Application.Bundler.Somoto.I_f851beeaa9 – Adaware

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Application creates the following process(es):

%original file name%.exe:1844

The Application injects its code into the following process(es):

biclient.exe:980

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process biclient.exe:980 makes changes in the file system.

The Application creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S1IF2PYL\The_Pirate_Bay_logo[1].png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\smt_istartsurf.exe (22288 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W1256BWJ\eula-sourceapp[1].html (1650 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\InstallGenieo.exe.3 (9352 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1JL3UHQQ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1JL3UHQQ\tokyo_sprite_full[1].png (3505 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\smt_istartsurf.exe.0 (2696 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4.tmp (37040 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\InstallGenieo.exe.0 (9352 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\InstallGenieo.exe.4 (9352 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\smt_istartsurf.exe.5 (2696 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\appshat_generic.exe.5 (2696 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\appshat_generic.exe.4 (2696 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\appshat_generic.exe.7 (2696 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\appshat_generic.exe.6 (2696 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W1256BWJ\eula-sourceapp[1].htm (395 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\appshat_generic.exe.0 (2696 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\appshat_generic.exe.3 (2696 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\appshat_generic.exe.2 (2696 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W1256BWJ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1JL3UHQQ\tokyoThreeWavesBG[1].jpg (510 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\InstallGenieo.exe.1 (9352 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\smt_istartsurf.exe.3 (2696 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\smt_istartsurf.exe.2 (2696 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\smt_istartsurf.exe.1 (2696 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\smt_istartsurf.exe.7 (2696 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\smt_istartsurf.exe.6 (2696 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\smt_istartsurf.exe.4 (2696 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4.tmp.1 (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4.tmp.0 (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4.tmp.3 (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W1256BWJ\eula[1].htm (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S1IF2PYL\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4.tmp.4 (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4.tmp.7 (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4.tmp.6 (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\InstallGenieo.exe.2 (9352 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YFLCO7YQ\eula[1].htm (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S1IF2PYL\eula[1].html (538 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\InstallGenieo.exe.5 (9352 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YFLCO7YQ\eula-istartsurf[1].htm (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\InstallGenieo.exe.6 (9352 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YFLCO7YQ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\appshat_generic.exe.1 (2696 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1JL3UHQQ\eula[1].html (538 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4.tmp.2 (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\InstallGenieo.exe (70607 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4.tmp.5 (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YFLCO7YQ\The_Pirate_Bay_logo[1].png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S1IF2PYL\eula-istartsurf[1].html (535 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\InstallGenieo.exe.7 (9352 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\appshat_generic.exe (21724 bytes)

The Application deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S1IF2PYL\The_Pirate_Bay_logo[1].png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W1256BWJ\eula-sourceapp[1].html (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\InstallGenieo.exe.3 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\smt_istartsurf.exe.6 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\appshat_generic.exe.5 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\appshat_generic.exe.4 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\appshat_generic.exe.7 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\appshat_generic.exe.6 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\appshat_generic.exe.1 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\appshat_generic.exe.0 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\appshat_generic.exe.3 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\appshat_generic.exe.2 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\smt_istartsurf.exe.3 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\smt_istartsurf.exe.2 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\smt_istartsurf.exe.1 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\smt_istartsurf.exe.0 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\smt_istartsurf.exe.7 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S1IF2PYL\smt_istartsurf[1].exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\smt_istartsurf.exe.5 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\smt_istartsurf.exe.4 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1JL3UHQQ\SourceAppSetup[1].exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4.tmp.1 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4.tmp.0 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4.tmp.3 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4.tmp.2 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4.tmp.5 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4.tmp.4 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4.tmp.7 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4.tmp.6 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\InstallGenieo.exe.2 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\InstallGenieo.exe.4 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\InstallGenieo.exe.5 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\InstallGenieo.exe.6 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\InstallGenieo.exe.7 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Neon_Genesis_Evangelion_Platinum_Collection.8401676.TPB.torrent (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\InstallGenieo.exe.0 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S1IF2PYL\eula-istartsurf[1].html (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\InstallGenieo.exe.1 (0 bytes)

The process %original file name%.exe:1844 makes changes in the file system.

The Application creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\biclient.exe (8184 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp (6501 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\config.ini (154 bytes)

The Application deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\config.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\biclient.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss1.tmp (0 bytes)

Registry activity

The process biclient.exe:980 makes changes in the system registry.

The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C5 91 57 7C CD 09 2D 1E 3A 31 91 D3 B4 4D 71 03"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Application modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Application modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Application modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Application deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:1844 makes changes in the system registry.

The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6E 82 1B 33 B3 8B 79 A6 6B C1 16 99 AC BA 02 F6"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\biclient.exe,"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

Dropped PE files

MD5	File path
2fb21755514945c8d5d27bbdd84eef62	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\4.tmp
d65611fbc4da8cea4e886076bec82d1e	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\InstallGenieo.exe
518879abe3170dabd172dfffcd165598	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\appshat_generic.exe
ac8f7611f353ca9803fad5ff81900678	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\biclient.exe
a8baa7d8069523253b8d8ccde24bf5ec	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\smt_istartsurf.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1844
Delete the original Application file.
Delete or disinfect the following files created/modified by the Application:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S1IF2PYL\The_Pirate_Bay_logo[1].png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\smt_istartsurf.exe (22288 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W1256BWJ\eula-sourceapp[1].html (1650 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\InstallGenieo.exe.3 (9352 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1JL3UHQQ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1JL3UHQQ\tokyo_sprite_full[1].png (3505 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\smt_istartsurf.exe.0 (2696 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4.tmp (37040 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\InstallGenieo.exe.0 (9352 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\InstallGenieo.exe.4 (9352 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\smt_istartsurf.exe.5 (2696 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\appshat_generic.exe.5 (2696 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\appshat_generic.exe.4 (2696 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\appshat_generic.exe.7 (2696 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\appshat_generic.exe.6 (2696 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\appshat_generic.exe.0 (2696 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\appshat_generic.exe.3 (2696 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\appshat_generic.exe.2 (2696 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W1256BWJ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1JL3UHQQ\tokyoThreeWavesBG[1].jpg (510 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\InstallGenieo.exe.1 (9352 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\smt_istartsurf.exe.3 (2696 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\smt_istartsurf.exe.2 (2696 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\smt_istartsurf.exe.1 (2696 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\smt_istartsurf.exe.7 (2696 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\smt_istartsurf.exe.6 (2696 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\smt_istartsurf.exe.4 (2696 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4.tmp.1 (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4.tmp.0 (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4.tmp.3 (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W1256BWJ\eula[1].htm (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S1IF2PYL\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4.tmp.4 (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4.tmp.7 (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4.tmp.6 (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\InstallGenieo.exe.2 (9352 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YFLCO7YQ\eula[1].htm (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S1IF2PYL\eula[1].html (538 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\InstallGenieo.exe.5 (9352 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YFLCO7YQ\eula-istartsurf[1].htm (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\InstallGenieo.exe.6 (9352 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YFLCO7YQ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\appshat_generic.exe.1 (2696 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1JL3UHQQ\eula[1].html (538 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4.tmp.2 (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4.tmp.5 (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YFLCO7YQ\The_Pirate_Bay_logo[1].png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S1IF2PYL\eula-istartsurf[1].html (535 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\InstallGenieo.exe.7 (9352 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\biclient.exe (8184 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp (6501 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\config.ini (154 bytes)
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name:
Product Name:
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 2.0.0.0
File Description: Powered by BetterInstaller
Comments:
Language: Language Neutral

Company Name: Product Name: Product Version: Legal Copyright: Legal Trademarks: Original Filename: Internal Name: File Version: 2.0.0.0File Description: Powered by BetterInstallerComments: Language: Language Neutral

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	28860	29184	4.36907	33e8227bf6edbf3997e3d0895494668e
.data	36864	140	512	0.818223	1b0351714f371c0ba066871d4e504b00
.rdata	40960	3196	3584	3.54441	88a268b1fac88e9fad865c68cf3abce2
.bss	45056	110088	0	0	d41d8cd98f00b204e9800998ecf8427e
.idata	155648	4932	5120	3.53424	11c816edc4ef9cc4aa5511f8a707232b
.ndata	163840	36864	1024	0	0f343b0931126a20f133d67c2b018a3b
.rsrc	200704	17800	17920	3.9497	3b952b6cf19449d255a36efe2cd57cc1

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 3630
7f6d030a23f210ff0f767468fe3edd48
74fc1165f17d69e1205b8624e8b5fbbe
6deaaa49634d4ef6589fa2116f011a45
630e34598c05843fcf78ed9e87504e63
5325e620ec6cbf6918bc19bfc0ca49d0
9874d250393a5ca9bdb584349e6a11d4
99cbf9001892c6af0efad4afa94b2702
45cd604407f0af04cedd17c4d9bbba0d
4cef15098297e7c42991be3e40ad9bcf
192e76e660fabd4c5c4fc6056179fc86
6d6cadeac6ec451c70b3f47c7d794a34
56728519451e2b52f5f62c9fb6691d29
0d785d47b1c82023af9cf11d40f20704
50071def1d19b4a292932e38232d7b33
499a5a244e686961854cc81a6ac2f894
a777b08a4f3bd56dea2185c48cda4393
b18d4cd9c83d89116a7478da7a9d8b01
ca4a7cf7aaf0c145c06d67bb96a61da6
22f9e23fcc1e96fec45133be287a6bd5
6fad99e5944cf70690121a6aa6d64b82
e4e8d08fef9dae512def175605b37b30
330361ffef8a4c4690ec3d5e9acbee1d
15085ef3a04cc8da75e4e88c8e40360f
95d29a753a41d388af981f54013fa0e0
9fd81c119909308d540861e600a43bd3

Network Activity

URLs

URL	IP
hxxp://installer.betterinstaller.com/piratebaymirror/neongenesisevangelionplatinumcollection/da282e2bbb7e4e4483dc4da5b3e19aab?v=2.0&muid=BB240EA4D92FCC6BC5CA46520F398ADC
hxxp://d3fih8vt5tnw32.cloudfront.net/images/Tokyo/tokyoThreeWavesBG.jpg	54.230.99.198
hxxp://d39a6n71ru013w.cloudfront.net/images/Tokyo/tokyo_sprite_full.png	54.230.98.196
hxxp://installer.betterinstaller.com/installer/ajax
hxxp://d3fih8vt5tnw32.cloudfront.net/sponsored/sourceapp/eula-sourceapp.html	54.230.99.198
hxxp://d3fih8vt5tnw32.cloudfront.net/affiliates/eula.html	54.230.99.198
hxxp://d3k2eoekmudqmk.cloudfront.net/affiliates/eula.html	54.230.99.69
hxxp://d3k2eoekmudqmk.cloudfront.net/sponsored/istartsurf/eula-istartsurf.html	54.230.99.69
hxxp://d1p2zvpeuweyai.cloudfront.net/affiliates/piratebaymirror/The_Pirate_Bay_logo.png
hxxp://www.girlliuxiaowei.com/home/smt_istartsurf.exe	208.43.230.100
hxxp://installer.betterinstaller.com/pinger?event_type=offer_shown&installer_source=better_installer&software_type=sponsored&muid=bb240ea4d92fcc6bc5ca46520f398adc&client_uid=da282e2bbb7e4e4483dc4da5b3e19aab&uniqid=f851beeaa9065db1ee91294fc5689b2c&affiliate_id=piratebaymirror&software_id=neongenesisevangelionplatinumcollection&sponsored_id=istartsurf&tokyo_csrf2_key=84803c5219e63d6e8599911dfc4f01e1&tokyo_csrf2_timestamp=1426208469&slot_number=1&index_in_screen=1&index_in_session=1&display_height=68&0.1199777363849811
hxxp://a1049.d.akamai.net/sd?is=sm
hxxp://dpo55t230unug.cloudfront.net/mirror/nerocrossrider/appshat_generic.exe	54.230.99.179
hxxp://s3-1-w.amazonaws.com/partner/gim394750002/release/live/InstallGenieo.exe
hxxp://install-cdn.sourceapp.info/sd?is=sm	212.30.134.169
hxxp://download.genieo.com/partner/gim394750002/release/live/InstallGenieo.exe	54.231.17.33
hxxp://bi.bisrv.com/installer/ajax	78.138.127.15
hxxp://downloadcdn.filebulldog.com/affiliates/piratebaymirror/The_Pirate_Bay_logo.png	54.230.98.79
hxxp://bi.bisrv.com/piratebaymirror/neongenesisevangelionplatinumcollection/da282e2bbb7e4e4483dc4da5b3e19aab?v=2.0&muid=BB240EA4D92FCC6BC5CA46520F398ADC	78.138.127.15
hxxp://bi.bisrv.com/pinger?event_type=offer_shown&installer_source=better_installer&software_type=sponsored&muid=bb240ea4d92fcc6bc5ca46520f398adc&client_uid=da282e2bbb7e4e4483dc4da5b3e19aab&uniqid=f851beeaa9065db1ee91294fc5689b2c&affiliate_id=piratebaymirror&software_id=neongenesisevangelionplatinumcollection&sponsored_id=istartsurf&tokyo_csrf2_key=84803c5219e63d6e8599911dfc4f01e1&tokyo_csrf2_timestamp=1426208469&slot_number=1&index_in_screen=1&index_in_session=1&display_height=68&0.1199777363849811	78.138.127.15
piratebaydownload.co	52.1.146.44

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /sd?is=sm HTTP/1.1

Range: bytes=178497-

User-Agent: Better Installer(Mozilla)

Host: install-cdn.sourceapp.info

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

Pragma: no-cache

Content-Type: application/octet-stream

Server: Microsoft-IIS/7.5

Content-Disposition: attachment; filename=SourceAppSetup.exe

X-AspNet-Version: 4.0.30319

SVR: SP004C2

X-Powered-By: ASP.NET

p3p: CP="CAO PSA OUR"

Cache-Control: private, max-age=86400

Expires: Sat, 14 Mar 2015 01:01:11 GMT

Date: Fri, 13 Mar 2015 01:01:11 GMT

Content-Range: bytes 178497-475991/475992

Content-Length: 297495

Connection: keep-alive

...rcn.{*......@.dI..T....n....._........3.D.r..I..XIPc-..g..V..\r....[..\h.........Q.....,.)[.PIR......aq..?<R~".....H..B&..D1.A.,.d.<.....E...S.......4.u.}.9$!K..q..^..._S.Fb.h.g......f......k.D..ol....".ZB<]......b..>-A....~p;t...p.!Q.gZi[:.c..?....t#1..2c..\.H.T.j.T.W..y.....\V..BTqD..r...b.zd.....s...".k..z../..V.........5Rm.!....tS.4..AI.`R.I.X ........V...g...........8......([3.O.).`5;.X.>[.....rV..4lW..4#.~.1A...h.r..c.*..k~4....W:s.)........../.....5....].F.......P.Q..N....NX[kK.3..,.{...5.g...........7... .WI...b......5..._..i.Q|!...x....o.A~....t....BS0F.........b-0/...,.. ....w.....f....FU...[*,f~#...0..B.o..}....N....H.W.2.T.i.}......e........i.`..../...c............}B*......Mu.......X..9Sq......l'g.....M..........*.W..'E..........Y.....Z_j.@.....|@FM......=....(.f...NDV...f...*....Me..CU}.....NN .r..S...HL.3y.uz...v.L.........F...S.u.. .$0h70..[...9..A..PxCy.w.-!....Yf...8z.....F...4iMt5|.".k.J.P6f......*-/..M]....f..........0.g.C0:1.g...L.2X...g.rs...P........A.v...[<a5..>%..B..0.d...x...]?...ZJ...{e.1..<7......".......".......%......Q....&3..'..<...KP../.....l...iuS......q....i..O.../..Y..q..e.....WN.....[w..,M.'.....2....)U.8...J...`.3.Z.......[.&M...c.P....}6..u...<..sp.hE.H.........4z ...I...w........."q.f..w,B.mu.?...m.P..F~7..J,..p...|.@..T8..B.S;x^...:.=.F..,...5.\..g....O........*....g.../....,.?..Z....Y..u.2E.o;.)q..L.......-^.:i.s.aH..w.f3K~....nz.......2o..S3..R.E. .}&(HKRnB.&$I......}.Y.....Fxx'=.....J..... .._../s....O.. .=7r.N.....~.<.....7.i.^.8y..

<<< skipped >>>

GET /partner/gim394750002/release/live/InstallGenieo.exe HTTP/1.1

User-Agent: Better Installer(Mozilla)

Host: download.genieo.com

Cache-Control: no-cache

HTTP/1.1 200 OK

x-amz-id-2: OmhLswUTpfiVMSdmOyv / L ubjOcIYhUwAc4MvrisZFgTuSX5l0lEeLHU79DTUQHiTu t3IfqE=

x-amz-request-id: F3EE81C1A09E83F7

Date: Fri, 13 Mar 2015 01:01:13 GMT

Last-Modified: Mon, 20 Oct 2014 09:54:42 GMT

ETag: "d65611fbc4da8cea4e886076bec82d1e"

Accept-Ranges: bytes

Content-Type: application/octet-stream

Content-Length: 988408

Server: AmazonS3

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................\..........<2.......p....@..........................................................................s..........P...............`............................................................p...............................text...ZZ.......\.................. ..`.rdata.......p.......`..............@..@.data................r..............@....ndata.......@...........................rsrc...P............v..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H.....>B..H.P.u..u..u...Hr@..B...SV.5.>B..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h.6B.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$...>B...Si.....VW.T.....tO.q.3.;5.>B.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5.>B.r._^[..

<<< skipped >>>

GET /mirror/nerocrossrider/appshat_generic.exe HTTP/1.1

Range: bytes=0-

User-Agent: Better Installer(Mozilla)

Host: dpo55t230unug.cloudfront.net

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 285558

Connection: keep-alive

Date: Sun, 08 Mar 2015 05:10:01 GMT

x-amz-version-id: zdbgB_7owwl7Hq6LIKQBG0yBaPWISKtC

x-amz-meta-s3cmd-attrs: uid:500/gname:www/uname:www/gid:500/mode:33204/mtime:1415096893/atime:1415097003/ctime:1415096894

Cache-Control: max-age=3600

Last-Modified: Tue, 04 Nov 2014 11:01:28 GMT

ETag: "518879abe3170dabd172dfffcd165598"

Accept-Ranges: bytes

Server: AmazonS3

Content-Range: bytes 0-285557/285558

Age: 699

X-Cache: Hit from cloudfront

Via: 1.1 95a477af435073615179b256d8101334.cloudfront.net (CloudFront)

X-Amz-Cf-Id: fU-BDVqbrsIVuEKn7pX3O5cYenKdB6NeUDIM0UQjngGijf5DezUWMg==

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................\..........<2.......p....@..........................................................................s.......@...............................................................................p...............................text...ZZ.......\.................. ..`.rdata.......p.......`..............@..@.data................r..............@....ndata.......@...........................rsrc........@.......v..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H.....>B..H.P.u..u..u...Hr@..B...SV.5.>B..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h.6B.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$...>B...Si.....VW.T.....tO.q.3.;5.>B.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5.>B.r._^[..

