MD5: 8e24b9da4d0f038fd29b0e245ef9313f
SHA1: 32af3d8b23d6b861fdcc34f7645a4b8a9b860751
SHA256: 7e2df435c625920b25e4f276d03f84920bf992501e72b007a976d0d17bef45bb
SSDeep: 49152:mnsHyjtk2MYC5GDxqYRHcNRygOSk55l0Q2c0h5mbFsqlpBLV5QbcLRRV7Tw26T:mnsmtk2aGHcHy955CQkAFsWBtrFQ
Size: 3177472 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, BorlandDelphiv30, UPolyXv05_v6
Company: Flipora
Created at: 1992-06-20 01:22:17
Analyzed on: Windows7 SP1 32-bit

Summary:

Banker. Steals data relating to online banking systems, e-payment systems and credit card systems.

Payload

Process activity

The Trojan creates the following process(es):

%original file name%.exe:3676

The Trojan injects its code into the following process(es):

._cache_%original file name%.exe:1652
Synaptics.exe:3304
mshta.exe:3572

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:3676 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\ (4 bytes)
C:\Windows\System32\config\SOFTWARE (24280 bytes)
C:\ProgramData\Synaptics\RCXFAF1.tmp (136247 bytes)
C:\ProgramData\Synaptics\Synaptics.exe (23349 bytes)
C:\Windows\System32\config\SOFTWARE.LOG1 (18543 bytes)

The process ._cache_%original file name%.exe:1652 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFFD2.tmp.1501590031\HTA\shell_scripts\check_if_cscript_is_working.js (18 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFFD2.tmp.1501590031\HTA\styles\common.css (102 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFFD2.tmp.1501590031\HTA\images\loading.gif (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\uttFBAC.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFFD2.tmp.1501590031\HTA\scripts\initialize.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\AUR57MIA.txt (89 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFFD2.tmp.1501590031\HTA\shell_scripts\shell_ping_after_close.js (312 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFFD2.tmp.1501590031\HTA\shell_scripts\shell_install_offer.js (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFFD2.tmp.1501590031\HTA\i18n\br.json (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFFD2.tmp.1501590031\HTA\i18n\ru.json (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFFD2.tmp.1501590031\HTA\scripts\common.js (349 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFFD2.tmp.1501590031\HTA\i18n\fr.json (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\uTorrent\settings.dat.new (73 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFFD2.tmp.1501590031\HTA\i18n\en.json (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFFD2.tmp.1501590031\HTA\3rdparty\FS.dll (933 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-732923889-1296844034-1208581001-1000\1f91d2d17ea675d4c2c3192e241743f9_88dcd395-b062-45b3-a6cd-79f37c0eba08 (105 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\3X9U2CIU.txt (89 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFFD2.tmp.1501590031\HTA\i18n\ko.json (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFFD2.tmp.1501590031\HTA\i18n\de.json (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFFD2.tmp.1501590031\HTA\scripts\uninstall.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFFD2.tmp.1501590031\HTA\images\main_icon.png (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFFD2.tmp.1501590031\HTA\images\yandex_horz_ru.png (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFFD2.tmp.1501590031\HTA\images\search_protect.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFFD2.tmp.1501590031\HTA\images\yandex_browser_setup.bmp (204 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFFD2.tmp.1501590031\HTA\images\bt_icon_48px.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFFD2.tmp.1501590031\HTA\styles\installer.css (587 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFFD2.tmp.1501590031\HTA\index.hta (739 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFFD2.tmp.1501590031\HTA\i18n\es.json (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFFD2.tmp.1501590031\HTA\i18n\it.json (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFFD2.tmp.1501590031\HTA\images\logo_Yandex_RU_UA_vertical.png (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFFD2.tmp.1501590031\index.hta.log (26 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFFD2.tmp.1501590031\HTA\images\main_bittorrent.ico (103 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFFD2.tmp.1501590031\HTA\i18n\pt.json (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFFD2.tmp.1501590031\HTA\install.1501590031.zip (281721 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFFD2.tmp.1501590031\HTA\3rdparty\FS.ocx (965 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFFD2.tmp.1501590031\HTA\scripts\install.js (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFFD2.tmp.1501590031\HTA\scripts\es5-shim.js (11 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFFD2.tmp.1501590031\HTA\images\yandex_horz.png (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFFD2.tmp.1501590031\HTA\uninstall.hta (575 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFFD2.tmp.1501590031\HTA\images\main_utorrent.ico (107 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFFD2.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\uttFBAC.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\3X9U2CIU.txt (0 bytes)

The process Synaptics.exe:3304 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RCX1.tmp (137517 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\23B523C9E7746F715D33C6527C18EB9D (325 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\23B523C9E7746F715D33C6527C18EB9D (876 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RCXFFF0.tmp (137517 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Qg13l1Oe.ico (284 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Qg13l1Oe.exe (5441 bytes)
C:\Users\"%CurrentUserName%"\Downloads\dotNetFx35setup.exe (25426 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Qg13l1Oe.ico (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Qg13l1Oe.exe (0 bytes)

The process mshta.exe:3572 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\00144817.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ns480180C7\3B1DE5F8_stp.CIS.part (711 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\css\sdk-ui\browse.css (337 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\D17520460597802.dat (4861 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ns480180C7\3B1DE5F8_stp.CIS (4260 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\HT.locale (143 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\LV.locale (144 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\css\sdk-ui\images\progress-bg.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\AF.locale (154 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\HY.locale (219 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\KO.locale (141 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\UZ.locale (169 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\css\sdk-ui\button.css (417 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\css\ie6_main.css (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\EU.locale (161 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\bg_test_B[1].png (16858 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\css\sdk-ui\images\button-bg.png (131 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\LO.locale (305 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\BE.locale (256 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\SK.locale (164 bytes)
%Program Files%\001432B3.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\DE.locale (161 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ns480180C7\3B1DE5F8_stp\asgnd.json (6341 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\MS.locale (143 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\RO.locale (156 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\GU.locale (318 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\FA.locale (186 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\Battery_icon[1].png (213 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\SQ.locale (149 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\KU.locale (132 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\ML.locale (360 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\001431AA.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\EL.locale (235 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\CS.locale (154 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\css\main.css (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\HU.locale (172 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\JA.locale (195 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\TE.locale (320 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFFD2.tmp.1501590031\HTA\3rdparty\FS.dll (933 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\csshover3.htc (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\css\sdk-ui\images\progress-bg-corner.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\RS_RA_V1_FS[1].png (13868 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\KA.locale (335 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\ET.locale (145 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\TL.locale (163 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\PL.locale (155 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\IS.locale (155 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\PA.locale (257 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\00143091.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\RS_RA_V2_M_WIN[1].png (19388 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\KK.locale (218 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\PT.locale (150 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0014319A.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\RU.locale (266 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\HE.locale (166 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\NE.locale (334 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\ZU.locale (138 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\ID.locale (157 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\PS.locale (195 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\VPN_icon[1].png (364 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\UR.locale (211 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\SL.locale (160 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\NL.locale (146 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\AZ.locale (177 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\Video_icon[1].png (312 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\D17520460597801.dat (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\FI.locale (143 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\SV.locale (157 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ns480180C7\2E832125_stp\icc.DAT (941 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\json[1].js (322 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ns480180C7\2E832125_stp.CIS.part (759 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ns480180C7\2E832125_stp.CIS (14436 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\EN[1].png (1703 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\ADBlock_icon[1].png (433 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\NO.locale (148 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\YO.locale (146 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\IT.locale (154 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\LT.locale (166 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\ES.locale (150 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\css\sdk-ui\images\progress-bg2.png (978 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\BG.locale (223 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\images\Loader.gif (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\VI.locale (180 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\1670262622.log (244351 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\001430B0.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\DA.locale (148 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\TR.locale (139 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\HR.locale (154 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\UK.locale (255 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\HI.locale (284 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\SR.locale (154 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\TA.locale (330 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\BS.locale (159 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\CA.locale (161 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\fs_bg[1].png (2634 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFFD2.tmp.1501590031\index.hta.log (33 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\css\sdk-ui\checkbox.css (190 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\EN.locale (147 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFFD2.tmp.1501590031\HTA\images\main_utorrent.ico (110 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\MK.locale (221 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\bootstrap_14921.html (156 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\FR.locale (163 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\MR.locale (289 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\TH.locale (264 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\ZH.locale (137 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\css\sdk-ui\progress-bar.css (506 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\001431AA.log (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\00144817.log (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\00143091.log (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\bootstrap_14921.html (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\001430B0.log (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0014319A.log (0 bytes)
%Program Files%\001432B3.log (0 bytes)

