WormAutoItGen.YR, GenericAutorunWorm.YR (Lavasoft MAS)Behaviour: Worm, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: b9242fe81a7c95a53dc79ded71c30a4c
SHA1: 0529bccab3f016bdd330ef25a46f5e55677b38b9
SHA256: ccd2d1a84cbf2e1a5b7b0447ed93c717dc12b625c2647554245c1172cfa75388
SSDeep: 12288:rxpJfslZtuaVd9lpmhwQbift489IVGD4xJFl6Xqb5Kbmkg8SH:lp9sVuaVdvgVbmgGDijyikg5H
Size: 840936 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2014-07-15 19:29:31
Analyzed on: Windows7Ada SP1 64-bit
Summary: Worm. A program that is primarily replicating on networks or removable drives.
Dynamic Analysis
Payload
| Behaviour | Description |
|---|---|
| WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Worm creates the following process(es):
TPAutoConnSvc.exe:1844
tdtjpd.exe:3016
%original file name%.exe:2836
%original file name%.exe:992
vcredist.exe:2708
vcredist.exe:816
The Worm injects its code into the following process(es):
%original file name%.exe:720
Upd4terSrv.exe:2920
Mutexes
The following mutexes were created/opened:
ZonesCacheCounterMutexZonesLockedCacheCounterMutexDBWinMutex!IECompat!MutexMidiMapper_modLongMessage_RefCnt_!SHMSFTHISTORY!_
File activity
The process tdtjpd.exe:3016 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%Program Files% (x86)\SoftwareUpdater\translations.xml (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsaBF69.tmp\nsisunz.dll (251 bytes)
%Program Files% (x86)\SoftwareUpdater\Upd4terSrv.exe (60025 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SH2TVRCI\vcredist_x86[1].exe (62511768 bytes)
%Program Files% (x86)\SoftwareUpdater\AppsUpd4ter.exe.config (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\update.zip (22676 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsaBF69.tmp\nsURL.dll (1910 bytes)
%Program Files% (x86)\SoftwareUpdater\Interop.Shell32.dll (1568 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsaBF69.tmp\nsExec.dll (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsaBF69.tmp\System.dll (23 bytes)
%Program Files% (x86)\SoftwareUpdater\config.xml (1654 bytes)
%Program Files% (x86)\SoftwareUpdater\AppsUpd4ter.exe (77321 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\vcredist.exe (818135 bytes)
%Program Files% (x86)\SoftwareUpdater\uninstall.exe (2749 bytes)
The process %original file name%.exe:2836 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsz896C.tmp (6522 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsz896D.tmp\LuaBridge.dll (1921 bytes)
The process %original file name%.exe:720 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\customNsWeb.dll (812 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\LuaSocket\lua\socket\tp.lua (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\skin\index.html (2617 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\52\stormwatch_tidy_double_628_3.mht (12588 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\win32_constants.lua (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\ButtonEvent.dll (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\41\tidy_stormwatch_optimizerpro_triple_628_3.mht (12988 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\UACInfo.dll (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\packaged_app.lua (11 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\skin\GenericDLM\animatedProgress.gif (1177 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\data_injection.lua (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\DownloadThread.lua (579 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\service_registry.lua (462 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\downloads.lua (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\versioninfo.dll (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\36\knctr_stormwatch_tidy_updateadmin_628.mht (10204 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\skin\res\patches.js (73 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\LuaSocket\mime\core.dll (1909 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\un.package.exe (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\browserutils.dll (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\callbackproxy.lua (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\nsisunz.dll (1552 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\env.lua (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\21\arcadegiant_stormwatch_optimizerpro_updateadmin_628.mht (10204 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarA44E.tmp (2784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\33\wordproser_stormwatch_optimizerpro_triple_628_2.mht (10204 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\Events.lua (912 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\50\optimizerpro_tidy_double628.mht (9476 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\47\tidy_stormwatch_pcoptpro_628_3.mht (12988 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\nsis7z.dll (6360 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\api_substitution.lua (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\wininet\url.lua (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\LuaXml_lib.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\skin\GenericDLM\save.gif (73 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SH2TVRCI\iconCheck.gif (740 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\scheduler.lua (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SH2TVRCI\wbk13B5.tmp (242 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\wininet\wininet_h.lua (1856 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\wininet\http.lua (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\GuiInit.lua (5520 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\LuaSocket\lua\socket.lua (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\offer_filters.lua (13 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SH2TVRCI\knockout-2.0.js (10370 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\skin\GenericDLM\accept_green.gif (73 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771 (1688 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\System.dll (22 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\uistate.lua (310 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\wininet\core.lua (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D47DBD2F9E3365FBBE008D71FB06716F_835A2FD7EE5F1F37B7872C78D42A88BF (1504 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\net_utils.lua (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\LuaSocket\lua\socket\url.lua (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\conditional_engine.lua (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse8AC3.tmp (49287 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\151\findwide_nocheckboxes_628.mht (676 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\processfreefile.lua (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\5\findwide_updateadmin_combo_628.mht (8844 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SH2TVRCI\wbkB70E.tmp (4850 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\FloatingProgress.dll (812 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\1\vittalia_primary_combo_2.mht (7772 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D47DBD2F9E3365FBBE008D71FB06716F_835A2FD7EE5F1F37B7872C78D42A88BF (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\skin\res\common.css (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7D266D9E1E69FA1EEFB9699B009B34C8_8CA7164968F366C9A94AC8E71C4BDD9B (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D (1720 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\__web.xml (142125 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\44\wordproser_stormwatch_optimizerpro_triple_628_2.mht (10204 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\skin\res\jquery.js (6360 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\wininet\wintypes.lua (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 (56 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\2\tdtjpd.exe (221 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\wininet\defs.lua (1552 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\ffi.dll (7392 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\wininet\io.lua (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\lua51.dll (9582 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\data_stores.lua (703 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\skin\GenericDLM\decline.gif (73 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\LuaSocket\lua\ltn12.lua (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\2\tgtudp.exe (29140 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SH2TVRCI\wbkAEA3.tmp (1442 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\offer_stats.lua (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\notifyicon.lua (302 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\BrowserControl.lua (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\skin\GenericDLM\generic_icon.gif (73 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\skin\GenericDLM\run.gif (73 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\IntegratedOffer.lua (1552 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\bit.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2427C246DCF85A06DD675914EDA68038_EEE52A74DEE31B064E156E492FD05217 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\17\contentexplorer_stormwatch_optimizerpro_updateadmin_628.mht (10204 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\definitions.lua (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\win32_pipeserver.dll (2392 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\skin.zip (4708 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\LuaSocket\lua\socket\smtp.lua (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\54\optimizerpro_stormwatch_combo_628_3.mht (12588 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\skin\GenericDLM\show.gif (25 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\skin\GenericDLM\close.gif (25 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\luacom.dll (4992 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\AdvancedTests.lua (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\218\allgenius_628.mht (3172 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BA41173F3FB1502C814D759E3B8A6FFF_80D945C561FF63F9F3DD59EE0F29FDE9 (1752 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\1\do_tracking_hit.lua (913 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\async_tracking.lua (799 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\25\arcadegiant_stormwatch_optimizerpro_updateadmin_628.mht (10204 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\skin\res\knockout.js (6360 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\utils.lua (1552 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\bundleinstall.lua (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\extension.tlb (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\skin\GenericDLM\open.gif (25 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\vm_details.lua (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\skin\GenericDLM\generic_icon.ico (337 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\survey_environment.lua (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\2\softwareupdater_628.mht (388 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\29\knctr_stormwatch_optimizerpro_updateadmin_628.mht (10204 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\eagerinstall.lua (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SH2TVRCI\AutoFeatureModel.js (386 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\skin\options.json (273 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 (370 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2427C246DCF85A06DD675914EDA68038_EEE52A74DEE31B064E156E492FD05217 (1480 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\LuaSocket\lua\socket\ftp.lua (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\luaxml.lua (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\LuaSocket\socket\core.dll (2473 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\skin\GenericDLM\tucow_bga1.gif (337 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\wininet\ltn12.lua (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\LuaSocket\lua\socket\http.lua (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\wininet\ftp.lua (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\skin\GenericDLM\exit.gif (25 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\3\findwide_updateadmin_combo_628.mht (8844 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\LuaBridge.dll (1921 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BA41173F3FB1502C814D759E3B8A6FFF_80D945C561FF63F9F3DD59EE0F29FDE9 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7D266D9E1E69FA1EEFB9699B009B34C8_8CA7164968F366C9A94AC8E71C4BDD9B (1504 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\json.lua (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\skin\res\common.js (3616 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabA44D.tmp (56 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SH2TVRCI\OfferScreenParameters.js (50 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\DownloadList.lua (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\wininet\compat.lua (392 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\LuaSocket\lua\mime.lua (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 (378 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\sandbox.lua (8 bytes)
The process %original file name%.exe:992 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsz86AE.tmp (6522 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso86BE.tmp\LuaBridge.dll (1921 bytes)
The process vcredist.exe:2708 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\.ba1\BootstrapperApplicationData.xml (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\.ba1\thm.xml (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\.be\vcredist_x86.exe (58408 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\.ba1\wixstdba.dll (2485 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\cabB3E1576D1FEFBB979E13B1A5379E0B16 (75717 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\.ba1 (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\.ba1\logo.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\dd_vcredist_x86_20141218152947.log (24538 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcRuntimeAdditional_x86 (2132 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f} (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\.ba1\thm.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\.ba1\license.rtf (327 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\cab54A5CABBE7274D8A22EB58060AAB7623 (11824 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcRuntimeMinimum_x86 (1712 bytes)
The process vcredist.exe:816 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\dd_vcredist_x86_20141218152947_1_vcRuntimeAdditional_x86.log (76054 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\dd_vcredist_x86_20141218152947_0_vcRuntimeMinimum_x86.log (74578 bytes)
C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\state.rsm (1352 bytes)
C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe (2321 bytes)
Registry activity
The process TPAutoConnSvc.exe:1844 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\ThinPrint\TPPrnUI\HP LaserJet Professional M1212nf MFP#:3]
"TrayData" = "2,Tray 3, 3,Tray 2, 1,Tray 1, 4,Manual Feed, 7,Auto Select"
"FormData" = "1,2159,2794,Letter¶40,40,2086,2712, 5,2159,3556,Legal¶40,40,2086,3474, 9,2100,2970,A4¶39,39,2032,2890, 7,1842,2667,Executive¶40,40,1761,2585, 258,2159,3302,8.5 x 13 (custom)¶40,40,2086,3220, 11,1480,2100,A5¶39,39,1408,2020, 70,1050,1480,A6¶39,39,975,1399, 13,1820,2570,B5 (JIS)¶39,39,1747,2490, 264,1950,2700,16K 195x270¶39,39,1882,2620, 263,1840,2600,16K 184x260¶39,39,1761,2520, 257,1970,2730,16K 197x273¶39,39,1896,2650, 43,1000,1480,Japanese Postcard¶39,39,921,1399, 82,1480,2000,Double Japan Postcard Rotated¶39,39,1408,1919, 20,1046,2413,Envelope #10¶40,40,975,2331, 37,983,1905,Envelope Monarch¶40,40,907,1823, 34,1760,2500,Envelope B5¶39,39,1693,2420, 28,1620,2290,Envelope C5¶39,39,1544,2209, 27,1100,2200,Envelope DL¶39,39,1029,2120"
"DelAfterCreate" = "1"
[HKU\.DEFAULT\Printers\DevModes2]
"HP LaserJet Professional M1212nf MFP#:3" = "48 00 50 00 20 00 4C 00 61 00 73 00 65 00 72 00"
The Worm deletes the following registry key(s):
[HKLM\SOFTWARE\ThinPrint\TPPrnUI\HP LaserJet Professional M1212nf MFP#:3]
The process tdtjpd.exe:3016 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SoftwareUpdater]
"DisplayName" = "SoftwareUpdater"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ef-0d-5d]
"WpadDecision" = "0"
"WpadDecisionTime" = "9A 85 11 0C C6 1A D0 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EE1E4E39-627C-4D52-9D86-A515AB38A003}]
"WpadNetworkName" = "Network"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ef-0d-5d]
"WpadDecisionReason" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EE1E4E39-627C-4D52-9D86-A515AB38A003}]
"WpadDecisionReason" = "1"
[HKLM\SOFTWARE\Wow6432Node\SoftwareUpdater]
"versionUpdaterSw" = "1.1.8.14351"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ef-0d-5d]
"WpadDetectedUrl" = ""
[HKLM\SOFTWARE\Wow6432Node\SoftwareUpdater]
"UpdaterPath" = "%Program Files% (x86)\SoftwareUpdater\AppsUpd4ter.exe"
"channel_id" = "1033"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3E 00 00 00 09 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EE1E4E39-627C-4D52-9D86-A515AB38A003}]
"WpadDecision" = "0"
[HKLM\SOFTWARE\Wow6432Node\SoftwareUpdater]
"enduser_id" = "188998987"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EE1E4E39-627C-4D52-9D86-A515AB38A003}]
"WpadDecisionTime" = "87 21 C1 AF C6 1A D0 01"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SoftwareUpdater]
"UninstallString" = "%Program Files% (x86)\SoftwareUpdater\uninstall.exe"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Worm deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EE1E4E39-627C-4D52-9D86-A515AB38A003}]
"WpadDetectedUrl"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoDetect"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ef-0d-5d]
"WpadDetectedUrl"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
The process %original file name%.exe:2836 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VMwareDnD\31ec1c24\PUPautoinsaller_v1.exe, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VMwareDnD\31ec1c24\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VMwareDnD\6c88b866\python.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VMwareDnD\6c88b866\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsz896D.tmp\LuaBridge.dll,"
The process %original file name%.exe:720 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm]
"fdwSupport" = "1"
"aFormatTagCache" = "01 00 00 00 10 00 00 00 02 00 00 00 32 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ef-0d-5d]
"WpadDecision" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711]
"cFormatTags" = "3"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm]
"fdwSupport" = "1"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm]
"cFormatTags" = "2"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711]
"cFilterTags" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm]
"cFilterTags" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EE1E4E39-627C-4D52-9D86-A515AB38A003}]
"WpadDecision" = "0"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610]
"fdwSupport" = "1"
"cFilterTags" = "0"
"cFormatTags" = "2"
"aFormatTagCache" = "01 00 00 00 10 00 00 00 31 00 00 00 14 00 00 00"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711]
"fdwSupport" = "1"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm]
"aFormatTagCache" = "01 00 00 00 10 00 00 00 11 00 00 00 14 00 00 00"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm]
"cFilterTags" = "0"
[HKCU\Software\Classes\Local Settings\MuiCache\2B\52C64B7E]
"LanguageList" = "en-US, en"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3D 00 00 00 09 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ef-0d-5d]
"WpadDecisionReason" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EE1E4E39-627C-4D52-9D86-A515AB38A003}]
"WpadDecisionReason" = "1"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm]
"cFormatTags" = "2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EE1E4E39-627C-4D52-9D86-A515AB38A003}]
"WpadNetworkName" = "Network"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"
[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4]
"Blob" = "0F 00 00 00 01 00 00 00 14 00 00 00 5D 82 AD B9"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ef-0d-5d]
"WpadDecisionTime" = "9A 85 11 0C C6 1A D0 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EE1E4E39-627C-4D52-9D86-A515AB38A003}]
"WpadDecisionTime" = "9A 85 11 0C C6 1A D0 01"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711]
"aFormatTagCache" = "01 00 00 00 10 00 00 00 06 00 00 00 12 00 00 00"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Worm deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoDetect"
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ef-0d-5d]
"WpadDetectedUrl"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EE1E4E39-627C-4D52-9D86-A515AB38A003}]
"WpadDetectedUrl"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates]
"2796BAE63F1801E277261BA0D77770028F20EEE4"
The process vcredist.exe:816 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}]
"BundleTag" = "Type: REG_SZ, Length: 0"
[HKCR\Installer\Dependencies\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}]
"Version" = "11.0.61030.0"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}]
"QuietUninstallString" = "C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe /uninstall /quiet"
"BundleAddonCode" = "Type: REG_MULTI_SZ, Length: 0"
"BundleDetectCode" = "Type: REG_MULTI_SZ, Length: 0"
"BundleCachePath" = "C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe"
"NoElevateOnModify" = "1"
"DisplayIcon" = "C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe,0"
"BundlePatchCode" = "Type: REG_MULTI_SZ, Length: 0"
[HKCU\Software\Classes\Local Settings\MuiCache\2B\52C64B7E]
"LanguageList" = "en-US, en"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}]
"ModifyPath" = "C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe /modify"
"DisplayName" = "Microsoft Visual C 2012 Redistributable (x86) - 11.0.61030"
"Installed" = "1"
"EstimatedSize" = "17800"
"EngineVersion" = "3.6.3542.0"
"BundleVersion" = "11.0.61030.0"
"BundleProviderKey" = "{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}"
"DisplayVersion" = "11.0.61030.0"
"Publisher" = "Microsoft Corporation"
"UninstallString" = "C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe /uninstall"
"Resume" = "1"
"BundleUpgradeCode" = "{0B65F2F3-A845-36BB-848A-5D939826EBE4}"
[HKCR\Installer\Dependencies\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}]
"DisplayName" = "Microsoft Visual C 2012 Redistributable (x86) - 11.0.61030"
To automatically run itself each time Windows is booted, the Worm adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}" = "C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe /burn.log.append C:\Users\"%CurrentUserName%"\AppData\Local\Temp\dd_vcredist_x86_20141218152947.log /quiet ignored /burn.runonce"
The Worm deletes the following value(s) in system registry:
[HKCR\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_x86,v11\Dependents\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}]
"MinVersion"
[HKCR\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditional_x86,v11\Dependents\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}]
"MaxVersion"
"MinVersion"
[HKCR\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimum_x86,v11\Dependents\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}]
"MinVersion"
[HKCR\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v11\Dependents\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}]
"MaxVersion"
"MinVersion"
[HKCR\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimum_x86,v11\Dependents\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}]
"MaxVersion"
[HKCR\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_x86,v11\Dependents\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}]
"MaxVersion"
The Worm disables automatic startup of the application by deleting the following autorun value:
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}"
Dropped PE files
| MD5 | File path |
|---|---|
| a990de9edf0145ca5b01761978f49432 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso86BE.tmp\LuaBridge.dll |
| fad9d09fc0267e8513b8628e767b2604 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\ButtonEvent.dll |
| 0f26c6d34d3841e93145dd00d0175651 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\FloatingProgress.dll |
| a990de9edf0145ca5b01761978f49432 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\LuaBridge.dll |
| 4a4845ba1666907f708c9c10a31ec227 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\LuaSocket\mime\core.dll |
| 4bf7db111acfa7c28ad36606107b3322 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\LuaSocket\socket\core.dll |
| 7292b642bd958aeb7fd7cfd19e45b068 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\LuaXml_lib.dll |
| 7e3c808299aa2c405dffa864471ddb7f | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\System.dll |
| d02a497be5f89c44827f142c4662f591 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\UACInfo.dll |
| 0a29e1b270ccea61aba7d7cdd10e0388 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\bit.dll |
| dd8a05024e825f75d3d151ea84bf414e | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\browserutils.dll |
| e6f8bce5bd3b59c5b1f3225d8f8d3b14 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\customNsWeb.dll |
| e390287499549de31da007f7f0ae4d10 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\ffi.dll |
| fceee0026aafd237afdb4aea4ecd3557 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\lua51.dll |
| b991f57d815ca821cdb42d2792db366f | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\luacom.dll |
| 692479f7c07a64a6a632148e382f0e22 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\nsis7z.dll |
| 5f13dbc378792f23e598079fc1e4422b | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\nsisunz.dll |
| 5694e7daf20c47c8d5e73d4a838c2ee6 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\un.package.exe |
| ebc5bb904cdac1c67ada3fa733229966 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\versioninfo.dll |
| e626f4baffc82488c1efd873c250fb09 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\win32_pipeserver.dll |
| a990de9edf0145ca5b01761978f49432 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsz896D.tmp\LuaBridge.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
TPAutoConnSvc.exe:1844
tdtjpd.exe:3016
%original file name%.exe:2836
%original file name%.exe:992
vcredist.exe:2708
vcredist.exe:816 - Delete the original Worm file.
- Delete or disinfect the following files created/modified by the Worm:
%Program Files% (x86)\SoftwareUpdater\translations.xml (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsaBF69.tmp\nsisunz.dll (251 bytes)
%Program Files% (x86)\SoftwareUpdater\Upd4terSrv.exe (60025 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SH2TVRCI\vcredist_x86[1].exe (62511768 bytes)
%Program Files% (x86)\SoftwareUpdater\AppsUpd4ter.exe.config (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\update.zip (22676 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsaBF69.tmp\nsURL.dll (1910 bytes)
%Program Files% (x86)\SoftwareUpdater\Interop.Shell32.dll (1568 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsaBF69.tmp\nsExec.dll (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsaBF69.tmp\System.dll (23 bytes)
%Program Files% (x86)\SoftwareUpdater\config.xml (1654 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\vcredist.exe (818135 bytes)
