Resolved tommyslav.name to 184.108.40.206
I saw Malekal tweet that someone was using an exploit kit on adf.ly to distribute Andromeda.
I had already posted the Andromeda, and had suspected that it was the cracked version. I just entered the gate info into the builder, ran the build and watched it download this.
Gate file: /panell/landing/gate.php
Ransom page TDS: /panell/landing/redirme.php
Nice of the owner to leave info pages on the server.
Hosting info: http://whois.domaintools.com/220.127.116.11
EDIT: An additional winlocker panel is hosted on the same IP.
Gate file: /panel/landing/gate.php
Ransom page TDS: /panel/landing/redirme.php