Registry activity

The process %original file name%.exe:3676 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synaptics Pointing Device Driver" = "C:\ProgramData\Synaptics\Synaptics.exe"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process ._cache_%original file name%.exe:1652 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCR\CLSID\{4E120188-0CAC-468C-B2D9-9D1F079EBC25}]
"(Default)" = "ActiveBinderX Control"

[HKCR\Interface\{8ACDC97A-ED69-44A0-9FA7-214AB3450F2D}\TypeLib]
"Version" = "1.0"

[HKCU\Software\Classes\FalconBetaAccount]
"remote_access_client_id" = "5261492492"

[HKCR\CLSID\{4E120188-0CAC-468C-B2D9-9D1F079EBC25}\Verb]
"(Default)" = ""

[HKCR\TypeLib\{C86D85A1-58F7-4E88-993F-F6435AAAAE5F}\1.0]
"(Default)" = "ActiveBinderProj Library"

[HKCR\Interface\{8ACDC97A-ED69-44A0-9FA7-214AB3450F2D}]
"(Default)" = "FS"

[HKCR\Interface\{C936EC34-11FC-4F15-81C3-8AA143BA8E4B}\TypeLib]
"(Default)" = "{C86D85A1-58F7-4E88-993F-F6435AAAAE5F}"

[HKCR\FS.ActiveBinderX]
"(Default)" = "ActiveBinderX Control"

[HKCR\TypeLib\{C86D85A1-58F7-4E88-993F-F6435AAAAE5F}\1.0\0\win32]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFFD2.tmp.1501590031\HTA\3rdparty\FS.ocx"

[HKCR\Interface\{C936EC34-11FC-4F15-81C3-8AA143BA8E4B}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\CLSID\{4E120188-0CAC-468C-B2D9-9D1F079EBC25}\ToolboxBitmap32]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFFD2.tmp.1501590031\HTA\3rdparty\FS.ocx,1"

[HKCR\Interface\{8ACDC97A-ED69-44A0-9FA7-214AB3450F2D}\TypeLib]
"(Default)" = "{C86D85A1-58F7-4E88-993F-F6435AAAAE5F}"

[HKCR\Interface\{C936EC34-11FC-4F15-81C3-8AA143BA8E4B}]
"(Default)" = "IActiveBinderXEvents"

[HKCR\CLSID\{4E120188-0CAC-468C-B2D9-9D1F079EBC25}\Version]
"(Default)" = "1.0"

[HKCR\CLSID\{4E120188-0CAC-468C-B2D9-9D1F079EBC25}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\FS.ActiveBinderX\Clsid]
"(Default)" = "{4E120188-0CAC-468C-B2D9-9D1F079EBC25}"

[HKCR\CLSID\{4E120188-0CAC-468C-B2D9-9D1F079EBC25}\ProgID]
"(Default)" = "FS.ActiveBinderX"

[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"

[HKCR\CLSID\{4E120188-0CAC-468C-B2D9-9D1F079EBC25}\Control]
"(Default)" = ""

[HKCR\CLSID\{4E120188-0CAC-468C-B2D9-9D1F079EBC25}\MiscStatus]
"(Default)" = "0"

[HKCR\Interface\{C936EC34-11FC-4F15-81C3-8AA143BA8E4B}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{8ACDC97A-ED69-44A0-9FA7-214AB3450F2D}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{C936EC34-11FC-4F15-81C3-8AA143BA8E4B}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\CLSID\{4E120188-0CAC-468C-B2D9-9D1F079EBC25}\Verb\0]
"(Default)" = "Properties,0,2"

[HKCR\Interface\{8ACDC97A-ED69-44A0-9FA7-214AB3450F2D}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{C86D85A1-58F7-4E88-993F-F6435AAAAE5F}\1.0\FLAGS]
"(Default)" = "2"

[HKCR\CLSID\{4E120188-0CAC-468C-B2D9-9D1F079EBC25}\TypeLib]
"(Default)" = "{C86D85A1-58F7-4E88-993F-F6435AAAAE5F}"

[HKCR\CLSID\{4E120188-0CAC-468C-B2D9-9D1F079EBC25}\MiscStatus\1]
"(Default)" = "205201"

[HKCR\CLSID\{4E120188-0CAC-468C-B2D9-9D1F079EBC25}\InprocServer32]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFFD2.tmp.1501590031\HTA\3rdparty\FS.ocx"

[HKCR\TypeLib\{C86D85A1-58F7-4E88-993F-F6435AAAAE5F}\1.0\HELPDIR]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFFD2.tmp.1501590031\HTA\3rdparty\"

The process Synaptics.exe:3304 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\Synaptics_RASMANCS]
"MaxFileSize" = "1048576"
"FileDirectory" = "%windir%\tracing"
"EnableFileTracing" = "0"

[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"

[HKLM\SOFTWARE\Microsoft\Tracing\Synaptics_RASMANCS]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\Synaptics_RASAPI32]
"MaxFileSize" = "1048576"
"FileDirectory" = "%windir%\tracing"
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\Synaptics_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3E 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\Synaptics_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"FileTracingMask" = "4294901760"

"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\Synaptics_RASMANCS]
"EnableConsoleTracing" = "0"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

The process mshta.exe:3572 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\mshta_RASMANCS]
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1299588363"

[HKLM\SOFTWARE\Microsoft\Tracing\mshta_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\mshta_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\mshta_RASMANCS]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\mshta_RASAPI32]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\mshta_RASMANCS]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\mshta_RASAPI32]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\mshta_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\mshta_RASAPI32]
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3F 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\mshta_RASMANCS]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "mshta.exe"

[HKLM\SOFTWARE\Microsoft\Tracing\mshta_RASAPI32]
"MaxFileSize" = "1048576"
"FileDirectory" = "%windir%\tracing"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.