<<< skipped >>>

GET /sd?is=sm HTTP/1.1

Range: bytes=297495-

User-Agent: Better Installer(Mozilla)

Host: install-cdn.sourceapp.info

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

Pragma: no-cache

Content-Type: application/octet-stream

Server: Microsoft-IIS/7.5

Content-Disposition: attachment; filename=SourceAppSetup.exe

X-AspNet-Version: 4.0.30319

SVR: SP004C2

X-Powered-By: ASP.NET

p3p: CP="CAO PSA OUR"

Cache-Control: private, max-age=86400

Expires: Sat, 14 Mar 2015 01:01:11 GMT

Date: Fri, 13 Mar 2015 01:01:11 GMT

Content-Range: bytes 297495-475991/475992

Content-Length: 178497

Connection: keep-alive

f.k00. J.b)Q...g0..J1V.m.aC.I...N.=.j...b|.....S.(.A^.Ww&.uW....=>..0..{._J./)6.e..].....R..MVLn....{..5-%......\....d..S......X>e.\..`...%.b..$..Cn....8.PKZ.Z.%..p...\....e=......h.v.h....U`.|...T...O..2.v%.....3Lh0.C.q..~....sO\<..A.....W.....K..=..]V.UT......}..[..e....z...`Mw{....w...|.$l.0Ky..o.X.^.c...Pa.=%,.`q.cT*......K.0..@....z!"....4.q.]...|.%..1.5pB.7.6}..d..O..VoM.W(......b..G.M.u...f.].../C{:..Dg...\...D...b...#k...o.K.Y5...J..3j....}.m._....P...-..d.....}..l..(......@...........;.....,...^.L...(... ..r..2..B...|u.a,.I.K.$.M.. .~.8.P.J.".X... ....v.}.cn...=.\f;I..M..p~.!.^.....l0Bj[.4R...U......n^2\.........A...). ..Ee..y.~..d....wx).....3.........Ke.f....G2].....g.Y..%..f.].>....=:.1...<l..ow...Z.....D{..#.p.."...P../\.IN.(....1.$.d|......xJ.4e.I..~'..Dp....uS.1oW.W$..Y..A..)..%/J..a........0I=..o.4.........>...3......M...9.......@./.n.X..,...7......h......R..w.&'....<..{.#Aw..f.Vg....w.oBT..%.tU(X.4.w. /. E.'..n...!FE1.9\d.h..z...C}T..?..98......1...F. b.).....e....tw...b.*.U.W.d..r..S..c..4.k..M!...........0..R#.M!...jf..... ..q..SK. ...v.VcT'vg.1...:.,....X.Z....0^y...m...r.a8.Z..?w.........q.Y..7@$A=.Ju..v..r....c, ....S.V..j......5.9.....}T;..Xi..&...M.c!t.z..5....|.m. ..'....:.j.b.......:...N.b...OF..M.b.....|R9....m.. 0"!....B.]...CZ.!H..L.F......pA.j...s=.i>.6.2P..y..._\3.0...<...CZt...YL....6...`.rs.-.h3....d..........^.7u......L.{.j._...%.6.......(B2&V.....C;...,e.?..Qp#.F..?`Q...s.m.5..j...7.BH.k.]...>.{l.&..kD...g...*P@v..:kd.....e?..MY....O..5......q..U

<<< skipped >>>

GET /mirror/nerocrossrider/appshat_generic.exe HTTP/1.1

Range: bytes=214170-

User-Agent: Better Installer(Mozilla)

Host: dpo55t230unug.cloudfront.net

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 71388

Connection: keep-alive

Date: Sun, 08 Mar 2015 05:10:01 GMT

x-amz-version-id: zdbgB_7owwl7Hq6LIKQBG0yBaPWISKtC

x-amz-meta-s3cmd-attrs: uid:500/gname:www/uname:www/gid:500/mode:33204/mtime:1415096893/atime:1415097003/ctime:1415096894

Cache-Control: max-age=3600

Last-Modified: Tue, 04 Nov 2014 11:01:28 GMT

ETag: "518879abe3170dabd172dfffcd165598"

Accept-Ranges: bytes

Server: AmazonS3

Content-Range: bytes 214170-285557/285558

Age: 699

X-Cache: Hit from cloudfront

Via: 1.1 c1639d907cade557ebff29e5be78b0b6.cloudfront.net (CloudFront)

X-Amz-Cf-Id: kvsqd3J7qqIgXR-tqXzY_nK07jp_4hvDyE4VbgEs5nko0EreHzZF6w==

a...:X.h0...d...,Q..b:..... <o..^..z.nI...n..b..3........$.#....k..m...L:M..^..b..j.*G.:c'^T... .k..|..?D...c....\..P.}...@.....I.Rcl.au....x.X..7.[.f...!......g...)aT......k.....1..K.....ou74.U..#.k3-...N.......t....u8n.7.c.2..7J... ...h..s......[.V..44.a..<.- .....x..O2oZ*...u.....oY...T..k..r. z'._GC..B.W.9&1......'.~/].2 v~..:f.=.x<0.}.e3F/5..b..<!..H...1)......V~G...7.........A..1VS..s.!6.k.J6...h.o...8..A^.@......l>.[.Z...I..P..................Y..... .I."....s....6d..<F-..[....\]^... C4w>..'j$.qT........J .{..\....X>..............|EU.*................c..Q.<......Mk..%....1c...8.g:...=.d'.R...Im,O.o$..Q.....O..fS43.(...`..........M.s...Rx..[.|:...&.^.....c......)...>.6.C4c".%..O..r.Cg.........|._...9..m.h.6.;.Y.L.~).M..]A\...e.u`...U....s.X....m.....1y|.....k......~..uEi.$...J..pK.:Xt.....z9.bu*...1:.C....`.]..N.oR.....0..(.5U!.*....$.......3t.0..Vd6..H....6.9N,....)T....e.h.."..N6..nUE.......Z..d.........&.....`..1..............b9..K..g..9Md...K...6q.?...MU.GW.c.C..Ppfw..u.{.."..]....wf|k./(BX......V...p>...'.;..(..Q.....9.:...R.v";...zv\;..Ow.2...7.~.IT.D..mu.k.OGw....<U.....x.. ...i.....W.5|w.#....DR.w.}..r......D...^Y..v.... 05...K.:.{..}Q...t.Y......P..#Hl....2........&c.....C.*...D....l...v.K.vD.wC..vK4..W.P.).X.....Z..;V2......,j....q./.q.i..d.........\..F.._a...U....T...m...d.....>....{z.tf.T..%...5.. NF.......).....:.b,..O.Yq.....u/oT<.`.m...1.@...................l.X.l..M.E.|T..mVLY.......C(E.....F...e|...hu.\.\. .....~ ..Fi>..M.;..f.U$..!.&6 Y......s..

<<< skipped >>>

GET /partner/gim394750002/release/live/InstallGenieo.exe HTTP/1.1

Range: bytes=0-

User-Agent: Better Installer(Mozilla)

Host: download.genieo.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

x-amz-id-2: Y5ULIsaIj700HSLzORofHH82Mi5arROrRKvtJLKwb7CGiaJxSZShy/4KgKn/b2yDtDlB5loA9WU=

x-amz-request-id: 65718E8B896215EE

Date: Fri, 13 Mar 2015 01:01:14 GMT

Last-Modified: Mon, 20 Oct 2014 09:54:42 GMT

ETag: "d65611fbc4da8cea4e886076bec82d1e"

Accept-Ranges: bytes

Content-Range: bytes 0-988407/988408

Content-Type: application/octet-stream

Content-Length: 988408

Server: AmazonS3

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................\..........<2.......p....@..........................................................................s..........P...............`............................................................p...............................text...ZZ.......\.................. ..`.rdata.......p.......`..............@..@.data................r..............@....ndata.......@...........................rsrc...P............v..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H.....>B..H.P.u..u..u...Hr@..B...SV.5.>B..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h.6B.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$...>B...Si.....VW.T.....tO.q.3.;5.>B.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5.>B.r._^[..

<<< skipped >>>

GET /home/smt_istartsurf.exe HTTP/1.1

Range: bytes=181500-

User-Agent: Better Installer(Mozilla)

Host: VVV.girlliuxiaowei.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

Server: nginx

Date: Fri, 13 Mar 2015 01:01:10 GMT

Content-Type: application/octet-stream

Content-Length: 108900

Last-Modified: Tue, 10 Mar 2015 01:55:04 GMT

Connection: keep-alive

Expires: Mon, 16 Mar 2015 01:01:10 GMT

Cache-Control: max-age=259200

Content-Range: bytes 181500-290399/290400

ZHH.$.B.CHS...B.ZHI...B.CHT...B.NLB...B.ENU...B.ENA...B.ENL...B.ENC...B.ENB...B.ENI...B.ENJ.t.B.ENZ.\.B.ENS.@.B.ENT.4.B.ENG.(.B.ENU...B.ENU...B.FRB...B.FRC...B.FRL...B.FRS...B.DEA...B.DEC...B.DEL...B.DES...B.ENI.p.B.ITS.d.B.NOR.P.B.NOR.<.B.NON.$.B.PTB...B.ESS...B.ESB...B.ESL...B.ESO...B.ESC...B.ESD...B.ESF...B.ESE.t.B.ESG.`.B.ESH.P.B.ESM.@.B.ESN.,.B.ESI...B.ESA...B.ESZ...B.ESR...B.ESU...B.ESY...B.ESV...B.SVF...B.DES...B.ENG...B.ENU...B.ENU...B.USA...B.GBR...B.CHN.|.B.CZE.t.B.GBR.d.B.GBR.\.B.NLD.P.B.HKG.D.B.NZL.@.B.NZL.4.B.CHN.(.B.CHN...B.PRI...B.SVK...B.ZAF...B.KOR...B.ZAF...B.KOR...B.TTO...B.GBR...B.GBR...B.USA...B.USA.......6...-.........OCP.ACP.Norwegian-Nynorsk...c.c.s...U.T.F.-.8...U.T.F.-.1.6.L.E.....U.N.I.C.O.D.E... Complete Object Locator'... Class Hierarchy Descriptor'.... Base Class Array'.. Base Class Descriptor at (. Type Descriptor'...`local static thread guard'.`managed vector copy constructor iterator'..`vector vbase copy constructor iterator'....`vector copy constructor iterator'..`dynamic atexit destructor for '....`dynamic initializer for '..`eh vector vbase copy constructor iterator'.`eh vector copy constructor iterator'...`managed vector destructor iterator'....`managed vector constructor iterator'...`placement delete[] closure'....`placement delete closure'..`omni callsig'.. delete[]... new[]..`local vftable constructor closure'.`local vftable'.`RTTI...`EH.`udt returning'.`copy constructor closure'..`eh vector vbase constructor iterator'..`eh vector destructor iterator'.`eh vector constr

<<< skipped >>>

GET /home/smt_istartsurf.exe HTTP/1.1

User-Agent: Better Installer(Mozilla)

Host: VVV.girlliuxiaowei.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx

Date: Fri, 13 Mar 2015 01:01:10 GMT

Content-Type: application/octet-stream

Content-Length: 290400

Last-Modified: Tue, 10 Mar 2015 01:55:04 GMT

Connection: keep-alive

Expires: Mon, 16 Mar 2015 01:01:10 GMT

Cache-Control: max-age=259200

Accept-Ranges: bytes

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......M.C...-R..-R..-R...R..-R...R6.-R...R..-R...R..-R...R..-R..,Rt.-R...R..-R.E.R..-R...R..-RRich..-R........PE..L....<.T............................ 8............@.......................................@.................................08.......................R..`....p..L...`...............................h...@............................................text...#........................... ..`.rdata..f...........................@..@.data...$K...P...*...2..............@....rsrc................\..............@..@.reloc.../...p...0..."..............@..B........................................................................................................................................................................................................................................................................................................................................................U..3.j.P.u..F......F......>.....]...U......V..M..;...i..... .;E.s..E..M..I....s..M.S... ]... M.;.w.h..B..b....M. E..M..E.;.s.j.Q...'....]..F.;.tR...r..........r........u....M....E.QP.........{..r....~..r........u...SP.B(........U.j.[;U.wG;.r.......;.r.......RQ..P......F....;.r.......;.r........u....M....E..F;.r.......;.r........u....M...Q..P.d....F....;.r.......;.r........u...QP.>....M.....~...N.[r.................h..B..p....U..Q.}...M.u.;A.viS.Y.VW;.sY .9].wR3.B U....y..r......M....SQ.E.P.&.M..}..

<<< skipped >>>

GET /mirror/nerocrossrider/appshat_generic.exe HTTP/1.1

Range: bytes=142780-

User-Agent: Better Installer(Mozilla)

Host: dpo55t230unug.cloudfront.net

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 142778

Connection: keep-alive

Date: Sun, 08 Mar 2015 05:10:01 GMT

x-amz-version-id: zdbgB_7owwl7Hq6LIKQBG0yBaPWISKtC

x-amz-meta-s3cmd-attrs: uid:500/gname:www/uname:www/gid:500/mode:33204/mtime:1415096893/atime:1415097003/ctime:1415096894

Cache-Control: max-age=3600

Last-Modified: Tue, 04 Nov 2014 11:01:28 GMT

ETag: "518879abe3170dabd172dfffcd165598"

Accept-Ranges: bytes

Server: AmazonS3

Content-Range: bytes 142780-285557/285558

Age: 699

X-Cache: Hit from cloudfront

Via: 1.1 5f32e0f17e78c0bfe70226dd05074c92.cloudfront.net (CloudFront)

X-Amz-Cf-Id: iii6CV_ytH9oiFgHkIgrrRBVCGRJLq8R5ABuDlUVCIl1lXTKaYlBsg==

..<......O.. ..o...U ...h..y.O..X..C............2.[..,..."m...~b..........V:...!.......;n .f.P..i?.|...B..w..?5w{...z9.].8*..3..(x...z/E_...oz...#.".2:...z-.&ng...&y.......H|.q$...Y.....G..M..E.*N...&..z...U.`....t.?T5.m..<.<...BK..nY_#[....YI?.4...!h.Y..>.....c.M....F..j..Ht7.gN...z..(..l..\u.~...].Ub...M!..<{.P.M.MM.ne?..<.:....O.,=.h.....Z.b.........Y....R.s.e.I).i..fpk.j.O0........].2|.0.C``.......m_z.=W..^...C:............Q...xbR.....t...eF.V.....aR..2o..w.>..r!U......Xs%.Wm.&.LbX0{.P........@..\w.......>.../.bW........X....^e8......Lq...[.3a...n*..........2..!c_ .......{...Z.lf...z..o...~*..l....G..2.w.8.#.*........DH..-df.].....kr........_..@..g...'k.... ....m.=....X..J........e.... .R.7.........!..\..C..G/./..y..*=.......,..V..f.%....LF.|......T..g..fPs.............-6.".l.t 5..'B.....=.}K.9.%.j.1..J.\u&...mg!..Y(...U./?q=B{.z..Q...>....<..B.|keIL.c;........N....n....*K...F..~.5.2......K...'n..,&rt...N.G.59.]k....N..3....P...)......M w..........6.G.2T......L...B0.#.R....5..,.N..|#..%.lN...9.j...j.2x....R....Mh..-...D.2...l....*....9c..m.9.e....].j....a.2.7...\....E.Biu.Bf....a..Oh..r... ...(2n..7BD7.D/........D...T..*.q...u.J..4...v...I..u.Wr......*.......b....`..L@.CI.......1@...zrR..Z..Um....Z.D>\..........3C.b.._XI.[s..t.......].R..p.=.&E..Z4<....z...=..%.Y..>..CF.,]tp..C.iV..z.dh.pI?c\7..4!2..^.M....GDiK..*.=...!.?.......H.......)]...(..@..(..{..E^yVP ......%M,..O...S2........d^....T..VE.....j.y.......}..GqN....E7rG{.E.....y...N/.WG..,...QV.GC.m.gY..........4...

<<< skipped >>>

GET /home/smt_istartsurf.exe HTTP/1.1

Range: bytes=72600-

User-Agent: Better Installer(Mozilla)

Host: VVV.girlliuxiaowei.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

Server: nginx

Date: Fri, 13 Mar 2015 01:01:10 GMT

Content-Type: application/octet-stream

Content-Length: 217800

Last-Modified: Tue, 10 Mar 2015 01:55:04 GMT

Connection: keep-alive

Expires: Mon, 16 Mar 2015 01:01:10 GMT

Cache-Control: max-age=259200

Content-Range: bytes 72600-290399/290400

.....^]...U...u.j..u..u..u..o......]...U...E.S.].f.;.W..tC...f..t9.. ..M.f..t....f..t .... .u....f9..u.f.9.t..........f..u.3._[].......U...U.VW..t..}...u...1..j.^.0.gl.....3.E...u....... ......@..t.Ou...u......1..j"Y......3._^]...U..V.u.W..t..}...u..|1..j.^.0..l...._^]..M...u.3.f......f.:.t....Ou...t. ....f......f..t.Ou.3...u.f...*1..j"Y........U..V.u.W..t..}...u...1..j.^.0..k...._^]..E...u.f...... ....f......f..t.Ou.3...u.f....0..j"Y......j.h..C......3..}.3..u.;....;.u...0.........%k..........V.....Y.}..F.@uoV.....Y...t....t...................C.....YC..A$.u)...t....t.................C.....YC..@$.t...0..........j...M..9}.u..N.x......A....V.N...Y.E..E...........E..i.....u.V.d...Y.j.h..C......3..}.3..u.;....;.u.../.........1j..........V.....Y.}..F.@uoV.....Y...t....t...................C.....YC..A$.u)...t....t.................C.....YC..@$.t..#/..........i...M..9}.u!.N.x....E..........V.u..`Z..YY.E..E...........E..m.....u.V.h...Y...U..SV.u.W....F.@uoV.....Y..YC.;.t....t...................C......A$.u%;.t....t.................C......@$.t..]...........h...._^[]..].;.t..F...u...y...u..~..u.V.w...Y..;F.u..~..u.@.....F.@..t.8.t.@.......F..F........F...%......j.h0.C..-...3.9E......u...-.........Yh......,.u......Y.e...u..u......YY.E..E...........E.. .....u......Y...U..j.j..u.........]...U.... SW3.j.3.Y.}..]...9].u..I-..........g......i.E.;.t.V.u..E..u..E..u..E.P.E.B....E..............M...x..E....E....E.PS.ZX..YY.M.x..E......E.PS.BX..YY..^_[....U...u.j..u..u..K......]..@RC... .C.Vj.^..u........;.}.... .C.j.P.W ..YY...C...u.

