=&d1=-1&d2=-1&d3=-1&d4=-1&d5=-1&ds1=&cookieproductname=85-112-100-97-116-101-115&cookieeula=&cookieprivacy=&hb=5&systembit=32&vm=1&machineguid=75ed9567-aa58-4c8e-a8ea-3cad7c47ab03&welcomeimgurl=&downloadip=77.241.45.41&downloadtime=11/20/2015 6:14:41 AM&clickid=&version=6.12 HTTP/1.1

User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.142 Safari/535.19

Host: srv.DESK-TOP-APP.INFO

Connection: Keep-Alive

HTTP/1.1 200 OK

Cache-Control: private

Content-Type: text/html; charset=utf-8

Date: Sun, 20 Dec 2015 02:41:04 GMT

Server: Microsoft-IIS/8.0

X-AspNet-Version: 4.0.30319

X-AspNetMvc-Version: 4.0

X-Powered-By: ASP.NET

Content-Length: 17120

Connection: keep-alive

..Sv.NlmsAxc.2..*.JqaEv`.5. ).Bkmnjf`grQsoa"8,$.Fmkcsez_oajgRvjdo"8.(.% O_fGew.2.AIBS^?UPM=IM]RMDN Qj^op_o_[XAkd_j.nsv.x FF=TXARLQANRZMN>P.Mnbtu\j`UZJ[hh.PpTW:kfanEnqoYgeco.qbr '.M^eH_x24 5.CDCVYBQRP@FOXSP?Q.SmalrZpbV[=mgbg.ity.{.HI@QZ<SOLDJT]PK@K.Piepw_m]WUK^ck*RsWT<fgdiHjsr\dg^p.len"*.J`imonM]mc.2.:kfan>rmrk`k ).Onobp[oBB.4154.3$.:jt[xoOda]m.8-&!EsU\ao?moCmot_gd.3/).DteSMD.3 ensl:-*Yhbel\hj.a_fhZgi(qq/?habhBfmsni`)]s^ ).DteSMD-.8.bspp8*'\fgdiaen,^\if_ff-nu-<ed`mAcrprg]&`qc.&!?okhYi]Jfhd.: ..<fgdiCesrma]'cu_.)-qdd`gr.',nfp8/32/43.)-s\Wm_p:=G=NL@DZ066 65 (e\dc*^dbasgl8*.*'o]rri]mXlbq^qrj8`omn7).iebdYghed_q*rs*Ykb-p[uaPmnl]Zah9skkci5hBA>mNLJ0ok!`sf^< _]BMD=$pcf9$]ZKD@$lpq9$]ZGQK$o_e9764)22$`bh`=00*3.a^cc925/.ornb7`iiej..% L`earSMD.3 ensl:-*kmo,P?QREP?9O:QOP-_ok*'j_dblr DwiYhbaL`earQ^j`^l<iebepd\8/12 onobp[obb:,8006!\dlrf^</01.0!ec^^o9270.0.alomprwd\8 4/ rus`dl8,0#]nkkg`hmhbr]sjak`5Pib^ndo&baZ8)$e\<1&gnYb`;. uarqdgi64 1"evo]mg_i7/., MYo^ 7'0("?_\dmglh`hD_oY.3 .&!=nrdndksp_rNeeF]tl 7.ZY"*.H\rmrn!6-/'.@_db]sevc.2(**.JqkmmoajgP^nd.: ,$.=gp]qap_i[tK_q_!6-/'.Necbj@btcmAilr^fk.:.'.Qbpqo`hOda]m<mjg`jdJdf`.8kokh, >YiKsk;r?hc^c]hv.4snuc'.MnlFh@cgp`knbtbCmot_gd`k 7.0., MmiBlO_fql_mAilr^fkar 5.,.*.JqaEv`J`lsinSark.2.) ).OneCs]M^qrfsRajp].3 -. .Pmnl@qcO_rqlrO]mf 7./., KgnmCu_QassglQZjr_!6"..$.ImpnQagI`q. 7.GGEWZ;PKPBHS[UQ@J.Lmcnv]rcWT<fgdi.lvz.t.AIBS^?UPM=IM]RMDN Qj^op_o_[XM_dd)K