%Program Files% (x86)\SoftwareUpdater\uninstall.exe (2749 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsz896C.tmp (6522 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsz896D.tmp\LuaBridge.dll (1921 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\customNsWeb.dll (812 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\LuaSocket\lua\socket\tp.lua (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\skin\index.html (2617 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\52\stormwatch_tidy_double_628_3.mht (12588 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\win32_constants.lua (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\ButtonEvent.dll (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\41\tidy_stormwatch_optimizerpro_triple_628_3.mht (12988 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\UACInfo.dll (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\packaged_app.lua (11 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\skin\GenericDLM\animatedProgress.gif (1177 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\data_injection.lua (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\DownloadThread.lua (579 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\service_registry.lua (462 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\downloads.lua (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\versioninfo.dll (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\36\knctr_stormwatch_tidy_updateadmin_628.mht (10204 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\skin\res\patches.js (73 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\LuaSocket\mime\core.dll (1909 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\un.package.exe (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\browserutils.dll (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\callbackproxy.lua (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\nsisunz.dll (1552 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\env.lua (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\21\arcadegiant_stormwatch_optimizerpro_updateadmin_628.mht (10204 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarA44E.tmp (2784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\33\wordproser_stormwatch_optimizerpro_triple_628_2.mht (10204 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\Events.lua (912 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\50\optimizerpro_tidy_double628.mht (9476 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\47\tidy_stormwatch_pcoptpro_628_3.mht (12988 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\nsis7z.dll (6360 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\api_substitution.lua (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\wininet\url.lua (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\LuaXml_lib.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\skin\GenericDLM\save.gif (73 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SH2TVRCI\iconCheck.gif (740 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\scheduler.lua (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SH2TVRCI\wbk13B5.tmp (242 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\wininet\wininet_h.lua (1856 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\wininet\http.lua (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\GuiInit.lua (5520 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\LuaSocket\lua\socket.lua (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\offer_filters.lua (13 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SH2TVRCI\knockout-2.0.js (10370 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\skin\GenericDLM\accept_green.gif (73 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771 (1688 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\System.dll (22 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\uistate.lua (310 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\wininet\core.lua (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D47DBD2F9E3365FBBE008D71FB06716F_835A2FD7EE5F1F37B7872C78D42A88BF (1504 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\net_utils.lua (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\LuaSocket\lua\socket\url.lua (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\conditional_engine.lua (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse8AC3.tmp (49287 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\151\findwide_nocheckboxes_628.mht (676 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\processfreefile.lua (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\5\findwide_updateadmin_combo_628.mht (8844 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SH2TVRCI\wbkB70E.tmp (4850 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\FloatingProgress.dll (812 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\1\vittalia_primary_combo_2.mht (7772 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D47DBD2F9E3365FBBE008D71FB06716F_835A2FD7EE5F1F37B7872C78D42A88BF (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\skin\res\common.css (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7D266D9E1E69FA1EEFB9699B009B34C8_8CA7164968F366C9A94AC8E71C4BDD9B (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D (1720 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\__web.xml (142125 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\44\wordproser_stormwatch_optimizerpro_triple_628_2.mht (10204 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\skin\res\jquery.js (6360 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\wininet\wintypes.lua (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 (56 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\2\tdtjpd.exe (221 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\wininet\defs.lua (1552 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\ffi.dll (7392 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\wininet\io.lua (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\lua51.dll (9582 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\data_stores.lua (703 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\skin\GenericDLM\decline.gif (73 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\LuaSocket\lua\ltn12.lua (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\2\tgtudp.exe (29140 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SH2TVRCI\wbkAEA3.tmp (1442 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\offer_stats.lua (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\notifyicon.lua (302 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\BrowserControl.lua (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\skin\GenericDLM\generic_icon.gif (73 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\skin\GenericDLM\run.gif (73 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\IntegratedOffer.lua (1552 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\bit.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2427C246DCF85A06DD675914EDA68038_EEE52A74DEE31B064E156E492FD05217 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\17\contentexplorer_stormwatch_optimizerpro_updateadmin_628.mht (10204 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\definitions.lua (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\win32_pipeserver.dll (2392 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\skin.zip (4708 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\LuaSocket\lua\socket\smtp.lua (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\54\optimizerpro_stormwatch_combo_628_3.mht (12588 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\skin\GenericDLM\show.gif (25 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\skin\GenericDLM\close.gif (25 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\luacom.dll (4992 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\AdvancedTests.lua (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\218\allgenius_628.mht (3172 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BA41173F3FB1502C814D759E3B8A6FFF_80D945C561FF63F9F3DD59EE0F29FDE9 (1752 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\1\do_tracking_hit.lua (913 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\async_tracking.lua (799 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\25\arcadegiant_stormwatch_optimizerpro_updateadmin_628.mht (10204 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\skin\res\knockout.js (6360 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\utils.lua (1552 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\bundleinstall.lua (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\extension.tlb (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\skin\GenericDLM\open.gif (25 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\vm_details.lua (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\skin\GenericDLM\generic_icon.ico (337 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\survey_environment.lua (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\2\softwareupdater_628.mht (388 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\29\knctr_stormwatch_optimizerpro_updateadmin_628.mht (10204 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\eagerinstall.lua (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SH2TVRCI\AutoFeatureModel.js (386 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\skin\options.json (273 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 (370 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2427C246DCF85A06DD675914EDA68038_EEE52A74DEE31B064E156E492FD05217 (1480 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\LuaSocket\lua\socket\ftp.lua (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\luaxml.lua (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\LuaSocket\socket\core.dll (2473 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\skin\GenericDLM\tucow_bga1.gif (337 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\wininet\ltn12.lua (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\LuaSocket\lua\socket\http.lua (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\wininet\ftp.lua (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\skin\GenericDLM\exit.gif (25 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\3\findwide_updateadmin_combo_628.mht (8844 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\LuaBridge.dll (1921 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BA41173F3FB1502C814D759E3B8A6FFF_80D945C561FF63F9F3DD59EE0F29FDE9 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7D266D9E1E69FA1EEFB9699B009B34C8_8CA7164968F366C9A94AC8E71C4BDD9B (1504 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\json.lua (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\skin\res\common.js (3616 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabA44D.tmp (56 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SH2TVRCI\OfferScreenParameters.js (50 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\DownloadList.lua (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\wininet\compat.lua (392 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\LuaSocket\lua\mime.lua (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 (378 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\sandbox.lua (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsz86AE.tmp (6522 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso86BE.tmp\LuaBridge.dll (1921 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\.ba1\BootstrapperApplicationData.xml (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\.ba1\thm.xml (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\.be\vcredist_x86.exe (58408 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\.ba1\wixstdba.dll (2485 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\cabB3E1576D1FEFBB979E13B1A5379E0B16 (75717 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\.ba1\logo.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\dd_vcredist_x86_20141218152947.log (24538 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcRuntimeAdditional_x86 (2132 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\.ba1\thm.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\.ba1\license.rtf (327 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\cab54A5CABBE7274D8A22EB58060AAB7623 (11824 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcRuntimeMinimum_x86 (1712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\dd_vcredist_x86_20141218152947_1_vcRuntimeAdditional_x86.log (76054 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\dd_vcredist_x86_20141218152947_0_vcRuntimeMinimum_x86.log (74578 bytes)
C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\state.rsm (1352 bytes)
C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe (2321 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}" = "C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe /burn.log.append C:\Users\"%CurrentUserName%"\AppData\Local\Temp\dd_vcredist_x86_20141218152947.log /quiet ignored /burn.runonce" - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
Static Analysis
VersionInfo
Company Name:
Product Name:
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description:
Comments:
Language: Language Neutral
Company Name: Product Name: Product Version: Legal Copyright: Legal Trademarks: Original Filename: Internal Name: File Version: File Description: Comments: Language: Language Neutral
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 23306 | 23552 | 4.47645 | 325c988d9f77e7ce27fe1fa6f6fd93f7 |
| .rdata | 28672 | 5397 | 5632 | 3.61721 | 64bdba47e612466214b378a9e0d4057c |
| .data | 36864 | 109756 | 512 | 0.972488 | c11d691b44d2912a53e6b566fedf2406 |
| .ndata | 147456 | 147456 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .rsrc | 294912 | 191960 | 192000 | 2.99591 | 27689cb0ad69a7df7e0617c8c171883d |
| .reloc | 487424 | 2682 | 3072 | 0 | d2a70550489de356a2cd6bfc40711204 |
Dropped from:
Downloaded by:
Similar by SSDeep:
34902d76df577323848946aa29f635a0dc52da4e4036b4c82097baacc8fd8f3f2f542ce0f14198cbc2239600d0315291f2221f189b066370e19140e942404345cb61db838c861137ca801b2fe5a0b5c574bf47bb984c747fb7a127b5db9e7f4d64499cdac945ca9f7a7bfba7ef1029982cd4f157f519ed55f36e32e677d599d9b19181162637518d4f11ab2e3d55981e517aa200f936831c34421940aef6ded34b974b1daccd6b0d1ffac5ef67189b04e8f8febb586d5cdcc7e8ce5e4d652e2f82f9d8edba9b824fb09811f9effab56960223014c6416ce3c62fdfff2541aeed590a3a3dcc0044b213cbe0c854c83935e329326a088fad15c7482d2f0f40438d28010505b9bf00f9b44a59de1a6b9a3caea0f8a202300f5bc80d3dbb5555d15e1330818f0dc6331731b1247d90b4495653bda3e498b733bc656879f5cac2d66a2b6ed41f3b28a11594c254d8df9e429ece2b4aa216c72e8fff0ea64a41016175fc4fbbb65ef407d5b8668cf334bfad37cb312aa040112d7a85bb98447c7feaa187e3ff911209b4ed5f3fd7178527fc60e49c2d10fc40f3ddedb3ffcd8bbc2b809c2d1bd031fd5226b1956b7ec60e6c92a9594adeb6b0ed7ed1f47c0c9ed1d903e3d0c35811697ad2941d4a869f8e00b35bb0950a80b9244dd82a49f65ad946c5f2521699ece1f47629064bf4faf55c6edfcf2adb31669775dc3fe3615e089caaf241bd6843d04785be0feab753be2055be9c1adad6f958c6aaf674b31c576d8ec1b492a3dac3e2319e34b0f3628bc0da9dc7f44b345144142f2402abb160cf46318e1cb469b94411b5a963b312c89cec7d0f1a89435a5ac9c74175ded1944deacf9fe811b403027538b339859cd5fcf41ac22b0ced6de010d8d2ff65454ae529d932f91fc6b7894d6f5351f7b774f6890da1a4d4c8a1c9bd6afbf99df6433486
Similar by Lavasoft Polymorphic Checker:
Total found: 74
34902d76df577323848946aa29f635a0
8eb47c153cd199692a21f8d9fb1e65e5
0da1a4d4c8a1c9bd6afbf99df6433486
d932f91fc6b7894d6f5351f7b774f689
1ac22b0ced6de010d8d2ff65454ae529
cf9fe811b403027538b339859cd5fcf4
ace89f1a23c3dd68c1ffcf5691025bc9
9681eb345cd8f44c015d294213628554
7d0f1a89435a5ac9c74175ded1944dea
318e1cb469b94411b5a963b312c89cec
9dc7f44b345144142f2402abb160cf46
c1b492a3dac3e2319e34b0f3628bc0da
be9c1adad6f958c6aaf674b31c576d8e
f241bd6843d04785be0feab753be2055
7b35c7d77e7f085ecc2b27df162b45b5
6c952fc5dc1ef5268b486be33288b580
dfcf2adb31669775dc3fe3615e089caa
0be99f5e427f4036ee08c3f3c2193a69
bc5d4e2634bab073018a021c14810f2b
c78b866300a6ef85867eb0888b134c7e
0843a3a880954d87a72efbc23aaff077
f2521699ece1f47629064bf4faf55c6e
5bb0950a80b9244dd82a49f65ad946c5
e3d0c35811697ad2941d4a869f8e00b3
a9594adeb6b0ed7ed1f47c0c9ed1d903
435f9e4f9070acc5bfe80a0f61f4b412
Network Activity
URLs
| URL | IP |
|---|---|
| hxxp://service.downloadadmin.com/external-install?bc=1162530&pid=vittalia&brand=freempr13.bertrejota.com&aid=FREESOFTSTORECOM&s=FREESO030Zec25d5ec3750a12b89bdaf3236b1f0ed&c=VELISMEDIA2&osName=Windows&osVersion=Vista&browserName=IE&browserVersion=9&secure=true&productKey=m7izpsc3q6c6a6odoxbkvnqqt666qqkp | 50.22.63.138 |
| hxxp://a1621.g.akamai.net/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?15561099d5d16a9f | |
| hxxp://a1621.g.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab?2a50e63961c067a9 | |
| hxxp://ocsp.godaddy.com.akadns.net//MEQwQjBAMD4wPDAJBgUrDgMCGgUABBTkIInKBAzXkF0Qh0pel3lfHJ9GPAQU0sSw0pHUTBFxs2HLPaH+3ahq1OMCAxvnFQ== | 72.167.239.239 |
| hxxp://ocsp.godaddy.com.akadns.net//MEIwQDA+MDwwOjAJBgUrDgMCGgUABBQdI2+OBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc= | 72.167.239.239 |
| hxxp://ocsp.godaddy.com.akadns.net//MEgwRjBEMEIwQDAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX+2yz8LQsgM4CB0sVHV5/pAc= | 72.167.239.239 |
| hxxp://a728.g.akamai.net/skins/da/03122014/DownloadAdmin-Generic-DLM.zip | |
| hxxp://a728.g.akamai.net/binstallers/BM2/vittalia/ipage/vittalia_primary_combo_2.mht | |
| hxxp://a728.g.akamai.net/binstallers/BM2/api/do_tracking_hit.lua | |
| hxxp://a728.g.akamai.net/products/BM2/softwareupdater/ipage/softwareupdater_628.mht | |
| hxxp://a728.g.akamai.net/products/BM2/findwidetoolbar/ipage/findwide_updateadmin_combo_628.mht | |
| hxxp://a728.g.akamai.net/products/BM2/combos/contentexplorer_stormwatch_optimizerpro_updateadmin_628.mht | |
| hxxp://a728.g.akamai.net/products/BM2/combos/arcadegiant_stormwatch_optimizerpro_updateadmin_628.mht | |
| hxxp://a728.g.akamai.net/products/BM2/combos/knctr_stormwatch_optimizerpro_updateadmin_628.mht | |
| hxxp://a728.g.akamai.net/products/BM2/combos/wordproser_stormwatch_optimizerpro_triple_628_2.mht | |
| hxxp://a728.g.akamai.net/products/BM2/combos/knctr_stormwatch_tidy_updateadmin_628.mht | |
| hxxp://a728.g.akamai.net/products/BM2/combos/tidy_stormwatch_optimizerpro_triple_628_3.mht | |
| hxxp://a728.g.akamai.net/products/BM2/combos/tidy_stormwatch_pcoptpro_628_3.mht | |
| hxxp://a728.g.akamai.net/products/BM2/628/uniform/optimizerpro_tidy_double628.mht | |
| hxxp://a728.g.akamai.net/products/BM2/combos/stormwatch_tidy_double_628_3.mht | |
| hxxp://a728.g.akamai.net/products/BM2/combos/optimizerpro_stormwatch_combo_628_3.mht | |
| hxxp://a728.g.akamai.net/products/BM2/findwidetoolbar/ipage/findwide_nocheckboxes_628.mht | |
| hxxp://a728.g.akamai.net/products/BM2/allgenius/ipage/allgenius_628.mht | |
| hxxp://web1.upsa1a.com/tgtudp.exe | 93.189.32.145 |
| hxxp://web1.upsa1a.com/tdtjpd.exe | 93.189.32.145 |
| hxxp://a728.g.akamai.net/tnt2/freshy/FreshyToolbar.exe | |
| hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEDWXMYfzhzoHMn7OWAybfto= | |
| hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEG7MeqWnAyAJuM689OlS1JE= | |
| hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQMgSk4dLKWKRB+2DViUmQEUw3ggwQUDURcFlNEwYJ+HSCrJfQBY9i+eaUCECyLOOAjYRltRQP8lkAE25w= | |
| hxxp://d1.arcadegiant.com/aj/bundle/1048 | 74.120.16.148 |
| hxxp://a728.g.akamai.net/products/BM2/knctr/exe/knctr_02262014.exe | |
| hxxp://a728.g.akamai.net/products/BM2/wordproser/exe/wordproser_11042014.exe | |
| hxxp://a728.g.akamai.net/tn/TidyNetwork.exe | |
| hxxp://dl.softservers.net/111001042/OptimizerPro.exe | 108.163.210.20 |
| hxxp://a1269.d.akamai.net/sd?is=tr | |
| hxxp://a1363.g.akamai.net/pki/crl/products/MicrosoftTimeStampPCA.crl | |
| hxxp://a1363.g.akamai.net/pki/crl/products/microsoftrootcert.crl | |
| hxxp://a1363.g.akamai.net/pki/crl/products/WinPCA.crl | |
| hxxp://a1363.g.akamai.net/pki/crl/products/MicCodSigPCA_08-31-2010.crl | |
| hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w= | |
| hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI= | |
| hxxp://e6845.ce.akamaiedge.net/pca3.crl | |
| hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ/xkCfyHfJr7GQ6M658NRZ4SHo/AQUCPVR6Pv+PT1kNnxoz1t4qN+5xTcCEGC2x6sSmevembHfY1acIZk= | |
| hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEGwkCSV07gf3g5QOsqmf+MY= | |
| hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8= | |
| hxxp://e6845.ce.akamaiedge.net/CSC3-2010.cer | |
| hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c= | |
| hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CEFfypMGYcmbFYnz/tUJymgs= | |
| hxxp://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl | 87.245.202.16 |
| hxxp://csc3-2010-aia.verisign.com/CSC3-2010.cer | 23.43.133.163 |
| hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w= | 23.43.139.27 |
| hxxp://mirror.mirror-files.com/products/BM2/combos/arcadegiant_stormwatch_optimizerpro_updateadmin_628.mht | 87.245.202.65 |
| hxxp://ocsp.godaddy.com//MEIwQDA+MDwwOjAJBgUrDgMCGgUABBQdI2+OBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc= | 72.167.239.239 |
| hxxp://mirror.mirror-files.com/products/BM2/combos/tidy_stormwatch_optimizerpro_triple_628_3.mht | 87.245.202.65 |
| hxxp://mirror.mirror-files.com/products/BM2/findwidetoolbar/ipage/findwide_nocheckboxes_628.mht | 87.245.202.65 |
| hxxp://crl.microsoft.com/pki/crl/products/WinPCA.crl | 87.245.202.16 |
| hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?15561099d5d16a9f | 87.245.202.24 |
| hxxp://service.downloadadmin.com/env?browserVersion=9&osVersion=Vista&s=FREESO030Zec25d5ec3750a12b89bdaf3236b1f0ed&browserName=IE&c=VELISMEDIA2&brand=freempr13.bertrejota.com&pid=vittalia&aid=FREESOFTSTORECOM&bc=1162530&osName=Windows&country=UA | 50.22.63.138 |
| hxxp://install-cdn.allgenius.info/sd?is=tr | 213.155.152.187 |
| hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8= | 23.43.139.27 |
| hxxp://mirror.mirror-files.com/products/BM2/628/uniform/optimizerpro_tidy_double628.mht | 87.245.202.65 |
| hxxp://ocsp.godaddy.com//MEQwQjBAMD4wPDAJBgUrDgMCGgUABBTkIInKBAzXkF0Qh0pel3lfHJ9GPAQU0sSw0pHUTBFxs2HLPaH+3ahq1OMCAxvnFQ== | 72.167.239.239 |
| hxxp://mirror.mirror-files.com/tn/TidyNetwork.exe | 87.245.202.65 |
| hxxp://mirror.mirror-files.com/products/BM2/combos/knctr_stormwatch_optimizerpro_updateadmin_628.mht | 87.245.202.65 |
| hxxp://mirror.mirror-files.com/binstallers/BM2/api/do_tracking_hit.lua | 87.245.202.65 |
| hxxp://mirror.mirror-files.com/products/BM2/wordproser/exe/wordproser_11042014.exe | 87.245.202.65 |
| hxxp://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl | 87.245.202.16 |
| hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?2a50e63961c067a9 | 87.245.202.24 |
| hxxp://mirror.mirror-files.com/products/BM2/findwidetoolbar/ipage/findwide_updateadmin_combo_628.mht | 87.245.202.65 |
| hxxp://mirror.mirror-files.com/products/BM2/combos/knctr_stormwatch_tidy_updateadmin_628.mht | 87.245.202.65 |
| hxxp://mirror.mirror-files.com/products/BM2/combos/contentexplorer_stormwatch_optimizerpro_updateadmin_628.mht | 87.245.202.65 |
| hxxp://mirror.mirror-files.com/products/BM2/combos/wordproser_stormwatch_optimizerpro_triple_628_2.mht | 87.245.202.65 |
| hxxp://mirror.mirror-files.com/skins/da/03122014/DownloadAdmin-Generic-DLM.zip | 87.245.202.65 |
| hxxp://mirror.mirror-files.com/products/BM2/knctr/exe/knctr_02262014.exe | 87.245.202.65 |
| hxxp://mirror.mirror-files.com/products/BM2/allgenius/ipage/allgenius_628.mht | 87.245.202.65 |
| hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEGwkCSV07gf3g5QOsqmf+MY= | 23.43.139.27 |
| hxxp://mirror.mirror-files.com/products/BM2/combos/stormwatch_tidy_double_628_3.mht | 87.245.202.65 |
| hxxp://mirror.mirror-files.com/products/BM2/softwareupdater/ipage/softwareupdater_628.mht | 87.245.202.65 |
| hxxp://mirror.mirror-files.com/products/BM2/combos/optimizerpro_stormwatch_combo_628_3.mht | 87.245.202.65 |
| hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ/xkCfyHfJr7GQ6M658NRZ4SHo/AQUCPVR6Pv+PT1kNnxoz1t4qN+5xTcCEGC2x6sSmevembHfY1acIZk= | 23.43.139.27 |
| hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CEFfypMGYcmbFYnz/tUJymgs= | 23.43.139.27 |
| hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI= | 23.43.139.27 |
| hxxp://mirror.mirror-files.com/tnt2/freshy/FreshyToolbar.exe | 87.245.202.65 |
| hxxp://sd.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQMgSk4dLKWKRB+2DViUmQEUw3ggwQUDURcFlNEwYJ+HSCrJfQBY9i+eaUCECyLOOAjYRltRQP8lkAE25w= | 23.43.139.27 |
| hxxp://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl | 87.245.202.16 |
| hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEG7MeqWnAyAJuM689OlS1JE= | 23.43.139.27 |
| hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c= | 23.43.139.27 |
| hxxp://ocsp.godaddy.com//MEgwRjBEMEIwQDAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX+2yz8LQsgM4CB0sVHV5/pAc= | 72.167.239.239 |
| hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEDWXMYfzhzoHMn7OWAybfto= | 23.43.139.27 |
| hxxp://pf.dlcvit.com/s/2/2/228488-676828-adobe-flash-player.exe | 87.98.229.151 |
| hxxp://crl.verisign.com/pca3.crl | 23.43.133.163 |
| hxxp://mirror.mirror-files.com/binstallers/BM2/vittalia/ipage/vittalia_primary_combo_2.mht | 87.245.202.65 |
| hxxp://mirror.mirror-files.com/products/BM2/combos/tidy_stormwatch_pcoptpro_628_3.mht | 87.245.202.65 |
| s3.amazonaws.com | 54.231.244.0 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
HEAD /sd?is=tr HTTP/1.1
User-Agent: Tightrope Bundle Manager(ref=[ea9d979dcbb4c5ffd1cbea8eff65e4806ada1b92];windows=6.1;uac=false;ie=9;elevated=true;dotnet=4;startTime=3115931;pid=720)
Host: install-cdn.allgenius.info
Content-Length: 0
Connection: Keep-Alive
HTTP/1.1 200 OK
Pragma: no-cache
Content-Type: application/octet-stream
Server: Microsoft-IIS/7.5
Content-Disposition: attachment; filename=allgeniusSetup.exe
X-AspNet-Version: 4.0.30319
SVR: SP003C2
X-Powered-By: ASP.NET
p3p: CP="CAO PSA OUR"
Content-Length: 583472
Cache-Control: private, max-age=86400
Expires: Fri, 19 Dec 2014 13:25:39 GMT
Date: Thu, 18 Dec 2014 13:25:39 GMT
Connection: keep-alive
HTTP/1.1 200 OK..Pragma: no-cache..Content-Type: application/octet-stream..Server: Microsoft-IIS/7.5..Content-Disposition: attachment; filename=allgeniusSetup.exe..X-AspNet-Version: 4.0.30319..SVR: SP003C2..X-Powered-By: ASP.NET..p3p: CP="CAO PSA OUR"..Content-Length: 583472..Cache-Control: private, max-age=86400..Expires: Fri, 19 Dec 2014 13:25:39 GMT..Date: Thu, 18 Dec 2014 13:25:39 GMT..Connection: keep-alive..
GET /skins/da/03122014/DownloadAdmin-Generic-DLM.zip HTTP/1.1
User-Agent: Tightrope Bundle Manager(ref=[ea9d979dcbb4c5ffd1cbea8eff65e4806ada1b92];windows=6.1;uac=false;ie=9;elevated=true;dotnet=4;startTime=3115931;pid=720)
Host: mirror.mirror-files.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache
ETag: "f4474d468a32b9ec78bf53ceffffcb3b:1402673048"
Last-Modified: Fri, 13 Jun 2014 15:24:08 GMT
Accept-Ranges: bytes
Content-Length: 35976
Content-Type: application/zip
Date: Thu, 18 Dec 2014 13:25:18 GMT
Connection: keep-alive
PK......../{kD.(......?.......GenericDLM/accept_green.gif.TgTS.....4..FT....RnB...$."-.. .......b.$X#...::.RDA.'... AQAQQ..."E.t.(.8........u..g..}....=/..C......(`.s......2....h.......$zq....~.;..s.......t.....1.%.....za;=.!%..;...S..\`.*.B....A>....I...nqvA.x3'SJ..!.%.....vY<....p4....z.....%s.?...E..==..x-T7.....&..l.8..8E........5N..\PrG.y.q.E...\...;...:... ..."....[i1mt..bl._.5...y.mr.3.....:R.kz. ZX-.Cl?>>.._.......d.U|........"..L./.....W#A....&r .<@. .Z..E....V%.(B..\....%r.H....$....#.B.2.Uw...H..D.HG2..@}...B..1.h....$..G .H8...px,.{Hh..J$Q.d....eS....,...t....R..XlJJ.&..#S.cq..E...G..he.T.W..J...,.R...Ub.....e.d....hA"..V..|k.#.I.j....@...r8...H.....Q.?...T...!R........'....._%S.d...[.&.T2e.L..D.@w._ ........5X.T...Q0...y0b......l..M...q.@.?D$.q..&.........d.d.H......%L..../.H!^)...2...i.x.Zp....W8y-.I.X]1.......~......../.......`...?>...................]...o.^.j}.....O..<j..........i.}..........h..T.v...Ry....K.........N...8^p,?/7.hv.....:..........k.....n....ic....uk..^..NY..R*V.eRIR.rqB|.H(X._......^.0&zA./2.'..pNXhHp.<v .....K..R)>d.....AX.......6.......vt...5s....m..~..07CL.jjbld..M1.M..p......B?...qM...K...e...;v...g....(B......}4'7/.X....E'O..,y...?..p...RE.....Tkk.M=my!W.o.n.s.bH.ID....Z.?y.......^?1y..........g2ohxdt.....>....80X.0P.[....3..$.Z..sH.%9x}..........m...`...g.G..{.T...$8lo.:q..O.......r...:......E.}.\.;........,.;.1#m4.0..j..Z....[ux...Z..m|.WF.PO.eP.J. ....g5~..,..\.~9...3...k............4L.....AZ.&...5q..).{.......7?>........g.-....c....wi.".
<<< skipped >>>
GET /binstallers/BM2/vittalia/ipage/vittalia_primary_combo_2.mht HTTP/1.1
User-Agent: Tightrope Bundle Manager(ref=[ea9d979dcbb4c5ffd1cbea8eff65e4806ada1b92];windows=6.1;uac=false;ie=9;elevated=true;dotnet=4;startTime=3115931;pid=720)
Host: mirror.mirror-files.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache
ETag: "034d0615e36f0f9524de959ba10ca481:1417452401"
Last-Modified: Mon, 01 Dec 2014 16:46:41 GMT
Accept-Ranges: bytes
Content-Length: 62297
Content-Type: text/plain
Date: Thu, 18 Dec 2014 13:25:25 GMT
Connection: keep-alive
From: "Saved by Internet Explorer 11"..Subject: Product Name..Date: Mon, 1 Dec 2014 11:32:43 -0500..MIME-Version: 1.0..Content-Type: multipart/related;...type="text/html";...boundary="----=_NextPart_000_000B_01D00D5A.85DFD180"..X-MimeOLE: Produced By Microsoft MimeOLE V6.1.7601.17609..This is a multi-part message in MIME format...------=_NextPart_000_000B_01D00D5A.85DFD180..Content-Type: text/html;...charset="utf-8"..Content-Transfer-Encoding: quoted-printable..Content-Location: file://C:\offerscreen\vitallia_primary_10.html..=EF=BB=BF<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" =.."hXXp://VVV.w3c.org/TR/1999/REC-html401-19991224/loose.dtd">..<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" =.."hXXp://VVV.w3c.org/TR/1999/REC-html401-19991224/loose.dtd"><HTML><HEAD><=..META=20..content=3D"IE=3D11.0000" http-equiv=3D"X-UA-Compatible">..<META http-equiv=3D"X-UA-Compatible" content=3D"IE=3D11.0000">=20..<META http-equiv=3D"X-UA-Compatible" content=3D"IE=3D11.0000"> =20..<SCRIPT src=3D"file:///C:/offerscreen/knockout-2.0.js" =..type=3D"text/javascript"></SCRIPT>.. =20..<SCRIPT src=3D"file:///C:/offerscreen/AutoFeatureModel.js" =..type=3D"text/javascript"></SCRIPT>.. =20..<SCRIPT src=3D"file:///C:/offerscreen/OfferScreenParameters.js" =..type=3D"text/javascript"></SCRIPT>.. <TITLE =..data-bind=3D"text:$root.customParameters()['ProductName']">Product=20.. Name</TITLE>=20..<META http-equiv=3D
<<< skipped >>>
GET /binstallers/BM2/api/do_tracking_hit.lua HTTP/1.1
User-Agent: Tightrope Bundle Manager(ref=[ea9d979dcbb4c5ffd1cbea8eff65e4806ada1b92];windows=6.1;uac=false;ie=9;elevated=true;dotnet=4;startTime=3115931;pid=720)
Host: mirror.mirror-files.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache
ETag: "9cc9c7aa05eddd412b09d5b37d446f81:1404848561"
Last-Modified: Tue, 08 Jul 2014 19:42:41 GMT
Accept-Ranges: bytes
Content-Length: 913
Content-Type: text/plain
Date: Thu, 18 Dec 2014 13:25:25 GMT
Connection: keep-alive
--[[.-- Lua Script to perform tracking hits IT can be run at start offer or finish and has aacces tot he variables.--]]..local http=require("wininet.http");.local json=require("json");..local main=function(). -- Need GuiInit. local guiinit=require("GuiInit");. local _Downloads=require("Downloads");. local target=current.file._a_.Options -- Get the options blob. -- No Target is specified then do nothing. if target == "" or not target then. return; -- Blank so do nothing . end. target=current.expand_path(target);. -- Get the command line and look for an option . --[[local cli=current.expand_path("$CMDLINE");. local opts=string.match(cli or "","--custom.p.tid=([^ ] )");. ]]. -- Make a reques to the target Url. local r,c,h = http.request{. method="POST",. url=target ,. proxy=_Downloads.proxyForUrl(target). }..end...return main();.....
