Trojan.Win32.IEDummy_3231f14f72

Dynamic Analysis

Payload

Behaviour	Description
WormAutorun	A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:928

The Trojan injects its code into the following process(es):No processes have been created.

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

No files have been created.

Registry activity

The process %original file name%.exe:928 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A8 E4 46 2B A5 FB 18 4A 78 66 44 74 1C C8 B0 46"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"DisableRegistryTools" = "0"

The Trojan adds the reference to itself to be executed when a user logs on:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "Explorer.exe"

The Trojan deletes the following value(s) in system registry:

The Trojan disables automatic startup of the application by deleting the following autorun value:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Yahoo Messengger"

"Yahoo Messenger"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.

Removals

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):

   %original file name%.exe:928

2. Delete the original Trojan file.
   
3. Remove the references to the Trojan by modifying the following registry value(s) (How to Work with System Registry):

   [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   "Shell" = "Explorer.exe"

4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
5. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
   
6. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name: iSergiwa Software - www.sergiwa.com
Product Name: SRT - iSergiwa Software
Product Version: 2.00
Legal Copyright: All rights reserved
Legal Trademarks: Free for personal use ONLY!
Original Filename: SRT.exe
Internal Name: SRT
File Version: 2.00
File Description: A free tool to remove Sohanad virus and friends!
Comments: A free tool to remove Sohanad virus and friends!
Language: Language Neutral

Company Name: iSergiwa Software - www.sergiwa.comProduct Name: SRT - iSergiwa SoftwareProduct Version: 2.00Legal Copyright: All rights reservedLegal Trademarks: Free for personal use ONLY!Original Filename: SRT.exeInternal Name: SRTFile Version: 2.00File Description: A free tool to remove Sohanad virus and friends!Comments: A free tool to remove Sohanad virus and friends!Language: Language Neutral

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	63464	65536	4.60914	dbdb619d298278ef4ea91ad9d82ccc62
.data	69632	3096	4096	0	620f0b67a91f7f74151bc5be745b7110
.rsrc	73728	2392	4096	1.62887	49c874cbaebac12c5370c6f199b6d5e6

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL	IP
hxxp://sergiwa.com/modules/mydownloads/singlefile.php?cid=2&lid=6
hxxp://sedoparking.com/
hxxp://vip1.g5.cachefly.net/js/jquery-1.4.2.min.js
hxxp://sedoparking.com/images/js_preloader.gif
hxxp://sedoparking.com/search/tsc.php?&ses=1463718019f040e932a28694b67f42c5aa3fc6dac5&200=MjMxMDQyOTg1&21=MTk0LjI0Mi45Ni4yMTg=&681=MTQ2MzcxODAxOWYwNDBlOTMyYTI4Njk0YjY3ZjQyYzVhYTNmYzZkYWM1&682=&616=&crc=48ca082ccc3156ee64036354d684be64ce306b9d&cv=1
hxxp://sedoparking.com/search/redirect.php?f=http://zd1.november-lax.com/zcvisitor/293d5924-1e42-11e6-b462-12ce168cfdfd&v=YTlkZDlmYWIxODZmMjM2NDU3NDVhMTM4YTljMDQxOTcJMQl3dzEuc2VyZ2l3YS5jb201NzNlOTA4MmJiMDI2NS45ODY0MDkxMAl3dzEuc2VyZ2l3YS5jb201NzNlOTA4MmJiMGU0My41ODY5OTMwNgkxNDYzNzE4MDE5CWFkXzMxXzA=&l=NQlBRFMJZDBhZWU2MmM5OGM2NjcwOWYyMzc5Njc1ZGY0MTM5MDYJMC4wMDAxCTAJMTMJCTMxCTEJMQkwCWFjYjcyMDg0ZTIwOTliMGI5OWUxMTM5MzU0NDlmMTZjCQkyMzEwNDI5ODUJYwk3NTE4MjY4MQkJc2VyZ2l3YQkxMTAxCTMxCTMxCTM1CTE0NjM3MTgwMTkJMC4wMDAxNwlOCTAJMAkwCQkwLjAwMDEJCQkJCQl3dzEuc2VyZ2l3YS5jb201NzNlOTA4MmJiMDI2NS45ODY0MDkxMAkwLjAwMDE3CTAJCTEJMAkxMzc0CTkyMDY2ODI5CQkxOTQuMjQyLjk2LjIxOA==
hxxp://sedoparking.com/search/tcerider.php?f=http://zd1.november-lax.com/zcvisitor/293d5924-1e42-11e6-b462-12ce168cfdfd&v=YTlkZDlmYWIxODZmMjM2NDU3NDVhMTM4YTljMDQxOTcJMQl3dzEuc2VyZ2l3YS5jb201NzNlOTA4MmJiMDI2NS45ODY0MDkxMAl3dzEuc2VyZ2l3YS5jb201NzNlOTA4MmJiMGU0My41ODY5OTMwNgkxNDYzNzE4MDE5CWFkXzMxXzA=&l=NQlBRFMJZDBhZWU2MmM5OGM2NjcwOWYyMzc5Njc1ZGY0MTM5MDYJMC4wMDAxCTAJMTMJCTMxCTEJMQkwCWFjYjcyMDg0ZTIwOTliMGI5OWUxMTM5MzU0NDlmMTZjCQkyMzEwNDI5ODUJYwk3NTE4MjY4MQkJc2VyZ2l3YQkxMTAxCTMxCTMxCTM1CTE0NjM3MTgwMTkJMC4wMDAxNwlOCTAJMAkwCQkwLjAwMDEJCQkJCQl3dzEuc2VyZ2l3YS5jb201NzNlOTA4MmJiMDI2NS45ODY0MDkxMAkwLjAwMDE3CTAJCTEJMAkxMzc0CTkyMDY2ODI5CQkxOTQuMjQyLjk2LjIxOA==
hxxp://zd1.november-lax.com/zcvisitor/293d5924-1e42-11e6-b462-12ce168cfdfd	54.88.117.14
hxxp://zd1.november-lax.com/zcredirect?visitid=293d5924-1e42-11e6-b462-12ce168cfdfd&type=js&browserWidth=0&browserHeight=0&iframeDetected=false	54.88.117.14
hxxp://i4mqv.trackvoluum.com/zp-redirect?target=http://lzy9000.blueprint1.cpa.clicksure.com/?lp=4&s1=99737be6-2ea4-4523-be9f-85692b529ef9&s2=15d6970a-0ab5-46f5-91a8-c31da1f01eb0&s3=wPOJS4587E672CUS0RUM8J70&caid=99737be6-2ea4-4523-be9f-85692b529ef9&zpid=293d5924-1e42-11e6-b462-12ce168cfdfd&cid=wPOJS4587E672CUS0RUM8J70&rt=R
hxxp://lzy9000.blueprint1.cpa.clicksure.com/?lp=4&s1=99737be6-2ea4-4523-be9f-85692b529ef9&s2=15d6970a-0ab5-46f5-91a8-c31da1f01eb0&s3=wPOJS4587E672CUS0RUM8J70	78.137.119.123
hxxp://www.millionaires-blueprint.co/promo-offer/?c=IL&aff_id=4926&clickID=1132560031&aff=&s1=99737be6-2ea4-4523-be9f-85692b529ef9&s2=15d6970a-0ab5-46f5-91a8-c31da1f01eb0&s3=wPOJS4587E672CUS0RUM8J70&campaignid=32133	37.220.94.196
hxxp://www.millionaires-blueprint.co/promo-offer/css/styles.css	37.220.94.196
hxxp://www.millionaires-blueprint.co/promo-offer/css/video-js.css	37.220.94.196
hxxp://www.millionaires-blueprint.co/includes/bootstrap.min.css	37.220.94.196
hxxp://www.millionaires-blueprint.co/promo-offer/css/members.css	37.220.94.196
hxxp://www.millionaires-blueprint.co/promo-offer/css/font/vjs.eot?	37.220.94.196
hxxp://www.millionaires-blueprint.co/fonts/glyphicons-halflings-regular.eot?	37.220.94.196
hxxp://www.millionaires-blueprint.co/promo-offer/images/speaker.jpg	37.220.94.196
hxxp://www-google-analytics.l.google.com/analytics.js
hxxp://www.millionaires-blueprint.co/promo-offer/js/jquery-1.9.1.min.js	37.220.94.196
hxxp://splitter.binarypromos.com/api/v1/funnel.min.js?v=1.1&product=millionairesblueprint	104.20.79.100
hxxp://www.millionaires-blueprint.co/promo-offer/js/video.js	37.220.94.196
hxxp://www.millionaires-blueprint.co/includes/exit.js	37.220.94.196
hxxp://c.global-ssl.fastly.net/nr-918.min.js
hxxp://bam.nr-data.net/1/4915dfb183?a=8404545&v=918.2e0ff1d&to=YgFaNUJTC0BYBkFdXFtLbRNZHRVBVghaGVxTAl0TH1sLV1wdG0RbRQ==&rst=2407&ap=53&fe=2219&dc=2219&f=["err","ins"]&at=TkZZQwpJGE4=&jsonp=NREUM.setToken	50.31.164.173
hxxp://ww1.sergiwa.com/search/redirect.php?f=http://zd1.november-lax.com/zcvisitor/293d5924-1e42-11e6-b462-12ce168cfdfd&v=YTlkZDlmYWIxODZmMjM2NDU3NDVhMTM4YTljMDQxOTcJMQl3dzEuc2VyZ2l3YS5jb201NzNlOTA4MmJiMDI2NS45ODY0MDkxMAl3dzEuc2VyZ2l3YS5jb201NzNlOTA4MmJiMGU0My41ODY5OTMwNgkxNDYzNzE4MDE5CWFkXzMxXzA=&l=NQlBRFMJZDBhZWU2MmM5OGM2NjcwOWYyMzc5Njc1ZGY0MTM5MDYJMC4wMDAxCTAJMTMJCTMxCTEJMQkwCWFjYjcyMDg0ZTIwOTliMGI5OWUxMTM5MzU0NDlmMTZjCQkyMzEwNDI5ODUJYwk3NTE4MjY4MQkJc2VyZ2l3YQkxMTAxCTMxCTMxCTM1CTE0NjM3MTgwMTkJMC4wMDAxNwlOCTAJMAkwCQkwLjAwMDEJCQkJCQl3dzEuc2VyZ2l3YS5jb201NzNlOTA4MmJiMDI2NS45ODY0MDkxMAkwLjAwMDE3CTAJCTEJMAkxMzc0CTkyMDY2ODI5CQkxOTQuMjQyLjk2LjIxOA==	72.52.4.90
hxxp://zd1.zeroredirect11.com/zcredirect?visitid=293d5924-1e42-11e6-b462-12ce168cfdfd&type=js&browserWidth=0&browserHeight=0&iframeDetected=false	54.88.117.14
hxxp://js-agent.newrelic.com/nr-918.min.js	185.31.17.175
hxxp://en.sergiwa.com/modules/mydownloads/singlefile.php?cid=2&lid=6
hxxp://track.trackbyme.info/zp-redirect?target=http://lzy9000.blueprint1.cpa.clicksure.com/?lp=4&s1=99737be6-2ea4-4523-be9f-85692b529ef9&s2=15d6970a-0ab5-46f5-91a8-c31da1f01eb0&s3=wPOJS4587E672CUS0RUM8J70&caid=99737be6-2ea4-4523-be9f-85692b529ef9&zpid=293d5924-1e42-11e6-b462-12ce168cfdfd&cid=wPOJS4587E672CUS0RUM8J70&rt=R	52.28.41.125
hxxp://img.sedoparking.com/js/jquery-1.4.2.min.js	205.234.175.175
hxxp://ww1.sergiwa.com/	72.52.4.90
hxxp://ww1.sergiwa.com/search/tsc.php?&ses=1463718019f040e932a28694b67f42c5aa3fc6dac5&200=MjMxMDQyOTg1&21=MTk0LjI0Mi45Ni4yMTg=&681=MTQ2MzcxODAxOWYwNDBlOTMyYTI4Njk0YjY3ZjQyYzVhYTNmYzZkYWM1&682=&616=&crc=48ca082ccc3156ee64036354d684be64ce306b9d&cv=1	72.52.4.90
hxxp://www.google-analytics.com/analytics.js	173.194.113.198
hxxp://ww1.sergiwa.com/search/tcerider.php?f=http://zd1.november-lax.com/zcvisitor/293d5924-1e42-11e6-b462-12ce168cfdfd&v=YTlkZDlmYWIxODZmMjM2NDU3NDVhMTM4YTljMDQxOTcJMQl3dzEuc2VyZ2l3YS5jb201NzNlOTA4MmJiMDI2NS45ODY0MDkxMAl3dzEuc2VyZ2l3YS5jb201NzNlOTA4MmJiMGU0My41ODY5OTMwNgkxNDYzNzE4MDE5CWFkXzMxXzA=&l=NQlBRFMJZDBhZWU2MmM5OGM2NjcwOWYyMzc5Njc1ZGY0MTM5MDYJMC4wMDAxCTAJMTMJCTMxCTEJMQkwCWFjYjcyMDg0ZTIwOTliMGI5OWUxMTM5MzU0NDlmMTZjCQkyMzEwNDI5ODUJYwk3NTE4MjY4MQkJc2VyZ2l3YQkxMTAxCTMxCTMxCTM1CTE0NjM3MTgwMTkJMC4wMDAxNwlOCTAJMAkwCQkwLjAwMDEJCQkJCQl3dzEuc2VyZ2l3YS5jb201NzNlOTA4MmJiMDI2NS45ODY0MDkxMAkwLjAwMDE3CTAJCTEJMAkxMzc0CTkyMDY2ODI5CQkxOTQuMjQyLjk2LjIxOA==	72.52.4.90