<<< skipped >>>

GET /Installer/Track?pubid=16434&distid=30338&productid=29565&subpubid=0&campaignid=0&networkid=1&reqid=382014019&dfb=0&os=5.1&ospv=-1&iev=6.0&ffv=&chromev=&macaddress=00:0C:29:8A:8B:37&netv=&d1=-1&d2=-1&d3=-1&d4=-1&d5=-1&ds1=&cookieproductname=85-112-100-97-116-101-115&cookieeula=&cookieprivacy=&hb=5&systembit=32&vm=1&machineguid=75ed9567-aa58-4c8e-a8ea-3cad7c47ab03&welcomeimgurl=&downloadip=77.241.45.41&downloadtime=11/20/2015 6:14:41 AM&clickid=&status=2&installedid=10700&z=1&offerscreenid=234&offerorder=-1&downloadduration=-1&installduration=-1&issecond=0 HTTP/1.1

User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.142 Safari/535.19

Host: srv.DESK-TOP-APP.INFO

Connection: Keep-Alive

HTTP/1.1 200 OK

Cache-Control: private

Content-Type: text/html; charset=utf-8

Date: Sun, 20 Dec 2015 02:41:07 GMT

Server: Microsoft-IIS/8.0

X-AspNet-Version: 4.0.30319

X-AspNetMvc-Version: 4.0

X-Powered-By: ASP.NET

Content-Length: 8

Connection: keep-alive

..OK..HTTP/1.1 200 OK..Cache-Control: private..Content-Type: text/html; charset=utf-8..Date: Sun, 20 Dec 2015 02:41:07 GMT..Server: Microsoft-IIS/8.0..X-AspNet-Version: 4.0.30319..X-AspNetMvc-Version: 4.0..X-Powered-By: ASP.NET..Content-Length: 8..Connection: keep-alive....OK......

GET /Installer/Flow?pubid=16434&distid=30338&productid=29565&subpubid=0&campaignid=0&networkid=1&dfb=0&os=5.1&ospv=-1&iev=6.0&ffv=&chromev=&macaddress=00:0C:29:8A:8B:37&netv=&d1=-1&d2=-1&d3=-1&d4=-1&d5=-1&ds1=&cookieproductname=85-112-100-97-116-101-115&cookieeula=&cookieprivacy=&hb=5&systembit=32&vm=1&machineguid=75ed9567-aa58-4c8e-a8ea-3cad7c47ab03&welcomeimgurl=&downloadip=77.241.45.41&downloadtime=11/20/2015 6:14:41 AM&clickid=&version=6.12&nipids=-29408-28693-28657-29219-29736&secondcall=1&reqid=382014019 HTTP/1.1