GET /products/BM2/softwareupdater/ipage/softwareupdater_628.mht HTTP/1.1
User-Agent: Tightrope Bundle Manager(ref=[ea9d979dcbb4c5ffd1cbea8eff65e4806ada1b92];windows=6.1;uac=false;ie=9;elevated=true;dotnet=4;startTime=3115931;pid=720)
Host: mirror.mirror-files.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache
ETag: "c9ea80af3548458c96bb102b6107a2ff:1414182019"
Last-Modified: Fri, 24 Oct 2014 20:20:19 GMT
Accept-Ranges: bytes
Content-Length: 11587
Content-Type: text/plain
Date: Thu, 18 Dec 2014 13:25:25 GMT
Connection: keep-alive
From: "Saved by Windows Internet Explorer 8"..Subject: 628 by 282 Icy Offer..Date: Fri, 24 Oct 2014 16:19:18 -0400..MIME-Version: 1.0..Content-Type: text/html;...charset="utf-8"..Content-Transfer-Encoding: quoted-printable..Content-Location: hXXp://install.downloadadmin.com/BM_OFFERS_628/Advertisers/softwareupdater/uniform_eula.php?mode=preview..X-MimeOLE: Produced By Microsoft MimeOLE V6.1.7601.17514..=EF=BB=BF<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" =.."http://VVV.w3c.org/TR/1999/REC-html401-19991224/loose.dtd">..<HTML><HEAD><TITLE>628 by 282 Icy Offer</TITLE>..<META content=3D"text/html; charset=3DUTF-8" =..http-equiv=3DContent-Type><!-- =0A=..=0A=..Edited by: Insert Initials & Date=0A=..Template Name: 628_Icy_2col_toolbar_EULA.php=0A=..=0A=..-->..<STYLE>BODY {...PADDING-BOTTOM: 0px; BACKGROUND-COLOR: #fff; MARGIN: 0px; PADDING-LEFT: =..0px; PADDING-RIGHT: 0px; FONT-FAMILY: arial, verdana, sans serif; COLOR: =..#707271; PADDING-TOP: 0px..}..#content {...POSITION: relative; BACKGROUND-COLOR: #ebeef0; WIDTH: 628px; DISPLAY: =..block; HEIGHT: 282px; OVERFLOW: hidden..}..#headline {...POSITION: absolute..}..#toolbar {...POSITION: absolute..}..#copy {...POSITION: absolute..}..#eula {...POSITION: absolute..}..#disclaimer {...POSITION: absolute..}..#headline {...WIDTH: 598px; HEIGHT: 30px; TOP: 15px; LEFT: 15px..}..#toolbar {...WIDTH: 260px; HEIGHT: 30px; TOP: 50px; LEFT: 15px..}..#copy {...WIDTH: 260px; HEIGHT: 145px; TOP: 80px; LEFT: 15px..}..#
<<< skipped >>>
GET /products/BM2/findwidetoolbar/ipage/findwide_updateadmin_combo_628.mht HTTP/1.1
User-Agent: Tightrope Bundle Manager(ref=[ea9d979dcbb4c5ffd1cbea8eff65e4806ada1b92];windows=6.1;uac=false;ie=9;elevated=true;dotnet=4;startTime=3115931;pid=720)
Host: mirror.mirror-files.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache
ETag: "2e0aefadbcdd20a1b1437a97926bcd1b:1416948312"
Last-Modified: Tue, 25 Nov 2014 20:45:12 GMT
Accept-Ranges: bytes
Content-Length: 69228
Content-Type: text/plain
Date: Thu, 18 Dec 2014 13:25:25 GMT
Connection: keep-alive
From: "Saved by Internet Explorer 11"..Subject: 628 by 282 Icy Offer..Date: Tue, 25 Nov 2014 15:44:30 -0500..MIME-Version: 1.0..Content-Type: multipart/related;...type="text/html";...boundary="----=_NextPart_000_0007_01D008C6.B36A2850"..X-MimeOLE: Produced By Microsoft MimeOLE V6.1.7601.17609..This is a multi-part message in MIME format...------=_NextPart_000_0007_01D008C6.B36A2850..Content-Type: text/html;...charset="utf-8"..Content-Transfer-Encoding: quoted-printable..Content-Location: file://C:\offerscreen\findwide_updateadmin_combo_628.html..=EF=BB=BF<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" =.."hXXp://VVV.w3c.org/TR/1999/REC-html401-19991224/loose.dtd">..<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" =.."http://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><HTML><HEAD><ME=..TA=20..content=3D"IE=3D11.0000" http-equiv=3D"X-UA-Compatible">..=20..<SCRIPT src=3D"file:///C:/offerscreen/knockout-2.0.js" =..type=3D"text/javascript"></SCRIPT>..=20..<SCRIPT src=3D"file:///C:/offerscreen/AutoFeatureModel.js" =..type=3D"text/javascript"></SCRIPT>.. <TITLE>628 by 282 Icy Offer</TITLE>=20..<META http-equiv=3D"Content-Type" content=3D"text/html; =..charset=3DUTF-8"> <!-- =0A=..=0A=..Edited by: Insert Initials & Date=0A=..Template Name: 628_Icy_2col_toolbar_EULA.php=0A=..=0A=..-->=20..<STYLE>=0A=../* Overall page settings... */=0A=..=0A=..body {background-color:#fff;margin:0;padding:0;font-family: a
<<< skipped >>>
GET /products/BM2/findwidetoolbar/ipage/findwide_updateadmin_combo_628.mht HTTP/1.1
User-Agent: Tightrope Bundle Manager(ref=[ea9d979dcbb4c5ffd1cbea8eff65e4806ada1b92];windows=6.1;uac=false;ie=9;elevated=true;dotnet=4;startTime=3115931;pid=720)
Host: mirror.mirror-files.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache
ETag: "2e0aefadbcdd20a1b1437a97926bcd1b:1416948312"
Last-Modified: Tue, 25 Nov 2014 20:45:12 GMT
Accept-Ranges: bytes
Content-Length: 69228
Content-Type: text/plain
Date: Thu, 18 Dec 2014 13:25:26 GMT
Connection: keep-alive
From: "Saved by Internet Explorer 11"..Subject: 628 by 282 Icy Offer..Date: Tue, 25 Nov 2014 15:44:30 -0500..MIME-Version: 1.0..Content-Type: multipart/related;...type="text/html";...boundary="----=_NextPart_000_0007_01D008C6.B36A2850"..X-MimeOLE: Produced By Microsoft MimeOLE V6.1.7601.17609..This is a multi-part message in MIME format...------=_NextPart_000_0007_01D008C6.B36A2850..Content-Type: text/html;...charset="utf-8"..Content-Transfer-Encoding: quoted-printable..Content-Location: file://C:\offerscreen\findwide_updateadmin_combo_628.html..=EF=BB=BF<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" =.."hXXp://VVV.w3c.org/TR/1999/REC-html401-19991224/loose.dtd">..<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" =.."http://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><HTML><HEAD><ME=..TA=20..content=3D"IE=3D11.0000" http-equiv=3D"X-UA-Compatible">..=20..<SCRIPT src=3D"file:///C:/offerscreen/knockout-2.0.js" =..type=3D"text/javascript"></SCRIPT>..=20..<SCRIPT src=3D"file:///C:/offerscreen/AutoFeatureModel.js" =..type=3D"text/javascript"></SCRIPT>.. <TITLE>628 by 282 Icy Offer</TITLE>=20..<META http-equiv=3D"Content-Type" content=3D"text/html; =..charset=3DUTF-8"> <!-- =0A=..=0A=..Edited by: Insert Initials & Date=0A=..Template Name: 628_Icy_2col_toolbar_EULA.php=0A=..=0A=..-->=20..<STYLE>=0A=../* Overall page settings... */=0A=..=0A=..body {background-color:#fff;margin:0;padding:0;font-family: a
<<< skipped >>>
GET /products/BM2/combos/contentexplorer_stormwatch_optimizerpro_updateadmin_628.mht HTTP/1.1
User-Agent: Tightrope Bundle Manager(ref=[ea9d979dcbb4c5ffd1cbea8eff65e4806ada1b92];windows=6.1;uac=false;ie=9;elevated=true;dotnet=4;startTime=3115931;pid=720)
Host: mirror.mirror-files.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache
ETag: "42be207ed658280b3f4ef5728e13fdec:1418845600"
Last-Modified: Wed, 17 Dec 2014 19:46:40 GMT
Accept-Ranges: bytes
Content-Length: 76325
Content-Type: text/plain
Date: Thu, 18 Dec 2014 13:25:26 GMT
Connection: keep-alive
From: "Saved by Internet Explorer 11"..Subject: Search.com 628 by 282..Date: Fri, 24 Oct 2014 11:42:51 -0400..MIME-Version: 1.0..Content-Type: multipart/related;...type="text/html";...boundary="----=_NextPart_000_0000_01CFEF7F.A431DCD0"..X-MimeOLE: Produced By Microsoft MimeOLE V6.1.7601.17609..This is a multi-part message in MIME format...------=_NextPart_000_0000_01CFEF7F.A431DCD0..Content-Type: text/html;...charset="utf-8"..Content-Transfer-Encoding: quoted-printable..Content-Location: file://C:\offerscreen\storm_alerts_quad_1.html..=EF=BB=BF<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">..<HTML><HEAD><META content=3D"IE=3D5.0000" =..http-equiv=3D"X-UA-Compatible">..<SCRIPT src=3D"file:///C:/offerscreen/knockout-2.0.js" =..type=3D"text/javascript"></SCRIPT>..=20..<SCRIPT src=3D"file:///C:/offerscreen/AutoFeatureModel.js" =..type=3D"text/javascript"></SCRIPT>.. <TITLE>Search.com 628 by 282</TITLE>=20..<META http-equiv=3D"Content-Type" content=3D"text/html; =..charset=3Dutf-8">=20..<STYLE>=0A=..=0A=../* set the background color to match the offer. */=0A=..body {background-color:#e3e3e3;margin:0;padding:0;font-family: arial, =..verdana, sans serif;color:#222;position:relative;height: 282px;width: =..628px;}=0A=..table{background-repeat: no-repeat;}=0A=..h1 {font-size: 18px;font-weight: bold;margin-bottom: 4px;margin-top: 0;}=0A=..p {margin: 0;font-size: 12px}=0A=..td{vertical-align:top; }=0A=..a{COLOR:#0858a8; text-decoration
<<< skipped >>>
GET /products/BM2/combos/arcadegiant_stormwatch_optimizerpro_updateadmin_628.mht HTTP/1.1
User-Agent: Tightrope Bundle Manager(ref=[ea9d979dcbb4c5ffd1cbea8eff65e4806ada1b92];windows=6.1;uac=false;ie=9;elevated=true;dotnet=4;startTime=3115931;pid=720)
Host: mirror.mirror-files.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache
ETag: "f81f9435b0f7bf2d51e92ba4bc6311a3:1418845601"
Last-Modified: Wed, 17 Dec 2014 19:46:41 GMT
Accept-Ranges: bytes
Content-Length: 76276
Content-Type: text/plain
Date: Thu, 18 Dec 2014 13:25:26 GMT
Connection: keep-alive
From: "Saved by Internet Explorer 11"..Subject: Search.com 628 by 282..Date: Fri, 24 Oct 2014 11:42:51 -0400..MIME-Version: 1.0..Content-Type: multipart/related;...type="text/html";...boundary="----=_NextPart_000_0000_01CFEF7F.A431DCD0"..X-MimeOLE: Produced By Microsoft MimeOLE V6.1.7601.17609..This is a multi-part message in MIME format...------=_NextPart_000_0000_01CFEF7F.A431DCD0..Content-Type: text/html;...charset="utf-8"..Content-Transfer-Encoding: quoted-printable..Content-Location: file://C:\offerscreen\storm_alerts_quad_1.html..=EF=BB=BF<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">..<HTML><HEAD><META content=3D"IE=3D5.0000" =..http-equiv=3D"X-UA-Compatible">..<SCRIPT src=3D"file:///C:/offerscreen/knockout-2.0.js" =..type=3D"text/javascript"></SCRIPT>..=20..<SCRIPT src=3D"file:///C:/offerscreen/AutoFeatureModel.js" =..type=3D"text/javascript"></SCRIPT>.. <TITLE>Search.com 628 by 282</TITLE>=20..<META http-equiv=3D"Content-Type" content=3D"text/html; =..charset=3Dutf-8">=20..<STYLE>=0A=..=0A=../* set the background color to match the offer. */=0A=..body {background-color:#e3e3e3;margin:0;padding:0;font-family: arial, =..verdana, sans serif;color:#222;position:relative;height: 282px;width: =..628px;}=0A=..table{background-repeat: no-repeat;}=0A=..h1 {font-size: 18px;font-weight: bold;margin-bottom: 4px;margin-top: 0;}=0A=..p {margin: 0;font-size: 12px}=0A=..td{vertical-align:top; }=0A=..a{COLOR:#0858a8; text-decoration
<<< skipped >>>
GET /products/BM2/combos/arcadegiant_stormwatch_optimizerpro_updateadmin_628.mht HTTP/1.1
User-Agent: Tightrope Bundle Manager(ref=[ea9d979dcbb4c5ffd1cbea8eff65e4806ada1b92];windows=6.1;uac=false;ie=9;elevated=true;dotnet=4;startTime=3115931;pid=720)
Host: mirror.mirror-files.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache
ETag: "f81f9435b0f7bf2d51e92ba4bc6311a3:1418845601"
Last-Modified: Wed, 17 Dec 2014 19:46:41 GMT
Accept-Ranges: bytes
Content-Length: 76276
Content-Type: text/plain
Date: Thu, 18 Dec 2014 13:25:26 GMT
Connection: keep-alive
From: "Saved by Internet Explorer 11"..Subject: Search.com 628 by 282..Date: Fri, 24 Oct 2014 11:42:51 -0400..MIME-Version: 1.0..Content-Type: multipart/related;...type="text/html";...boundary="----=_NextPart_000_0000_01CFEF7F.A431DCD0"..X-MimeOLE: Produced By Microsoft MimeOLE V6.1.7601.17609..This is a multi-part message in MIME format...------=_NextPart_000_0000_01CFEF7F.A431DCD0..Content-Type: text/html;...charset="utf-8"..Content-Transfer-Encoding: quoted-printable..Content-Location: file://C:\offerscreen\storm_alerts_quad_1.html..=EF=BB=BF<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">..<HTML><HEAD><META content=3D"IE=3D5.0000" =..http-equiv=3D"X-UA-Compatible">..<SCRIPT src=3D"file:///C:/offerscreen/knockout-2.0.js" =..type=3D"text/javascript"></SCRIPT>..=20..<SCRIPT src=3D"file:///C:/offerscreen/AutoFeatureModel.js" =..type=3D"text/javascript"></SCRIPT>.. <TITLE>Search.com 628 by 282</TITLE>=20..<META http-equiv=3D"Content-Type" content=3D"text/html; =..charset=3Dutf-8">=20..<STYLE>=0A=..=0A=../* set the background color to match the offer. */=0A=..body {background-color:#e3e3e3;margin:0;padding:0;font-family: arial, =..verdana, sans serif;color:#222;position:relative;height: 282px;width: =..628px;}=0A=..table{background-repeat: no-repeat;}=0A=..h1 {font-size: 18px;font-weight: bold;margin-bottom: 4px;margin-top: 0;}=0A=..p {margin: 0;font-size: 12px}=0A=..td{vertical-align:top; }=0A=..a{COLOR:#0858a8; text-decoration
<<< skipped >>>
GET /products/BM2/combos/knctr_stormwatch_optimizerpro_updateadmin_628.mht HTTP/1.1
User-Agent: Tightrope Bundle Manager(ref=[ea9d979dcbb4c5ffd1cbea8eff65e4806ada1b92];windows=6.1;uac=false;ie=9;elevated=true;dotnet=4;startTime=3115931;pid=720)
Host: mirror.mirror-files.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache
ETag: "bee859f72942202b8c08083235f6e488:1418845600"
Last-Modified: Wed, 17 Dec 2014 19:46:40 GMT
Accept-Ranges: bytes
Content-Length: 76285
Content-Type: text/plain
Date: Thu, 18 Dec 2014 13:25:27 GMT
Connection: keep-alive
From: "Saved by Internet Explorer 11"..Subject: Search.com 628 by 282..Date: Fri, 24 Oct 2014 11:42:51 -0400..MIME-Version: 1.0..Content-Type: multipart/related;...type="text/html";...boundary="----=_NextPart_000_0000_01CFEF7F.A431DCD0"..X-MimeOLE: Produced By Microsoft MimeOLE V6.1.7601.17609..This is a multi-part message in MIME format...------=_NextPart_000_0000_01CFEF7F.A431DCD0..Content-Type: text/html;...charset="utf-8"..Content-Transfer-Encoding: quoted-printable..Content-Location: file://C:\offerscreen\storm_alerts_quad_1.html..=EF=BB=BF<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">..<HTML><HEAD><META content=3D"IE=3D5.0000" =..http-equiv=3D"X-UA-Compatible">..<SCRIPT src=3D"file:///C:/offerscreen/knockout-2.0.js" =..type=3D"text/javascript"></SCRIPT>..=20..<SCRIPT src=3D"file:///C:/offerscreen/AutoFeatureModel.js" =..type=3D"text/javascript"></SCRIPT>.. <TITLE>Search.com 628 by 282</TITLE>=20..<META http-equiv=3D"Content-Type" content=3D"text/html; =..charset=3Dutf-8">=20..<STYLE>=0A=..=0A=../* set the background color to match the offer. */=0A=..body {background-color:#e3e3e3;margin:0;padding:0;font-family: arial, =..verdana, sans serif;color:#222;position:relative;height: 282px;width: =..628px;}=0A=..table{background-repeat: no-repeat;}=0A=..h1 {font-size: 18px;font-weight: bold;margin-bottom: 4px;margin-top: 0;}=0A=..p {margin: 0;font-size: 12px}=0A=..td{vertical-align:top; }=0A=..a{COLOR:#0858a8; text-decoration
<<< skipped >>>
GET /products/BM2/combos/wordproser_stormwatch_optimizerpro_triple_628_2.mht HTTP/1.1
User-Agent: Tightrope Bundle Manager(ref=[ea9d979dcbb4c5ffd1cbea8eff65e4806ada1b92];windows=6.1;uac=false;ie=9;elevated=true;dotnet=4;startTime=3115931;pid=720)
Host: mirror.mirror-files.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache
ETag: "df30d43158cf98a36ac67d50fdf29c26:1413906113"
Last-Modified: Tue, 21 Oct 2014 15:41:53 GMT
Accept-Ranges: bytes
Content-Length: 75833
Content-Type: text/plain
Date: Thu, 18 Dec 2014 13:25:27 GMT
Connection: keep-alive
From: "Saved by Internet Explorer 11"..Subject: Search.com 628 by 282..Date: Thu, 11 Sep 2014 14:02:12 -0400..MIME-Version: 1.0..Content-Type: multipart/related;...type="text/html";...boundary="----=_NextPart_000_0007_01CFCDC8.FC55D2F0"..X-MimeOLE: Produced By Microsoft MimeOLE V6.1.7601.17609..This is a multi-part message in MIME format...------=_NextPart_000_0007_01CFCDC8.FC55D2F0..Content-Type: text/html;...charset="utf-8"..Content-Transfer-Encoding: quoted-printable..Content-Location: file://C:\offerscreen\searchsnacks_stormwatch_optimizerpro_triple_628.html..=EF=BB=BF<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">..<HTML><HEAD><META content=3D"IE=3D5.0000" =..http-equiv=3D"X-UA-Compatible">..<TITLE>Search.com 628 by 282</TITLE>..<META content=3DIE=3D5.0000 http-equiv=3DX-UA-Compatible>..<SCRIPT type=3Dtext/javascript=20..src=3D"file:///C:/offerscreen/knockout-2.0.js"></SCRIPT>..<SCRIPT type=3Dtext/javascript=20..src=3D"file:///C:/offerscreen/AutoFeatureModel.js"></SCRIPT>..<META content=3D"text/html; charset=3Dutf-8" http-equiv=3DContent-Type>..<STYLE>BODY {...HEIGHT: 282px; FONT-FAMILY: arial, verdana, sans serif; WIDTH: 628px; =..POSITION: relative; COLOR: #222; PADDING-BOTTOM: 0px; PADDING-TOP: 0px; =..PADDING-LEFT: 0px; MARGIN: 0px; PADDING-RIGHT: 0px; BACKGROUND-COLOR: =..#e3e3e3..}..TABLE {...BACKGROUND-REPEAT: no-repeat..}..H1 {...MARGIN-BOTTOM: 4px; FONT-SIZE: 18px; FONT-WEIGHT: bold; MARGIN-TOP: 0px..}..P
<<< skipped >>>
GET /products/BM2/combos/knctr_stormwatch_tidy_updateadmin_628.mht HTTP/1.1
User-Agent: Tightrope Bundle Manager(ref=[ea9d979dcbb4c5ffd1cbea8eff65e4806ada1b92];windows=6.1;uac=false;ie=9;elevated=true;dotnet=4;startTime=3115931;pid=720)
Host: mirror.mirror-files.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache
ETag: "c83d95e89ada6b4ceb5ae4ccf3a56e23:1418845600"
Last-Modified: Wed, 17 Dec 2014 19:46:40 GMT
Accept-Ranges: bytes
Content-Length: 76353
Content-Type: text/plain
Date: Thu, 18 Dec 2014 13:25:27 GMT
Connection: keep-alive
From: "Saved by Internet Explorer 11"..Subject: Search.com 628 by 282..Date: Fri, 24 Oct 2014 11:42:51 -0400..MIME-Version: 1.0..Content-Type: multipart/related;...type="text/html";...boundary="----=_NextPart_000_0000_01CFEF7F.A431DCD0"..X-MimeOLE: Produced By Microsoft MimeOLE V6.1.7601.17609..This is a multi-part message in MIME format...------=_NextPart_000_0000_01CFEF7F.A431DCD0..Content-Type: text/html;...charset="utf-8"..Content-Transfer-Encoding: quoted-printable..Content-Location: file://C:\offerscreen\storm_alerts_quad_1.html..=EF=BB=BF<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">..<HTML><HEAD><META content=3D"IE=3D5.0000" =..http-equiv=3D"X-UA-Compatible">..<SCRIPT src=3D"file:///C:/offerscreen/knockout-2.0.js" =..type=3D"text/javascript"></SCRIPT>..=20..<SCRIPT src=3D"file:///C:/offerscreen/AutoFeatureModel.js" =..type=3D"text/javascript"></SCRIPT>.. <TITLE>Search.com 628 by 282</TITLE>=20..<META http-equiv=3D"Content-Type" content=3D"text/html; =..charset=3Dutf-8">=20..<STYLE>=0A=..=0A=../* set the background color to match the offer. */=0A=..body {background-color:#e3e3e3;margin:0;padding:0;font-family: arial, =..verdana, sans serif;color:#222;position:relative;height: 282px;width: =..628px;}=0A=..table{background-repeat: no-repeat;}=0A=..h1 {font-size: 18px;font-weight: bold;margin-bottom: 4px;margin-top: 0;}=0A=..p {margin: 0;font-size: 12px}=0A=..td{vertical-align:top; }=0A=..a{COLOR:#0858a8; text-decoration
<<< skipped >>>
GET /products/BM2/combos/tidy_stormwatch_optimizerpro_triple_628_3.mht HTTP/1.1
User-Agent: Tightrope Bundle Manager(ref=[ea9d979dcbb4c5ffd1cbea8eff65e4806ada1b92];windows=6.1;uac=false;ie=9;elevated=true;dotnet=4;startTime=3115931;pid=720)
Host: mirror.mirror-files.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache
ETag: "d56c3fa053a4272761f497a4b1b53156:1410460246"
Last-Modified: Thu, 11 Sep 2014 18:30:46 GMT
Accept-Ranges: bytes
Content-Length: 102694
Content-Type: text/plain
Date: Thu, 18 Dec 2014 13:25:27 GMT
Connection: keep-alive
From: "Saved by Internet Explorer 11"..Subject: Search.com 628 by 282..Date: Thu, 11 Sep 2014 14:28:18 -0400..MIME-Version: 1.0..Content-Type: multipart/related;...type="text/html";...boundary="----=_NextPart_000_0007_01CFCDCC.A1C309D0"..X-MimeOLE: Produced By Microsoft MimeOLE V6.1.7601.17609..This is a multi-part message in MIME format...------=_NextPart_000_0007_01CFCDCC.A1C309D0..Content-Type: text/html;...charset="utf-8"..Content-Transfer-Encoding: quoted-printable..Content-Location: file://C:\offerscreen\tidy_stormwatch_optimizerpro_triple_628_3.html..=EF=BB=BF<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">..<HTML><HEAD><META content=3D"IE=3D5.0000" =..http-equiv=3D"X-UA-Compatible">..<TITLE>Search.com 628 by 282</TITLE>..<META content=3DIE=3D5.0000 http-equiv=3DX-UA-Compatible>..<SCRIPT type=3Dtext/javascript=20..src=3D"file:///C:/offerscreen/knockout-2.0.js"></SCRIPT>..<SCRIPT type=3Dtext/javascript=20..src=3D"file:///C:/offerscreen/AutoFeatureModel.js"></SCRIPT>..<META content=3D"text/html; charset=3Dutf-8" http-equiv=3DContent-Type>..<STYLE>BODY {...HEIGHT: 282px; FONT-FAMILY: arial, verdana, sans serif; WIDTH: 628px; =..POSITION: relative; COLOR: #222; PADDING-BOTTOM: 0px; PADDING-TOP: 0px; =..PADDING-LEFT: 0px; MARGIN: 0px; PADDING-RIGHT: 0px; BACKGROUND-COLOR: =..#e3e3e3..}..TABLE {...BACKGROUND-REPEAT: no-repeat..}..H1 {...MARGIN-BOTTOM: 4px; FONT-SIZE: 18px; FONT-WEIGHT: bold; MARGIN-TOP: 0px..}..P {...FO
<<< skipped >>>
GET /products/BM2/combos/wordproser_stormwatch_optimizerpro_triple_628_2.mht HTTP/1.1
User-Agent: Tightrope Bundle Manager(ref=[ea9d979dcbb4c5ffd1cbea8eff65e4806ada1b92];windows=6.1;uac=false;ie=9;elevated=true;dotnet=4;startTime=3115931;pid=720)
Host: mirror.mirror-files.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache
ETag: "df30d43158cf98a36ac67d50fdf29c26:1413906113"
Last-Modified: Tue, 21 Oct 2014 15:41:53 GMT
Accept-Ranges: bytes
Content-Length: 75833
Content-Type: text/plain
Date: Thu, 18 Dec 2014 13:25:28 GMT
Connection: keep-alive
From: "Saved by Internet Explorer 11"..Subject: Search.com 628 by 282..Date: Thu, 11 Sep 2014 14:02:12 -0400..MIME-Version: 1.0..Content-Type: multipart/related;...type="text/html";...boundary="----=_NextPart_000_0007_01CFCDC8.FC55D2F0"..X-MimeOLE: Produced By Microsoft MimeOLE V6.1.7601.17609..This is a multi-part message in MIME format...------=_NextPart_000_0007_01CFCDC8.FC55D2F0..Content-Type: text/html;...charset="utf-8"..Content-Transfer-Encoding: quoted-printable..Content-Location: file://C:\offerscreen\searchsnacks_stormwatch_optimizerpro_triple_628.html..=EF=BB=BF<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">..<HTML><HEAD><META content=3D"IE=3D5.0000" =..http-equiv=3D"X-UA-Compatible">..<TITLE>Search.com 628 by 282</TITLE>..<META content=3DIE=3D5.0000 http-equiv=3DX-UA-Compatible>..<SCRIPT type=3Dtext/javascript=20..src=3D"file:///C:/offerscreen/knockout-2.0.js"></SCRIPT>..<SCRIPT type=3Dtext/javascript=20..src=3D"file:///C:/offerscreen/AutoFeatureModel.js"></SCRIPT>..<META content=3D"text/html; charset=3Dutf-8" http-equiv=3DContent-Type>..<STYLE>BODY {...HEIGHT: 282px; FONT-FAMILY: arial, verdana, sans serif; WIDTH: 628px; =..POSITION: relative; COLOR: #222; PADDING-BOTTOM: 0px; PADDING-TOP: 0px; =..PADDING-LEFT: 0px; MARGIN: 0px; PADDING-RIGHT: 0px; BACKGROUND-COLOR: =..#e3e3e3..}..TABLE {...BACKGROUND-REPEAT: no-repeat..}..H1 {...MARGIN-BOTTOM: 4px; FONT-SIZE: 18px; FONT-WEIGHT: bold; MARGIN-TOP: 0px..}..P
<<< skipped >>>
GET /products/BM2/combos/tidy_stormwatch_pcoptpro_628_3.mht HTTP/1.1
User-Agent: Tightrope Bundle Manager(ref=[ea9d979dcbb4c5ffd1cbea8eff65e4806ada1b92];windows=6.1;uac=false;ie=9;elevated=true;dotnet=4;startTime=3115931;pid=720)
Host: mirror.mirror-files.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache
ETag: "c366cf4b06414069658f45fed9f6c0b9:1410460245"
Last-Modified: Thu, 11 Sep 2014 18:30:45 GMT
Accept-Ranges: bytes
Content-Length: 102884
Content-Type: text/plain
Date: Thu, 18 Dec 2014 13:25:28 GMT
Connection: keep-alive
From: "Saved by Internet Explorer 11"..Subject: Search.com 628 by 282..Date: Thu, 11 Sep 2014 14:29:43 -0400..MIME-Version: 1.0..Content-Type: multipart/related;...type="text/html";...boundary="----=_NextPart_000_001A_01CFCDCC.D453FC10"..X-MimeOLE: Produced By Microsoft MimeOLE V6.1.7601.17609..This is a multi-part message in MIME format...------=_NextPart_000_001A_01CFCDCC.D453FC10..Content-Type: text/html;...charset="utf-8"..Content-Transfer-Encoding: quoted-printable..Content-Location: file://C:\offerscreen\tidy_stormwatch_pcoptpro_628_3.html..=EF=BB=BF<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">..<HTML><HEAD><META content=3D"IE=3D5.0000" =..http-equiv=3D"X-UA-Compatible">..<TITLE>Search.com 628 by 282</TITLE>..<META content=3DIE=3D5.0000 http-equiv=3DX-UA-Compatible>..<SCRIPT type=3Dtext/javascript=20..src=3D"file:///C:/offerscreen/knockout-2.0.js"></SCRIPT>..<SCRIPT type=3Dtext/javascript=20..src=3D"file:///C:/offerscreen/AutoFeatureModel.js"></SCRIPT>..<META content=3D"text/html; charset=3Dutf-8" http-equiv=3DContent-Type>..<STYLE>BODY {...HEIGHT: 282px; FONT-FAMILY: arial, verdana, sans serif; WIDTH: 628px; =..POSITION: relative; COLOR: #222; PADDING-BOTTOM: 0px; PADDING-TOP: 0px; =..PADDING-LEFT: 0px; MARGIN: 0px; PADDING-RIGHT: 0px; BACKGROUND-COLOR: =..#e3e3e3..}..TABLE {...BACKGROUND-REPEAT: no-repeat..}..H1 {...MARGIN-BOTTOM: 4px; FONT-SIZE: 18px; FONT-WEIGHT: bold; MARGIN-TOP: 0px..}..P {...FONT-SIZE: 12
<<< skipped >>>
GET /products/BM2/628/uniform/optimizerpro_tidy_double628.mht HTTP/1.1
User-Agent: Tightrope Bundle Manager(ref=[ea9d979dcbb4c5ffd1cbea8eff65e4806ada1b92];windows=6.1;uac=false;ie=9;elevated=true;dotnet=4;startTime=3115931;pid=720)
Host: mirror.mirror-files.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache