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /zcredirect?visitid=293d5924-1e42-11e6-b462-12ce168cfdfd&type=js&browserWidth=0&browserHeight=0&iframeDetected=false HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: zd1.zeroredirect11.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Cache-Control: no-store, no-cache, pre-check=0, post-check=0

content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline'

x-content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline'

X-WebKit-CSP: default-src 'self'; script-src 'self' 'unsafe-inline'

redirected: JS

Content-Type: text/html;charset=UTF-8

Transfer-Encoding: chunked

Date: Fri, 20 May 2016 04:20:19 GMT

Server: ZeroPark-Traffic

36a..<!DOCTYPE html>.<html>..<head>...<META http-equiv="refresh" content="1;URL='hXXp://track.trackbyme.info/zp-redirect?target=http://lzy9000.blueprint1.cpa.clicksure.com/?lp=4&s1=99737be6-2ea4-4523-be9f-85692b529ef9&s2=15d6970a-0ab5-46f5-91a8-c31da1f01eb0&s3=wPOJS4587E672CUS0RUM8J70&caid=99737be6-2ea4-4523-be9f-85692b529ef9&zpid=293d5924-1e42-11e6-b462-12ce168cfdfd&cid=wPOJS4587E672CUS0RUM8J70&rt=R'">..</head>..<body>...<script type="text/javascript">....window.location="hXXp://track.trackbyme.info/zp-redirect?target=http://lzy9000.blueprint1.cpa.clicksure.com/?lp=4&s1=99737be6-2ea4-4523-be9f-85692b529ef9&s2=15d6970a-0ab5-46f5-91a8-c31da1f01eb0&s3=wPOJS4587E672CUS0RUM8J70&caid=99737be6-2ea4-4523-be9f-85692b529ef9&zpid=293d5924-1e42-11e6-b462-12ce168cfdfd&cid=wPOJS4587E672CUS0RUM8J70&rt=R";...</script>..</body>.</html>..0..HTTP/1.1 200 OK..Cache-Control: no-store, no-cache, pre-check=0, post-check=0..content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline'..x-content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline'..X-WebKit-CSP: default-src 'self'; script-src 'self' 'unsafe-inline'..redirected: JS..Content-Type: text/html;charset=UTF-8..Transfer-Encoding: chunked..Date: Fri, 20 May 2016 04:20:19 GMT..Server: ZeroPark-Traffic..36a..<!DOCTYPE html>.<html>..<head>...<META http-equiv="refresh" content="1;URL='hXXp://track.trackbyme.info/zp-red

<<< skipped >>>

GET /?lp=4&s1=99737be6-2ea4-4523-be9f-85692b529ef9&s2=15d6970a-0ab5-46f5-91a8-c31da1f01eb0&s3=wPOJS4587E672CUS0RUM8J70 HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: lzy9000.blueprint1.cpa.clicksure.com

Connection: Keep-Alive

HTTP/1.1 302 Found

Server: nginx/1.6.2

Content-Type: text/html; charset=UTF-8

X-Powered-By: PHP/5.5.21

Cache-Control: no-cache

Location: hXXp://VVV.millionaires-blueprint.co/promo-offer/?c=IL&aff_id=4926&clickID=1132560031&aff=&s1=99737be6-2ea4-4523-be9f-85692b529ef9&s2=15d6970a-0ab5-46f5-91a8-c31da1f01eb0&s3=wPOJS4587E672CUS0RUM8J70&campaignid=32133

P3P: policyref="hXXp://cpa.clicksure.com/w3c/p3p.xml", CP="NOI DSP COR ADM PSAo PSDo OUR SAMo UNRo OTRo BUS COM NAV DEM STA PRE"

Set-Cookie: laravel_session=1b2e164e2738839563d1a71715084c94c656190e; expires=Fri, 20-May-2016 06:20:21 GMT; Max-Age=7200; path=/; domain=cpa.clicksure.com; httponly

Set-Cookie: campaign_lp_aff_8733603=00f0ba0efbf0ece132ad4117c7903afd01ddf3cd+2016-05-20; expires=Sat, 21-May-2016 04:20:21 GMT; Max-Age=86400; path=/; domain=cpa.clicksure.com; httponly

Set-Cookie: campaign_216183=85ae5b5d7ab7c5e53daee987bbc681b82a945ebc+{"click":1132560031,"tracked":[],"tracked_time":1463718021}; expires=Sun, 19-Jun-2016 04:20:21 GMT; Max-Age=2592000; path=/; domain=cpa.clicksure.com; httponly

X-Cacheable: NO:Not Cacheable

Content-Length: 5205

Accept-Ranges: bytes

Date: Fri, 20 May 2016 04:20:21 GMT

Age: 0

Connection: keep-alive

X-Cache: MISS

Via: WebCelerate

<!DOCTYPE html>.<html>. <head>. <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><script type="text/javascript">window.NREUM||(NREUM={}),__nr_require=function(e,t,n){function r(n){if(!t[n]){var o=t[n]={exports:{}};e[n][0].call(o.exports,function(t){var o=e[n][1][t];return r(o||t)},o,o.exports)}return t[n].exports}if("function"==typeof __nr_require)return __nr_require;for(var o=0;o<n.length;o )r(n[o]);return r}({1:[function(e,t,n){function r(e,t){return function(){o(e,[(new Date).getTime()].concat(a(arguments)),null,t)}}var o=e("handle"),i=e(2),a=e(3);"undefined"==typeof window.newrelic&&(newrelic=NREUM);var u=["setPageViewName","addPageAction","setCustomAttribute","finished","addToTrace","inlineHit"],c=["addPageAction"],f="api-";i(u,function(e,t){newrelic[t]=r(f t,"api")}),i(c,function(e,t){newrelic[t]=r(f t)}),t.exports=newrelic,newrelic.noticeError=function(e){"string"==typeof e&&(e=new Error(e)),o("err",[e,(new Date).getTime()])}},{}],2:[function(e,t,n){function r(e,t){var n=[],r="",i=0;for(r in e)o.call(e,r)&&(n[i]=t(r,e[r]),i =1);return n}var o=Object.prototype.hasOwnProperty;t.exports=r},{}],3:[function(e,t,n){function r(e,t,n){t||(t=0),"undefined"==typeof n&&(n=e?e.length:0);for(var r=-1,o=n-t||0,i=Array(0>o?0:o); r<o;)i[r]=e[t r];return i}t.exports=r},{}],ee:[function(e,t,n){function r(){}function o(e){function t(e){return e&&e instanceof r?e:e?u(e,a,i):i()}function n(n,r,o){e&&e(n,r,o);for(var i=t(o),a=l(n),u=a.length,c=0;u>c;c

<<< skipped >>>

GET /nr-918.min.js HTTP/1.1

Accept: */*

Referer: hXXp://VVV.millionaires-blueprint.co/promo-offer/?c=IL&aff_id=4926&clickID=1132560031&aff=&s1=99737be6-2ea4-4523-be9f-85692b529ef9&s2=15d6970a-0ab5-46f5-91a8-c31da1f01eb0&s3=wPOJS4587E672CUS0RUM8J70&campaignid=32133

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: js-agent.newrelic.com

Connection: Keep-Alive

HTTP/1.1 200 OK

x-amz-id-2: 6J/6rr52Hu9KiLf5QffVi3DYIBt9QCYHvjGmU7pQQlw2kn8qyqXj3Ko6PcfnW Kxeef2bJCR7 I=

x-amz-request-id: 6F1F1FD74C007491

Last-Modified: Mon, 28 Mar 2016 18:05:52 GMT

ETag: "07fddb3720b5e77e10d486281e40571d"