User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.142 Safari/535.19

Host: srv.DESK-TOP-APP.INFO

Connection: Keep-Alive

HTTP/1.1 200 OK

Cache-Control: private

Content-Type: text/html; charset=utf-8

Date: Sun, 20 Dec 2015 02:41:06 GMT

Server: Microsoft-IIS/8.0

X-AspNet-Version: 4.0.30319

X-AspNetMvc-Version: 4.0

X-Powered-By: ASP.NET

Content-Length: 18274

Connection: keep-alive

..Sv.NlmsAxc.2..*.JqaEv`.5. ).Bkmnjf`grQsoa"83$.Fmkcsez_oajgRvjdo"8.(( .*,3)25(*0.*.LdcKct.5. ).QagI`q1- 7.!("P`hjkrK[la"8.9QH ).Onobp[oBB.40("?go\rqL`ear 5('.GpQ`etDjjDgqq[kh"8,$.>vbOQH"8..'.Cu_TNL0.2..*.=nim_i\Gblb.9."*.Ga_coOQH"8.`omn7).ort)K@KTBLC=T?NJQ'alg. oda]ml-Asm]mg^Ga_coMbneci7j_dblh`=2.)!igam<.92 0( 6332)261-2&06,05&bdkobb:-//36!d`Zbm715540.^hsknquib8*1 $psr^ir8 -.alijeenmg_naqh`ie;Ph_Zrbm%`f`8(!a`:/%es_b_8*$s_qoimi51'// dttcmf\e;-. .R_o].3 .&!=dbdldhl^fC]t_.2. 71*7)2611.&05043-04*,2 ).@jtgqamnqbmQagI`qn.8.. .P_tgpm 7'0("Ca^`\rfpd.: ,$.IplgnpimiJ\mc.4,-, ?an\pbj`jcwMYo^ 7'0("Qg]`i?cndnIlnl\ej.4/("Tdjon_iIebep>ghf_k^Kenc.2..*.=`jRsi9n<fb]j^ov.2oksb&!NulDf<`eo_roit`Ailr^fkar 5..% OomEnP`_pe_oCmot_gd`k 7.!("Nm]@qcO_rqlrO]mf 7.!("Nm]@qcO_rqlrQYgnc.4!., KgnmCu_QassglO^pj.9."*.HjlrBrdNeqpdoO_iod.: .$.ImpnQagI`q. 7.!("NjkoKcdEdu62.2..{)u!Loqo=s^ 7.!("Nm]@qc.4!., >ghimk_mpTwk].3/).LkngoauZrfimPyn`k.3 -. .RcbC`r 7.GGEWZ;PKPBHS[UQ@J.Lmcnv]rcWT<fgdi.lvz.t.AIBS^?UPM=IM]RMDN Qj^op_o_[XM_dd)KsYV@iiejAilr^fkar.m^m.*.LdcKct./.8.BJAY]>MMKCKN^QSCM.Nhdqq`neZW9hbel.or|.w.CDCVYBQRP@FOXSP?Q.SmalrZpbV[Iagg&MnZY;legmDfnm_ifdn paj.% O_okrrIYh^ 7.@iiej:mhup_q., Kjj]s`nH@"8-1/)6).@hw_tkJ_dbl!60*.AnP_fnEkrGikoZji.9-, @p`NPI.9.hroh5(-^ghco`df)\bkg`el,mm*:kfan@iqojd[,brd., @p`NPI,!6"folk3-,[legm]ai'aahl]ij)jp(?jcfkDgnlmb` _wa"*.;jfk^hcHil`.5...;legm?anmpf

<<< skipped >>>

GET /Installer/XP/XPLimitChecker.exe HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: d2vubraihqcany.cloudfront.net

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: application/octet-stream

Content-Length: 50053

Connection: keep-alive

Date: Thu, 10 Dec 2015 04:01:33 GMT

Last-Modified: Mon, 04 May 2015 10:45:00 GMT

ETag: "b6631cd12092841cac0763c854828c50"

Accept-Ranges: bytes

Server: AmazonS3

Age: 58623

X-Cache: Hit from cloudfront

Via: 1.1 cbb439ecf760e902d3e0e61532befa44.cloudfront.net (CloudFront)

X-Amz-Cf-Id: 6ToIHSzlvCevjx-oE-X31SHNGakUJ2nznCSaQFx-0754AyVLT2u9zw==

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................^....... ...0.......p....@..........................0...............................................t..........(C...........................................................................p...............................text...L\.......^.................. ..`.rdata.......p.......b..............@..@.data...X............v..............@....ndata....... ...........................rsrc...(C.......D...z..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H....h.E..H.P.u..u..u...Hr@..B...SV.5p.E..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h`.D.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$....E...Si.. ..VW.T.....tO.q.3.;5..E.sB..i.. ...D.......t.G.....t...O..t .....u...3....3...F.. ..;5..E.r._^[...U..QQ.U.SV..i.. .

<<< skipped >>>

GET /Installer/OperaBrowser/OperaChecker25-6.exe HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cdn.download4desktop.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Sun, 20 Dec 2015 02:41:05 GMT

Content-Type: application/octet-stream

Content-Length: 50225

Connection: keep-alive

x-amz-id-2: CoAEnAYr vtTssgqA80wgkeF0t8KiUctOp019VhfUpMyTBpnOjgf2Bj9tqGzQjfzCG6rKyk8Pyo=

x-amz-request-id: 653592A504321CA5

Last-Modified: Wed, 25 Jun 2014 14:41:23 GMT

ETag: "10ffabc748d68c40b68f883058c9b932"

Server: NetDNA-cache/2.2

Content-Disposition: attachment

X-Cache: HIT

Accept-Ranges: bytes

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................^...........0.......p....@..........................................................................t..........PC...........................................................................p...............................text...L\.......^.................. ..`.rdata.......p.......b..............@..@.data...X\...........v..............@....ndata...................................rsrc...PC.......D...z..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H....h.B..H.P.u..u..u...Hr@..B...SV.5p.B..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h`.B.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$....B...Si.....VW.T.....tO.q.3.;5..B.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5..B.r._^[...U..QQ.U.SV..i....