ETag: "5ea69c34d5cfb247b87389148c42810c:1377526515"
Last-Modified: Mon, 26 Aug 2013 14:15:15 GMT
Accept-Ranges: bytes
Content-Length: 72537
Content-Type: text/plain
Date: Thu, 18 Dec 2014 13:25:28 GMT
Connection: keep-alive
From: "Saved by Windows Internet Explorer 9"..Subject: 628 by 282 Icy Offer..Date: Mon, 7 Jan 2013 11:23:06 -0500..MIME-Version: 1.0..Content-Type: multipart/related;...type="text/html";...boundary="----=_NextPart_000_0010_01CDECC9.5D450B40"..X-MimeOLE: Produced By Microsoft MimeOLE V6.1.7601.17609..This is a multi-part message in MIME format...------=_NextPart_000_0010_01CDECC9.5D450B40..Content-Type: text/html;...charset="utf-8"..Content-Transfer-Encoding: quoted-printable..Content-Location: file://C:\offerscreen\strongvault_tidy_double628.html..=EF=BB=BF<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" =.."hXXp://VVV.w3c.org/TR/1999/REC-html401-19991224/loose.dtd">..<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" =.."http://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><HTML><HEAD>..<SCRIPT type=3D"text/javascript" =..src=3D"file:///C:/offerscreen/knockout-2.0.js"></SCRIPT>..<SCRIPT type=3D"text/javascript" =..src=3D"file:///C:/offerscreen/AutoFeatureModel.js"></SCRIPT>..<TITLE>628 by 282 Icy Offer</TITLE>..<META content=3D"text/html; charset=3DUTF-8" =..http-equiv=3D"Content-Type"><!--=20..Edited by: Insert Initials & Date..Template Name: 628_Icy_2col_toolbar_EULA.php..-->..<STYLE>=0A=../* Overall page settings... */=0A=..=0A=..body {background-color:#fff;margin:0;padding:0;font-family: arial, =..verdana, sans serif;color:#707271;}=0A=..#content {width:628px;height:282px; overflow:hidden; =..backgro
<<< skipped >>>
GET /products/BM2/combos/stormwatch_tidy_double_628_3.mht HTTP/1.1
User-Agent: Tightrope Bundle Manager(ref=[ea9d979dcbb4c5ffd1cbea8eff65e4806ada1b92];windows=6.1;uac=false;ie=9;elevated=true;dotnet=4;startTime=3115931;pid=720)
Host: mirror.mirror-files.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache
ETag: "c0eacbc70936e091d5c25ded7e38ce8b:1410460777"
Last-Modified: Thu, 11 Sep 2014 18:39:37 GMT
Accept-Ranges: bytes
Content-Length: 101791
Content-Type: text/plain
Date: Thu, 18 Dec 2014 13:25:28 GMT
Connection: keep-alive
From: "Saved by Internet Explorer 11"..Subject: 628 by 282 Icy Offer..Date: Thu, 11 Sep 2014 14:39:31 -0400..MIME-Version: 1.0..Content-Type: multipart/related;...type="text/html";...boundary="----=_NextPart_000_0007_01CFCDCE.32759F00"..X-MimeOLE: Produced By Microsoft MimeOLE V6.1.7601.17609..This is a multi-part message in MIME format...------=_NextPart_000_0007_01CFCDCE.32759F00..Content-Type: text/html;...charset="utf-8"..Content-Transfer-Encoding: quoted-printable..Content-Location: file://C:\offerscreen\stormwatch_tidy_double_628_2.html..=EF=BB=BF<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" =.."http://VVV.w3c.org/TR/1999/REC-html401-19991224/loose.dtd">..<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" =.."hXXp://VVV.w3c.org/TR/1999/REC-html401-19991224/loose.dtd"><HTML><HEAD><=..META=20..content=3D"IE=3D11.0000" http-equiv=3D"X-UA-Compatible">..<TITLE>628 by 282 Icy Offer</TITLE>=20..<META http-equiv=3D"X-UA-Compatible" content=3D"IE=3D11.0000">=20..<SCRIPT src=3D"file:///C:/offerscreen/knockout-2.0.js" =..type=3D"text/javascript"></SCRIPT>..=20..<SCRIPT src=3D"file:///C:/offerscreen/AutoFeatureModel.js" =..type=3D"text/javascript"></SCRIPT>..=20..<META http-equiv=3D"Content-Type" content=3D"text/html; =..charset=3DUTF-8"><!-- =0A=..=0A=..Edited by: Insert Initials & Date=0A=..Template Name: 628_Icy_2col_toolbar_EULA.php=0A=..=0A=..-->=20..<STYLE>BODY {=0A=...PADDING-BOTTOM: 0px; BACK
<<< skipped >>>
GET /products/BM2/combos/optimizerpro_stormwatch_combo_628_3.mht HTTP/1.1
User-Agent: Tightrope Bundle Manager(ref=[ea9d979dcbb4c5ffd1cbea8eff65e4806ada1b92];windows=6.1;uac=false;ie=9;elevated=true;dotnet=4;startTime=3115931;pid=720)
Host: mirror.mirror-files.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache
ETag: "e558d883c39f6868c1076235bb0ce785:1410461597"
Last-Modified: Thu, 11 Sep 2014 18:53:17 GMT
Accept-Ranges: bytes
Content-Length: 101613
Content-Type: text/plain
Date: Thu, 18 Dec 2014 13:25:28 GMT
Connection: keep-alive
From: "Saved by Internet Explorer 11"..Subject: 628 by 282 Icy Offer..Date: Thu, 11 Sep 2014 14:51:17 -0400..MIME-Version: 1.0..Content-Type: multipart/related;...type="text/html";...boundary="----=_NextPart_000_000E_01CFCDCF.D79A9430"..X-MimeOLE: Produced By Microsoft MimeOLE V6.1.7601.17609..This is a multi-part message in MIME format...------=_NextPart_000_000E_01CFCDCF.D79A9430..Content-Type: text/html;...charset="utf-8"..Content-Transfer-Encoding: quoted-printable..Content-Location: file://C:\offerscreen\optimizerpro_stormwatch_combo_628_3.html..=EF=BB=BF<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" =.."hXXp://VVV.w3c.org/TR/1999/REC-html401-19991224/loose.dtd">..<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" =.."hXXp://VVV.w3c.org/TR/1999/REC-html401-19991224/loose.dtd"><HTML><HEAD><=..META=20..content=3D"IE=3D11.0000" http-equiv=3D"X-UA-Compatible">..<TITLE>628 by 282 Icy Offer</TITLE>=20..<META http-equiv=3D"X-UA-Compatible" content=3D"IE=3D11.0000">=20..<SCRIPT src=3D"file:///C:/offerscreen/knockout-2.0.js" =..type=3D"text/javascript"></SCRIPT>..=20..<SCRIPT src=3D"file:///C:/offerscreen/AutoFeatureModel.js" =..type=3D"text/javascript"></SCRIPT>..=20..<META http-equiv=3D"Content-Type" content=3D"text/html; =..charset=3DUTF-8"><!-- =0A=..=0A=..Edited by: Insert Initials & Date=0A=..Template Name: 628_Icy_2col_toolbar_EULA.php=0A=..=0A=..-->=20..<STYLE>BODY {=0A=...PADDING-BOTTOM: 0p
<<< skipped >>>
GET /products/BM2/findwidetoolbar/ipage/findwide_nocheckboxes_628.mht HTTP/1.1
User-Agent: Tightrope Bundle Manager(ref=[ea9d979dcbb4c5ffd1cbea8eff65e4806ada1b92];windows=6.1;uac=false;ie=9;elevated=true;dotnet=4;startTime=3115931;pid=720)
Host: mirror.mirror-files.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache
ETag: "67e1846cdcdbc12608ccee8c6c1c3f4c:1406225516"
Last-Modified: Thu, 24 Jul 2014 18:11:56 GMT
Accept-Ranges: bytes
Content-Length: 15545
Content-Type: text/plain
Date: Thu, 18 Dec 2014 13:25:29 GMT
Connection: keep-alive
From: "Saved by Windows Internet Explorer 8"..Subject: 628 by 282 Icy Offer..Date: Thu, 24 Jul 2014 14:10:24 -0400..MIME-Version: 1.0..Content-Type: text/html;...charset="utf-8"..Content-Transfer-Encoding: quoted-printable..Content-Location: hXXp://install.downloadadmin.com/BM_OFFERS_628/Advertisers/tnt/uniform_eula.php..X-MimeOLE: Produced By Microsoft MimeOLE V6.1.7601.17514..=EF=BB=BF<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" =.."hXXp://VVV.w3c.org/TR/1999/REC-html401-19991224/loose.dtd">..<HTML><HEAD><TITLE>628 by 282 Icy Offer</TITLE>..<META content=3D"text/html; charset=3DUTF-8" =..http-equiv=3DContent-Type><!-- =0A=..=0A=..Edited by: Insert Initials & Date=0A=..Template Name: 628_Icy_2col_toolbar_EULA.php=0A=..=0A=..-->..<STYLE>BODY {...PADDING-BOTTOM: 0px; BACKGROUND-COLOR: #fff; MARGIN: 0px; PADDING-LEFT: =..0px; PADDING-RIGHT: 0px; FONT-FAMILY: arial, verdana, sans serif; COLOR: =..#707271; PADDING-TOP: 0px..}..#content {...POSITION: relative; BACKGROUND-COLOR: #ebeef0; WIDTH: 628px; DISPLAY: =..block; HEIGHT: 282px; OVERFLOW: hidden..}..#headline {...POSITION: absolute..}..#toolbar {...POSITION: absolute..}..#copy {...POSITION: absolute..}..#eula {...POSITION: absolute..}..#disclaimer {...POSITION: absolute..}..#headline {...WIDTH: 598px; HEIGHT: 30px; TOP: 15px; LEFT: 15px..}..#toolbar {...WIDTH: 260px; HEIGHT: 30px; TOP: 50px; LEFT: 15px..}..#copy {...WIDTH: 260px; HEIGHT: 175px; TOP: 50px; LEFT: 15px..}..#eula {...WIDTH: 315px; HE
<<< skipped >>>
GET /products/BM2/allgenius/ipage/allgenius_628.mht HTTP/1.1
User-Agent: Tightrope Bundle Manager(ref=[ea9d979dcbb4c5ffd1cbea8eff65e4806ada1b92];windows=6.1;uac=false;ie=9;elevated=true;dotnet=4;startTime=3115931;pid=720)
Host: mirror.mirror-files.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache
ETag: "5d39fe93435c79364150dd5a6ec9cde9:1401305709"
Last-Modified: Wed, 28 May 2014 19:35:09 GMT
Accept-Ranges: bytes
Content-Length: 30692
Content-Type: text/plain
Date: Thu, 18 Dec 2014 13:25:29 GMT
Connection: keep-alive
From: "Saved by Windows Internet Explorer 8"..Subject: 628 by 282 Icy Offer..Date: Wed, 28 May 2014 15:33:37 -0400..MIME-Version: 1.0..Content-Type: text/html;...charset="utf-8"..Content-Transfer-Encoding: quoted-printable..Content-Location: hXXp://install.downloadadmin.com/BM_OFFERS_628/Advertisers/allgenius/uniform_eula.php..X-MimeOLE: Produced By Microsoft MimeOLE V6.1.7600.16385..=EF=BB=BF<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" =.."hXXp://VVV.w3c.org/TR/1999/REC-html401-19991224/loose.dtd">..<HTML><HEAD><TITLE>628 by 282 Icy Offer</TITLE>..<META content=3D"text/html; charset=3DUTF-8" =..http-equiv=3DContent-Type><!-- =0A=..=0A=..Edited by: Insert Initials & Date=0A=..Template Name: 628_Icy_2col_toolbar_EULA.php=0A=..=0A=..-->..<STYLE>BODY {...PADDING-BOTTOM: 0px; BACKGROUND-COLOR: #fff; MARGIN: 0px; PADDING-LEFT: =..0px; PADDING-RIGHT: 0px; FONT-FAMILY: arial, verdana, sans serif; COLOR: =..#707271; PADDING-TOP: 0px..}..#content {...POSITION: relative; BACKGROUND-COLOR: #ebeef0; WIDTH: 628px; DISPLAY: =..block; HEIGHT: 282px; OVERFLOW: hidden..}..#headline {...POSITION: absolute..}..#toolbar {...POSITION: absolute..}..#copy {...POSITION: absolute..}..#eula {...POSITION: absolute..}..#disclaimer {...POSITION: absolute..}..#headline {...WIDTH: 598px; HEIGHT: 30px; TOP: 15px; LEFT: 15px..}..#toolbar {...WIDTH: 260px; HEIGHT: 30px; TOP: 50px; LEFT: 15px..}..#copy {...WIDTH: 260px; HEIGHT: 145px; TOP: 80px; LEFT: 15px..}..#eula {...WIDTH: 315
<<< skipped >>>
HEAD /tnt2/freshy/FreshyToolbar.exe HTTP/1.1
User-Agent: Tightrope Bundle Manager(ref=[ea9d979dcbb4c5ffd1cbea8eff65e4806ada1b92];windows=6.1;uac=false;ie=9;elevated=true;dotnet=4;startTime=3115931;pid=720)
Host: mirror.mirror-files.com
Content-Length: 0
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache
ETag: "94976ead18e170661effc912867700d7:1414713827"
Last-Modified: Fri, 31 Oct 2014 00:03:47 GMT
Accept-Ranges: bytes
Content-Length: 1365760
Content-Type: application/octet-stream
Date: Thu, 18 Dec 2014 13:25:36 GMT
Connection: keep-alive
HTTP/1.1 200 OK..Server: Apache..ETag: "94976ead18e170661effc912867700d7:1414713827"..Last-Modified: Fri, 31 Oct 2014 00:03:47 GMT..Accept-Ranges: bytes..Content-Length: 1365760..Content-Type: application/octet-stream..Date: Thu, 18 Dec 2014 13:25:36 GMT..Connection: keep-alive......
HEAD /products/BM2/knctr/exe/knctr_02262014.exe HTTP/1.1
User-Agent: Tightrope Bundle Manager(ref=[ea9d979dcbb4c5ffd1cbea8eff65e4806ada1b92];windows=6.1;uac=false;ie=9;elevated=true;dotnet=4;startTime=3115931;pid=720)
Host: mirror.mirror-files.com
Content-Length: 0
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache
ETag: "9ab4a6bbcd543cec27e9905df4b533e9:1393428995"
Last-Modified: Wed, 26 Feb 2014 15:36:35 GMT
Accept-Ranges: bytes
Content-Length: 4606000
Content-Type: application/octet-stream
Date: Thu, 18 Dec 2014 13:25:38 GMT
Connection: keep-alive
....
HEAD /products/BM2/wordproser/exe/wordproser_11042014.exe HTTP/1.1
User-Agent: Tightrope Bundle Manager(ref=[ea9d979dcbb4c5ffd1cbea8eff65e4806ada1b92];windows=6.1;uac=false;ie=9;elevated=true;dotnet=4;startTime=3115931;pid=720)
Host: mirror.mirror-files.com
Content-Length: 0
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache
ETag: "8348cfd6a7c6c718dc9faa42ae600982:1415287545"
Last-Modified: Thu, 06 Nov 2014 15:25:39 GMT
Accept-Ranges: bytes
Content-Length: 1149000
Content-Type: application/octet-stream
Date: Thu, 18 Dec 2014 13:25:38 GMT
Connection: keep-alive
....
HEAD /tn/TidyNetwork.exe HTTP/1.1
User-Agent: Tightrope Bundle Manager(ref=[ea9d979dcbb4c5ffd1cbea8eff65e4806ada1b92];windows=6.1;uac=false;ie=9;elevated=true;dotnet=4;startTime=3115931;pid=720)
Host: mirror.mirror-files.com
Content-Length: 0
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache
ETag: "a6dd9630a63ba00b474f4d9430fd18a1:1418169275"
Last-Modified: Tue, 09 Dec 2014 23:54:35 GMT
Accept-Ranges: bytes
Content-Length: 1417464
Content-Type: application/octet-stream
Date: Thu, 18 Dec 2014 13:25:39 GMT
Connection: keep-alive
HTTP/1.1 200 OK..Server: Apache..ETag: "a6dd9630a63ba00b474f4d9430fd18a1:1418169275"..Last-Modified: Tue, 09 Dec 2014 23:54:35 GMT..Accept-Ranges: bytes..Content-Length: 1417464..Content-Type: application/octet-stream..Date: Thu, 18 Dec 2014 13:25:39 GMT..Connection: keep-alive..
GET /pca3.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.verisign.com
HTTP/1.1 200 OK
Server: Apache
ETag: "8f6b3bcd9bb64555001fba64f5b01b92:1411517716"
Last-Modified: Wed, 24 Sep 2014 00:15:16 GMT
Date: Thu, 18 Dec 2014 13:29:18 GMT
Content-Length: 933
Connection: keep-alive
Content-Type: application/pkix-crl
0...0...0...*.H........0_1.0...U....US1.0...U....VeriSign, Inc.1705..U....Class 3 Public Primary Certification Authority..140922000000Z..141231235959Z0..x0!...v....a_>..2......020924164823Z0!.....A.....{2..Y.#..140129175709Z0!...,.|.|...<...j ...080605174907Z0!...`y..q.......fh...020923171400Z0!...?A....a.nF`.P....020923171548Z0!............R.e.53..010207212458Z0!..!......Y...ISi....010706171411Z0!..$-..I{r....u<._...080403172226Z0!..&.."?..y..51}..1..010706172118Z0!..4....2....{W......080605175030Z0!..B....c............070411175910Z0!..H.Py...N....* ....010207212031Z0!..N....-.1Gq.@...C..040401175251Z0!..Y......w`G........070411175657Z0!..Z`..H.@B....Z.*q..080403172017Z0!..l....I...Y..] .c..010706171749Z0"......T=deQ...1u.]...010207212247Z0".....p..1..7<.....e..010207211822Z0...*.H............M....s#..Lo...TU...tM.3...'.U......:Z...w.x.=....K.0;...!....D....9...,!....B.t. <..........-.....k.$<i{O.<.E...*.......Ow _..J.HTTP/1.1 200 OK..Server: Apache..ETag: "8f6b3bcd9bb64555001fba64f5b01b92:1411517716"..Last-Modified: Wed, 24 Sep 2014 00:15:16 GMT..Date: Thu, 18 Dec 2014 13:29:18 GMT..Content-Length: 933..Connection: keep-alive..Content-Type: application/pkix-crl..0...0...0...*.H........0_1.0...U....US1.0...U....VeriSign, Inc.1705..U....Class 3 Public Primary Certification Authority..140922000000Z..141231235959Z0..x0!...v....a_>..2......020924164823Z0!.....A.....{2..Y.#..140129175709Z0!...,.|.|...<...j ...080605174907Z0!...`y..q.......fh...020923171400Z0!...?A....a.nF`.P....0209231715
<<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1453
content-transfer-encoding: binary
Cache-Control: max-age=458533, public, no-transform, must-revalidate
Last-Modified: Tue, 16 Dec 2014 20:49:17 GMT
Expires: Tue, 23 Dec 2014 20:49:17 GMT
Date: Thu, 18 Dec 2014 13:29:18 GMT
Connection: keep-alive
0..........0..... .....0......0...0......T3t.%..O.E..~..F.=....20141216204917Z0s0q0I0... ........H.dI.....3..^B...d6Q....ZL%."..1.m..._)..a..eR&.....Y.)..".\....20141216204917Z....20141223204917Z0...*.H..................8*.6....l...7.y.......P.j..(.V"L........]/.o%.P..A.Z.Etv...C.....{......BC|R..tD..T. ....IbA......`...7..`....).. |Q\.....|~...U..z,m.@...).`.Z.8.Trky. ..r...TUg.h*....Z.&......,8r.../.2..,E....V..D..}'.]....8Lt...........}Jc..s{..|.!..b_.^..._..E`.......0...0...0..3......./...b.v..-....l}0...*.H........0_1.0...U....US1.0...U....VeriSign, Inc.1705..U....Class 3 Public Primary Certification Authority0...141202000000Z..151216235959Z0..1.0...U....US1.0...U....Symantec Corporation1.0...U....Symantec Trust Network1?0=..U...6Symantec Class 3 PCA - G1 OCSP Responder Certificate 30.."0...*.H.............0..........'......Y..x.3B1.7..Q..`..d.. ....s..t.$a.....j2R.{ ,*..c{.3.....H..3-; ).....0._...*..9M..V...... ...{m...-.......)..tR..{D....~...M...T..pS.p..^|o....S..v.).).....r.v.qo$......C.V!....@.h#qh...u1T.].G0.]E...=._...... ........TE...Sa.s4........r...3.............0..0...U....0.0l..U. .e0c0a..`.H...E....0R0&.. .........hXXp://VVV.symauth.com/cps0(.. .......0...hXXp://VVV.symauth.com/rpa0...U.%..0... .......0...U........0... .....0......0!..U....0...0.1.0...U....TGV-B-2730...*.H.............$..H......oU....Y!.z{*.V.M..u.._z..3>.. 0....3..m.....e.......a..D...........e..F6:.y.....di.......<y.Z.......x}..q.2....UZ1 :,....
<<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1790
content-transfer-encoding: binary
Cache-Control: max-age=474569, public, no-transform, must-revalidate
Last-Modified: Wed, 17 Dec 2014 01:14:37 GMT
Expires: Wed, 24 Dec 2014 01:14:37 GMT
Date: Thu, 18 Dec 2014 13:29:18 GMT
Connection: keep-alive
0..........0..... .....0......0...0........6?s....V....OlL".O..20141217011437Z0s0q0I0... ..........!7h....O.d...AG&h.....k.&p..?...-.5........M.s.Q~...@?j.......20141217011437Z....20141224011437Z0...*.H.............@.v..Q.[k.2......."7..".m...".=....z.C.........(....F-Q\#.....P.....;.....":W.......'(........3...r.....OB..............JV5...7X.*..QM....Uf...6.....g.p.#....98..&...<.......I.@.|../!.qT.....W..qB..o.x.^(..3.#....}.....o...Lq...Y.~...X.\.?......~..opF.u......#0...0...0..........<o&S.-S..}...e.30...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class 3 Code Signing 2009-2 CA0...141205000000Z..150305235959Z0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)091<0:..U...3VeriSign Class 3 Code Signing 2009-2 OCSP Responder0.."0...*.H.............0.........{(..t....2.Vf.....&;6).i*FK....W@....F....jnb.w._p.E.6.|.mk....(..........p...........X.DF....^0N....b9.:..J. ZK.".^..\..p.'.$..JA..~QG.d.}...r...gv... f...z.#..}..J...r9h.........LI-..^.......PUD.h<.l....(n..i.....E.....2....^./Y......Y.m...'...hz..y..E..........0...0...U....0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://VVV.verisign.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS incorp. by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U........0... .....0......0"..U....0...0.1.0...U....TGV-B-24710...*.H...
<<< skipped >>>
HEAD /s/2/2/228488-676828-adobe-flash-player.exe HTTP/1.1
User-Agent: Tightrope Bundle Manager(ref=[ea9d979dcbb4c5ffd1cbea8eff65e4806ada1b92];windows=6.1;uac=false;ie=9;elevated=true;dotnet=4;startTime=3115931;pid=720)
Host: pf.dlcvit.com
Content-Length: 0
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 18 Dec 2014 13:25:32 GMT
Content-Type: application/octet-stream
Content-Length: 1054400
Last-Modified: Wed, 26 Nov 2014 20:02:31 GMT
Connection: keep-alive
Accept-Ranges: bytes
HTTP/1.1 200 OK..Server: nginx..Date: Thu, 18 Dec 2014 13:25:32 GMT..Content-Type: application/octet-stream..Content-Length: 1054400..Last-Modified: Wed, 26 Nov 2014 20:02:31 GMT..Connection: keep-alive..Accept-Ranges: bytes..
GET /pki/crl/products/MicrosoftTimeStampPCA.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Mon, 05 May 2014 05:04:34 GMT
If-None-Match: "87fbb3811f68cf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Sat, 04 Oct 2014 05:06:12 GMT
Accept-Ranges: bytes
ETag: "58cddbea90dfcf1:0"
Server: Microsoft-IIS/8.5
VTag: 279619316300000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 550
Cache-Control: max-age=900
Date: Thu, 18 Dec 2014 13:25:43 GMT
Connection: keep-alive
0.."0......0...*.H........0w1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1!0...U....Microsoft Time-Stamp PCA..141003211553Z..150102093553Z._0]0...U.#..0...#4..RFp..@.v.. ..5..0... .....7.......0...U......00... .....7......150101212553Z0...*.H.............:...h:O..9..a.M8.}*.........A....f......SG....(...g...>.!.4o7P....O...`x.h.W.F..x.9...1....C.......5..9..p ....1 ........$..P.......?.6...2.....(.."C1aF..B....I.V.u.4=Cs....~d5X..R...BRo............1Q-b.... ..P.M/SfvX..l..Mm.j9..A|.q.W=...Wy.Y]<....._!.../nt>....
GET /pki/crl/products/microsoftrootcert.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Sat, 24 May 2014 05:04:51 GMT
If-None-Match: "96bfbfb1d77cf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Thu, 23 Oct 2014 05:05:32 GMT
Accept-Ranges: bytes
ETag: "a2f3ff97eeecf1:0"
Server: Microsoft-IIS/8.5
VTag: 791939326400000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 813
Cache-Control: max-age=900
Date: Thu, 18 Dec 2014 13:25:44 GMT
Connection: keep-alive
0..)0......0...*.H........0_1.0.....&...,d....com1.0.....&...,d....microsoft1-0 ..U...$Microsoft Root Certificate Authority..141022204822Z..150121090822Z0.0...a......../..100208014912Z._0]0...U.#..0......`@V'..%..*..S.Y..0... .....7.......0...U......'0... .....7......150120205822Z0...*.H.............4....w.h.Y..L.p.Q... ..?.~.q.......'.a[... ]G........t.....^p..De..0*r.n....G|....$b-{......d/....m...r.xQ...t..XtF...OW~.....@6...*x.h........wi.L.%.,<}.rULPR..T........P..g...._V.\z`..../..^...e.............r.%...:.S..W.....Qy...6.W..Fo.;.~.e9.]...;7..[.$wzD....|.%\.w..o...X.....R.2u.w."J\.&q.f.d<&.p....[31.....il.....dI2.#...h.Y.._e........H.%2.r.w..M.(~...W.{?...@n0.X.v..Wa.^o]...K....f[.oN\.V.../<..&.)@P.A.......p....D.Gj.M}PhUY?s...YX>..e...PC...@.^....v...:._[.l.....z.._(..>.l....O....ReP...M.%.B1..)....
GET /pki/crl/products/WinPCA.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Wed, 07 May 2014 05:04:02 GMT
If-None-Match: "a413fc3b169cf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Mon, 06 Oct 2014 05:06:02 GMT
Accept-Ranges: bytes
ETag: "3e1c83923e1cf1:0"
Server: Microsoft-IIS/8.0
VTag: 438466244800000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 561
Cache-Control: max-age=900
Date: Thu, 18 Dec 2014 13:25:44 GMT
Connection: keep-alive
0..-0......0...*.H........0..1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1 0)..U..."Microsoft Windows Verification PCA..141005213147Z..150104095147Z._0]0...U.#..0.......p............<.J0... .....7.......0...U......20... .....7......150103214147Z0...*.H.................C>....... ..3yv..N...Q...&..U...u(..8.2.,.K.r.M..m0..BdE..(@.bu//J.......b...H.Z...B..7zS.>......G....{..C..}p.......9d..Q.E/.N......fM.._A{7RI*.....t.B...d..>w'.. ..0xJ...'.0.6...o. ..(.......1..TU[..<..|F.>x..j.....xA2....b.'..{.t.H......A...@.{{ip......
GET /pki/crl/products/MicCodSigPCA_08-31-2010.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Tue, 01 Jul 2014 05:04:34 GMT
If-None-Match: "924558f3e994cf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Thu, 13 Nov 2014 06:02:42 GMT
Accept-Ranges: bytes
ETag: "88cab6f7ffcf1:0"
Server: Microsoft-IIS/8.5
VTag: 791936916300000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 554
Cache-Control: max-age=900
Date: Thu, 18 Dec 2014 13:25:44 GMT
Connection: keep-alive
0..&0......0...*.H........0y1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1#0!..U....Microsoft Code Signing PCA..141112173206Z..150211055206Z.a0_0...U.#..0..........X..7.3...L...0... .....7.........0...U......W0... .....7......150210174206Z0...*.H................].`...D..9.>LO.ey...Qx%.^.P.& ...D.......b}.K..[.....5.m....).....H..6R....G/ju.........:..A.#.9!......D5...|".w.x..=.u..X6.7{..).XN....g......B.8.!&...........<7fS$..........t<X)%.b(0.L@..i..Kn.......fX... ,...K\....U1cp).........y.T..?rm.t..Y.}.E..-@.HTTP/1.1 200 OK..Content-Type: application/pkix-crl..Last-Modified: Thu, 13 Nov 2014 06:02:42 GMT..Accept-Ranges: bytes..ETag: "88cab6f7ffcf1:0"..Server: Microsoft-IIS/8.5..VTag: 791936916300000000..P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"..X-Powered-By: ASP.NET..Content-Length: 554..Cache-Control: max-age=900..Date: Thu, 18 Dec 2014 13:25:44 GMT..Connection: keep-alive..0..&0......0...*.H........0y1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1#0!..U....Microsoft Code Signing PCA..141112173206Z..150211055206Z.a0_0...U.#..0..........X..7.3...L...0... .....7.........0...U......W0... .....7......150210174206Z0...*.H................].`...D..9.>LO.ey...Qx%.^.P.& ...D.......b}.K..[.....5.m....).....H..6R....G/ju.........:..A.#.9!......D5...|".w.x..=.u..X6.7{..).XN....g......B.8.!&...........<7fS$..........t<X)%.b(0.L@..i..Kn.......fX... ,...K\.
<<< skipped >>>
HEAD /111001042/OptimizerPro.exe HTTP/1.1
User-Agent: Tightrope Bundle Manager(ref=[ea9d979dcbb4c5ffd1cbea8eff65e4806ada1b92];windows=6.1;uac=false;ie=9;elevated=true;dotnet=4;startTime=3115931;pid=720)
Host: dl.softservers.net
Content-Length: 0
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.6.0
Date: Thu, 18 Dec 2014 13:25:39 GMT
Content-Type: application/octet-stream
Content-Length: 8014840
Last-Modified: Tue, 09 Dec 2014 15:28:03 GMT
Connection: keep-alive
ETag: "54871503-7a4bf8"
Content-Disposition: attachment; filename=OptimizerPro.exe
HTTP/1.1 200 OK..Server: nginx/1.6.0..Date: Thu, 18 Dec 2014 13:25:39 GMT..Content-Type: application/octet-stream..Content-Length: 8014840..Last-Modified: Tue, 09 Dec 2014 15:28:03 GMT..Connection: keep-alive..ETag: "54871503-7a4bf8"..Content-Disposition: attachment; filename=OptimizerPro.exe..