VersionInfo

Company Name: Synaptics
Product Name: Synaptics Pointing Device Driver
Product Version: 1.0.0.0
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.4
File Description: Synaptics Pointing Device Driver
Comments:
Language: Language Neutral

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
hxxp://com-utorrent-prod-bench-290894750.us-east-1.elb.amazonaws.com/e?i=50
hxxp://download-new.utorrent.com/endpoint/hydra-ut/os/win7/track/stable/browser/ie/os-region/US/os-lang/en/os-ver/6.1/enc-ver/111258508/
hxxp://ip-api.com/json?callback=jQuery19107445021943009298_1501590043726&_=1501590043727	108.61.191.230
hxxp://rp.robotitor.com/?v=2.0&subver=6.21&pcrc=1427031125	54.76.37.1
hxxp://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978	50.23.197.94
hxxp://os.robotitor.com/BitTorrent/?v=6.0&c=526762032&t=1323777	52.210.43.9
hxxp://com-utorrent-prod-bench-290894750.us-east-1.elb.amazonaws.com/e?i=50&e=eyJldmVudE5hbWUiOiJoeWRyYTEiLCJhY3Rpb24iOiJvZmZlciIsInBpZCI6IjE2NTIiLCJoIjoiVTY3Z3doRlJ3b2VQOTMzNiIsInYiOiIxMTEyNTg1MDgiLCJiIjo0MzkxNiwiY2wiOiJ1VG9ycmVudCIsImxuZyI6InJ1Iiwib3NhIjoiMzIiLCJzbG5nIjoiZW4iLCJkYiI6IldpbmRvd3MgSW50ZXJuZXQgRXhwbG9yZXIiLCJkYnYiOiI5LjAiLCJpYnIiOlt7Im5hbWUiOiJGaXJlZm94IiwidmVyc2lvbiI6IjQ5LjAiLCJleGVOYW1lIjoiZmlyZWZveCJ9LHsibmFtZSI6Ikdvb2dsZSBDaHJvbWUiLCJ2ZXJzaW9uIjoiNTQuMCIsImV4ZU5hbWUiOiJjaHJvbWUifSx7Im5hbWUiOiJXaW5kb3dzIEludGVybmV0IEV4cGxvcmVyIiwidmVyc2lvbiI6IjkuMCIsImV4ZU5hbWUiOiJpZXhwbG9yZSJ9XSwib2ZmZXJ0eXBlIjoicHJpbWFyeSIsInByb3ZpZGVyIjoiSXJvblNyYyIsImhvd21hbnkiOjEsIm9mZmVyc2hvd24iOjAsInN0YXR1cyI6ImxvYWRfRExMX3N1Y2NlZWQiLCJpcm9uc3JjX29mZmVyX3ZlcnNpb24iOiIxLjAifQ==
hxxp://com-utorrent-prod-bench-290894750.us-east-1.elb.amazonaws.com/e?i=50&e=eyJldmVudE5hbWUiOiJoeWRyYTEiLCJhY3Rpb24iOiJodGFiZWdpbiIsInBpZCI6IjE2NTIiLCJoIjoiVTY3Z3doRlJ3b2VQOTMzNiIsInYiOiIxMTEyNTg1MDgiLCJiIjo0MzkxNiwiY2wiOiJ1VG9ycmVudCIsImxuZyI6InJ1Iiwib3NhIjoiMzIiLCJzbG5nIjoiZW4iLCJkYiI6IldpbmRvd3MgSW50ZXJuZXQgRXhwbG9yZXIiLCJkYnYiOiI5LjAiLCJpYnIiOlt7Im5hbWUiOiJGaXJlZm94IiwidmVyc2lvbiI6IjQ5LjAiLCJleGVOYW1lIjoiZmlyZWZveCJ9LHsibmFtZSI6Ikdvb2dsZSBDaHJvbWUiLCJ2ZXJzaW9uIjoiNTQuMCIsImV4ZU5hbWUiOiJjaHJvbWUifSx7Im5hbWUiOiJXaW5kb3dzIEludGVybmV0IEV4cGxvcmVyIiwidmVyc2lvbiI6IjkuMCIsImV4ZU5hbWUiOiJpZXhwbG9yZSJ9XSwiaXAiOiIxOTQuMjQyLjk2LjIxOCIsImNuIjoiVWtyYWluZSIsInBhY2tpZCI6InJ1X3lhbmRleF9pcyJ9
hxxp://rp.robotitor.com/?v=2.0&subver=6.21&pcrc=1754337324	54.76.37.1
hxxp://rp.robotitor.com/?v=2.0&subver=6.21&pcrc=1149495921	54.76.37.1
hxxp://rp.robotitor.com/?v=2.0&subver=6.21&pcrc=284868744	54.76.37.1
hxxp://img.robotitor.com/img/Pipupimiwad/fs_bg.png	199.58.87.155
hxxp://img.robotitor.com/img/Rawabere/FS/bg_test_B.png	199.58.87.155
hxxp://rp.robotitor.com/?v=2.0&subver=6.21&pcrc=448803107	54.76.37.1
hxxp://rp.robotitor.com/?v=2.0&subver=6.21&pcrc=1933594832	54.76.37.1
hxxp://cdneu.robotitor.com/ofr/Solululadul/asgnd.cis	146.185.27.45
hxxp://cdneu.robotitor.com/ofr/Solululadul/icc_v5_8.cis	146.185.27.45
hxxp://img.robotitor.com/img/Tavasat/15Feb17/v1_fs/EN.png	199.58.87.155
hxxp://rp.robotitor.com/?v=2.0&subver=6.21&pcrc=601164120	54.76.37.1
hxxp://rp.robotitor.com/?v=2.0&subver=6.21&pcrc=1687675366	54.76.37.1
hxxp://cdnus.robotitor.com/ofr/Solululadul/icc_v5_8.cis	199.58.87.151
hxxp://cdnus.robotitor.com/ofr/Solululadul/asgnd.cis	199.58.87.151
hxxp://img.robotitor.com/img/Repererarer/RS_RA_V1_FS.png	199.58.87.155
hxxp://rp.robotitor.com/?v=2.0&subver=6.21&pcrc=10585753	54.76.37.1
hxxp://img.robotitor.com/img/Repererarer/RS_RA_V2_M_WIN.png	199.58.87.155
hxxp://rp.robotitor.com/?v=2.0&subver=6.21&pcrc=36596338	54.76.37.1
hxxp://img.robotitor.com/img/Repererarer/ADBlock_icon.png	199.58.87.155
hxxp://img.robotitor.com/img/Repererarer/Battery_icon.png	199.58.87.155
hxxp://img.robotitor.com/img/Repererarer/Video_icon.png	199.58.87.155
hxxp://img.robotitor.com/img/Repererarer/VPN_icon.png	199.58.87.155
hxxp://rp.robotitor.com/?v=2.0&subver=6.21&pcrc=333111036	54.76.37.1
hxxp://download-lb.utorrent.com/endpoint/hydra-ut/os/win7/track/stable/browser/ie/os-region/US/os-lang/en/os-ver/6.1/enc-ver/111258508/	67.215.238.66
hxxp://i-50.b-000.xyz.bench.utorrent.com/e?i=50&e=eyJldmVudE5hbWUiOiJoeWRyYTEiLCJhY3Rpb24iOiJodGFiZWdpbiIsInBpZCI6IjE2NTIiLCJoIjoiVTY3Z3doRlJ3b2VQOTMzNiIsInYiOiIxMTEyNTg1MDgiLCJiIjo0MzkxNiwiY2wiOiJ1VG9ycmVudCIsImxuZyI6InJ1Iiwib3NhIjoiMzIiLCJzbG5nIjoiZW4iLCJkYiI6IldpbmRvd3MgSW50ZXJuZXQgRXhwbG9yZXIiLCJkYnYiOiI5LjAiLCJpYnIiOlt7Im5hbWUiOiJGaXJlZm94IiwidmVyc2lvbiI6IjQ5LjAiLCJleGVOYW1lIjoiZmlyZWZveCJ9LHsibmFtZSI6Ikdvb2dsZSBDaHJvbWUiLCJ2ZXJzaW9uIjoiNTQuMCIsImV4ZU5hbWUiOiJjaHJvbWUifSx7Im5hbWUiOiJXaW5kb3dzIEludGVybmV0IEV4cGxvcmVyIiwidmVyc2lvbiI6IjkuMCIsImV4ZU5hbWUiOiJpZXhwbG9yZSJ9XSwiaXAiOiIxOTQuMjQyLjk2LjIxOCIsImNuIjoiVWtyYWluZSIsInBhY2tpZCI6InJ1X3lhbmRleF9pcyJ9	23.21.139.158
hxxp://i-50.b-000.xyz.bench.utorrent.com/e?i=50&e=eyJldmVudE5hbWUiOiJoeWRyYTEiLCJhY3Rpb24iOiJvZmZlciIsInBpZCI6IjE2NTIiLCJoIjoiVTY3Z3doRlJ3b2VQOTMzNiIsInYiOiIxMTEyNTg1MDgiLCJiIjo0MzkxNiwiY2wiOiJ1VG9ycmVudCIsImxuZyI6InJ1Iiwib3NhIjoiMzIiLCJzbG5nIjoiZW4iLCJkYiI6IldpbmRvd3MgSW50ZXJuZXQgRXhwbG9yZXIiLCJkYnYiOiI5LjAiLCJpYnIiOlt7Im5hbWUiOiJGaXJlZm94IiwidmVyc2lvbiI6IjQ5LjAiLCJleGVOYW1lIjoiZmlyZWZveCJ9LHsibmFtZSI6Ikdvb2dsZSBDaHJvbWUiLCJ2ZXJzaW9uIjoiNTQuMCIsImV4ZU5hbWUiOiJjaHJvbWUifSx7Im5hbWUiOiJXaW5kb3dzIEludGVybmV0IEV4cGxvcmVyIiwidmVyc2lvbiI6IjkuMCIsImV4ZU5hbWUiOiJpZXhwbG9yZSJ9XSwib2ZmZXJ0eXBlIjoicHJpbWFyeSIsInByb3ZpZGVyIjoiSXJvblNyYyIsImhvd21hbnkiOjEsIm9mZmVyc2hvd24iOjAsInN0YXR1cyI6ImxvYWRfRExMX3N1Y2NlZWQiLCJpcm9uc3JjX29mZmVyX3ZlcnNpb24iOiIxLjAifQ==	23.21.139.158
hxxp://i-50.b-000.xyz.bench.utorrent.com/e?i=50	23.21.139.158
router.utorrent.com	82.221.103.244
docs.google.com	172.217.16.110
xred.mooo.com	31.223.26.37
router.bittorrent.com	67.215.246.10