Content-Type: application/javascript

Server: AmazonS3

Content-Length: 22729

Accept-Ranges: bytes

Date: Fri, 20 May 2016 04:20:23 GMT

Via: 1.1 varnish

Connection: keep-alive

X-Served-By: cache-fra1239-FRA

X-Cache: HIT

X-Cache-Hits: 183

X-Timer: S1463718023.806905,VS0,VE0

Vary: Accept-Encoding

Cache-Control: public, max-age=3600

!function(n,e,t){function r(t,i){if(!e[t]){if(!n[t]){var a="function"==typeof __nr_require&&__nr_require;if(!i&&a)return a(t,!0);if(o)return o(t,!0);throw new Error("Cannot find module '" t "'")}var s=e[t]={exports:{}};n[t][0].call(s.exports,function(e){var o=n[t][1][e];return r(o||e)},s,s.exports)}return e[t].exports}for(var o="function"==typeof __nr_require&&__nr_require,i=0;i<t.length;i )r(t[i]);return r}({1:[function(n,e,t){e.exports=function(n,e){return"addEventListener"in window?addEventListener(n,e,!1):"attachEvent"in window?attachEvent("on" n,e):void 0}},{}],2:[function(n,e,t){function r(n,e,t,r){l("bstAgg",[n,e,t,r]),p[n]||(p[n]={});var i=p[n][e];return i||(i=p[n][e]={params:t||{}}),i.metrics=o(r,i.metrics),i}function o(n,e){return e||(e={count:0}),e.count =1,c(n,function(n,t){e[n]=i(t,e[n])}),e}function i(n,e){return e?(e&&!e.c&&(e={t:e.t,min:e.t,max:e.t,sos:e.t*e.t,c:1}),e.c =1,e.t =n,e.sos =n*n,n>e.max&&(e.max=n),n<e.min&&(e.min=n),e):{t:n}}function a(n,e){return e?p[n]&&p[n][e]:p[n]}function s(n){for(var e={},t="",r=!1,o=0;o<n.length;o )t=n[o],e[t]=u(p[t]),e[t].length&&(r=!0),delete p[t];return r?e:null}function u(n){return"object"!=typeof n?[]:c(n,f)}function f(n,e){return e}var c=n(30),l=n("handle"),p={};e.exports={store:r,take:s,get:a}},{}],3:[function(n,e,t){function r(n,e,t){"string"==typeof e&&("/"!==e.charAt(0)&&(e="/" e),d.customTransaction=(t||"hXXp://custom.transaction") e)}function o(n,e){var t=e||n;f.store("cm","finished",{name:"finished"},{time:t-d.offset}),i(n,{name:"fin

<<< skipped >>>

GET /search/tsc.php?&ses=1463718019f040e932a28694b67f42c5aa3fc6dac5&200=MjMxMDQyOTg1&21=MTk0LjI0Mi45Ni4yMTg=&681=MTQ2MzcxODAxOWYwNDBlOTMyYTI4Njk0YjY3ZjQyYzVhYTNmYzZkYWM1&682=&616=&crc=48ca082ccc3156ee64036354d684be64ce306b9d&cv=1 HTTP/1.1

x-requested-with: XMLHttpRequest

Accept-Language: en-us

Referer: hXXp://ww1.sergiwa.com/

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: ww1.sergiwa.com

Connection: Keep-Alive

Cookie: tu=c6643c217733cb748736e5135c86d86c; NSC_tfep-83 63 5 01-91=ffffffff516a73d445525d5f4f58455e445a4a423660

HTTP/1.0 200 OK

Date: Fri, 20 May 2016 04:20:19 GMT

Server: Apache/2.2.22 (Debian)

Vary: Accept-Encoding

Content-Encoding: gzip

Content-Length: 20

Content-Type: text/html; charset=UTF-8

X-Cache: MISS from 440444

nnCoection: close

Connection: Keep-Alive

........................

GET /search/redirect.php?f=http://zd1.november-lax.com/zcvisitor/293d5924-1e42-11e6-b462-12ce168cfdfd&v=YTlkZDlmYWIxODZmMjM2NDU3NDVhMTM4YTljMDQxOTcJMQl3dzEuc2VyZ2l3YS5jb201NzNlOTA4MmJiMDI2NS45ODY0MDkxMAl3dzEuc2VyZ2l3YS5jb201NzNlOTA4MmJiMGU0My41ODY5OTMwNgkxNDYzNzE4MDE5CWFkXzMxXzA=&l=NQlBRFMJZDBhZWU2MmM5OGM2NjcwOWYyMzc5Njc1ZGY0MTM5MDYJMC4wMDAxCTAJMTMJCTMxCTEJMQkwCWFjYjcyMDg0ZTIwOTliMGI5OWUxMTM5MzU0NDlmMTZjCQkyMzEwNDI5ODUJYwk3NTE4MjY4MQkJc2VyZ2l3YQkxMTAxCTMxCTMxCTM1CTE0NjM3MTgwMTkJMC4wMDAxNwlOCTAJMAkwCQkwLjAwMDEJCQkJCQl3dzEuc2VyZ2l3YS5jb201NzNlOTA4MmJiMDI2NS45ODY0MDkxMAkwLjAwMDE3CTAJCTEJMAkxMzc0CTkyMDY2ODI5CQkxOTQuMjQyLjk2LjIxOA== HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: ww1.sergiwa.com

Connection: Keep-Alive

Cookie: tu=c6643c217733cb748736e5135c86d86c; NSC_tfep-83 63 5 01-91=ffffffff516a73d445525d5f4f58455e445a4a423660

HTTP/1.0 302 Moved Temporarily

Date: Fri, 20 May 2016 04:20:19 GMT

Server: Apache

X-Powered-By: PHP/5.3.3-7 squeeze28

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Last-Modified: Fri, 20 May 2016 04:20:19 GMT

Cache-Control: no-store, no-cache, must-revalidate

Cache-Control: post-check=0, pre-check=0

Pragma: no-cache

Location: hXXp://ww1.sergiwa.com/search/tcerider.php?f=http://zd1.november-lax.com/zcvisitor/293d5924-1e42-11e6-b462-12ce168cfdfd&v=YTlkZDlmYWIxODZmMjM2NDU3NDVhMTM4YTljMDQxOTcJMQl3dzEuc2VyZ2l3YS5jb201NzNlOTA4MmJiMDI2NS45ODY0MDkxMAl3dzEuc2VyZ2l3YS5jb201NzNlOTA4MmJiMGU0My41ODY5OTMwNgkxNDYzNzE4MDE5CWFkXzMxXzA=&l=NQlBRFMJZDBhZWU2MmM5OGM2NjcwOWYyMzc5Njc1ZGY0MTM5MDYJMC4wMDAxCTAJMTMJCTMxCTEJMQkwCWFjYjcyMDg0ZTIwOTliMGI5OWUxMTM5MzU0NDlmMTZjCQkyMzEwNDI5ODUJYwk3NTE4MjY4MQkJc2VyZ2l3YQkxMTAxCTMxCTMxCTM1CTE0NjM3MTgwMTkJMC4wMDAxNwlOCTAJMAkwCQkwLjAwMDEJCQkJCQl3dzEuc2VyZ2l3YS5jb201NzNlOTA4MmJiMDI2NS45ODY0MDkxMAkwLjAwMDE3CTAJCTEJMAkxMzc0CTkyMDY2ODI5CQkxOTQuMjQyLjk2LjIxOA==

Vary: User-Agent,Accept-Encoding

Content-Encoding: gzip

Content-Length: 20

Content-Type: text/html

X-Cache: MISS from 190779

Cneonction: close

Connection: Keep-Alive

........................

GET /search/tcerider.php?f=http://zd1.november-lax.com/zcvisitor/293d5924-1e42-11e6-b462-12ce168cfdfd&v=YTlkZDlmYWIxODZmMjM2NDU3NDVhMTM4YTljMDQxOTcJMQl3dzEuc2VyZ2l3YS5jb201NzNlOTA4MmJiMDI2NS45ODY0MDkxMAl3dzEuc2VyZ2l3YS5jb201NzNlOTA4MmJiMGU0My41ODY5OTMwNgkxNDYzNzE4MDE5CWFkXzMxXzA=&l=NQlBRFMJZDBhZWU2MmM5OGM2NjcwOWYyMzc5Njc1ZGY0MTM5MDYJMC4wMDAxCTAJMTMJCTMxCTEJMQkwCWFjYjcyMDg0ZTIwOTliMGI5OWUxMTM5MzU0NDlmMTZjCQkyMzEwNDI5ODUJYwk3NTE4MjY4MQkJc2VyZ2l3YQkxMTAxCTMxCTMxCTM1CTE0NjM3MTgwMTkJMC4wMDAxNwlOCTAJMAkwCQkwLjAwMDEJCQkJCQl3dzEuc2VyZ2l3YS5jb201NzNlOTA4MmJiMDI2NS45ODY0MDkxMAkwLjAwMDE3CTAJCTEJMAkxMzc0CTkyMDY2ODI5CQkxOTQuMjQyLjk2LjIxOA== HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: ww1.sergiwa.com

Connection: Keep-Alive

Cookie: tu=c6643c217733cb748736e5135c86d86c; NSC_tfep-83 63 5 01-91=ffffffff516a73d445525d5f4f58455e445a4a423660

HTTP/1.0 302 Moved Temporarily

Date: Fri, 20 May 2016 04:20:19 GMT

Server: Apache

X-Powered-By: PHP/5.3.3-7 squeeze28

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Last-Modified: Fri, 20 May 2016 04:20:19 GMT

Cache-Control: no-store, no-cache, must-revalidate

Cache-Control: post-check=0, pre-check=0

Pragma: no-cache

Location: hXXp://zd1.november-lax.com/zcvisitor/293d5924-1e42-11e6-b462-12ce168cfdfd

Vary: User-Agent,Accept-Encoding

Content-Encoding: gzip

Content-Length: 185

Content-Type: text/html

X-Cache: MISS from 100825

Cneonction: close

Connection: Keep-Alive

............A.. .....n...kc.8..c..(.."-J....j..n..........m..!k.r.cx<.$..].....!..e.9...$.....ed...-$.......L~.9&....5...*.....U.$n..{....J.Uo.} ..XTY.O(.9.......9H..!HP...J.7|.........HTTP/1.0 302 Moved Temporarily..Date: Fri, 20 May 2016 04:20:19 GMT..Server: Apache..X-Powered-By: PHP/5.3.3-7 squeeze28..Expires: Mon, 26 Jul 1997 05:00:00 GMT..Last-Modified: Fri, 20 May 2016 04:20:19 GMT..Cache-Control: no-store, no-cache, must-revalidate..Cache-Control: post-check=0, pre-check=0..Pragma: no-cache..Location: hXXp://zd1.november-lax.com/zcvisitor/293d5924-1e42-11e6-b462-12ce168cfdfd..Vary: User-Agent,Accept-Encoding..Content-Encoding: gzip..Content-Length: 185..Content-Type: text/html..X-Cache: MISS from 100825..Cneonction: close..Connection: Keep-Alive..............A.. .....n...kc.8..c..(.."-J....j..n..........m..!k.r.cx<.$..].....!..e.9...$.....ed...-$.......L~.9&....5...*.....U.$n..{....J.Uo.} ..XTY.O(.9.......9H..!HP...J.7|...........

