Trojan.Win32.Swrort.3.FD, BankerGeneric.YR (Lavasoft MAS)
Behaviour: Banker, Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: e046da1b39202825155947371254a4e6
SHA1: 6201513bfe534458135a8856d9ff4799b25349b3
SHA256: 68ae02712bbd848b2841d7bbe3978077953b4f5fe160f74c9047eccdfbbee889
SSDeep: 24576:OUJndyw/c5zsCZOK06t3WStqe/YLNB3f tV6MbEEO2v:VVdywMzJOs3HqhRBWtVJ
Size: 1270352 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: BitTorrent Inc.
Created at: 2014-04-19 02:11:18
Analyzed on: Windows XP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
imapi.exe:1264
BrowserTabSearchMediaBar.exe:2792
BrowserTabSearchMediaBar.exe:304
mediabar.exe:560
wuauclt.exe:540
%original file name%.exe:1232
pack.exe:1308
regsvr32.exe:1736
SafetyNutManager.exe:1652
SafetyNutManager.exe:1060
msbloader.exe:420
utt14.tmp.exe:1624
The Trojan injects its code into the following process(es):
safetynut.exe:2288
SafetyNutManager.exe:1092
msbloader.exe:3192
uTorrent.exe:1628
File activity
The process imapi.exe:1264 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Temp\rjkfg2dp.TMP (146970 bytes)
The process BrowserTabSearchMediaBar.exe:2792 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\BTR-BTS\ReportingHelper.dll (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\BTR-BTS\insthlp.dll (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp4A.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk49.tmp (26309 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp4A.tmp\nsisdl.dll (14 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsp4A.tmp\nsisdl.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp4A.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\APNMagicSearch_Reporting (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\BTR-BTS\insthlp.dll_0 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp4A.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu48.tmp (0 bytes)
The process BrowserTabSearchMediaBar.exe:304 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\BTR-BTS\ReportingHelper.dll (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj40.tmp (26309 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\BrowserTabSearch\BrowserTabSearchUninstall.exe (7192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz41.tmp\nsisdl.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz41.tmp\System.dll (11 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\BrowserTabSearch\msbloader64.exe (3616 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\BrowserTabSearch\msb.dll (12088 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\BTR-BTS\insthlp.dll (1856 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\BrowserTabSearch\msb64.dll (13584 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\BrowserTabSearch\msbloader.exe (3312 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsz41.tmp\nsisdl.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\APNMagicSearch_Reporting (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz41.tmp\System.dll (0 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\BrowserTabSearch\msbloader64.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz41.tmp (0 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\BrowserTabSearch\msb64.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3F.tmp (0 bytes)
The process mediabar.exe:560 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsx18\nsk1C.tmp\BrowserTabSearchMediaBar.exe (3465 bytes)
The process wuauclt.exe:540 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (2016 bytes)
%WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)
The Trojan deletes the following file(s):
%WinDir%\SoftwareDistribution\DataStore\Logs\tmp.edb (0 bytes)
The process %original file name%.exe:1232 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\plus.btapp (796 bytes)
%Documents and Settings%\%current user%\Start Menu\µTorrent.lnk (820 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\utt38.tmp.new (2 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\µTorrent.lnk (798 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\player.btapp (3 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\D944B3378FAB35793B7951FA53E41B2AB9CC462B\main.css (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar11.tmp (2712 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\72F0D3E2141065DACF6134D07A06A2DF20590748\main.css (946 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CabE.tmp (54 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (408 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\D944B3378FAB35793B7951FA53E41B2AB9CC462B\index.html (3 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\72F0D3E2141065DACF6134D07A06A2DF20590748\icon.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab10.tmp (54 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\featuredContent.btapp (14 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\72F0D3E2141065DACF6134D07A06A2DF20590748\index.js (1 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\toolbar_offer.benc (28 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\D944B3378FAB35793B7951FA53E41B2AB9CC462B\empty_movie.gif (282 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\72F0D3E2141065DACF6134D07A06A2DF20590748\index.html (1 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@localhost[1].txt (167 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\utt12.tmp.new (113 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\D944B3378FAB35793B7951FA53E41B2AB9CC462B\btapp (201 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\utt14.tmp.exe (47888 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\D944B3378FAB35793B7951FA53E41B2AB9CC462B\info_icon.png (250 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\settings.dat.new (144 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\D944B3378FAB35793B7951FA53E41B2AB9CC462B\vid_thumb.jpg (23 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\D944B3378FAB35793B7951FA53E41B2AB9CC462B\x.png (265 bytes)
%Documents and Settings%\%current user%\Desktop\µTorrent.lnk (820 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\72F0D3E2141065DACF6134D07A06A2DF20590748\btapp (196 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\uTorrent.exe (7386 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\toolbar.benc.new (113 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (964 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\welcome-upsell.btapp (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\uttD.tmp.new (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\utt13.tmp.new (28 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1844237615-1960408961-1801674531-1003\1f91d2d17ea675d4c2c3192e241743f9_75ed9567-aa58-4c8e-a8ea-3cad7c47ab03 (105 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\maindoc.ico (63 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TarF.tmp (2712 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\utt38.tmp.6717.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CabE.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\uttD.tmp.6570.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\utt13.tmp.6602.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\utt14.tmp.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab10.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\utt13.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\utt38.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\uttD.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar11.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TarF.tmp (0 bytes)
The process pack.exe:1308 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\Browser Tab Search by Ask\SafetyNut\favicon.ico (1 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\Internet Explorer Settings.exe (9958 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\SafetyNutManager.exe (44197 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\x64\Internet Explorer Settings.exe (9866 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\x64\safetynut_ie.dll (18892 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\safetynut.dll (19938 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\x64\safetyldr_u.dll (24 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\safetyldr.dll (20 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\safetyChrome.dll (2309 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\configmgrc1.cfg (31 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\Internet Explorer Settings Update.exe (9483 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\safetyldr_u.dll (946 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\x64\safetynut.dll (17899 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\x64\Internet Explorer Settings Update.exe (11380 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\x64\safetycrt.dll (5792 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\safetynut_ie.dll (18311 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\safetynut.exe (29145 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\x64\configmgrc1.cfg (36 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\safetycrt.dll (4877 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\x64\safetyldr.dll (24 bytes)
The process SafetyNutManager.exe:1060 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Application Data\SafetyNut\general.cfg (1 bytes)
%Documents and Settings%\All Users\Application Data\SafetyNut\S-1-5-21-1844237615-1960408961-1801674531-1003.cfg (2286 bytes)
%Documents and Settings%\All Users\Application Data\SafetyNut\coordinator.cfg (2376 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\All Users\Application Data\SafetyNut\S-1-5-21-1844237615-1960408961-1801674531-1003.cfg.bak (0 bytes)
%Documents and Settings%\All Users\Application Data\SafetyNut\coordinator.cfg.bak (0 bytes)
The process uTorrent.exe:1628 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\featuredContent.btapp.new (14 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1844237615-1960408961-1801674531-1003\a95ad83f71905e5ff772e9a4bdeb9c5c_75ed9567-aa58-4c8e-a8ea-3cad7c47ab03 (80 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\D944B3378FAB35793B7951FA53E41B2AB9CC462B\main.css (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\icon[1].ico (392 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\dlimagecache\EE373FDA61485ABE5F4B245DA161C0BF687A66B2 (4553 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\icon[2].ico (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\fileserve[1] (917 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar3C.tmp (2712 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\plus.btapp.new (796 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\icon[1].ico (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\72F0D3E2141065DACF6134D07A06A2DF20590748\main.css (946 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\D944B3378FAB35793B7951FA53E41B2AB9CC462B\index.html (3 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\72F0D3E2141065DACF6134D07A06A2DF20590748\icon.bmp (1 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\dlimagecache\D42401539C30207709C00CDA9B6D8C1AFF03DBE5 (2881 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\fileserve[1].png (392 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\72F0D3E2141065DACF6134D07A06A2DF20590748 (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\fileserve[1].css (73 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\72F0D3E2141065DACF6134D07A06A2DF20590748\index.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\D944B3378FAB35793B7951FA53E41B2AB9CC462B\empty_movie.gif (282 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\icon[1].ico (392 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@localhost[1].txt (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab3B.tmp (54 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\D944B3378FAB35793B7951FA53E41B2AB9CC462B\btapp (201 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\icon[2].ico (392 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\D944B3378FAB35793B7951FA53E41B2AB9CC462B\info_icon.png (250 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\settings.dat.new (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\blank[1].htm (109 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\D944B3378FAB35793B7951FA53E41B2AB9CC462B (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\icon[1].ico (392 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\D944B3378FAB35793B7951FA53E41B2AB9CC462B\vid_thumb.jpg (23 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\utorrent.lng (7386 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\dlimagecache\165F6EF40A81DD175FFAEA69E77ABFD30B27E71C (119 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@localhost[2].txt (174 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\dlimagecache\10E6FBE4D921B475FA5FEC6E9A535A540D6FEED1 (318 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\D944B3378FAB35793B7951FA53E41B2AB9CC462B\x.png (265 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\utt3D.tmp (731 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\fileserve[1] (601 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\72F0D3E2141065DACF6134D07A06A2DF20590748\btapp (196 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\updates\3.4.1_30888.exe (7971 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\updates.dat (1845 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\utt3E.tmp (9836 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\player.btapp (3 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (1928 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\welcome-upsell.btapp (28 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\72F0D3E2141065DACF6134D07A06A2DF20590748\index.html (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\utt39.tmp.new (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\fileserve[1] (44065 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012014040820140409\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar3C.tmp (0 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\D944B3378FAB35793B7951FA53E41B2AB9CC462B\main.css (0 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\72F0D3E2141065DACF6134D07A06A2DF20590748\main.css (0 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\D944B3378FAB35793B7951FA53E41B2AB9CC462B\index.html (0 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\72F0D3E2141065DACF6134D07A06A2DF20590748\icon.bmp (0 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\72F0D3E2141065DACF6134D07A06A2DF20590748 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\utt39.tmp (0 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\72F0D3E2141065DACF6134D07A06A2DF20590748\index.js (0 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\D944B3378FAB35793B7951FA53E41B2AB9CC462B\empty_movie.gif (0 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\featuredContent.btapp.6730.tmp (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@localhost[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab3B.tmp (0 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\D944B3378FAB35793B7951FA53E41B2AB9CC462B\btapp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\utt45.tmp (0 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\D944B3378FAB35793B7951FA53E41B2AB9CC462B\info_icon.png (0 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\D944B3378FAB35793B7951FA53E41B2AB9CC462B (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\utt39.tmp.6720.tmp (0 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\D944B3378FAB35793B7951FA53E41B2AB9CC462B\vid_thumb.jpg (0 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\plus.btapp.6733.tmp (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@localhost[2].txt (0 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\D944B3378FAB35793B7951FA53E41B2AB9CC462B\x.png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\utt3D.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\utt46.tmp (0 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\72F0D3E2141065DACF6134D07A06A2DF20590748\btapp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012014040820140409 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\utt3E.tmp (0 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\72F0D3E2141065DACF6134D07A06A2DF20590748\index.html (0 bytes)
The process utt14.tmp.exe:1624 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\31.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\install_statistics[1].xml (498 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx18\nsk1C.tmp\mediabar.exe (19152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1E.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx18.tmp\ns3A.tmp (6 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\x64 (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2A.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\24.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2F.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx18\Helper.dll (63950 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2C.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx18.tmp\registry.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\21.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx18.tmp\UserInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\25.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\26.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx18\nsk1C.tmp\pack.exe (110155 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx18.tmp\ns37.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\23.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\34.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx18.tmp\nsExec.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc16.tmp (259636 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx18.tmp\ns47.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\33.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\22.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2D.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx18.tmp\ns44.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1D.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx18\Starter.exe (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx18.tmp\ns43.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2E.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\28.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\29.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx18.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\27.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\32.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\35.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\30.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2B.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx18.tmp\ns36.tmp (6 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\Uninstall.exe (3616 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\Helper.dll (14988 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\20.tmp (4545 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\31.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx18.tmp\UserInfo.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1E.tmp (0 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\x64\safetyldr.dll (0 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\x64 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2A.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\24.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2F.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx18.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2C.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\34.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\21.tmp (0 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\x64\Internet Explorer Settings Update.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\25.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\26.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx18.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx18.tmp\ns37.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\23.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr15.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx18.tmp\registry.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx18.tmp\nsExec.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx18.tmp\ns47.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\33.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\22.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2D.tmp (0 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\x64\safetynut_ie.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx18.tmp\ns44.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1D.tmp (0 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\x64\safetyldr_u.dll (0 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\x64\safetynut.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx18.tmp\ns43.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2E.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\28.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\29.tmp (0 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\x64\Internet Explorer Settings.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\27.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\32.tmp (0 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\Internet Explorer Settings Update.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\35.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\30.tmp (0 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\x64\safetycrt.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2B.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx18.tmp\ns36.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\install_statistics[1].xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx18.tmp\ns3A.tmp (0 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\x64\configmgrc1.cfg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\20.tmp (0 bytes)
Registry activity
The process BrowserTabSearchMediaBar.exe:2792 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\IACSearchAndMedia\MSB]
"env" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Browser Tab Search by Ask_IE]
"DisplayIcon" = "%Program Files%\Browser Tab Search by Ask\SafetyNut\BrowserTabSearch\BrowserTabSearchUninstall.exe"
"DisplayVersion" = "3.0.0.0.242"
"DisplayName" = "Browser Tab Search by Ask for Internet Explorer"
[HKLM\SOFTWARE\IACSearchAndMedia\MSB]
"apn_uid" = "1186403004234042"
"distributed" = "IAC Search & Media, Inc."
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\IACSearchAndMedia\MSB]
"o" = "APN11459"
"browser" = "ie"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Browser Tab Search by Ask_IE]
"Path" = "%Program Files%\Browser Tab Search by Ask\SafetyNut\BrowserTabSearch"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Browser Tab Search by Ask_IE]
"NoModify" = "1"
[HKLM\SOFTWARE\IACSearchAndMedia\MSB]
"AppID" = "101"
"search_url" = "http://dts.search.ask.com/sr?src=tlb&gct=bar&sysid=488&apn_dtid=^TCH001^YY^US&apn_uid=1186403004234042&appid=101&o=APN11459&apn_ptnrs=^BE3&q="
"COMPANY" = "IAC Search and Media"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Browser Tab Search by Ask_IE]
"NoRepair" = "1"
"ExternalUninstallString" = "%Program Files%\Browser Tab Search by Ask\SafetyNut\Uninstall.exe /browser=ie"
"UninstallString" = "%Program Files%\Browser Tab Search by Ask\SafetyNut\BrowserTabSearch\BrowserTabSearchUninstall.exe /browser=ie"
[HKLM\SOFTWARE\IACSearchAndMedia\MSB]
"uninstall_ie" = "%Program Files%\Browser Tab Search by Ask\SafetyNut\BrowserTabSearch\BrowserTabSearchUninstall.exe /browser=ie"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DC E3 81 30 B2 13 D1 6A 61 75 9A 9D 8A 8C 2E 4F"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\BTR-BTS\insthlp.dll_0,"
[HKLM\SOFTWARE\IACSearchAndMedia\MSB]
"sysid" = "488"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\IACSearchAndMedia\MSB]
"apn_dtid" = "TCH001"
"UninstallParam_IE" = "anxa=APNMSB&anxe=UninstallerEvent&anxp=^BE3^TCH001^YY^US&anxr=434161A2-7861-4C82-B20D-75CD39B56951&anxt=1186403004234042&anxv=3.0.0.0&anxtv=3.0.0.0&tpid=BTR-BTS&apn_dbr=IE&o=APN11459&trgb=IE&doi=2014-05-08"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Browser Tab Search by Ask_IE]
"Publisher" = "IAC Search and Media"
To run automatically each time the user logs on, the Trojan adds the following link to its file under the per-user registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Browser Tab Search by Ask" = "%Program Files%\Browser Tab Search by Ask\SafetyNut\BrowserTabSearch\msbloader.exe"
The process BrowserTabSearchMediaBar.exe:304 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\IACSearchAndMedia\MSB]
"env" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Browser Tab Search by Ask_IE]
"DisplayIcon" = "%Program Files%\Browser Tab Search by Ask\SafetyNut\BrowserTabSearch\BrowserTabSearchUninstall.exe"
"DisplayVersion" = "3.0.0.0.242"
"DisplayName" = "Browser Tab Search by Ask for Internet Explorer"
[HKLM\SOFTWARE\IACSearchAndMedia\MSB]
"ReportingParam" = "http://phn.apnanalytics.com/tr.gif?anxa=APNMSB&anxe=PhoneHome&anxp=^BE3^TCH001^YY^US&&anxt=1186403004234042&anxv=3.0.0.0&anxtv=3.0.0.0&tpid=BTR-BTS&apn_dbr=IE&o=APN11459&trgb=IE&doi=2014-05-08&installationResult=success"
"apn_uid" = "1186403004234042"
"distributed" = "IAC Search & Media, Inc."
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\IACSearchAndMedia\MSB]
"o" = "APN11459"
"browser" = "ie"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Browser Tab Search by Ask_IE]
"Path" = "%Program Files%\Browser Tab Search by Ask\SafetyNut\BrowserTabSearch"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Browser Tab Search by Ask_IE]
"NoModify" = "1"
[HKLM\SOFTWARE\IACSearchAndMedia\MSB]
"AppID" = "101"
"search_url" = "http://dts.search.ask.com/sr?src=tlb&gct=bar&sysid=488&apn_dtid=^TCH001^YY^US&apn_uid=1186403004234042&appid=101&o=APN11459&apn_ptnrs=^BE3&q="
"COMPANY" = "IAC Search and Media"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Browser Tab Search by Ask_IE]
"NoRepair" = "1"
"ExternalUninstallString" = "%Program Files%\Browser Tab Search by Ask\SafetyNut\Uninstall.exe /browser=ie"
"UninstallString" = "%Program Files%\Browser Tab Search by Ask\SafetyNut\BrowserTabSearch\BrowserTabSearchUninstall.exe /browser=ie"
[HKLM\SOFTWARE\IACSearchAndMedia\MSB]
"uninstall_ie" = "%Program Files%\Browser Tab Search by Ask\SafetyNut\BrowserTabSearch\BrowserTabSearchUninstall.exe /browser=ie"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BA EE B2 EA 06 29 5C 91 B9 74 DB BD 8E C8 C6 79"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\IACSearchAndMedia\MSB]
"sysid" = "488"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\IACSearchAndMedia\MSB]
"apn_dtid" = "TCH001"
"UninstallParam_IE" = "anxa=APNMSB&anxe=UninstallerEvent&anxp=^BE3^TCH001^YY^US&anxr=3019EFB9-86F7-467A-8CBC-8AE7E27FDCB7&anxt=1186403004234042&anxv=3.0.0.0&anxtv=3.0.0.0&tpid=BTR-BTS&apn_dbr=IE&o=APN11459&trgb=IE&doi=2014-05-08"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Browser Tab Search by Ask_IE]
"Publisher" = "IAC Search and Media"
To run automatically each time the user logs on, the Trojan adds the following link to its file under the per-user registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Browser Tab Search by Ask" = "%Program Files%\Browser Tab Search by Ask\SafetyNut\BrowserTabSearch\msbloader.exe"
The process mediabar.exe:560 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BE 3F 54 DA 3C CC 26 DE BA 29 8E 27 01 29 4E 78"
The process %original file name%.exe:1232 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\uTorrent]
"UninstallString" = "%Documents and Settings%\%current user%\Application Data\uTorrent\uTorrent.exe /UNINSTALL"
"MajorVersion" = "3"
[HKCU\Software\Classes\Magnet]
"URL Protocol" = ""
[HKCU\Software\Classes\.btkey]
"Content Type" = "application/x-bittorrent-key"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKCU\Software\Classes\Magnet\shell\open\command]
"(Default)" = "%Documents and Settings%\%current user%\Application Data\uTorrent\uTorrent.exe %1"
[HKCU\Software\Classes\bittorrent\DefaultIcon]
"(Default)" = "%Documents and Settings%\%current user%\Application Data\uTorrent\maindoc.ico"
[HKCU\Software\Classes\Magnet\DefaultIcon]
"(Default)" = "%Documents and Settings%\%current user%\Application Data\uTorrent\maindoc.ico"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Classes\.btkey]
"(Default)" = "uTorrent"
[HKCU\Software\Classes\Magnet]
"Content Type" = "application/x-magnet"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\uTorrent]
"DisplayName" = "µTorrent"
[HKCU\Software\Classes\.btskin]
"Content Type" = "application/x-bittorrent-skin"
[HKCR\MIME\Database\Content Type\application/x-bittorrent-app]
"Extension" = ".btapp"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\uTorrent]
"MinorVersion" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Classes\Applications\uTorrent.exe\shell]
"(Default)" = "open"
[HKCU\Software\Classes\.btapp]
"(Default)" = "uTorrent"
[HKCU\Software\Classes\Magnet]
"(Default)" = "Magnet URI"
[HKCU\Software\BitTorrent\uTorrent]
"OfferProvider" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKCU\Software\Classes\bittorrent\shell]
"(Default)" = "open"
[HKCR\MIME\Database\Content Type\application/x-bittorrent-key]
"Extension" = ".btkey"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\uTorrent]
"NoModify" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Classes\.btsearch]
"(Default)" = "uTorrent"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Classes\uTorrent\DefaultIcon]
"(Default)" = "%Documents and Settings%\%current user%\Application Data\uTorrent\maindoc.ico"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\BitTorrent\uTorrent]
"OfferViaCAU" = "0"
[HKCU\Software\Classes\MIME\Database\Content Type\application/x-bittorrent-key]
"Extension" = ".btkey"
[HKCU\Software\Classes\.btinstall]
"(Default)" = "uTorrent"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\BitTorrent]
"computerid" = "56 4F F8 6D 65 FF A9 D5 A2 DB 3E 73 07 D2 B4 3D"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F3 6C 29 39 CE 6A 7C 77 C8 A4 5F 48 35 B2 37 CF"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"utt14.tmp.exe" = "Browser Tab Search by Ask Install"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\uTorrent]
"NoRepair" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Classes\MIME\Database\Content Type\application/x-bittorrent-app]
"Extension" = ".btapp"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\uTorrent]
"Publisher" = "BitTorrent Inc."
[HKCU\Software\Classes\.btskin]
"(Default)" = "uTorrent"
[HKCU\Software\Classes\uTorrent\shell\open\command]
"(Default)" = "%Documents and Settings%\%current user%\Application Data\uTorrent\uTorrent.exe %1"
[HKCU\Software\Classes\FalconBetaAccount]
"remote_access_client_id" = "8869266712"
[HKCU\Software\Classes\bittorrent]
"URL Protocol" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\uTorrent]
"DisplayVersion" = "3.4.1.30888"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Classes\bittorrent]
"(Default)" = "bittorrent URI"
[HKCU\Software\Classes\MIME\Database\Content Type\application/x-bittorrent]
"Extension" = ".torrent"
[HKCR\MIME\Database\Content Type\application/x-bittorrent-skin]
"Extension" = ".btskin"
[HKCU\Software\Classes\Magnet\shell]
"(Default)" = "open"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\uTorrent]
"DisplayIcon" = "%Documents and Settings%\%current user%\Application Data\uTorrent\uTorrent.exe,0"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKCU\Software\Classes\uTorrent\shell]
"(Default)" = "open"
[HKCU\Software\Classes\.btsearch\OpenWithProgids]
"uTorrent" = ""
[HKCU\Software\Classes\uTorrent\Content Type]
"(Default)" = "application/x-bittorrent"
[HKCU\Software\Classes\.torrent\OpenWithProgids]
"uTorrent" = ""
[HKCR\MIME\Database\Content Type\application/x-bittorrentsearchdescription xml]
"Extension" = ".btsearch"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\BitTorrent\uTorrent]
"OfferName" = ""
[HKCU\Software\Classes\.btinstall]
"Content Type" = "application/x-bittorrent-appinst"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\uTorrent]
"InstallLocation" = "%Documents and Settings%\%current user%\Application Data\uTorrent"
[HKCR\MIME\Database\Content Type\application/x-bittorrent-appinst]
"Extension" = ".btinstall"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\uTorrent]
"VersionMinor" = "4"
[HKCU\Software\Classes\Applications\uTorrent.exe\shell\open\command]
"(Default)" = "%Documents and Settings%\%current user%\Application Data\uTorrent\uTorrent.exe %1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Classes\.btsearch]
"Content Type" = "application/x-bittorrentsearchdescription xml"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\BitTorrent\uTorrent]
"Revision" = "30888"
[HKCU\Software\Classes\MIME\Database\Content Type\application/x-bittorrent-appinst]
"Extension" = ".btinstall"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Classes\.torrent]
"(Default)" = "uTorrent"
[HKCU\Software\Classes\MIME\Database\Content Type\application/x-bittorrentsearchdescription xml]
"Extension" = ".btsearch"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\uTorrent]
"VersionMajor" = "3"
[HKCU\Software\Classes\.torrent]
"Content Type" = "application/x-bittorrent"
[HKCR\MIME\Database\Content Type\application/x-bittorrent]
"Extension" = ".torrent"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKCU\Software\Classes\bittorrent]
"Content Type" = "application/x-bittorrent-protocol"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\uTorrent]
"URLInfoAbout" = "http://www.utorrent.com"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKCU\Software\Classes\.btapp]
"Content Type" = "application/x-bittorrent-app"
[HKCU\Software\Classes\MIME\Database\Content Type\application/x-bittorrent-skin]
"Extension" = ".btskin"
[HKCU\Software\Classes\bittorrent\shell\open\command]
"(Default)" = "%Documents and Settings%\%current user%\Application Data\uTorrent\uTorrent.exe %1"
[HKCU\Software\BitTorrent\uTorrent]
"OfferAccepted" = "0"
Adds a Windows Firewall exception (standard profile) that allows unsolicited inbound connections to the program from any address (scope *):
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\Application Data\uTorrent]
"utorrent.exe" = "%Documents and Settings%\%current user%\Application Data\uTorrent\uTorrent.exe:*:Enabled:μTorrent"
The Trojan sets the IE zone-map option that places all local (intranet) sites not listed in other zones, i.e. host names without dots, in the Local intranet zone (this is IE's default Local intranet setting, so by itself it does not loosen security):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
To run automatically each time the user logs on, the Trojan adds the following link to its file under the per-user registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"uTorrent" = "%Documents and Settings%\%current user%\Application Data\uTorrent\uTorrent.exe /MINIMIZED"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan sets the IE zone-map option that places all network paths (UNCs) in the Local intranet zone (also an IE default):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan sets the IE zone-map option that places all sites that bypass the proxy server in the Local intranet zone (also an IE default):
"ProxyBypass" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process pack.exe:1308 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2F 3F EE DF 05 2E 46 A3 BA 5B DF 3E 1F 4E 4C 70"
The process safetynut.exe:2288 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3B 70 5A DC C9 B9 55 FA 30 7E B6 0B CE AC 86 37"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
The process regsvr32.exe:1736 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\SearchQUIEHelper.DNSGuard\CLSID]
"(Default)" = "{A40DC6C5-79D0-4ca8-A185-8FF989AF1115}"
[HKCR\TypeLib\{6A4BCABA-C437-4C76-A54E-AF31B8A76CB9}\1.0]
"(Default)" = "SearchQUIEBHO 1.0 Type Library"
[HKCR\CLSID\{A40DC6C5-79D0-4ca8-A185-8FF989AF1115}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCR\TypeLib\{6A4BCABA-C437-4C76-A54E-AF31B8A76CB9}\1.0\0\win32]
"(Default)" = "C:\PROGRA~1\BROWSE~1\SAFETY~1\SAE8B3~1.DLL"
[HKCR\Interface\{1B730ACF-26A3-447B-9994-14AEE0EB72CC}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{CC1AC828-BB47-4361-AFB5-96EEE259DD87}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{A40DC6C5-79D0-4ca8-A185-8FF989AF1115}]
"(Default)" = "SafetyNut"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKCR\CLSID\{CC1AC828-BB47-4361-AFB5-96EEE259DD87}\InprocServer32]
"(Default)" = "C:\PROGRA~1\BROWSE~1\SAFETY~1\SAE8B3~1.DLL"
[HKCR\TypeLib\{6A4BCABA-C437-4C76-A54E-AF31B8A76CB9}\1.0\HELPDIR]
"(Default)" = "C:\PROGRA~1\BROWSE~1\SAFETY~1"
[HKCR\CLSID\{A40DC6C5-79D0-4ca8-A185-8FF989AF1115}\InprocServer32]
"(Default)" = "C:\PROGRA~1\BROWSE~1\SAFETY~1\SAE8B3~1.DLL"
[HKCR\CLSID\{A40DC6C5-79D0-4ca8-A185-8FF989AF1115}\VersionIndependentProgID]
"(Default)" = "SearchQUIEHelper.UrlHelper"
[HKCR\SearchQUIEHelper.DNSGuard.1]
"(Default)" = "SafetyNut"
[HKCR\CLSID\{A40DC6C5-79D0-4ca8-A185-8FF989AF1115}\ProgID]
"(Default)" = "SearchQUIEHelper.UrlHelper.1"
[HKCR\Interface\{1B730ACF-26A3-447B-9994-14AEE0EB72CC}]
"(Default)" = "IDNSGuard"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FE 8B 48 26 AD 1F 50 65 FB FF 2A A6 5D CD 47 B4"
[HKCR\Interface\{1B730ACF-26A3-447B-9994-14AEE0EB72CC}\TypeLib]
"Version" = "1.0"
[HKCR\SearchQUIEHelper.DNSGuard.1\CLSID]
"(Default)" = "{A40DC6C5-79D0-4ca8-A185-8FF989AF1115}"
[HKCR\Interface\{1B730ACF-26A3-447B-9994-14AEE0EB72CC}\TypeLib]
"(Default)" = "{6A4BCABA-C437-4C76-A54E-AF31B8A76CB9}"
[HKCR\Interface\{1B730ACF-26A3-447B-9994-14AEE0EB72CC}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{CC1AC828-BB47-4361-AFB5-96EEE259DD87}]
"(Default)" = "ErrorFilter Class"
[HKCR\SearchQUIEHelper.DNSGuard\CurVer]
"(Default)" = "SearchQUIEHelper.UrlHelper.1"
[HKCR\TypeLib\{6A4BCABA-C437-4C76-A54E-AF31B8A76CB9}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\SearchQUIEHelper.DNSGuard]
"(Default)" = "SafetyNut"
The Trojan deletes the following registry key(s):
[HKCR\CLSID\{A40DC6C5-79D0-4ca8-A185-8FF989AF1115}\InprocServer32]
[HKCR\CLSID\{CC1AC828-BB47-4361-AFB5-96EEE259DD87}\InprocServer32]
[HKCR\CLSID\{A40DC6C5-79D0-4ca8-A185-8FF989AF1115}\VersionIndependentProgID]
[HKCR\CLSID\{A40DC6C5-79D0-4ca8-A185-8FF989AF1115}]
[HKCR\CLSID\{CC1AC828-BB47-4361-AFB5-96EEE259DD87}\Programmable]
[HKCR\CLSID\{CC1AC828-BB47-4361-AFB5-96EEE259DD87}]
[HKCR\CLSID\{A40DC6C5-79D0-4ca8-A185-8FF989AF1115}\Programmable]
[HKCR\CLSID\{A40DC6C5-79D0-4ca8-A185-8FF989AF1115}\ProgID]
The process SafetyNutManager.exe:1652 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "04 F7 84 72 89 08 F6 14 58 F1 AC E9 A7 4C 34 40"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\SafetyNut\General]
"srn1" = "F06DEFF2-5B9C-490D-910F-35D3A9119622"
"srn0" = "SafetyNutManager"
The process SafetyNutManager.exe:1060 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FB 70 8A 72 A8 F6 5C 8C FC F9 9C 1E E1 39 33 AD"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
The process SafetyNutManager.exe:1092 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E1 A2 FB 2C AE 69 2C 9B 12 5C 1A 33 BE B1 B9 7B"
[HKLM\System\CurrentControlSet\Control\Session Manager\AppCertDlls]
"x64" = "c:\program files\browser tab search by ask\safetynut\x64\safetycrt.dll"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
The process msbloader.exe:420 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "73 05 BE 42 93 E3 5B 93 D2 82 28 B5 FB EE DC 4B"
The process msbloader.exe:3192 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "44 27 B6 67 88 2C FD 28 10 2A 09 E1 85 C3 5E 49"
The process uTorrent.exe:1628 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKCU\Software\BitTorrent\uTorrent]
"OfferProvider" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014050820140509]
"CacheOptions" = "11"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1F 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"
"TypesSupported" = "7"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014050820140509]
"CachePrefix" = ":2014050820140509:"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
[HKCU\Software\BitTorrent\uTorrent]
"OfferViaCAU" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\ESENT\Process\uTorrent\DEBUG]
"Trace Level" = ""
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "uTorrent.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"
[HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"utorrent.exe" = "9000"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1397862678"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014050820140509]
"CacheLimit" = "8192"
"CacheRepair" = "0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "81 9B 36 22 EF F5 D6 A8 89 DD 76 F3 74 9C 3A E9"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"
[HKCU\Software\BitTorrent\uTorrent]
"OfferName" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014050820140509]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012014050820140509\"
[HKCU\Software\BitTorrent\uTorrent]
"OfferAccepted" = "0"
The Trojan sets the IE zone-map option that places all network paths (UNCs) in the Local intranet zone (an IE default, so by itself it does not loosen security):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan sets the IE zone-map option that places all sites that bypass the proxy server in the Local intranet zone (also an IE default):
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan sets the IE zone-map option that places all local (intranet) sites not listed in other zones, i.e. host names without dots, in the Local intranet zone (also an IE default):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following registry key(s):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014040820140409]
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
[HKLM\SOFTWARE\Microsoft\ESENT\Process\uTorrent\DEBUG]
"Trace Level"
The process utt14.tmp.exe:1624 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utiljumpflip.exe]
"debugger" = "tasklist.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\browsersafeguard.exe]
"debugger" = "tasklist.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\volaro]
"debugger" = "tasklist.exe"
[HKLM\SOFTWARE\SafetyNut]
"Version" = "5.0.0.12521"
[HKLM\System\CurrentControlSet\Control\Session Manager\AppCertDlls]
"x86" = "%Program Files%\Browser Tab Search by Ask\SafetyNut\safetycrt.dll"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\SafetyNut\General]
"UID" = "1186403004234042"
"iver" = "5.0.0.12521"
"Country" = "UA"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vonteera]
"debugger" = "tasklist.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\searchprotection.exe]
"debugger" = "tasklist.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{A40DC6C5-79D0-4ca8-A185-8FF989AF1115}]
"Flags" = "1024"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\searchprotector.exe]
"debugger" = "tasklist.exe"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "http://www.search.ask.com/?o=APN11459&gct=hp&d=488-101&v=n12521-341&t=4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\SafetyNut\General]
"ostype" = "win32"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\browserdefender.exe]
"debugger" = "tasklist.exe"
[HKLM\SOFTWARE\SafetyNut\General]
"kbn" = "12521"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bprotect.exe]
"debugger" = "tasklist.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\SafetyNut]
"browser" = " ie"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\searchsettings.exe]
"debugger" = "tasklist.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\websteroidsservice.exe]
"debugger" = "tasklist.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKLM\SOFTWARE\SafetyNut\General]
"ie_hp_supported" = "1"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main]
"FrameAuto" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\SafetyNut\General]
"LN" = "en"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\snapdo.exe]
"debugger" = "tasklist.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\stinst64.exe]
"debugger" = "tasklist.exe"
[HKLM\SOFTWARE\SafetyNut\General]
"home" = "%Program Files%\Browser Tab Search by Ask"
"clid" = "{1186EADA-042D-4042-9DC8-6A5276D0767D}"
"osl" = "en-US"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EE E0 F6 F5 6F 09 38 74 EC 14 12 74 E2 30 C6 11"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitguard.exe]
"debugger" = "tasklist.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\searchsettings64.exe]
"debugger" = "tasklist.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\protectedsearch.exe]
"debugger" = "tasklist.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Internet Explorer\Search]
"SearchAssistant" = "http://dts.search.ask.com/sidebar.html?src=ssb&gct=ds&appid=101&systemid=488"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"10" = "10"
[HKLM\SOFTWARE\SafetyNut\General]
"kapid" = "0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\websteroids.exe]
"debugger" = "tasklist.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 20 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\SafetyNut\General]
"iTime" = "2014-05-08"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\browserprotect.exe]
"debugger" = "tasklist.exe"
[HKCU\Software\Microsoft\Internet Explorer\Approved Extensions]
"{A40DC6C5-79D0-4ca8-A185-8FF989AF1115}" = "51 66 7A 6C 4C 1D 3B 1B D5 D9 17 B9 E3 28 C4 06"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Use Search Asst" = "no"
[HKLM\SOFTWARE\SafetyNut\General]
"pver" = "5.0.0.12521"
"kisid" = "0"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\SafetyNut\General]
"sysid" = "488"
"UC" = "341"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\SafetyNut\General]
"osver" = "5.1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bpsvc.exe]
"debugger" = "tasklist.exe"
[HKLM\SOFTWARE\SafetyNut\General]
"sitime" = "1399564575"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dprotectsvc.exe]
"debugger" = "tasklist.exe"
[HKLM\SOFTWARE\SafetyNut\General]
"AppID" = "101"
"os_user_type" = "Admin"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\searchinstaller.exe]
"debugger" = "tasklist.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\SafetyNut\General]
"Guid" = "{10AC039D-1073-3BCA-E76F-EB60607D86B8}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\SafetyNut\General]
"aw" = "No"
"ptype" = "n"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jumpflip]
"debugger" = "tasklist.exe"
[HKLM\SOFTWARE\SafetyNut\General]
"itime_t" = ""
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Search Bar" = "http://dts.search.ask.com/sidebar.html?src=ssb&gct=ds&appid=101&systemid=488"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\stinst32.exe]
"debugger" = "tasklist.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKLM\SOFTWARE\SafetyNut\General]
"ie_ds_supported" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\umbrella.exe]
"debugger" = "tasklist.exe"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Search]
"SearchAssistant" = "http://dts.search.ask.com/sidebar.html?src=ssb&gct=ds&appid=101&systemid=488"
The Trojan modifies the IE security-zone mapping so that local (intranet) sites not listed in other zones, i.e. hosts with no dots in their name, are placed in the Intranet zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan sets the following Winlogon value. AutoRestartShell only tells Winlogon to restart the shell (explorer.exe) if it exits, and 1 is the Windows default; the value does not reference the Trojan and is not an autorun entry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoRestartShell" = "1"
The Trojan modifies the IE security-zone mapping so that all network paths (UNCs) are placed in the Intranet zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies the IE security-zone mapping so that sites that bypass the proxy server are placed in the Intranet zone (these three ZoneMap values are also the IE defaults for the Local intranet zone):
"ProxyBypass" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"Appinit_Dlls"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"
The Trojan deletes the following one-shot RunOnce entries (by their names, cleanup tasks for the Browser Tab Search data manager and toolbar):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"removeBrowserTabSearchdatamngr"
"removeBrowserTabSearchtoolbar"
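The registry listing above contains three persistence and defense-evasion techniques that the generated text does not call out: the Image File Execution Options "debugger" values set to tasklist.exe (Windows launches the named "debugger" instead of the image, so bprotect.exe, searchprotection.exe and the other listed images, mostly competing adware, never start), the AppCertDlls entry (safetycrt.dll is loaded into every process that calls CreateProcess), and the Run entries. The following Python script is an added example, not part of the Lavasoft report and not code from the SafetyNut software; it parses the report's own "[KEY]" / "name" = "data" listing format and flags those techniques. SAMPLE is an excerpt copied from this report; the technique labels are this example's own naming, nothing the report emits.

```python
import re

# Excerpt copied from this report's registry listing (the format the script parses).
SAMPLE = r'''
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bprotect.exe]
"debugger" = "tasklist.exe"
[HKLM\System\CurrentControlSet\Control\Session Manager\AppCertDlls]
"x86" = "%Program Files%\Browser Tab Search by Ask\SafetyNut\safetycrt.dll"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Browser Tab Search by Ask" = "%Program Files%\Browser Tab Search by Ask\SafetyNut\BrowserTabSearch\msbloader.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\searchprotection.exe]
"debugger" = "tasklist.exe"
'''

VALUE_RE = re.compile(r'^"([^"]*)"\s*=\s*"(.*)"$')
IFEO_RE = re.compile(r"\\Image File Execution Options\\([^\\\]]+)$", re.IGNORECASE)
RUN_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)$", re.IGNORECASE)
APPCERT_SUFFIX = r"\session manager\appcertdlls"


def parse_registry_listing(text):
    """Turn '[KEY]' headers followed by '"name" = "data"' lines into (key, name, data) triples."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # new key: following values belong to it
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            entries.append((key, m.group(1), m.group(2)))
    return entries


def classify(entries):
    """Label entries that implement persistence or defense-evasion techniques.
    Technique names are this example's own labels, not report output."""
    findings = []
    for key, name, data in entries:
        ifeo = IFEO_RE.search(key)
        if ifeo and name.lower() == "debugger":
            # Windows runs the "debugger" with the target's path as its argument instead of
            # the target itself; tasklist.exe just exits, so the target never starts.
            findings.append({"technique": "ifeo_debugger", "image": ifeo.group(1), "data": data})
        elif key.lower().endswith(APPCERT_SUFFIX):
            # AppCertDlls are loaded into every process that calls CreateProcess.
            findings.append({"technique": "appcertdlls", "image": name, "data": data})
        elif name.lower() == "appinit_dlls":
            findings.append({"technique": "appinit_dlls", "image": name, "data": data})
        elif RUN_RE.search(key):
            findings.append({"technique": "autorun", "image": name, "data": data})
    return findings


def blocked_images(findings):
    """Sorted list of image names that an IFEO debugger entry prevents from starting."""
    return sorted(f["image"] for f in findings if f["technique"] == "ifeo_debugger")


if __name__ == "__main__":
    for f in classify(parse_registry_listing(SAMPLE)):
        print(f"{f['technique']:14} {f['image']:28} -> {f['data']}")
```

Run against the full listing on this page, classify() reports every IFEO target (vonteera, searchsettings.exe, bitguard.exe and so on) as blocked, the AppCertDlls DLL, and the two Run entries from the removal section; a legitimate IFEO debugger value would name a real debugger such as vsjitdebugger.exe, so any other executable in that slot is worth a look on a live system too.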
Dropped PE files
MD5 | File path |
---|---|
fef48bf77720b2bb587c511eb7b91973 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\BTR-BTS\ReportingHelper.dll |
2a9e782d5dae8cdaa2d20b1206dd3a70 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\BTR-BTS\insthlp.dll |
bf712f32249029466fa86756f5546950 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsx18.tmp\System.dll |
c7ce0e47c83525983fd2c4c9566b4aad | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsx18.tmp\UserInfo.dll |
132e6153717a7f9710dcea4536f364cd | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsx18.tmp\nsExec.dll |
2b7007ed0262ca02ef69d8990815cbeb | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsx18.tmp\registry.dll |
297234c8ca7508dd11305299b41b1f03 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsx18\Helper.dll |
57cad4c3fefc19e01e1915417da3be73 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsx18\Starter.exe |
1de7eb13174c9f47cc34962c8a80cb0e | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsx18\nsk1C.tmp\BrowserTabSearchMediaBar.exe |
1adf4b948e521e10fb9e0f2d1920bbb1 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsx18\nsk1C.tmp\mediabar.exe |
51399e48b0e8be79ed7913668d090fd0 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsx18\nsk1C.tmp\pack.exe |
9469f9edd12c805fe5bfaafb70c7f3db | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\utt14.tmp.exe |
41b689f0846bf01b7a9281ae844e5ed6 | c:\Program Files\Browser Tab Search by Ask\SafetyNut\BrowserTabSearch\BrowserTabSearchUninstall.exe |
f26ddbd35521ffbd54c0bcf6b4891111 | c:\Program Files\Browser Tab Search by Ask\SafetyNut\BrowserTabSearch\msb.dll |
2018874cd4d77b00414a7f514150d2f9 | c:\Program Files\Browser Tab Search by Ask\SafetyNut\BrowserTabSearch\msbloader.exe |
297234c8ca7508dd11305299b41b1f03 | c:\Program Files\Browser Tab Search by Ask\SafetyNut\Helper.dll |
ccb72fbb7edcf03dd4fe87be22112655 | c:\Program Files\Browser Tab Search by Ask\SafetyNut\Internet Explorer Settings.exe |
f9b579c16c0ddca7e575179c8db7464c | c:\Program Files\Browser Tab Search by Ask\SafetyNut\SafetyNutManager.exe |
f14e1ebbd4a845927db6c84be71e16fe | c:\Program Files\Browser Tab Search by Ask\SafetyNut\Uninstall.exe |
e8a501f0ae3868f87f9fe782d745d902 | c:\Program Files\Browser Tab Search by Ask\SafetyNut\configmgrc1.cfg |
ad18a467a95d4768cf3808f0f1e1f96c | c:\Program Files\Browser Tab Search by Ask\SafetyNut\safetyChrome.dll |
d3b3489dc788d72f53ff16e0d76b3790 | c:\Program Files\Browser Tab Search by Ask\SafetyNut\safetycrt.dll |
54b49af72a305a40fb9eff2fd6c26786 | c:\Program Files\Browser Tab Search by Ask\SafetyNut\safetyldr.dll |
faf932cc3d806dfe24d343e4c2293c45 | c:\Program Files\Browser Tab Search by Ask\SafetyNut\safetyldr_u.dll |
353bee28a0af4cdff92fd5df771be234 | c:\Program Files\Browser Tab Search by Ask\SafetyNut\safetynut.dll |
21d95f48f34324eb0b815fe70ba9ca44 | c:\Program Files\Browser Tab Search by Ask\SafetyNut\safetynut.exe |
229bcdc8bd5f402ccc363cd47dbef7f8 | c:\Program Files\Browser Tab Search by Ask\SafetyNut\safetynut_ie.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
Using the driver "\??\%Program Files%\Browser Tab Search by Ask\SafetyNut\configmgrc1.cfg" the Trojan monitors registry operations by registering a kernel registry callback (a registry notifier). Note the .cfg extension: the file is a PE driver image (it is listed by MD5 in the Dropped PE files table), so dropped files should be identified by their headers, not by extension.
The Trojan installs the following kernel-mode hooks:
ZwOpenProcess
ZwOpenThread
Hooks on these calls are commonly used to deny process and thread handles to other programs, including Task Manager and security tools, which is why the removal steps below start with an anti-rootkit scan.
Propagation
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager). Note that imapi.exe (the IMAPI CD-burning service) and wuauclt.exe (the Windows Update client) are Windows components that were started during the analysis, not files dropped by the Trojan; ending them is harmless, but do not delete their executables:
imapi.exe:1264
BrowserTabSearchMediaBar.exe:2792
BrowserTabSearchMediaBar.exe:304
mediabar.exe:560
wuauclt.exe:540
%original file name%.exe:1232
pack.exe:1308
regsvr32.exe:1736
SafetyNutManager.exe:1652
SafetyNutManager.exe:1060
msbloader.exe:420
utt14.tmp.exe:1624
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%WinDir%\Temp\rjkfg2dp.TMP (146970 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\BTR-BTS\ReportingHelper.dll (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\BTR-BTS\insthlp.dll (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp4A.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk49.tmp (26309 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp4A.tmp\nsisdl.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj40.tmp (26309 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\BrowserTabSearch\BrowserTabSearchUninstall.exe (7192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz41.tmp\nsisdl.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz41.tmp\System.dll (11 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\BrowserTabSearch\msbloader64.exe (3616 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\BrowserTabSearch\msb.dll (12088 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\BrowserTabSearch\msb64.dll (13584 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\BrowserTabSearch\msbloader.exe (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx18\nsk1C.tmp\BrowserTabSearchMediaBar.exe (3465 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (2016 bytes)
%WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\plus.btapp (796 bytes)
%Documents and Settings%\%current user%\Start Menu\µTorrent.lnk (820 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\utt38.tmp.new (2 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\µTorrent.lnk (798 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\player.btapp (3 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\D944B3378FAB35793B7951FA53E41B2AB9CC462B\main.css (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar11.tmp (2712 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\72F0D3E2141065DACF6134D07A06A2DF20590748\main.css (946 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CabE.tmp (54 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (408 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\D944B3378FAB35793B7951FA53E41B2AB9CC462B\index.html (3 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\72F0D3E2141065DACF6134D07A06A2DF20590748\icon.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab10.tmp (54 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\featuredContent.btapp (14 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\72F0D3E2141065DACF6134D07A06A2DF20590748\index.js (1 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\toolbar_offer.benc (28 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\D944B3378FAB35793B7951FA53E41B2AB9CC462B\empty_movie.gif (282 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\72F0D3E2141065DACF6134D07A06A2DF20590748\index.html (1 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@localhost[1].txt (167 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\utt12.tmp.new (113 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\D944B3378FAB35793B7951FA53E41B2AB9CC462B\btapp (201 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\utt14.tmp.exe (47888 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\D944B3378FAB35793B7951FA53E41B2AB9CC462B\info_icon.png (250 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\settings.dat.new (144 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\D944B3378FAB35793B7951FA53E41B2AB9CC462B\vid_thumb.jpg (23 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\D944B3378FAB35793B7951FA53E41B2AB9CC462B\x.png (265 bytes)
%Documents and Settings%\%current user%\Desktop\µTorrent.lnk (820 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\72F0D3E2141065DACF6134D07A06A2DF20590748\btapp (196 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\uTorrent.exe (7386 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\toolbar.benc.new (113 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (964 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\welcome-upsell.btapp (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\uttD.tmp.new (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\utt13.tmp.new (28 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1844237615-1960408961-1801674531-1003\1f91d2d17ea675d4c2c3192e241743f9_75ed9567-aa58-4c8e-a8ea-3cad7c47ab03 (105 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\maindoc.ico (63 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TarF.tmp (2712 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\favicon.ico (1 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\Internet Explorer Settings.exe (9958 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\SafetyNutManager.exe (44197 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\x64\Internet Explorer Settings.exe (9866 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\x64\safetynut_ie.dll (18892 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\safetynut.dll (19938 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\x64\safetyldr_u.dll (24 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\safetyldr.dll (20 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\safetyChrome.dll (2309 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\configmgrc1.cfg (31 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\Internet Explorer Settings Update.exe (9483 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\safetyldr_u.dll (946 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\x64\safetynut.dll (17899 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\x64\Internet Explorer Settings Update.exe (11380 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\x64\safetycrt.dll (5792 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\safetynut_ie.dll (18311 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\safetynut.exe (29145 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\x64\configmgrc1.cfg (36 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\safetycrt.dll (4877 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\x64\safetyldr.dll (24 bytes)
%Documents and Settings%\All Users\Application Data\SafetyNut\general.cfg (1 bytes)
%Documents and Settings%\All Users\Application Data\SafetyNut\S-1-5-21-1844237615-1960408961-1801674531-1003.cfg (2286 bytes)
%Documents and Settings%\All Users\Application Data\SafetyNut\coordinator.cfg (2376 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\featuredContent.btapp.new (14 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1844237615-1960408961-1801674531-1003\a95ad83f71905e5ff772e9a4bdeb9c5c_75ed9567-aa58-4c8e-a8ea-3cad7c47ab03 (80 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\icon[1].ico (392 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\dlimagecache\EE373FDA61485ABE5F4B245DA161C0BF687A66B2 (4553 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\icon[2].ico (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\fileserve[1] (917 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar3C.tmp (2712 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\plus.btapp.new (796 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\icon[1].ico (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\dlimagecache\D42401539C30207709C00CDA9B6D8C1AFF03DBE5 (2881 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\fileserve[1].png (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\fileserve[1].css (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\icon[1].ico (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab3B.tmp (54 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\icon[2].ico (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\blank[1].htm (109 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\icon[1].ico (392 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\utorrent.lng (7386 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\dlimagecache\165F6EF40A81DD175FFAEA69E77ABFD30B27E71C (119 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@localhost[2].txt (174 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\dlimagecache\10E6FBE4D921B475FA5FEC6E9A535A540D6FEED1 (318 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\utt3D.tmp (731 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\updates\3.4.1_30888.exe (7971 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\updates.dat (1845 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\utt3E.tmp (9836 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\utt39.tmp.new (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\31.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\install_statistics[1].xml (498 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx18\nsk1C.tmp\mediabar.exe (19152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1E.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx18.tmp\ns3A.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2A.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\24.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2F.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx18\Helper.dll (63950 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2C.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx18.tmp\registry.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\21.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx18.tmp\UserInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\25.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\26.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx18\nsk1C.tmp\pack.exe (110155 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx18.tmp\ns37.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\23.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\34.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx18.tmp\nsExec.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc16.tmp (259636 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx18.tmp\ns47.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\33.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\22.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2D.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx18.tmp\ns44.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1D.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx18\Starter.exe (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx18.tmp\ns43.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2E.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\28.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\29.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx18.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\27.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\32.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\35.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\30.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2B.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx18.tmp\ns36.tmp (6 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\Uninstall.exe (3616 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\Helper.dll (14988 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\20.tmp (4545 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Browser Tab Search by Ask" = "%Program Files%\Browser Tab Search by Ask\SafetyNut\BrowserTabSearch\msbloader.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"uTorrent" = "%Documents and Settings%\%current user%\Application Data\uTorrent\uTorrent.exe /MINIMIZED"
- Check the following Winlogon value (How to Work with System Registry). AutoRestartShell = 1 is the Windows default and only makes Winlogon restart the shell if it exits; it does not reference the Trojan, so it only needs changing if it has been set to something else:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoRestartShell" = "1"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: BitTorrent Inc.
Product Name: HD Player
Product Version: 3.4.1.30888
Legal Copyright: (c)2014 BitTorrent, Inc. All Rights Reserved.
Legal Trademarks:
Original Filename: uTorrent.exe
Internal Name: uTorrent.exe
File Version: 3.4.1.30888
File Description:
Comments:
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
UPX0 | 4096 | 2093056 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
UPX1 | 2097152 | 1138688 | 1135104 | 5.54501 | d9be275472bbc3e9e8b0df4ee03ffaa8 |
.rsrc | 3235840 | 126976 | 123904 | 4.8819 | d6dbb5db1451f22526321545f9b1906d |
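The section table above is the classic UPX layout: UPX0 has a 2 MB virtual size but zero bytes on disk (the unpacking stub fills it at run time), UPX1 holds the compressed image, and that is what the "Entropy: Packed" verdict in the summary rests on. The same header check settles what configmgrc1.cfg is: it appears in the Dropped PE files table, so the "configuration file" loaded as a driver under Rootkit activity is a PE image regardless of its extension. The following Python is an added example, not code from the Lavasoft report or from the sample; it parses the DOS, COFF and section headers, computes per-section Shannon entropy, and applies the packing heuristics. The bytes it runs on are constructed by build_sample_pe (a test fixture, not a loadable executable and not the sample analysed here): the section names and the UPX0 virtual size are copied from the table above, the section contents are invented.

```python
import math
import struct


def shannon_entropy(data):
    """Shannon entropy in bits per byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def is_pe(data):
    """True if the bytes start with an MZ header whose e_lfanew points at a 'PE\\0\\0' signature.
    Use this, not the file extension, to decide what a dropped file is."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def pe_sections(data):
    """Return [(name, virtual_size, raw_size, entropy)] from the PE section table."""
    if not is_pe(data):
        raise ValueError("not a PE image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    nsec = struct.unpack_from("<H", data, pe + 6)[0]        # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]   # COFF SizeOfOptionalHeader
    sec_off = pe + 24 + opt_size                            # section table follows the optional header
    out = []
    for i in range(nsec):
        hdr = data[sec_off + 40 * i:sec_off + 40 * (i + 1)]
        name = hdr[:8].rstrip(b"\0").decode("ascii", "replace")
        vsize, _vaddr, rsize, rptr = struct.unpack_from("<IIII", hdr, 8)
        out.append((name, vsize, rsize, shannon_entropy(data[rptr:rptr + rsize])))
    return out


def packer_indicators(sections):
    """Heuristics behind a 'packed' verdict: an on-disk-empty section with a large virtual size
    (the unpacker's target), packer-named sections, and near-random section contents."""
    hits = []
    for name, vsize, rsize, ent in sections:
        if rsize == 0 and vsize > 0:
            hits.append(f"{name}: raw size 0, virtual size {vsize} (filled at run time)")
        if name.upper().startswith("UPX"):
            hits.append(f"{name}: UPX section name")
        if ent > 7.0:
            hits.append(f"{name}: entropy {ent:.2f} (compressed or encrypted)")
    return hits


def build_sample_pe(sections):
    """Construct a minimal PE32 image (DOS header, COFF header, 224-byte optional header,
    section table, section data). Test fixture only; it is not loadable."""
    opt_size, n = 224, len(sections)
    hdr_len = 0x40 + 4 + 20 + opt_size + 40 * n
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)              # PE32 magic
    table, body, ptr = b"", b"", hdr_len
    for name, vsize, raw in sections:
        table += struct.pack("<8sIIIIIIHHI", name, vsize, 0, len(raw),
                             ptr if raw else 0, 0, 0, 0, 0, 0x60000020)
        body += raw
        ptr += len(raw)
    return dos + coff + opt + table + body


# Constructed fixture: names and the UPX0 virtual size match the table above; contents are invented.
SAMPLE_PE = build_sample_pe([
    (b"UPX0", 2093056, b""),                    # nothing on disk, 2 MB reserved for the unpacked image
    (b"UPX1", 4096, bytes(range(256)) * 16),    # stand-in for compressed code: every byte value equally often
    (b".rsrc", 1024, b"A" * 1024),              # constant data, entropy 0
])

if __name__ == "__main__":
    for name, vsize, rsize, ent in pe_sections(SAMPLE_PE):
        print(f"{name:8} vsize={vsize:<8} rsize={rsize:<6} entropy={ent:.3f}")
    print("\n".join(packer_indicators(pe_sections(SAMPLE_PE))))
```

On a real file, read the bytes and call pe_sections() on them; the section MD5s in the table above can be reproduced with hashlib over the same data[rptr:rptr + rsize] slices, which is a quick way to confirm a suspect file on disk is the same build the report describes.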
Dropped from:
Downloaded by:
Similar by SSDeep:
0f205f276e833adcd79f1a2841709b0e
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://82.221.103.246/updatestats.php?cl=uTorrent&v=109279400&h=Zf-p1aLbPnMH0rQ9&k=&ip=8&dns=47&con=47&dl=11781&dlurl=http://ll.download3.utorrent.com/offers/imesh-en-20140501.exe&svp=4&pid=1232&sz=6656336&bin=toolbar&p1=192.168.220.2&m1=0&p2=192.168.50.10&m2=0&p3=193.138.244.233&m3=5&p4=10.235.0.11&m4=1&p5=193.138.244.106&m5=1&p6=193.138.244.138&m6=0&p7=149.6.76.41&m7=1&p8=154.54.38.138&m8=10&p9=130.117.49.133&m9=29&p10=154.54.36.9&m10=37&p11=154.54.38.49&m11=41&p12=154.54.73.74&m12=41&p13=149.6.140.2&m13=56&p14=87.248.217.254&m14=40 | |
hxxp://82.221.103.246/installstats.php?cl=uTorrent&v=109279400&h=Zf-p1aLbPnMH0rQ9&w=A280105&bu=0&pr=0&cmp=129&ocmp=129&gettbinstallresult&pid=1232&cau=0&tbinstallresult=3&cbhomepage=1&cbsearch=1&error=0&msg=&tb=imesh&url=http://ll.download3.utorrent.com/offers/imesh-en-20140501.exe&prog=100&t=&view=win32 | |
hxxp://com-utorrent-prod-bench-290894750.us-east-1.elb.amazonaws.com/e?i=BBDCA0D217103CFB32DCB812A9B32D1CE3C4B663 | |
hxxp://utorrent.com/download/langpacks/dl.php?build=30888&ref=client&client=utorrent&sys_l=en&sel_l=0&tk=stable34 | 98.143.146.7 |
hxxp://com-utorrent-prod-bench-290894750.us-east-1.elb.amazonaws.com/e?i=21 | |
hxxp://d3abeplup23idj.cloudfront.net/ | |
hxxp://com-utorrent-prod-bench-290894750.us-east-1.elb.amazonaws.com/e?i=29 | |
hxxp://bittorrent.hs.llnwd.net/download/langpacks/dl.php?build=30888&ref=client&client=utorrent&sys_l=en&sel_l=0&tk=stable34 | |
hxxp://update.bittorrent.com/time.php | 67.215.246.204 |
hxxp://s3-website-us-east-1.amazonaws.com/plus/utorrent/index.html | |
hxxp://bittorrent.hs.llnwd.net/scripts/dl.php?build=30888&ref=client&client=utorrent&sys_l=en&sel_l=0&tk=stable34 | |
hxxp://a1859.b.akamai.net/static/magicsbox/JITFeature.xml | |
hxxp://bittorrent.vo.llnwd.net/blank.html | |
hxxp://bittorrent.vo.llnwd.net/utorrent-onboarding/welcome-upsell.btapp?h=Zf-p1aLbPnMH0rQ9&v=109279400&ol=en&ul=&tk=stable34&c=uTorrent | |
hxxp://bittorrent.vo.llnwd.net/utorrent-onboarding/player.btapp?h=Zf-p1aLbPnMH0rQ9&v=109279400&ol=en&ul=&tk=stable34&c=uTorrent | |
hxxp://www187a.apnanalytics.com/tr.gif?anxa=APNMSB&anxe=InstallerEvent&anxp=^BE3^TCH001^YY^US&anxr=3019EFB9-86F7-467A-8CBC-8AE7E27FDCB7&anxt=1186403004234042&anxv=3.0.0.0&anxtv=3.0.0.0&tpid=BTR-BTS&apn_dbr=IE&o=APN11459&trgb=IE&installationResult=success&ieVersionInstalled=6.0.2900.5512&ffVersionInstalled=&crVersionInstalled= | |
hxxp://com-utorrent-prod-bench-290894750.us-east-1.elb.amazonaws.com/e?i=32 | |
hxxp://update.utorrent.com/checkupdate.php?s=1&cl=uTorrent&v=109279400&l=en&svp=4&svn_revno=30888&tk=stable34&period=7&sids=0,0,0,0,0&lv=3063507_0_&c=US&w=A280105&h=Zf-p1aLbPnMH0rQ9&mts=31&nat_state=255&it=12&pc=23&sctl=1&shdi=1&def_tor=1&doainstalled=0&ie=6.0.2900.5512&xim=3&insvr=109279400&sss=7&rsb=2&rtsb=7&view=win32&cmp=129&ocmp=129&plus=3&adc=1&ch_up=1?ssb=48&ssu=11644473645&xseq=0 | 67.215.246.203 |
hxxp://com-utorrent-prod-bench-290894750.us-east-1.elb.amazonaws.com/e?i=20 | |
hxxp://mininova.org/favicon.ico | |
hxxp://s3-website-us-east-1.amazonaws.com/images/mobile-icon.png | |
hxxp://snutbe-lb-1790352312.us-east-1.elb.amazonaws.com/login | |
hxxp://snutbe-lb-1790352312.us-east-1.elb.amazonaws.com/install_statistics.php | |
hxxp://d145enxyh9g9og.cloudfront.net/control/tags/ut.json | |
hxxp://engine3-774595980.us-east-1.elb.amazonaws.com/api/v2 | |
hxxp://gp1.wac.v2cdn.net/Advertisers/221c05127fdd449a83a22ee524747d56.png | |
hxxp://engine3-774595980.us-east-1.elb.amazonaws.com/i.gif?e=eyJhdiI6MzY0OTMsImF0Ijo5LCJjbSI6MTEyMjM3LCJjaCI6ODc4NSwiY3IiOjMyNTMzNSwiZGkiOiJhZGM0NDAxNzZjNDM0NWEzOTI5MzM4MWVhNTUxZWQ1YiIsImRtIjoxLCJmYyI6NDAxMjY4LCJmbCI6MjAyMjgzLCJrdyI6ImNsaWVudGRhdGE9dXRvcnJlbnR8My40LjEuMzA4ODh8MTI5LGlldmVyc2lvbj02LGZsYXNoPTExLDYsNjAyLDE2OCIsIm53Ijo1NjgyLCJwYyI6MC4wOCwicHIiOjIzNzU1LCJydCI6Mywic3QiOjMzMDQ5LCJ0ciI6dHJ1ZSwidWsiOiJ1ZTEtNDBiOWI0Njc0ZWE2NDA4M2IwMGRmNzBiYWY5YTBkMTIiLCJ0cyI6MTM5OTU2NDYxNjgwMywiZnEiOjF9&s=0xbULDKJwEbnCTKfEJE4HTww2v0 | |
hxxp://engine3-774595980.us-east-1.elb.amazonaws.com/i.gif?e=eyJhdiI6MzY0OTMsImF0Ijo5LCJjbSI6MTEyMjM3LCJjaCI6ODc4NSwiY3IiOjMyNTMzNSwiZGkiOiIwN2U1Y2EwMTFjNjA0OGIwOWZjMDQzOWYxYjZmMWM2OCIsImRtIjoxLCJmYyI6NDAxMjY4LCJmbCI6MjAyMjgzLCJrdyI6ImNsaWVudGRhdGE9dXRvcnJlbnR8My40LjEuMzA4ODh8MTI5LGlldmVyc2lvbj02LGZsYXNoPTExLDYsNjAyLDE2OCIsIm53Ijo1NjgyLCJwYyI6MC4wOCwicHIiOjIzNzU1LCJydCI6Mywic3QiOjMzMDQ5LCJ0ciI6dHJ1ZSwidWsiOiJ1ZTEtMTlmOTBhZTU1NmYxNDAwNjhmYTJmY2NiYTYzNDllZmMiLCJ0cyI6MTM5OTU2NDU3NzY0OSwiZnEiOjF9&s=_aXHUHscZAqqLpmUBMg4gbYuRng | |
hxxp://gp1.wac.v2cdn.net/Advertisers/9dfc37a6c8164a3385188bdd31c70ef4.png | |
hxxp://engine3-774595980.us-east-1.elb.amazonaws.com/i.gif?e=eyJhdiI6MzY0OTMsImF0IjoxMjI0LCJjbSI6MTEyMjM3LCJjaCI6ODc4NSwiY3IiOjMyNTIyOSwiZGkiOiJmZWU0ZDU3ZjU2NTE0ZjY2OGM4NzU0ZjVkNzVlODU0NyIsImRtIjoxLCJmYyI6NDAxMTYxLCJmbCI6MjAyMjY2LCJrdyI6ImNsaWVudGRhdGE9dXRvcnJlbnR8My40LjEuMzA4ODh8MTI5LGlldmVyc2lvbj02LGZsYXNoPTExLDYsNjAyLDE2OCIsIm53Ijo1NjgyLCJwYyI6MC4wMiwicHIiOjIzNzU1LCJydCI6Mywic3QiOjMzMDQ5LCJ0ciI6dHJ1ZSwidWsiOiJ1ZTEtNDBiOWI0Njc0ZWE2NDA4M2IwMGRmNzBiYWY5YTBkMTIiLCJ0cyI6MTM5OTU2NDYwNDYwNCwiZnEiOjF9&s=pk8R5HxZS5eOuKIDAQYavvRWR_I | |
hxxp://static.ap.bittorrent.com/Advertisers/221c05127fdd449a83a22ee524747d56.png | 93.184.220.20 |
hxxp://apnstatic.ask.com/static/magicsbox/JITFeature.xml | 212.30.134.213 |
hxxp://apps.bittorrent.com/utorrent-onboarding/welcome-upsell.btapp?h=Zf-p1aLbPnMH0rQ9&v=109279400&ol=en&ul=&tk=stable34&c=uTorrent | 87.248.217.254 |
hxxp://ads.bittorrent.com/blank.html | 87.248.217.253 |
hxxp://utclient.utorrent.com/images/mobile-icon.png | 205.251.243.204 |
hxxp://engine.ap.bittorrent.com/i.gif?e=eyJhdiI6MzY0OTMsImF0Ijo5LCJjbSI6MTEyMjM3LCJjaCI6ODc4NSwiY3IiOjMyNTMzNSwiZGkiOiJhZGM0NDAxNzZjNDM0NWEzOTI5MzM4MWVhNTUxZWQ1YiIsImRtIjoxLCJmYyI6NDAxMjY4LCJmbCI6MjAyMjgzLCJrdyI6ImNsaWVudGRhdGE9dXRvcnJlbnR8My40LjEuMzA4ODh8MTI5LGlldmVyc2lvbj02LGZsYXNoPTExLDYsNjAyLDE2OCIsIm53Ijo1NjgyLCJwYyI6MC4wOCwicHIiOjIzNzU1LCJydCI6Mywic3QiOjMzMDQ5LCJ0ciI6dHJ1ZSwidWsiOiJ1ZTEtNDBiOWI0Njc0ZWE2NDA4M2IwMGRmNzBiYWY5YTBkMTIiLCJ0cyI6MTM5OTU2NDYxNjgwMywiZnEiOjF9&s=0xbULDKJwEbnCTKfEJE4HTww2v0 | 174.129.25.157 |
hxxp://engine.ap.bittorrent.com/api/v2 | 174.129.25.157 |
hxxp://www.utorrent.com/scripts/dl.php?build=30888&ref=client&client=utorrent&sys_l=en&sel_l=0&tk=stable34 | 95.140.224.171 |
hxxp://apps.bittorrent.com/utorrent-onboarding/player.btapp?h=Zf-p1aLbPnMH0rQ9&v=109279400&ol=en&ul=&tk=stable34&c=uTorrent | 87.248.217.254 |
hxxp://cdn.ap.bittorrent.com/control/tags/ut.json | 54.230.201.119 |
hxxp://static.ap.bittorrent.com/Advertisers/9dfc37a6c8164a3385188bdd31c70ef4.png | 93.184.220.20 |
hxxp://bundles.bittorrent.com/ | 54.230.201.155 |
hxxp://bench.utorrent.com/e?i=20 | 54.225.143.149 |
hxxp://preved.safetynutbe.com/login | 174.129.22.63 |
hxxp://bench.utorrent.com/e?i=BBDCA0D217103CFB32DCB812A9B32D1CE3C4B663 | 54.225.143.149 |
hxxp://bench.utorrent.com/e?i=29 | 54.225.143.149 |
hxxp://www.mininova.org/favicon.ico | 80.94.76.5 |
hxxp://update.utorrent.li/installstats.php?cl=uTorrent&v=109279400&h=Zf-p1aLbPnMH0rQ9&w=A280105&bu=0&pr=0&cmp=129&ocmp=129&gettbinstallresult&pid=1232&cau=0&tbinstallresult=3&cbhomepage=1&cbsearch=1&error=0&msg=&tb=imesh&url=http://ll.download3.utorrent.com/offers/imesh-en-20140501.exe&prog=100&t=&view=win32 | |
hxxp://bench.utorrent.com/e?i=21 | 54.225.143.149 |
hxxp://phn.apnanalytics.com/tr.gif?anxa=APNMSB&anxe=InstallerEvent&anxp=^BE3^TCH001^YY^US&anxr=3019EFB9-86F7-467A-8CBC-8AE7E27FDCB7&anxt=1186403004234042&anxv=3.0.0.0&anxtv=3.0.0.0&tpid=BTR-BTS&apn_dbr=IE&o=APN11459&trgb=IE&installationResult=success&ieVersionInstalled=6.0.2900.5512&ffVersionInstalled=&crVersionInstalled= | 199.36.100.187 |
hxxp://engine.ap.bittorrent.com/i.gif?e=eyJhdiI6MzY0OTMsImF0Ijo5LCJjbSI6MTEyMjM3LCJjaCI6ODc4NSwiY3IiOjMyNTMzNSwiZGkiOiIwN2U1Y2EwMTFjNjA0OGIwOWZjMDQzOWYxYjZmMWM2OCIsImRtIjoxLCJmYyI6NDAxMjY4LCJmbCI6MjAyMjgzLCJrdyI6ImNsaWVudGRhdGE9dXRvcnJlbnR8My40LjEuMzA4ODh8MTI5LGlldmVyc2lvbj02LGZsYXNoPTExLDYsNjAyLDE2OCIsIm53Ijo1NjgyLCJwYyI6MC4wOCwicHIiOjIzNzU1LCJydCI6Mywic3QiOjMzMDQ5LCJ0ciI6dHJ1ZSwidWsiOiJ1ZTEtMTlmOTBhZTU1NmYxNDAwNjhmYTJmY2NiYTYzNDllZmMiLCJ0cyI6MTM5OTU2NDU3NzY0OSwiZnEiOjF9&s=_aXHUHscZAqqLpmUBMg4gbYuRng | 174.129.25.157 |
hxxp://service.safetynutbe.com/install_statistics.php | 50.17.206.223 |
hxxp://update.utorrent.li/updatestats.php?cl=uTorrent&v=109279400&h=Zf-p1aLbPnMH0rQ9&k=&ip=8&dns=47&con=47&dl=11781&dlurl=http://ll.download3.utorrent.com/offers/imesh-en-20140501.exe&svp=4&pid=1232&sz=6656336&bin=toolbar&p1=192.168.220.2&m1=0&p2=192.168.50.10&m2=0&p3=193.138.244.233&m3=5&p4=10.235.0.11&m4=1&p5=193.138.244.106&m5=1&p6=193.138.244.138&m6=0&p7=149.6.76.41&m7=1&p8=154.54.38.138&m8=10&p9=130.117.49.133&m9=29&p10=154.54.36.9&m10=37&p11=154.54.38.49&m11=41&p12=154.54.73.74&m12=41&p13=149.6.140.2&m13=56&p14=87.248.217.254&m14=40 | |
hxxp://engine.ap.bittorrent.com/i.gif?e=eyJhdiI6MzY0OTMsImF0IjoxMjI0LCJjbSI6MTEyMjM3LCJjaCI6ODc4NSwiY3IiOjMyNTIyOSwiZGkiOiJmZWU0ZDU3ZjU2NTE0ZjY2OGM4NzU0ZjVkNzVlODU0NyIsImRtIjoxLCJmYyI6NDAxMTYxLCJmbCI6MjAyMjY2LCJrdyI6ImNsaWVudGRhdGE9dXRvcnJlbnR8My40LjEuMzA4ODh8MTI5LGlldmVyc2lvbj02LGZsYXNoPTExLDYsNjAyLDE2OCIsIm53Ijo1NjgyLCJwYyI6MC4wMiwicHIiOjIzNzU1LCJydCI6Mywic3QiOjMzMDQ5LCJ0ciI6dHJ1ZSwidWsiOiJ1ZTEtNDBiOWI0Njc0ZWE2NDA4M2IwMGRmNzBiYWY5YTBkMTIiLCJ0cyI6MTM5OTU2NDYwNDYwNCwiZnEiOjF9&s=pk8R5HxZS5eOuKIDAQYavvRWR_I | 174.129.25.157 |
hxxp://utclient.utorrent.com/plus/utorrent/index.html | 205.251.243.204 |
hxxp://www.utorrent.com/download/langpacks/dl.php?build=30888&ref=client&client=utorrent&sys_l=en&sel_l=0&tk=stable34 | 95.140.224.171 |
hxxp://bench.utorrent.com/e?i=32 | 54.225.143.149 |
router.utorrent.com | 67.215.242.139 |
router.bittorrent.com | 67.215.242.138 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
POST /e?i=20 HTTP/1.1
Host: bench.utorrent.com
User-Agent: BTWebClient/3410(30888)
Accept-Encoding: gzip
Connection: Close
Content-Length: 295
{"h":"Zf-p1aLbPnMH0rQ9","cl":"uTorrent","v":109279400,"l":"en","w":"5.1","cts":1399564601,"eventName":"ap","fte":1,"lre":1,"ltic_0":0,"ltic_1":1,"lcic_0":0,"lcic_1":0,"laae":0,"lare":0,"laie":0,"lame":0,"name":"impression","errCode":0,"requestTime":1399564601,"action":"client.az.impression.ua"}
HTTP/1.1 200 OK
Content-Type: text/html
Date: Thu, 08 May 2014 15:55:59 GMT
Server: nginx/1.4.7
X-Powered-By: PHP/5.4.27
Content-Length: 21
Connection: Close
{"response_code":200}..
POST /e?i=20 HTTP/1.1
Host: bench.utorrent.com
User-Agent: BTWebClient/3410(30888)
Accept-Encoding: gzip
Connection: Close
Content-Length: 299
{"h":"Zf-p1aLbPnMH0rQ9","cl":"uTorrent","v":109279400,"l":"en","w":"5.1","cts":1399564601,"eventName":"ap","fte":1,"lre":1,"ltic_0":0,"ltic_1":0,"lcic_0":0,"lcic_1":0,"laae":0,"lare":0,"laie":0,"lame":0,"name":"siteId","errCode":0,"requestTime":1399564601,"action":"client.az.error.badsiteid.33049"}
HTTP/1.1 200 OK
Content-Type: text/html
Date: Thu, 08 May 2014 15:56:45 GMT
Server: nginx/1.4.7
X-Powered-By: PHP/5.4.27
Content-Length: 21
Connection: Close
{"response_code":200}..
POST /e?i=20 HTTP/1.1
Host: bench.utorrent.com
User-Agent: BTWebClient/3410(30888)
Accept-Encoding: gzip
Connection: Close
Content-Length: 293
{"h":"Zf-p1aLbPnMH0rQ9","cl":"uTorrent","v":109279400,"l":"en","w":"5.1","cts":1399564601,"eventName":"ap","fte":1,"lre":1,"ltic_0":0,"ltic_1":0,"lcic_0":0,"lcic_1":0,"laae":0,"lare":0,"laie":0,"lame":0,"name":"adrequest","errCode":0,"requestTime":1399564601,"action":"client.az.adrequest.ua"}
HTTP/1.1 200 OK
Content-Type: text/html
Date: Thu, 08 May 2014 15:56:15 GMT
Server: nginx/1.4.7
X-Powered-By: PHP/5.4.27
Content-Length: 21
Connection: Close
{"response_code":200}..
GET /download/langpacks/dl.php?build=30888&ref=client&client=utorrent&sys_l=en&sel_l=0&tk=stable34 HTTP/1.1
Host: VVV.utorrent.com
User-Agent: BTWebClient/3410(30888)
Accept-Encoding: gzip
Connection: Close
HTTP/1.1 301 Moved Permanently
Server: nginx/1.4.7
Date: Thu, 08 May 2014 15:56:01 GMT
Content-Type: text/html
Location: hXXp://VVV.utorrent.com/scripts/dl.php?build=30888&ref=client&client=utorrent&sys_l=en&sel_l=0&tk=stable34
Content-Length: 184
Connection: close
<html>..<head><title>301 Moved Permanently</title></head>..<body bgcolor="white">..<center><h1>301 Moved Permanently</h1></center>..<hr><center>nginx/1.4.7</center>..</body>..</html>....
GET /blank.html HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ads.bittorrent.com
Connection: Keep-Alive
HTTP/1.1 200 OK
x-amz-id-2: JWxhIKHNdEwAJuxjFoqm4a368O1LevOk82iD08REKC CGMW ePYeIhEWUCRcE0nd
x-amz-request-id: B631848566C2C6A8
Content-Type: text/html
Server: AmazonS3
Age: 238787
Date: Thu, 08 May 2014 15:56:02 GMT
Last-Modified: Thu, 23 Jan 2014 18:56:38 GMT
Content-Length: 109
Connection: keep-alive
<!DOCTYPE html>.<html>.<head>.</head>.<body style="overflow: hidden; margin: 0; padding: 0;">.</body>.</html>
GET /i.gif?e=eyJhdiI6MzY0OTMsImF0Ijo5LCJjbSI6MTEyMjM3LCJjaCI6ODc4NSwiY3IiOjMyNTMzNSwiZGkiOiJhZGM0NDAxNzZjNDM0NWEzOTI5MzM4MWVhNTUxZWQ1YiIsImRtIjoxLCJmYyI6NDAxMjY4LCJmbCI6MjAyMjgzLCJrdyI6ImNsaWVudGRhdGE9dXRvcnJlbnR8My40LjEuMzA4ODh8MTI5LGlldmVyc2lvbj02LGZsYXNoPTExLDYsNjAyLDE2OCIsIm53Ijo1NjgyLCJwYyI6MC4wOCwicHIiOjIzNzU1LCJydCI6Mywic3QiOjMzMDQ5LCJ0ciI6dHJ1ZSwidWsiOiJ1ZTEtNDBiOWI0Njc0ZWE2NDA4M2IwMGRmNzBiYWY5YTBkMTIiLCJ0cyI6MTM5OTU2NDYxNjgwMywiZnEiOjF9&s=0xbULDKJwEbnCTKfEJE4HTww2v0 HTTP/1.1
Host: engine.ap.bittorrent.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0 Windows NT 5.1; Trident/2.0)(30888)
Accept-Encoding: gzip
Accept-Language: en-US
Connection: Close
HTTP/1.1 200 OK
Access-Control-Allow-Headers: accept, origin, content-type, content-length
Access-Control-Allow-Methods: GET,PUT,POST,DELETE,OPTIONS
Access-Control-Allow-Origin: *
Content-Type: image/gif
Date: Thu, 08 May 2014 15:56:38 GMT
Server: nginx/1.1.19
Set-Cookie: azk=ue1-40b9b4674ea64083b00df70baf9a0d12; Path=/; Expires=Fri, 08 May 2015 15:56:38 GMT
Set-Cookie: azk-events=W3siYXYiOjM2NDkzLCJhdCI6OSwiY20iOjExMjIzNywiY2giOjg3ODUsImNyIjozMjUzMzUsImRpIjoiYWRjNDQwMTc2YzQzNDVhMzkyOTMzODFlYTU1MWVkNWIiLCJkbSI6MSwiZmMiOjQwMTI2OCwiZmwiOjIwMjI4Mywia3ciOiJjbGllbnRkYXRhPXV0b3JyZW50fDMuNC4xLjMwODg4fDEyOSxpZXZlcnNpb249NixmbGFzaD0xMSw2LDYwMiwxNjgiLCJudyI6NTY4MiwicGMiOjAuMDgsInByIjoyMzc1NSwicnQiOjMsInN0IjozMzA0OSwidHIiOnRydWUsInVrIjoidWUxLTQwYjliNDY3NGVhNjQwODNiMDBkZjcwYmFmOWEwZDEyIiwidHMiOjEzOTk1NjQ2MTY4MDMsImNpIjoiNGQ4YzYxNGM3YmYwNDcyNzk5M2VjN2E3MTJkZDQ2OWQiLCJjdiI6MX1d; Path=/; Expires=Sat, 07 Jun 2014 15:56:38 GMT
x-powered-by: adzerk bifrost/
x-served-by: engine-us-east-1b-21
Content-Length: 43
Connection: Close
GIF89a.............!.......,...........D..;..
POST /e?i=20 HTTP/1.1
Host: bench.utorrent.com
User-Agent: BTWebClient/3410(30888)
Accept-Encoding: gzip
Connection: Close
Content-Length: 299
{"h":"Zf-p1aLbPnMH0rQ9","cl":"uTorrent","v":109279400,"l":"en","w":"5.1","cts":1399564600,"eventName":"ap","fte":1,"lre":1,"ltic_0":0,"ltic_1":0,"lcic_0":0,"lcic_1":0,"laae":0,"lare":0,"laie":0,"lame":0,"name":"siteId","errCode":0,"requestTime":1399564600,"action":"client.az.error.badsiteid.33049"}
HTTP/1.1 200 OK
Content-Type: text/html
Date: Thu, 08 May 2014 15:57:02 GMT
Server: nginx/1.4.7
X-Powered-By: PHP/5.4.27
Content-Length: 21
Connection: Close
{"response_code":200}..
POST /install_statistics.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE; Win32)
Host: service.safetynutbe.com
Content-Length: 1646
Cache-Control: no-cache
XML=<secure_request><salt>488</salt><data>4gXg6gQOl3lzDy/i4URJaYxQXybBKPh1MQwKWnj77wppbe1HOPyhHF8GMMS6AE0QXAZ34dwtcLTFncC3ckE45Xbr0hhA41f7smIeORMx5rJJOR pv3HG97Cnr7/F i8bvpLYd ZN8Qf79UPLZhTXwzHvVvz jp9VVEQkzOIEBQYovhuhg7hxEnHi8sjqt4JmQmmMjNFc eXQF1nekFjFa8Yz2obozJOPGYtoQF8lEH2dPqU7GuvqaARQJHzkWrYs93e3qxSCf8fMEStHa9GF/khw7cmzoUXm2jJnibz0tkzkoMoAfpLB5txm9s wWEM IAzwbvG09fdUdXOBlciGYx01XT8RsuK GDtOcnstSdki7e9npngWCwgp31TNXZl96YdnDRJNSoTRqAyTTEYkc RwBQ59RIH74/Toia4kdO2zGe7w2OWWaw7q5uonidm4XhNZ1I6b9JvLMEUx2ykUe/as zwiG f0daZCxXYAsy seJkYoMHlE4pWpZQmXetEvmBQuX4kV/pXZJfPPw8Pb2HOacSrmTlEtM99LrKUJgJMG6spqXOkMLfJxBpo5Aw3m5LqsO0Kup6Zoy14Hauwoda479FF58EH2PUdVPPkL8MLi4IrsoJNPaAGMhVK258odIanAOOwnzFgfY9POeuL8v4sgzs8UGsjlPi9NsTKZsbCShC76HVZ6IrXUTV6uDFiWWlw5Yiy19r/JsgI7cdSNmmyzrKaEABDtEPMqJP2f5HN1o9UNxH3XBTiyCSjbpJGqBFOsLJB8IkJJlrJxW7iIakSGh 91ihgxXQTg04FL1dqD5vGGZpwJPq1hqcfLXYv5nZIRckhRZVAbOlmL7qHGKCAp4hMrRhz3gdFPoD5G8lWZuqsHkxbJDRELfKdkzkGINcjHrAl2h3j13oq2ZMOWxmnDWWwYlRJ/oulHKkE2PyXXNNhFOWNKnEemibWeqrPJlkx110IC2LdHmAuIZTCvQwZZ84FpkL6 9p5MxJn9jH8YPRRLzSkLZPMjbAeahvvikRW4FIVHtgE FRrCQVpPkYR6ZxSrwOrMPjGxwGCbS RVA97Gif3l9xbiWa3DRby/w56SgrzCk6erijK/JNaBzNiBn08cS1WQM4lSF/TndlnJybMOAfTohTbHjQaLouHoordTAyuECPJPKjSxKQvWEPNFj15yrwXXEVnDIVhlOT CvCgqY1DTparI4UpeJ5ZvsYSXV51jJiswNukbFOTwf
HTTP/1.1 200 OK
Content-Type: text/xml
Date: Thu, 08 May 2014 15:56:15 GMT
Server: nginx
X-Server: web5
Content-Length: 498
Connection: keep-alive
<?xml version="1.0" encoding="utf-8"?>..<secure_reply>.. <data>4gXg6gQOl3lzDy/i4URJaUxrNbxdn4dVvWpNIIQpGOg2vNNAFBlDG1B08pwXzlt5qRA2qS/WNEuRIU1DCy7nEOsGlw02uzE5qsXoq5uIZnHD5kahgZZZF0lO8izoFM0LK1Yv0ZyU5WcYjAnMoDoXFnAS34Crpj8hX0NrzU4y7yG8UJdta4X3fjuNvEbnYxsGt3C0q4gy3aK94Sczf1 nLmt/jUUQpJS1xKe32kXOLRkcU0eykUN/D2jgKHbepnJInUz56P pARZpB/2iSKMs8y/zSVVL6LOjs4njCpj4sRLqFpTDBXsZNTDdaRmL7I8H6DpYVljbADBFR2P97BCIwOg6WFZY2wAwRUdj/ewQiMDoOlhWWNsAMEVHY/3sEIjAvDfxy7HFSVz 8Q7GdCTsAg==</data>..</secure_reply>..
GET /static/magicsbox/JITFeature.xml HTTP/1.1
User-Agent: MSB User Agent
Host: apnstatic.ask.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Server: Apache
ETag: "ce8b3a1ddf747846227f0437c3025d2b:1378773465"
Last-Modified: Fri, 06 Sep 2013 22:42:28 GMT
Accept-Ranges: bytes
Content-Length: 182
Content-Type: application/xml
Date: Thu, 08 May 2014 15:56:01 GMT
Connection: keep-alive
<?xml version="1.0" encoding="UTF-8"?>..<FeatureProperties>.. <QuickNav enabled="true" />.. <SearchDefense enabled="true" />.. <MSB enabled="true" />..</FeatureProperties>..
GET /installstats.php?cl=uTorrent&v=109279400&h=Zf-p1aLbPnMH0rQ9&w=A280105&bu=0&pr=0&cmp=129&ocmp=129&gettbinstallresult&pid=1232&cau=0&tbinstallresult=3&cbhomepage=1&cbsearch=1&error=0&msg=&tb=imesh&url=http://ll.download3.utorrent.com/offers/imesh-en-20140501.exe&prog=100&t=&view=win32 HTTP/1.1
Accept-Encoding: gzip
User-Agent: uTorrent(30888)/3.4.1
Host: update.utorrent.li
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Thu, 08 May 2014 15:55:55 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/5.4.27
0..
GET /time.php HTTP/1.1
Host: update.bittorrent.com
User-Agent: BTWebClient/3410(30888)
Accept-Encoding: gzip
Connection: Close
HTTP/1.1 404 Not Found
Server: nginx/1.4.7
Date: Thu, 08 May 2014 15:54:53 GMT
Content-Type: text/html
Content-Length: 168
Connection: close
<html>..<head><title>404 Not Found</title></head>..<body bgcolor="white">..<center><h1>404 Not Found</h1></center>..<hr><center>nginx/1.4.7</center>..</body>..</html>....
POST /e?i=BBDCA0D217103CFB32DCB812A9B32D1CE3C4B663 HTTP/1.1
Host: bench.utorrent.com
User-Agent: Hydra HttpRequest
Connection: close
Content-Length: 93
{"eventName":"hydra.compat.good","pid":"1628","h":"BBDCA0D217103CFB32DCB812A9B32D1CE3C4B663"}
HTTP/1.1 200 OK
Content-Type: text/html
Date: Thu, 08 May 2014 15:56:28 GMT
Server: nginx/1.4.7
X-Powered-By: PHP/5.4.27
Content-Length: 21
Connection: Close
{"response_code":200}..
POST /e?i=29 HTTP/1.1
Host: bench.utorrent.com
User-Agent: BTWebClient/3410(30888)
Accept-Encoding: gzip
Connection: Close
Content-Length: 171
{"h":"Zf-p1aLbPnMH0rQ9","cl":"uTorrent","v":109279400,"l":"en","w":"5.1","cts":1399564584,"eventName":"dimensions", "appsize": [ 1200, 600 ], "screensize": [ 1276, 846 ] }
HTTP/1.1 200 OK
Content-Type: text/html
Date: Thu, 08 May 2014 15:56:59 GMT
Server: nginx/1.4.7
X-Powered-By: PHP/5.4.27
Content-Length: 21
Connection: Close
{"response_code":200}..
GET /Advertisers/9dfc37a6c8164a3385188bdd31c70ef4.png HTTP/1.1
Host: static.ap.bittorrent.com
User-Agent: BTWebClient/3410(30888)
Accept-Encoding: gzip
If-Modified-Since: Sun, 1 Jan 1982 00:00:00 GMT
Connection: Close
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Type: image/png
Date: Thu, 08 May 2014 15:56:18 GMT
Etag: "cfe2cb2a3bf8967473c17bb1527f556c"
Expires: Wed, 08 May 2024 02:15:34 GMT
Last-Modified: Tue, 06 May 2014 06:01:37 GMT
Server: ECS (fra/D5B2)
x-amz-id-2: KDj9WmxOxs1qzcW/br/Fb ypgwH4sytBNTVBpiVmmjbvn12GJ7FQqHxs2SHguLb y/BnyEztxrA=
x-amz-request-id: 451702BC3F3EB25E
X-Cache: HIT
Content-Length: 6397
Connection: close
.PNG........IHDR......."......V......IDATx...y\M....[.....EE.2I.THF.(.Q.....1L......L.......!!..&ID."2%E*..=....u.{...J.x....8.9......x.s..T......`0.LgB....`0.....`..N*...`0......h.0.......%^....H|hlG.....N*...`.$c..E.B..D[....n.t.E].L.b0.`'...`0].....B-~.z...n..0...;....... D.".D....K._(.. ..T....tI.fR....U....|.`'...`0].D.b&U... D'.5...t .I.`0.L...r.W..>...Y.......&G......:Za....`.Zup.syk-..n..UR.F".......3.../D.`?...`0..V....~;.k...........IM..p.f...A...7.I...C.}.`.....}..{w.../f.../!.u..Z....of.=(*..-<......G...].N&']...F..z&Q.*/%g..y.....q...s...j...l[\..y7.F.....@.RH6*~ndEv..t....T................0...<.V).7.b.,...5.HPS....t$..y(*..D'.K8.n|..y....~kA...z..oC.....0]......8..X.......7/I.~H.C...`....'9.K.....d..............m...NK......5...FV$..l..B......B`2.22..K D D ..~}..l.x.X.....%...K0.....AW..4K..M...A..::e..Z._.N. b....X..z5...........z.......ig....k..%...u06..h..q:.j...U..0.o*%EQ.'..WSS......0}.Ge....[-.......On..`...;. ].at!U1_.22L.dNj3~..\..@.}p.x...B:.%..%q......E..R.wEZt.ut..|qP..N.a........JI."..J.9UCC..n....o.<H...I>.n7..xa.......w.!%5..c.......1.!.u*).dRyy......}m..'...7:....,.....]..S...{..y..G~m..;.._8w..M...........X..uw..M.......~..........?.n.........4.....%.....Ddv..|W]];w......|.C...\...K...fh.'....;.E}..d0..`jj.......m%..$KY5b...|..P6.......|...a..K?.y....D5.....6[mA...q....4.pg....q...\.Q.RF...IH9z.....}...}.@....Jt.~.....q..}.........=.hl|.0t.@.....v# ..........6[.b,..(_^^.q.R....{.v..mA..~.o.l..hQa..,@....)..f..(..X.2.....zz.d.....D'."..u,.....*..D.X......N.}..O.p....".
<<
<<< skipped >>>
GET /control/tags/ut.json HTTP/1.1
Host: cdn.ap.bittorrent.com
User-Agent: BTWebClient/3410(30888)
Accept-Encoding: gzip
Accept-Language: en-US
Connection: Close
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 3214
Connection: close
Date: Thu, 01 May 2014 20:48:49 GMT
Last-Modified: Thu, 01 May 2014 20:44:08 GMT
ETag: "c0ee2155a9450779c5413f3a4e2627cc"
Accept-Ranges: bytes
Server: AmazonS3
Age: 68847
X-Cache: Hit from cloudfront
Via: 1.1 e89c67951b2bc58773e3664c08702f34.cloudfront.net (CloudFront)
X-Amz-Cf-Id: aoMmTOkgawmjRj2vXYg3yJPYWYSvo1ubcZJ5JlIsgolQ69w5xSCc8A==
{.. "version": 24,.. "adrules": [.. {.. "name": "default",.. "contactRate": 60,.. "adRefreshRate": 360,.. "lrecRefreshRate": 360,.. "ftRefreshRate": 360,.. "resetAds": 0,.. "rollout": 100,.. "enabled": 1,.. "ftEnabled": 1,.. "lrecEnabled": 1,.. "sendConversion": 0.. },.. {.. "name": "refresh_360",.. "adRefreshRate": 360,.. "lrecRefreshRate": 360,.. "ftRefreshRate": 360,.. "resetAds": 0,.. "rollout": 100,.. "enabled": 1,.. "ftEnabled": 1,.. "lrecEnabled": 1,.. "sendConversion": 0,.. "countries": "cn,ee,es,hk,iq,ir,kr,kz,pr,tw,ua,ua,co,ve".. },.. {.. "name": "refresh_60",.. "adRefreshRate": 60,.. "lrecRefreshRate": 60,.. "ftRefreshRate": 60,.. "resetAds": 0,.. "rollout": 100,.. "enabled": 1,.. "ftEnabled": 1,.. "lrecEnabled": 1,.. "sendConversion": 0,.. "countries": "bg,hu,jp,lt,ph,pk,ro,rs,sa,th,eg".. },.. {.. "name": "refresh_30",.. "lrecRefreshRate": 30,.. "ftRefreshRate": 30,.. "rollout": 100,.. "enabled": 1,.. "ftEnabled": 1,.. "lrecEnabled": 1,.. "countries": "cl,ae,ar,gr,is,mx,tr,br,by,cz,in,pt,sg".. },
<<
<<< skipped >>>
GET /utorrent-onboarding/welcome-upsell.btapp?h=Zf-p1aLbPnMH0rQ9&v=109279400&ol=en&ul=&tk=stable34&c=uTorrent HTTP/1.1
Host: apps.bittorrent.com
User-Agent: BTWebClient/3410(30888)
Accept-Encoding: gzip
If-Modified-Since: Tue, 08 Oct 2013 00:54:05 GMT
Connection: Close
HTTP/1.1 304 Not Modified
Content-Type: binary/octet-stream
Age: 68989
Date: Thu, 08 May 2014 15:56:06 GMT
Connection: close
POST /e?i=20 HTTP/1.1
Host: bench.utorrent.com
User-Agent: BTWebClient/3410(30888)
Accept-Encoding: gzip
Connection: Close
Content-Length: 293
{"h":"Zf-p1aLbPnMH0rQ9","cl":"uTorrent","v":109279400,"l":"en","w":"5.1","cts":1399564600,"eventName":"ap","fte":1,"lre":1,"ltic_0":0,"ltic_1":0,"lcic_0":0,"lcic_1":0,"laae":0,"lare":0,"laie":0,"lame":0,"name":"adrequest","errCode":0,"requestTime":1399564600,"action":"client.az.adrequest.ua"}
HTTP/1.1 200 OK
Content-Type: text/html
Date: Thu, 08 May 2014 15:57:16 GMT
Server: nginx/1.4.7
X-Powered-By: PHP/5.4.27
Content-Length: 21
Connection: Close
{"response_code":200}..
POST /login HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 1212
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: preved.safetynutbe.com
Connection: Keep-Alive
XML=
HTTP/1.1 200 OK
Content-Type: text/xml
Date: Thu, 08 May 2014 15:56:08 GMT
Server: nginx
X-Server: web6
Content-Length: 838
Connection: keep-alive
<?xml version="1.0" encoding="utf-8"?>..<secure_reply>.. <data>4gXg6gQOl3lzDy/i4URJaUxrNbxdn4dVvWpNIIQpGOgXYNo6zSJgwSteqjszDWngv12nWLgGrYCMfuy3aPB1F17cXu7BDKKHC4kv6/yNjCMRJaJg1dG5StKj6aNLkim2s1e817zXmpfXO8Py E7FF5qhr d3WAUKqMjQnKSoyS JMvDR0MUisa8gAXOrawPo9VwAal7WrknLHA3JcViZQBFArCMqOty4WBwVRX5RrIbBQjzsx2XQWdCHn Mh/Airf4 hyNa3l/KdVEN2x5Eg4nVDQ1Zp1rg0LA4XLFIoAjvXUDmPz7P0/MtzrUBtPhRymRPqFmjqzL2DO5oFg5QBIJrr21sSWe5EaTWFRCQAUeyiwZOkw8JGxqK0ymIsNxN1i6mcGIHU9Err5zWbBnvOM/dTfXIzf2ohZTdMO/DeK549SO3bXY8nsu3toKaIciBvaL vWvb6W5N0L9IjQjMQf/pO X62IlBqUYvYmz/Mb5PIfStzXdhMIyI9EmV U8gzzR20rSTrNVdnyMFT4LSvarHqG2tjFknEF72JZM/fGd7b/nADvZ558Xlo5rRsqKaiXPqcEvB8zhY7sV4426BilAyO9xqEGmGFtu3bp3MWjpmbR7DxYs1pgVR4bgnmVhXvqvdvBmxfOGBgk34R/SnKQ g6WFZY2wAwRUdj/ewQiMDoOlhWWNsAMEVHY/3sEIjA6DpYVljbADBFR2P97BCIwHsddVl7P0VJAHwVGnOFRmA=</data>..</secure_reply>..HTTP/1.1 200 OK..Content-Type: text/xml..Date: Thu, 08 May 2014 15:56:08 GMT..Server: nginx..X-Server: web6..Content-Length: 838..Connection: keep-alive..<?xml version="1.0" encoding="utf-8"?>..<secure_reply>.. <data>4gXg6gQOl3lzDy/i4URJaUxrNbxdn4dVvWpNIIQpGOgXYNo6zSJgwSteqjszDWngv12nWLgGrYCMfuy3aPB1F17cXu7BDKKHC4kv6/yNjCMRJaJg1dG5StKj6aNLkim2s1e817zXmpfXO8Py E7FF5qhr d3WAUKqMjQnKSoyS JMvDR0MUisa8gAXOrawPo9VwAal7WrknLHA3JcViZQBFArCMqOty4WBwVRX5RrIbBQjzsx2XQWdCHn Mh/Airf4 hyNa3l/KdVEN2x5Eg4nVDQ1Zp1rg0LA4XLFIoAjvXUDmPz7P0/MtzrUBtPhRymRPqFmjqzL2DO5oFg5QBIJrr21sSWe5EaTWFRCQAUeyiwZOkw8JGxqK0ymIsNxN1i6mcGIHU9Err5zWbBnvOM/dTfXIzf2ohZTdMO/DeK549SO3b
<<
<<< skipped >>>
GET /utorrent-onboarding/player.btapp?h=Zf-p1aLbPnMH0rQ9&v=109279400&ol=en&ul=&tk=stable34&c=uTorrent HTTP/1.1
Host: apps.bittorrent.com
User-Agent: BTWebClient/3410(30888)
Accept-Encoding: gzip
Connection: Close
HTTP/1.1 200 OK
x-amz-id-2: kLnNrkgfGAUNBhBwOUtnTaaAPMzN4DSdXHzrxkam8f6mjZV0Qi/hOlv0ELXd7rpV
x-amz-request-id: 04253D8D9662B60E
Accept-Ranges: bytes
Content-Type: binary/octet-stream
Server: AmazonS3
Age: 249573
Date: Thu, 08 May 2014 15:56:02 GMT
Last-Modified: Tue, 08 Oct 2013 00:53:35 GMT
Content-Length: 3097
Connection: close
PK.........c.@!m@.............btappUT....8.O7N.Oux.............-.1.. ..{^.....L...u.M....G..>v.i..f4.6....V/pO...q...S_...d..(..%.5.B.yp..H..Rk..$rb&.......*.......d....959...=&.`@.....(F..)Jz.....1.}....9..PK.........c.@v.7.`...........main.cssUT....8.O7N.Oux..............S.n.0.}. ".....[7e_c..k............i....9....`u...p.'4U..lH)...,.|.....Jn.H...B.bm..:j.R...l@CU...cC.....IK._........,.K.b...<.I.F.]....A...F|#...../.%.$...q8.........-.9%....3......h9 -V...)....gB../.Z.V@.&[..a...!6..\)..QX....f...Qh.......H.....].ZD6....H(-.pSt...sH o^..nu.hB...a.ou......Ng.cEw.`....=_.............H..6..Y.>..7.}!.w...W.W'.........PK.........c.@..yI....6.......icon.bmpUT....8.O7N.Oux.............U....@...>*....<..E.....;....{..Q.....yU-....<...D..4w..@/....c..................wf??...S.&...q.......}7k..).v..Z..l.R.8..;..;9..'..{:=yO.....{.E.>.`"...9..|$..G...#.H...<..<...:x......|!_....|Y..[K...D.TP.Nk..;~......O679'...;~......w....;~....s.w....;~....S.w....;~....3.w....;~.....8~......w.....6...s._..?............N.~..X....../.)./../../.....K.....k........./../../..L...........%$../../../..|.G.x.....-...........?............?............?..r.........,.|.e..?.........s...$xY...O..6.V.S....n....V/...k...x....2.....4.P....C..9.ka_.lC3Ms..S.3.|..2....2......|..C.oS.y.iZ.......i..[.A.T_?.u......p.......F=..i...u.G.......7..Y..M../PK.........u.@.W.@....m.......index.htmlUT....M.O.N.Oux..............U.r.0.}._..a...;i.\.0.r..tH..G...je.#.I...r..0I.O.v..v.J..........R...Y.. .ZF.....I.........Xt. ......'..n1...
<<
<<< skipped >>>
GET /download/langpacks/dl.php?build=30888&ref=client&client=utorrent&sys_l=en&sel_l=0&tk=stable34 HTTP/1.1
Host: utorrent.com
User-Agent: BTWebClient/3410(30888)
Accept-Encoding: gzip
Connection: Close
HTTP/1.1 301 Moved Permanently
Server: nginx/1.4.7
Date: Thu, 08 May 2014 15:56:00 GMT
Content-Type: text/html
Content-Length: 184
Connection: close
Location: hXXp://VVV.utorrent.com/download/langpacks/dl.php?build=30888&ref=client&client=utorrent&sys_l=en&sel_l=0&tk=stable34
<html>..<head><title>301 Moved Permanently</title></head>..<body bgcolor="white">..<center><h1>301 Moved Permanently</h1></center>..<hr><center>nginx/1.4.7</center>..</body>..</html>....
POST /e?i=21 HTTP/1.1
Host: bench.utorrent.com
User-Agent: BTWebClient/3410(30888)
Accept-Encoding: gzip
Connection: Close
Content-Length: 367
{"h":"Zf-p1aLbPnMH0rQ9","cl":"uTorrent","v":109279400,"l":"en","w":"5.1","cts":1399564583,"eventName":"silent_autoupdate","launched_target":0,"updated":0,"relocated":0,"versions": [{"path":"updates\\3.4.1_30888.exe","version":"109279400","blacklisted":"0","crash_count":"0","opt_out":"0","running":""}], "action":"Initial download", "g_version":109279400, "no_sau":0}
HTTP/1.1 200 OK
Content-Type: text/html
Date: Thu, 08 May 2014 15:55:57 GMT
Server: nginx/1.4.7
X-Powered-By: PHP/5.4.27
Content-Length: 21
Connection: Close
{"response_code":200}..
GET /images/mobile-icon.png HTTP/1.1
Host: utclient.utorrent.com
User-Agent: BTWebClient/3410(30888)
Accept-Encoding: gzip
If-Modified-Since: Sun, 1 Jan 1982 00:00:00 GMT
Connection: Close
HTTP/1.1 200 OK
x-amz-id-2: l1n3EJTywUrQucQ7uGTywrRplwms y4KJ5tFV5ih3A8MmfTDEIyEhpuecbtzZhXM
x-amz-request-id: 9C5DE8EE647C8F69
Date: Thu, 08 May 2014 15:56:07 GMT
x-amz-meta-cb-modifiedtime: Tue, 11 Mar 2014 23:12:00 GMT
Last-Modified: Tue, 11 Mar 2014 23:12:21 GMT
ETag: "4280089022fce23da2c64031bf137c08"
Content-Type: image/png
Content-Length: 1263
Server: AmazonS3
<<< skipped >>>
POST /e?i=20 HTTP/1.1
Host: bench.utorrent.com
User-Agent: BTWebClient/3410(30888)
Accept-Encoding: gzip
Connection: Close
Content-Length: 299
{"h":"Zf-p1aLbPnMH0rQ9","cl":"uTorrent","v":109279400,"l":"en","w":"5.1","cts":1399564600,"eventName":"ap","fte":1,"lre":1,"ltic_0":0,"ltic_1":0,"lcic_0":0,"lcic_1":0,"laae":0,"lare":0,"laie":0,"lame":0,"name":"siteId","errCode":0,"requestTime":1399564600,"action":"client.az.error.badsiteid.33049"}
HTTP/1.1 200 OK
Content-Type: text/html
Date: Thu, 08 May 2014 15:56:15 GMT
Server: nginx/1.4.7
X-Powered-By: PHP/5.4.27
Content-Length: 21
Connection: Close
{"response_code":200}..
GET /utorrent-onboarding/player.btapp?h=Zf-p1aLbPnMH0rQ9&v=109279400&ol=en&ul=&tk=stable34&c=uTorrent HTTP/1.1
Host: apps.bittorrent.com
User-Agent: BTWebClient/3410(30888)
Accept-Encoding: gzip
If-Modified-Since: Tue, 08 Oct 2013 00:53:35 GMT
Connection: Close
HTTP/1.1 304 Not Modified
Content-Type: binary/octet-stream
Age: 249577
Date: Thu, 08 May 2014 15:56:06 GMT
Connection: close
GET /i.gif?e=eyJhdiI6MzY0OTMsImF0IjoxMjI0LCJjbSI6MTEyMjM3LCJjaCI6ODc4NSwiY3IiOjMyNTIyOSwiZGkiOiJmZWU0ZDU3ZjU2NTE0ZjY2OGM4NzU0ZjVkNzVlODU0NyIsImRtIjoxLCJmYyI6NDAxMTYxLCJmbCI6MjAyMjY2LCJrdyI6ImNsaWVudGRhdGE9dXRvcnJlbnR8My40LjEuMzA4ODh8MTI5LGlldmVyc2lvbj02LGZsYXNoPTExLDYsNjAyLDE2OCIsIm53Ijo1NjgyLCJwYyI6MC4wMiwicHIiOjIzNzU1LCJydCI6Mywic3QiOjMzMDQ5LCJ0ciI6dHJ1ZSwidWsiOiJ1ZTEtNDBiOWI0Njc0ZWE2NDA4M2IwMGRmNzBiYWY5YTBkMTIiLCJ0cyI6MTM5OTU2NDYwNDYwNCwiZnEiOjF9&s=pk8R5HxZS5eOuKIDAQYavvRWR_I HTTP/1.1
Host: engine.ap.bittorrent.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0 Windows NT 5.1; Trident/2.0)(30888)
Accept-Encoding: gzip
Accept-Language: en-US
Connection: Close
HTTP/1.1 200 OK
Access-Control-Allow-Headers: accept, origin, content-type, content-length
Access-Control-Allow-Methods: GET,PUT,POST,DELETE,OPTIONS
Access-Control-Allow-Origin: *
Content-Type: image/gif
Date: Thu, 08 May 2014 15:55:51 GMT
Server: nginx/1.1.19
Set-Cookie: azk=ue1-40b9b4674ea64083b00df70baf9a0d12; Path=/; Expires=Fri, 08 May 2015 15:55:51 GMT
Set-Cookie: azk-events=W3siYXYiOjM2NDkzLCJhdCI6MTIyNCwiY20iOjExMjIzNywiY2giOjg3ODUsImNyIjozMjUyMjksImRpIjoiZmVlNGQ1N2Y1NjUxNGY2NjhjODc1NGY1ZDc1ZTg1NDciLCJkbSI6MSwiZmMiOjQwMTE2MSwiZmwiOjIwMjI2Niwia3ciOiJjbGllbnRkYXRhPXV0b3JyZW50fDMuNC4xLjMwODg4fDEyOSxpZXZlcnNpb249NixmbGFzaD0xMSw2LDYwMiwxNjgiLCJudyI6NTY4MiwicGMiOjAuMDIsInByIjoyMzc1NSwicnQiOjMsInN0IjozMzA0OSwidHIiOnRydWUsInVrIjoidWUxLTQwYjliNDY3NGVhNjQwODNiMDBkZjcwYmFmOWEwZDEyIiwidHMiOjEzOTk1NjQ2MDQ2MDQsImNpIjoiYjU5MWFhYzAzZmRkNDI0ZjkwMzg3ZDdjOTA3OWRhZWMiLCJjdiI6MX1d; Path=/; Expires=Sat, 07 Jun 2014 15:55:51 GMT
x-powered-by: adzerk bifrost/
x-served-by: engine-us-east-1b-14
Content-Length: 43
Connection: Close
GIF89a.............!.......,...........D..;..
GET /favicon.ico HTTP/1.1
Host: VVV.mininova.org
User-Agent: BTWebClient/3410(30888)
Accept-Encoding: gzip
If-Modified-Since: Sun, 1 Jan 1982 00:00:00 GMT
Connection: Close
HTTP/1.1 200 OK
Cache-control: public, max-age=25920000
Expires: Wed, 04 Mar 2015 15:56:05 GMT
Content-Type: image/x-icon
Accept-Ranges: bytes
ETag: "103585109"
Last-Modified: Sat, 30 Oct 2010 22:57:22 GMT
Content-Length: 318
Connection: close
Date: Thu, 08 May 2014 15:56:05 GMT
GET /tr.gif?anxa=APNMSB&anxe=InstallerEvent&anxp=^BE3^TCH001^YY^US&anxr=3019EFB9-86F7-467A-8CBC-8AE7E27FDCB7&anxt=1186403004234042&anxv=3.0.0.0&anxtv=3.0.0.0&tpid=BTR-BTS&apn_dbr=IE&o=APN11459&trgb=IE&installationResult=success&ieVersionInstalled=6.0.2900.5512&ffVersionInstalled=&crVersionInstalled= HTTP/1.0
Host: phn.apnanalytics.com
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 204 No Content
Server: nginx/1.0.1
Date: Thu, 08 May 2014 15:56:02 GMT
Connection: close
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-cache
Cache-Control: max-age=0
POST /api/v2 HTTP/1.1
Host: engine.ap.bittorrent.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0 Windows NT 5.1; Trident/2.0)(30888)
Accept-Encoding: gzip
content-type: application/json
Connection: Close
Content-Length: 377
{ "keywords": [ "clientdata=utorrent|3.4.1.30888|129", "IEVersion=6", "flash=11,6,602,168" ], "placements": [ { "adTypes": [ 9 ], "divName": "lrec", "networkId": 5682, "properties": { "IEVersion": 6, "campaigncode": 129, "featurelevel": 0, "flash": "11,6,602,168", "major": 3, "minor": 4, "product": "utorrent", "tag": "", "tiny": 1, "version": 30888 }, "siteId": "33049" } ] }
HTTP/1.1 200 OK
Access-Control-Allow-Headers: accept, origin, content-type, content-length
Access-Control-Allow-Methods: GET,PUT,POST,DELETE,OPTIONS
Access-Control-Allow-Origin: *
Content-Type: application/json
Date: Thu, 08 May 2014 15:56:17 GMT
ETag: "-1613173514"
Server: nginx/1.1.19
Set-Cookie: azk=ue1-19f90ae556f140068fa2fccba6349efc; Path=/; Expires=Fri, 08 May 2015 15:56:17 GMT
x-powered-by: adzerk bifrost/
x-served-by: engine-us-east-1a-23
Content-Length: 2321
Connection: Close
{"user":{"key":"ue1-19f90ae556f140068fa2fccba6349efc"},"decisions":{"lrec":{"adId":401268,"creativeId":325335,"flightId":202283,"campaignId":112237,"clickUrl":"hXXp://engine.ap.bittorrent.com/r?e=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&s=qb1hfDEXNMaDRoHuFnlOp1qD5fo","impressionUrl":"hXXp://engine.ap.bittorrent.com/i.gif?e=eyJhdiI6MzY0OTMsImF0Ijo5LCJjbSI6MTEyMjM3LCJjaCI6ODc4NSwiY3IiOjMyNTMzNSwiZGkiOiIwN2U1Y2EwMTFjNjA0OGIwOWZjMDQzOWYxYjZmMWM2OCIsImRtIjoxLCJmYyI6NDAxMjY4LCJmbCI6MjAyMjgzLCJrdyI6ImNsaWVudGRhdGE9dXRvcnJlbnR8My40LjEuMzA4ODh8MTI5LGlldmVyc2lvbj02LGZsYXNoPTExLDYsNjAyLDE2OCIsIm53Ijo1NjgyLCJwYyI6MC4wOCwicHIiOjIzNzU1LCJydCI6Mywic3QiOjMzMDQ5LCJ0ciI6dHJ1ZSwidWsiOiJ1ZTEtMTlmOTBhZTU1NmYxNDAwNjhmYTJmY2NiYTYzNDllZmMiLCJ0cyI6MTM5OTU2NDU3NzY0OSwiZnEiOjF9&s=_aXHUHscZAqqLpmUBMg4gbYuRng","contents":[{"type":"html","body":"<a href=\"hXXp://engine.ap.bittorrent.com/r?e=eyJhdiI6MzY0OTMsImF0Ijo5LCJjbSI6MTEyMjM3LCJjaCI6ODc4NSwiY3IiOjMyNTMzNSwiZGkiOiIwN2U1Y2EwMTFjNjA0OGIwOWZjMDQzOWYxYjZmMWM2OCIsImRtIjoxLCJmYyI6NDAxMjY4LCJmbCI6MjAyMjgzLCJrdyI6ImNsaWVudGRhdGE9d
<<< skipped >>>
POST /e?i=20 HTTP/1.1
Host: bench.utorrent.com
User-Agent: BTWebClient/3410(30888)
Accept-Encoding: gzip
Connection: Close
Content-Length: 293
{"h":"Zf-p1aLbPnMH0rQ9","cl":"uTorrent","v":109279400,"l":"en","w":"5.1","cts":1399564600,"eventName":"ap","fte":1,"lre":1,"ltic_0":0,"ltic_1":0,"lcic_0":0,"lcic_1":0,"laae":0,"lare":0,"laie":0,"lame":0,"name":"adrequest","errCode":0,"requestTime":1399564600,"action":"client.az.adrequest.ua"}
HTTP/1.1 200 OK
Content-Type: text/html
Date: Thu, 08 May 2014 15:57:09 GMT
Server: nginx/1.4.7
X-Powered-By: PHP/5.4.27
Content-Length: 21
Connection: Close
{"response_code":200}..
POST /e?i=20 HTTP/1.1
Host: bench.utorrent.com
User-Agent: BTWebClient/3410(30888)
Accept-Encoding: gzip
Connection: Close
Content-Length: 295
{"h":"Zf-p1aLbPnMH0rQ9","cl":"uTorrent","v":109279400,"l":"en","w":"5.1","cts":1399564601,"eventName":"ap","fte":1,"lre":1,"ltic_0":0,"ltic_1":2,"lcic_0":0,"lcic_1":0,"laae":0,"lare":0,"laie":0,"lame":0,"name":"impression","errCode":0,"requestTime":1399564601,"action":"client.az.impression.ua"}
HTTP/1.1 200 OK
Content-Type: text/html
Date: Thu, 08 May 2014 15:57:16 GMT
Server: nginx/1.4.7
X-Powered-By: PHP/5.4.27
Content-Length: 21
Connection: Close
{"response_code":200}..
POST /api/v2 HTTP/1.1
Host: engine.ap.bittorrent.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0 Windows NT 5.1; Trident/2.0)(30888)
Accept-Encoding: gzip
content-type: application/json
Connection: Close
Content-Length: 377
{ "keywords": [ "clientdata=utorrent|3.4.1.30888|129", "IEVersion=6", "flash=11,6,602,168" ], "placements": [ { "adTypes": [ 9 ], "divName": "lrec", "networkId": 5682, "properties": { "IEVersion": 6, "campaigncode": 129, "featurelevel": 0, "flash": "11,6,602,168", "major": 3, "minor": 4, "product": "utorrent", "tag": "", "tiny": 1, "version": 30888 }, "siteId": "33049" } ] }
HTTP/1.1 200 OK
Access-Control-Allow-Headers: accept, origin, content-type, content-length
Access-Control-Allow-Methods: GET,PUT,POST,DELETE,OPTIONS
Access-Control-Allow-Origin: *
Content-Type: application/json
Date: Thu, 08 May 2014 15:56:56 GMT
ETag: "-179764688"
Server: nginx/1.1.19
Set-Cookie: azk=ue1-40b9b4674ea64083b00df70baf9a0d12; Path=/; Expires=Fri, 08 May 2015 15:56:56 GMT
x-powered-by: adzerk bifrost/
x-served-by: engine-us-east-1a-08
Content-Length: 2321
Connection: Close
{"user":{"key":"ue1-40b9b4674ea64083b00df70baf9a0d12"},"decisions":{"lrec":{"adId":401268,"creativeId":325335,"flightId":202283,"campaignId":112237,"clickUrl":"hXXp://engine.ap.bittorrent.com/r?e=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&s=ea_G6uWUxWCpBc-_lB6FdBqrjEg","impressionUrl":"hXXp://engine.ap.bittorrent.com/i.gif?e=eyJhdiI6MzY0OTMsImF0Ijo5LCJjbSI6MTEyMjM3LCJjaCI6ODc4NSwiY3IiOjMyNTMzNSwiZGkiOiJhZGM0NDAxNzZjNDM0NWEzOTI5MzM4MWVhNTUxZWQ1YiIsImRtIjoxLCJmYyI6NDAxMjY4LCJmbCI6MjAyMjgzLCJrdyI6ImNsaWVudGRhdGE9dXRvcnJlbnR8My40LjEuMzA4ODh8MTI5LGlldmVyc2lvbj02LGZsYXNoPTExLDYsNjAyLDE2OCIsIm53Ijo1NjgyLCJwYyI6MC4wOCwicHIiOjIzNzU1LCJydCI6Mywic3QiOjMzMDQ5LCJ0ciI6dHJ1ZSwidWsiOiJ1ZTEtNDBiOWI0Njc0ZWE2NDA4M2IwMGRmNzBiYWY5YTBkMTIiLCJ0cyI6MTM5OTU2NDYxNjgwMywiZnEiOjF9&s=0xbULDKJwEbnCTKfEJE4HTww2v0","contents":[{"type":"html","body":"<a href=\"hXXp://engine.ap.bittorrent.com/r?e=eyJhdiI6MzY0OTMsImF0Ijo5LCJjbSI6MTEyMjM3LCJjaCI6ODc4NSwiY3IiOjMyNTMzNSwiZGkiOiJhZGM0NDAxNzZjNDM0NWEzOTI5MzM4MWVhNTUxZWQ1YiIsImRtIjoxLCJmYyI6NDAxMjY4LCJmbCI6MjAyMjgzLCJrdyI6ImNsaWVudGRhdGE9d
<<< skipped >>>
POST /e?i=29 HTTP/1.1
Host: bench.utorrent.com
User-Agent: BTWebClient/3410(30888)
Accept-Encoding: gzip
Connection: Close
Content-Length: 149
{"h":"Zf-p1aLbPnMH0rQ9","cl":"uTorrent","v":109279400,"l":"en","w":"5.1","cts":1399564588,"eventName":"cfu","action":"uTorrent.3.4.01.1.30888","i":0}
HTTP/1.1 200 OK
Content-Type: text/html
Date: Thu, 08 May 2014 15:57:03 GMT
Server: nginx/1.4.7
X-Powered-By: PHP/5.4.27
Content-Length: 21
Connection: Close
{"response_code":200}..
GET /scripts/dl.php?build=30888&ref=client&client=utorrent&sys_l=en&sel_l=0&tk=stable34 HTTP/1.1
Host: VVV.utorrent.com
User-Agent: BTWebClient/3410(30888)
Accept-Encoding: gzip
Connection: Close
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/x-utorrent-language
Content-Disposition: attachment; filename=utorrent.lng
Cache-Control: max-age=3600
Accept-Ranges: bytes
Age: 752
Date: Thu, 08 May 2014 15:56:01 GMT
Last-Modified: Mon, 21 Apr 2014 11:15:26 GMT
Expires: Thu, 08 May 2014 16:43:29 GMT
Content-Length: 1312039
Connection: close
<<< skipped >>>
GET /checkupdate.php?s=1&cl=uTorrent&v=109279400&l=en&svp=4&svn_revno=30888&tk=stable34&period=7&sids=0,0,0,0,0&lv=3063507_0_&c=US&w=A280105&h=Zf-p1aLbPnMH0rQ9&mts=31&nat_state=255&it=12&pc=23&sctl=1&shdi=1&def_tor=1&doainstalled=0&ie=6.0.2900.5512&xim=3&insvr=109279400&sss=7&rsb=2&rtsb=7&view=win32&cmp=129&ocmp=129&plus=3&adc=1&ch_up=1?ssb=48&ssu=11644473645&xseq=0 HTTP/1.1
Host: update.utorrent.com
User-Agent: BTWebClient/3410(30888)
Accept-Encoding: gzip
Connection: Close
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Thu, 08 May 2014 15:56:08 GMT
Content-Type: text/html
Content-Length: 642
Connection: close
X-Powered-By: PHP/5.4.27
Expires: Thu, 21 Jul 1980 00:00:00 GMT
Cache-Control: private
Last-Modified: Thu, 08 May 2014 15:56:08 GMT
d10:adsEnabledi1e13:fblikeEnabledi0e14:twitterEnabledi0e13:adRefreshRatei360e9:ftEnabledi1e11:lrecEnabledi1e14:sendConversioni0e19:specialOfferEnabledi0e20:specialOfferImageUrl0:21:specialOfferAcceptUrl0:17:specialOfferTitle0:28:specialOfferAcceptButtonText0:29:specialOfferDeclineButtonText0:22:offerRolloutLabEnabledi1e17:trayOfferImageUrl51:http://utclient.utorrent.com/images/mobile-icon.png18:trayOfferTargetUrl21:http://bit.ly/1hknGHI22:trayOfferHoverOverText23:uTorrent Android Client17:trayOfferOneClicki0e10:searchUrls61:Infospace Search|hXXp://utorrent.inspsearch.com/search/web?q=1:k0:2:ip15:193.138.244.2312:tsi1399564568e1:c2:uae..
POST /e?i=29 HTTP/1.1
Host: bench.utorrent.com
User-Agent: BTWebClient/3410(30888)
Accept-Encoding: gzip
Connection: Close
Content-Length: 171
{"h":"Zf-p1aLbPnMH0rQ9","cl":"uTorrent","v":109279400,"l":"en","w":"5.1","cts":1399564584,"eventName":"dimensions", "appsize": [ 1200, 600 ], "screensize": [ 1276, 846 ] }
HTTP/1.1 200 OK
Content-Type: text/html
Date: Thu, 08 May 2014 15:55:16 GMT
Server: nginx/1.4.7
X-Powered-By: PHP/5.4.27
Content-Length: 21
Connection: Close
{"response_code":200}..
GET /i.gif?e=eyJhdiI6MzY0OTMsImF0Ijo5LCJjbSI6MTEyMjM3LCJjaCI6ODc4NSwiY3IiOjMyNTMzNSwiZGkiOiIwN2U1Y2EwMTFjNjA0OGIwOWZjMDQzOWYxYjZmMWM2OCIsImRtIjoxLCJmYyI6NDAxMjY4LCJmbCI6MjAyMjgzLCJrdyI6ImNsaWVudGRhdGE9dXRvcnJlbnR8My40LjEuMzA4ODh8MTI5LGlldmVyc2lvbj02LGZsYXNoPTExLDYsNjAyLDE2OCIsIm53Ijo1NjgyLCJwYyI6MC4wOCwicHIiOjIzNzU1LCJydCI6Mywic3QiOjMzMDQ5LCJ0ciI6dHJ1ZSwidWsiOiJ1ZTEtMTlmOTBhZTU1NmYxNDAwNjhmYTJmY2NiYTYzNDllZmMiLCJ0cyI6MTM5OTU2NDU3NzY0OSwiZnEiOjF9&s=_aXHUHscZAqqLpmUBMg4gbYuRng HTTP/1.1
Host: engine.ap.bittorrent.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0 Windows NT 5.1; Trident/2.0)(30888)
Accept-Encoding: gzip
Accept-Language: en-US
Connection: Close
HTTP/1.1 200 OK
Access-Control-Allow-Headers: accept, origin, content-type, content-length
Access-Control-Allow-Methods: GET,PUT,POST,DELETE,OPTIONS
Access-Control-Allow-Origin: *
Content-Type: image/gif
Date: Thu, 08 May 2014 15:56:41 GMT
Server: nginx/1.1.19
Set-Cookie: azk=ue1-19f90ae556f140068fa2fccba6349efc; Path=/; Expires=Fri, 08 May 2015 15:56:41 GMT
Set-Cookie: azk-events=W3siYXYiOjM2NDkzLCJhdCI6OSwiY20iOjExMjIzNywiY2giOjg3ODUsImNyIjozMjUzMzUsImRpIjoiMDdlNWNhMDExYzYwNDhiMDlmYzA0MzlmMWI2ZjFjNjgiLCJkbSI6MSwiZmMiOjQwMTI2OCwiZmwiOjIwMjI4Mywia3ciOiJjbGllbnRkYXRhPXV0b3JyZW50fDMuNC4xLjMwODg4fDEyOSxpZXZlcnNpb249NixmbGFzaD0xMSw2LDYwMiwxNjgiLCJudyI6NTY4MiwicGMiOjAuMDgsInByIjoyMzc1NSwicnQiOjMsInN0IjozMzA0OSwidHIiOnRydWUsInVrIjoidWUxLTE5ZjkwYWU1NTZmMTQwMDY4ZmEyZmNjYmE2MzQ5ZWZjIiwidHMiOjEzOTk1NjQ1Nzc2NDksImNpIjoiN2M0NjhhODg5ZjMwNDM1NjhhYzc2ODQ0ZjY2NGJhODQiLCJjdiI6MX1d; Path=/; Expires=Sat, 07 Jun 2014 15:56:41 GMT
x-powered-by: adzerk bifrost/
x-served-by: engine-us-east-1a-24
Content-Length: 43
Connection: Close
GIF89a.............!.......,...........D..;..
GET /utorrent-onboarding/welcome-upsell.btapp?h=Zf-p1aLbPnMH0rQ9&v=109279400&ol=en&ul=&tk=stable34&c=uTorrent HTTP/1.1
Host: apps.bittorrent.com
User-Agent: BTWebClient/3410(30888)
Accept-Encoding: gzip
Connection: Close
HTTP/1.1 200 OK
x-amz-id-2: HCpaeLg6Uh9Sm3sk0S53QKUErij9Jl2BjFcA7W08S2omUK1lk3TxpoRJFmDYmH X
x-amz-request-id: A7F6CC8B72CD7AE0
Accept-Ranges: bytes
Content-Type: binary/octet-stream
Server: AmazonS3
Age: 68986
Date: Thu, 08 May 2014 15:56:07 GMT
Last-Modified: Tue, 08 Oct 2013 00:54:05 GMT
Content-Length: 28315
Connection: close
<<< skipped >>>
GET /updatestats.php?cl=uTorrent&v=109279400&h=Zf-p1aLbPnMH0rQ9&k=&ip=8&dns=47&con=47&dl=11781&dlurl=http://ll.download3.utorrent.com/offers/imesh-en-20140501.exe&svp=4&pid=1232&sz=6656336&bin=<NULL>toolbar&p1=192.168.220.2&m1=0&p2=192.168.50.10&m2=0&p3=193.138.244.233&m3=5&p4=10.235.0.11&m4=1&p5=193.138.244.106&m5=1&p6=193.138.244.138&m6=0&p7=149.6.76.41&m7=1&p8=154.54.38.138&m8=10&p9=130.117.49.133&m9=29&p10=154.54.36.9&m10=37&p11=154.54.38.49&m11=41&p12=154.54.73.74&m12=41&p13=149.6.140.2&m13=56&p14=87.248.217.254&m14=40 HTTP/1.1
Host: update.utorrent.li
User-Agent: BTWebClient/3410(30888)
Accept-Encoding: gzip
Connection: Close
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Thu, 08 May 2014 15:55:45 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/5.4.27
Expires: Thu, 21 Jul 1980 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, private
Pragma: no-cache
0..
POST /e?i=29 HTTP/1.1
Host: bench.utorrent.com
User-Agent: BTWebClient/3410(30888)
Accept-Encoding: gzip
Connection: Close
Content-Length: 144
{"h":"Zf-p1aLbPnMH0rQ9","cl":"uTorrent","v":109279400,"l":"en","w":"5.1","cts":1399564584,"eventName":"flash", "flash version": "11,6,602,168" }
HTTP/1.1 200 OK
Content-Type: text/html
Date: Thu, 08 May 2014 15:55:59 GMT
Server: nginx/1.4.7
X-Powered-By: PHP/5.4.27
Content-Length: 21
Connection: Close
{"response_code":200}..
POST /e?i=20 HTTP/1.1
Host: bench.utorrent.com
User-Agent: BTWebClient/3410(30888)
Accept-Encoding: gzip
Connection: Close
Content-Length: 297
{"h":"Zf-p1aLbPnMH0rQ9","cl":"uTorrent","v":109279400,"l":"en","w":"5.1","cts":1399564588,"eventName":"ap","fte":1,"lre":1,"ltic_0":0,"ltic_1":0,"lcic_0":0,"lcic_1":0,"laae":0,"lare":0,"laie":0,"lame":0,"name":"Ads Enabled","errCode":0,"requestTime":1399564588,"action":"client.ppc.adsenabled.ua"}
HTTP/1.1 200 OK
Content-Type: text/html
Date: Thu, 08 May 2014 15:55:46 GMT
Server: nginx/1.4.7
X-Powered-By: PHP/5.4.27
Content-Length: 21
Connection: Close
{"response_code":200}..
POST /api/v2 HTTP/1.1
Host: engine.ap.bittorrent.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0 Windows NT 5.1; Trident/2.0)(30888)
Accept-Encoding: gzip
content-type: application/json
Connection: Close
Content-Length: 437
{ "keywords": [ "clientdata=utorrent|3.4.1.30888|129", "IEVersion=6", "flash=11,6,602,168" ], "placements": [ { "adTypes": [ 1224 ], "divName": "ft", "networkId": 5682, "properties": { "IEVersion": 6, "campaigncode": 129, "featurelevel": 0, "flash": "11,6,602,168", "major": 3, "minor": 4, "product": "utorrent", "tag": "", "tiny": 1, "version": 30888 }, "siteId": "33049" } ], "user": { "key": "ue1-40b9b4674ea64083b00df70baf9a0d12" } }
HTTP/1.1 200 OK
Access-Control-Allow-Headers: accept, origin, content-type, content-length
Access-Control-Allow-Methods: GET,PUT,POST,DELETE,OPTIONS
Access-Control-Allow-Origin: *
Content-Type: application/json
Date: Thu, 08 May 2014 15:56:44 GMT
ETag: "-161058039"
Server: nginx/1.1.19
Set-Cookie: azk=ue1-40b9b4674ea64083b00df70baf9a0d12; Path=/; Expires=Fri, 08 May 2015 15:56:44 GMT
x-powered-by: adzerk bifrost/
x-served-by: engine-us-east-1e-22
Content-Length: 2328
Connection: Close
{"user":{"key":"ue1-40b9b4674ea64083b00df70baf9a0d12"},"decisions":{"ft":{"adId":401161,"creativeId":325229,"flightId":202266,"campaignId":112237,"clickUrl":"hXXp://engine.ap.bittorrent.com/r?e=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&s=QLqhWuws0-JZ5xOGVgw-Bq2TVkY","impressionUrl":"hXXp://engine.ap.bittorrent.com/i.gif?e=eyJhdiI6MzY0OTMsImF0IjoxMjI0LCJjbSI6MTEyMjM3LCJjaCI6ODc4NSwiY3IiOjMyNTIyOSwiZGkiOiJmZWU0ZDU3ZjU2NTE0ZjY2OGM4NzU0ZjVkNzVlODU0NyIsImRtIjoxLCJmYyI6NDAxMTYxLCJmbCI6MjAyMjY2LCJrdyI6ImNsaWVudGRhdGE9dXRvcnJlbnR8My40LjEuMzA4ODh8MTI5LGlldmVyc2lvbj02LGZsYXNoPTExLDYsNjAyLDE2OCIsIm53Ijo1NjgyLCJwYyI6MC4wMiwicHIiOjIzNzU1LCJydCI6Mywic3QiOjMzMDQ5LCJ0ciI6dHJ1ZSwidWsiOiJ1ZTEtNDBiOWI0Njc0ZWE2NDA4M2IwMGRmNzBiYWY5YTBkMTIiLCJ0cyI6MTM5OTU2NDYwNDYwNCwiZnEiOjF9&s=pk8R5HxZS5eOuKIDAQYavvRWR_I","contents":[{"type":"html","body":"<a href=\"hXXp://engine.ap.bittorrent.com/r?e=eyJhdiI6MzY0OTMsImF0IjoxMjI0LCJjbSI6MTEyMjM3LCJjaCI6ODc4NSwiY3IiOjMyNTIyOSwiZGkiOiJmZWU0ZDU3ZjU2NTE0ZjY2OGM4NzU0ZjVkNzVlODU0NyIsImRtIjoxLCJmYyI6NDAxMTYxLCJmbCI6MjAyMjY2LCJrdyI6ImNsaWV
<<< skipped >>>
GET / HTTP/1.1
Host: bundles.bittorrent.com
User-Agent: BTWebClient/3410(30888)
Accept-Encoding: gzip
Connection: Close
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
Cache-Control: public, max-age=300
Content-Encoding: gzip
Date: Thu, 08 May 2014 15:53:07 GMT
ETag: "-721968541"
Set-Cookie: connect.sid=eyJwYXNzcG9ydCI6e319--5f19a0dc71d1127c1494f9a84f91312152a2ef2e; Path=/; Expires=Thu, 08 May 2014 19:53:07 GMT; HttpOnly
Vary: Accept-Encoding
Age: 174
X-Cache: Hit from cloudfront
Via: 1.1 7b48191d48ad0a2b3616c20acd7fbc1c.cloudfront.net (CloudFront)
X-Amz-Cf-Id: pYiav_rnvvWo8z2dnLsOyAhfVsOFLbzte9pZQ_eBrpWhgVL5tXSyDA==
<<< skipped >>>
GET /Advertisers/221c05127fdd449a83a22ee524747d56.png HTTP/1.1
Host: static.ap.bittorrent.com
User-Agent: BTWebClient/3410(30888)
Accept-Encoding: gzip
If-Modified-Since: Sun, 1 Jan 1982 00:00:00 GMT
Connection: Close
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Type: image/png
Date: Thu, 08 May 2014 15:56:18 GMT
Etag: "858dddb8e90c0a839d6871ff3c448e8e"
Expires: Wed, 08 May 2024 03:22:13 GMT
Last-Modified: Tue, 06 May 2014 07:09:10 GMT
Server: ECS (fra/D5BF)
x-amz-id-2: KqYJLiAeq/k9mGiweS ffoCig5LKKir0Cejx4lvhJfyYcANt6iVgi5AXB42207li
x-amz-request-id: BF8961781EF8E023
X-Cache: HIT
Content-Length: 9534
Connection: close
<<< skipped >>>
GET /plus/utorrent/index.html HTTP/1.1
Host: utclient.utorrent.com
User-Agent: BTWebClient/3410(30888)
Accept-Encoding: gzip
Connection: Close
HTTP/1.1 200 OK
x-amz-id-2: j2CsWixywmpHh/5RxVf1eHSKV2XDtLrR0 UDd7GIXvVvRF5jJ4HgpvEAm99Lms2g
x-amz-request-id: A6847741AE3F5BBD
Date: Thu, 08 May 2014 15:56:02 GMT
Last-Modified: Fri, 18 Apr 2014 23:42:47 GMT
ETag: "ae4de37a73f20b44bc195a1b12d3a7c5"
Content-Type: text/html
Content-Length: 796
Server: AmazonS3
<html>...<head>....<script type='text/javascript' src='../commonjs/jq.js'> </script>....<script type='text/javascript' src='../commonjs/plusactive.js?ver=1'></script>....<script type="text/javascript">.....$.ajax({......url: "hXXp://VVV.utorrent.com/scripts/headers.php",......dataType: 'jsonp',......success: function(headers) {.......country = headers['Geoip-Country-Code'];.......// Redirect US visitors.......if(country == 'US'){........setToUS();.......}......}.....});....</script>....<script src="//cdn.optimizely.com/js/240758443.js"></script>....<link href="../commoncss/index.css" rel="stylesheet" type="text/css"/>....<meta charset=utf-8>....<title>Default : Plus Upgrade App</title>...</head>...<body>....<iframe id='ifr' width='100%' height='100%'> </iframe>...</body>..</html>....
POST /e?i=32 HTTP/1.1
Host: bench.utorrent.com
User-Agent: BTWebClient/3410(30888)
Accept-Encoding: gzip
Connection: Close
Content-Length: 139
{"h":"Zf-p1aLbPnMH0rQ9","cl":"uTorrent","v":109279400,"l":"en","w":"5.1","cts":1399564588,"eventName":"changed_settings","tags":[ 213449 ]}
HTTP/1.1 200 OK
Content-Type: text/html
Date: Thu, 08 May 2014 15:56:32 GMT
Server: nginx/1.4.7
X-Powered-By: PHP/5.4.27
Content-Length: 21
Connection: Close
{"response_code":200}..
GET /Advertisers/221c05127fdd449a83a22ee524747d56.png HTTP/1.1
Host: static.ap.bittorrent.com
User-Agent: BTWebClient/3410(30888)
Accept-Encoding: gzip
If-Modified-Since: Tue, 06 May 2014 07:09:10 GMT
Connection: Close
HTTP/1.1 304 Not Modified
Accept-Ranges: bytes
Date: Thu, 08 May 2014 15:56:18 GMT
Etag: "858dddb8e90c0a839d6871ff3c448e8e"
Expires: Wed, 08 May 2024 03:22:13 GMT
Last-Modified: Tue, 06 May 2014 07:09:10 GMT
Server: ECS (fra/D5BF)
x-amz-id-2: KqYJLiAeq/k9mGiweS ffoCig5LKKir0Cejx4lvhJfyYcANt6iVgi5AXB42207li
x-amz-request-id: BF8961781EF8E023
X-Cache: HIT
Connection: close
POST /e?i=20 HTTP/1.1
Host: bench.utorrent.com
User-Agent: BTWebClient/3410(30888)
Accept-Encoding: gzip
Connection: Close
Content-Length: 295
{"h":"Zf-p1aLbPnMH0rQ9","cl":"uTorrent","v":109279400,"l":"en","w":"5.1","cts":1399564601,"eventName":"ap","fte":1,"lre":1,"ltic_0":1,"ltic_1":2,"lcic_0":0,"lcic_1":0,"laae":0,"lare":0,"laie":0,"lame":0,"name":"impression","errCode":0,"requestTime":1399564601,"action":"client.az.impression.ua"}
HTTP/1.1 200 OK
Content-Type: text/html
Date: Thu, 08 May 2014 15:57:17 GMT
Server: nginx/1.4.7
X-Powered-By: PHP/5.4.27
Content-Length: 21
Connection: Close
{"response_code":200}..
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
uTorrent.exe_1628:
SSh<U>
keyA
keyB
D$.VP
u.PPP
j.Yf;
_tcPVj@
.PjRW
tuHtnHtBHHt.Hus
autoexecutestart
mismexecute
kernel32.dll
http://utclient.utorrent.com/plus/utorrent/index.html
https://activate.utorrent.com
http://offers.bittorrent.com/w/1.0/arj
http://events.bittorrent.com/startConversion
http://cdn.ap.bittorrent.com/control/tags/bt.json
http://cdn.ap.bittorrent.com/control/tags/ut.json
http://cdn.ap.bittorrent.com/control/tags/staging_bt.json
http://cdn.ap.bittorrent.com/control/tags/staging_ut.json
http://apps.bittorrent.com/conduit/eula/ByChoosingToInstall.html
%u %d %S
default_offer: %d GetActiveToolbarName: %s
CollectToolbarPreferences: _ACTIVE_BROWSER: %S
provider:%S,search:%d,homepage:%d
mism execute succeeded
CollectToolbarPreferences: mism execute succeeded
CollectToolbarPreferences: mism execute FAILED
toolbar%d
http://update.utorrent.com/uninstall?type=%s-%U&h=%s&v=%d
content_offer_url
attempted_to_receive_server_search_url
"elevated":%d, "message":"%S", "error_code":%d
http://www.utorrent.com
IsYandexInstalled %s
GetConduitInstalledState: Found key: HKEY_LOCAL_MACHINE %S
GetConduitInstalledState: HKEY_LOCAL_MACHINE %S = %d
GetConduitInstalledState: Found key: HKEY_CLASSES_ROOT %S
GetConduitInstalledState: installed=%d visible=%d enabled=%d
IsConduitInstalled: %d
GetToolbarDict: %s
GetToolbarDict: count=%d
GetToolbarDict: Found %s in 'id' key
GetToolbarDict: DID NOT find %s in 'id' key
IsConduitToolbarOffer %s
checkboxes: %s
TBDownloadCallback err: %s size: %I64d
TBDownloadCallback write FAILED: %S
TBDownloadCallback write OK: %S
Using default offer? [%S]
passed_hash_check? %s
base_parameter: [%S]
chrome_param
TBDownloadCallback: flag: %s
toolbar commandline: %s
TBDownloadCallback: RAN %S %S RETURN: %d
offer_urls
WhichConduitSettingsAreActive: %s
ShowYandexOffer: %d
ShowYandexSearchOffer: %d
ShowConduitBing: %d
ShowConduitGoogle: %d
&bin=%stoolbar
TBRequestThread Parsed OK?: %s
TBRequestThread FAILED. err: %S
content_offer_autoexec
offer_retrieved: %s
empty_offer: %s
default_offer: %s
showToolbar: %s
onOfferDownload: Using default offer. g_is_default_offer: %s
image_url
onOfferDownload: %s
eula_url
http://%%s/offers/%s
http://update.utorrent.com/installoffer.php
RetrieveOffer browser %S
db=%U
cl=%s
tsub=%d
RetrieveOffer %s
The source code, design, and structure of the Software are trade secrets. You will not disassemble, decompile, or reverse engineer itor otherwise attempt to discover the source code of the Software, in whole or in part, except to the extent expressly permitted by law, or distribute it. You will not use the Software for illegal purposes. You will comply with all export laws. The Software is licensed, not sold.
The Software accelerates downloads by enabling your computer to grab pieces of files from other BitTorrent users simultaneously. Your use of the Software to download files will, in turn, enable other users to download pieces of those files from you, thereby maximizing download speeds for all users. In the Software, only files that you are explicitly downloading or sharing or have downloaded or shared through BitTorrent will be made available to others. You consent to other users' use of your network connection to download portions of such files from you. At any time, you may uninstall the Software through the Add/Remove Programs control panel utility. In addition, for the BitTorrent or
BitTorrent, Inc. disclaims any responsibility for harm resulting from the Software or any software or content downloaded using the Software, whether or not BitTorrent, Inc. approved such software or content. BitTorrent, Inc. approval does not guarantee that software or content from an approved partner will function, sound, or appear as offered or hoped, or be complete, accurate, or free from bugs, errors, viruses, or other harmful content. BitTorrent, Inc. expressly disclaims all warranties and conditions, express or implied, including any implied warranties and conditions of merchantability, fitness for a particular purpose, and noninfringement, and any warranties and conditions arising out of course of dealing or usage of trade regarding the Software or any software or content you download using the Software. No advice or information, whether oral or written, obtained from BitTorrent, Inc. or elsewhere will create any warranty or condition not expressly stated in this agreement. Some jurisdictions do not allow certain limitations on implied warranties, so the above limitation may not apply to you to its full extent.
BitTorrent, Inc.'s total liability to you from all causes of action and under all theories of liability will be limited to $50.00. In no event and under no theory of liability will BitTorrent, Inc. be liable to you for any special, incidental, exemplary, or consequential damages arising out of or in connection with this agreement or the software whether or not BitTorrent, Inc. has been advised of the possibility of such damages. The foregoing limitations will survive even if any limited remedy specified is found to have failed of its essential purpose.
Some jurisdictions do not allow the limitation or exclusion of liability for incidental or consequential damages, so the above limitation or exclusion may not apply to you to its full extent.</pre><pre>In an attempt to provide increased value to our visitors, we may choose various third party web sites or services to link to, and/or frame within, the Sites or Services. We may also include offers from third parties as part of the installation process for our software, which in some instances may include but is not limited to offers made through SweetLabs, Inc. (OpenCandy), whose End User License Agreement is http://www.opencandy.com/eulas/b/sneula.html. We also participate in co-branding and other relationships to offer e-commerce and other services and features to our users. However, even if the third party is affiliated with us, we have no control over these sites or services, each of which has separate privacy and data collection practices independent of us. We have no responsibility or liability for these independent policies or actions, and are not responsible for the privacy practices or the content of any such web sites or services. These linked sites or services are only for your convenience and you therefore access them at your own risk.</pre><pre>These BitTorrent, Inc. terms will be governed by and construed in accordance with the laws of California, USA, without regard to conflicts of law rules. The United Nations Convention on Contracts for the International Sale of Goods will not apply. The failure by either party to enforce any provision will not constitute a waiver. Any waiver, modification, or amendment of the BitTorrent, Inc. terms will be effective only if signed. If any provision is held to be unenforceable, it will be enforced to the maximum extent possible and will not diminish other provisions. BitTorrent, Inc. may make changes to these terms from time to time. When these changes are made, BitTorrent, Inc. 
will make a new copy of the terms available at www.bittorrent.com/legal/eula. You understand and agree that if you use the Software after the date on which the terms have changed, BitTorrent, Inc. will treat your use as acceptance of the updated terms. You agree that BitTorrent, Inc. may provide you with notices, including those regarding changes to the terms, by postings on www.bittorrent.com/legal/eula. This and the Privacy Policy at www.bittorrent.com/legal/privacy are BitTorrent, Inc.'s complete and exclusive understanding with you regarding your use of the Software as an end user, except that sometimes additional terms or product requirements (including age requirements) may apply. Additional terms will be available with the relevant Software, and those additional terms become part of your agreement with us if you use those Software.</pre><pre>If you have any questions, contact us at legal@bittorrent.com.</pre><pre>onPageInit:DLG_OFFER_NON_GOOGLE: checkbox %d %s [%s]</pre><pre>Result: %s</pre><pre>&bin=%sbmp</pre><pre>http://apps.bittorrent.com/utorrent-onboarding/welcome-upsell.btapp</pre><pre>http://apps.bittorrent.com/utorrent-onboarding/player.btapp</pre><pre>http://bundles.bittorrent.com/</pre><pre>no toolbar url</pre><pre>bundled_url</pre><pre>%s 
%s</pre><pre>ShellExecuteExW</pre><pre>shell32.dll</pre><pre>cbhomepage=%d</pre><pre>cbsearch=%d</pre><pre>cbtoolbar=%d</pre><pre>cbrevert=%d</pre><pre>au=%d</pre><pre>installresult=%d</pre><pre>exit=%d</pre><pre>au=%u</pre><pre>tbe=%d</pre><pre>cd=%d</pre><pre>tbofferresult=%d</pre><pre>tb=%s</pre><pre>tbinstallresult=%d</pre><pre>error=%d</pre><pre>msg=%U</pre><pre>url=%U</pre><pre>prog=%u</pre><pre>toroffer=%d</pre><pre>torofferid=%s</pre><pre>&shoffer=%d</pre><pre>cancellastpage=%U</pre><pre>ServerOfferRetrieved=%d</pre><pre>sec_offs=%U</pre><pre>OfferError=%U</pre><pre>OfferProvider=%U</pre><pre>OfferType=%U</pre><pre>Offer=%U</pre><pre>Accepted=%d</pre><pre>toroffername=%s</pre><pre>torexecresult=%d</pre><pre>download=%d</pre><pre>execute=%d</pre><pre>error=%U</pre><pre>mismreturn=%d</pre><pre>mismresult=%U</pre><pre>view=%s</pre><pre>SendStaticURLThread</pre><pre>3.4.1.30888</pre><pre>autoexecfailed</pre><pre>uTCBTWebClient</pre><pre>had_version_already = %s</pre><pre>running_from_install_dir = %s</pre><pre>Target version = %d</pre><pre>HasPendingUpdate = %s</pre><pre>IsThisTargetVersion = %s</pre><pre>IsThisTargetVersion_2 = %s</pre><pre>"status":"Manually ran non target version","from_install_dir":"%d"</pre><pre>IsThisVersionBlacklisted = %s</pre><pre>client_manager.IsThisVersionBlacklisted() || client_manager.DidOptOutOfThisVersion() && running_from_install_dir</pre><pre>g_version < target_version = %d</pre><pre>res == %d</pre><pre>Cancel Downgrade -- cvm.RemoveRunningVersion</pre><pre>2012-12-04 23:04:37 -0800</pre><pre>BTWebClient</pre><pre>http://apps.bittorrent.com/webui/version.json</pre><pre>INSTALL_FAIL_USER_CANCEL -- cvm.RemoveRunningVersion</pre><pre>()$^.* ?[]|\-{},:=!</pre><pre>compat.fail.windir</pre><pre>\System32\mshta.exe</pre><pre>\SysWOW64\mshta.exe</pre><pre>compat.fail.mshtaMissing</pre><pre>mshta.exe not found</pre><pre>compat.good</pre><pre>update.utorrent.com</pre><pre>http://</pre><pre>Cannot load DBGHELP.DLL</pre><pre>Cannot load 
MiniDumpWriteDump from DBGHELP.DLL</pre><pre>bench.utorrent.com</pre><pre>(. ?)://([^/:] )(?::([0-9] ))?([^?]*)(?:\?(.*))?</pre><pre>Not a recognizable URL: "</pre><pre>https</pre><pre>HttpRequest redirect to HTTPS. Not supported</pre><pre>User-Agent: Hydra HttpRequest</pre><pre>HTTP/1.1</pre><pre>] ([0-9] )[</pre><pre>HttpRequest status line not recognizable "</pre><pre>"OX_u":"%s",</pre><pre>"az_id":"%s"</pre><pre>%s.%d</pre><pre>"url":"%s","errCode":%d,"id":%d,"requestTime":%Ld,"action":"%s"</pre><pre>%s,"name":"%s"</pre><pre>"name":"%s","errCode":%d,"requestTime":%Ld</pre><pre>%s,"action":"%s"</pre><pre>--AdUnitGroup LoadAdTorrent Sending click to OpenX with cookie: %s.</pre><pre>Ft ad unit will next refresh in %d seconds</pre><pre>Lrec ad unit will next refresh in %d seconds</pre><pre>AdUnitManager::CanInitViaSettings? EnableAds? %d lrec %d ft %d</pre><pre>ftEnabled = %d</pre><pre>lrecEnabled = %d</pre><pre>ftRefreshRatePattern = [%s]</pre><pre>lrecRefreshRatePattern = [%s]</pre><pre>adRefreshRatePattern = [%s]</pre><pre>ftClickUrl = '%s'</pre><pre>lrecClickUrl = '%s'</pre><pre>ftAdId = %d</pre><pre>lrecAdId = %d</pre><pre>contactRate = %d</pre><pre>lrecCode = '%s'</pre><pre>ftCode = '%s'</pre><pre>adServerType = '%s'</pre><pre>send_conversion = %d</pre><pre>server dom url = '%s'</pre><pre>serverUrl[%d] = 
'%s'</pre><b>msbloader.exe_3192:</b><pre>.text</pre><pre>`.rdata</pre><pre>@.data</pre><pre>.rsrc</pre><pre>@.reloc</pre><pre>operator</pre><pre>GetProcessWindowStation</pre><pre>C:\.jenkins\jobs\MAGICSEARCHBOX_IMESH\workspace\msb_imesh\out\Release\msbloader.pdb</pre><pre>KERNEL32.dll</pre><pre>SetWindowsHookExW</pre><pre>UnhookWindowsHookEx</pre><pre>USER32.dll</pre><pre>ole32.dll</pre><pre>OLEAUT32.dll</pre><pre>WinHttpCloseHandle</pre><pre>WinHttpSetOption</pre><pre>WinHttpCrackUrl</pre><pre>WinHttpOpen</pre><pre>WinHttpConnect</pre><pre>WinHttpOpenRequest</pre><pre>WinHttpSendRequest</pre><pre>WinHttpReceiveResponse</pre><pre>WinHttpQueryHeaders</pre><pre>WinHttpQueryDataAvailable</pre><pre>WinHttpReadData</pre><pre>WINHTTP.dll</pre><pre>GetProcessHeap</pre><pre>GetCPInfo</pre><pre>.?AVCUrlHelper@@</pre><pre>.?AV?$CWindowImpl@VWindowsWatch@@VCWindow@ATL@@V?$CWinTraits@$0FGAAAAAA@$0A@@3@@ATL@@</pre><pre>.?AVWindowsWatch@@</pre><pre>%Program Files%\Browser Tab Search by Ask\SafetyNut\BrowserTabSearch\msbloader.exe</pre><pre><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></pre><pre>6(6,60646</pre><pre>1 1$1(1,1</pre><pre>>$>(>,>0>4>8><>@></pre><pre>?(?/?4?8?<?]?</pre><pre>&0,0004080</pre><pre>> >$>(>,>0>`></pre><pre>mscoree.dll</pre><pre>- Attempt to initialize the CRT more than once.</pre><pre>- CRT not initialized</pre><pre>- floating point support not loaded</pre><pre>KERNEL32.DLL</pre><pre>WUSER32.DLL</pre><pre>32-088A7730-1B2F-4DF3-B72D-B90415B8DCDC</pre><pre>http://apnstatic.ask.com/static/magicsbox/JITFeature.xml</pre><pre>msb.dll</pre><pre>msb64.dll</pre><pre>kernel32.dll</pre><pre>32-93389161-B8F5-41CA-A507-084B6591367</pre><pre>MozillaWindowClass</pre><pre>Chrome_WidgetWin</pre><pre>user32.dll</pre><pre>3.0.0.0.242</pre><pre>msbloader.exe</pre></U>