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected
ET MALWARE ISearchTech.com XXXPornToolbar Activity (MyApp)
ET MALWARE Win32/InstallCore Initial Install Activity 1
ET POLICY External IP Lookup ip-api.com

Traffic

POST /?v=2.0&subver=6.21&pcrc=1427031125 HTTP/1.1

Accept: */*

Host: rp.robotitor.com

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)

Content-Length: 2336

Cache-Control: no-cache

...3E.Q)_l.y...K....2l~..}5.M.4..*........>..W.a.......1^.[.@du..g ....Y~.ew.._.r!..@.N......6...x.fVV.6.t..i5,......gF..H...i...`.2.Eyf.PI..I)q.%i2....x.....%z.....`...^...~jk..y....C]... .{.M.l.........,..h6......K.->...l#......\hzX.o.(....y.(.Czg..b...mB.s;.......@U...._..{.(...C.]....k%.8...Bupu$.U..5.k|].(.B,.......I.{.Je..s. ..o.rM#.F.b..%q.V..<...n..?oC.........z...G4...o...9..756.^5.25v]^u3....6g..`$

..N..R?...Ay.........R...E.j....@.R[y`=./...4.!..8T....#..5. ..f...o.>.m.!..G......,..H.ks..w...io4.....#~..N.[:......}h5.&c/...p..>".._............s|h.
..YC...Qm...v. S......F,..m|_uD%}..2.&,............f..C.)...*.J.(.GE..8l...~C_.}...v....1..(}.*.e..w9.4T1.YK..wJ."......99=..r...2..9.9f=...q.......b.e.84..K.d..Q?).m..C$N.....K.....{..c..^..y...q..Gj...f7?.5..y..w@I. V5.../...0...V?.9F.X../?..L5`..C.8=.F..{.C..

en.]... .i.x..g1$..xM.)..R...p7.q$.L.D..........hZl..Y..... Ga...=.LNh...2..."....Q..b!..

.....4.-.-ab.0.......1..v..8.....g.B....n.e..)T...B..t.e.H.G...lU../.['a.i../..._<..116.,V......I.F*.@S..*.....
 l.[...o*:..`5.Bv.@_u...;|n.o.,....}.V4.H../.............Va.|l....&....#.R...<nh.#....1:..f,..z[;...".......q.....}.x.{.(S"=...E.v.o@.7.....F...1i..V.0h.(......1.e.B,'.j...b..r?.aUR...
..XOc3..;.-.bn.....e....(cXS..E.....R)..[.{..Z...j.......k.Q.j....." ........V
HTTP/1.1 200 OK

Content-Type: text/html; charset=UTF-8

Date: Tue, 01 Aug 2017 12:20:47 GMT

Content-Length: 4

Connection: keep-alive
DONEHTTP/1.1 200 OK..Content-Type: text/html; charset=UTF-8..Date: Tue
, 01 Aug 2017 12:20:47 GMT..Content-Length: 4..Connection: keep-alive.
.DONE....