<<< skipped >>>

GET /modules/mydownloads/singlefile.php?cid=2&lid=6 HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: en.sergiwa.com

Connection: Keep-Alive

HTTP/1.1 302 Found

Date: Fri, 20 May 2016 04:20:18 GMT

Server: Apache/2.2.15 (Linux)

X-Powered-By: PHP/5.5.35

Location: hXXp://ww1.sergiwa.com

Content-Length: 1

Connection: close

Content-Type: text/html; charset=UTF-8

...

GET /zcvisitor/293d5924-1e42-11e6-b462-12ce168cfdfd HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: zd1.november-lax.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Cache-Control: no-store, no-cache, pre-check=0, post-check=0

content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline'

x-content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline'

X-WebKit-CSP: default-src 'self'; script-src 'self' 'unsafe-inline'

Content-Type: text/html;charset=UTF-8

Transfer-Encoding: chunked

Date: Fri, 20 May 2016 04:20:19 GMT

Server: ZeroPark-Traffic

3ef..<!DOCTYPE html>.<html>..<head>...<META http-equiv="refresh" content="1;URL='hXXp://zd1.zeroredirect11.com/zcredirect?visitid=293d5924-1e42-11e6-b462-12ce168cfdfd&type=meta'">..</head>..<body>...<script type="text/javascript">....setTimeout(function () {.....var pageWidth = window.innerWidth ? window.innerWidth : (document.documentElement && document.documentElement.clientWidth ? document.documentElement.clientWidth : document.getElementsByTagName('body')[0].clientWidth);.....var pageHeight = window.innerHeight ? window.innerHeight : (document.documentElement && document.documentElement.clientHeight ? document.documentElement.clientHeight : document.getElementsByTagName('body')[0].clientHeight);.....var iframeDetected = window.self !== window.top;.....window.location="hXXp://zd1.zeroredirect11.com/zcredirect?visitid=293d5924-1e42-11e6-b462-12ce168cfdfd&type=js&browserWidth=" pageWidth "&browserHeight=" pageHeight "&iframeDetected=" iframeDetected;....}, 1);...</script>..</body>.</html>..0..

GET /1/4915dfb183?a=8404545&v=918.2e0ff1d&to=YgFaNUJTC0BYBkFdXFtLbRNZHRVBVghaGVxTAl0TH1sLV1wdG0RbRQ==&rst=2407&ap=53&fe=2219&dc=2219&f=["err","ins"]&at=TkZZQwpJGE4=&jsonp=NREUM.setToken HTTP/1.1

Accept: */*

Referer: hXXp://VVV.millionaires-blueprint.co/promo-offer/?c=IL&aff_id=4926&clickID=1132560031&aff=&s1=99737be6-2ea4-4523-be9f-85692b529ef9&s2=15d6970a-0ab5-46f5-91a8-c31da1f01eb0&s3=wPOJS4587E672CUS0RUM8J70&campaignid=32133

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: bam.nr-data.net

Connection: Keep-Alive

HTTP/1.1 200 OK

Set-Cookie: JSESSIONID=a5ad3657d0b93b5a;Path=/;Domain=.nr-data.net

Expires: Thu, 01 Jan 1970 00:00:00 GMT

Content-Type: text/javascript;charset=ISO-8859-1

Content-Length: 57

NREUM.setToken({'stn':0,'err':0,'ins':0,'cap':0,'spa':0})HTTP/1.1 200 OK..Set-Cookie: JSESSIONID=a5ad3657d0b93b5a;Path=/;Domain=.nr-data.net..Expires: Thu, 01 Jan 1970 00:00:00 GMT..Content-Type: text/javascript;charset=ISO-8859-1..Content-Length: 57..NREUM.setToken({'stn':0,'err':0,'ins':0,'cap':0,'spa':0})..

GET /zp-redirect?target=http://lzy9000.blueprint1.cpa.clicksure.com/?lp=4&s1=99737be6-2ea4-4523-be9f-85692b529ef9&s2=15d6970a-0ab5-46f5-91a8-c31da1f01eb0&s3=wPOJS4587E672CUS0RUM8J70&caid=99737be6-2ea4-4523-be9f-85692b529ef9&zpid=293d5924-1e42-11e6-b462-12ce168cfdfd&cid=wPOJS4587E672CUS0RUM8J70&rt=R HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: track.trackbyme.info

Connection: Keep-Alive

HTTP/1.1 302 Found

Cache-Control: no-store, no-cache, pre-check=0, post-check=0

Date: Fri, 20 May 2016 04:20:20 GMT

Expires: Thu, 01 Jan 1970 00:00:00 GMT

Location: hXXp://lzy9000.blueprint1.cpa.clicksure.com/?lp=4&s1=99737be6-2ea4-4523-be9f-85692b529ef9&s2=15d6970a-0ab5-46f5-91a8-c31da1f01eb0&s3=wPOJS4587E672CUS0RUM8J70

Pragma: no-cache

Server: Voluum-Traffic/1.0

Set-Cookie: 99737be6-2ea4-4523-be9f-85692b529ef9-v4=99737be6-2ea4-4523-be9f-85692b529ef9; Domain=track.trackbyme.info; Path=/; HttpOnly

Set-Cookie: voluum-cid-v4={ "cid" : "wPOJS4587E672CUS0RUM8J70", "caid" : "99737be6-2ea4-4523-be9f-85692b529ef9"}; Domain=track.trackbyme.info; Expires=Sat, 20-May-2017 04:20:20 GMT; Path=/; HttpOnly

X-Robots-Tag: noindex, nofollow

Content-Length: 0

Connection: keep-alive

HTTP/1.1 302 Found..Cache-Control: no-store, no-cache, pre-check=0, post-check=0..Date: Fri, 20 May 2016 04:20:20 GMT..Expires: Thu, 01 Jan 1970 00:00:00 GMT..Location: hXXp://lzy9000.blueprint1.cpa.clicksure.com/?lp=4&s1=99737be6-2ea4-4523-be9f-85692b529ef9&s2=15d6970a-0ab5-46f5-91a8-c31da1f01eb0&s3=wPOJS4587E672CUS0RUM8J70..Pragma: no-cache..Server: Voluum-Traffic/1.0..Set-Cookie: 99737be6-2ea4-4523-be9f-85692b529ef9-v4=99737be6-2ea4-4523-be9f-85692b529ef9; Domain=track.trackbyme.info; Path=/; HttpOnly..Set-Cookie: voluum-cid-v4={ "cid"%20: "wPOJS4587E672CUS0RUM8J70", "caid" : %2299737be6-2ea4-4523-be9f-85692b529ef9"}; Domain=track.trackbyme.info; Expires=Sat, 20-May-2017 04:20:20 GMT; Path=/; HttpOnly..X-Robots-Tag: noindex, nofollow..Content-Length: 0..Connection: keep-alive..

<<< skipped >>>

GET /api/v1/funnel.min.js?v=1.1&product=millionairesblueprint HTTP/1.1

Accept: */*

Referer: hXXp://VVV.millionaires-blueprint.co/promo-offer/?c=IL&aff_id=4926&clickID=1132560031&aff=&s1=99737be6-2ea4-4523-be9f-85692b529ef9&s2=15d6970a-0ab5-46f5-91a8-c31da1f01eb0&s3=wPOJS4587E672CUS0RUM8J70&campaignid=32133

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: splitter.binarypromos.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Fri, 20 May 2016 04:20:22 GMT

Content-Type: application/javascript

Content-Length: 10294

Connection: keep-alive

Set-Cookie: __cfduid=d5232066c47f627b36d04e2389074ef8a1463718022; expires=Sat, 20-May-17 04:20:22 GMT; path=/; domain=.binarypromos.com; HttpOnly

Last-Modified: Mon, 21 Dec 2015 17:27:52 GMT

ETag: "8b40-5276bcf09ad7d-gzip"

Cache-Control: public, max-age=290304000

Expires: Fri, 01 Aug 2025 04:20:22 GMT

Content-Encoding: gzip

CF-Cache-Status: HIT

Accept-Ranges: bytes

Server: cloudflare-nginx

CF-RAY: 2a5cfeeb61e405b5-ARN

...........}k{.H.... l6...FR2........xb;....H.O.-.-..P....~....E..=...<..}........[...7.........a7...87..|8O|.')..Q..C.. .6.d...=...F..:M...C.c.-.Q..(.....u...Qm...)..o...k..:..... L7p.0.....'...'.<.a..lt...8.I..C....`$......v:..!.`./..q.....3.XC#.n).Pt...I.g.......u..._7..).[......kkg..Ds.8.f.=..4.n..Cn.......C.@.......O0:.r ..&.... I.<...\..:.....7.."......u..O.>pc......|_........%.7....'~.....<2......i<;....`.......m......=g.Q.O.,.Pw:@..>.;....~.F:Z..'.7..n...z@.B7.,...........}.(p..^....HN.a...0,'O..o4=%.5.Q.hP%...2..Oz|...G .lr.....[.....E...z....}..5..c.....V|..S.....9..|1<0.........@]g.*..4...1"......`Y..$...0..f.....6...........:.n....d.2.S.......=,.E....,.:X.V...eF.p,..|,..2.....v..=c" ....q.$...W........._..Z....H.......H.4I.]......8..b..(b\.... ...&..q.!?'......... !..i.p....jC.~.#.k......w..pGN......fI.g....Zq..._....@.0.S..%....i...Q...Y..,aj...n#..I.h' ......;P.d.............gs..!.....k..-r".jeN.... . .Y.J>..$Li.....w....d1..5.....*.B..f......P.).tB.....ng.dg1....[2.....v..BT..]..<....6....$q..R.0.5h..)._k..}...Q^V..g...J. .....g........?../....W..W_7...T7...>....'.......D_..}..}.#...../.I...j=....W.....}.......R_.....n8....&3....%9...TO..z^;.#v.....^.T.i~.w}...Z....!.~.O.....Z...zn....z.x..z...k=b......... .F..o. .j. ....oso.4....o.J....o.dy...[=3.m"6W..N/.......wz..N.-..4...Vw.wz..NO.wzvx.W{.....G}.^...y..^.........'..?....=;....'.........;..}._..G....Q......Z\..R.\....Y.$?.Y...fR!...K...{...........|^.\....9.\...7..u.s= ...;oJhep=Q...|.....Fu....=./...B....Kr.W.