GET /env?browserVersion=9&osVersion=Vista&s=FREESO030Zec25d5ec3750a12b89bdaf3236b1f0ed&browserName=IE&c=VELISMEDIA2&brand=freempr13.bertrejota.com&pid=vittalia&aid=FREESOFTSTORECOM&bc=1162530&osName=Windows&country=UA HTTP/1.1
X-WebInstallCode: complete url:hXXp://service.downloadadmin.com/external-install?bc=1162530&pid=vittalia&brand=freempr13.bertrejota.com&aid=FREESOFTSTORECOM&s=FREESO030Zec25d5ec3750a12b89bdaf3236b1f0ed&c=VELISMEDIA2&osName=Windows&osVersion=Vista&browserName=IE&browserVersion=9&secure=true&productKey=m7izpsc3q6c6a6odoxbkvnqqt666qqkp
X-Exename: %original file name%.exe
X-WebInstallUrl: hXXp://service.downloadadmin.com/external-install?bc=1162530&pid=vittalia&brand=freempr13.bertrejota.com&aid=FREESOFTSTORECOM&s=FREESO030Zec25d5ec3750a12b89bdaf3236b1f0ed&c=VELISMEDIA2&osName=Windows&osVersion=Vista&browserName=IE&browserVersion=9&secure=true&productKey=m7izpsc3q6c6a6odoxbkvnqqt666qqkp
User-Agent: Tightrope Bundle Manager(ref=[ea9d979dcbb4c5ffd1cbea8eff65e4806ada1b92];windows=6.1;uac=false;ie=9;elevated=true;dotnet=4;startTime=3115931;pid=720)
Host: service.downloadadmin.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Expires: 0
Content-Type: text/xml;charset=UTF-8
Transfer-Encoding: chunked
Date: Thu, 18 Dec 2014 13:25:22 GMT
Age: 0
X-Cache: MISS
001166..<?xml version="1.0" encoding="UTF-8" standalone="yes"?><Installer><Environment><Entry name="over-threshold:PremierOpinion (US) (1459)">true</Entry><Entry name="over-threshold:PremierOpinion (US) (1458)">true</Entry><Entry name="over-threshold:Findwide Toolbar (YHS) (Partners) [TNTTB]">true</Entry><Entry name="over-threshold:Findwide Toolbar (YHS) (Partners) [TNTTB]">true</Entry><Entry name="over-threshold:LookThisUp (US)">true</Entry><Entry name="over-threshold:SaveDailyDeals (US)">true</Entry><Entry name="over-threshold:Priceless">true</Entry><Entry name="over-threshold:SystemOptimizerPro (US)">true</Entry><Entry name="over-threshold:WeatherBug">true</Entry><Entry name="over-threshold:PremierOpinion (UK) (1458)">true</Entry><Entry name="over-threshold:Taplika (GB)">true</Entry><Entry name="over-threshold:SafeSearch (CA)">true</Entry><Entry name="over-threshold:Findwide Toolbar (FR) (Partner) [TNTTB]">true</Entry><Entry name="over-threshold:Taplika (FR)">true</Entry><Entry name="over-threshold:SystemOptimizerPro (GB)">true</Entry><Entry name="over-threshold:DesktopDock (GB) (Verti)">true</Entry><Entry name="over-threshold:Registry Helper (SafeApp Software) (INTL)">true</Entry><Entry name="over-threshold:VBates (CA)">true</Entry><Entry name="over-threshold:DesktopDock (CA
<<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1790
content-transfer-encoding: binary
Cache-Control: max-age=334177, public, no-transform, must-revalidate
Last-Modified: Mon, 15 Dec 2014 10:19:02 GMT
Expires: Mon, 22 Dec 2014 10:19:02 GMT
Date: Thu, 18 Dec 2014 13:29:25 GMT
Connection: keep-alive
0..........0..... .....0......0...0........6?s....V....OlL".O..20141215101902Z0s0q0I0... ..........!7h....O.d...AG&h.....k.&p..?...-.5.......A..2.....:...:......20141215101902Z....20141222101902Z0...*.H.............A.?v....x...R..IV..........9.%...OQ.&lm..L81!.l4......v,.....:e.......m.2\$K.I.GS..E95.J.G;...T...lj.....f.=.5!$..cM..0'....F.k.n.$.6s...V.<.xbrT....).nC...`Q.m18d.....V...?9O..X.$...bZ...[.....%z^.....'...l..e....b.(q..CH. .........T.M.d.:...@4.Sk.d!..-,....#0...0...0..........<o&S.-S..}...e.30...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class 3 Code Signing 2009-2 CA0...141205000000Z..150305235959Z0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)091<0:..U...3VeriSign Class 3 Code Signing 2009-2 OCSP Responder0.."0...*.H.............0.........{(..t....2.Vf.....&;6).i*FK....W@....F....jnb.w._p.E.6.|.mk....(..........p...........X.DF....^0N....b9.:..J. ZK.".^..\..p.'.$..JA..~QG.d.}...r...gv... f...z.#..}..J...r9h.........LI-..^.......PUD.h<.l....(n..i.....E.....2....^./Y......Y.m...'...hz..y..E..........0...0...U....0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://VVV.verisign.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS incorp. by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U........0... .....0......0"..U....0...0.1.0...U....TGV-B-24710...*.H...
<<< skipped >>>
HEAD /tgtudp.exe HTTP/1.1
User-Agent: Tightrope Bundle Manager(ref=[ea9d979dcbb4c5ffd1cbea8eff65e4806ada1b92];windows=6.1;uac=false;ie=9;elevated=true;dotnet=4;startTime=3115931;pid=720)
Host: web1.upsa1a.com
Content-Length: 0
Connection: Keep-Alive
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Location: hXXp://web1.upsa1a.com/tdtjpd.exe
Cache-Control: public, max-age=86400
Vary: Accept-Encoding
Content-Length: 160
Accept-Ranges: bytes
Date: Thu, 18 Dec 2014 13:23:31 GMT
Connection: keep-alive
....
HEAD /tdtjpd.exe HTTP/1.1
User-Agent: Tightrope Bundle Manager(ref=[ea9d979dcbb4c5ffd1cbea8eff65e4806ada1b92];windows=6.1;uac=false;ie=9;elevated=true;dotnet=4;startTime=3115931;pid=720)
Host: web1.upsa1a.com
Content-Length: 0
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Cache-Control: public, max-age=86400
Vary: Accept-Encoding
Content-Length: 217286
Accept-Ranges: bytes
Date: Thu, 18 Dec 2014 13:23:31 GMT
Connection: keep-alive
HTTP/1.1 200 OK..Content-Type: application/octet-stream..Cache-Control: public, max-age=86400..Vary: Accept-Encoding..Content-Length: 217286..Accept-Ranges: bytes..Date: Thu, 18 Dec 2014 13:23:31 GMT..Connection: keep-alive..
GET //MEQwQjBAMD4wPDAJBgUrDgMCGgUABBTkIInKBAzXkF0Qh0pel3lfHJ9GPAQU0sSw0pHUTBFxs2HLPaH+3ahq1OMCAxvnFQ== HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.godaddy.com
HTTP/1.1 200 OK
Date: Thu, 18 Dec 2014 13:25:12 GMT
Server: Apache
Content-Transfer-Encoding: Binary
Cache-Control: max-age=112507, public, no-transform, must-revalidate
Last-Modified: Thu, 18 Dec 2014 10:19:01 GMT
Expires: Fri, 19 Dec 2014 22:19:01 GMT
ETag: "d551cd34edff9a2d49b92bdf002bf4e981f1326e"
Content-Length: 1816
Connection: close
Content-Type: application/ocsp-response
0..........0..... .....0......0...0..-...0..1.0...U....US1.0...U....Arizona1.0...U....Scottsdale1.0...U....GoDaddy.com, LLC1-0 ..U...$http://certs.godaddy.com/repository/1.0,..U...%Go Daddy Class 2 Validation Authority..20141218101901Z0f0d0<0... ......... ......]..J^.y_..F<........L.q.a.=....j...........20141218101901Z....20141219221901Z0...*.H..................04@E.2.Y.[al.^'k.<..<.`..E>..X...~6......|8...F^.M%S6*.P).^2.......!3...u.x>uZ.%Au.,..1..d........ZK.J..*5G.u.)zQ....(...,i9...2...B..N.*.xg|..&.~kFD... ....f%F.....j......."P..Q4T.V..y.R....Z....P...6....G.=....,.6j.....E.86...........g..4.....0ct.......0...0...0.......... .0...*.H........0c1.0...U....US1!0...U....The Go Daddy Group, Inc.110/..U...(Go Daddy Class 2 Certification Authority0...140401070000Z..150401070000Z0..1.0...U....US1.0...U....Arizona1.0...U....Scottsdale1.0...U....GoDaddy.com, LLC1-0 ..U...$hXXp://certs.godaddy.com/repository/1.0,..U...%Go Daddy Class 2 Validation Authority0.."0...*.H.............0..........J<V_....7p\.....^.'...Y.C.BPX..$.?.......#..S....'=.....D..h-.n.....#....n..M...c..:E.x..Q.&..2w..{..oq...y.......K..@bH....7&.G.U.....G.{.Cj....S.|.).(....... .....}4.[r........N.........1B.zp..L.....Eq.G$a.A...9..... /.B.....G..e....7.\=QcN......Xw..4].........0...0...U.......0.0...U...........0...U.%..0... ......... .......0...U.......dK...Z5...NP.\.S.~.0...U.#..0.........L.q.a.=....j..0... .....0......02..U... 0)0'.%.#.!hXXp://crl.godaddy.com/gdroot.crl0M..U. .F0D0B..`.H...m....0301.. ........%hXXps://cert
<<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1762
content-transfer-encoding: binary
Cache-Control: max-age=547043, public, no-transform, must-revalidate
Last-Modified: Wed, 17 Dec 2014 21:24:36 GMT
Expires: Wed, 24 Dec 2014 21:24:36 GMT
Date: Thu, 18 Dec 2014 13:29:26 GMT
Connection: keep-alive
0..........0..... .....0......0...0......;O}a.!..u...au..eUNp..20141217212436Z0s0q0I0... ...................B.>.I.$&.....e......0..C9...313..R...%V.......K3.....20141217212436Z....20141224212436Z0...*.H.................X2.I...~.."...c.6U.....&H."....u......F..Y{.$.q......5....H......6....:..z.d,..ct.. ../.....~......V.-.#. j2x.t...>...I.@p.Tk.....PX!{WR.....-'..~...p..1*M.oT.rV.I/.c..........l.>.}.I....@Z.8,.n..[.5.y...x.$s.O.?.....D..1...v...1.E7#m=m ..........W........0...0...0...........2...'U.BM...g.B0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1:08..U...1(c) 2006 VeriSign, Inc. - For authorized use only1E0C..U...<VeriSign Class 3 Public Primary Certification Authority - G50...141202000000Z..151216235959Z0..1.0...U....US1.0...U....Symantec Corporation1.0...U....Symantec Trust Network1?0=..U...6Symantec Class 3 PCA - G5 OCSP Responder Certificate 30.."0...*.H.............0...............2&..PL...,..2....:..tH...`JG.%..*...s.c%...?t..J..0.q....~..k@X.l.i....0..kk..h.9"1.5?..s.....3[...u......]...R0..Z}....l..I.Y.....j\H.q...#.uw.4qz.#.J.....@2$"..$l.B.......D.ye..(..2.........@...... ...."... E..0M,..b{.^..s'....f.6.pr4.J........'j..........0...0...U.......0.0l..U. .e0c0a..`.H...E....0R0&.. .........hXXp://VVV.symauth.com/cps0(.. .......0...hXXp://VVV.symauth.com/rpa0...U.%..0... .......0...U...........0... .....0......0!..U....0...0.1.0...U....TGV-B-2760...U......;O}a.!..u...au..eUNp0...U.#..0.....e......0..C9...3130...*.H.............(.&..Dgr.Ve..#...5
<<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CEFfypMGYcmbFYnz/tUJymgs= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1725
content-transfer-encoding: binary
Cache-Control: max-age=345285, public, no-transform, must-revalidate
Last-Modified: Mon, 15 Dec 2014 13:24:11 GMT
Expires: Mon, 22 Dec 2014 13:24:11 GMT
Date: Thu, 18 Dec 2014 13:29:26 GMT
Connection: keep-alive
0..........0..... .....0......0...0......u\..3Oo?U...H.....O!..20141215132411Z0s0q0I0... ...................F....0.yV......{&.K......&.......W....rf.b|..Br......20141215132411Z....20141222132411Z0...*.H.................7..c.V&.u.....~9.....!.sG.....Eh2l6^.L..~j5}QK..B..s$Kb...`..w.9jQ.S... ..V..5<}.....,.HV}...%..
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQMgSk4dLKWKRB+2DViUmQEUw3ggwQUDURcFlNEwYJ+HSCrJfQBY9i+eaUCECyLOOAjYRltRQP8lkAE25w= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: sd.symcd.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1730
content-transfer-encoding: binary
Cache-Control: max-age=394328, public, no-transform, must-revalidate
Last-Modified: Tue, 16 Dec 2014 02:54:24 GMT
Expires: Tue, 23 Dec 2014 02:54:24 GMT
Date: Thu, 18 Dec 2014 13:25:37 GMT
Connection: keep-alive
0..........0..... .....0......0...0......P).Niz5............?..20141216025424Z0s0q0I0... ..........)8t..).~.5bRd.S......D\.SD..~. .%..c..y...,.8.#a.mE...@.......20141216025424Z....20141223025424Z0...*.H..................h...-..0.$X(#...C:.L9;.?......9_...:...X:.(....>3....6...,..J...X..DhBz/..).....k.....w:op<.X........fN.%(e.j..%..7..`...."...._......mI%zh.....{..........cS...Y.qQdQ^g....D.....ES. ...=?%t.}1S.Xf...i?......3...hsX..F.3._X.[...g<;.g5.hD...o.9.....4.(.....0...0...0..........]../g.0.h.....$C0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)101/0-..U...&VeriSign Class 3 Secure Server CA - G30...141204000000Z..150304235959Z0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1>0<..U...5VeriSign Class 3 Secure Server CA - G3 OCSP Responder0.."0...*.H.............0............Q..>.]....b...........G[..sz_:.eM.J..m)....J.KV..W....e.M...C.......8.|...^...S./.r.KOv.&...OVW....rG.@...e...:S4....R..&"......l.....1&..nY..p.....4...L`.g...E#t....Mw....1.O.....i..e.b.qa...p.....$...b...V....#.M3......|..B.R..:@UtY@:s..h.........me..........0...0...U....0.0....U. ...0..0....`.H...E....0..0(.. .........https://VVV.verisign.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS incorp. by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U........0... .....0......0"..U....0...0.1.0...U....TGV-B-24570...*.H.............y.boc.....2<.-..O...ehR.............. ...
<<< skipped >>>
GET //MEgwRjBEMEIwQDAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX+2yz8LQsgM4CB0sVHV5/pAc= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.godaddy.com
HTTP/1.1 200 OK
Date: Thu, 18 Dec 2014 13:25:13 GMT
Server: Apache
Content-Transfer-Encoding: Binary
Cache-Control: max-age=121907, public, no-transform, must-revalidate
Last-Modified: Thu, 18 Dec 2014 13:03:57 GMT
Expires: Sat, 20 Dec 2014 01:03:57 GMT
ETag: "349f96f2ff6823e7808790419adf838c4daa2783"
Content-Length: 1895
Connection: close
Content-Type: application/ocsp-response
0..c......\0..X.. .....0.....I0..E0......0..1.0...U....US1.0...U....Arizona1.0...U....Scottsdale1.0...U....GoDaddy.com, LLC1-0 ..U...$http://certs.godaddy.com/repository/1 0)..U..."Go Daddy Validation Authority - G2..20141218130357Z0j0h0@0... ..........._lkv...8..f..R34N..@..'..4.0.3..l...,....K..^.......20141218130357Z....20141220010357Z0...*.H.............4 .....\K.Y...........(...g;.:.............K.M&9.Q..g...Hd.5b...(.H<..un.....I5..d.b;....m....UE......=.5.i...N\.|.. ..1.\)_........v..].T...]{k..`Xw....D.........QD..KV.,.Kct}...kf...w.Ll...U..O.M....8.9.8..3.-7J.X..1`..cyT:..!6^....DZ.A.BN0Z.K.c.......^C....0...0...0..........$..0...*.H........0..1.0...U....US1.0...U....Arizona1.0...U....Scottsdale1.0...U....GoDaddy.com, Inc.1-0 ..U...$hXXp://certs.godaddy.com/repository/1301..U...*Go Daddy Secure Certificate Authority - G20...140401070000Z..150401070000Z0..1.0...U....US1.0...U....Arizona1.0...U....Scottsdale1.0...U....GoDaddy.com, LLC1-0 ..U...$hXXp://certs.godaddy.com/repository/1 0)..U..."Go Daddy Validation Authority - G20.."0...*.H.............0..........?.........'' ...X....0.........T..W............,\...zZ./h....W......>.......Z..K....n..$Us..Y..e..b_I|T.....$.>....%D$.3..$....*.|)........S..$A.e<...r..rE)....(...C[V.........~`C.........L....\....W......M....w.Zk......h. i.....J..n.........u.....K)...E.........0...0...U.......0.0...U...........0...U.%..0... ......... .......0...U......wI.p......!.(..d.tT(0...U.#..0...@..'..4.0.3..l...,..0... .....0......01..U...*0(0&.$.". hXXp://crl.goda
<<< skipped >>>
GET /CSC3-2010.cer HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: csc3-2010-aia.verisign.com
HTTP/1.1 200 OK
Server: Apache
ETag: "4df6e0fc400cae9c052fae98c66d379f:1367386211"
Last-Modified: Wed, 01 May 2013 05:30:11 GMT
Accept-Ranges: bytes
Content-Length: 1550
Content-Type: text/plain
Date: Thu, 18 Dec 2014 13:29:26 GMT
Connection: keep-alive
0...0..........R...%V.......K3.0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1:08..U...1(c) 2006 VeriSign, Inc. - For authorized use only1E0C..U...<VeriSign Class 3 Public Primary Certification Authority - G50...100208000000Z..200207235959Z0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)101.0,..U...%VeriSign Class 3 Code Signing 2010 CA0.."0...*.H.............0.........#K^....2..W....&~......}..6k..u.0..h.. u......i..7..{.....7M_.;......'5.%.8..c.........jb.L.!......;.*O.[..O..v..'.|..~}......H.i...<<A.>......q.U...&J@<..&...m...%{..?../....w..V.z;T0S..b4....Z.(..L.N~[.........u....G...r..4....L~..O.=W.0..6...v.....~4-..........0...0...U.......0.......0p..U. .i0g0e..`.H...E....0V0(.. .........hXXps://VVV.verisign.com/cps0*.. .......0...hXXps://VVV.verisign.com/rpa0...U...........0m.. ........a0_.].[0Y0W0U..image/gif0!0.0... ..............k...j.H.,{..0%.#hXXp://logo.verisign.com/vslogo.gif04..U...-0 0).'.%.#hXXp://crl.verisign.com/pca3-g5.crl04.. ........(0&0$.. .....0...hXXp://ocsp.verisign.com0...U.%..0... ......... .......0(..U...!0...0.1.0...U....VeriSignMPKI-2-80...U..........{&.K......&.....0...U.#..0.....e......0..C9...3130...*.H.............V".4..a.H...V.d..........z."..G8J-l..q.|.p...O...S..^.t.I$..&...G.Lc...4..E...&s....dm.q..E.`.YQ9.X.k....yk..Ar.7"...#.?D...a....\.=...B=e6..=@(....#&.K ...].L4.<..7.o. .4.&.........!.3o..X.%|t.X.u.c?.1|......Sv.[........].!
<<< skipped >>>
GET /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?15561099d5d16a9f HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 05 Dec 2013 22:47:50 GMT
If-None-Match: "0af536cf2ce1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ctldl.windowsupdate.com
HTTP/1.1 200 OK
Cache-Control: max-age=86400
Content-Type: application/octet-stream
Last-Modified: Thu, 03 Jul 2014 23:34:12 GMT
Accept-Ranges: bytes
ETag: "0b2464b1797cf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 6408
Date: Thu, 18 Dec 2014 13:25:11 GMT
Connection: keep-alive
MSCF............,...................O.......'#.........D.z .disallowedcert.stl....2..'#CK...8T...g........g.k..".....mlI."d..m...P$"....e.J........z.....\..........9g.9....~.........Q.Q......Q..DL.8.C.PS.K0.!P.0........#.DY.8.....V.....$.C....a.0...........`......;.S.....0#...m... ..`0...?.!vR?.....d....`......_@..}....$...i..OR'..$....K..'Z....o.g..*.Vc.....[nY e./.EJ...B.Y.......Ag......!....9......u..!..1Yy.......r...Ss^@...M.Dtl\....i.k....3...B.Z.:.p.N....*......x,...ah/..].[....GB..T..$A....SY..t.E5R..R...9!....*.*68V....1... ...Q{...".Op@L.2M...1;xd{.C.u?..e.U.=f.nx.........y.G..0.......\L .'.^....$......N=..m...UjrZs...J.I.C....;......q_..e......?.T..2..bw....E.L.{...S...~.<.........-.Q..|.l. .1..6r....[}!J..,...naPk.U.... ..{@LH..W....>.Sq...8.5.,.z..0.jL.S..........]...yW_...Y.1..h.7...9{.....I......g.Y.,1...i8n.6..........4.]...........=........^..n.K7...c.g).Z. .0..$7.ys.p...B.5.].f...|(3!.|..P...j..^..j....#(...@...As..*.O..i..u....9..S.Y.n..HXW...F ..i...:.......!.] r......D..*ld.b.>>:Pp.....5:1 o=..5.'..4.......hO....{.V.rx..V...%.}..u...6Wv-..".iV.b..B0.Q..,...E.Dy...x..5....?Z.$L..1.....4...=.....g!....%..:..c..j..v~....._R.6.......;.#.Y*p..J.4.#'..Vo...g^K...J....._.^..u...)....&/.....q....o......4.....S...,q.....p.8IIe.....d|.3{)...M.0.X...4.."..P.......Hk.... ]!.!... ..#.x..<..X.........'.E(<b[.......#.. ....XiLl|..=.....&P.@H.J.oo...a...x B....l.....@.P......!8..@...q2..;.......mm....>~............j%..>.X.,V...J...C ....*..Z.8- RKGW...0./Z.__..)7g_'{.......pr......;.
<<< skipped >>>
GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab?2a50e63961c067a9 HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Wed, 12 Mar 2014 20:20:10 GMT
If-None-Match: "0b96c77303ecf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ctldl.windowsupdate.com
HTTP/1.1 200 OK
Cache-Control: max-age=604800
Content-Type: application/octet-stream
Last-Modified: Fri, 12 Sep 2014 18:47:05 GMT
Accept-Ranges: bytes
ETag: "805a83f2b9cecf1:0"
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
X-Powered-By: ARR/2.5
X-Powered-By: ASP.NET
Content-Length: 56928
Date: Thu, 18 Dec 2014 13:25:12 GMT
Connection: keep-alive
MSCF....`.......,...................I.................,E.Y .authroot.stl..Y-..8..CK...<T...g.v!M.d..f.%d..}K..5..F. ...T..%.,YJ.,!T......_..x.<=O.....yy....;3..>.|..~..\.....|......;..8..~.za...."A...q.......g..m......<X........j"I........!..-w.....w....P...H..(.?}..2.N. .u..a. ...=.C..D.F>rC.. ..|).=.. ..3b.8H.M...(...u8.%...W.g...\YB.m:.....dE.........V....$....Dn:....0...S."...o..q.....K...I..K...(x%....>A.R...`.0 .........<`L0mp...%....y.....g.n...R0Op..<..,....`0$z.@..&.x"....T..H...<........~..E..".....<<.\B(.....................@.....L.........KNAy8/"...f.......k..Jm7j....R.5q....Rz..!@...].......Y.[........4.. .D8..&...t.J^O..Q.._..1.J.m5<'k.,....%T....i.\.;.;q..S./ 8.?Bu.............}D.Q....L....*..[.."e......15m..._.0.M........#..v!..<...@..?sc.y....*.....tX[........{.W4.Q...^u@..*..QP.......~.L9N....2r...4.....B..-\(...b.d...K...O.8..Un.......V.<.......A...V.....(..s..f..q.{N0.hS.,..;M.|G|.@.M.._.....7._6...C.0...A;L....%...M=Y.....f.JV.(.5.....0..?*...KZ....jM...8.6U...#...ew.?..?...........WE.Or..O>..{.'W2.........3m.O.u..Z8....H4@.w}.o:?~....]<!...%....}@.d...L.p.a.g ..K."..N1!%..S.bT.H.-.....e..`.0$...0t..DX..{.....#./...8.5..M...T.......D......V\C.zy.....3E:..>.{..).QW......q....9..n..1....8%,.........r.p@.>. ...Q.?.p..7.?..7...&..!.........`. .=....Sf..q.l.A.....L...t.}g..;...f....=.e.~.z....C..*R....H-..=...f..(t'.."....F...g._....n.J..U.4vr`}.....1..o@.....@.#...R. L8....z..].|......3..y..-./....K..6{...s.<R`.}6....?.......-..@.g..S....
<<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEDWXMYfzhzoHMn7OWAybfto= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1453
content-transfer-encoding: binary
Cache-Control: max-age=588102, public, no-transform, must-revalidate
Last-Modified: Thu, 18 Dec 2014 08:44:48 GMT
Expires: Thu, 25 Dec 2014 08:44:48 GMT
Date: Thu, 18 Dec 2014 13:25:37 GMT
Connection: keep-alive
0..........0..... .....0......0...0......T3t.%..O.E..~..F.=....20141218084448Z0s0q0I0... ........H.dI.....3..^B...d6Q....ZL%."..1.m..._)..a..5.1...:.2~.X..~.....20141218084448Z....20141225084448Z0...*.H.............h6._........h...p&"u.....w].w..R......O.&.w.z....!.jE-..U.4..*'.!...b?Z/..U..".8.y.........6.....5.-z..r%.b*..\i...T,.q.F....v.......*.jG..V.s.e..Up... ...u........O9..Z..GC.lk..6..{...Gq..,...54.T......'..|e........?..s.. ..)i.h.......gZ.q.;,. ..!.....<Xy....0...0...0..3......./...b.v..-....l}0...*.H........0_1.0...U....US1.0...U....VeriSign, Inc.1705..U....Class 3 Public Primary Certification Authority0...141202000000Z..151216235959Z0..1.0...U....US1.0...U....Symantec Corporation1.0...U....Symantec Trust Network1?0=..U...6Symantec Class 3 PCA - G1 OCSP Responder Certificate 30.."0...*.H.............0..........'......Y..x.3B1.7..Q..`..d.. ....s..t.$a.....j2R.{ ,*..c{.3.....H..3-; ).....0._...*..9M..V...... ...{m...-.......)..tR..{D....~...M...T..pS.p..^|o....S..v.).).....r.v.qo$......C.V!....@.h#qh...u1T.].G0.]E...=._...... ........TE...Sa.s4........r...3.............0..0...U....0.0l..U. .e0c0a..`.H...E....0R0&.. .........hXXp://VVV.symauth.com/cps0(.. .......0...hXXp://VVV.symauth.com/rpa0...U.%..0... .......0...U........0... .....0......0!..U....0...0.1.0...U....TGV-B-2730...*.H.............$..H......oU....Y!.z{*.V.M..u.._z..3>.. 0....3..m.....e.......a..D...........e..F6:.y.....di.......<y.Z.......x}..q.2....UZ1 :,....
<<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEG7MeqWnAyAJuM689OlS1JE= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1762
content-transfer-encoding: binary
Cache-Control: max-age=388515, public, no-transform, must-revalidate
Last-Modified: Tue, 16 Dec 2014 01:19:11 GMT
Expires: Tue, 23 Dec 2014 01:19:11 GMT
Date: Thu, 18 Dec 2014 13:25:37 GMT
Connection: keep-alive
0..........0..... .....0......0...0......;O}a.!..u...au..eUNp..20141216011911Z0s0q0I0... ...................B.>.I.$&.....e......0..C9...313..n.z... ......R......20141216011911Z....20141223011911Z0...*.H.............l|s..>....$.F....4..z..4.r#...}..Q...a....s...[$.6..........7_!...4.oJk(^..'.}...B<x..X_...........'....YB...>,G.&..p...R.0...h...z#!.{..yR./..Z..j_)...%.....a.....Dz......$.5uk^.iv.y;.6N..=...R..R../.t\Qce7.. .K.X^m.5...6.....v.9..{......|..8F..[....9F.. ....0...0...0...........2...'U.BM...g.B0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1:08..U...1(c) 2006 VeriSign, Inc. - For authorized use only1E0C..U...<VeriSign Class 3 Public Primary Certification Authority - G50...141202000000Z..151216235959Z0..1.0...U....US1.0...U....Symantec Corporation1.0...U....Symantec Trust Network1?0=..U...6Symantec Class 3 PCA - G5 OCSP Responder Certificate 30.."0...*.H.............0...............2&..PL...,..2....:..tH...`JG.%..*...s.c%...?t..J..0.q....~..k@X.l.i....0..kk..h.9"1.5?..s.....3[...u......]...R0..Z}....l..I.Y.....j\H.q...#.uw.4qz.#.J.....@2$"..$l.B.......D.ye..(..2.........@...... ...."... E..0M,..b{.^..s'....f.6.pr4.J........'j..........0...0...U.......0.0l..U. .e0c0a..`.H...E....0R0&.. .........hXXp://VVV.symauth.com/cps0(.. .......0...hXXp://www.symauth.com/rpa0...U.%..0... .......0...U...........0... .....0......0!..U....0...0.1.0...U....TGV-B-2760...U......;O}a.!..u...au..eUNp0...U.#..0.....e......0..C9...3130...*.H.............(.&..Dgr.Ve..#.