POST /?v=2.0&subver=6.21&pcrc=1754337324 HTTP/1.1

Accept: */*

Host: rp.robotitor.com

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)

Content-Length: 2976

Cache-Control: no-cache

.I..~...$$.......Nn8>&....''9LZ.I.)...~.B.!"...K.n../.;.9Ja%.........O.....\Txip....Z....x.A...N.].R,9...n.....;.Bs...h.I........?\..X...{DDl .W...Q.)...F..R......*...F...\3snx......=.`P...k..%...:.nb.......D.e^g.M.zM @....0Hz(l?......U..:E
3D.

...P...n.v.u..ZUX...........s..4f.ia;..$.G.8^:<...Z..9...x}^ ......P.~...r.v..
,['.=..w.U..Jo.y..qv.....H...y.G.@[.id:g........M..<.q.vT.Y..y.T^..<t..d... %3...z.4....h2.b.....>....U.....^......O...@co...T..is_........)...Qbzk.I. 1...`y..f^...}..M.i.= ...lT.$..d..E...../X.=.*.$=......\... %U.7}..z....]8*.z-..E........%|f....]../KU.rH.4.........Q..._%<\..D..\...3CW.G.h..y\D.W..k...w....uNPB..(..%.ml.,..)d.b-C../..!...>D.o="W........J .X3!|}..V...=..
.....[.......v..... .A...uw...........`6........Q..I}......$......M. ...#.X.MTY`P?D...

R........m..S...|C..&R....w.Ln9.......h..".......$....4C.ho.n..,.z0M./|>.....6.eL.z......0f.@{w...|...J...H..b....[RH...n..iE.....n..t.kL.B...Be....P\.....US.$.OIa.BV.. z..6g<....v.W.<Vi]..s..,...k.\xFr_C.# .y...J.35?e.AZ(.I.....C.......`....&..YEMr...7 bD..g....O....<.mS.....,P... F..| ..w.[}.>...@._.%/...cx!...]f....r%)n......."d.}....G.....'C..6>F.'.w.z?.......)M..pz."q)N...>v...$...b..... ]!w.w."...}..'......b<4H...j.eKee.~.u......~..=.n..*.....
...:.r..e......4.e%.~ .4...q.@q..
HTTP/1.1 200 OK

Content-Type: text/html; charset=UTF-8

Date: Tue, 01 Aug 2017 12:20:48 GMT

Content-Length: 4

Connection: keep-alive
DONE....


POST /?v=2.0&subver=6.21&pcrc=284868744 HTTP/1.1

Accept: */*

Host: rp.robotitor.com

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)

Content-Length: 1952

Cache-Control: no-cache

....V.....2$......@..........

@V.Y.jN.nt.d..o.wI.....A..........x.I@................Eb.v.{P.....i.pL....M%k.pq-=....Wgb.{.3...9.......u.$.....!.T%.g<..}...:...Glf}u.Q...\&.R..p....G..2....;.:.n.u..m..Q...34.W..n...gc.L....bn..o7js......:...]KE..b6.7......L4......._S..s.Q.x..fi.B2...x...x...VY.>7.q*x%.Ucl9.\,09...8.^.D.w.'U1;&u..I.'_C...8.}..Q...x...]..O5.E..~.0....x"o.2.U.K...S..:.k.....>.R..^.p..`.....}....$8".R..x:|....#..8.].Po.{.X..-.4....8.S..,.NS|#.K.%3....;m..qD...U.....G#RQ..........Is../.Cc....#..f?......._. #G[<..:V........h..M[."..

..p..,.

...Re...^.x9P.m)7.9..(4U.'.....>..1...113.B"...A.....z.*%h.K......TA$B |.Gcz1o........ .......#.i..l<y..JU..g.eY..1.r.OI....OL..\......y:.&........3...-....q.h.0.2.`t..U..1b..\......B.D_7...&W*..|...~..5....l`.*....Q..uTS.b.......j.6pL.s!.....CR....^....Gx ......D..

.. A1.....v...........C..,;.7..".N.#F.Y
..>.<g.....TR.s.n....S......

.....t..QuxW.g.....Qu.3.p."Qh
=.X.....i.e76..

.W..|.5 }.N.l..T?l....E..7.......(.0.eg....,..5R...Nz..=J.N.....}......^..../...W........5....3...".

...........0Byco...9. ..

..n....-3...K..t...... ..-...H..h...D...T.t5T....zd".z...P..aw......1..*j...._..i.4..;.......K.l.(!..1..k#..

K.l0.!.......W..."...&X. Q. 
7.m...o..U....Mjq....L.1.#M0..t ....9..."...$.O...@yn..r.tp....*fB.q..w..e.8.9>.
HTTP/1.1 200 OK

Content-Type: text/html; charset=UTF-8

Date: Tue, 01 Aug 2017 12:20:48 GMT

Content-Length: 4

Connection: keep-alive
DONE....


POST /?v=2.0&subver=6.21&pcrc=1933594832 HTTP/1.1

Accept: */*

Host: rp.robotitor.com

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)

Content-Length: 1952

Cache-Control: no-cache

I'.........a.o.~<..=0..T.|O.......c.r..M.jc.y{r.si !....X..w2....1@..k..U6.v..5..4..p}....j...bT...5.p.Y$..H\..........@.H....../tuD......L9....F_......A
-bX.......HU#5.......o...G. ......cE..LQ....P..AH.......Z..vF..D..[.._..S ....$_..,..8...AX.......,,Y..u...H$.Y....F..q$4.p.\..P..w.....\"....>...gP.P.

tMk D6...I.

...EI..C..t!.)j..k.....x....f.8.1(b....k@IwC..K.-mM.h'.S.....l......1b$.g.`.'4.9.s.?b
MD.....e..pC.....w...)..o..-;...{...qdR.,..3.j<..%....[t.nJ.N\.7._G...3>..^w.-..Q.:..J
Cg.x.#...EmA.&x6.m.]n61X..d>E...J.D..R..&Y^.#...#EP.~...>B....V..(.Ma.....h.....RO.".#.X....w....Lo.....OT...\*x.r..).<H."g.*.Y.Y4..(.. ...^....>..c.Uh...i....P.{.#.W..63.......<..dB.$

.U...5=..C@i.....i.LN."..wG.'.. ny/.]....W-......J...5....I..[..e.m.....:>...
.......?..

..7BVk...%{...R....r!..h...C\..Ja... ..#/j.$GB<..W3.O.......;Nl.5.V....vE.......E~...#.h..?]..8....JNl...*...*..........}....)k.|..S.;....y. ...X.^...d.(.JyK.....|G'."s.......1.."G.a[..T....W78..q..-.~.p...~....72<a....:..FC5..._...w(..@K^...bE.....aP..P.{.L...NS.......