<<< skipped >>>

GET / HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: ww1.sergiwa.com

Connection: Keep-Alive

HTTP/1.0 200 OK

Date: Fri, 20 May 2016 04:20:18 GMT

Server: Apache

X-Powered-By: PHP/5.3.3-7 squeeze29

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Last-Modified: Fri, 20 May 2016 04:20:18 GMT

Cache-Control: no-store, no-cache, must-revalidate

Cache-Control: post-check=0, pre-check=0

Pragma: no-cache

Set-Cookie: tu=c6643c217733cb748736e5135c86d86c; expires=Tue, 31-Dec-2019 23:00:00 GMT; path=/; domain=sergiwa.com; httponly

X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_KoCF4Mdr2JMnAS7DASaKopPFXXseO5fU xwzWvHGID7usWBQ9i8yO JspLiVfv5YIpOoVyGqVEzq6qrj5KVDOw==

Vary: User-Agent,Accept-Encoding

Content-Encoding: gzip

Content-Length: 2907

Content-Type: text/html; charset=UTF-8

X-Cache: MISS from 891047

nnCoection: close

Connection: Keep-Alive

Set-Cookie: NSC_tfep-83 63 5 01-91=ffffffff516a73d445525d5f4f58455e445a4a423660;path=/;httponly

...........X........_..35]a..V.....(.C....q..........M...fb....".9'.d~...~..Sg.....L./.._..J..r.$s..k&=y^...._2s.T.....t.r...7.8e.S..k...2..........L.U4...w........h....$K.s...h.....b...-..1iX.... ...y.]O&.z.fsRvs\.O.f....%;...C...q.....Z.Knt)..5..../.g).. .X..l...;.}._..z.qj=.. b.r.|N..B..........y.C._>.e.xH...I.....).P....|...N...am..,}8.......}..."...W ..E..c..V.f.......$<.H.%.^.dy.\J$t.S...aj...|.{H.{.I.K.....l..h.).MU.F_.?c..l....A.v..z...9......A....n.&....\O.....f*.........(.I.U.....<@.<&..R..*...H...?\=........MCs.....G..p.N.&...v..<V..]fm..Iw..S[.8.F...h._rWR=..#`. ..'`.}.i.....H.twm.w......O.....f..c....<P..)g. s..<.".3.K.@..Ge.F.M...{.g....k.A.2.aJ........GD......y......TKW.1s.Z....%\B:9..2......SR.6R.l....X..).8.%.G....A..4.......).... ..f...'....=a......3.D....H.[.....^...9.*....BC...$..?.XI.|2.q` yC....R.sO..6..`.i........4?...8Zy...Z.pf.."........1.j..e....;s.....f'0..9]....BP.xk.L...].....j(.....<..qr...;U.....jeF.....[m..kB.E^.4A..sY.I-bI........4r.|g..'v...yg/..=.o..Bv..G...&...`&&o6....C..S. .!W;Q....R.@od..oQ.spu.n.....-.P .........\.ZZC=....D..K......'{...Wu.K..S.]...[=ncM.......t.............t}.......l....b._..c....._..................E.....4..J.~3..Q.....n6.W....\.*....5.jRy.*.K.._...#.I.(f.2 ..:.9.....M.|.(K...@.......1.?....Z.C9...U..4.b...c...............^.k.^f..%..m...g....i5*..Y......W&...%..Y.F.tfb..*...{..)A-n*..A.U.w...(..%...`t....I.-.d.Kt.i..%..}fJ.c.....!..I-..1...;*.f..wI.).p..V....O.f%a......z..l,b.z....Dl.....V.......)......t.$.E..b..s=YF........k.-.L

<<< skipped >>>

GET /js/jquery-1.4.2.min.js HTTP/1.1

Accept: */*

Referer: hXXp://ww1.sergiwa.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: img.sedoparking.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Fri, 20 May 2016 04:20:19 GMT

Content-Type: application/x-javascript

Transfer-Encoding: chunked

Connection: keep-alive

Vary: Accept-Encoding

Access-Control-Allow-Origin: *

X-CFHash: "0d658c3f0a7efaa05a6fcee9758231b3"

Last-Modified: Mon, 18 Apr 2016 10:42:48 GMT

X-CF3: M

CF4Age: 0

CF4ttl: 31536000.000

X-CF2: H

Server: CFS 0213

X-CF1: 11696:fB.fra2:cf:cacheA.fra2-v:H

Content-Encoding: gzip

6876..............y_........Y.<n......e......`..*....K.........%....s....?-j..%2.....~$'......?8 ...B...A.8(dAaX.......B.0 .....0._..J...BRX-..G.].J..p..>..|......B..M..-......q....a....?..>=L.O...R...U..ne<p%Jq.\.......~.t..?*...$.f..?.._...^...a.$ .......u.....nw.0...n.U.......2..F..H.T.g]......w........r...........~....k..x.......e.......y...?...........QfB...........(./].W....u.})....Z!.Z.......=..Zg..J=.......A..'.....[.,..............O{.....>.{.....(....B..KA7.le...?.}.q%..O....o.KA.....o....,/L....t.........2..|.......~...o...*...N.Ui.A.K.<....V...... .... ..J|....u."..;.....A.._...............z.Cj.J....A.d.^...v..z)....M..~.4v..:.J........N..........T..X.0..................M...V..RR.......n.7.Pa.....o.'.R..V...I....J...nL?....u..........\....=.r.......`.|.Q..'s.nyF..QiW.........T..W... ....r.........U}^j......k-z..i...nmT..{..=.....(b.......n<.....{...L.../.)<..R%l...Ye.O.5....wzc_..J......}....G:r....5..~X...8T9C.3z.].f.u-....?~.P..Vx......v1.T Q1..^..MP.....6...w..&..,.]5....X....._...R.p....-..vc7..p..P6...{.....:.......M.......{.V..X.....'.00..@.....BI...B........{V.X)....Rq..P,....qg9...a&l0^..n`......z.zj...k...j..M....... ..w}..O'.C..~.m......P..2.m..$H.k.O.U(..;.G[%........b.^..u.{.R=*..bY.^..q.F.o..%..QX. C.Q_pU.Zo.B.?.\....y..T.h..U..A.A...[G..u..Q....J...u. ...O&7.A........A..X`8...A<..S&1.$.e.......b 7. .N.....\.b..).'..[.~... .;...._J ...V...".R8Vu.....v..K).^./...|..:.n.}o%>..c..X.,>-.T.Ss.....)......... .u..v....`.vP....v^tuw..P.-...zaaTb...:.t...[.AG....M

<<< skipped >>>

GET /promo-offer/?c=IL&aff_id=4926&clickID=1132560031&aff=&s1=99737be6-2ea4-4523-be9f-85692b529ef9&s2=15d6970a-0ab5-46f5-91a8-c31da1f01eb0&s3=wPOJS4587E672CUS0RUM8J70&campaignid=32133 HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.millionaires-blueprint.co

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx

Content-Type: text/html

Vary: Accept-Encoding

Set-Cookie: aff=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/

Set-Cookie: clickID=1132560031; expires=Sun, 19-Jun-2016 04:20:38 GMT; path=/

Set-Cookie: clickId=1132560031; expires=Sun, 19-Jun-2016 04:20:38 GMT; path=/

Content-Encoding: gzip

X-Cacheable: YES

Content-Length: 7099

Accept-Ranges: bytes

Date: Fri, 20 May 2016 04:20:21 GMT

Age: 0

Connection: keep-alive

X-Cache: MISS

...........<.v.8....4gW!..%..M2.......i.Iw.Z'."!..E.y....A...e[..$(Qq:.{69.&q)..^..G{>..e..Y6...v.../.i...o.IM#...5......h../....e..f4IY..y6i?57.gY....yp......=>.i..Cf...2.......2..(.. ..D.53v.u...*[.ck.D>_8.W.....Y...Z...r...3...Swu..~..4}z......Ez...._O.?..z.....9J>'.n..I.yY.# #.D..x7..........^.....>. v..$K...z.A..;r<...wT.)..b......h..,Op.~w..5...h.U'.T4.....h....O.}......&<.....?...E.l6...6.n.Gv...Z...o.#.WY.\...>.!k....d..k.f....^.5I.f...i..O.C..@..B.n..`.2..)s.,{...e..'!.....q......5.....jY%~.^..{{.....v{.$...i.A.......|5(J^.a..<..jn....d. .ID.6K......^@4'.......k..&...GKz.W.fX.e^\..../..7....O.o/....w./..<0B..o...Jk`..dq.../<...a..'.Z...o3.[HB.d.....^?..".C...-...G..,;..X.A..tK.t....).p...1......e...H'.R...ON&...pie. %...4...Im...[.[.....9s.. .nvwg.#..Hc.d3#........."..9...1?.y...Wo]&.. bnT-.Q.Jre...-...m....K.y..S...O.....U..G._..{=...{..Q .K..A-.H6..w....,...q:.VE..^.B.A....0......ML .....m..M.T`...je. .9......C......F..6h..}..d....R......-5....b..n....O.|m.....i..........6W...G).J....Jc_.. J.{9..>..n@.1f......o.9Y0..ic. |.eI....5.S....m..S).O.A...,.b... (...............x..h..~....mz..q.}.........\..\..&.....#....O*..DB...]..P..`.4H..J|P|P.v.T.:...&~.Q..........f.Q ......9.......el.z.=.O.E51.=.f"8..........-3......P....`.=.6.'%.bO..yu5l.M...M..t..B)...q.kX@e9Ij.8.L`x..M.,...~..W.M.v..X..........l.5..?. 1x.{#6..H....C&....G~k.W.....;.za..U.[K...>._.....@......"z.p.l..r{`3.r..y.R.:2.A.....9.~o.$.v...c..0'...m......9B."b.Z8.\..p......{l[T.)S.....wo_Cfx%.......1..

<<< skipped >>>

GET /promo-offer/css/styles.css HTTP/1.1

Accept: */*

Referer: hXXp://VVV.millionaires-blueprint.co/promo-offer/?c=IL&aff_id=4926&clickID=1132560031&aff=&s1=99737be6-2ea4-4523-be9f-85692b529ef9&s2=15d6970a-0ab5-46f5-91a8-c31da1f01eb0&s3=wPOJS4587E672CUS0RUM8J70&campaignid=32133

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.millionaires-blueprint.co

Connection: Keep-Alive

Cookie: clickID=1132560031; clickId=1132560031

HTTP/1.1 200 OK

Server: nginx

Content-Type: text/css

Last-Modified: Thu, 03 Mar 2016 17:18:35 GMT

Cache-Control: max-age=7200 public

reset-client-side-age: 1

X-Cacheable: YES

Content-Length: 2156

Accept-Ranges: bytes

Date: Fri, 20 May 2016 04:20:21 GMT

Age: 6289

Connection: keep-alive

X-Cache: HIT

body {. font-family: 'Helvetica', 'Arial', sans-serif;. text-align: center;. line-height: 2em;. background-color: black;. color: white;.}.body h1 {. margin: 30px 0 0 0;. padding: 0;. line-height: 1em;.}.body h1 strong {. color: red;.}.body h3 {. margin: 10px 0;. padding: 0;. line-height: 1em;.}.body h3 strong {. font-size: 1.7em;. color: yellow;.}.body h5 {. margin: 0 0 10px 0;. padding: 0;. font-size: 1em;. color: white;.}.body h4 {. font-size: 1.5em;. color: yellow;.}.body iframe.wistia_embed {. width: 650px;. height: 365px;. margin: 0 auto;. border: none;.}.body .form {. width: 40%;. margin: 10px auto;. padding: 10px;. background: #0f0f0f;. border-radius: 3px;. -moz-border-radius: 3px;. -webkit-border-radius: 3px;.}.body .form h4 {. margin: 0;. padding: 10px;. color: #fff;.}.body .form form {. display: block;.}.body .form form input {. width: 85%;. margin: 10px auto;. display: block;.}.body .form form input[type="text"] {. padding: 10px;. border: 3px solid #000;. border-radius: 6px;. -moz-border-radius: 6px;. -webkit-border-radius: 6px;. font-size: 1.2em;. color: #000;.}.body .form form input[type="submit"] {. width: 450px;. height: 98px;. display: block;. background: url('../images/register_now_button.png') center no-repeat transparent;. border: 0;. box-shadow: none;. text-indent: -10000%;.}.body .form form input[type="submit"]:hover {. cursor: pointe