<<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ/xkCfyHfJr7GQ6M658NRZ4SHo/AQUCPVR6Pv+PT1kNnxoz1t4qN+5xTcCEGC2x6sSmevembHfY1acIZk= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1697
content-transfer-encoding: binary
Cache-Control: max-age=580361, public, no-transform, must-revalidate
Last-Modified: Thu, 18 Dec 2014 06:40:12 GMT
Expires: Thu, 25 Dec 2014 06:40:12 GMT
Date: Thu, 18 Dec 2014 13:29:19 GMT
Connection: keep-alive
0..........0..... .....0......0...0...A0?1=0;..U...4VeriSign Class 3 Code Signing 2004 CA OCSP Responder..20141218064012Z0s0q0I0... ........?.@..w.........Y.!......Q...==d6|h.[x....7..`..........cV.!.....20141218064012Z....20141225064012Z0...*.H....................P LA...l..7.p6n..............1/.l.}.....R...o.!....1.`P..!...W.. p....w..l"..y. L.s/&.].#....\"...[.?..k.Ds.....e0..0A....#..0..n,-.......w..pLpu.b...L..G.\n`.....B'./.......X:.E..Sy.O MQ.I.Y0.2..x..m...._.9.{.3a]sT2..[............4.?,6..d....>3Q..F....0...0...0..{.........[..I|.....Zm..0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)041.0,..U...%VeriSign Class 3 Code Signing 2004 CA0...140428000000Z..150729235959Z0?1=0;..U...4VeriSign Class 3 Code Signing 2004 CA OCSP Responder0.."0...*.H.............0.........Y....h..@..>.....%.-.....O...' y.........x..Gw.xF.....?..Z..u,.X.&..........3C..H.l.....f..;]s!.\"v...|....].@.....K7m2...N......-S.I......5n...G7. ..W....n..*..-f?EY.......UN...r...........-_.%..,P;b.....)(.P.4...,.%....<..6.....[r^X.EV..S...5#'Y.. .TD...........0...0...U.......0.0...U.%..0... .......0...U...........0... .....0......0f..U. ._0]0[..`.H...E....0L0#.. .........hXXps://d.symcb.com/cps0%.. .......0...hXXps://d.symcb.com/rpa0!..U....0...0.1.0...U....TGV-B-1080...U......"...?....`>q..i1o...0...U.#..0.....Q...==d6|h.[x....70...*.H.............B8@.$..wo......E.....P52"b*@'C\.y.(...n....h.f..7f.....v...pb<...]..|..........k
<<< skipped >>>
HEAD /aj/bundle/1048 HTTP/1.1
User-Agent: Tightrope Bundle Manager(ref=[ea9d979dcbb4c5ffd1cbea8eff65e4806ada1b92];windows=6.1;uac=false;ie=9;elevated=true;dotnet=4;startTime=3115931;pid=720)
Host: d1.arcadegiant.com
Content-Length: 0
Connection: Keep-Alive
HTTP/1.1 405 Method Not Allowed
Server: Apache/2.4.1 (Unix) OpenSSL/1.0.0g
Allow: GET, POST
Content-Type: text/html; charset=windows-1252
Content-Length: 0
Date: Thu, 18 Dec 2014 13:25:38 GMT
GET //MEIwQDA+MDwwOjAJBgUrDgMCGgUABBQdI2+OBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.godaddy.com
HTTP/1.1 200 OK
Date: Thu, 18 Dec 2014 13:25:13 GMT
Server: Apache
Content-Transfer-Encoding: Binary
Cache-Control: max-age=122045, public, no-transform, must-revalidate
Last-Modified: Thu, 18 Dec 2014 13:06:22 GMT
Expires: Sat, 20 Dec 2014 01:06:22 GMT
ETag: "ddd5f8bee2ed36f534cd1514e9102cdd86869d7d"
Content-Length: 1853
Connection: close
Content-Type: application/ocsp-response
0..9......20..... .....0......0...0..-...0..1.0...U....US1.0...U....Arizona1.0...U....Scottsdale1.0...U....GoDaddy.com, LLC1-0 ..U...$http://certs.godaddy.com/repository/100...U...'Go Daddy Root Validation Authority - G2..20141218130622Z0d0b0:0... .........#o..K......#..... ...:....g(.....An ............20141218130622Z....20141220010622Z0...*.H.............v..ecX.ct...kUN.o{.)?....A....h.t.l...{.xIJ.....>.....D.]........g.Ng|..e..|.r.....J8..xY.{._.c.,......Ss..!.......f....0.....w3;.KR....~.".7..A.?...d...E*.. .........z.%Srw....E...l.7.{.%I".~Q>e......$w..^#.>....Bq,L..%(..,..*.g ..Z.z.6.....U...{[.N..........0...0...0...........0...*.H........0..1.0...U....US1.0...U....Arizona1.0...U....Scottsdale1.0...U....GoDaddy.com, Inc.110/..U...(Go Daddy Root Certificate Authority - G20...140401070000Z..150401070000Z0..1.0...U....US1.0...U....Arizona1.0...U....Scottsdale1.0...U....GoDaddy.com, LLC1-0 ..U...$hXXp://certs.godaddy.com/repository/100...U...'Go Daddy Root Validation Authority - G20.."0...*.H.............0...........~........l&nbOp..|%..T8..v...p.........(..........|...L..d3z.......)..."y1U^N.t...].a..v...d.$3H1T_.;.<~.*o...VWC....u.....{.7.8*Y...J.9.l.Ur..2-.2.v....0E...d;cJ...5I..3.5.........R..^.c~O% ..)...P....H;.../.."c..{.VG...?...h...b3... i......-.B.Q%. ............0...0...U.......0.0...U...........0...U.%..0... ......... .......0...U.......v6Q.lE3c|l[.`..~.[.0...U.#..0...:....g(.....An .....0... .....0......05..U....0,0*.(.&.$hXXp://crl.godaddy.com/gdroot-g2.crl0M..U. .F0D0B..`.H...m....
<<< skipped >>>
HEAD /aj/bundle/1048 HTTP/1.1
User-Agent: Tightrope Bundle Manager(ref=[ea9d979dcbb4c5ffd1cbea8eff65e4806ada1b92];windows=6.1;uac=false;ie=9;elevated=true;dotnet=4;startTime=3115931;pid=720)
Host: d1.arcadegiant.com
Content-Length: 0
Connection: Keep-Alive
HTTP/1.1 405 Method Not Allowed
Server: Apache/2.4.1 (Unix) OpenSSL/1.0.0g
Allow: GET, POST
Content-Type: text/html; charset=windows-1252
Content-Length: 0
Date: Thu, 18 Dec 2014 13:25:38 GMT
POST /external-install?bc=1162530&pid=vittalia&brand=freempr13.bertrejota.com&aid=FREESOFTSTORECOM&s=FREESO030Zec25d5ec3750a12b89bdaf3236b1f0ed&c=VELISMEDIA2&osName=Windows&osVersion=Vista&browserName=IE&browserVersion=9&secure=true&productKey=m7izpsc3q6c6a6odoxbkvnqqt666qqkp HTTP/1.1
X-WebInstallCode: complete url:hXXp://service.downloadadmin.com/external-install?bc=1162530&pid=vittalia&brand=freempr13.bertrejota.com&aid=FREESOFTSTORECOM&s=FREESO030Zec25d5ec3750a12b89bdaf3236b1f0ed&c=VELISMEDIA2&osName=Windows&osVersion=Vista&browserName=IE&browserVersion=9&secure=true&productKey=m7izpsc3q6c6a6odoxbkvnqqt666qqkp
Content-Type: application/x-www-form-urlencoded
X-WebInstallUrl: hXXp://service.downloadadmin.com/external-install?bc=1162530&pid=vittalia&brand=freempr13.bertrejota.com&aid=FREESOFTSTORECOM&s=FREESO030Zec25d5ec3750a12b89bdaf3236b1f0ed&c=VELISMEDIA2&osName=Windows&osVersion=Vista&browserName=IE&browserVersion=9&secure=true&productKey=m7izpsc3q6c6a6odoxbkvnqqt666qqkp
X-Exename: %original file name%.exe
Content-Length: 10
User-Agent: Tightrope Bundle Manager(ref=[ea9d979dcbb4c5ffd1cbea8eff65e4806ada1b92];windows=6.1;uac=false;ie=9;elevated=true;dotnet=4;startTime=3115931;pid=720)
Host: service.downloadadmin.com
Connection: Keep-Alive
delta=1779
HTTP/1.1 200 OK
Transfer-Encoding: chunked
Date: Thu, 18 Dec 2014 13:25:08 GMT
Age: 0
X-Cache: MISS
0..HTTP/1.1 200 OK..Transfer-Encoding: chunked..Date: Thu, 18 Dec 2014 13:25:08 GMT..Age: 0..X-Cache: MISS..0..
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEGwkCSV07gf3g5QOsqmf+MY= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1790
content-transfer-encoding: binary
Cache-Control: max-age=479253, public, no-transform, must-revalidate
Last-Modified: Wed, 17 Dec 2014 02:34:46 GMT
Expires: Wed, 24 Dec 2014 02:34:46 GMT
Date: Thu, 18 Dec 2014 13:29:21 GMT
Connection: keep-alive
0..........0..... .....0......0...0........6?s....V....OlL".O..20141217023446Z0s0q0I0... ..........!7h....O.d...AG&h.....k.&p..?...-.5.......l$.%t...............20141217023446Z....20141224023446Z0...*.H................!..4./....*Dj...$."......1.".x..C...}.o.u.-...:..V..IG.p.......G@."..~...c.....s.5sf...C;.`C.S~.....v...H..w..V...oo.z7.}C...m...8.-t..|?32.V...Q).txG.........Y.|N...l.#..;.......&.T.je.=.C?..f...T?....(.iv.})_q.....R.'0@...uW.y..8),.....J...7.............#0...0...0..........<o&S.-S..}...e.30...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at https://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class 3 Code Signing 2009-2 CA0...141205000000Z..150305235959Z0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)091<0:..U...3VeriSign Class 3 Code Signing 2009-2 OCSP Responder0.."0...*.H.............0.........{(..t....2.Vf.....&;6).i*FK....W@....F....jnb.w._p.E.6.|.mk....(..........p...........X.DF....^0N....b9.:..J. ZK.".^..\..p.'.$..JA..~QG.d.}...r...gv... f...z.#..}..J...r9h.........LI-..^.......PUD.h<.l....(n..i.....E.....2....^./Y......Y.m...'...hz..y..E..........0...0...U....0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://VVV.verisign.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS incorp. by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U........0... .....0......0"..U....0...0.1.0...U....TGV-B-24710...*.H......
<<< skipped >>>
GET /external-install?bc=1162530&pid=vittalia&brand=freempr13.bertrejota.com&aid=FREESOFTSTORECOM&s=FREESO030Zec25d5ec3750a12b89bdaf3236b1f0ed&c=VELISMEDIA2&osName=Windows&osVersion=Vista&browserName=IE&browserVersion=9&secure=true&productKey=m7izpsc3q6c6a6odoxbkvnqqt666qqkp HTTP/1.1
X-WebInstallCode: complete url:hXXp://service.downloadadmin.com/external-install?bc=1162530&pid=vittalia&brand=freempr13.bertrejota.com&aid=FREESOFTSTORECOM&s=FREESO030Zec25d5ec3750a12b89bdaf3236b1f0ed&c=VELISMEDIA2&osName=Windows&osVersion=Vista&browserName=IE&browserVersion=9&secure=true&productKey=m7izpsc3q6c6a6odoxbkvnqqt666qqkp
X-Exename: %original file name%.exe
X-WebInstallUrl: hXXp://service.downloadadmin.com/external-install?bc=1162530&pid=vittalia&brand=freempr13.bertrejota.com&aid=FREESOFTSTORECOM&s=FREESO030Zec25d5ec3750a12b89bdaf3236b1f0ed&c=VELISMEDIA2&osName=Windows&osVersion=Vista&browserName=IE&browserVersion=9&secure=true&productKey=m7izpsc3q6c6a6odoxbkvnqqt666qqkp
User-Agent: Tightrope Bundle Manager(ref=[ea9d979dcbb4c5ffd1cbea8eff65e4806ada1b92];windows=6.1;uac=false;ie=9;elevated=true;dotnet=4;startTime=3115931;pid=720)
Host: service.downloadadmin.com
Connection: Keep-Alive
HTTP/1.1 302 Found
Cache-Control: no-cache
Content-length: 0
Location: hXXps://service.downloadadmin.com/external-install?bc=1162530&pid=vittalia&brand=freempr13.bertrejota.com&aid=FREESOFTSTORECOM&s=FREESO030Zec25d5ec3750a12b89bdaf3236b1f0ed&c=VELISMEDIA2&osName=Windows&osVersion=Vista&browserName=IE&browserVersion=9&secure=true&productKey=m7izpsc3q6c6a6odoxbkvnqqt666qqkp
Connection: close
Map
The Worm connects to the servers at the folowing location(s):
Strings from Dumps
%original file name%.exe_992:
.text
.text
`.rdata
`.rdata
@.data
@.data
.ndata
.ndata
.rsrc
.rsrc
@.reloc
@.reloc
uDSSh
uDSSh
verifying installer: %d%%
verifying installer: %d%%
unpacking data: %d%%
unpacking data: %d%%
... %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
~nsu.tmp
%u.%u%s%s
%u.%u%s%s
.DEFAULT\Control Panel\International
.DEFAULT\Control Panel\International
RegDeleteKeyExA
RegDeleteKeyExA
Software\Microsoft\Windows\CurrentVersion
Software\Microsoft\Windows\CurrentVersion
*?|/":
*?|/":
%s=%s
%s=%s
GetWindowsDirectoryA
GetWindowsDirectoryA
KERNEL32.dll
KERNEL32.dll
ExitWindowsEx
ExitWindowsEx
USER32.dll
USER32.dll
GDI32.dll
GDI32.dll
SHFileOperationA
SHFileOperationA
ShellExecuteA
ShellExecuteA
SHELL32.dll
SHELL32.dll
RegDeleteKeyA
RegDeleteKeyA
RegCloseKey
RegCloseKey
RegEnumKeyA
RegEnumKeyA
RegOpenKeyExA
RegOpenKeyExA
RegCreateKeyExA
RegCreateKeyExA
ADVAPI32.dll
ADVAPI32.dll
COMCTL32.dll
COMCTL32.dll
ole32.dll
ole32.dll
VERSION.dll
VERSION.dll
stub_lzma.exe
stub_lzma.exe
AppData\Local\Temp\nso86BE.tmp\LuaBridge.dll
AppData\Local\Temp\nso86BE.tmp\LuaBridge.dll
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso86BE.tmp\LuaBridge.dll
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso86BE.tmp\LuaBridge.dll
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso86BE.tmp
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso86BE.tmp
LuaBridge.dll
LuaBridge.dll
?execFile@LuaBridge@@YA_NPAUnamed_state_t@1@PBD@Z
?execFile@LuaBridge@@YA_NPAUnamed_state_t@1@PBD@Z
?processPipeCommands@LuaBridge@@YAHPAUnamed_state_t@1@PAX_N@Z
?processPipeCommands@LuaBridge@@YAHPAUnamed_state_t@1@PAX_N@Z
_luabridge_exec_file@8
_luabridge_exec_file@8
C:\Programming\GitHome\LuaBridge\Release\LuaBridge.pdb
C:\Programming\GitHome\LuaBridge\Release\LuaBridge.pdb
6%6.676@6
6%6.676@6
242;2]2{2
242;2]2{2
4 4$4(4,4044484
4 4$4(4,4044484
.textbss
.textbss
.idata
.idata
ProxyForUrl
ProxyForUrl
Win32.Job
Win32.Job
Nsis.PluginCall
Nsis.PluginCall
Win32.Handle
Win32.Handle
Error:Unknown /state named %s
Error:Unknown /state named %s
evalResp{args=%x,stateName=%x}
evalResp{args=%x,stateName=%x}
evalLuaFile[state=%x/%s][thread=%d](%s)
evalLuaFile[state=%x/%s][thread=%d](%s)
nsLua.cpp
nsLua.cpp
WM_EXEC_FILE|File=
WM_EXEC_FILE|File=
LuaRemoteLoop[state=%x/%s][thread=%d]
LuaRemoteLoop[state=%x/%s][thread=%d]
com.luabridge.WndProcTable
com.luabridge.WndProcTable
[%s]Error Handling Message(%d,%d,%d,%d):%s
[%s]Error Handling Message(%d,%d,%d,%d):%s
[%s]Calling Global Function(%s)
[%s]Calling Global Function(%s)
checkIsChild:Failed to Get Exe Path(rc=%d)
checkIsChild:Failed to Get Exe Path(rc=%d)
checkIsChild:Failed to SetEnvironmentVariable(rc=%d)
checkIsChild:Failed to SetEnvironmentVariable(rc=%d)
checkIsChild:Failed to Create Shared Data Block(rc=%d)
checkIsChild:Failed to Create Shared Data Block(rc=%d)
checkIsChild:Create process failed(rc=%d)
checkIsChild:Create process failed(rc=%d)
checkIsChild:GetExitCodeProcess failed(rc=%d)
checkIsChild:GetExitCodeProcess failed(rc=%d)
[%s]Error Evaluating %s
[%s]Error Evaluating %s
ERROR:%s
ERROR:%s
PipeName:
PipeName:
evalLuaString[state=%x/%s][thread=%d](%s)
evalLuaString[state=%x/%s][thread=%d](%s)
DBGHELP.DLL
DBGHELP.DLL
Saved dump file to '%s'
Saved dump file to '%s'
Failed to save dump file to '%s' (error %d)
Failed to save dump file to '%s' (error %d)
Failed to create dump file '%s' (error %d)
Failed to create dump file '%s' (error %d)
DBGHELP.DLL too old
DBGHELP.DLL too old
DBGHELP.DLL not found
DBGHELP.DLL not found
Thread named '%s' could not be found
Thread named '%s' could not be found
Expected async state name:%s
Expected async state name:%s
unknown state name '%s'
unknown state name '%s'
evalInState() error; no code passed
evalInState() error; no code passed
ERROR:Cannot post to state[%s] not async and note default
ERROR:Cannot post to state[%s] not async and note default
lua51.dll
lua51.dll
WINMM.dll
WINMM.dll
IPHLPAPI.DLL
IPHLPAPI.DLL
msvcrt.dll
msvcrt.dll
CreatePipe
CreatePipe
ShellExecute
ShellExecute
EnumRegKey
EnumRegKey
create_pipe
create_pipe
nso86BE.tmp
nso86BE.tmp
:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso86BE.tmp
:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso86BE.tmp
c:\%original file name%.exe
c:\%original file name%.exe
%original file name%.exe
%original file name%.exe
ers\"%CurrentUserName%"\AppData\Local\Temp\nsz86AD.tmp
ers\"%CurrentUserName%"\AppData\Local\Temp\nsz86AD.tmp
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\
5334543
5334543
8664755
8664755
8760876
8760876
Nullsoft Install System v5.6.7
Nullsoft Install System v5.6.7
com.build.date
com.build.date
8/27/2014
8/27/2014
com.build.dir
com.build.dir
C:\BundleManager\25\WebTemplates
C:\BundleManager\25\WebTemplates
com.build.id
com.build.id
com.build.machine
com.build.machine
com.build.skin
com.build.skin
com.build.time
com.build.time
com.build.user
com.build.user
$%USER%
$%USER%
%original file name%.exe_720:
.text
.text
`.rdata
`.rdata
@.data
@.data
.ndata
.ndata
.rsrc
.rsrc
@.reloc
@.reloc
uDSSh
uDSSh
verifying installer: %d%%
verifying installer: %d%%
unpacking data: %d%%
unpacking data: %d%%
... %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
~nsu.tmp
%u.%u%s%s
%u.%u%s%s
.DEFAULT\Control Panel\International
.DEFAULT\Control Panel\International
RegDeleteKeyExA
RegDeleteKeyExA
Software\Microsoft\Windows\CurrentVersion
Software\Microsoft\Windows\CurrentVersion
*?|/":
*?|/":
%s=%s
%s=%s
GetWindowsDirectoryA
GetWindowsDirectoryA
KERNEL32.dll
KERNEL32.dll
ExitWindowsEx
ExitWindowsEx
USER32.dll
USER32.dll
GDI32.dll
GDI32.dll
SHFileOperationA
SHFileOperationA
ShellExecuteA
ShellExecuteA
SHELL32.dll
SHELL32.dll
RegDeleteKeyA
RegDeleteKeyA
RegCloseKey
RegCloseKey
RegEnumKeyA
RegEnumKeyA
RegOpenKeyExA
RegOpenKeyExA
RegCreateKeyExA
RegCreateKeyExA
ADVAPI32.dll
ADVAPI32.dll
COMCTL32.dll
COMCTL32.dll
ole32.dll
ole32.dll
VERSION.dll
VERSION.dll
stub_lzma.exe
stub_lzma.exe
"C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\218\allgeniusSetup" /np 1 /is trlsua
"C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\218\allgeniusSetup" /np 1 /is trlsua
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\LuaBridge.dll
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\LuaBridge.dll
sers\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp
sers\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp
s\UrlAssociations\http\UserChoice
s\UrlAssociations\http\UserChoice
ers\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\LuaBridge.dll
ers\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\LuaBridge.dll
All Files|*.*
All Files|*.*
GetProcessHeap
GetProcessHeap
COMDLG32.dll
COMDLG32.dll
nsDialogs.dll
nsDialogs.dll
.reloc
.reloc
ButtonEvent.dll
ButtonEvent.dll
shell32.dll
shell32.dll
NotifyIcon.dll
NotifyIcon.dll
C:\Programming\GitHome\bm-core.git\25\Custom\NotifyIcon\Release\notifyicon.pdb
C:\Programming\GitHome\bm-core.git\25\Custom\NotifyIcon\Release\notifyicon.pdb
`'\%D,3
`'\%D,3
WININET.dll
WININET.dll
EnumChildWindows
EnumChildWindows
OLEAUT32.dll
OLEAUT32.dll
customnsWeb.dll
customnsWeb.dll
C:\Programming\GitHome\bm-core-main.git\25\Custom\Nsweb\Release\nsWeb.pdb
C:\Programming\GitHome\bm-core-main.git\25\Custom\Nsweb\Release\nsWeb.pdb
CustomNsWebForwarder
CustomNsWebForwarder
1 1$1(1,10141
1 1$1(1,10141
C:\Nsis\Browser-%s
C:\Nsis\Browser-%s
nswebForwarder
nswebForwarder
CustomNsWebContainer
CustomNsWebContainer
Execute: "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\218\allgeniusSetup" /np 1 /is trlsua
Execute: "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\218\allgeniusSetup" /np 1 /is trlsua
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp
nst8AD3.tmp
nst8AD3.tmp
-Execute:
-Execute:
adm\AppData\Local\Temp\nst8AD3.tmp\218\allgeniusSetup" /np 1 /is trlsua
adm\AppData\Local\Temp\nst8AD3.tmp\218\allgeniusSetup" /np 1 /is trlsua
n-Dynamic/production/popup/rebuilt_nosource.exe.nsi:Line 2575.1.2
n-Dynamic/production/popup/rebuilt_nosource.exe.nsi:Line 2575.1.2
on/popup/rebuilt_nosource.exe.nsi:Line 2568.1.2
on/popup/rebuilt_nosource.exe.nsi:Line 2568.1.2
Line 2549.1.2
Line 2549.1.2
on/popup/rebuilt_nosource.exe.nsi:Line 2451.2
on/popup/rebuilt_nosource.exe.nsi:Line 2451.2
uilt_nosource.exe.nsi:Line 2451.2
uilt_nosource.exe.nsi:Line 2451.2
min-Dynamic/production/popup/rebuilt_nosource.exe.nsi:Line 980.2
min-Dynamic/production/popup/rebuilt_nosource.exe.nsi:Line 980.2
pe Bundle Manager(ref=[ea9d979dcbb4c5ffd1cbea8eff65e4806ada1b92];windows=6.1;uac=false;ie=9;elevated=true;dotnet=4;startTime=3115931;pid=720)
pe Bundle Manager(ref=[ea9d979dcbb4c5ffd1cbea8eff65e4806ada1b92];windows=6.1;uac=false;ie=9;elevated=true;dotnet=4;startTime=3115931;pid=720)
://install-cdn.allgenius.info/sd?is=tr
://install-cdn.allgenius.info/sd?is=tr
FreshyToolbar.exe
FreshyToolbar.exe
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\218\sd
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\218\sd
shyToolbar.exe
shyToolbar.exe
1180304
1180304
105576280
105576280
7290328
7290328
c:\%original file name%.exe
c:\%original file name%.exe
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\218
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\218
%original file name%.exe
%original file name%.exe
ers\"%CurrentUserName%"\AppData\Local\Temp\nso8AB2.tmp
ers\"%CurrentUserName%"\AppData\Local\Temp\nso8AB2.tmp
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\
IE.HTTP
IE.HTTP
vittalia_template_for_sem_2_traffic,bc=1162530,pid=vittalia,brand=freempr13bertrejotacom,aid=freesoftstorecom,s=freeso030zec25d5ec3750a12b89bdaf3236b1f0ed,c=velismedia2,country=ua,osname=windows,osversion=vista,browsername=ie,browserversion=9
vittalia_template_for_sem_2_traffic,bc=1162530,pid=vittalia,brand=freempr13bertrejotacom,aid=freesoftstorecom,s=freeso030zec25d5ec3750a12b89bdaf3236b1f0ed,c=velismedia2,country=ua,osname=windows,osversion=vista,browsername=ie,browserversion=9
component(s) from hXXp://install-cdn.allgenius.info
component(s) from hXXp://install-cdn.allgenius.info
p://mirror.mirror-files.com
p://mirror.mirror-files.com
1179844
1179844
1638988
1638988
2490836
2490836
1180262
1180262
1376732
1376732
1049380
1049380
1376768
1376768
3115931
3115931
3132405
3132405
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\218\allgeniusSetup
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\218\allgeniusSetup
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\218\
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\218\
hXXp://mirror.mirror-files.com/binstallers/BM2/api/do_tracking_hit.lua
hXXp://mirror.mirror-files.com/binstallers/BM2/api/do_tracking_hit.lua
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\1\do_tracking_hit.lua
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\1\do_tracking_hit.lua
do_tracking_hit.lua
do_tracking_hit.lua
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\1\
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\1\
5334543
5334543
8664755
8664755
8760876
8760876
Nullsoft Install System v5.6.7
Nullsoft Install System v5.6.7
com.build.date
com.build.date
8/27/2014
8/27/2014
com.build.dir
com.build.dir
C:\BundleManager\25\WebTemplates
C:\BundleManager\25\WebTemplates
com.build.id
com.build.id
com.build.machine