4fn.&.Ei....".8.!2>. ..W....[.u......X...B.14..dM.O)...4.........%Q......z..cH.t]...Z.....
....LE.....j.."3.....=.[..W....p.C.v..u...;..H.&..N. N......7e.IW.'.!..............^.E.....K..p.yO...i..G{.;.a.[F..*4...5...".8@Dp...,.xA.....&..n..
HTTP/1.1 200 OK

Content-Type: text/html; charset=UTF-8

Date: Tue, 01 Aug 2017 12:20:48 GMT

Content-Length: 4

Connection: keep-alive
DONEHTTP/1.1 200 OK..Content-Type: text/html; charset=UTF-8..Date: Tue
, 01 Aug 2017 12:20:48 GMT..Content-Length: 4..Connection: keep-alive.
.DONE....


POST /?v=2.0&subver=6.21&pcrc=1687675366 HTTP/1.1

Accept: */*

Host: rp.robotitor.com

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)

Content-Length: 1952

Cache-Control: no-cache

...QzK....i.....xAz(....B.O$|.~W.<.....WW*.m..`v.P..y...~.o.NKo...V.....f......}....bN.?7.f....{......Y..g"...V.7...).m^.

. y ....c$......V@.C...wl..A*......
~S...L..jp.L&C.@h<75^..:.b...o.......[...>."Rs.&...~op'}..8..3.........g....|...B...kZw.NU.. (BH.@.oy.D.....7.....k...s.x.....Q.$....4q..>0d9..U.......j|.l.....$2FaD7:.....RX"...?/.3....T^....]H...o.,.nS0.p.c.
....#..}.u_E.. ....$.?............o.4. .%7
......?...%X...F.L....S....{.}...e;.(....u.../...=(.A.Z...)......\........;b...TZ.(....n...t.(Wr.....F..(...5.Sm........PHf0D;>..*WF......n..3z.......}..~.F..:.......}......c=c.\.........Ih.p.
.....@<.......5.GNd....!:......s.`...........].E...~........F...#U..=.n.....6.9....2.<M....H.g.U.PU.m.Bp....K....;.0*.&......A......gW^....O....._.{O..,...;..&.%D..vau..>....C.6.xR|..o<\...............<JO.B.5vUE(.j.~x3 S.w..f9.-..X.,n.K....$......=5.fP.....!.F..&.....Q...3.pR....]\Z..07..OR.kz...&..u.......u....i.qaFda....c..(..{..D%..m..h...^..x

{..2<|..-....z.gx....z.aBsEa.5T..]...r8.<].D...\.O..I......L..$.....\ C..G.&6.....X".1s....w..U./.

YjPq...i 6ia

5.V.t. .)...}...og....T.L.F.c........EH...2.k....Lg......_...2-
.......H....Rx.....%.....}..cp.Q.<.....h.
....v.z....
....N..r`KF.B.g.f.n ..6.?..:...J..l..4..TZ... ..k.0U..`.2.*(...j:`H
..,TK..F...w.Yvv...._.
HTTP/1.1 200 OK

Content-Type: text/html; charset=UTF-8

Date: Tue, 01 Aug 2017 12:20:49 GMT

Content-Length: 4

Connection: keep-alive
DONEHTTP/1.1 200 OK..Content-Type: text/html; charset=UTF-8..Date: Tue
, 01 Aug 2017 12:20:49 GMT..Content-Length: 4..Connection: keep-alive.
.DONE....


POST /?v=2.0&subver=6.21&pcrc=36596338 HTTP/1.1

Accept: */*

Host: rp.robotitor.com

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)

Content-Length: 2032

Cache-Control: no-cache

(:.] .N
.......O_V..._8_.S.c.C......^..S4.
.....UG.B.>l.

.Vk ,...Z
..=..b~..... b.........K.y..X..l...c.|wvv<.xvZ0....ye...;.X/R.]./..%.....fN..w.r.......Hq..Gc..3.D.c..C.=7?..........?.Yo8L.-...6.".,L2#.Hm"..}p.:(.NL#..A.Q..:.H.......d$$...:...*..}.PsX

.r...X!.^...N;...e.Y.{......:A%i.]..<.y=.5.\I..w........mM..:

..4 ..I6_..b....m..........}....^.......K......M.......C..Ba8SG.K..$LV.......'..G(d......Oe.._.y......).A.Eb...S.[7..j0...b..
\.@...4.22.`m. Q..4f{.F>........e.B

0X.}.W..i.)......R.ZF...]...ge ..ZajsN{.onU .^z\...c~....BNP.j......i.R.I.#RZd...e.&#.,......9.
.z.X...m$....^.JZU.E{e....5...-2K......T....h....]..R.MW............x...xQ...............\.r?#...s$..e)..0.Q.....5A."Ih..{..X....Fe......v..6T.....E......[.....$..Z.~.w.e.f.H..PE.............9..R.o$.wI.o].kE9.._iw....mi..P...L..f.....d...J}i../J..S.'.T....*..?$I.._......%..x.5..<{<W...k..uW....`j~..[.&.V...5.%{a.w>.....t$.!.a..1....d.
.E.......nY?w#.\n<........}.%....}. (......]...@_..&..VBI....b*.K.....;V..4....)?.x..U....W........@..o.....?r...U.Y<...8"/...x.K..'..S......8.?B.k..f_.B;F..8..'....d@...v

...h....R....l.|95.V..q/......v/........S..F.P.~.k&..7.....-C........ ...X.y.40x..I.S....(......*.PL_..'
..1...

%...b.{J*...
o..Qe..n..f.l
..p........6...^.!.H...s;H.2.d9.Z.v.x.....`3.p.g.u[..C.j..9......
HTTP/1.1 200 OK

Content-Type: text/html; charset=UTF-8

Date: Tue, 01 Aug 2017 12:20:49 GMT

Content-Length: 4

Connection: keep-alive
DONEHTTP/1.1 200 OK..Content-Type: text/html; charset=UTF-8..Date: Tue
, 01 Aug 2017 12:20:49 GMT..Content-Length: 4..Connection: keep-alive.
.DONE..

HEAD /ofr/Solululadul/asgnd.cis HTTP/1.1

Accept: */*

Host: cdneu.robotitor.com

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0; ICDM 2.1)

Content-Length: 0

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx/1.0.10

Date: Tue, 01 Aug 2017 12:20:48 GMT

Content-Type: application/octet-stream

Connection: keep-alive

x-amz-id-2: r0l wRO3VrTWMxpyy7K5DFJkIylKkOdGcoDsxp3z9PRxUp3SCwQ8ILxvKXjBn/ql

x-amz-request-id: 31DA117E04BA7725

x-amz-version-id: ak82ScyXtEXeOWL8crBo3MgwwdwO6r.3

x-amz-meta-cb-modifiedtime: Wed, 20 Jan 2016 14:37:36 GMT

Last-Modified: Wed, 20 Jan 2016 14:38:52 GMT

ETag: "638ebcd93f900c3908f5dde6d8bc2d9f"

Content-Length: 101029

Accept-Ranges: bytes
HTTP/1.1 200 OK..Server: nginx/1.0.10..Date: Tue, 01 Aug 2017 12:20:48
 GMT..Content-Type: application/octet-stream..Connection: keep-alive..
x-amz-id-2: r0l wRO3VrTWMxpyy7K5DFJkIylKkOdGcoDsxp3z9PRxUp3SCwQ8ILxvKX
jBn/ql..x-amz-request-id: 31DA117E04BA7725..x-amz-version-id: ak82ScyX
tEXeOWL8crBo3MgwwdwO6r.3..x-amz-meta-cb-modifiedtime: Wed, 20 Jan 2016
 14:37:36 GMT..Last-Modified: Wed, 20 Jan 2016 14:38:52 GMT..ETag: "63
8ebcd93f900c3908f5dde6d8bc2d9f"..Content-Length: 101029..Accept-Ranges
: bytes......