<<< skipped >>>

GET /includes/bootstrap.min.css HTTP/1.1

Accept: */*

Referer: hXXp://VVV.millionaires-blueprint.co/promo-offer/?c=IL&aff_id=4926&clickID=1132560031&aff=&s1=99737be6-2ea4-4523-be9f-85692b529ef9&s2=15d6970a-0ab5-46f5-91a8-c31da1f01eb0&s3=wPOJS4587E672CUS0RUM8J70&campaignid=32133

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.millionaires-blueprint.co

Connection: Keep-Alive

Cookie: clickID=1132560031; clickId=1132560031

HTTP/1.1 200 OK

Server: nginx

Content-Type: text/css

Last-Modified: Thu, 03 Mar 2016 17:18:35 GMT

Cache-Control: max-age=7200 public

reset-client-side-age: 1

X-Cacheable: YES

Content-Length: 122540

Accept-Ranges: bytes

Date: Fri, 20 May 2016 04:20:21 GMT

Age: 6301

Connection: keep-alive

X-Cache: HIT

/*!. * Bootstrap v3.3.5 (hXXp://getbootstrap.com). * Copyright 2011-2015 Twitter, Inc.. * Licensed under MIT (hXXps://github.com/twbs/bootstrap/blob/master/LICENSE). *//*! normalize.css v3.0.3 | MIT License | github.com/necolas/normalize.css */html{font-family:sans-serif;-webkit-text-size-adjust:100%;-ms-text-size-adjust:100%}body{margin:0}article,aside,details,figcaption,figure,footer,header,hgroup,main,menu,nav,section,summary{display:block}audio,canvas,progress,video{display:inline-block;vertical-align:baseline}audio:not([controls]){display:none;height:0}[hidden],template{display:none}a{background-color:transparent}a:active,a:hover{outline:0}abbr[title]{border-bottom:1px dotted}b,strong{font-weight:700}dfn{font-style:italic}h1{margin:.67em 0;font-size:2em}mark{color:#000;background:#ff0}small{font-size:80%}sub,sup{position:relative;font-size:75%;line-height:0;vertical-align:baseline}sup{top:-.5em}sub{bottom:-.25em}img{border:0}svg:not(:root){overflow:hidden}figure{margin:1em 40px}hr{height:0;-webkit-box-sizing:content-box;-moz-box-sizing:content-box;box-sizing:content-box}pre{overflow:auto}code,kbd,pre,samp{font-family:monospace,monospace;font-size:1em}button,input,optgroup,select,textarea{margin:0;font:inherit;color:inherit}button{overflow:visible}button,select{text-transform:none}button,html input[type=button],input[type=reset],input[type=submit]{-webkit-appearance:button;cursor:pointer}button[disabled],html input[disabled]{cursor:default}button::-moz-focus-inner,input::-moz-focus-inner{padding:0;border:0}

<<< skipped >>>

GET /promo-offer/images/speaker.jpg HTTP/1.1

Accept: */*

Referer: hXXp://VVV.millionaires-blueprint.co/promo-offer/?c=IL&aff_id=4926&clickID=1132560031&aff=&s1=99737be6-2ea4-4523-be9f-85692b529ef9&s2=15d6970a-0ab5-46f5-91a8-c31da1f01eb0&s3=wPOJS4587E672CUS0RUM8J70&campaignid=32133

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.millionaires-blueprint.co

Connection: Keep-Alive

Cookie: clickID=1132560031; clickId=1132560031

HTTP/1.1 200 OK

Server: nginx

Content-Type: image/jpeg

Last-Modified: Thu, 03 Mar 2016 17:18:35 GMT

Cache-Control: max-age=7200 public

reset-client-side-age: 1

X-Cacheable: YES

Content-Length: 1816

Accept-Ranges: bytes

Date: Fri, 20 May 2016 04:20:22 GMT

Age: 6297

Connection: keep-alive

X-Cache: HIT

......Exif..II*.................Ducky.......P.....1hXXp://ns.adobe.com/xap/1.0/.<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c014 79.156797, 2014/08/20-09:53:02 "> <rdf:RDF xmlns:rdf="http://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CC 2014 (Macintosh)" xmpMM:InstanceID="xmp.iid:712A2F87BF4B11E499FB949779439A45" xmpMM:DocumentID="xmp.did:712A2F88BF4B11E499FB949779439A45"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:712A2F85BF4B11E499FB949779439A45" stRef:documentID="xmp.did:712A2F86BF4B11E499FB949779439A45"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>....Adobe.d..............................................................................................................................................................................................................................................!.1.345."2b.T.Qaq..BRr.............................!1A..Q..a..2..."#............?.(.}..N....h^H.W..R.o..P)...y[@Mn...h..sE.x.l..Z.....*t.2.U..~.Yp.H)S~k"...I.R!....[.L.DD...a....]..h}....n.e..;...l........E.s@H....h.. ....\...W<9DL.v.W............8..p.....G...q..m.[..&.6..Q..1...=....B..G$^...0.....@..............1.....8u9w.._:e@.Ur..c2b0...,....g..bl.jFdY....6.

<<< skipped >>>

GET /promo-offer/js/video.js HTTP/1.1

Accept: */*

Referer: hXXp://VVV.millionaires-blueprint.co/promo-offer/?c=IL&aff_id=4926&clickID=1132560031&aff=&s1=99737be6-2ea4-4523-be9f-85692b529ef9&s2=15d6970a-0ab5-46f5-91a8-c31da1f01eb0&s3=wPOJS4587E672CUS0RUM8J70&campaignid=32133

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.millionaires-blueprint.co

Connection: Keep-Alive

Cookie: clickID=1132560031; clickId=1132560031; _ga=GA1.2.1661237672.1463718029; _gat=1

HTTP/1.1 200 OK

Server: nginx

Content-Type: application/x-javascript

Last-Modified: Thu, 03 Mar 2016 17:18:35 GMT

Cache-Control: max-age=7200 public

reset-client-side-age: 1

X-Cacheable: YES

Content-Length: 117730

Accept-Ranges: bytes

Date: Fri, 20 May 2016 04:20:23 GMT

Age: 6298

Connection: keep-alive

X-Cache: HIT

/*! Video.js v4.12.5 Copyright 2014 Brightcove, Inc. hXXps://github.com/videojs/video.js/blob/master/LICENSE */ .(function() {var b=void 0,f=!0,j=null,l=!1;function m(){return function(){}}function n(a){return function(){return this[a]}}function q(a){return function(){return a}}var s;document.createElement("video");document.createElement("audio");document.createElement("track");.function t(a,c,d){if("string"===typeof a){0===a.indexOf("#")&&(a=a.slice(1));if(t.Aa[a])return c&&t.log.warn('Player "' a '" is already initialised. Options will not be applied.'),d&&t.Aa[a].I(d),t.Aa[a];a=t.m(a)}if(!a||!a.nodeName)throw new TypeError("The element or ID supplied is not valid. (videojs)");return a.player||new t.Player(a,c,d)}var videojs=window.videojs=t;t.ic="4.12";t.vd="https:"==document.location.protocol?"hXXps://":"hXXp://";t.VERSION="4.12.5";.t.options={techOrder:["html5","flash"],html5:{},flash:{},width:300,height:150,defaultVolume:0,playbackRates:[],inactivityTimeout:2E3,children:{mediaLoader:{},posterImage:{},loadingSpinner:{},textTrackDisplay:{},bigPlayButton:{},controlBar:{},errorDisplay:{},textTrackSettings:{}},language:document.getElementsByTagName("html")[0].getAttribute("lang")||navigator.languages&&navigator.languages[0]||navigator.If||navigator.language||"en",languages:{},notSupportedMessage:"No compatible source was found for this video."};."GENERATED_CDN_VSN"!==t.ic&&(videojs.options.flash.swf=t.vd "vjs.zencdn.net/" t.ic "/video-js.swf");t.Jd=function(a,c){t.options.languages[a]=t.options.languages[a]!==

<<< skipped >>>

GET /analytics.js HTTP/1.1

Accept: */*

Referer: hXXp://VVV.millionaires-blueprint.co/promo-offer/?c=IL&aff_id=4926&clickID=1132560031&aff=&s1=99737be6-2ea4-4523-be9f-85692b529ef9&s2=15d6970a-0ab5-46f5-91a8-c31da1f01eb0&s3=wPOJS4587E672CUS0RUM8J70&campaignid=32133

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.google-analytics.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Fri, 20 May 2016 04:13:44 GMT

Expires: Fri, 20 May 2016 06:13:44 GMT

Last-Modified: Mon, 09 May 2016 22:17:11 GMT

X-Content-Type-Options: nosniff

Content-Type: text/javascript

Vary: Accept-Encoding

Content-Encoding: gzip

Server: Golfe2

Content-Length: 11491

Age: 398

Cache-Control: public, max-age=7200

...........}is....w....GCF0%.N..r....$.......XR.-$.U...u7...2.....T..6...F.@...H$.....ox.d].).{.I.........ys]..h......c..h....T[h.Fb,U.{..8r.u<hwX.............a.....N....!Oz..`.=..s..=.....~.5q0=..w..3pv_..z...........?~.|rz................p4....dzs{w.P.onm?{....6~8...h7qq....5#.L.......G..x....y.?.F.#u.Hl.o}..qs#.]P.c.#.C..5........k...zMN........SY.:..}...\.....x.....B....".(Jq,.Ia[t..3.A....s.p....s...._...M.k^s..f..h.#.....t.cAN. ....9.^..=..*.<.."~......#.d|.D.Q..|0pu5.q.~....../..J./.7.;...x.'.T$...k..GR.._......_X63T-.4..!..W.........bT../..;^.Tfii..e.....YR.B.../"...z..j..N...j..m_&......w{...H...D8gS...s.............x8....O...>..6oLc.....I...."..l...3&..N..?r.K.......D.T.Z....T.^......U...G....@So.x"z...a..z.9..............!..-_...2...rE.8,,...D......../...JX....c..C.......:;.........O....C../..DUW....5`..u4}a..H.........pS..<...`.P...Y.......0&lD3`....w..PeC.k...........6VQ.R..P.`.U.r.d.F...%.$n..;..c.0T..'..9. ....k.S.5...d..i..0.....x...4.i.....sv.z.D.JE...@...4.V..zY.....9sK.!0G.Z]=%.z.t:@...Y....9..p$.7B@T....S...dtZ... .....7g.|.............`P.f\...h..CY........y..n....!H$;.J...d.0..#..x>.w.......l}..?~.......x.4s.vi[..(9T.~...E_.. VO...O...qh.[..A..P..H._...$H..n.`.b.<.8.....o.....q..4.............6r............i.#4.W|...,.b.'.Wd.;U..;rJ....:PJ`...%.......|v..|...q.o.a .b..............3|.m..V.6..c<6?..x..%...q......y8P..}.>K.&.x=.c....F|...rY....>.:,B...K..17.....U..e...x|.......]..U.>......|.....| N.%.......d...5.;..^Z..@.e........1Dh.].x.L.>.%....z.*.. .Z.zC.