<<< skipped >>>

GET /images/Tokyo/tokyoThreeWavesBG.jpg HTTP/1.1

Accept: */*

Referer: hXXp://bi.bisrv.com/piratebaymirror/neongenesisevangelionplatinumcollection/da282e2bbb7e4e4483dc4da5b3e19aab?v=2.0&muid=BB240EA4D92FCC6BC5CA46520F398ADC

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: d3fih8vt5tnw32.cloudfront.net

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/jpeg

Content-Length: 15368

Connection: keep-alive

Server: nginx

Date: Tue, 10 Mar 2015 15:26:31 GMT

Last-Modified: Tue, 10 Mar 2015 13:40:32 GMT

ETag: "54fef450-3c08"

Expires: Tue, 10 Mar 2015 15:36:31 GMT

Cache-Control: max-age=600

Accept-Ranges: bytes

X-Cache: RefreshHit from cloudfront

Via: 1.1 95a477af435073615179b256d8101334.cloudfront.net (CloudFront)

X-Amz-Cf-Id: Ec0jRv_InmseArx5n6HF4Eu6dCNsnsi6s8E-uOAQBixQMKZmVXHOHA==

......Exif..II*.................Ducky.......2.....mhXXp://ns.adobe.com/xap/1.0/.<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="http://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:20C8E87541DAE111B4BB9504935C1EDB" xmpMM:DocumentID="xmp.did:9221A174EAAF11E18FF38F26F77384E1" xmpMM:InstanceID="xmp.iid:9221A173EAAF11E18FF38F26F77384E1" xmp:CreatorTool="Adobe Photoshop CS5 Windows"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:5CE23EFD5CE7E11188929FF0DC9AD62D" stRef:documentID="xmp.did:20C8E87541DAE111B4BB9504935C1EDB"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>....Adobe.d...........................................................#"""#''''''''''..................................................!! !!''''''''''........D.."......................................................................................!1.AQ.aq.."2...BRb#....r.....3c$CSs.....Dt....4...6.......................!1.AQaq..."2...BR#...r..b.3...S4T..............?............................@...... ........B.....V@.. ..U.^R...Y......8.M.O@9....Yk.6Fq.'............)...........b...........................B.....................2.......FR0 ....%l...6

<<< skipped >>>

GET /sponsored/sourceapp/eula-sourceapp.html HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*

Referer: hXXp://bi.bisrv.com/piratebaymirror/neongenesisevangelionplatinumcollection/da282e2bbb7e4e4483dc4da5b3e19aab?v=2.0&muid=BB240EA4D92FCC6BC5CA46520F398ADC

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: d3fih8vt5tnw32.cloudfront.net

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: text/html

Transfer-Encoding: chunked

Connection: keep-alive

Server: nginx

Date: Sun, 08 Mar 2015 06:44:47 GMT

Last-Modified: Sun, 02 Nov 2014 08:13:44 GMT

Expires: Sun, 08 Mar 2015 06:54:47 GMT

Cache-Control: max-age=600

Content-Encoding: gzip

Vary: Accept-Encoding

X-Cache: RefreshHit from cloudfront

Via: 1.1 95a477af435073615179b256d8101334.cloudfront.net (CloudFront)

X-Amz-Cf-Id: rXLp9U6SDUNyb5mma7HQOQbZh5oaQs0Jq3pz6MA3Rf4TGNzxE97zqQ==

36ec.............}.r....sU..C..cLE."U.m[. ."A.6I...d..#.$IT.H..Q..........Yk.}....|..vtGQ@..........=...>^....tR\].=...{.....?9>>....z?.8/^..,..r........../.....j...........zqw<....X..c..p...h..........t2[.~.0.~......lU..|....jU...r..V..[.n......a.z.T..q^.~oU}^...K~..M=z....7.zR/^......;~4-.w.......p?^U..y9.^..z1-'..........O_...N.......u...............wz%'b ..p..a9............)?-..an....^....r.....5s~:.g..N......;...o.....G..c....5.x...j=)...a.....i_....v..-./......n_./...w......E..?h..w........=.|h..........t..Y....A..{.....O....A.{.?(>.....x'...x.e.....z-~..}P.......>..........>>.\`..3|......6..k.;.....o.;.......Q....8~....dS-....U..V..xV.....=...8..|<.f..h.-.jZ.V........(.EU...H..,..zV....E.^/.Uk>...b........A..P.....[/1....L.;...#M.kL..0.5&.,.......X.......c.X._xw1.OA.#.......%.mR.6..TeS.Y..\...]=p.6...s....^...;.....?U...u...|9.X.W...r.X\...../.?....b^/JN.?[T..... |..j3..r...r<)o.....IBf.},......>....<.0..#-.s.._U.0..x9......d=....\.....r6...... l..g.....N.........k.....^d.....\...XK|...pF8...Jk......ZL.9......Z....|.....r...N....' <..,k..A.H.h...CQ......jt.....C./.rR.q.....S.......@.X......W...rj..Q....M..tz...ed...$<y...... ....|X.....Z.w...2H.c..4...).......... l3F.o3.,....qVc...Z.SmP....02&.....Y.j...s.bR...(.. ...;..K.lb(g.z.Z.G.a....`>...1......K2.../.hg.....9e...H.gU.Zc.,z......2f.........7..R.AYX.'.....`.I...B..4p.......x..@.\..5U..x.......*..z.=r.6.'.s\H.9.!.N.;......g....gq.O.. .Y......[.X%........ L.........9..E..............`.I1.F.......0|.h...".

<<< skipped >>>

GET /home/smt_istartsurf.exe HTTP/1.1

Range: bytes=217800-

User-Agent: Better Installer(Mozilla)

Host: VVV.girlliuxiaowei.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

Server: nginx

Date: Fri, 13 Mar 2015 01:01:10 GMT

Content-Type: application/octet-stream

Content-Length: 72600

Last-Modified: Tue, 10 Mar 2015 01:55:04 GMT

Connection: keep-alive

Expires: Mon, 16 Mar 2015 01:01:10 GMT

Cache-Control: max-age=259200

Content-Range: bytes 217800-290399/290400

....................h.u.........................................t.w.....................................z.h.........................................d.e.....................................d.e.........................................a.t.....................................d.e.........................................a.u.....................................e.n.........................................i.t.....................................i.t.........................................e.g.....................................a.r.........................................r.o.....................................r.o.........................................s.a.....................................a.r.........................................d.k.....................................d.a.........................................m.a.....................................a.r......................................D..m.y.....................................e.n.....................................U...m.m.....................................m.m.........................................p.t.....................................p.t.........................................f.r.....................................f.r...........................................................................................................B......?AV?$_Node_str@D@tr1@std@@.......B......?AV?$_Node_class@DV?$regex_traits@D@tr1@std@@@tr1@std@@......B......?AVcodecvt_base@std@@....B......?AV?$codecvt@DDH@std@@...B......?AUIHttpNegotiate@@......B......?AUIServiceProvider

<<< skipped >>>

GET /home/smt_istartsurf.exe HTTP/1.1

Range: bytes=145200-

User-Agent: Better Installer(Mozilla)

Host: VVV.girlliuxiaowei.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

Server: nginx

Date: Fri, 13 Mar 2015 01:01:10 GMT

Content-Type: application/octet-stream

Content-Length: 145200

Last-Modified: Tue, 10 Mar 2015 01:55:04 GMT

Connection: keep-alive

Expires: Mon, 16 Mar 2015 01:01:10 GMT

Cache-Control: max-age=259200

Content-Range: bytes 145200-290399/290400

.......}..t...'....]...U...E..h.C.]...............U...M..MZ..f9.t.3.]..A<...8PE..u.3......f9H......]..............U...E..H<....A.SV..q.3.W.D....t..}..H.;.r..X...;.r.B..(;.r.3._^[]...............U..j.h.$C.h..A.d.....P...SVW.tVC.1E.3.P.E.d......e..E.....h..@..*........tT.E.-..@.Ph..@..P........t:.@$.........E......M.d......Y_^[..]..E...3..9...........e..E.....3..M.d......Y_^[..]...U....$.tVC.3..E..E.S.E..E.VW.E...p...e...=l.C...E.u}h4.B...T.B............= .B.h(.B.S...........5..B.P..h..B.S.l.C...P..h..B.S.p.C...P..h..B.S.t.C...P...|.C...t.h..B.S..P...x.C..x.C..M..5..B.;.tG9.|.C.t?P...5|.C.........t,..t(....t..M.Qj..M.Qj.P....t..E..u..M... ..3.p.C.;E.t)P....t"...E...t..t.C.;E.t.P....t..u....E..5l.C.....t..u..u..u..u.....3..M._^3.[.........U...E.f.....f..u. E...H]...U...M...x....~....u...{C.]...{C....{C.].............;N.....]...U......tVC.3..E..E....@.SVW.=|.B.3.VV.u..E..u......M.;.u.3......~Ej.3.X.....r9.D..=....w........;.t............P.....Y;.t..............3.;.t..u.S.u..u.....t VV9u.u.VV...u..u.j.SV.u...<.B...S.....Y...e._^[.M.3..W.......U......u..M.......u..E..u..u..u.P.........}..t..M..ap.............U..SVWUj.j.h.GB..u...O..]_^[..]..L$..A..........t2.D$..H.3......U.h..P(R.P$R........].D$..T$.........SVW.D$.UPj.h.GB.d.5.....tVC.3.P.D$.d......D$(.X..p....t:.|$,.t.;t$,v-.4v....L$..H..|...u.h.....D...I....D..._......L$.d........._^[.3.d.......y..GB.u..Q..R.9Q.u.......SQ..bC...SQ..bC..L$..K..C..k.UQPXY]Y[........U...E.VW..xY;...C.sQ...........<...C.......<..u5.=.TC..S.].u....t.Ht.Hu.Sj...Sj...Sj....

<<< skipped >>>

GET /images/Tokyo/tokyo_sprite_full.png HTTP/1.1

Accept: */*

Referer: hXXp://bi.bisrv.com/piratebaymirror/neongenesisevangelionplatinumcollection/da282e2bbb7e4e4483dc4da5b3e19aab?v=2.0&muid=BB240EA4D92FCC6BC5CA46520F398ADC

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: d39a6n71ru013w.cloudfront.net

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/png

Content-Length: 26401

Connection: keep-alive

Server: nginx

Date: Tue, 10 Mar 2015 13:50:19 GMT

Last-Modified: Tue, 10 Mar 2015 13:40:32 GMT

ETag: "54fef450-6721"

Expires: Tue, 10 Mar 2015 14:00:19 GMT

Cache-Control: max-age=600

Accept-Ranges: bytes

Age: 59

X-Cache: Hit from cloudfront

Via: 1.1 9d3cc62eeee5c3d8d5e74dc52327bf12.cloudfront.net (CloudFront)

X-Amz-Cf-Id: 4Um8bl3UQAgq82s0pR0RknNSh9ALTAp8voXujwLceI-Eyn5h4VqMkQ==

.PNG........IHDR...............-)....tEXtSoftware.Adobe ImageReadyq.e<..."iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:080CC8DDBD6511E3B018CC780203A0F9" xmpMM:DocumentID="xmp.did:080CC8DEBD6511E3B018CC780203A0F9"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:080CC8DBBD6511E3B018CC780203A0F9" stRef:documentID="xmp.did:080CC8DCBD6511E3B018CC780203A0F9"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>..!C..c.IDATx......G}.....9....,....;...Mx.1..!.l...`............{..%.q...o..qp ...1.flA0..E.d......vW..W/S..3..IgF:....5=..=}..3....._.B>......!...%.....RJr....e...m......M...uW*..v..j.J.b.~.w.7QI/....{.@...)]....}.Ugf......eM.u..].N."c%.,.V...;.5..}.v.......A...l>.;.>O....Lo..ku^......3.8....x./M.G]5y.(P....p...X..^.z.....R._ ..m..u/|.......:D.Z....\........;\....k.....|x>7\."....RLi.$.%ZWo\......o.]]q...|.r.......Y.3.mal...d{{..W.....fQ.-.......j5..e.....6............k(......b^k.....|miA....A$..(;o.??D.p.S5S'..KW.......=....>..H..f.5....N.t...6 .......0w.0.`.......x.y....S{.

<<< skipped >>>

GET /partner/gim394750002/release/live/InstallGenieo.exe HTTP/1.1

Range: bytes=247102-

User-Agent: Better Installer(Mozilla)

Host: download.genieo.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

x-amz-id-2: mIIbQquEwYDXE0otso5JbZMpXv1pljmqYBV08yJHLzxQeiWmfiFqOtfA5FPaJlEyg4KhE2vvMyU=

x-amz-request-id: 3A4FBC598373E204

Date: Fri, 13 Mar 2015 01:01:14 GMT

Last-Modified: Mon, 20 Oct 2014 09:54:42 GMT

ETag: "d65611fbc4da8cea4e886076bec82d1e"

Accept-Ranges: bytes

Content-Range: bytes 247102-988407/988408

Content-Type: application/octet-stream

Content-Length: 741306

Server: AmazonS3

-s...R.... .e.>7........... )..51.n4..@..)....ck.../.01-. Z?L....k....O..<2Ma....7..r.2....j....O.".A......dK..&G..Hj6.(.P....ZxVA.>...Sr.l:.86....6bq.....>.d-p~R{..jI.L..M. .8O....q..[..J4...T..l.....m.......)e.C..A....I,cPy2|.."-...".M.O..v...=Q......|.......'..Z..I}....Dw.....f.i...m.~.o..H'.j.....&.agE.`._`.>...[.:O...^4......3...7.{.a@.m...9..bH...<......BY..4C.}..Qf.'(.....rRf?...q.=|....|....[........E..Gu...oD2 ...E/....2$..k......o......E.. h.....s7..ouq...N..".o.....L.....%.8-...zG.._.|.B{.e(w.iy.....ALA.}.,.cf1%ZE-.U.....oa.F.~|o.":,.N.s...N.^x....GT..(.!..oy'.N..?.L....7...)..f1nS.P.6....._v......._)S......`....qe0.d.DI............sq..su...{j..Y..'...;..6.{..@..Os3p4T8.z...8....L.Q.F...H../...b...(..k._..z.a...f...0......}.......P.|-.3.g...<.,w=P.tk_$..p..\,...K..*..........S.....l&..^C.q.J...OD...$..T..x...`........:Ea#"...fv....p.u.YWE.........m..E...CV....=sR...=W.DC..jQ..o.74;9 .5y^.H&f.3..|X.......w. ..^./E...X..lC.|.hR.. ...._Jr..v...E..X~.D.Q.......5.>...A..v ...a~=..F ..{a"....yj F..].n......=1H<.Z...n}.1.;.!7U3..........G..N...T......A.........m .....PcC\Cek.w.........J.a....{*.>.u..]9.....2K.}.G@........$-H....=9....f&f..6l...M...u ..k.N).O..8J.~........i ..`5.........r..g`..../...E.....R...P......l$r.GTJ...\...v9..Y.D.!&e..aq...)%.'.[.....Pgx..../.PQ..yv..D...#...m.|P!.l..s.$.q&=..d6T.jQ...]d....7c ...ll.s...X..`T.(Da.P..b..!....A>..n."..H.....Rrc...C.T..J]Jx\*.....l...q2..q...R......?9..4l.....F..3`{..x.`..d^.g............C..t.G.'xdA>y...m....m~..."..~

<<< skipped >>>

GET /sd?is=sm HTTP/1.1

User-Agent: Better Installer(Mozilla)

Host: install-cdn.sourceapp.info

Cache-Control: no-cache

HTTP/1.1 200 OK

Pragma: no-cache

Content-Type: application/octet-stream

Server: Microsoft-IIS/7.5

Content-Disposition: attachment; filename=SourceAppSetup.exe

X-AspNet-Version: 4.0.30319

SVR: SP004C2

X-Powered-By: ASP.NET

p3p: CP="CAO PSA OUR"

Content-Length: 475992

Cache-Control: private, max-age=86400

Expires: Sat, 14 Mar 2015 01:01:11 GMT

Date: Fri, 13 Mar 2015 01:01:11 GMT

Connection: keep-alive

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................Z....... ...0.......p....@.................................$S.......................................s.......p..............h*...............................................................p...............................text....X.......Z.................. ..`.rdata.......p.......^..............@..@.data...x............p..............@....ndata.......p...........................rsrc........p.......t..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H.....nD..H.P.u..u..u...Hr@..B...SV.5.nD..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h..D.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$...nD...Si.. ..VW.T.....tO.q.3.;5.nD.sB..i.. ...D.......t.G.....t...O..t .....u...3....3...F.. ..;5.nD.r._^[...U..QQ.U.SV..i.. .

<<< skipped >>>

GET /sd?is=sm HTTP/1.1

Range: bytes=356994-

User-Agent: Better Installer(Mozilla)

Host: install-cdn.sourceapp.info

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

Pragma: no-cache

Content-Type: application/octet-stream

Server: Microsoft-IIS/7.5

Content-Disposition: attachment; filename=SourceAppSetup.exe

X-AspNet-Version: 4.0.30319

SVR: SP004C2

X-Powered-By: ASP.NET

p3p: CP="CAO PSA OUR"

Cache-Control: private, max-age=86400

Expires: Sat, 14 Mar 2015 01:01:11 GMT

Date: Fri, 13 Mar 2015 01:01:11 GMT

Content-Range: bytes 356994-475991/475992

Content-Length: 118998

Connection: keep-alive

....j..bY-?..xx.J.s.:wN.-.UD..2.Z..6..g..R.H.......v*....->..f..yn..y... ..~..t9...'J..i..Yy... ..i.//L..'....X.....{.I..../jK.m.Gd......X.....sJ.(".(.5J.. $.,....W..kj.B..V4H....CW..R..D.y.....)/./.x......v..#.....s....Y.<.w.D&.w..N...>fZ.f.#GF...(&.....-.....Ep..b....e1....3.....n.T..'y....t.x.@@l...3..<..%...j......Y.{33.q.^..F..X.z.TU.......|...2...R....H....M[Vs#_6... ..n@]....m<^....e.......<n. (n....w.)..1K.0.u.s....;.....u]...._.}:-.C...H..[!.%.......J7.#..*i.y.9.B..s....%e......2.K...=w.......U6....i....u.v.1...)..[y...M'vHG.^H^93.<1bifU].._b.U.8k..W.m.........}%s.V..]H.Z&c...4g........J...M.....\...[...|...Q.5]..L..!.M'B..F..8..=V..p.."9X@.HDa.,.2...S....%CN.jE.].../..h.M#...\k.y..Rt..[F..&}..].95.?.@ .........&....1ul.3 ....X..3..._......P.G.l..*".M....}.. O. ..fb~;)...sXm..<.".*.|Q.vZ.,...M..M....8..Q...t.gE....@.....Y..Oo...I.....\..C......Jl.... #.z....1.EA...R).u..d.!=..|...L..|9......:....D.a.i....m..>.....S...........P(.e>.,..LI.M.U.C........'?W7..$....R...8...g66..}..74..H.r.{..5..K@vGx.~.:&e.......=.~...].2,.5..r.......9Dy.pD.....%P.J..s....9b.E..(.......].......g.'F*....~..7/....8....C.kg."`;......B.,E..E.(.!.w.hN...H;.....n...DQLK.......n.Z..]..Oz.\xW...`._.I...h.9c$t....x...~.J.".%j..5.....E.#..G.H.b.......>..i5...H.;=B...t*5.pXZ...;...x......od.C.<'n ..V0T.[%..f....N8....e....O....X..........h. ..PDJ9. .l....3....;t.....44..A.Ss5....m,.yk..1qX.m..|..a..:i.....a..H.....V.OPi..........:?fN........c.....q.X.c....5.3....i.$f...T4.W=....Q...hb.....{p.C.._1..