<<< skipped >>>

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

%original file name%.exe_1772:

.text

`.rdata

@.data

.ndata

.rsrc

uDSSh

.DEFAULT\Control Panel\International

Software\Microsoft\Windows\CurrentVersion

GetWindowsDirectoryA

KERNEL32.dll

ExitWindowsEx

USER32.dll

GDI32.dll

SHFileOperationA

ShellExecuteA

SHELL32.dll

RegEnumKeyA

RegCreateKeyExA

RegCloseKey

RegDeleteKeyA

RegOpenKeyExA

ADVAPI32.dll

COMCTL32.dll

ole32.dll

VERSION.dll

verifying installer: %d%%

hXXp://nsis.sf.net/NSIS_Error

... %d%%

~nsu.tmp

%u.%u%s%s

RegDeleteKeyExA

%s=%s

*?|/":

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\beehjjcbdh.exe 4!0!5!6!0!8!9!4!4!8!4 K1BEPj0pLTAvLBwrU1A8UEE7OSwYK0pFT1FPSkJFQDUtHC8/Q1NMQEA5KywvMzMaLztAQDkoHCtQTUlETTpQW0FAOTI0LzYtFytPPU5SRU1ZVUpDOWRscGw6Kilzam0qQD1PRy1PSVAlOExMJkVKRkoaLztDRT9DRUA9GylEKTQpLRgrQDI4JzEYJkAvNSktICo NDUkLRwnQDE9KCsgJ0dOSzxRP1RaSlJBTT0/UTkcL0tMTzxMP1BXQVFMPDcgJ0dOSzxRP1RaSEFFPDlRaGBddGBtICc8VEFXUU5MOGJ0bGc2Kydga3dpZm9ZWylvXW5yZW1tLltmaStLdW9JaWBvJ01LT2xxXi5gcmUYJkFUPVs/TT9GSUY8ORwnREtTT1lCSkZTTz1OOTUbKVRAOEpHUUtRX1BMTDUXK1JFOS4gKj5TKTQcK0pRSlRER0VXTkFIO0tJRURHQT88UU5EORwvRE1fSkxKUEFJQT1vbHVdFytOPVBRUklDTj9WUU89TltEPFNTNSkcK0BFQEVTNzEYJkVPV0BVTjxHSTtWQUo7TlVQTz9ENV1daGthHC8/SVdGQ0s9PFtFUDgxNyYpMC0mMDEuLysgJ0c9TjlISEVHWUlGSlA9REg5dG1vZRgmUEVFQTkxLy44KCcsLDAtHC8/SVdGQ0s9PFtQSUg/PSkoKy4oKy4wLC8qLjEtMDIwLSo8Rw==

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp

beehjjcbdh.exe

8 8$8(8,80848

Certification Services Division1806

hXXp://t2.symcb.com0

!hXXp://t1.symcb.com/ThawtePCA.crl0

hXXp://tl.symcb.com/tl.crl0

hXXps://VVV.thawte.com/cps0/

!hXXps://VVV.thawte.com/repository0

hXXp://tl.symcd.com0&

hXXp://tl.symcb.com/tl.crt0

.?AV?$CAtlExeModuleT@VCSmartInstallerModule@@@ATL@@

.?AVCWebPage@@

:,:0:4:8:

9Å“9P9g9

9#9'9-91999

9"9/999_9

="=&=*=.=

WinHttpCrackUrl

WinHttpOpen

WinHttpCloseHandle

WinHttpConnect

WinHttpReadData

WinHttpWriteData

WinHttpQueryDataAvailable

WinHttpSetOption

WinHttpSetTimeouts

WinHttpOpenRequest

WinHttpAddRequestHeaders

WinHttpSendRequest

WinHttpReceiveResponse

WinHttpQueryHeaders

WinHttpGetProxyForUrl

WinHttpGetIEProxyConfigForCurrentUser

WINHTTP.dll

PSAPI.DLL

GetProcessHeap

c:\%original file name%.exe

%original file name%.exe

CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsi1.tmp

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\

Nullsoft Install System v2.46

{8856F961-340A-11D0-A96B-00C04FD705A2}

00000000

773.151120.1374.5770

beehjjcbdh.exe_644:

.text

`.rdata

@.data

.rsrc

@.reloc

tCPjB

r%f;M

j.Yf;

_tcPVj@

.PjRW

%d/%d/%d %d:%d:%d

Summary

Dynamic Analysis

Removals

Static Analysis

Network Activity

Map

Strings from Dumps