<<< skipped >>>

GET /r/collect?v=1&_v=j43&a=599973280&t=pageview&_s=1&dl=http://VVV.millionaires-blueprint.co/promo-offer/?c=IL&aff_id=4926&clickID=1132560031&aff=&s1=99737be6-2ea4-4523-be9f-85692b529ef9&s2=15d6970a-0ab5-46f5-91a8-c31da1f01eb0&s3=wPOJS4587E672CUS0RUM8J70&campaignid=32133&ul=en-us&de=utf-8&dt=FREE Access - Millionaire's Blueprint&sd=32-bit&sr=1276x846&vp=263x1320&je=0&fl=11.6 r602&_u=AEAAAEAAI~&jid=457202612&cid=1661237672.1463718029&tid=UA-66137886-1&_r=1&z=1681974947 HTTP/1.1

Accept: */*

Referer: hXXp://VVV.millionaires-blueprint.co/promo-offer/?c=IL&aff_id=4926&clickID=1132560031&aff=&s1=99737be6-2ea4-4523-be9f-85692b529ef9&s2=15d6970a-0ab5-46f5-91a8-c31da1f01eb0&s3=wPOJS4587E672CUS0RUM8J70&campaignid=32133

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.google-analytics.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Access-Control-Allow-Origin: *

Date: Fri, 20 May 2016 04:20:22 GMT

Pragma: no-cache

Expires: Fri, 01 Jan 1990 00:00:00 GMT

Cache-Control: no-cache, no-store, must-revalidate

Last-Modified: Sun, 17 May 1998 03:00:00 GMT

X-Content-Type-Options: nosniff

Content-Type: image/gif

Server: Golfe2

Content-Length: 35

GIF89a.............,...........D..;HTTP/1.1 200 OK..Access-Control-Allow-Origin: *..Date: Fri, 20 May 2016 04:20:22 GMT..Pragma: no-cache..Expires: Fri, 01 Jan 1990 00:00:00 GMT..Cache-Control: no-cache, no-store, must-revalidate..Last-Modified: Sun, 17 May 1998 03:00:00 GMT..X-Content-Type-Options: nosniff..Content-Type: image/gif..Server: Golfe2..Content-Length: 35..GIF89a.............,...........D..;..

GET /promo-offer/css/video-js.css HTTP/1.1

Accept: */*

Referer: hXXp://VVV.millionaires-blueprint.co/promo-offer/?c=IL&aff_id=4926&clickID=1132560031&aff=&s1=99737be6-2ea4-4523-be9f-85692b529ef9&s2=15d6970a-0ab5-46f5-91a8-c31da1f01eb0&s3=wPOJS4587E672CUS0RUM8J70&campaignid=32133

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.millionaires-blueprint.co

Connection: Keep-Alive

Cookie: clickID=1132560031; clickId=1132560031

HTTP/1.1 200 OK

Server: nginx

Content-Type: text/css

Last-Modified: Thu, 03 Mar 2016 17:18:35 GMT

Cache-Control: max-age=7200 public

reset-client-side-age: 1

X-Cacheable: YES

Content-Length: 27990

Accept-Ranges: bytes

Date: Fri, 20 May 2016 04:20:21 GMT

Age: 6301

Connection: keep-alive

X-Cache: HIT

/*!.Video.js Default Styles (hXXp://videojs.com).Version 4.12.5.Create your own skin at hXXp://designer.videojs.com.*/./* SKIN.================================================================================.The main class name for all skin-specific styles. To make your own skin,.replace all occurrences of 'vjs-default-skin' with a new name. Then add your new.skin name to your video tag instead of the default skin..e.g. <video class="video-js my-skin-name">.*/..vjs-default-skin {. color: #cccccc;.}./* Custom Icon Font.--------------------------------------------------------------------------------.The control icons are from a custom font. Each icon corresponds to a character.(e.g. "\e001"). Font icons allow for easy scaling and coloring of icons..*/.@font-face {. font-family: 'VideoJS';. src: url('font/vjs.eot');. src: url('font/vjs.eot?#iefix') format('embedded-opentype'), url('font/vjs.woff') format('woff'), url('font/vjs.ttf') format('truetype'), url('font/vjs.svg#icomoon') format('svg');. font-weight: normal;. font-style: normal;.}./* Base UI Component Classes.--------------------------------------------------------------------------------.*/./* Slider - used for Volume bar and Seek bar */..vjs-default-skin .vjs-slider {. /* Replace browser focus highlight with handle highlight */. outline: 0;. position: relative;. cursor: pointer;. padding: 0;. /* background-color-with-alpha */. background-color: #333333;. background-color: rgba(51, 51, 51, 0.9);.}..vjs-default-skin .vjs-slider:focus {.

<<< skipped >>>

GET /promo-offer/css/members.css HTTP/1.1

Accept: */*

Referer: hXXp://VVV.millionaires-blueprint.co/promo-offer/?c=IL&aff_id=4926&clickID=1132560031&aff=&s1=99737be6-2ea4-4523-be9f-85692b529ef9&s2=15d6970a-0ab5-46f5-91a8-c31da1f01eb0&s3=wPOJS4587E672CUS0RUM8J70&campaignid=32133

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.millionaires-blueprint.co

Connection: Keep-Alive

Cookie: clickID=1132560031; clickId=1132560031

HTTP/1.1 200 OK

Server: nginx

Content-Type: text/css

Last-Modified: Thu, 03 Mar 2016 17:18:35 GMT

Cache-Control: max-age=7200 public

reset-client-side-age: 1

X-Cacheable: YES

Content-Length: 10570

Accept-Ranges: bytes

Date: Fri, 20 May 2016 04:20:21 GMT

Age: 6295

Connection: keep-alive

X-Cache: HIT

body {. margin: 0;. padding: 0 0 100px 0;. font-family: 'Helvetica', 'Arial', sans-serif;. font-weight: normal;. font-size: 14px;. line-height: 1.5em;. background-color: #000 !important;. color: #fff !important;.}..body.funnel {. margin: 0;. font-family: 'Helvetica', 'Arial', sans-serif;. font-weight: normal;. font-size: 14px;. line-height: 1.5em;. background-color: #000 !important;. color: #fff !important;. padding: 0 0 20px 0;.}...container {. max-width: 960px !important;. margin: 0 auto;. padding: 0;. display: block;.}...container-form-alt {. max-width: 644px;. margin: 30px auto;. padding: 20px;. display: block;. border: 1px solid #d2d2d2;. border-radius: 6px;. -webkit-border-radius: 6px;. -moz-border-radius: 6px;. background: url('../images/arrow-bg.jpg') no-repeat;. background-color: #fff;. background-position: 50% 85%;.}...header {. margin: 20px auto 10px auto;. padding: 0 0 20px 0;. display: block;. background: url('../images/horizontal_rule.png') bottom center no-repeat transparent;.}...header .left,..header .right {. width: 49%;. margin: 0;. padding: 0;. display: inline-block;. vertical-align: middle;.}...intro {. display: block;.}...intro h1 {. font-weight: normal;. text-align: center;. line-height: 1.2em;. font-size:26px;. margin: 0 0 10px 0;.}...intro h1 span {. font-weight: bold;. color: yellow;.}...video {. display: block;. margin-top: 15px;.}...vide

<<< skipped >>>

GET /promo-offer/css/font/vjs.eot? HTTP/1.1

Accept: */*

Referer: hXXp://VVV.millionaires-blueprint.co/promo-offer/?c=IL&aff_id=4926&clickID=1132560031&aff=&s1=99737be6-2ea4-4523-be9f-85692b529ef9&s2=15d6970a-0ab5-46f5-91a8-c31da1f01eb0&s3=wPOJS4587E672CUS0RUM8J70&campaignid=32133

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.millionaires-blueprint.co

Connection: Keep-Alive

Cookie: clickID=1132560031; clickId=1132560031

HTTP/1.1 404 Not Found

Server: nginx

Content-Type: text/html

Vary: Accept-Encoding

Content-Encoding: gzip

Cache-Control: max-age=5, must-revalidate

X-Cacheable: YES

Content-Length: 195

Accept-Ranges: bytes

Date: Fri, 20 May 2016 04:20:21 GMT

Age: 0

Connection: keep-alive

X-Cache: MISS

..........U.=..0..wN.....1.......M...(.?.=......Y.e.,Y.2E.-W./LK.a...r.../..F.^.vz.l..6.....<..v.o.._.:.v..V...'..!I.U/..8k..d.......X...]x.......pA.sr.....gM.Ir....D...%M..\X..~Ni..5....P.$.'...HTTP/1.1 404 Not Found..Server: nginx..Content-Type: text/html..Vary: Accept-Encoding..Content-Encoding: gzip..Cache-Control: max-age=5, must-revalidate..X-Cacheable: YES..Content-Length: 195..Accept-Ranges: bytes..Date: Fri, 20 May 2016 04:20:21 GMT..Age: 0..Connection: keep-alive..X-Cache: MISS............U.=..0..wN.....1.......M...(.?.=......Y.e.,Y.2E.-W./LK.a...r.../..F.^.vz.l..6.....<..v.o.._.:.v..V...'..!I.U/..8k..d.......X...]x.......pA.sr.....gM.Ir....D...%M..\X..~Ni..5....P.$.'...t>....