com.build.machine
com.build.skin
com.build.skin
com.build.time
com.build.time
com.build.user
com.build.user
$%USER%
$%USER%
%original file name%.exe_720_rwx_02A61000_0000A000:
Portions Copyright (c) 1999,2003 Avenger by NhT
Portions Copyright (c) 1999,2003 Avenger by NhT
KWindows
KWindows
GetProcessHeap
GetProcessHeap
.idata
.idata
.edata
.edata
P.reloc
P.reloc
P.rsrc
P.rsrc
%original file name%.exe_720_rwx_10004000_00001000:
callback%d
callback%d
Upd4terSrv.exe_2920:
.text
.text
`.rdata
`.rdata
@.data
@.data
.rsrc
.rsrc
@.reloc
@.reloc
tableKey
tableKey
resourceKey
resourceKey
v2.0.50727
v2.0.50727
_s__RTTIClassHierarchyDescriptor
_s__RTTIClassHierarchyDescriptor
LanguageSupport
LanguageSupport
Microsoft.VisualC
Microsoft.VisualC
System.Runtime.CompilerServices
System.Runtime.CompilerServices
System.Security.Permissions
System.Security.Permissions
System.Runtime.InteropServices
System.Runtime.InteropServices
System.Reflection
System.Reflection
System.Collections.Generic
System.Collections.Generic
System.Diagnostics
System.Diagnostics
System.Runtime.ConstrainedExecution
System.Runtime.ConstrainedExecution
System.Threading
System.Threading
System.Security
System.Security
std.bad_alloc.{ctor}
std.bad_alloc.{ctor}
std.bad_alloc.{dtor}
std.bad_alloc.{dtor}
std.bad_alloc.__vecDelDtor
std.bad_alloc.__vecDelDtor
std.logic_error.{ctor}
std.logic_error.{ctor}
std.logic_error.{dtor}
std.logic_error.{dtor}
std.logic_error.what
std.logic_error.what
std.logic_error.__vecDelDtor
std.logic_error.__vecDelDtor
std.length_error.{ctor}
std.length_error.{ctor}
std.length_error.{dtor}
std.length_error.{dtor}
std.length_error.__vecDelDtor
std.length_error.__vecDelDtor
std.vector >.{ctor}
std.vector >.{ctor}
std.vector >.{dtor}
std.vector >.{dtor}
std.vector >.begin
std.vector >.begin
std.vector >.end
std.vector >.end
std.vector >.resize
std.vector >.resize
std.vector >.size
std.vector >.size
std.vector >.[]
std.vector >.[]
std.vector >._Buy
std.vector >._Buy
std.vector >._Tidy
std.vector >._Tidy
std.vector >.max_size
std.vector >.max_size
std.vector >.erase
std.vector >.erase
std.vector >._Destroy
std.vector >._Destroy
std.vector >._Insert_n
std.vector >._Insert_n
std.vector >._Xlen
std.vector >._Xlen
std.allocator<:_aux_cont>.deallocate
std.allocator<:_aux_cont>.deallocate
std.vector >.capacity
std.vector >.capacity
std.vector >._Make_iter
std.vector >._Make_iter
std.vector >._Ufill
std.vector >._Ufill
std.allocator<:_aux_cont>.allocate
std.allocator<:_aux_cont>.allocate
std.vector >.{ctor}
std.vector >.{ctor}
std.basic_string,std::allocator >.{ctor},class std::allocator > >
std.basic_string,std::allocator >.{ctor},class std::allocator > >
stdext.unchecked_copy
stdext.unchecked_copy
std.vector >._Umove
std.vector >._Umove
std.fill
std.fill
std.allocator<:_aux_cont>.{ctor}
std.allocator<:_aux_cont>.{ctor}
stdext.unchecked_uninitialized_fill_n >
stdext.unchecked_uninitialized_fill_n >
std.vector >._Construct
std.vector >._Construct
std.basic_string,std::allocator >._Construct,class std::allocator > >
std.basic_string,std::allocator >._Construct,class std::allocator > >
std.vector >.insert
std.vector >.insert
stdext.unchecked_fill_n
stdext.unchecked_fill_n
std.vector >._Insert
std.vector >._Insert
stdext.unchecked_uninitialized_copy >
stdext.unchecked_uninitialized_copy >
std.vector >._Reverse
std.vector >._Reverse
std.vector >._Ucopy
std.vector >._Ucopy
stdext.unchecked_uninitialized_copy >
stdext.unchecked_uninitialized_copy >
std.swap
std.swap
ObfPackerLib.ObfPacker.{ctor}
ObfPackerLib.ObfPacker.{ctor}
ObfPackerLib.ObfPacker.{dtor}
ObfPackerLib.ObfPacker.{dtor}
ObfPackerLib.ObfPacker.TestFromRC
ObfPackerLib.ObfPacker.TestFromRC
ObfPackerLib.ObfPacker.RunRCInServiceMode
ObfPackerLib.ObfPacker.RunRCInServiceMode
ObfPackerLib.ObfPacker.StopServiceMode
ObfPackerLib.ObfPacker.StopServiceMode
msclr.auto_gcroot<:obfpackercli>.{ctor}
msclr.auto_gcroot<:obfpackercli>.{ctor}
msclr.auto_gcroot<:obfpackercli>.=
msclr.auto_gcroot<:obfpackercli>.=
msclr.auto_gcroot<:obfpackercli>.->
msclr.auto_gcroot<:obfpackercli>.->
msclr.auto_gcroot<:obfpackercli>.{dtor}
msclr.auto_gcroot<:obfpackercli>.{dtor}
msclr.auto_gcroot<:obfpackercli>.attach
msclr.auto_gcroot<:obfpackercli>.attach
msclr.auto_gcroot<:obfpackercli>.valid
msclr.auto_gcroot<:obfpackercli>.valid
msclr.auto_gcroot<:obfpackercli>.reset
msclr.auto_gcroot<:obfpackercli>.reset
.NativeDll.IsSafeForManagedCode
.NativeDll.IsSafeForManagedCode
.DefaultDomain.DoNothing
.DefaultDomain.DoNothing
.DefaultDomain.HasPerProcess
.DefaultDomain.HasPerProcess
.DefaultDomain.HasNative
.DefaultDomain.HasNative
.DefaultDomain.NeedsInitialization
.DefaultDomain.NeedsInitialization
.DefaultDomain.Initialize
.DefaultDomain.Initialize
?A0xf084536d.??__E?Initialized@CurrentDomain@@@$$Q2HA@@YMXXZ
?A0xf084536d.??__E?Initialized@CurrentDomain@@@$$Q2HA@@YMXXZ
?A0xf084536d.??__E?Uninitialized@CurrentDomain@@@$$Q2HA@@YMXXZ
?A0xf084536d.??__E?Uninitialized@CurrentDomain@@@$$Q2HA@@YMXXZ
?A0xf084536d.??__E?IsDefaultDomain@CurrentDomain@@@$$Q2_NA@@YMXXZ
?A0xf084536d.??__E?IsDefaultDomain@CurrentDomain@@@$$Q2_NA@@YMXXZ
?A0xf084536d.??__E?InitializedVtables@CurrentDomain@@@$$Q2W4State@Progress@2@A@@YMXXZ
?A0xf084536d.??__E?InitializedVtables@CurrentDomain@@@$$Q2W4State@Progress@2@A@@YMXXZ
?A0xf084536d.??__E?InitializedNative@CurrentDomain@@@$$Q2W4State@Progress@2@A@@YMXXZ
?A0xf084536d.??__E?InitializedNative@CurrentDomain@@@$$Q2W4State@Progress@2@A@@YMXXZ
?A0xf084536d.??__E?InitializedPerProcess@CurrentDomain@@@$$Q2W4State@Progress@2@A@@YMXXZ
?A0xf084536d.??__E?InitializedPerProcess@CurrentDomain@@@$$Q2W4State@Progress@2@A@@YMXXZ
?A0xf084536d.??__E?InitializedPerAppDomain@CurrentDomain@@@$$Q2W4State@Progress@2@A@@YMXXZ
?A0xf084536d.??__E?InitializedPerAppDomain@CurrentDomain@@@$$Q2W4State@Progress@2@A@@YMXXZ
.LanguageSupport.InitializeVtables
.LanguageSupport.InitializeVtables
.LanguageSupport.InitializeDefaultAppDomain
.LanguageSupport.InitializeDefaultAppDomain
.LanguageSupport.InitializeNative
.LanguageSupport.InitializeNative
.LanguageSupport.InitializePerProcess
.LanguageSupport.InitializePerProcess
.LanguageSupport.InitializePerAppDomain
.LanguageSupport.InitializePerAppDomain
.LanguageSupport.InitializeUninitializer
.LanguageSupport.InitializeUninitializer
.LanguageSupport._Initialize
.LanguageSupport._Initialize
.LanguageSupport.UninitializeAppDomain
.LanguageSupport.UninitializeAppDomain
.LanguageSupport._UninitializeDefaultDomain
.LanguageSupport._UninitializeDefaultDomain
.LanguageSupport.UninitializeDefaultDomain
.LanguageSupport.UninitializeDefaultDomain
.LanguageSupport.DomainUnload
.LanguageSupport.DomainUnload
.LanguageSupport.Cleanup
.LanguageSupport.Cleanup
.LanguageSupport.Initialize
.LanguageSupport.Initialize
.cctor
.cctor
.LanguageSupport.{ctor}
.LanguageSupport.{ctor}
.LanguageSupport.{dtor}
.LanguageSupport.{dtor}
?A0x978cd4c1.ArrayUnwindFilter
?A0x978cd4c1.ArrayUnwindFilter
std.allocator.{ctor}
std.allocator.{ctor}
.AtExitLock._handle
.AtExitLock._handle
.AtExitLock._lock_Set
.AtExitLock._lock_Set
.AtExitLock._lock_Get
.AtExitLock._lock_Get
.AtExitLock._lock_Destruct
.AtExitLock._lock_Destruct
.AtExitLock.IsInitialized
.AtExitLock.IsInitialized
.AtExitLock.AddRef
.AtExitLock.AddRef
.ThisModule.Handle
.ThisModule.Handle
.ThisModule.ResolveMethod
.ThisModule.ResolveMethod
_WinMainCRTStartup
_WinMainCRTStartup
std.basic_string,std::allocator >.{ctor}
std.basic_string,std::allocator >.{ctor}
std.basic_string,std::allocator >.{dtor}
std.basic_string,std::allocator >.{dtor}
std.basic_string,std::allocator >.c_str
std.basic_string,std::allocator >.c_str
std.basic_string,std::allocator >._Myptr
std.basic_string,std::allocator >._Myptr
std.basic_string,std::allocator >._Tidy
std.basic_string,std::allocator >._Tidy
std.allocator.deallocate
std.allocator.deallocate
std.allocator.allocate
std.allocator.allocate
std.allocator.{ctor}
std.allocator.{ctor}
std.basic_string,std::allocator >.append
std.basic_string,std::allocator >.append
std.allocator.max_size
std.allocator.max_size
std.basic_string,std::allocator >.reserve
std.basic_string,std::allocator >.reserve
std.exception.{ctor}
std.exception.{ctor}
std.exception.{dtor}
std.exception.{dtor}
?A0x2873fc43.CallJunkCode_SOPTT
?A0x2873fc43.CallJunkCode_SOPTT
?A0x2873fc43.CallJunkCode_QDLUE
?A0x2873fc43.CallJunkCode_QDLUE
?A0x2873fc43.CallJunkCode_OKNZT
?A0x2873fc43.CallJunkCode_OKNZT
?A0x2873fc43.CallJunkCode_TMHRC
?A0x2873fc43.CallJunkCode_TMHRC
?A0x2873fc43.CallJunkCode_EDMFW
?A0x2873fc43.CallJunkCode_EDMFW
?A0x2873fc43.CallJunkCode_LPAIX
?A0x2873fc43.CallJunkCode_LPAIX
?A0x2873fc43.CallJunkCode_EAZSM
?A0x2873fc43.CallJunkCode_EAZSM
?A0x2873fc43.CallJunkCode_MRTHM
?A0x2873fc43.CallJunkCode_MRTHM
?A0x2873fc43.CallJunkCode_KGXAV
?A0x2873fc43.CallJunkCode_KGXAV
?A0x2873fc43.CallJunkCode_IYLDC
?A0x2873fc43.CallJunkCode_IYLDC
?A0x2873fc43.CallJunkCode_AHQDL
?A0x2873fc43.CallJunkCode_AHQDL
?A0x2873fc43.CallJunkCode_PBKWI
?A0x2873fc43.CallJunkCode_PBKWI
?A0x2873fc43.CallJunkCode_BDCXA
?A0x2873fc43.CallJunkCode_BDCXA
?A0x2873fc43.CallJunkCode_OLVMH
?A0x2873fc43.CallJunkCode_OLVMH
?A0x2873fc43.CallJunkCode_CSZER
?A0x2873fc43.CallJunkCode_CSZER
BinLoader.GetResourceBinary
BinLoader.GetResourceBinary
BinLoader.GetResourceSize
BinLoader.GetResourceSize
_amsg_exit
_amsg_exit
.ThrowModuleLoadException
.ThrowModuleLoadException
.DoDllLanguageSupportValidation
.DoDllLanguageSupportValidation
.ThrowNestedModuleLoadException
.ThrowNestedModuleLoadException
.RegisterModuleUninitializer
.RegisterModuleUninitializer
.DoCallBackInDefaultDomain
.DoCallBackInDefaultDomain
?A0x7c948259.unnamed-global-0
?A0x7c948259.unnamed-global-0
?A0x7c948259.unnamed-global-1
?A0x7c948259.unnamed-global-1
?A0x7c948259.unnamed-global-2
?A0x7c948259.unnamed-global-2
?A0x7c948259.unnamed-global-3
?A0x7c948259.unnamed-global-3
?A0x7c948259.unnamed-global-4
?A0x7c948259.unnamed-global-4
?A0x7c948259.unnamed-global-5
?A0x7c948259.unnamed-global-5
?A0x7c948259.unnamed-global-6
?A0x7c948259.unnamed-global-6
?A0x7c948259.unnamed-global-7
?A0x7c948259.unnamed-global-7
?A0x7c948259.unnamed-global-8
?A0x7c948259.unnamed-global-8
?A0x7c948259.unnamed-global-9
?A0x7c948259.unnamed-global-9
?A0x7c948259.unnamed-global-10
?A0x7c948259.unnamed-global-10
?A0x7c948259.unnamed-global-11
?A0x7c948259.unnamed-global-11
?A0x7c948259.unnamed-global-12
?A0x7c948259.unnamed-global-12
?A0x7c948259.unnamed-global-13
?A0x7c948259.unnamed-global-13
?A0x7c948259.unnamed-global-14
?A0x7c948259.unnamed-global-14
?A0x7c948259.unnamed-global-15
?A0x7c948259.unnamed-global-15
?A0x7c948259.unnamed-global-16
?A0x7c948259.unnamed-global-16
?A0x7c948259.unnamed-global-17
?A0x7c948259.unnamed-global-17
?A0x7c948259.unnamed-global-18
?A0x7c948259.unnamed-global-18
?A0x7c948259.unnamed-global-19
?A0x7c948259.unnamed-global-19
?A0x7c948259.unnamed-global-20
?A0x7c948259.unnamed-global-20
?A0x7c948259.unnamed-global-21
?A0x7c948259.unnamed-global-21
?A0x7c948259.unnamed-global-22
?A0x7c948259.unnamed-global-22
?A0x7c948259.unnamed-global-23
?A0x7c948259.unnamed-global-23
?A0x7c948259.unnamed-global-24
?A0x7c948259.unnamed-global-24
?A0x7c948259.unnamed-global-25
?A0x7c948259.unnamed-global-25
?A0x7c948259.unnamed-global-26
?A0x7c948259.unnamed-global-26
?A0x7c948259.unnamed-global-27
?A0x7c948259.unnamed-global-27
?A0x7c948259.unnamed-global-28
?A0x7c948259.unnamed-global-28
?A0x7c948259.unnamed-global-29
?A0x7c948259.unnamed-global-29
?A0x7c948259.unnamed-global-30
?A0x7c948259.unnamed-global-30
?A0x7c948259.unnamed-global-31
?A0x7c948259.unnamed-global-31
?A0x7c948259.unnamed-global-32
?A0x7c948259.unnamed-global-32
?A0x7c948259.unnamed-global-33
?A0x7c948259.unnamed-global-33
?A0x7c948259.unnamed-global-34
?A0x7c948259.unnamed-global-34
EncryptionKeyTable
EncryptionKeyTable
EncryptionKeyResource
EncryptionKeyResource
Bin.sizeStringTable
Bin.sizeStringTable
Bin.apiStringTable
Bin.apiStringTable
?A0x79f4ca5a.unnamed-global-0
?A0x79f4ca5a.unnamed-global-0
?A0x79f4ca5a.unnamed-global-1
?A0x79f4ca5a.unnamed-global-1
?A0x79f4ca5a.unnamed-global-2
?A0x79f4ca5a.unnamed-global-2
?A0x79f4ca5a.unnamed-global-3
?A0x79f4ca5a.unnamed-global-3
?A0x79f4ca5a.unnamed-global-4
?A0x79f4ca5a.unnamed-global-4
?A0x79f4ca5a.unnamed-global-5
?A0x79f4ca5a.unnamed-global-5
?A0x79f4ca5a.unnamed-global-6
?A0x79f4ca5a.unnamed-global-6
?A0x79f4ca5a.unnamed-global-7
?A0x79f4ca5a.unnamed-global-7
?A0x79f4ca5a.unnamed-global-8
?A0x79f4ca5a.unnamed-global-8
?A0x79f4ca5a.unnamed-global-9
?A0x79f4ca5a.unnamed-global-9
?A0x79f4ca5a.unnamed-global-10
?A0x79f4ca5a.unnamed-global-10
?A0x79f4ca5a.unnamed-global-11
?A0x79f4ca5a.unnamed-global-11
?A0x79f4ca5a.unnamed-global-12
?A0x79f4ca5a.unnamed-global-12
?A0x79f4ca5a.unnamed-global-13
?A0x79f4ca5a.unnamed-global-13
?A0x79f4ca5a.unnamed-global-14
?A0x79f4ca5a.unnamed-global-14
?A0x79f4ca5a.unnamed-global-15
?A0x79f4ca5a.unnamed-global-15
?A0x79f4ca5a.unnamed-global-16
?A0x79f4ca5a.unnamed-global-16
?A0x79f4ca5a.unnamed-global-17
?A0x79f4ca5a.unnamed-global-17
?A0x79f4ca5a.unnamed-global-18
?A0x79f4ca5a.unnamed-global-18
?A0x79f4ca5a.unnamed-global-19
?A0x79f4ca5a.unnamed-global-19
?A0x79f4ca5a.unnamed-global-20
?A0x79f4ca5a.unnamed-global-20
?A0x79f4ca5a.unnamed-global-21
?A0x79f4ca5a.unnamed-global-21
?A0x79f4ca5a.unnamed-global-22
?A0x79f4ca5a.unnamed-global-22
?A0x79f4ca5a.unnamed-global-23
?A0x79f4ca5a.unnamed-global-23
?A0x79f4ca5a.unnamed-global-24
?A0x79f4ca5a.unnamed-global-24
?A0x79f4ca5a.unnamed-global-25
?A0x79f4ca5a.unnamed-global-25
?A0x79f4ca5a.unnamed-global-26
?A0x79f4ca5a.unnamed-global-26
?A0x79f4ca5a.unnamed-global-27
?A0x79f4ca5a.unnamed-global-27
?A0x79f4ca5a.unnamed-global-28
?A0x79f4ca5a.unnamed-global-28
?A0x79f4ca5a.unnamed-global-29
?A0x79f4ca5a.unnamed-global-29
?A0x79f4ca5a.unnamed-global-30
?A0x79f4ca5a.unnamed-global-30
?A0x79f4ca5a.unnamed-global-31
?A0x79f4ca5a.unnamed-global-31
?A0x79f4ca5a.unnamed-global-32
?A0x79f4ca5a.unnamed-global-32
?A0x79f4ca5a.unnamed-global-33
?A0x79f4ca5a.unnamed-global-33
?A0x79f4ca5a.unnamed-global-34
?A0x79f4ca5a.unnamed-global-34
?A0x79f4ca5a.unnamed-global-35
?A0x79f4ca5a.unnamed-global-35
?A0x5fb6b9aa.unnamed-global-0
?A0x5fb6b9aa.unnamed-global-0
?A0x5fb6b9aa.unnamed-global-1
?A0x5fb6b9aa.unnamed-global-1
?A0x5fb6b9aa.unnamed-global-2
?A0x5fb6b9aa.unnamed-global-2
?A0x5fb6b9aa.unnamed-global-3
?A0x5fb6b9aa.unnamed-global-3
?A0x5fb6b9aa.unnamed-global-4
?A0x5fb6b9aa.unnamed-global-4
?A0x5fb6b9aa.unnamed-global-5
?A0x5fb6b9aa.unnamed-global-5
?A0x5fb6b9aa.unnamed-global-6
?A0x5fb6b9aa.unnamed-global-6
?A0x5fb6b9aa.unnamed-global-7
?A0x5fb6b9aa.unnamed-global-7
?A0x5fb6b9aa.unnamed-global-8
?A0x5fb6b9aa.unnamed-global-8
?A0x5fb6b9aa.unnamed-global-9
?A0x5fb6b9aa.unnamed-global-9
?A0x5fb6b9aa.unnamed-global-10
?A0x5fb6b9aa.unnamed-global-10
?A0x5fb6b9aa.unnamed-global-11
?A0x5fb6b9aa.unnamed-global-11
?A0x5fb6b9aa.unnamed-global-12
?A0x5fb6b9aa.unnamed-global-12
?A0x5fb6b9aa.unnamed-global-13
?A0x5fb6b9aa.unnamed-global-13
?A0x5fb6b9aa.unnamed-global-14
?A0x5fb6b9aa.unnamed-global-14
?A0x5fb6b9aa.unnamed-global-15
?A0x5fb6b9aa.unnamed-global-15
?A0x5fb6b9aa.unnamed-global-16
?A0x5fb6b9aa.unnamed-global-16
?A0x5fb6b9aa.unnamed-global-17
?A0x5fb6b9aa.unnamed-global-17
?A0x5fb6b9aa.unnamed-global-18
?A0x5fb6b9aa.unnamed-global-18
?A0x5fb6b9aa.unnamed-global-19
?A0x5fb6b9aa.unnamed-global-19
?A0x5fb6b9aa.unnamed-global-20
?A0x5fb6b9aa.unnamed-global-20
?A0x5fb6b9aa.unnamed-global-21
?A0x5fb6b9aa.unnamed-global-21
?A0x5fb6b9aa.unnamed-global-22
?A0x5fb6b9aa.unnamed-global-22
?A0x5fb6b9aa.unnamed-global-23
?A0x5fb6b9aa.unnamed-global-23
?A0x5fb6b9aa.apiServx
?A0x5fb6b9aa.apiServx
?A0x5fb6b9aa.obfPacker
?A0x5fb6b9aa.obfPacker
?A0x5fb6b9aa.obfPacker$initializer$
?A0x5fb6b9aa.obfPacker$initializer$
?A0x2873fc43.unnamed-global-0
?A0x2873fc43.unnamed-global-0
?A0xee165adf.unnamed-global-0
?A0xee165adf.unnamed-global-0
?A0xee165adf.unnamed-global-1
?A0xee165adf.unnamed-global-1
?A0xee165adf.unnamed-global-2
?A0xee165adf.unnamed-global-2
?A0xee165adf.unnamed-global-3
?A0xee165adf.unnamed-global-3
?A0xee165adf.unnamed-global-4
?A0xee165adf.unnamed-global-4
?A0xee165adf.unnamed-global-5
?A0xee165adf.unnamed-global-5
?A0xee165adf.unnamed-global-6
?A0xee165adf.unnamed-global-6
?A0xee165adf.unnamed-global-7
?A0xee165adf.unnamed-global-7
?A0xee165adf.unnamed-global-8
?A0xee165adf.unnamed-global-8
?A0xee165adf.unnamed-global-9
?A0xee165adf.unnamed-global-9
?A0xee165adf.unnamed-global-10
?A0xee165adf.unnamed-global-10
?A0xee165adf.unnamed-global-11
?A0xee165adf.unnamed-global-11
?A0xee165adf.unnamed-global-12
?A0xee165adf.unnamed-global-12
?A0xee165adf.unnamed-global-13
?A0xee165adf.unnamed-global-13
?A0xee165adf.unnamed-global-14
?A0xee165adf.unnamed-global-14
?A0xee165adf.unnamed-global-15
?A0xee165adf.unnamed-global-15
?A0xee165adf.unnamed-global-16
?A0xee165adf.unnamed-global-16
?A0xee165adf.unnamed-global-17
?A0xee165adf.unnamed-global-17
?A0xee165adf.unnamed-global-18
?A0xee165adf.unnamed-global-18
?A0xee165adf.unnamed-global-19
?A0xee165adf.unnamed-global-19
?A0xee165adf.unnamed-global-20
?A0xee165adf.unnamed-global-20
?A0xee165adf.unnamed-global-21
?A0xee165adf.unnamed-global-21
?A0xee165adf.unnamed-global-22
?A0xee165adf.unnamed-global-22
?A0xee165adf.unnamed-global-23
?A0xee165adf.unnamed-global-23
?A0xee165adf.unnamed-global-24
?A0xee165adf.unnamed-global-24
?A0xee165adf.unnamed-global-25
?A0xee165adf.unnamed-global-25
?A0xee165adf.unnamed-global-26
?A0xee165adf.unnamed-global-26
?A0xee165adf.unnamed-global-27
?A0xee165adf.unnamed-global-27
?A0xee165adf.unnamed-global-28
?A0xee165adf.unnamed-global-28
?A0xee165adf.unnamed-global-29
?A0xee165adf.unnamed-global-29
?A0xee165adf.unnamed-global-30
?A0xee165adf.unnamed-global-30
?A0xee165adf.unnamed-global-31
?A0xee165adf.unnamed-global-31
?A0xee165adf.unnamed-global-32
?A0xee165adf.unnamed-global-32
?A0xee165adf.unnamed-global-33
?A0xee165adf.unnamed-global-33
?A0xee165adf.unnamed-global-34
?A0xee165adf.unnamed-global-34
?A0xee165adf.unnamed-global-35
?A0xee165adf.unnamed-global-35
?A0xee165adf.unnamed-global-36
?A0xee165adf.unnamed-global-36
?A0xee165adf.unnamed-global-37
?A0xee165adf.unnamed-global-37
?A0xee165adf.unnamed-global-38
?A0xee165adf.unnamed-global-38
?A0xee165adf.unnamed-global-39
?A0xee165adf.unnamed-global-39
Lib.sizeStringTable
Lib.sizeStringTable
Lib.apiStringTable
Lib.apiStringTable
?A0xd57d3ab9.unnamed-global-0
?A0xd57d3ab9.unnamed-global-0
?A0xd57d3ab9.unnamed-global-1
?A0xd57d3ab9.unnamed-global-1
?A0xd57d3ab9.unnamed-global-2
?A0xd57d3ab9.unnamed-global-2
?A0xd57d3ab9.unnamed-global-3
?A0xd57d3ab9.unnamed-global-3
?A0xd57d3ab9.unnamed-global-4
?A0xd57d3ab9.unnamed-global-4
?A0xd57d3ab9.unnamed-global-5
?A0xd57d3ab9.unnamed-global-5
?A0xd57d3ab9.unnamed-global-6
?A0xd57d3ab9.unnamed-global-6
?A0xd57d3ab9.unnamed-global-7
?A0xd57d3ab9.unnamed-global-7
?A0xd57d3ab9.unnamed-global-8
?A0xd57d3ab9.unnamed-global-8
?A0xd57d3ab9.unnamed-global-9
?A0xd57d3ab9.unnamed-global-9
?A0xd57d3ab9.unnamed-global-10
?A0xd57d3ab9.unnamed-global-10
?A0xd57d3ab9.unnamed-global-11
?A0xd57d3ab9.unnamed-global-11
?A0xd57d3ab9.unnamed-global-12
?A0xd57d3ab9.unnamed-global-12
?A0xd57d3ab9.unnamed-global-13
?A0xd57d3ab9.unnamed-global-13
?A0xd57d3ab9.unnamed-global-14
?A0xd57d3ab9.unnamed-global-14
?A0xd57d3ab9.unnamed-global-15
?A0xd57d3ab9.unnamed-global-15
?A0xd57d3ab9.unnamed-global-16
?A0xd57d3ab9.unnamed-global-16
?A0xd57d3ab9.unnamed-global-17
?A0xd57d3ab9.unnamed-global-17
?A0xd57d3ab9.unnamed-global-18
?A0xd57d3ab9.unnamed-global-18
?A0xd57d3ab9.unnamed-global-19
?A0xd57d3ab9.unnamed-global-19
?A0xd57d3ab9.unnamed-global-20
?A0xd57d3ab9.unnamed-global-20
?A0xd57d3ab9.unnamed-global-21
?A0xd57d3ab9.unnamed-global-21
?A0xd57d3ab9.unnamed-global-22
?A0xd57d3ab9.unnamed-global-22
?A0xd57d3ab9.unnamed-global-23
?A0xd57d3ab9.unnamed-global-23
?A0xd57d3ab9.unnamed-global-24
?A0xd57d3ab9.unnamed-global-24
?A0xd57d3ab9.unnamed-global-25
?A0xd57d3ab9.unnamed-global-25
?A0xd57d3ab9.unnamed-global-26
?A0xd57d3ab9.unnamed-global-26
?A0xd57d3ab9.unnamed-global-27
?A0xd57d3ab9.unnamed-global-27
?A0xd57d3ab9.unnamed-global-28
?A0xd57d3ab9.unnamed-global-28
?A0xd57d3ab9.unnamed-global-29
?A0xd57d3ab9.unnamed-global-29
?A0xd57d3ab9.unnamed-global-30
?A0xd57d3ab9.unnamed-global-30
?A0xd57d3ab9.unnamed-global-31
?A0xd57d3ab9.unnamed-global-31
?A0xd57d3ab9.unnamed-global-32
?A0xd57d3ab9.unnamed-global-32
?A0xd57d3ab9.unnamed-global-33
?A0xd57d3ab9.unnamed-global-33
?A0xd57d3ab9.unnamed-global-34
?A0xd57d3ab9.unnamed-global-34
?A0xd57d3ab9.unnamed-global-35
?A0xd57d3ab9.unnamed-global-35
?A0xd57d3ab9.unnamed-global-36
?A0xd57d3ab9.unnamed-global-36
?A0xd57d3ab9.unnamed-global-37
?A0xd57d3ab9.unnamed-global-37
?A0xd57d3ab9.unnamed-global-38
?A0xd57d3ab9.unnamed-global-38
?A0xe230abe1.unnamed-global-0
?A0xe230abe1.unnamed-global-0
?A0xe230abe1.unnamed-global-1
?A0xe230abe1.unnamed-global-1
?A0xe230abe1.unnamed-global-2
?A0xe230abe1.unnamed-global-2
?A0xe230abe1.unnamed-global-3
?A0xe230abe1.unnamed-global-3