GET /ofr/Solululadul/asgnd.cis HTTP/1.1

Range: bytes=0-101028

Accept: */*

Host: cdneu.robotitor.com

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0; ICDM 2.1)

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

Server: nginx/1.0.10

Date: Tue, 01 Aug 2017 12:20:50 GMT

Content-Type: application/octet-stream

Content-Length: 101029

Connection: keep-alive

x-amz-id-2: r0l wRO3VrTWMxpyy7K5DFJkIylKkOdGcoDsxp3z9PRxUp3SCwQ8ILxvKXjBn/ql

x-amz-request-id: 31DA117E04BA7725

x-amz-version-id: ak82ScyXtEXeOWL8crBo3MgwwdwO6r.3

x-amz-meta-cb-modifiedtime: Wed, 20 Jan 2016 14:37:36 GMT

Last-Modified: Wed, 20 Jan 2016 14:38:52 GMT

ETag: "638ebcd93f900c3908f5dde6d8bc2d9f"

Content-Range: bytes 0-101028/101029
CIS................?...............P..............M.U....$..q.X]....9u
..9u...#a!.s..2.....{8.u..i3.\...Q.....X..}.E..c.).........&`.......B&
gt;Zr..|...E....=..>.o.u..........=|....:._-@.6.d.b.......F'/.C^..t
...e%.s^.3..4..&..o)Y....UrU.R@.........i.%?...lW.-..g.'..KC...'..0E.m
.d.....x.#]...y..u...?.x.V[....o5.x..MQ\....nX.@.9r..iJ.8...L.E...c.4.
.6.x..@'..[..C(4.&.../A..i........e...`T..H. ........)....9(!.D..m...0
..e.,...~..<. ..L.}...................../...sC..#..}.... .......9.9
.....Ji..Xb.Yjk.../...6.@b...i..&....F....M..a....u..B..~_2....h.:nu..
..-..QiL.P|.LB.).....X..v5Z.$aP.".*...z.b5J..z....h.a>?n~h.$..;.V.'
i...2......Y..q^Z4..\....=`....o.M....~.....:u..^.....A@......k..b...Z
<.!..;......&y..!4...#..S.p;wb....@a...._.......At.5..pz........t.5
H.. 8.-..7...{.P.a;..ia..@.Ac.1.....T...,dmoE's;....5...B.7.vQ$9......
y{.j...F....|...9.u....M......1./.-t....dI#d..C9..Lg...../. .v.......1
T..60.2........#..B..............8.....y#~5A...~t...K...{a.|.z....~.*.
.b*.49k.2....>..]s...W...B.n....zK.,..Vk.....h...........w...".....
.I..XW[..}W...y0f..k.~..O6.97#Gk8.5(....Y.W..k...Lz....6fz.....)|.}../
h(8....0dzx.\........._..b...'..Y..w/*H..\.B...\.......1&..Vg..[..N(.Z
I.......G..[.x....0:.eJ.J~..)o..,....T...i..Z.Q......P!.J......_...F.1
er.8...#d...).......Z..im..F.i....%".o.....F.z.V..Q..K....R..W ./.".E.
.dR...y......'Tu....9U..$4."..wP...d9.....x$...W`....8....#u...1..\,.S
.:.kdU..[...,.a"....". P....!.V.K.Q"M.G.e....w!C..../..... m9J1..&I..z
&.2.I..-B.......{.=Ftm....6....A...3..=@t..67.-M.U.Z/..c..^W/Wo .h
<<< skipped >>>

POST /BitTorrent/?v=6.0&c=526762032&t=1323777 HTTP/1.1

Accept: */*

Host: os.robotitor.com

User-Agent: ICAS

Content-Length: 1792

Cache-Control: no-cache

.^.S...N)Tw?.G{&W.....}jL.vI^.!1...c .dm$r5...

...L8..{.;..|q........1|;.N..#M.o...bbU3$.. k..y`..2njh.[...QU.....=.b.............q.I..~.Q..r..P....t.h....Vw....`.....{...".J...6.a... 1U..00............Cg..C..r..E.G..../.y. ..|.........=n&q..!........'<.........YI..0.2..$!...\5~..0..L.[.M.Fg......1...1.)...I.T@....W.......LXD..9.3..y.p. ..

A(...<.@K.....8,8.?".Mk/}...hKV .!0.*......a.M..K,

\.....(QT...q*8uk...7..j.6.D.*.{
..B..d..9].E....|.:K..Ac.....#.dYfz.b.C..{.PL'.N.'....JR.......\^...RD.&$...|.u.!p..?....kJg.C..8..Yd.TW...t.."X...?$.~...s..x....M]....w......c6@.@.......f..v..u..3=....._.Z..Z..k...<...."............H.O....<.GU#.iG...lL.Y.(...M.B....o....Y........
....A..6g9....[h.#e.....  .._.&...m
P.....\..NT....~..y5.. }......P.}...Gi..>.......

}..#YP$.}...=s.l.^...;p.hH.*...p.......vC....k...E.....?..

.....M8...v.....%7......}.%....]...6....RI.i(~`..u.p....J..q..pE.\..~1.v....:..U.wP}.K..&I=.(..E.5s...........auc....p.z..\...,.....<@..;.C........._...Q9...!K....>...3W.....|.4EG.....)^Pb~,Z..K.L..m..)y..lM....6.7..|o\.}..N..j...^6.2....h.R..s..c....V...I.d............ .F...G....2.YJA......=....9..@.g.9..l,'......aC.. .<...R......E>h.[7..h.a...3Lia=.E..T.V...XkG.[..... |........h..}
"#K....!=

c....Q?].^.s.*.m.=.Z).....).j...#6ps..Nl(;....-..=....1.HU{...l.&.....V......T.Z.{.....bT..om...)..U_."..Y....Hu!.<
HTTP/1.1 200 OK