<<< skipped >>>

GET /partner/gim394750002/release/live/InstallGenieo.exe HTTP/1.1

Range: bytes=123551-

User-Agent: Better Installer(Mozilla)

Host: download.genieo.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

x-amz-id-2: UR jPMoB20rNAlRZOtN6q1JCsozx4Buz3j5AKlcz VhniI3DErqU3gjW9VVEYG FbYWHQwSgOgo=

x-amz-request-id: 761BAF852748A891

Date: Fri, 13 Mar 2015 01:01:14 GMT

Last-Modified: Mon, 20 Oct 2014 09:54:42 GMT

ETag: "d65611fbc4da8cea4e886076bec82d1e"

Accept-Ranges: bytes

Content-Range: bytes 123551-988407/988408

Content-Type: application/octet-stream

Content-Length: 864857

Server: AmazonS3

.[J.w...qYt\M.Fz.4.*.......o.....1K.pE..2....CpY%...~45...'...E...o.$....H.h..;o.r.~.98....'...Y.E........r.....C....'!^....i.=.*.(..........."...s...v..u..-."...Nm2\..t..@K9...ao.L..78.n.c.1>.-..\....I....z.n?.......2...^..?/...a'..".A...D6P....Q.F....<.B6.a<{\..1V..' ...3/...a.*..MkJ.....$ ...=b.z..5...#..O.W......^O..K...s....>..6.f!<.S.{. '..Ich...h...f...8<\<`..ff.Y;.<=......:E.f|.Aj..*nN/....[.S.l.....U....\........k....#p........>.Nvg....c..Q.....k...p..q....;..<.....l..<..\y....{...fH...F..... [....B...Y.'..T..w.a..9.....cCW.'S.k.......7.CY.t.....(.)IX...W...........T.......M/.......uzfBNU.y.....s...W,&.>B....{E...^.v...%<...R...w........<.E=c.. 3.....5...V...U....W@...s..%..M]~...&..@..w.s.6#R..X2X.5uUZ.Q......tM.k.u.O.....G.Vz...,.JZ&J.'..fBE.M..@....F....8.....P..mN...t..j.61Luq.....l...@f.X..=v.....s;.Y...Zfy..e..m.G..0..i=.Y.$..ok...I .V...,.A...K.gB..c..,.AEfS\....;.9.J..{//>.x_.t5i.6k}....I......I....R.......O..d..Y6eD.kG.Aj..,.....u...2Be....WRU?.36...9..N....l;.m..y....\......g.m'.Q..%f.#../......Yoe.......j."&.-.WB..'W.J|2..R^p\.2}.S^.[j.3..3M.d..}1....}.X;[..f?o.h..W...[N..Q.P.JI...fc...E..bkhW.;&.f..........AY.p...t.....3UP.^-'G..7.e.nL .!i\q{...M.'..=.K&.-..!.9<......p.bhX.......[Tz1.k..n.QD.....>F..$.$9x.Q..f.e_.0...j.<...d.Y..MKL......8.;h.w.g...Q.{q..B..f4.O...hk.bf;.[)..._...DE8C.(I/..*..z.:.....s.#O...[)(.lA.zC...b}..P.S.X..o....Z..0.....Y.$....mu..C...J..p....I.s~z..Kr...Y..c:....Y..a.....z%. 7L...8t^..w..d..df...Yt...9.......Ru...

<<< skipped >>>

GET /home/smt_istartsurf.exe HTTP/1.1

Range: bytes=108900-

User-Agent: Better Installer(Mozilla)

Host: VVV.girlliuxiaowei.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

Server: nginx

Date: Fri, 13 Mar 2015 01:01:10 GMT

Content-Type: application/octet-stream

Content-Length: 181500

Last-Modified: Tue, 10 Mar 2015 01:55:04 GMT

Connection: keep-alive

Expires: Mon, 16 Mar 2015 01:01:10 GMT

Cache-Control: max-age=259200

Content-Range: bytes 108900-290399/290400

.......pl..u.j .....Y...%....j...2..Y.e...5.XC...lV.Y...YY.E..E............j...1..Y.u..j.....B....d.B......V.5.XC...h.B.....u..5..C.....B...V.5.XC...l.B...^...XC....t.P.5..C.....B......XC....XC....t.P..p.B....XC...-0..j.h."C......hh.B.....B..u..F\..B..f..3.G.~..~p......C..K...C.Fh.\C.j...1..Y.e...vh....B..E......>...j...0..Y.}..E..Fl..u...XC..Fl.vl.....Y.E................3.G.u.j.../..Y.j.../..Y...VW..d.B..5.XC..............uNh....j........YY..t:V.5.XC..5..C.....B.....t.j.V.....YY..x.B..N......V..f..Y3.W..t.B._..^...V.........u.j......Y..^.j.h."C.......u..........F$..t.P..e..Y.F,..t.P..e..Y.F4..t.P..e..Y.F<..t.P..e..Y.F@..t.P.|e..Y.FD..t.P.ne..Y.FH..t.P.`e..Y.F\=..B.t.P.Oe..Yj.../..Y.e...~h..t.W..`.B...u....\C.t.W."e..Y.E......W...j..L/..Y.E......~l..t#W.....Y;=.XC.t....XC.t..?.u.W.*...Y.E..........V..d..Y.........u.j......Y..u.j......Y...Whh.B.....B.....u..4...3._.V.5 .B.h..B.W..h..B.W...C...h..B.W...C...h..B.W...C....=..C...5l.B....C.t..=..C..t..=..C..t...u$.h.B....C..p.B.....C...A..5..C....C...d.B...XC...........5..C.P................5..C..5..B....5..C....C....5..C....C....5..C....C......C..c,....tc.=..B.h..A..5..C.......XC....tDh....j........YY..t0V.5.XC..5..C.......t.j.V.,...YY..x.B..N....3.@.......3.^_...U.........tVC.3..E..}...E.SVW.}...x...........t....h......|.....Q.u..u.P............ub..d.B...zuxVV.u..u...x.............p.....tXFVP.*.....YY..tH..p.....t...S.u..u...x....l..........t.j.V.......3.YY;.u!9.t...t.S.Tb..Y....M._^3.[..Z.....N.QSVP.Gi.......u.9.t...t.S. b..Y3...WWWWW......}..uH.5|.B.3.PP.u

<<< skipped >>>

GET /sd?is=sm HTTP/1.1

Range: bytes=59499-

User-Agent: Better Installer(Mozilla)

Host: install-cdn.sourceapp.info

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

Pragma: no-cache

Content-Type: application/octet-stream

Server: Microsoft-IIS/7.5

Content-Disposition: attachment; filename=SourceAppSetup.exe

X-AspNet-Version: 4.0.30319

SVR: SP004C2

X-Powered-By: ASP.NET

p3p: CP="CAO PSA OUR"

Cache-Control: private, max-age=86400

Expires: Sat, 14 Mar 2015 01:01:11 GMT

Date: Fri, 13 Mar 2015 01:01:11 GMT

Content-Range: bytes 59499-475991/475992

Content-Length: 416493

Connection: keep-alive

...3l. ....i;....51...6E..Q.o7.9.<~...&o.`7D..z......7.y.lp........3.`1...96X...f...g@.').%..q.[..S/.....E...%../ ..;!cc.=r.s?..J...{R%..0<q].$...b.......Yn..A~'.fx..71....L..7.....j.^.l]b..#&O<6.pV\m{"".y..Y...0.f ...B.._h.T..6..O.<......NJ..{il.....9.~........%...._x!.@..c..m.Ht....j.y..Ay...]............F.;._.... .[......}g&.1....SU.....4VU..i....g...S&YX...Hx.....}c..;..j.m.(........'.).wZ..0.j..J.........C...=..^W...............Z..rN..?.,.{..C......3:..G.rQ...Z$..?.3m3L.......eY.k..x.{i.........e5..t.%~8...8.........N.l..!.j*.,....B..C...s......L.. X.#...4..&.;..?...0..z.3..9i.o.'....17)0o........8........].. 2dt.]=,9..{......&.W(..r..9,...F...z].J.L...~......l.x.*G....)b.Ej.....Mc.H]....k.;.....2.V...t.......x(Z.*gE.e.2....s.}........W..?...X....?~7..bY.?..&p.I......O..~y..../....U....qP..v/..@.....p2..G.0...Z...r..k.......z..0.Âº.0....ldl..TI.x..3.. ..>M.I...hx......C.. d..-.......;.....{.].t..i0.T...%.|b..#VL[.z...\..?u.K.........}.q...)..&..*..z.......9...o.9s..,..h..,..O.H........95.]......A..;....:.Lw.c.G..4. w;......p.}(...}d.Eq.5..*....c.4E~...f..fZ.kbF].........)..O..A........ND....]A......a`I...iP...[..6:-.,.../0..!.....2..a...-.;...p..^gL...^.F[..@.)_.a`K......qu..v.C ..p@.)...q..J...l;..#....Q9,G.......i.\.G..o}....&.s..Nz..fP.0.....F..M-.$D.....0}....99....y.Z..d..(.j...f(...fEW...,..8.._.4Y1.y...eq....d.t.%6....]$..KE......k.&6j`.pJ.2^.2x.t.<..>l.......&..)<...w....0%:...d.......G.^.'I&........A..........s.NE9.s.^.....<x./..4.'..=T.(&....Y....`,....l...7...rz...6.q

<<< skipped >>>

GET /mirror/nerocrossrider/appshat_generic.exe HTTP/1.1

Range: bytes=71389-142779

User-Agent: Better Installer(Mozilla)

Host: dpo55t230unug.cloudfront.net

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 71391

Connection: keep-alive

Date: Sun, 08 Mar 2015 05:10:01 GMT

x-amz-version-id: zdbgB_7owwl7Hq6LIKQBG0yBaPWISKtC

x-amz-meta-s3cmd-attrs: uid:500/gname:www/uname:www/gid:500/mode:33204/mtime:1415096893/atime:1415097003/ctime:1415096894

Cache-Control: max-age=3600

Last-Modified: Tue, 04 Nov 2014 11:01:28 GMT

ETag: "518879abe3170dabd172dfffcd165598"

Accept-Ranges: bytes

Server: AmazonS3

Content-Range: bytes 71389-142779/285558

Age: 699

X-Cache: Hit from cloudfront

Via: 1.1 c1639d907cade557ebff29e5be78b0b6.cloudfront.net (CloudFront)

X-Amz-Cf-Id: XdsAdeUuFWvSC_qbO6r8hh8y9xoXY4FhIcb7tVkhhpIswJ2DvRqb_Q==

...IK.#.ikv7..=....\z....if.J^.;,5!.._...MR..w.OX..&.....p:.........5.L.iT.L.O.....7D.]b..........3.. 2=v.a.....^k....xp .`..y.1>...A.Q!..._.J.D.......j..].8v....>.P.\ei%..OU[.V.p.*ky..E*.D0).-l.B.....*..aG.b^..T.yqu8.Np.'.Z&V`..-..2l..Bu.l ........4X.U..9p..}E|..J...".m..:.....@..8auM.wLc$h...8D.s"..]......3.. .$..H.Sf.z.....q.Ke.....b.......IO[......U....l..-.!2......2.ed...M...@..s..K.....].<.........g.mG..as..ez|.C.......=p.^U|.`s6.).\).]........2j.....N....a...i\.m.<......8......z....=....i.s.2...r...n.=h.D".O.MN..a.S..f. .S.i....N>.O;...>..4%.{.L....... m.....%.Hw.U<...."...ns.Z....).)`o:....O....0..SDt..|V.G...iU.d P..x..{`i[.X.Uh..@..`C...;6.\..y.]-W.... ...G9`.%i~.G.......r#`...`...G....Z..KQA~'vL2XAM..(o......jU.....3........7...o.q...9...@....dO.r..c.KO.`....u...G......H.N.|..;#..G.n]J.Kx......t.if.8u.^....L..L..;..# 6...p ...........U..KU%....F...>....L.sZ.Cm.!..cllj...&.:......p..y.....ds_.....W..t2.,.I...Z..c.T?/&O...8..q..<:Cp.....7&.D7.....e,2.)..G..FP.l. .N....(......I.......4&...8.1;...M...=.2..%;.V).>..5e...I...@D....0.!..GHUZ.nnh..........n#.....F.v.S...Zy.m..........;..k...3..(. .k.............,H.D.L.....K...`[.. C..7X.uq.zV.t...m..`..H.....s.e..R.7...4.F..`.b!..N.pY...=%K...s.Tt*9.rR..A....xt.hR.k..25...=`...7.........&=....vK.A...4.d7y.....(....7.(..l.k...h.C.w|..yP..#...lNI..\8....c...I&.h.[.=p... ...._......).;.>"@.....@.n@..)...,....80.W......kh..z8.......W3S..E...3..H....^.t.L.\........3G..b.....!.^....U........

<<< skipped >>>

GET /mirror/nerocrossrider/appshat_generic.exe HTTP/1.1

Range: bytes=0-

User-Agent: Better Installer(Mozilla)

Host: dpo55t230unug.cloudfront.net

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 285558

Connection: keep-alive

Date: Sun, 08 Mar 2015 05:10:01 GMT

x-amz-version-id: zdbgB_7owwl7Hq6LIKQBG0yBaPWISKtC

x-amz-meta-s3cmd-attrs: uid:500/gname:www/uname:www/gid:500/mode:33204/mtime:1415096893/atime:1415097003/ctime:1415096894

Cache-Control: max-age=3600

Last-Modified: Tue, 04 Nov 2014 11:01:28 GMT

ETag: "518879abe3170dabd172dfffcd165598"

Accept-Ranges: bytes

Server: AmazonS3

Content-Range: bytes 0-285557/285558

Age: 699

X-Cache: Hit from cloudfront

Via: 1.1 1bf0d882921b31997e2650c5d2719973.cloudfront.net (CloudFront)

X-Amz-Cf-Id: y7O2Y1wPhIiOP64hFKZCDSw2PwXypjG_juQ87yk4gVfMuR1WS-mJiQ==

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................\..........<2.......p....@..........................................................................s.......@...............................................................................p...............................text...ZZ.......\.................. ..`.rdata.......p.......`..............@..@.data................r..............@....ndata.......@...........................rsrc........@.......v..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H.....>B..H.P.u..u..u...Hr@..B...SV.5.>B..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h.6B.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$...>B...Si.....VW.T.....tO.q.3.;5.>B.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5.>B.r._^[..

<<< skipped >>>

GET /sd?is=sm HTTP/1.1

Range: bytes=118998-237996

User-Agent: Better Installer(Mozilla)

Host: install-cdn.sourceapp.info

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

Pragma: no-cache

Content-Type: application/octet-stream

Server: Microsoft-IIS/7.5

Content-Disposition: attachment; filename=SourceAppSetup.exe

X-AspNet-Version: 4.0.30319

SVR: SP004C2

X-Powered-By: ASP.NET

p3p: CP="CAO PSA OUR"

Cache-Control: private, max-age=86400

Expires: Sat, 14 Mar 2015 01:01:11 GMT

Date: Fri, 13 Mar 2015 01:01:11 GMT

Content-Range: bytes 118998-237996/475992

Content-Length: 118999

Connection: keep-alive

........{i......EdZ$.. ...?.Cbp....k..?.pLH....j.J1...W.0\NjWF2...A2.8N...~........u...../...i..#..x...?...b@V..3r..."./jl....W...........?.5.i....QFK...b.>....wt<..L9........t...i..;.l...g0....8.......uKt..^.N....76.6s.I...d._.w......}...s.k..q.F......F...@T.X..4.......o...n6!.u.i....[.U.G..F...*vY..K'.....7NTW,..ZD..@I#sngXI.....".{.Q......~...5`.#.......S....QD...........G...R........Y.|...?Cc.w....R|..QZ...@.\.'...@...O.T..N.`.<.$g..U...H]. ....-. .@.u..".}=P..B_.}.$f.j.k.Q.u...(.Fa.sJ...x.3.ri.E..:.;_H<...z.x.w........l..l...T......A.d.(Q..s:.a^......i;.8.../..c..T...o..V..H....i_\}...iJ.....u....'i..".4.......7.x.e.R..5.U.=.....VTE-R#Oi....b.t..#...W,L..;M...`.....r.."C../$.......].A...S.$^........@..!T_../l.I..I`......I-.w.J..r..>8.H.Q.Hd.@.[av..c~.@.5.......eR.......Q....\d..C1....%...=*/...d.... ...aN..,..7"...C!94..;.8.O'.3B..D.B..\%......\3.F..4B.....o..B0.1.z]......%..wS...6...f.H..K..r.4....&7|.o\.%.Rx...I..w&....V..O..}......;.%.K...".z......&.L...4h'A.v{,1....e:...J..k@.Y}..5t.....T...U.E.q.......N.Z|.b.FRj..3....O....Xdp..p.:.P@m......43~.&Q.>7SO3.o.8.....).n|.}.x....u7&.=kO..[...Fj...tq..v..(.9.7......P%..>....C....YM.V.u."yk.{..E..0_......o..w..C........~L...7...q..#.T..n.y0.....J..nb..\..u....9....YN......x.9..&.d.sN~..5m....J3....D..L'..0 . !Q...2L...G....s..D..r......Z..Df....sN..o]".& ..L.>HE...T7...u.(..!.Jkn....Z..$h.J2.....m..1.#.0&.@t..N7Xw....=T..K..hX....?v.I...G.8..Ny...@C....B..M!..M,..q......P......R..[V.ieo_.j5Nl....h%.>...W..6i..s......#~...$.........m

<<< skipped >>>

GET /partner/gim394750002/release/live/InstallGenieo.exe HTTP/1.1

Range: bytes=0-

User-Agent: Better Installer(Mozilla)

Host: download.genieo.com

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

x-amz-id-2: YDfoA9PCw4GoEMSNgZ1OC0zyYwkphxQ31330LNVRYvWJwp7 V8dIzshmUn4MFXzuUqFLSc8uigw=

x-amz-request-id: 44DC3AB5B4F9EE6E

Date: Fri, 13 Mar 2015 01:01:14 GMT

Last-Modified: Mon, 20 Oct 2014 09:54:42 GMT

ETag: "d65611fbc4da8cea4e886076bec82d1e"

Accept-Ranges: bytes

Content-Range: bytes 0-988407/988408

Content-Type: application/octet-stream

Content-Length: 988408

Server: AmazonS3

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................\..........<2.......p....@..........................................................................s..........P...............`............................................................p...............................text...ZZ.......\.................. ..`.rdata.......p.......`..............@..@.data................r..............@....ndata.......@...........................rsrc...P............v..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t..