?A0xe230abe1.unnamed-global-4
?A0xe230abe1.unnamed-global-4
?A0xe230abe1.unnamed-global-5
?A0xe230abe1.unnamed-global-5
?A0xe230abe1.unnamed-global-6
?A0xe230abe1.unnamed-global-6
?A0xe230abe1.unnamed-global-7
?A0xe230abe1.unnamed-global-7
?A0xe230abe1.unnamed-global-8
?A0xe230abe1.unnamed-global-8
?A0xe230abe1.unnamed-global-9
?A0xe230abe1.unnamed-global-9
?A0xe230abe1.unnamed-global-10
?A0xe230abe1.unnamed-global-10
?A0xe230abe1.unnamed-global-11
?A0xe230abe1.unnamed-global-11
?A0xe230abe1.unnamed-global-12
?A0xe230abe1.unnamed-global-12
?A0xe230abe1.unnamed-global-13
?A0xe230abe1.unnamed-global-13
?A0xe230abe1.unnamed-global-14
?A0xe230abe1.unnamed-global-14
?A0xe230abe1.unnamed-global-15
?A0xe230abe1.unnamed-global-15
?A0xe230abe1.unnamed-global-16
?A0xe230abe1.unnamed-global-16
?A0xe230abe1.unnamed-global-17
?A0xe230abe1.unnamed-global-17
?A0xe230abe1.unnamed-global-18
?A0xe230abe1.unnamed-global-18
?A0xe230abe1.unnamed-global-19
?A0xe230abe1.unnamed-global-19
?A0xe230abe1.unnamed-global-20
?A0xe230abe1.unnamed-global-20
?A0xe230abe1.unnamed-global-21
?A0xe230abe1.unnamed-global-21
?A0xe230abe1.unnamed-global-22
?A0xe230abe1.unnamed-global-22
?A0xe230abe1.unnamed-global-23
?A0xe230abe1.unnamed-global-23
?A0xe230abe1.unnamed-global-24
?A0xe230abe1.unnamed-global-24
?A0xe230abe1.unnamed-global-25
?A0xe230abe1.unnamed-global-25
?A0xe230abe1.unnamed-global-26
?A0xe230abe1.unnamed-global-26
?A0xe230abe1.unnamed-global-27
?A0xe230abe1.unnamed-global-27
?A0xe230abe1.unnamed-global-28
?A0xe230abe1.unnamed-global-28
?A0xe230abe1.unnamed-global-29
?A0xe230abe1.unnamed-global-29
?A0xe230abe1.unnamed-global-30
?A0xe230abe1.unnamed-global-30
?A0xe230abe1.unnamed-global-31
?A0xe230abe1.unnamed-global-31
?A0xe230abe1.unnamed-global-32
?A0xe230abe1.unnamed-global-32
?A0xe230abe1.unnamed-global-33
?A0xe230abe1.unnamed-global-33
?A0xe230abe1.unnamed-global-34
?A0xe230abe1.unnamed-global-34
?A0xe230abe1.unnamed-global-35
?A0xe230abe1.unnamed-global-35
?A0xe230abe1.unnamed-global-36
?A0xe230abe1.unnamed-global-36
?A0xe230abe1.unnamed-global-37
?A0xe230abe1.unnamed-global-37
?A0xe230abe1.unnamed-global-38
?A0xe230abe1.unnamed-global-38
?A0xe230abe1.unnamed-global-39
?A0xe230abe1.unnamed-global-39
?Uninitialized@CurrentDomain@@@$$Q2HA
?Uninitialized@CurrentDomain@@@$$Q2HA
?A0xf084536d.?Uninitialized$initializer$@CurrentDomain@@@$$Q2P6MXXZA
?A0xf084536d.?Uninitialized$initializer$@CurrentDomain@@@$$Q2P6MXXZA
?InitializedPerAppDomain@CurrentDomain@@@$$Q2W4State@Progress@2@A
?InitializedPerAppDomain@CurrentDomain@@@$$Q2W4State@Progress@2@A
?A0xf084536d.?InitializedPerAppDomain$initializer$@CurrentDomain@@@$$Q2P6MXXZA
?A0xf084536d.?InitializedPerAppDomain$initializer$@CurrentDomain@@@$$Q2P6MXXZA
?IsDefaultDomain@CurrentDomain@@@$$Q2_NA
?IsDefaultDomain@CurrentDomain@@@$$Q2_NA
?A0xf084536d.?IsDefaultDomain$initializer$@CurrentDomain@@@$$Q2P6MXXZA
?A0xf084536d.?IsDefaultDomain$initializer$@CurrentDomain@@@$$Q2P6MXXZA
?InitializedNative@CurrentDomain@@@$$Q2W4State@Progress@2@A
?InitializedNative@CurrentDomain@@@$$Q2W4State@Progress@2@A
?A0xf084536d.?InitializedNative$initializer$@CurrentDomain@@@$$Q2P6MXXZA
?A0xf084536d.?InitializedNative$initializer$@CurrentDomain@@@$$Q2P6MXXZA
?Initialized@CurrentDomain@@@$$Q2HA
?Initialized@CurrentDomain@@@$$Q2HA
?A0xf084536d.?Initialized$initializer$@CurrentDomain@@@$$Q2P6MXXZA
?A0xf084536d.?Initialized$initializer$@CurrentDomain@@@$$Q2P6MXXZA
?InitializedVtables@CurrentDomain@@@$$Q2W4State@Progress@2@A
?InitializedVtables@CurrentDomain@@@$$Q2W4State@Progress@2@A
?A0xf084536d.?InitializedVtables$initializer$@CurrentDomain@@@$$Q2P6MXXZA
?A0xf084536d.?InitializedVtables$initializer$@CurrentDomain@@@$$Q2P6MXXZA
?InitializedPerProcess@CurrentDomain@@@$$Q2W4State@Progress@2@A
?InitializedPerProcess@CurrentDomain@@@$$Q2W4State@Progress@2@A
?A0xf084536d.?InitializedPerProcess$initializer$@CurrentDomain@@@$$Q2P6MXXZA
?A0xf084536d.?InitializedPerProcess$initializer$@CurrentDomain@@@$$Q2P6MXXZA
?InitializedPerProcess@DefaultDomain@@@2_NA
?InitializedPerProcess@DefaultDomain@@@2_NA
?Entered@DefaultDomain@@@2_NA
?Entered@DefaultDomain@@@2_NA
?InitializedNative@DefaultDomain@@@2_NA
?InitializedNative@DefaultDomain@@@2_NA
?Count@AllDomains@@@2HA
?Count@AllDomains@@@2HA
?hasNative@DefaultDomain@@@0W4State@TriBool@2@A
?hasNative@DefaultDomain@@@0W4State@TriBool@2@A
?hasPerProcess@DefaultDomain@@@0W4State@TriBool@2@A
?hasPerProcess@DefaultDomain@@@0W4State@TriBool@2@A
?InitializedNativeFromCCTOR@DefaultDomain@@@2_NA
?InitializedNativeFromCCTOR@DefaultDomain@@@2_NA
__unep@?DoNothing@DefaultDomain@@@$$FCGJPAX@Z
__unep@?DoNothing@DefaultDomain@@@$$FCGJPAX@Z
__unep@?_UninitializeDefaultDomain@LanguageSupport@@@$$FCGJPAX@Z
__unep@?_UninitializeDefaultDomain@LanguageSupport@@@$$FCGJPAX@Z
?_lock@AtExitLock@@@$$Q0PAXA
?_lock@AtExitLock@@@$$Q0PAXA
?_ref_count@AtExitLock@@@$$Q0HA
?_ref_count@AtExitLock@@@$$Q0HA
.ctor
.ctor
StubService.exe
StubService.exe
System.Security.Permissions.SecurityPermissionAttribute, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
System.Security.Permissions.SecurityPermissionAttribute, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
c:\ofuscador\bin\Packer\stubtemp\Release\StubService.pdb
c:\ofuscador\bin\Packer\stubtemp\Release\StubService.pdb
KERNEL32.dll
KERNEL32.dll
MSVCR90.dll
MSVCR90.dll
_acmdln
_acmdln
_crt_debugger_hook
_crt_debugger_hook
MSVCP90.dll
MSVCP90.dll
?DoCallBackInDefaultDomain@@@YAXP6GJPAX@Z0@Z
?DoCallBackInDefaultDomain@@@YAXP6GJPAX@Z0@Z
?ThrowNestedModuleLoadException@@@YAXP$AAVException@System@@0@Z
?ThrowNestedModuleLoadException@@@YAXP$AAVException@System@@0@Z
?ThrowModuleLoadException@@@YAXP$AAVString@System@@@Z
?ThrowModuleLoadException@@@YAXP$AAVString@System@@@Z
?RegisterModuleUninitializer@@@YAXP$AAVEventHandler@System@@@Z
?RegisterModuleUninitializer@@@YAXP$AAVEventHandler@System@@@Z
?DoDllLanguageSupportValidation@@@YAXXZ
?DoDllLanguageSupportValidation@@@YAXXZ
?ThrowModuleLoadException@@@YAXP$AAVString@System@@P$AAVException@3@@Z
?ThrowModuleLoadException@@@YAXP$AAVString@System@@P$AAVException@3@@Z
msvcm90.dll
msvcm90.dll
_CorExeMain
_CorExeMain
mscoree.dll
mscoree.dll
JO1%.BA
JO1%.BA
%Co{m
%Co{m
4 4$4(4044484
4 4$4(4044484
My Sample Service: ServiceMain: Performing Service Start Operations
My Sample Service: ServiceMain: Performing Service Start Operations
My Sample Service: ServiceMain: Performing Cleanup Operations
My Sample Service: ServiceMain: Performing Cleanup Operations
kernel32.dll
kernel32.dll
Advapi32.dll
Advapi32.dll
UpdaterServiceExe
UpdaterServiceExe
1.1.8.0
1.1.8.0
UpdaterServiceExe.exe
UpdaterServiceExe.exe
TNT2User.exe_2824:
.text
.text
`.rdata
`.rdata
@.data
@.data
.rsrc
.rsrc
@.reloc
@.reloc
8%u(j
8%u(j
uœ\u
uœ\u
mem:%x
mem:%x
RegDeleteKeyExW
RegDeleteKeyExW
Advapi32.dll
Advapi32.dll
RegOpenKeyTransactedW
RegOpenKeyTransactedW
RegCreateKeyTransactedW
RegCreateKeyTransactedW
RegDeleteKeyTransactedW
RegDeleteKeyTransactedW
F%D,3
F%D,3
advapi32.dll
advapi32.dll
SubclassChrome
SubclassChrome
UnInjLib.dll
UnInjLib.dll
operator
operator
GetProcessWindowStation
GetProcessWindowStation
E:\ProjectsBuild\ClickOnce\ReleaseFreshy\TNT2User.pdb
E:\ProjectsBuild\ClickOnce\ReleaseFreshy\TNT2User.pdb
log.dll
log.dll
GetWindowsDirectoryW
GetWindowsDirectoryW
GetProcessHeap
GetProcessHeap
KERNEL32.dll
KERNEL32.dll
CreateDialogIndirectParamW
CreateDialogIndirectParamW
EnumWindows
EnumWindows
USER32.dll
USER32.dll
RegCloseKey
RegCloseKey
RegCreateKeyExW
RegCreateKeyExW
RegDeleteKeyW
RegDeleteKeyW
RegOpenKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
RegQueryInfoKeyW
RegEnumKeyExW
RegEnumKeyExW
RegEnumKeyW
RegEnumKeyW
CryptDeriveKey
CryptDeriveKey
CryptDestroyKey
CryptDestroyKey
CryptImportKey
CryptImportKey
RegOverridePredefKey
RegOverridePredefKey
ADVAPI32.dll
ADVAPI32.dll
ole32.dll
ole32.dll
ShellExecuteW
ShellExecuteW
SHFileOperationW
SHFileOperationW
ShellExecuteExW
ShellExecuteExW
SHELL32.dll
SHELL32.dll
OLEAUT32.dll
OLEAUT32.dll
SHLWAPI.dll
SHLWAPI.dll
GDI32.dll
GDI32.dll
URLDownloadToFileW
URLDownloadToFileW
URLDownloadToCacheFileW
URLDownloadToCacheFileW
URLOpenPullStreamW
URLOpenPullStreamW
urlmon.dll
urlmon.dll
PSAPI.DLL
PSAPI.DLL
InternetOpenUrlW
InternetOpenUrlW
WININET.dll
WININET.dll
GdiplusShutdown
GdiplusShutdown
gdiplus.dll
gdiplus.dll
COMCTL32.dll
COMCTL32.dll
VERSION.dll
VERSION.dll
WS2_32.dll
WS2_32.dll
UxTheme.dll
UxTheme.dll
AVIFIL32.dll
AVIFIL32.dll
d3d9.dll
d3d9.dll
GetCPInfo
GetCPInfo
.?AV?$CAtlExeModuleT@VCTNT2UserModule@@@ATL@@
.?AV?$CAtlExeModuleT@VCTNT2UserModule@@@ATL@@
zcÃ
zcÃ
ForceRemove {554EBE31-AEC1-4E34-BCE3-606467760D88} = s 'TNT2 ToolbarManager'
ForceRemove {554EBE31-AEC1-4E34-BCE3-606467760D88} = s 'TNT2 ToolbarManager'
val ServerExecutable = s '%MODULE_RAW%'
val ServerExecutable = s '%MODULE_RAW%'
TypeLib = s '{ABB8A8A5-FF98-40F6-B573-5841B063EA37}'
TypeLib = s '{ABB8A8A5-FF98-40F6-B573-5841B063EA37}'
ForceRemove {72A6AB0F-2FA8-4C73-9FCB-1E62A608F001}
ForceRemove {72A6AB0F-2FA8-4C73-9FCB-1E62A608F001}
val CLSID = s '{554EBE31-AEC1-4E34-BCE3-606467760D88}'
val CLSID = s '{554EBE31-AEC1-4E34-BCE3-606467760D88}'
ForceRemove {70BC1CDB-0744-4172-BDA0-B5A487D00C3A}
ForceRemove {70BC1CDB-0744-4172-BDA0-B5A487D00C3A}
Paint.NET v2.72rZ
Paint.NET v2.72rZ
.BB83T
.BB83T
V.ii[
V.ii[
X.sq?
X.sq?
.Rh!$
.Rh!$
%&)#&)#&)#
%&)#&)#&)#
"iTXtXML:com.adobe.xmp
"iTXtXML:com.adobe.xmp
" id="W5M0MpCehiHzreSzNTczkc9d"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?> n
" id="W5M0MpCehiHzreSzNTczkc9d"?> n
" id="W5M0MpCehiHzreSzNTczkc9d"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?>
.WWWr
.WWWr
" id="W5M0MpCehiHzreSzNTczkc9d"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?>
osss.vrrbWWW>
osss.vrrbWWW>
" id="W5M0MpCehiHzreSzNTczkc9d"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?> Lx
" id="W5M0MpCehiHzreSzNTczkc9d"?> Lx
" id="W5M0MpCehiHzreSzNTczkc9d"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?>
Paint.NET v3.5.100
Paint.NET v3.5.100
}``|^^~^_
}``|^^~^_
...QQQ---
...QQQ---
"""$$$%%%
"""$$$%%%
&&&!!! """,,,###,,,###,,,###,,,###,,,###,,,###,,,###,,,###,,,### $$$
&&&!!! """,,,###,,,###,,,###,,,###,,,###,,,###,,,###,,,###,,,### $$$
...QQQ
...QQQ
666!!!777!!!777!!!777!!!777
666!!!777!!!777!!!777!!!777
!!!777!!!777!!!777
!!!777!!!777!!!777
!!!777 777!!!
!!!777 777!!!
666!!!777!!!777
666!!!777!!!777
...QQQ...RRR...QQQ
...QQQ...RRR...QQQ
...QQQ...QQQ---
...QQQ...QQQ---
!!!777!!!777!!!777!!!777!!!777
!!!777!!!777!!!777!!!777!!!777
...QQQ---QQQ...QQQ
...QQQ---QQQ...QQQ
!!!777!!!777!!!777!!!777!!!777 777!!!
!!!777!!!777!!!777!!!777!!!777 777!!!
555$$$DDD NNN---QQQ---QQQ...QQQ
555$$$DDD NNN---QQQ---QQQ...QQQ
stdole2.tlbWWW
stdole2.tlbWWW
nGetCurrentUrlWWW
nGetCurrentUrlWWW
bstrUrlW,
bstrUrlW,
^DetachChrome
^DetachChrome
CreateChromeToolbarWd
CreateChromeToolbarWd
AttachChromeToolbarWd
AttachChromeToolbarWd
XMLHttpRequestWW
XMLHttpRequestWW
7pencodeUrlWWW
7pencodeUrlWWW
keyW
keyW
bstrKeyW
bstrKeyW
"shellExecute
"shellExecute
bstrOperationWWW
bstrOperationWWW
1varFeedbackUrlWW
1varFeedbackUrlWW
pMsg
pMsg
urlDownloadToFileWWW
urlDownloadToFileWWW
ZcreateProcessHiddenW
ZcreateProcessHiddenW
bsUrlWWW
bsUrlWWW
IsRegistryKeyExistWW
IsRegistryKeyExistWW
bsKeyWWW
bsKeyWWW
~cmdW4
~cmdW4
ÃX_Text
ÃX_Text
SendKeystrokeWWW
SendKeystrokeWWW
chKeyWWW
chKeyWWW
bsUrlDownloadWWW
bsUrlDownloadWWW
Created by MIDL version 7.00.0555 at Tue Oct 28 11:24:49 2014
Created by MIDL version 7.00.0555 at Tue Oct 28 11:24:49 2014
?%?,?3?9?
?%?,?3?9?
4L4_4
4L4_4
7)72777]7
7)72777]7
8 8$8(8,8084888
8 8$8(8,8084888
:$:(:,:0:
:$:(:,:0:
4!4*4/4
4!4*4/4
= =$=(=,=
= =$=(=,=
$0(0,00040
$0(0,00040
8 8$8(8,80848
8 8$8(8,80848
Shell32.dll
Shell32.dll
%s\%s
%s\%s
\autorun.inf
\autorun.inf
%s-%s
%s-%s
HKEY_CLASSES_ROOT
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
HKEY_CURRENT_CONFIG
\PARTNER.TNT
\PARTNER.TNT
\INSTALL.TNT
\INSTALL.TNT
\UNINSTALL.TNT
\UNINSTALL.TNT
\UPDATE.TNT
\UPDATE.TNT
\GLOBALUNINSTALL.TNT
\GLOBALUNINSTALL.TNT
kernel32.dll
kernel32.dll
HRESULT error - %X
HRESULT error - %X
Restored %d localStorage items
Restored %d localStorage items
Saved %d localStorage items
Saved %d localStorage items
%s Line:%d %s
%s Line:%d %s
%s was not loaded
%s was not loaded
Microsoft.XMLHTTP
Microsoft.XMLHTTP
XMLHttpRequest
XMLHttpRequest
XMLHttpRequest was not created
XMLHttpRequest was not created
%%X
%%X
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\
Requsted %s not found in localStorage
Requsted %s not found in localStorage
*.TNT
*.TNT
CRYP_Error %d(0xx)
CRYP_Error %d(0xx)
\inst.ini
\inst.ini
\runt.ini
\runt.ini
hXXp://staging.ws.freshy.com/general/latest_install.php?toolbar_id=
hXXp://staging.ws.freshy.com/general/latest_install.php?toolbar_id=
hXXp://staging.ws.freshy.com/general/latest_revision.php?toolbar_id=
hXXp://staging.ws.freshy.com/general/latest_revision.php?toolbar_id=
hXXp://services.freshy.com/general/latest_install.php?toolbar_id=
hXXp://services.freshy.com/general/latest_install.php?toolbar_id=
hXXp://services.freshy.com/general/latest_revision.php?toolbar_id=
hXXp://services.freshy.com/general/latest_revision.php?toolbar_id=
unable to start TNT engine 0x%x
unable to start TNT engine 0x%x
cant open %s
cant open %s
error=%d(0x%x)
error=%d(0x%x)
cant save %s
cant save %s
0x%X,0x%X
0x%X,0x%X
%d/%d/%d at %d:d
%d/%d/%d at %d:d
CreateProcess error=%d(0x%x)
CreateProcess error=%d(0x%x)
deleteRegistry returned %d(0x%X)
deleteRegistry returned %d(0x%X)
TNT2User.exe
TNT2User.exe
Killed %d TNT2
Killed %d TNT2
WARN: download fail for %s
WARN: download fail for %s
CreateProcessWithTokenW error=%d(0x%x)
CreateProcessWithTokenW error=%d(0x%x)
LastSession.log
LastSession.log
user32.dll
user32.dll
User32.dll
User32.dll
Entering standby mode - %d browser(s) open
Entering standby mode - %d browser(s) open
Wow time to check the processes was %d
Wow time to check the processes was %d
\uX
\uX
RadioPlayer.Volume
RadioPlayer.Volume
RadioPlayer.LastUrl
RadioPlayer.LastUrl
RadioPlayer.LastId
RadioPlayer.LastId
RadioPlayer.Favorites
RadioPlayer.Favorites
RadioPlayer.Width
RadioPlayer.Width
\RemoteSkin.wms
\RemoteSkin.wms
{6BF52A52-394A-11d3-B153-00C04F79FAA6}
{6BF52A52-394A-11d3-B153-00C04F79FAA6}
emptymsg
emptymsg
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech\AudioInput
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech\AudioInput
OLEAUT32.DLL
OLEAUT32.DLL
UXTHEME.DLL
UXTHEME.DLL
hXXp://staging.ws.freshy.com/general/latest4.php?
hXXp://staging.ws.freshy.com/general/latest4.php?
hXXp://services.freshy.com/general/latest4.php?
hXXp://services.freshy.com/general/latest4.php?
\TNT2\TNT2UserPS.dll
\TNT2\TNT2UserPS.dll
Ieframe.dll
Ieframe.dll
Global\com.tnt2toolbar.%s
Global\com.tnt2toolbar.%s
TntMagicDel.dll
TntMagicDel.dll
\rundll32.exe
\rundll32.exe
hXXp://services.freshy.com/general/ping.php?action=
hXXp://services.freshy.com/general/ping.php?action=
&os=NT-platform%;v%d.%d
&os=NT-platform%;v%d.%d
TNT2User started with cmd line: %s
TNT2User started with cmd line: %s
TNT2User exited with code: %d
TNT2User exited with code: %d
Mscoree.dll
Mscoree.dll
\crash.dmp
\crash.dmp
\LastSession.log
\LastSession.log
keydown
keydown
\partner.dat
\partner.dat
\storage.dat
\storage.dat
\blklst%d.db
\blklst%d.db
Download fail - %s
Download fail - %s
CToolbarMan::m_dwRef %d
CToolbarMan::m_dwRef %d
Creating TDOM for %s
Creating TDOM for %s
failed to start jshost %x
failed to start jshost %x
cant download %s
cant download %s
selectedBrowser 0x%X error
selectedBrowser 0x%X error
"url":
"url":
hXXp://
hXXp://
{ "error": 502, "url": "%s" }
{ "error": 502, "url": "%s" }
addEventListener for %d
addEventListener for %d
not found event %s
not found event %s
CreateChromeToolbar %x
CreateChromeToolbar %x
GetClassName error 0x%x
GetClassName error 0x%x
Chrome_RenderWidgetHostHWND
Chrome_RenderWidgetHostHWND
\tnt2chrome.dll
\tnt2chrome.dll
CToolbarManager::m_dwRef 0x%x from %s
CToolbarManager::m_dwRef 0x%x from %s
Added a view for 0x%X
Added a view for 0x%X
started by the browser: %d
started by the browser: %d
will be using X background color (0=rebar)
will be using X background color (0=rebar)
c:\temp\out.avi
c:\temp\out.avi
combase.dll
combase.dll
mscoree.dll
mscoree.dll
- CRT not initialized
- CRT not initialized
- Attempt to initialize the CRT more than once.
- Attempt to initialize the CRT more than once.
- floating point support not loaded
- floating point support not loaded
USER32.DLL
USER32.DLL
MSPDB110.DLL
MSPDB110.DLL
C:\Users\"%CurrentUserName%"\AppData\Local\TNT2\2.0.0.1895\TNT2User.exe
C:\Users\"%CurrentUserName%"\AppData\Local\TNT2\2.0.0.1895\TNT2User.exe
Freshy.com
Freshy.com
2.0.0.1895
2.0.0.1895
Freshy.com All Rights Reserved
Freshy.com All Rights Reserved
Upd4terSrv.exe_2920_rwx_6E672000_00002000:
gn?.gn
gn?.gn
allgeniusSetup_884:
.text
.text
`.rdata
`.rdata
@.data
@.data
.ndata
.ndata
.rsrc
.rsrc
uDSSh
uDSSh
.DEFAULT\Control Panel\International
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
GetWindowsDirectoryA
KERNEL32.dll
KERNEL32.dll
ExitWindowsEx
ExitWindowsEx
USER32.dll
USER32.dll
GDI32.dll
GDI32.dll
SHFileOperationA
SHFileOperationA
ShellExecuteA
ShellExecuteA
SHELL32.dll
SHELL32.dll
RegEnumKeyA
RegEnumKeyA
RegCreateKeyExA
RegCreateKeyExA
RegCloseKey
RegCloseKey
RegDeleteKeyA
RegDeleteKeyA
RegOpenKeyExA
RegOpenKeyExA
ADVAPI32.dll
ADVAPI32.dll
COMCTL32.dll
COMCTL32.dll
ole32.dll
ole32.dll
VERSION.dll
VERSION.dll
verifying installer: %d%%
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
hXXp://nsis.sf.net/NSIS_Error
... %d%%
... %d%%
~nsu.tmp
~nsu.tmp
%u.%u%s%s
%u.%u%s%s
RegDeleteKeyExA
RegDeleteKeyExA
%s=%s
%s=%s
*?|/":
*?|/":
sers\"%CurrentUserName%"\AppData\Local\Temp\nsg639.tmp\inetc.dll
sers\"%CurrentUserName%"\AppData\Local\Temp\nsg639.tmp\inetc.dll
t.dll
t.dll
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsg639.tmp\inetc.dll
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsg639.tmp\inetc.dll
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsg639.tmp
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsg639.tmp
s\http\UserChoice
s\http\UserChoice
@.Qc'-
@.Qc'-
@.reloc
@.reloc
u.Uj@
u.Uj@
MSVCRT.dll
MSVCRT.dll
HttpSendRequestA
HttpSendRequestA
HttpSendRequestExA
HttpSendRequestExA
HttpQueryInfoA
HttpQueryInfoA
FtpCreateDirectoryA
FtpCreateDirectoryA
FtpOpenFileA
FtpOpenFileA
HttpOpenRequestA
HttpOpenRequestA
HttpAddRequestHeadersA
HttpAddRequestHeadersA
HttpEndRequestA
HttpEndRequestA
InternetCrackUrlA
InternetCrackUrlA
WININET.dll
WININET.dll
inetc.dll
inetc.dll
Open URL Error
Open URL Error
URL Parts Error
URL Parts Error
FtpCreateDir failed (550)
FtpCreateDir failed (550)
Error FTP path (550)
Error FTP path (550)
Downloading %s
Downloading %s
%dkB (%d%%) of %dkB @ %d.dkB/s
%dkB (%d%%) of %dkB @ %d.dkB/s
(%d %s%s remaining)
(%d %s%s remaining)
REST %d
REST %d
SIZE %s
SIZE %s
Content-Length: %d
Content-Length: %d
Content-Type: application/x-www-form-urlencoded
Content-Type: application/x-www-form-urlencoded
Authorization: basic %s
Authorization: basic %s
Proxy-authorization: basic %s
Proxy-authorization: basic %s
%s:%s
%s:%s
FtpCommandA
FtpCommandA
wininet.dll
wininet.dll
%u MB
%u MB
%u kB
%u kB
%u bytes
%u bytes
%d:d:d
%d:d:d
%s - %s
%s - %s
(Err=%d)
(Err=%d)
NSIS_Inetc (Mozilla)
NSIS_Inetc (Mozilla)
Filename: %s
Filename: %s
/password
/password
Uploading %s
Uploading %s
9!9-9B9}9
9!9-9B9}9
9!9*90959
9!9*90959
? ?'?,?:?
? ?'?,?:?
wl]M.Ru
wl]M.Ru
.LCB(
.LCB(
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\allgenius\Setup
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\allgenius\Setup
osoft Windows 7 Professional N version : 6.1.7601 service pack : 1.0
osoft Windows 7 Professional N version : 6.1.7601 service pack : 1.0
7BA32E8-5DB1-4167-AB06-0AE36AF3A120
7BA32E8-5DB1-4167-AB06-0AE36AF3A120
DB1-4167-AB06-0AE36AF3A120
DB1-4167-AB06-0AE36AF3A120
BA32E8-5DB1-4167-AB06-0AE36AF3A120}
BA32E8-5DB1-4167-AB06-0AE36AF3A120}
"C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\218\allgeniusSetup" /np 1 /is trlsua
"C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\218\allgeniusSetup" /np 1 /is trlsua
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\allgenius
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\allgenius
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\218
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\218
ers\"%CurrentUserName%"\AppData\Local\Temp\nsq628.tmp
ers\"%CurrentUserName%"\AppData\Local\Temp\nsq628.tmp
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\218\allgeniusSetup
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\218\allgeniusSetup
77BA32E8-5DB1-4167-AB06-0AE36AF3A120
77BA32E8-5DB1-4167-AB06-0AE36AF3A120
00:50:56:21:01:74
00:50:56:21:01:74
10.0.9200.16521
10.0.9200.16521
0.50727.5420
0.50727.5420
Windows, 64-bit
Windows, 64-bit
Microsoft Windows 7 Professional N version : 6.1.7601 service pack : 1.0
Microsoft Windows 7 Professional N version : 6.1.7601 service pack : 1.0
Nullsoft Install System v2.46
Nullsoft Install System v2.46
allgeniusSetup_884_rwx_10004000_00001000:
callback%d
callback%d