GET /fonts/glyphicons-halflings-regular.eot? HTTP/1.1

Accept: */*

Referer: hXXp://VVV.millionaires-blueprint.co/promo-offer/?c=IL&aff_id=4926&clickID=1132560031&aff=&s1=99737be6-2ea4-4523-be9f-85692b529ef9&s2=15d6970a-0ab5-46f5-91a8-c31da1f01eb0&s3=wPOJS4587E672CUS0RUM8J70&campaignid=32133

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.millionaires-blueprint.co

Connection: Keep-Alive

Cookie: clickID=1132560031; clickId=1132560031

HTTP/1.1 404 Not Found

Server: nginx

Content-Type: text/html

Vary: Accept-Encoding

Content-Encoding: gzip

Cache-Control: max-age=5, must-revalidate

X-Cacheable: YES

Content-Length: 195

Accept-Ranges: bytes

Date: Fri, 20 May 2016 04:20:22 GMT

Age: 0

Connection: keep-alive

X-Cache: MISS

..........U.=..0..wN.....1.......M...(.?.=......Y.e.,Y.2E.-W./LK.a...r.../..F.^.vz.l..6.....<..v.o.._.:.v..V...'..!I.U/..8k..d.......X...]x.......pA.sr.....gM.Ir....D...%M..\X..~Ni..5....P.$.'.......

GET /promo-offer/js/jquery-1.9.1.min.js HTTP/1.1

Accept: */*

Referer: hXXp://VVV.millionaires-blueprint.co/promo-offer/?c=IL&aff_id=4926&clickID=1132560031&aff=&s1=99737be6-2ea4-4523-be9f-85692b529ef9&s2=15d6970a-0ab5-46f5-91a8-c31da1f01eb0&s3=wPOJS4587E672CUS0RUM8J70&campaignid=32133

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.millionaires-blueprint.co

Connection: Keep-Alive

Cookie: clickID=1132560031; clickId=1132560031

HTTP/1.1 200 OK

Server: nginx

Content-Type: application/x-javascript

Last-Modified: Thu, 03 Mar 2016 17:18:35 GMT

Cache-Control: max-age=7200 public

reset-client-side-age: 1

X-Cacheable: YES

Content-Length: 111588

Accept-Ranges: bytes

Date: Fri, 20 May 2016 04:20:22 GMT

Age: 6296

Connection: keep-alive

X-Cache: HIT

..../*! jQuery v1.9.1 | (c) 2005, 2012 jQuery Foundation, Inc. | jquery.org/license.//@ sourceMappingURL=jquery.min.map.*/.(function (e, t) {. var n, r, i = typeof t, o = e.document, a = e.location, s = e.jQuery, u = e.$, l = {}, c = [], p = "1.9.1", f = c.concat, d = c.push, h = c.slice, g = c.indexOf, m = l.toString, y = l.hasOwnProperty, v = p.trim, b = function (e, t) { return new b.fn.init(e, t, r) }, x = /[ -]?(?:\d*\.|)\d (?:[eE][ -]?\d |)/.source, w = /\S /g, T = /^[\s\uFEFF\xA0] |[\s\uFEFF\xA0] $/g, N = /^(?:(<[\w\W] >)[^>]*|#([\w-]*))$/, C = /^<(\w )\s*\/?>(?:<\/\1>|)$/, k = /^[\],:{}\s]*$/, E = /(?:^|:|,)(?:\s*\[) /g, S = /\\(?:["\\\/bfnrt]|u[\da-fA-F]{4})/g, A = /"[^"\\\r\n]*"|true|false|null|-?(?:\d \.|)\d (?:[eE][ -]?\d |)/g, j = /^-ms-/, D = /-([\da-z])/gi, L = function (e, t) { return t.toUpperCase() }, H = function (e) { (o.addEventListener || "load" === e.type || "complete" === o.readyState) && (q(), b.ready()) }, q = function () { o.addEventListener ? (o.removeEventListener("DOMContentLoaded", H, !1), e.removeEventListener("load", H, !1)) : (o.detachEvent("onreadystatechange", H), e.detachEvent("onload", H)) }; b.fn = b.prototype = { jquery: p, constructor: b, init: function (e, n, r) { var i, a; if (!e) return this; if ("string" == typeof e) { if (i = "<" === e.charAt(0) && ">" === e.charAt(e.length - 1) && e.length >= 3 ? [null, e, null] : N.exec(e), !i || !i[1] && n) return !n || n.jquery ? (n || r).find(e) : this.constructor(n).find(e); if (i[1]) { if (n =

<<< skipped >>>

GET /includes/exit.js HTTP/1.1

Accept: */*

Referer: hXXp://VVV.millionaires-blueprint.co/promo-offer/?c=IL&aff_id=4926&clickID=1132560031&aff=&s1=99737be6-2ea4-4523-be9f-85692b529ef9&s2=15d6970a-0ab5-46f5-91a8-c31da1f01eb0&s3=wPOJS4587E672CUS0RUM8J70&campaignid=32133

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.millionaires-blueprint.co

Connection: Keep-Alive

Cookie: clickID=1132560031; clickId=1132560031; _ga=GA1.2.1661237672.1463718029; _gat=1

HTTP/1.1 200 OK

Server: nginx

Content-Type: application/x-javascript

Last-Modified: Thu, 03 Mar 2016 17:18:35 GMT

Cache-Control: max-age=7200 public

reset-client-side-age: 1

X-Cacheable: YES

Content-Length: 784

Accept-Ranges: bytes

Date: Fri, 20 May 2016 04:20:23 GMT

Age: 6297

Connection: keep-alive

X-Cache: HIT

(function() {. setTimeout(function() {. var _tags = ['button', 'input', 'a', '.btn'], _els, _i, _i2;. for(_i in _tags) {. _els = document.getElementsByTagName(_tags[_i]);. for(_i2 in _els) {. if((_tags[_i] == 'input' && _els[_i2].type != 'button' && _els[_i2].type != 'submit' && _els[_i2].type != 'image') || _els[_i2].target == '_blank') continue;. _els[_i2].onclick = function() {window.onbeforeunload = function(){};}. }. }.. window.onbeforeunload = function() {. setTimeout(function() {. window.onbeforeunload = function() {};. setTimeout(function() {. document.location.href = _exit_url;. }, 500);. },5);. return _exit_message;. }. }, 500);.})();HTTP/1.1 200 OK..Server: nginx..Content-Type: application/x-javascript..Last-Modified: Thu, 03 Mar 2016 17:18:35 GMT..Cache-Control: max-age=7200 public..reset-client-side-age: 1..X-Cacheable: YES..Content-Length: 784..Accept-Ranges: bytes..Date: Fri, 20 May 2016 04:20:23 GMT..Age: 6297..Connection: keep-alive..X-Cache: HIT..(function() {. setTimeout(function() {. var _tags = ['button', 'input', 'a', '.btn'], _els, _i, _i2;. for(_i in _tags) {. _els = document.getElementsByTagName(_tags[_i]);. for(_i2 in _els) {. if((_tags[_i] == 'input' && _els[_i2].type != 'button' && _els[_i2].type != 'submit' && _els[_i2].type != 'image') || _els[_i2].target == '_blank') continue;. _els[_i2].onclick = function(

<<< skipped >>>

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

%original file name%.exe_928:

.text

.text

`.data

`.data

.rsrc

.rsrc

ad:%C

ad:%C

R.eD/

R.eD/

Click to visit iSergiwa Software web site for more free tools

Click to visit iSergiwa Software web site for more free tools

%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB

%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB

C:\Windows\system32\MSVBVM60.DLL\3

C:\Windows\system32\MSVBVM60.DLL\3

VBA6.DLL

VBA6.DLL

MSVBVM60.DLL

MSVBVM60.DLL

A*\AE:\1\DATA\MyTopSecret\MyVB\MyPubPros\SRT\SRT 2.0\SRT.vbp

A*\AE:\1\DATA\MyTopSecret\MyVB\MyPubPros\SRT\SRT 2.0\SRT.vbp

WScript.Shell

WScript.Shell

\program files\Internet explorer\iexplore hXXp://en.sergiwa.com/modules/mydownloads/singlefile.php?cid=2&lid=6

\program files\Internet explorer\iexplore hXXp://en.sergiwa.com/modules/mydownloads/singlefile.php?cid=2&lid=6

Software\Microsoft\Windows\CurrentVersion

Software\Microsoft\Windows\CurrentVersion

reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f

reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

Explorer.exe

Explorer.exe

SSCVIIHOST.exe

SSCVIIHOST.exe

blastclnnn.exe

blastclnnn.exe

autorun.ini

autorun.ini

setting.ini

setting.ini

\program files\Internet explorer\iexplore hXXp://VVV.sergiwa.com

\program files\Internet explorer\iexplore hXXp://VVV.sergiwa.com

autorun.inf

autorun.inf

VVV.sergiwa.com

VVV.sergiwa.com

@*\AE:\1\DATA\MyTopSecret\MyVB\MyPubPros\SRT\SRT 2.0\SRT.vbp

@*\AE:\1\DATA\MyTopSecret\MyVB\MyPubPros\SRT\SRT 2.0\SRT.vbp

iSergiwa Software - VVV.sergiwa.com

iSergiwa Software - VVV.sergiwa.com

SRT.exe

SRT.exe

iexplore.exe_1460:

%?9-*09,*19}*09

%?9-*09,*19}*09

.text

.text

`.data

`.data

.rsrc

.rsrc

msvcrt.dll

msvcrt.dll

KERNEL32.dll

KERNEL32.dll

NTDLL.DLL

NTDLL.DLL

USER32.dll

USER32.dll

SHLWAPI.dll

SHLWAPI.dll

SHDOCVW.dll

SHDOCVW.dll

Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess

Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess

IE-X-X

IE-X-X

rsabase.dll

rsabase.dll

System\CurrentControlSet\Control\Windows

System\CurrentControlSet\Control\Windows

dw15 -x -s %u

dw15 -x -s %u

watson.microsoft.com

watson.microsoft.com

IEWatsonURL

IEWatsonURL

%s -h %u

%s -h %u

iedw.exe

iedw.exe

Iexplore.XPExceptionFilter

Iexplore.XPExceptionFilter

jscript.DLL

jscript.DLL

mshtml.dll

mshtml.dll

mlang.dll

mlang.dll

urlmon.dll

urlmon.dll

wininet.dll

wininet.dll

shdocvw.DLL

shdocvw.DLL

browseui.DLL

browseui.DLL

comctl32.DLL

comctl32.DLL

IEXPLORE.EXE

IEXPLORE.EXE

iexplore.pdb

iexplore.pdb

ADVAPI32.dll

ADVAPI32.dll

MsgWaitForMultipleObjects

MsgWaitForMultipleObjects

IExplorer.EXE

IExplorer.EXE

IIIIIB(II<.fg>

IIIIIB(II<.fg>

7?_____ZZSSH%

7?_____ZZSSH%

)z.UUUUUUUU

)z.UUUUUUUU

,....Qym

,....Qym

````2```

````2```

{.QLQIIIKGKGKGKGKGKG

{.QLQIIIKGKGKGKGKGKG

;33;33;0

;33;33;0

8888880

8888880

8887080

8887080

browseui.dll

browseui.dll

shdocvw.dll

shdocvw.dll

6.00.2900.5512 (xpsp.080413-2105)

6.00.2900.5512 (xpsp.080413-2105)

Windows

Windows

Operating System

Operating System

6.00.2900.5512

6.00.2900.5512