GET /affiliates/eula.html HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*

Referer: hXXp://bi.bisrv.com/piratebaymirror/neongenesisevangelionplatinumcollection/da282e2bbb7e4e4483dc4da5b3e19aab?v=2.0&muid=BB240EA4D92FCC6BC5CA46520F398ADC

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: d3k2eoekmudqmk.cloudfront.net

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: text/html

Transfer-Encoding: chunked

Connection: keep-alive

Server: nginx

Date: Sun, 08 Mar 2015 05:10:31 GMT

Last-Modified: Sun, 26 Oct 2014 17:23:05 GMT

Expires: Sun, 08 Mar 2015 05:20:31 GMT

Cache-Control: max-age=600

Content-Encoding: gzip

Vary: Accept-Encoding

X-Cache: RefreshHit from cloudfront

Via: 1.1 a7ff8407dd3b3befd5f1244b3435b471.cloudfront.net (CloudFront)

X-Amz-Cf-Id: 4Wp6OE_NXmBd3bYxgslvH_SplwBhjz4OE-uZxSjHXTbpo_YvGqvUxA==

1500.............Zks.F......N.......|.-y."!...P.P.... .)".....1S..{....R.g.Jl...}.{...>....F7..ZV.T]NO..Pu....?...Q4R..G.c...VEE..I..Y......:..Z........?...n...G......o......w>.o.d..U.../......4..`..?~{T..d]..i..;.~......y.Q....7i<,..<.....d...|...l.?..t..F.OeU$.....:Xl..U;8...Q.~.vGw......E.I.....z.7S....q.I..f.q.DW.....U....|..(.u.1...z..3..|....A.....:.............P....X$..*.w..........s.;..]..........u.?..%f...~....S..b...,..........5.(,Qm...w .NK...Y>......u.......}n..C......8$....)..R..4IuwS....h...*...f.e.q7...<y...I.....:8...s#Z/M./...B...s..|}.........@..T..)t..uJ.WR..._.LTvz. yV._.L.tz..6 ........e.......6.....#b.j.A..yw.[.p.a...6n.6;(u40..8.....&..DT.....EQ..k..JD.C....zDq....W...X...f.W..D....I.:............~..........f..a.QZ....>f%.(..n....z.v.u.mCc..].......u$..S..UK<...."T.......dhR.U7i.3.......4.K.....6..-..]......'$Y..9$.....U>Et....y....M..M.2x.....`An|.^.t'O.. !..m>.:8.KZ.........$C...f..Ll...4.<ZGm.$H{Q...........z..m................p........|C.......i^.W.}'.>..*.....z .=,..7..L.WY^..T./..zS&...w....g.x..O.U\$q.S....Y.S%*.7..................W..,^'8......o..W..Z....Q.U.7bp...l5.E....=P....A.D;45....d.q...Jg....."...<._&...>(VQ..<......Q..v.....?@,...h...P8..i.<N.......fs5.u.8...8v..-. .....OG..'O.....3{*1u....P..?TK...!..:...e.......6.N./.....C...'...V&.].....|.b...\.D..J...Y...n-.j.j...u..G.....B.h.Z......s..dw...9.\...D....]w.n..r...~..q4.St........&..3RC'pO.....p.C.2R..."7..6x8.'#/..I..S......vd..r......I.9..79..B.4..^}ur....S..s...u2."...~

<<< skipped >>>

GET /affiliates/piratebaymirror/The_Pirate_Bay_logo.png HTTP/1.1

Accept: */*

Referer: hXXp://bi.bisrv.com/piratebaymirror/neongenesisevangelionplatinumcollection/da282e2bbb7e4e4483dc4da5b3e19aab?v=2.0&muid=BB240EA4D92FCC6BC5CA46520F398ADC

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: downloadcdn.filebulldog.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/png

Content-Length: 3955

Connection: keep-alive

Server: nginx

Date: Fri, 13 Mar 2015 01:01:09 GMT

Last-Modified: Mon, 04 Feb 2013 18:04:54 GMT

ETag: "510ff846-f73"

Expires: Fri, 13 Mar 2015 01:11:09 GMT

Cache-Control: max-age=600

Accept-Ranges: bytes

X-Cache: Miss from cloudfront

Via: 1.1 82cdda900e097a19d365892f62aa31dd.cloudfront.net (CloudFront)

X-Amz-Cf-Id: lNqgr8Cbru17FtYMqqd7iRJ4-zyTh88cqgShlD7TsSqEaj_-czrOzw==

.PNG........IHDR...0...0.....W.......sRGB.........gAMA......a.....pHYs..........o.d....tIME......0..w.....tEXtSoftware.Paint.NET v3.5.100.r.....IDAThC...x.W..e.K..Id.=..._....KD.!...P...-..m....jM.v...>S.....S.6.t..U.UKH... .F..$m.<.y....s..s.=w.:th... g.p.M.vP...H.r..u.p.c........d...vP......e[...m.P.....6Z.....%.~\.. .Fz..:..T.....fYm4....'.t..........?kh..t...MZZ......a.wl_.m.6:=0~LV. .;Q.....a...D?..Y...I~.{.6.k...r.#'....d..h.....N..HK..}"[........\~o.........7..T~h...a.&.....s................<u@D....."....9 .gT...T....oN.<......d^.........)....\..1T...[N..m.}....b..AQ..AQ..... *}.....5 ..........w..<.....v2...f.....*.^.u)S.....0..7m..!......y...s....Cc%.K....O t.)*..N"fL*..'.........)...H.kT%s.cj..)jTd....9.?..%.....E./.%.YCb..J.....O.....1......>..S..[.....6....^xk..X.rr~........p..6(.s~I....... ..*..&\..S(.=I.n..r.X.....AM..9<;..n..:..U.....@..c{......v4.7}.0bZA.......,......w[R..s..d.\..42.z....!D!.........H...{t....feT...^}.!..D....d.nd.......L .J....A...xc..,.J.-etzP.....eU)..AN.$HD.C.Q..K...ow ]ke.`R..{*.#. .S.....1.HC..>sH. ..iT..3$.....*V.J.x.\E..>dN0q...(...."V4....*i.....j.V..D<?d...3.....e.......@5.B..19......,=)....2..U%.|yt.xiTj}i.o.....XE.lo...d.-w[3....8...j......'e..i...}i`B?]<....".g..... .....D5.y.4>zUu. 2.......&.."...R..T2.=.>...j....P.........8...HT....@.2L`-..6....w.).EDe..[..6..uc2......Y..$.....?.Qk6Y.Y.J.G...*.._]K.m&...j.H.7.W@..6y......L..&i.>.....R..V!.. Z{.sw.={HL>^....2.............."i]s.x........5..cx^..6.._.Fy...5.....K.kk2....

<<< skipped >>>

GET /sd?is=sm HTTP/1.1

Range: bytes=118998-

User-Agent: Better Installer(Mozilla)

Host: install-cdn.sourceapp.info

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

Pragma: no-cache

Content-Type: application/octet-stream

Server: Microsoft-IIS/7.5

Content-Disposition: attachment; filename=SourceAppSetup.exe

X-AspNet-Version: 4.0.30319

SVR: SP004C2

X-Powered-By: ASP.NET

p3p: CP="CAO PSA OUR"

Cache-Control: private, max-age=86400

Expires: Sat, 14 Mar 2015 01:01:11 GMT

Date: Fri, 13 Mar 2015 01:01:11 GMT

Content-Range: bytes 118998-475991/475992

Content-Length: 356994

Connection: keep-alive

........{i......EdZ$.. ...?.Cbp....k..?.pLH....j.J1...W.0\NjWF2...A2.8N...~........u...../...i..#..x...?...b@V..3r..."./jl....W...........?.5.i....QFK...b.>....wt<..L9........t...i..;.l...g0....8.......uKt..^.N....76.6s.I...d._.w......}...s.k..q.F......F...@T.X..4.......o...n6!.u.i....[.U.G..F...*vY..K'.....7NTW,..ZD..@I#sngXI.....".{.Q......~...5`.#.......S....QD...........G...R........Y.|...?Cc.w....R|..QZ...@.\.'...@...O.T..N.`.<.$g..U...H]. ....-. .@.u..".}=P..B_.}.$f.j.k.Q.u...(.Fa.sJ...x.3.ri.E..:.;_H<...z.x.w........l..l...T......A.d.(Q..s:.a^......i;.8.../..c..T...o..V..H....i_\}...iJ.....u....'i..".4.......7.x.e.R..5.U.=.....VTE-R#Oi....b.t..#...W,L..;M...`.....r.."C../$.......].A...S.$^........@..!T_../l.I..I`......I-.w.J..r..>8.H.Q.Hd.@.[av..c~.@.5.......eR.......Q....\d..C1....%...=*/...d.... ...aN..,..7"...C!94..;.8.O'.3B..D.B..\%......\3.F..4B.....o..B0.1.z]......%..wS...6...f.H..K..r.4....&7|.o\.%.Rx...I..w&....V..O..}......;.%.K...".z......&.L...4h'A.v{,1....e:...J..k@.Y}..5t.....T...U.E.q.......N.Z|.b.FRj..3....O....Xdp..p.:.P@m......43~.&Q.>7SO3.o.8.....).n|.}.x....u7&.=kO..[...Fj...tq..v..(.9.7......P%..>....C....YM.V.u."yk.{..E..0_......o..w..C........~L...7...q..#.T..n.y0.....J..nb..\..u....9....YN......x.9..&.d.sN~..5m....J3....D..L'..0 . !Q...2L...G....s..D..r......Z..Df....sN..o]".& ..L.>HE...T7...u.(..!.Jkn....Z..$h.J2.....m..1.#.0&.@t..N7Xw....=T..K..hX....?v.I...G.8..Ny...@C....B..M!..M,..q......P......R..[V.ieo_.j5Nl....h%.>...W..6i..s......#~...$.........m

<<< skipped >>>

GET /partner/gim394750002/release/live/InstallGenieo.exe HTTP/1.1

Range: bytes=494204-

User-Agent: Better Installer(Mozilla)

Host: download.genieo.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

x-amz-id-2: U6WzL5ZVMkiTYFgaaRNgiDNXWIX1UnLSeACUu0lRjbHILy7 UXJGPEflVwfK4IPu1r4850OC5zc=

x-amz-request-id: F776F0D2F7E9E215

Date: Fri, 13 Mar 2015 01:01:14 GMT

Last-Modified: Mon, 20 Oct 2014 09:54:42 GMT

ETag: "d65611fbc4da8cea4e886076bec82d1e"

Accept-Ranges: bytes

Content-Range: bytes 494204-988407/988408

Content-Type: application/octet-stream

Content-Length: 494204

Server: AmazonS3

.;M@{..M.?..4R.[v. .-..bIcw.......b.....!..rf.P.........0.....{......y..WL.D*^...a...Mu.....U.O!4_?....@.cbA.k.)4......V.P!s...!pW6$~......T..i...kQ.X..-.V.&...;.`...._B..-*.V.*[.S..?...)$\....i...E;........|p.B|ON......:...@,.qX.vb8.%.<@..z.>_.RB..y.n.oX.AW1(....YU.4..O....Q...........A.z[.G..-z#......4/...X..N..l|.p..5!'hV.._.n..c..^.k...E.....p..5B.......HEm.dh.4.sGUh..WP7.#...........:Z.].K"............B]W.V...L0q~.].AB.`.trp.eW..J##..[.r,.(.&...."..G..B........#o..`....p...]5{w.......%z......P}......Wj. M)^...5...Y.C._.7..*........'.. jI.c...t..@$.X.ty...1.He...eV....}.l.R.2....A.P.....q....#"..58.Yg.f...(...1).....,......|.#.KB...3H$..N...r...r.)...^.ST.$..?\.... 8,d....{ M...u..:C........e..FL.j....S...MMd....%.N.i.....y.c..M..H....v.~5........:.fDI...#.....0.(TH...sWso...:.#~....p....B!.....D."m..Xt..c,.m...e....z.F*..m.Ci.Qt.....j.m*<...n.7...M..J......(..{....z......y.v.."@kNX.k3{.m.[.._m\....(...Rz.ka..Qwb....3.\o.?.x..6........j..Do..j....)q....]Q..}.. ....9....x.. b#Q/ .g.._.-Y.ZZ..r>2.e.\zu....d:w..].j..ma.0D[........9..2.=...<....j..h.D.3Z..0.f.{$......i..tm..y.J.>.$.kz......._.....z...Q.K.(..=.7..I....C.9R_.z...w...B.... ..y...2.j..@'q.m..zs..}.........z...r).~....%.............]..rY0..Y.sgE...B.e.....|.<h..q.tLPw.....MD....z.....z..3..jP.KQ6>.I..#.{...gyf...@|..#....|..,t..m....q*.r.OLX`"B.....k....!n.Q;n......2vn....... a....{..|z...H....C.!.eGn.#.....-..m.R...N...._..e..k.&../p......b.....jq.L.-.c..q/..O/b.......m....~.....:D.A&..Y...`...z..c..U...F...jZ.G.s....*..AI..

<<< skipped >>>

GET /home/smt_istartsurf.exe HTTP/1.1

Range: bytes=72600-145200

User-Agent: Better Installer(Mozilla)

Host: VVV.girlliuxiaowei.com

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

Server: nginx

Date: Fri, 13 Mar 2015 01:01:10 GMT

Content-Type: application/octet-stream

Content-Length: 72601

Last-Modified: Tue, 10 Mar 2015 01:55:04 GMT

Connection: keep-alive

Expires: Mon, 16 Mar 2015 01:01:10 GMT

Cache-Control: max-age=259200

Content-Range: bytes 72600-145200/290400

.....^]...U...u.j..u..u..u..o......]...U...E.S.].f.;.W..tC...f..t9.. ..M.f..t....f..t .... .u....f9..u.f.9.t..........f..u.3._[].......U...U.VW..t..}...u...1..j.^.0.gl.....3.E...u....... ......@..t.Ou...u......1..j"Y......3._^]...U..V.u.W..t..}...u..|1..j.^.0..l...._^]..M...u.3.f......f.:.t....Ou...t. ....f......f..t.Ou.3...u.f...*1..j"Y........U..V.u.W..t..}...u...1..j.^.0..k...._^]..E...u.f...... ....f......f..t.Ou.3...u.f....0..j"Y......j.h..C......3..}.3..u.;....;.u...0.........%k..........V.....Y.}..F.@uoV.....Y...t....t...................C.....YC..A$.u)...t....t.................C.....YC..@$.t...0..........j...M..9}.u..N.x......A....V.N...Y.E..E...........E..i.....u.V.d...Y.j.h..C......3..}.3..u.;....;.u.../.........1j..........V.....Y.}..F.@uoV.....Y...t....t...................C.....YC..A$.u)...t....t.................C.....YC..@$.t..#/..........i...M..9}.u!.N.x....E..........V.u..`Z..YY.E..E...........E..m.....u.V.h...Y...U..SV.u.W....F.@uoV.....Y..YC.;.t....t...................C......A$.u%;.t....t.................C......@$.t..]...........h...._^[]..].;.t..F...u...y...u..~..u.V.w...Y..;F.u..~..u.@.....F.@..t.8.t.@.......F..F........F...%......j.h0.C..-...3.9E......u...-.........Yh......,.u......Y.e...u..u......YY.E..E...........E.. .....u......Y...U..j.j..u.........]...U.... SW3.j.3.Y.}..]...9].u..I-..........g......i.E.;.t.V.u..E..u..E..u..E.P.E.B....E..............M...x..E....E....E.PS.ZX..YY.M.x..E......E.PS.BX..YY..^_[....U...u.j..u..u..K......]..@RC... .C.Vj.^..u........;.}.... .C.j.P.W ..YY...C...u.

<<< skipped >>>

GET /partner/gim394750002/release/live/InstallGenieo.exe HTTP/1.1

Range: bytes=617755-

User-Agent: Better Installer(Mozilla)

Host: download.genieo.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

x-amz-id-2: Ur/0DlqWP66Ok1G5COX8gPrdRTgtsoiBUdTH8lrPT4TUeccliMjzbscfDwETzB1Edavve pPiC0=

x-amz-request-id: 05351A7EDDE2FAA1

Date: Fri, 13 Mar 2015 01:01:14 GMT

Last-Modified: Mon, 20 Oct 2014 09:54:42 GMT

ETag: "d65611fbc4da8cea4e886076bec82d1e"

Accept-Ranges: bytes

Content-Range: bytes 617755-988407/988408

Content-Type: application/octet-stream

Content-Length: 370653

Server: AmazonS3

...m$......"4C..HA.e...P.V.9J.2.E...."X..!X...>.U.oL{$.!.......5..h.9\...Ua.M.%....... .5.}.@R2.s.l.'...'..My.......3i.........e..SPNO.ka..R...f...5Mm..............c....W..%z`..U........D.h]...\q.....vyr..2..$.[.8M..6...=.*..g...J. N-k....w........G....s......6.3?>...).>D..J.^.c/.N....u.6.....s...{....L..n......:........'...,...^..mg...BO.>..}H#..N.'.F...%.....p..#....t...zV.,.\9.......D...B...B.:.[.IYZ...c..^K..[(d....H.......FwD.......z..L....-.i(.......I.....x.*..s[.....b.H0DR..<"......d..w.{..v%e.8n......6t..P..>VK.e...4...B(7...>.a....K..A...Z.%.x."...:O...!...".p`......t.....q..Z...".....t...s;.".[h.#z..ZG....&A.(.....@..........}...?g..u(.M..[.dD..h.7C4HS......I.-....'.....|O......X[.....2"6.lR..(......m_....f...........u...n....Y..i.9.......5..5..<7 ...0.c...|.i..zHh8..B'.........B.~1..;....A.T.H..FT.....8.9L..i`,..t.!C...B.<..lQ..W...F[....|T\..o.f...e.....H.o....9U....p.ReW.z.wJ.....A.!.#.../0.......E..v...X.M.(.:p[...b9.{#N.....0...%6..AsI....'.........9.H%}6.0..'.;..R5.........4.j.Vw..g..N$...q............s.}.)........\.2..^P..f....UA.bQK...o.~B..D...F...W.....)L.../.wL]>f.x....S@.g..A^.x......&G.Z........G..2.WuO......&.....T.W...)(..D.e.........C .Bl.U{...hC..ml0.......x......3...............h|....d.0`3.6$l.)Q...e.....BPo|-..@..<,K.0t.....2g.o./4..(.q$.M..M..X(J}..F.Y.%Z..9.'.n...WR.V.V..I:.S`..uA.(h9FN.c..X.........4..........kD......>7.6%..n..`.v..R..w.u:.n.......u5f.!K*....6:...tK..n...k.%...AJ.".../..}p.g...3.2.m.[..6....g..F...C......G_..B]*..i.<PX./gMI.

<<< skipped >>>

GET /home/smt_istartsurf.exe HTTP/1.1

Range: bytes=0-

User-Agent: Better Installer(Mozilla)

Host: VVV.girlliuxiaowei.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

Server: nginx

Date: Fri, 13 Mar 2015 01:01:10 GMT

Content-Type: application/octet-stream

Content-Length: 290400

Last-Modified: Tue, 10 Mar 2015 01:55:04 GMT

Connection: keep-alive

Expires: Mon, 16 Mar 2015 01:01:10 GMT

Cache-Control: max-age=259200

Content-Range: bytes 0-290399/290400

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......M.C...-R..-R..-R...R..-R...R6.-R...R..-R...R..-R...R..-R..,Rt.-R...R..-R.E.R..-R...R..-RRich..-R........PE..L....<.T............................ 8............@.......................................@.................................08.......................R..`....p..L...`...............................h...@............................................text...#........................... ..`.rdata..f...........................@..@.data...$K...P...*...2..............@....rsrc................\..............@..@.reloc.../...p...0..."..............@..B........................................................................................................................................................................................................................................................................................................................................................U..3.j.P.u..F......F......>.....]...U......V..M..;...i..... .;E.s..E..M..I....s..M.S... ]... M.;.w.h..B..b....M. E..M..E.;.s.j.Q...'....]..F.;.tR...r..........r........u....M....E.QP.........{..r....~..r........u...SP.B(........U.j.[;U.wG;.r.......;.r.......RQ..P......F....;.r.......;.r........u....M....E..F;.r.......;.r........u....M...Q..P.d....F....;.r.......;.r........u...QP.>....M.....~...N.[r.................h..B..p....U..Q.}...M.u.;A.viS.Y.VW;.sY .9].wR3.B U....y..r......M....SQ.E.P.&.M..}..

<<< skipped >>>

GET /home/smt_istartsurf.exe HTTP/1.1

Range: bytes=36300-

User-Agent: Better Installer(Mozilla)

Host: VVV.girlliuxiaowei.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

Server: nginx

Date: Fri, 13 Mar 2015 01:01:10 GMT

Content-Type: application/octet-stream

Content-Length: 254100

Last-Modified: Tue, 10 Mar 2015 01:55:04 GMT

Connection: keep-alive

Expires: Mon, 16 Mar 2015 01:01:10 GMT

Cache-Control: max-age=259200

Content-Range: bytes 36300-290399/290400

.....Yj.X......w@.K<3.9s4.OT.wP.K4....Od...O`.K..Oh.w.;.u..w$.w(.w,.w......3...u..G@.....C@.GX.CD.G\.C0$..Gl.C0.....t..C9...C?........Gl........G|.E..Op..xV4..Gt.gE#.Gx.xV4.E.;.t..E.....t..X....E.u..Cx.M..D...G<.w..{|3._^[..U......U.SV3.W.u..u.;.t....;.u.j.X......x|;.t.97u.j...;.u.3.......E..G..G\.O.;.v..G.9w..........U............GX..........@..;.s.......y....Wh.W<.G`3..].......q....w`j.S.7.............X...._<)_X..l..7.w.._.t@.e....t8.Op.A.%................E....2.0.U..;....U..E..E...29].r..G|.O.;.v.....t%.W..4..V.)G\ .)G|.O..w.u.:.............d.u_.G..w.;.s...3...t..O.....W....@;.r.._..GP.........)w\)w.)w..w..w..u..GP.G\..._...uN.E...tG....B.G.._..E..G..%....w..M..E..GP ........)w\.u..}...GP.G\t>..t:.}..u.......j....}..t..E._^[....../.......'........j.......E...t.....E...U..QW3..}.;.u.j.X.PV.s|;.u.j.X.B9~\u..FP;FTt..E.......;.t.P.C...Y.>.>9~@t..F..n...V.~@.(....E.Y.{|^_...j......h.......RP...........U..Q.>.SWu~.~..ux..D...S.....W..H.B....H.f.....f..u. ......FB.....\t.../t.h..C.WS.........E.P.u..5...YY..u..E...P...........%....Y............_[Y]...U..SW.u........D...SW...........H.f.....f..u. ......FB.....\t.../t.h..C.SW.;......_3.[]...U.........tVC.3..E..E.SVW.....................d.....;C...Y....~..t..F....E..N..;.8...u....t...........3.........uE...@...3.f.G................................. .....$.....(.....,.......;A.}...............E...9A.}..6..............M.......9H.|......S......Pj...T...P.6..............P......P......P.6..........t.......\.............3........t.......=..........&gt

<<< skipped >>>

GET /affiliates/piratebaymirror/The_Pirate_Bay_logo.png HTTP/1.1

Accept: */*

Referer: hXXp://bi.bisrv.com/piratebaymirror/neongenesisevangelionplatinumcollection/da282e2bbb7e4e4483dc4da5b3e19aab?v=2.0&muid=BB240EA4D92FCC6BC5CA46520F398ADC

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: downloadcdn.filebulldog.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/png

Content-Length: 3955

Connection: keep-alive

Server: nginx

Date: Fri, 13 Mar 2015 01:01:09 GMT

Last-Modified: Mon, 04 Feb 2013 18:04:54 GMT

ETag: "510ff846-f73"

Expires: Fri, 13 Mar 2015 01:11:09 GMT

Cache-Control: max-age=600

Accept-Ranges: bytes

X-Cache: Miss from cloudfront

Via: 1.1 82cdda900e097a19d365892f62aa31dd.cloudfront.net (CloudFront)

X-Amz-Cf-Id: E5nJfzKu7lbVGtg9eRIJ59AwQs3wq73GTI_qf3WqmvURj3Yva0blyA==

.PNG........IHDR...0...0.....W.......sRGB.........gAMA......a.....pHYs..........o.d....tIME......0..w.....tEXtSoftware.Paint.NET v3.5.100.r.....IDAThC...x.W..e.K..Id.=..._....KD.!...P...-..m....jM.v...>S.....S.6.t..U.UKH... .F..$m.<.y....s..s.=w.:th... g.p.M.vP...H.r..u.p.c........d...vP......e[...m.P.....6Z.....%.~\.. .Fz..:..T.....fYm4....'.t..........?kh..t...MZZ......a.wl_.m.6:=0~LV. .;Q.....a...D?..Y...I~.{.6.k...r.#'....d..h.....N..HK..}"[........\~o.........7..T~h...a.&.....s................<u@D....."....9 .gT...T....oN.<......d^.........)....\..1T...[N..m.}....b..AQ..AQ..... *}.....5 ..........w..<.....v2...f.....*.^.u)S.....0..7m..!......y...s....Cc%.K....O t.)*..N"fL*..'.........)...H.kT%s.cj..)jTd....9.?..%.....E./.%.YCb..J.....O.....1......>..S..[.....6....^xk..X.rr~........p..6(.s~I....... ..*..&\..S(.=I.n..r.X.....AM..9<;..n..:..U.....@..c{......v4.7}.0bZA.......,......w[R..s..d.\..42.z....!D!.........H...{t....feT...^}.!..D....d.nd.......L .J....A...xc..,.J.-etzP.....eU)..AN.$HD.C.Q..K...ow ]ke.`R..{*.#. .S.....1.HC..>sH. ..iT..3$.....*V.J.x.\E..>dN0q...(...."V4....*i.....j.V..D<?d...3.....e.......@5.B..19......,=)....2..U%.|yt.xiTj}i.o.....XE.lo...d.-w[3....8...j......'e..i...}i`B?]<....".g..... .....D5.y.4>zUu. 2.......&.."...R..T2.=.>...j....P.........8...HT....@.2L`-..6....w.).EDe..[..6..uc2......Y..$.....?.Qk6Y.Y.J.G...*.._]K.m&...j.H.7.W@..6y......L..&i.>.....R..V!.. Z{.sw.={HL>^....2.............."i]s.x........5..cx^..6.._.Fy...5.....K.kk2....

<<< skipped >>>

GET /home/smt_istartsurf.exe HTTP/1.1

Range: bytes=254100-

User-Agent: Better Installer(Mozilla)

Host: VVV.girlliuxiaowei.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

Server: nginx

Date: Fri, 13 Mar 2015 01:01:10 GMT

Content-Type: application/octet-stream

Content-Length: 36300

Last-Modified: Tue, 10 Mar 2015 01:55:04 GMT

Connection: keep-alive

Expires: Mon, 16 Mar 2015 01:01:10 GMT

Cache-Control: max-age=259200

Content-Range: bytes 254100-290399/290400

.Q'..Q'..Q'..Q'..Q'..Q'..Q'..Q'..Q'..Q'..Q'..Q'..Q'..Q'..Q'..Q'..Q'..Q'..Q'..Q'..Q'..Q'..Q'..Q'..Q'..Q'..Q'..Q'..Q'..Q'..Q'..Q'..Q'..Q'..Q'..Q'..Q'..H#..P'..Q'..Q'..Q'..Q'..........Q&..R&..R&..R'..R&..R&..R&..R&..R&..Q'..Q'..Q'..Q'..Q'..Q'..Q'..Q'..Q'..Q'..Q'..Q'..Q'..Q'..Q'..Q'..Q'..Q'..Q'..Q'..Q'..Q'..Q'..Q'..Q'..Q'..Q'..Q'..Q'..Q'..Q'..Q'..Q'..Q'..Q'..Q'..R'..........R&..................................................................................................................................................................................S&..........S%..................................................................................................................................................................................S$..........U$..................................................................................................................................................................................U#..........V"..................................................................................................................................................................................V"..........W!..................................................................................................................................................................................X ..........Y...................................................................................................................................................................................X ..........Z..........

<<< skipped >>>

GET /sd?is=sm HTTP/1.1

Range: bytes=0-

User-Agent: Better Installer(Mozilla)

Host: install-cdn.sourceapp.info

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

Pragma: no-cache

Content-Type: application/octet-stream

Server: Microsoft-IIS/7.5

Content-Disposition: attachment; filename=SourceAppSetup.exe

X-AspNet-Version: 4.0.30319

SVR: SP004C2

X-Powered-By: ASP.NET

p3p: CP="CAO PSA OUR"

Cache-Control: private, max-age=86400

Expires: Sat, 14 Mar 2015 01:01:11 GMT

Date: Fri, 13 Mar 2015 01:01:11 GMT

Content-Range: bytes 0-475991/475992

Content-Length: 475992

Connection: keep-alive

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................Z....... ...0.......p....@.................................$S.......................................s.......p..............h*...............................................................p...............................text....X.......Z.................. ..`.rdata.......p.......^..............@..@.data...x............p..............@....ndata.......p...........................rsrc........p.......t..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H.....nD..H.P.u..u..u...Hr@..B...SV.5.nD..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h..D.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$...nD...Si.. ..VW.T.....tO.q.3.;5.nD.sB..i.. ...D.......t.G.....t...O..t .....u...3....3...F.. ..;5.nD.r._^[...U..QQ.U.SV..i.. .

<<< skipped >>>

GET /sponsored/istartsurf/eula-istartsurf.html HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*

Referer: hXXp://bi.bisrv.com/piratebaymirror/neongenesisevangelionplatinumcollection/da282e2bbb7e4e4483dc4da5b3e19aab?v=2.0&muid=BB240EA4D92FCC6BC5CA46520F398ADC

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: d3k2eoekmudqmk.cloudfront.net

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: text/html

Transfer-Encoding: chunked

Connection: keep-alive

Server: nginx

Date: Sun, 08 Mar 2015 05:10:31 GMT

Last-Modified: Sun, 26 Oct 2014 17:24:16 GMT

Expires: Sun, 08 Mar 2015 05:20:31 GMT

Cache-Control: max-age=600

Content-Encoding: gzip

Age: 245

Vary: Accept-Encoding

X-Cache: Hit from cloudfront

Via: 1.1 3fe63ad2ae5f5b8c327f7cf3001228e0.cloudfront.net (CloudFront)

X-Amz-Cf-Id: UzW2fN3xiO2R8NKPoGZipngAiWLzFLE_-z_kMiBpPhB-YIC_WcWMYA==

139c.............Z.s...... ..4.Z....m......g..........#y.>X|.b:........R.f&q........]<...o......Y.En.~....s39...}|>..q.....W_]....sU.....J.........m7....v;.~<.......-.:....'.h.,k........"/..{.9...Ou...l.?........;......oo.>....M\......G/.....S...f.....V..k..]...\._...eW......d.1....{z.v....vy....r\...4.zvVvy~..}6........im..z.Y....k...Y.6.M.t...........O..O?.....a...M.V....nk.q.W.....w.....7..7.....~....>.....V....u.4.).RK....[...B....z....h....;H.....^Ze..o^.W..*].b......~.5?>.?z..,.lw..\;....n...r..5A....*..lK.......|weW_..M......'.z.......i.l......>....f.k_.p.E....v.$.4...x...y.^9I.zr.4..e.`...Q...f7.Wf.k.gS..~.:.....n.....W>..;J..&:...P......<.k..x........k[C#g..].......(c...)~x......................^...y"...}.N.....)....<_Ve{......ts;<[....g..`.4..K..#.]?.#.rE.%.{fR...Ilu....'..S..c.l....'..=.{od...H....=>...}fN.r..G...H.............Ac.../.|........Cc.S....Z..\..h.....;.&iL.v..Sf........>..v ...6H.%.....j.\.....t.....7%<..KW.@.ff>.a/Bi|..1[.@.pX....]..)..|......X^.....<.G\.B..*3I68..R.f....-.w...........u....E.2...w&u....q...... ...s@5x..D..._...B.rgZ_....U......>.j.m2....w.C...Z...M...w.^g. .....HO1....g.r... ..6.P.o...... i.......z.B...9../.F0N.X...S.K@.......U.....FF_....2....7.%. .B....^.[.?N.....w.74........ 6.E_.j["kB..k..x.2'.L.N..Z6..ZN.E\!.7}z....T...MyJp.aoY.1....x.\...iP.t.....3*.)...4.p...4.l.li.kD.W.......J...n.=......f"..O@s|n.....m<B.J".Y.<....C.....!;#7.p..2..&.A.{.K.....s.mp1.g.K.{P.. M....@....]]../.H.z.!X".b.....hL.W.e....vM...)

<<< skipped >>>

GET /mirror/nerocrossrider/appshat_generic.exe HTTP/1.1

User-Agent: Better Installer(Mozilla)

Host: dpo55t230unug.cloudfront.net

Cache-Control: no-cache

HTTP/1.1 200 OK

Content-Type: application/octet-stream

Content-Length: 285558

Connection: keep-alive

Date: Sun, 08 Mar 2015 05:10:01 GMT

x-amz-version-id: zdbgB_7owwl7Hq6LIKQBG0yBaPWISKtC

x-amz-meta-s3cmd-attrs: uid:500/gname:www/uname:www/gid:500/mode:33204/mtime:1415096893/atime:1415097003/ctime:1415096894

Cache-Control: max-age=3600

Last-Modified: Tue, 04 Nov 2014 11:01:28 GMT

ETag: "518879abe3170dabd172dfffcd165598"

Accept-Ranges: bytes

Server: AmazonS3

Age: 699

X-Cache: Hit from cloudfront

Via: 1.1 111d7d2d6210ffae0900ad3d2e66bc5e.cloudfront.net (CloudFront)

X-Amz-Cf-Id: 7PysVT31wEjjkA1F3vz8AyMPaLEkMCgHuYctw8qi16MkzZ-EsIG9fg==

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................\..........<2.......p....@..........................................................................s.......@...............................................................................p...............................text...ZZ.......\.................. ..`.rdata.......p.......`..............@..@.data................r..............@....ndata.......@...........................rsrc........@.......v..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H.....>B..H.P.u..u..u...Hr@..B...SV.5.>B..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h.6B.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$...>B...Si.....VW.T.....tO.q.3.;5.>B.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5.>B.r._^[..

<<< skipped >>>

GET /sd?is=sm HTTP/1.1

Range: bytes=416493-

User-Agent: Better Installer(Mozilla)

Host: install-cdn.sourceapp.info

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

Pragma: no-cache

Content-Type: application/octet-stream

Server: Microsoft-IIS/7.5

Content-Disposition: attachment; filename=SourceAppSetup.exe

X-AspNet-Version: 4.0.30319

SVR: SP004C2

X-Powered-By: ASP.NET

p3p: CP="CAO PSA OUR"

Cache-Control: private, max-age=86400

Expires: Sat, 14 Mar 2015 01:01:11 GMT

Date: Fri, 13 Mar 2015 01:01:11 GMT

Content-Range: bytes 416493-475991/475992

Content-Length: 59499

Connection: keep-alive

.....o....^(.l.X..W......^Hk r... .jy "..<....../..3I(.c<...=....yR..`EJ...C...=..F....t....yx...!....D"..kOE...6......q`.@..ggx........'......<4.QIh.y.....% z....y...VL...*z......K.......:..:...R.F........./...s\....Wk.Q3*wZ.......P...61.[.g<...9..Ra4..].......h...!k........_..h...~t`T/....`.:d....\)%"?1.X...@.q%...".M......j..X'..I......../.6s<.[..S.-........*xk....p.a.2VK.B\...v...G....J...Oc..6..3..0........,..e|KL3....~.F^s........lU.....o...$.Q.......]..{aB...Pr.s..$......_.4.....l...v ..0?M1b&......I.$C.fl.d........k...N.g^...bb.x..v..~....:...jT......S....:......G...un.r.IP.T.. ...$>.....#U.B.' ......y=ZB......_..r?.r.5...=..{(.}.e..{.n..:S.a!.:....Pk_.E...{u.UJ...l....T|....AV....3>Y..=}....G.X%...aTg...8~.X...9.....C.9.....2z.vh.....R..z.s.w...j.t..........&...:...g......3d.Zf.%&P|J...x.Z..>.2zbK.....>B.6..0.A.).....O.h.....v..zP.wj..J.ng...%Hz......tV..(.......p.A...p.A.2JN...@..<....P...I..{}0....p.0.`GW.....xA)A.h..1.b............qQ.b_`n....2.....L.`#...:E.o...H....|..../..@.x<A.0..j....w.p.....60...).V.q..;BD.v.zuHM.....M.M6..$.U....*.........HI4....m|0rO.*....o;..:.y...P.......34.0.....D.wx.......R.C1A.....=..........Tz...9%...R.x.&......2./..X.sC.Ps.8...{...c......k.....$$....T.y...E|..H)(....l.]....q.3#K....H..b...40..."..c._..d...M.Y.UZ....Q......d..).!^.........G...q4a..R.&U..._.....LY...'a... .~.NpA....4... ....8.H;3.\..!..k6.e.....~N8.. $/.7....(.[.L.rkU...%Z1#..'$m..atp./wT..=i..{.L]...$.....p.....W..gJQ<..I..Lp%k&T...3.:........3.TA..*cB...[D._..?l (.!.

<<< skipped >>>

GET /partner/gim394750002/release/live/InstallGenieo.exe HTTP/1.1

Range: bytes=864857-

User-Agent: Better Installer(Mozilla)

Host: download.genieo.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

x-amz-id-2: AsfOVK1IHuc7mLqhQt6ewOB 8WIACEwqgR8ME9cpeadCc/19oGQEWB Fsv oHkdvvgw/GYskQ1U=

x-amz-request-id: EDB4698CE09AD0AB

Date: Fri, 13 Mar 2015 01:01:14 GMT

Last-Modified: Mon, 20 Oct 2014 09:54:42 GMT

ETag: "d65611fbc4da8cea4e886076bec82d1e"

Accept-Ranges: bytes

Content-Range: bytes 864857-988407/988408

Content-Type: application/octet-stream

Content-Length: 123551

Server: AmazonS3

7f..]....|.5...[HZ-.....{\..Y......?...DQ....5Wp.!./...,LGv....- ......zw..x..B%9{..#....x.. Rp..by....KZ...k.t..y......8*.<.........L.d.-..@....a.v.s..,...}..l....g....s.6*...".....F..f&.0.p..-....q....UN.....^...-S.3.....@ /2.;......v.(.#....2.......Z.un....:....U.J4.......l.....S.........Y....".W.1..r.-.!./.a.......v....6.......l..a.!.^.;..8.t.]qeq..u..7'/..I.fEd.m....ij....L..R..$......0..1O.......D.C.........n...^...eC~...>ec...xU?4......Y-s.F...y,..cM.....'.b.w-..z>U.... .9.K.!4..y..&N...Y..$...R*........b....V....\6l...H..`.{.....4.Z......X?.q.2Y.D..J.Z.z..~..p.JP(...v.#..P...._ ....G.s $..x[.e..$<V!....h...I.h9O%,....R'S..F...*.G......I.Sp.1]....#|K.G..S........."=.XZ....9.......S.DR..)9..x....:.....$......=....n.....{.J.......I..[..VLm.6l.!=..Q.v.....f*....".)>..D.1......t..:9.....d5.).y|w..Z.(.=~....2Ix..o_;..........'..J.2Ds.!q.v.-.....#."..iq.:1A[d...]....,....-(.^Q..R.>..-=...[=.M.c...%.\hu.t...M...h.WC:r......|x)....[~k.[....d......@F....X.....*..7YQ..Kai.m7.....Y...D.2.o.P......(J&>z..\5....5L@..Y.t#r`o.h.....c)y...=.x..%...%...A_.r.Po...}.........Uq...V.r....i.m].!...)d.....I..R.$..)*..V.z..O.).n.15.qP.]t.9..'.J2y..9?..S.....4C....a..%.I....?g...5..M..cy.....o...........<...P.S3c.M../[=u.#.g.m.V._H=.....E.>U.R..3"..u.|j.n..\...r*.....o.b...;.j\.H......g#..S........hv..<..H!.(.......q.g .....Bc..u.E......./5.Qo....j....@^......J....._=.Iy..K.`.W..E.t...m.w.K..[<..e*.g(.T.fD=.........xeD.g....&.._.b..Lc.zvkn.Q.O..0NI...~.5.b%k...**.f...sk..)z[.0..JY.u:lJ?...'.M~.k.

<<< skipped >>>

GET /sd?is=sm HTTP/1.1

Range: bytes=0-

User-Agent: Better Installer(Mozilla)

Host: install-cdn.sourceapp.info

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

Pragma: no-cache

Content-Type: application/octet-stream

Server: Microsoft-IIS/7.5

Content-Disposition: attachment; filename=SourceAppSetup.exe

X-AspNet-Version: 4.0.30319

SVR: SP004C2

X-Powered-By: ASP.NET

p3p: CP="CAO PSA OUR"

Cache-Control: private, max-age=86400

Expires: Sat, 14 Mar 2015 01:01:11 GMT

Date: Fri, 13 Mar 2015 01:01:11 GMT

Content-Range: bytes 0-475991/475992

Content-Length: 475992

Connection: keep-alive

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................Z....... ...0.......p....@.................................$S.......................................s.......p..............h*...............................................................p...............................text....X.......Z.................. ..`.rdata.......p.......^..............@..@.data...x............p..............@....ndata.......p...........................rsrc........p.......t..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H.....nD..H.P.u..u..u...Hr@..B...SV.5.nD..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h..D.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$...nD...Si.. ..VW.T.....tO.q.3.;5.nD.sB..i.. ...D.......t.G.....t...O..t .....u...3....3...F.. ..;5.nD.r._^[...U..QQ.U.SV..i.. .

<<< skipped >>>

GET /mirror/nerocrossrider/appshat_generic.exe HTTP/1.1

Range: bytes=249864-

User-Agent: Better Installer(Mozilla)

Host: dpo55t230unug.cloudfront.net

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 35694

Connection: keep-alive

Date: Sun, 08 Mar 2015 05:10:01 GMT

x-amz-version-id: zdbgB_7owwl7Hq6LIKQBG0yBaPWISKtC

x-amz-meta-s3cmd-attrs: uid:500/gname:www/uname:www/gid:500/mode:33204/mtime:1415096893/atime:1415097003/ctime:1415096894

Cache-Control: max-age=3600

Last-Modified: Tue, 04 Nov 2014 11:01:28 GMT

ETag: "518879abe3170dabd172dfffcd165598"

Accept-Ranges: bytes

Server: AmazonS3

Content-Range: bytes 249864-285557/285558

Age: 699

X-Cache: Hit from cloudfront

Via: 1.1 5f32e0f17e78c0bfe70226dd05074c92.cloudfront.net (CloudFront)

X-Amz-Cf-Id: xvkNAkXafdcHi7TToWdLi460swN3oFqUL2C5iTQYv2b0JBvHzfhbyQ==

..X..9f.q...%.@_e../xo....nFE5..b:.....I..}..ELr.......b.....=..Bq.G._...|.eh:..B_]...'.q.T..XMz4N.@.....?.....Kg.I....f&.\.B6...........f..Ff...,...i0E["...A/#.).....P..]..,.[..$.../..Q..>'...F.1.=.h.C ..l...Vc..^K]....z.Dp.<6.. .=..%$`.G...'..h..'"#......!^..}F7g..[.K..n~.s..4fo%.K.....M...-......GM|V.......N..o...(.,........1...=...J{....~v..C...HwM'rg=...Y..Y>Rj.[....=Xh%P.F(...Ph.D&..S.....EF..7....\.Z.&/`..1q......(./..A.WWs.....L...:^.`....:......z.7.m.c.Xj(...z.....z._.Y.Z.<..m....-F..-r.......yV....;\~....P...`qR..ue..Pad"..8.f&1/.w%.e...m.....M].c..C.}.%_.s.WQxQ..1.WO.Ea.76.~..r.&..9..%8.0.......xE..$..a/..*z.;khi.k".<}.....v....0)..a.&..Z..n..a|P.gjT....C.....[..W.g.4.k|a.Zw-....k...?.{.......ZM......_.>i.@.`<#...y.S.<.;..kf..u.....6....$..}2..6.....h.U#.......j..=.{.4..}....@)..K...%...z^cxR.".b....j.....T....U?is.3..L.D-v..{P....P....\...*..........NI.n.y...M....@...?d`N..k^...}....o5U.(..:'..|.c..wQ....)..T..y..uz.8......H...A....'}5....W.....u...@ ...s)........x..d.X.zz.p.....(.......c1..g.......S..Q....Ae..&P;7./...A...%)'....~.q.T.3..j2..1..S.C..Dq.`...c.yZOpP..1...z...D.3.f.__.F:.H......I..@.~...t..c.p.W.U."...1].>9..d:...i.6.......G{.mh..'...d..|{....:<.TZ..2I...._yI.fpG....S.??,.A.z7.@.gkP=r.....{z.Q...Q.~.......t......1.]..Sf(.QD...6.%...5\.&HW......h.n*.j.cnk..]....fz....W@... ..w...}.8...h.`n...........9>o.0.....pa.....U..\e..%J.....`....OF.{.P &.....v..bk..n.c.M&..(.....8e.YZMw..R.M]Qa....o.p.$g.D._.C...5........F.Pu{..n6...[.....T.&..N^.@.B.z.....hMQ.`2.

<<< skipped >>>

GET /mirror/nerocrossrider/appshat_generic.exe HTTP/1.1

Range: bytes=178475-

User-Agent: Better Installer(Mozilla)

Host: dpo55t230unug.cloudfront.net

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 107083

Connection: keep-alive

Date: Sun, 08 Mar 2015 05:10:01 GMT

x-amz-version-id: zdbgB_7owwl7Hq6LIKQBG0yBaPWISKtC

x-amz-meta-s3cmd-attrs: uid:500/gname:www/uname:www/gid:500/mode:33204/mtime:1415096893/atime:1415097003/ctime:1415096894

Cache-Control: max-age=3600

Last-Modified: Tue, 04 Nov 2014 11:01:28 GMT

ETag: "518879abe3170dabd172dfffcd165598"

Accept-Ranges: bytes

Server: AmazonS3

Content-Range: bytes 178475-285557/285558

Age: 699

X-Cache: Hit from cloudfront

Via: 1.1 111d7d2d6210ffae0900ad3d2e66bc5e.cloudfront.net (CloudFront)

X-Amz-Cf-Id: rG5Zg5jt2I3paAKoz7_hltUJ9Qxr-CkA34tNkWparKOtOcRk1-ATDw==

w.N>.Pq..A)...[N......B.x../.>GGya.k....3@.T..V.......b...j.5f..N.Z......j..&...h....A.hO..\....'.....sj.`.....H.S.|.s=.......I.)L>...c....i.>.....G.u..H.D....P......qC0<.(...m..y.dm.\1N.m...v.T`- .Ss. .G2..rk.......N{t.1ts..t@Z..y6..u...04..Q.......}......6P$....2.52..!.x....L.R. ..v.@...n......vc......Z....8..PT,.].\...a..........k.....A.....P....u`..I.///....b~.y..^...P...z..p..:.d.....R.4....U. ...../.M]..~.........(...... y.).. ..In.I.)..ua.*..N!Q.......1.e..b)F5...x.bS..f..|q.H..K...V.`.^...x!Su4_"?...uc.tY.m...%....r..be.z. ....0.^.....]y........)... .u_/..V..6).v..\.7n-z.q.............Y.w.oBk..f..}...M..@uF.Sp. .*.b.;..).....|.\@c..)......H.P..;......!"...gN.......9W.... ......NJJJ....N|..)T..aU..1....5~.G...=d.m..Qfl..?.yO|e...`.sXm$Op;."p................t=V.........Q....f.r0.........i...M......E....Y.../....N.7/.;.....|..R...(./.4..{)..~.M....).......f.w...6.^.0TB...H..c.......^-a.G`0ub..|a;.C..T.<..N/......^..>."....f..$..d.=.X0..x4R...W...=.....`..w.$\a/.~R.~<.....jS.q.es....-.....#W#.D.4H...tw...&.A.w/...t...[H"D....9E].....A....B<D.7[.2.3.!.......P.......R..R._.I...y........(.V.WH..t.U.NG...5.l@.Pr.......L.k.\D.k.2....3.."."........p...?_X.........$v.....,......\.V..EV.G...........Z.DO....B..V...%.D....].n..`...H.!..=<.. Y.*l..].j.u.d.o.M.i...>..m........$K..@.....]~.H.z.p.O.?.i.&.U.....U."<..o.S#..x.....s..g.[.....A.6~'-.1D........`Pim2....;.xsV2.'7.#..jlW.1-..4......h ..~...oV..."...]|..i=.....V(.....e..!..EU.d....ui..9).....^P.o.g..e..H.1x.....\.#..D....G.w.p

<<< skipped >>>

GET /mirror/nerocrossrider/appshat_generic.exe HTTP/1.1

Range: bytes=107085-

User-Agent: Better Installer(Mozilla)

Host: dpo55t230unug.cloudfront.net

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 178473

Connection: keep-alive

Date: Sun, 08 Mar 2015 05:10:01 GMT

x-amz-version-id: zdbgB_7owwl7Hq6LIKQBG0yBaPWISKtC

x-amz-meta-s3cmd-attrs: uid:500/gname:www/uname:www/gid:500/mode:33204/mtime:1415096893/atime:1415097003/ctime:1415096894

Cache-Control: max-age=3600

Last-Modified: Tue, 04 Nov 2014 11:01:28 GMT

ETag: "518879abe3170dabd172dfffcd165598"

Accept-Ranges: bytes

Server: AmazonS3

Content-Range: bytes 107085-285557/285558

Age: 699

X-Cache: Hit from cloudfront

Via: 1.1 5f32e0f17e78c0bfe70226dd05074c92.cloudfront.net (CloudFront)

X-Amz-Cf-Id: BQ4KRgien6T-8UjSRGXQQy-p_pXzHrB5yOfgES-6COfTHS6gb94jxg==

...^]..)..;....h.d1...5^1...B...Q...z.N....WC'./..h......U.S....[...*.>P.^jM..%i.3T5..w..$.X......?u.U...!.0..s.../..F.....i...k........9M?.....p..3....J.Q.../s............8.0w2J"h..1...W.#R@iQ.Y.,Kao.@..:Kl...Pk./%.$.G..WF......i@....Px.-(j8&R..;..KE.UZ..&..........B.Y...'3D.....K....>..6/......DM.....5B...k.I5.&....3....2..oe\7...@.....Y...?...0r..J..ko...Kr.3.?A....um..r6..k......3....tX.....hQV.'.`.....X.3uM...6...J...O...@...z..OC"}.e..W.......BP.i...(GG%...P.]3".q<.A.l{.......u..J.J.J.6Z(..-.w......)....nI\Z.B.>.xi#p. .9._(..m......"..c...AnY.~......;..W....(..".d...EF...2..V....D..I .._..z.Y..o.......^...i2.c....'J...0B?............<...TM....T..)....Y../..Xg......>|mC....O.......-7.z 9A..U..<U......Z.Q.X...i...C...D.s_...^..r..aJ....mm......p.......W.......'.*....LA".P......Y5np.z..../ro..>..\.$d-.i_.g..=...*.]0$.Z:r...D. ..O*i.......B.%..K..^@...6Z....%....c...q...z.R!].w(}.e.....R}7.c.......-...0/..i.....;..... ...'...tf.=....g>.N...A........\..vHz.........{5.."s.........R...\.p.xj}...~=..w.V..$%....,o..Xa>...8.Q..E.....b.qL.K..a.....o0{...CEd/......J_n.......0T....#. .x...k0.....M'yr.X.U..E...oF.z.rE.oX....E...q...M..l*....q...~.`b..\..#..kJ..Mlt".P9..B.Y..r.j....Q.Y.1..w...%.x..nH....Mg-....#RZ.g..c...`no~.~.=.7y.....cI...jM;.....8.4O.Y...w..5..RZ.}..`..V..z/.{.....t..y#Vr.9_;.-.G....s..\l^..h.]...{.^...{..`...oae....A...\&|....4.z..........t.0...MzJ'...!.iW`x.xG#.T.Q...p..<.7...S...... q.6n=m2....o..aW.xp..s@......Ueu.nI2D.........H{h;k.o....#.H.".c..<I#.b......].

<<< skipped >>>

GET /partner/gim394750002/release/live/InstallGenieo.exe HTTP/1.1

Range: bytes=741306-

User-Agent: Better Installer(Mozilla)

Host: download.genieo.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

x-amz-id-2: iqPfZ1H5T1POK5TtP3eG9azfyPG42k/qdceyImbCZERNJohATp07H xEI/Sx/YnFCF0JumlorqA=

x-amz-request-id: B22F5CD1FB0A9883

Date: Fri, 13 Mar 2015 01:01:14 GMT

Last-Modified: Mon, 20 Oct 2014 09:54:42 GMT

ETag: "d65611fbc4da8cea4e886076bec82d1e"

Accept-Ranges: bytes

Content-Range: bytes 741306-988407/988408

Content-Type: application/octet-stream

Content-Length: 247102

Server: AmazonS3

......yM.[....~.....8.^..$5*iD..8.'.~N.1.Dfm.Pz.\..M.a.. .h#....H..&...@..............*P......\..d....#V..Q...p7.sY....8FX.....k...~...P....Y@.G.].....y..N.k.%U..L......8..?.....8..x.v...{.e.. .p.Zp..O...JBe.H..M.\(..y.d.&.B....H*........5...........uZ...JfY(..;.x.......k..w1......>.n.&$I....~K...M......w..#A....D..ms.z...zx.a6.5.BY..k.f...$.....H|..^.....9...F.m.u-...'...H.w.eYA......{5....R."..d#..z:..0......H.......su..........t.5.....8.t....T1...C7.9y......_wO_...b.....)/....^......NH...7.;i...U..o...u..k#o....\Z..Ha^..T.H"'......s.........1...U.{g..r..*o...^.....t%B....o.DV......!...8.....V @j....P.4o.z\..B.8S $z8./.x...~sw?ol..f.0}...a..`u.A...(n..o...:.).Ga..h^.jZ.'.c...q..^$..).....n.....y~~s[50...E.. ...S._A.F.}...F.e.shd<.4fL...j....|E...'U..e.B.....Q.!J...K..Q._......6ME....b...`8.!.5.E..........'1.....2.D.SA.Lo.]../..d.........SP......-n..g*.k.../....G]{..R...6s.....j.;..M.4.......s8.Q~.jbx.o.!..G.O... ..C....).:..........n".c.=.q].e..2.D....J..lFny../-....e....?......3`.|.......n.A...|h$;.....wu...1...4z9.t..#..f.>....A.).._..J..Bs/5.b_....C.}.....&...nU?n...Lb.hH....H.o............RE.{...=.v.sjw.m!4f..AC).....1..F..A*..s.......;z^NMQ.P..D.SEf.......AM........$.qzgM......=.....A.8..y...,......{..|......!...Q....u..............m...8?......q...t.w...M.yE.D.K.h.........).......|....#...3....[.6.G......C..e..T.....!......k=...JuEzV./.w..."Cj.0......~T.N........O.[..G5o..........Q...V.c..H.......'z..mX1.......}w.NE.K....j.1T=.)}.....zS..9...v......A....$...........r..dc.."r.0..l..h..H.......;..

<<< skipped >>>

GET /partner/gim394750002/release/live/InstallGenieo.exe HTTP/1.1

Range: bytes=370653-

User-Agent: Better Installer(Mozilla)

Host: download.genieo.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

x-amz-id-2: b/kyKsJw vJizvwQ8VMG2kbqSCInyzdI7beTqRi2 s9DItLUEtH4fhnCIDv 1TT8vWLN8yhRgY=

x-amz-request-id: 6198B39B5D94F432

Date: Fri, 13 Mar 2015 01:01:14 GMT

Last-Modified: Mon, 20 Oct 2014 09:54:42 GMT

ETag: "d65611fbc4da8cea4e886076bec82d1e"

Accept-Ranges: bytes

Content-Range: bytes 370653-988407/988408

Content-Type: application/octet-stream

Content-Length: 617755

Server: AmazonS3

.......F....T2Y..B..U7...r....yR.5e..v.l.....a:{r.Ju.$..F}R..7Ul.4...Ni]H"x.O.....7..<...._*.;.....}U.).@k?jCE.4C.6|..{E.......1..t.^.<..F..z..>....-@Y.j&.e.......7u.(.q.1....=jm...e....- .......S>.E.:.Qk..../l..n.J....R..^s... Q72.....Z.....X..IK.D}.. ..1?r~.. ..O..y...y.7..\.h.Q..w..E...I-._....[.....K.jG.....q.5.*?...R\.f....u..P.?.i.>l.9`..g..Q...p.f....k.m)...dK..N..).P.............w....!.......e..`.:...n..Bp2.jr...td.....~....wi-.P..?j8.j,.....].....K.<H...n.....2.?".?.....4...QR...<R......c.\....._.%..v.dg.N. ...e.Xe.,&7,MY...:,e.Z...,% .\.hK.....Y....^T. . ....<.A4.....6.(._x>........V......Sx.M.b)5)....Q.....V(..,..<t2.v.b..H.C...K......f];...a.R..14...#Y..u.Aj....8<...... (.....l.DsaM#..$[_.IM|.WK.[%..[u?~...4.n.%..a....."...h/..i...`M.../...............X.\F.q.......;#....f....x.h."....m..3nK.Jp(k..8.1.../.r.|...(.....#.,.....&%0.y..,......)..5.~.,...V...;d.Vu...H.4G.#l....gL.j...y..?o...>I..)...g...H.!.;}/.Z..5.j...5.....uR.......PM{....=...O..hDI...=H.6.PL..a6.!uz(.A........T.w...../..X..`\.x.7.'........>..............?.......h..2.U9..J.=k..a..qo@....af.@.^r#U.F...qv..D...j..%....8......r.%...K.....v$...i.t.....c.E......o1e.Z>."..._4.UM$Keg..D...F...:.-1.ak.........-..|Y..A.#].g3...7..4......Z..-.Q..yS._.uL.nK.e.M..Y"...p0OX...s2$w1....y.....06.)...(..C...\.gX..>.h&..-.q&1....C..lI..>.W..T.J..MS..l.u.m81.R2..03R..3.<.....=X.........m.$wNp(3....D2.5.i..D4E.G..Z..?....eO.R.e......(l.Y... .....PE..!.|....M....@7...u...gm.hO.WP..[XY.dz.;.u....U..r.... a

<<< skipped >>>

GET /home/smt_istartsurf.exe HTTP/1.1

Range: bytes=0-

User-Agent: Better Installer(Mozilla)

Host: VVV.girlliuxiaowei.com

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

Server: nginx

Date: Fri, 13 Mar 2015 01:01:10 GMT

Content-Type: application/octet-stream

Content-Length: 290400

Last-Modified: Tue, 10 Mar 2015 01:55:04 GMT

Connection: keep-alive

Expires: Mon, 16 Mar 2015 01:01:10 GMT

Cache-Control: max-age=259200

Content-Range: bytes 0-290399/290400

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......M.C...-R..-R..-R...R..-R...R6.-R...R..-R...R..-R...R..-R..,Rt.-R...R..-R.E.R..-R...R..-RRich..-R........PE..L....<.T............................ 8............@.......................................@.................................08.......................R..`....p..L...`...............................h...@............................................text...#........................... ..`.rdata..f...........................@..@.data...$K...P...*...2..............@....rsrc................\..............@..@.reloc.../...p...0..."..............@..B........................................................................................................................................................................................................................................................................................................................................................U..3.j.P.u..F......F......>.....]...U......V..M..;...i..... .;E.s..E..M..I....s..M.S... ]... M.;.w.h..B..b....M. E..M..E.;.s.j.Q...'....]..F.;.tR...r..........r........u....M....E.QP.........{..r....~..r........u...SP.B(........U.j.[;U.wG;.r.......;.r.......RQ..P......F....;.r.......;.r........u....M....E..F;.r.......;.r........u....M...Q..P.d....F....;.r.......;.r........u...QP.>....M.....~...N.[r.................h..B..p....U..Q.}...M.u.;A.viS.Y.VW;.sY .9].wR3.B U....y..r......M....SQ.E.P.&.M..}..

<<< skipped >>>

GET /sd?is=sm HTTP/1.1

Range: bytes=237996-

User-Agent: Better Installer(Mozilla)

Host: install-cdn.sourceapp.info

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

Pragma: no-cache

Content-Type: application/octet-stream

Server: Microsoft-IIS/7.5

Content-Disposition: attachment; filename=SourceAppSetup.exe

X-AspNet-Version: 4.0.30319

SVR: SP004C2

X-Powered-By: ASP.NET

p3p: CP="CAO PSA OUR"

Cache-Control: private, max-age=86400

Expires: Sat, 14 Mar 2015 01:01:11 GMT

Date: Fri, 13 Mar 2015 01:01:11 GMT

Content-Range: bytes 237996-475991/475992

Content-Length: 237996

Connection: keep-alive

.d.....o.0Z.`....u.=1..0&.D.........7J.0O.o.7..n....Ay....`JP@..m..Nd..^!U... ......7d....f0....#....|....'[.>..v.[Q.v.zG.YV...kc2.e.(-.h...^...5..:ai...)..FHf..%.T..Rp..5..\x..-..3........F...=....(....}..K..... ..,.@\`).x5.....x.......(.D....Qc.....p...#.*....o.:ZW...Q.:j....r6A...a|.UhN{/$.9.w.D..F.`..=Z.l..:.gpHu.3.X3#.....n?...^.....n-w .......n......9hE..j.._.,....K ..R.e..?.<J.~P....W<.*....7.h.i..q.}x...&....F..D,T..=.Z.T.v.u../..].n...........p....j.. .<.......W.......4..y......E..VveH. 0...n.p....-.C.....m..t.5....j(.....@....qp....7..b.7!.....y..4.......I....=....a3rW.......T.F2p......VEH..:....@...<F8.'z.v.5...j...C1.d.}..[....r.R..H..s...jM.c........q%.j.".A..l>7_.Z..#.c.z..6<.Y..]Y.-....K.........|U..Uh...V...v..,='l...a.y9.....S....$I/.H...\.f..#8....h..q....g......:z.cq...|9Lk#..../H-.sKo.t......,7;.}...6....}U]n.1....m.l.'.s.X.#g.Y(..eW|O .o.....;.:.X...F^....r .q...B>.n...D....).5...<..d..{tv.`......[.7.@...O.......Oz...&..Y.C.d.mj..]......W..4./O$:Q9...(...)...he..U...X{....S.....a.Z7..2...oo...4..E..G.....q.&.....N....x-!. .o.@.e.8._f@#'a.%r..$7Xq..._...)....NW.;q(A...;u..j..X8..$5.F.l..q..f..2...fG..S.s\>.D.jh......|...#..}h....`2R.a....<...Ct..3.0.-/!......z.N.U.T...q....A<..........U...n[:..h....;.8>..y.l...>......m...._..l..^e.A`...f.).(C.l.R.J...zj......u.i..-..6..../...O......K....Fx.a.........{l..9....}...8.|....L..n.....X.q.........!O.H<..i.TB.<...zR. W..h.;}.Z...@....Z1....L..U.`V.....v...d........4P5(Vj..#........3..g5..bw.S.c. .._...

<<< skipped >>>

GET /mirror/nerocrossrider/appshat_generic.exe HTTP/1.1

Range: bytes=71390-

User-Agent: Better Installer(Mozilla)

Host: dpo55t230unug.cloudfront.net

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 214168

Connection: keep-alive

Date: Sun, 08 Mar 2015 05:10:01 GMT

x-amz-version-id: zdbgB_7owwl7Hq6LIKQBG0yBaPWISKtC

x-amz-meta-s3cmd-attrs: uid:500/gname:www/uname:www/gid:500/mode:33204/mtime:1415096893/atime:1415097003/ctime:1415096894

Cache-Control: max-age=3600

Last-Modified: Tue, 04 Nov 2014 11:01:28 GMT

ETag: "518879abe3170dabd172dfffcd165598"

Accept-Ranges: bytes

Server: AmazonS3

Content-Range: bytes 71390-285557/285558

Age: 699

X-Cache: Hit from cloudfront

Via: 1.1 5f32e0f17e78c0bfe70226dd05074c92.cloudfront.net (CloudFront)

X-Amz-Cf-Id: bXVvNaKoOJIgvyYPIKtuZzHvm0EDukKClyXhgelSuVF-WNWU40DKnw==

..IK.#.ikv7..=....\z....if.J^.;,5!.._...MR..w.OX..&.....p:.........5.L.iT.L.O.....7D.]b..........3.. 2=v.a.....^k....xp .`..y.1>...A.Q!..._.J.D.......j..].8v....>.P.\ei%..OU[.V.p.*ky..E*.D0).-l.B.....*..aG.b^..T.yqu8.Np.'.Z&V`..-..2l..Bu.l ........4X.U..9p..}E|..J...".m..:.....@..8auM.wLc$h...8D.s"..]......3.. .$..H.Sf.z.....q.Ke.....b.......IO[......U....l..-.!2......2.ed...M...@..s..K.....].<.........g.mG..as..ez|.C.......=p.^U|.`s6.).\).]........2j.....N....a...i\.m.<......8......z....=....i.s.2...r...n.=h.D".O.MN..a.S..f. .S.i....N>.O;...>..4%.{.L....... m.....%.Hw.U<...."...ns.Z....).)`o:....O....0..SDt..|V.G...iU.d P..x..{`i[.X.Uh..@..`C...;6.\..y.]-W.... ...G9`.%i~.G.......r#`...`...G....Z..KQA~'vL2XAM..(o......jU.....3........7...o.q...9...@....dO.r..c.KO.`....u...G......H.N.|..;#..G.n]J.Kx......t.if.8u.^....L..L..;..# 6...p ...........U..KU%....F...>....L.sZ.Cm.!..cllj...&.:......p..y.....ds_.....W..t2.,.I...Z..c.T?/&O...8..q..<:Cp.....7&.D7.....e,2.)..G..FP.l. .N....(......I.......4&...8.1;...M...=.2..%;.V).>..5e...I...@D....0.!..GHUZ.nnh..........n#.....F.v.S...Zy.m..........;..k...3..(. .k.............,H.D.L.....K...`[.. C..7X.uq.zV.t...m..`..H.....s.e..R.7...4.F..`.b!..N.pY...=%K...s.Tt*9.rR..A....xt.hR.k..25...=`...7.........&=....vK.A...4.d7y.....(....7.(..l.k...h.C.w|..yP..#...lNI..\8....c...I&.h.[.=p... ...._......).;.>"@.....@.n@..)...,....80.W......kh..z8.......W3S..E...3..H....^.t.L.\........3G..b.....!.^....U......d..k.X...84P..%V........O._.rg.7.g..`G4.$u.x

<<< skipped >>>

GET /partner/gim394750002/release/live/InstallGenieo.exe HTTP/1.1

Range: bytes=247102-494204

User-Agent: Better Installer(Mozilla)

Host: download.genieo.com

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

x-amz-id-2: PxuHQflRmAPLjlQLtJfQT4AR/1TG4VJJG8Qn6TwgRfOLG5wXsGN 9oZdg2NFYKdo3pjvHIjXxdE=

x-amz-request-id: C5B3648613C5C4BB

Date: Fri, 13 Mar 2015 01:01:14 GMT

Last-Modified: Mon, 20 Oct 2014 09:54:42 GMT

ETag: "d65611fbc4da8cea4e886076bec82d1e"

Accept-Ranges: bytes

Content-Range: bytes 247102-494204/988408

Content-Type: application/octet-stream

Content-Length: 247103

Server: AmazonS3

-s...R.... .e.>7........... )..51.n4..@..)....ck.../.01-. Z?L....k....O..<2Ma....7..r.2....j....O.".A......dK..&G..Hj6.(.P....ZxVA.>...Sr.l:.86....6bq.....>.d-p~R{..jI.L..M. .8O....q..[..J4...T..l.....m.......)e.C..A....I,cPy2|.."-...".M.O..v...=Q......|.......'..Z..I}....Dw.....f.i...m.~.o..H'.j.....&.agE.`._`.>...[.:O...^4......3...7.{.a@.m...9..bH...<......BY..4C.}..Qf.'(.....rRf?...q.=|....|....[........E..Gu...oD2 ...E/....2$..k......o......E.. h.....s7..ouq...N..".o.....L.....%.8-...zG.._.|.B{.e(w.iy.....ALA.}.,.cf1%ZE-.U.....oa.F.~|o.":,.N.s...N.^x....GT..(.!..oy'.N..?.L....7...)..f1nS.P.6....._v......._)S......`....qe0.d.DI............sq..su...{j..Y..'...;..6.{..@..Os3p4T8.z...8....L.Q.F...H../...b...(..k._..z.a...f...0......}.......P.|-.3.g...<.,w=P.tk_$..p..\,...K..*..........S.....l&..^C.q.J...OD...$..T..x...`........:Ea#"...fv....p.u.YWE.........m..E...CV....=sR...=W.DC..jQ..o.74;9 .5y^.H&f.3..|X.......w. ..^./E...X..lC.|.hR.. ...._Jr..v...E..X~.D.Q.......5.>...A..v ...a~=..F ..{a"....yj F..].n......=1H..

GET /mirror/nerocrossrider/appshat_generic.exe HTTP/1.1

Range: bytes=35695-

User-Agent: Better Installer(Mozilla)

Host: dpo55t230unug.cloudfront.net

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 249863

Connection: keep-alive

Date: Sun, 08 Mar 2015 05:10:01 GMT

x-amz-version-id: zdbgB_7owwl7Hq6LIKQBG0yBaPWISKtC

x-amz-meta-s3cmd-attrs: uid:500/gname:www/uname:www/gid:500/mode:33204/mtime:1415096893/atime:1415097003/ctime:1415096894

Cache-Control: max-age=3600

Last-Modified: Tue, 04 Nov 2014 11:01:28 GMT

ETag: "518879abe3170dabd172dfffcd165598"

Accept-Ranges: bytes

Server: AmazonS3

Content-Range: bytes 35695-285557/285558

Age: 699

X-Cache: Hit from cloudfront

Via: 1.1 f16aaf9742c058884a37f43c56e4a874.cloudfront.net (CloudFront)

X-Amz-Cf-Id: GM5I-epK_FWbXFFhP_zuqxfsKOzGHMwW3VhypaJa9HHvSP8RBxFjNg==

.CA@.khh.............hfe.ONM.>>>.555.,,,.&&%.!!!.................................$"".)''..,,.200./--.*((.866.QOP.qpp....=........................................................................................................................776.........%##.=<<.ecc.............ihf.OON.>>>.444. .&%%.#!!.................................%##.,'(.0...100. )).- .@>>.XVW.~}|.............................................................................................................................AA@. .....&$$.<::._]].............kih.POO.>>>.444. .%%%.#!!.............................#%%.''&.-)).1...0//.*((.200.HFF.`^^................................................................................................................................_JJI.##$.....##$.<<<._^^.............kih.POO.>>>.444. .%%%.! .........................!!!.$&%.(((.-**.3.0./--.*((.644.LJJ.ecc....k...........................................................................................................................9UVU.&&&.....!!!.999.___.............lki.PPO.>>>.555.,,,.&''.!##.. ...................... ."&%.())./ ,.4/0./ . )).:88.RPP.hee....3...........................................................................................................................!`_^., ..... .444.YYY.............kmi.OQN.>>>.545., ,.&%&.#!#.......................... ..#"!.)&&./,-.310.,)(.-**.><<.SRR.nnm.........................................................

<<< skipped >>>

GET /piratebaymirror/neongenesisevangelionplatinumcollection/da282e2bbb7e4e4483dc4da5b3e19aab?v=2.0&muid=BB240EA4D92FCC6BC5CA46520F398ADC HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: bi.bisrv.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx

Date: Fri, 13 Mar 2015 01:01:07 GMT

Content-Type: text/html; charset=utf-8

Transfer-Encoding: chunked

Vary: Accept-Encoding

<<< skipped >>>

POST /installer/ajax HTTP/1.1

x-requested-with: XMLHttpRequest

Accept-Language: en-us

Referer: hXXp://bi.bisrv.com/piratebaymirror/neongenesisevangelionplatinumcollection/da282e2bbb7e4e4483dc4da5b3e19aab?v=2.0&muid=BB240EA4D92FCC6BC5CA46520F398ADC

Accept: application/json, text/javascript, */*; q=0.01

Content-Type: application/x-www-form-urlencoded

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: bi.bisrv.com

Content-Length: 2694

Connection: Keep-Alive

Cache-Control: no-cache

country=UA&uid_orig=da282e2bbb7e4e4483dc4da5b3e19aab&uid=da282e2bbb7e4e4483dc4da5b3e19aab&affid=piratebaymirror&sid=neongenesisevangelionplatinumcollection&cli_id=&softwareName=Neon Genesis Evangelion Platinum Collection&installerVersion=2.0&osVersion=5.1.2600 Service Pack 3 32bit&ieVersion=4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)&defaultBrowser="C:Program FilesInternet Exploreriexplore.exe" -nohome&defaultBrowserName=ie&originBrowser=ie&hostBrowser=ie&tzo=MTIw&muid=bb240ea4d92fcc6bc5ca46520f398adc&cu=false&cd=false&tokyo_csrf_key=08a915df8ec9ff5ca07fa1197a3235ac&tokyo_csrf_timestamp=1426208467&unique_id=f851beeaa9065db1ee91294fc5689b2c&clientIp=193.138.244.231&ffInstalled=false&dfz=false&avdr=lDKrp/3VMDh61tuJfJlrKXs1VI6ezbhGnJBKbIRjXeIYfcyodTGERY6ZOIkepjCAJ6l5ti1eroI6fZ94jJ7hVTGSxjM0U9E7

HTTP/1.1 200 OK

Server: nginx

Date: Fri, 13 Mar 2015 01:01:09 GMT

Content-Type: text/html; charset=utf-8

Transfer-Encoding: chunked

Vary: Accept-Encoding

1fce..{"dictionary":{"Finalizing installation, Please wait.":"Finalizing installation, Please wait.","Exiting now will cancel the installation of %software_name% \nAre you sure you want to exit?":"Exiting now will cancel the installation of %software_name% \nAre you sure you want to exit?","If you accept the terms of the agreement, click Next to continue. You must accept the agreement to install %software_name%":"If you accept the terms of the agreement, click Next to continue. You must accept the agreement to install %software_name%","There appears to be a network download problem. Try again?":"There appears to be a network download problem. Try again?","There seems to be a connection problem, please try again later":"There seems to be a connection problem, please try again later","Abort installation":"Abort installation","To cancel the installation click abort":"To cancel the installation click abort","To install without bundled offers click skip":"To install without bundled offers click skip","Otherwise click continue to proceed":"Otherwise click continue to proceed","Resume download on next windows startup":"Resume download on next windows startup","Abort":"Abort","Skip":"Skip","Continue":"Continue","Decline":"Decline","Confirm":"Confirm","Optional offers":"Optional offers","Read more":"Read more","Pressing the \"Skip All\" button will skip all the optional bundled offers":"Pressing the \"Skip All\" button will skip all the optional bundled offers","while allowing you to continue installing":"while allowing

<<< skipped >>>

GET /pinger?event_type=offer_shown&installer_source=better_installer&software_type=sponsored&muid=bb240ea4d92fcc6bc5ca46520f398adc&client_uid=da282e2bbb7e4e4483dc4da5b3e19aab&uniqid=f851beeaa9065db1ee91294fc5689b2c&affiliate_id=piratebaymirror&software_id=neongenesisevangelionplatinumcollection&sponsored_id=istartsurf&tokyo_csrf2_key=84803c5219e63d6e8599911dfc4f01e1&tokyo_csrf2_timestamp=1426208469&slot_number=1&index_in_screen=1&index_in_session=1&display_height=68&0.1199777363849811 HTTP/1.1

Accept: */*

Referer: hXXp://bi.bisrv.com/piratebaymirror/neongenesisevangelionplatinumcollection/da282e2bbb7e4e4483dc4da5b3e19aab?v=2.0&muid=BB240EA4D92FCC6BC5CA46520F398ADC

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: bi.bisrv.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx

Date: Fri, 13 Mar 2015 01:01:10 GMT

Content-Type: image/jpeg

Transfer-Encoding: chunked

0..HTTP/1.1 200 OK..Server: nginx..Date: Fri, 13 Mar 2015 01:01:10 GMT..Content-Type: image/jpeg..Transfer-Encoding: chunked..0..

GET /affiliates/eula.html HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*

Referer: hXXp://bi.bisrv.com/piratebaymirror/neongenesisevangelionplatinumcollection/da282e2bbb7e4e4483dc4da5b3e19aab?v=2.0&muid=BB240EA4D92FCC6BC5CA46520F398ADC

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: d3fih8vt5tnw32.cloudfront.net

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: text/html

Transfer-Encoding: chunked

Connection: keep-alive

Server: nginx

Date: Sun, 08 Mar 2015 05:10:31 GMT

Last-Modified: Sun, 26 Oct 2014 17:23:05 GMT

Expires: Sun, 08 Mar 2015 05:20:31 GMT

Cache-Control: max-age=600

Content-Encoding: gzip

Vary: Accept-Encoding

X-Cache: RefreshHit from cloudfront

Via: 1.1 f16aaf9742c058884a37f43c56e4a874.cloudfront.net (CloudFront)

X-Amz-Cf-Id: ZuuLyCQ5zNHrZfQPSCiDVPfIq75avXQTTIMFiRM0FO_eFdLpzRVZGg==

1500.............Zks.F......N.......|.-y."!...P.P.... .)".....1S..{....R.g.Jl...}.{...>....F7..ZV.T]NO..Pu....?...Q4R..G.c...VEE..I..Y......:..Z........?...n...G......o......w>.o.d..U.../......4..`..?~{T..d]..i..;.~......y.Q....7i<,..<.....d...|...l.?..t..F.OeU$.....:Xl..U;8...Q.~.vGw......E.I.....z.7S....q.I..f.q.DW.....U....|..(.u.1...z..3..|....A.....:.............P....X$..*.w..........s.;..]..........u.?..%f...~....S..b...,..........5.(,Qm...w .NK...Y>......u.......}n..C......8$....)..R..4IuwS....h...*...f.e.q7...<y...I.....:8...s#Z/M./...B...s..|}.........@..T..)t..uJ.WR..._.LTvz. yV._.L.tz..6 ........e.......6.....#b.j.A..yw.[.p.a...6n.6;(u40..8.....&..DT.....EQ..k..JD.C....zDq....W...X...f.W..D....I.:............~..........f..a.QZ....>f%.(..n....z.v.u.mCc..].......u$..S..UK<...."T.......dhR.U7i.3.......4.K.....6..-..]......'$Y..9$.....U>Et....y....M..M.2x.....`An|.^.t'O.. !..m>.:8.KZ.........$C...f..Ll...4.<ZGm.$H{Q...........z..m................p........|C.......i^.W.}'.>..*.....z .=,..7..L.WY^..T./..zS&...w....g.x..O.U\$q.S....Y.S%*.7..................W..,^'8......o..W..Z....Q.U.7bp...l5.E....=P....A.D;45....d.q...Jg....."...<._&...>(VQ..<......Q..v.....?@,...h...P8..i.<N.......fs5.u.8...8v..-. .....OG..'O.....3{*1u....P..?TK...!..:...e.......6.N./.....C...'...V&.].....|.b...\.D..J...Y...n-.j.j...u..G.....B.h.Z......s..dw...9.\...D....]w.n..r...~..q4.St........&..3RC'pO.....p.C.2R..."7..6x8.'#/..I..S......vd..r......I.9..79..B.4..^}ur....S..s...u2."...~

<<< skipped >>>

Map

The Application connects to the servers at the folowing location(s):

Strings from Dumps

biclient.exe_980:

.text

`.rdata

@.data

.rsrc

@.reloc

PSShP

SSSSh

RegDeleteKeyExW

FtpCommandW

Summary

Dynamic Analysis

Removals

Static Analysis

Network Activity

Map

Strings from Dumps