Cache-Control: no-cache

Content-Type: text/plain

Date: Tue, 01 Aug 2017 12:20:47 GMT

Expires: Thu, 01 Jan 1970 00:00:01 GMT

Server: nginx

X-ICSCT-CC: UA

X-ICSCT-GICSET: 137156HotfixFredImported

X-ICSCT-IP: 194.242.96.218

X-ICSCT-SERVER-NAME: ads-slave-162-p-production-eu-west-1-i-0a034a502cffa5133

X-ICSCT-TIMESTAMP: 20170801072047445

X-ICSCT-VERSION: v1.6.2

X-ICSCT-XC: 1f3cfb072bc5ded412eb0f20eaa0b3fa349c056a

X-ICSCT-XS: 91bba9083b637bbb85f2bc525458ea3d2e0cb405

X-Powered-By: PHP/5.5.38

X-Robots-Tag: none

transfer-encoding: chunked

Connection: keep-alive
3635...@........Q.D..C..55x5.....x....Q..,.I.......,...x.d.C..9.{-V...
*.$.w..n.z.....e..u,....V.N..<..O...0?..h........`.F..R.c2O...X..N8
r....kS..%c......%.....J.TN(J...5.n-.D1.#...>.!0.$....&....... ..Pq
@.''H.~.....F...WO......F.7.C|.....6....H].kk...?.a.W|.....0X...C.\...
..&s.. .w.f..I...N~...a.b!V6.L~D.U.RV...-)Adqx..yb..M.Q6.>.......'s
.....e..00....:....[.B.M.N..<pp..q.M.%.........W]3....h.sP.Jm .W|.*
.0.f.k............p...h...A-S..../..xz..(..4.........^*...n.h.....4...
A.7..Q....a...u...W.o..P.NVx.qw6.vJ.....P...R=p..lbm..E&.?..h3.~.. .0'
;.)....6l0.........{...n.6e.K............3D...g.....(Bn..c\.W...y(...J
w.h.6{R....|,....*.u........G#....@..%p....x.R.6piKN9z.&@......c....:.
..t9....y.....e'...-P0<y>.$..Fu^"..s(..3t.......kKD...z...r..>
;.....-Pm...3..........m.dP..Y~g.m..oG....i4...c......p@.D....A..N.i./
w3.?.b(....X..Hs.g.j.~...G....c....#.^..#.....d.\FO..F.u/..r_.l...i...
..Im..L...p..2.Wo.....|I..D.....#......@... ..6.(.FT .7.. 3}...1I...M}
V.j..1.a  "A.|.....,....e.!.L..~ .p..G..."l....b..b.:.....v.o8..uza..1
....;...Hm.........`~.i7...`E'..1...k...f...`.................#./x..(.
o.l:OP....0.d.Ih.E.%......f)L......,..f.}..g.7.>$.(...G...T.?...D[1
.q....7.[Q........ a.@.:..Z....#...............F....H8........U.RN...#
.....l.9...?..yx.C....z.q.m.!p..Z.....&...h.'...B.....^.! []..........
.....#J...Y...a.p.....egZ...{.]?..f......._...g..&.&.Nl.L..WZ.....]...
&....u.C....0|.....8."'.a....Y....lH...%..Mb.f..!.]H..@..@..)..I.5:;@.
nu..*.#\(.....M...%...].q..6.....|r.u..jy.N....\N...JW9...T#.[5<
<<< skipped >>>

POST /e?i=50 HTTP/1.1

Host: i-50.b-000.xyz.bench.utorrent.com

User-Agent: Hydra HttpRequest

Connection: close

Content-Length: 270

{"eventName":"hydra1","action":"INFO","type":"i","res":"1276x846","cts":"1501590043","pv":"","cau":"0","cc":"0","bkt1":"0","ssb":"13","v":"111258508","cl":"uTorrent","osv":"6.1","l":"en","pid":"1652","h":"U67gwhFRwoeP9336","sid":"U67gwhFRwoeP93361501590031","order":"3"}
HTTP/1.1 200 OK

Content-Type: text/html

Date: Tue, 01 Aug 2017 12:20:43 GMT

Server: nginx

X-Powered-By: PHP/5.4.30

Content-Length: 21

Connection: Close
{"response_code":200}..

GET /json?callback=jQuery19107445021943009298_1501590043726&_=1501590043727 HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: ip-api.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Access-Control-Allow-Origin: *

Content-Type: text/javascript; charset=utf-8

Date: Tue, 01 Aug 2017 12:20:45 GMT

Content-Length: 322
jQuery19107445021943009298_1501590043726({"as":"AS31561 Pitline Ltd","
city":"Kharkiv","country":"Ukraine","countryCode":"UA","isp":"Pitline 
Ltd","lat":49.9808,"lon":36.2527,"org":"Pitline Ltd","query":"194.242.
96.218","region":"63","regionName":"Kharkivs'ka Oblast'","status":"suc
cess","timezone":"Europe/Kiev","zip":""});HTTP/1.1 200 OK..Access-Cont
rol-Allow-Origin: *..Content-Type: text/javascript; charset=utf-8..Dat
e: Tue, 01 Aug 2017 12:20:45 GMT..Content-Length: 322..jQuery191074450
21943009298_1501590043726({"as":"AS31561 Pitline Ltd","city":"Kharkiv"
,"country":"Ukraine","countryCode":"UA","isp":"Pitline Ltd","lat":49.9
808,"lon":36.2527,"org":"Pitline Ltd","query":"194.242.96.218","region
":"63","regionName":"Kharkivs'ka Oblast'","status":"success","timezone
":"Europe/Kiev","zip":""});..

GET /ofr/Solululadul/icc_v5_8.cis HTTP/1.1

Range: bytes=0-506657

Accept: */*

Host: cdnus.robotitor.com

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0; ICDM 2.1)

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

Server: nginx/1.0.10

Date: Tue, 01 Aug 2017 12:20:49 GMT

Content-Type: application/octet-stream

Content-Length: 506658

Connection: keep-alive

x-amz-id-2: 7TooMFJJRcz9L2dDBVCSZJmXBV0qkegPwIMmgySKZtIFAwPJLeCH6wRovIuBqF2oHJ8YfW16nW4=

x-amz-request-id: 7CFD51147C037FA9

Last-Modified: Mon, 05 Jun 2017 11:20:09 GMT

ETag: "d3275dae3b2da9508907b2e97cd72712"

x-amz-meta-cb-modifiedtime: Sun, 04 Jun 2017 11:47:23 GMT

x-amz-version-id: B1J2nyfjCWzZziCw.awfI7I4ql6woVzG

Content-Range: bytes 0-506657/506658
CIS................_.......".......P.......u..uYX.nA!9Y..M............
...EY9CC3..GF..S3_<.Q[aW6].....L...L...#a!...|2...s..y..l... ....-.
D.c....E..Hs..v......Ok.$...U/..W..3..h;O........3........0-..d.....8i
..*Q .T.Zl.q.8..Sj......y.{........nT.2....s.Zw...H....`ig.`N.../Z..MJ
O..i......w6*../.t.<.-..p..W5...V7.=.lkV...Z.`.P.ba.8.h'.0..<...
WH.[.TT....e$..=........`..(....:...fY}K.L..l.}7..N.QWx%.(].*.m....T..
........{.w..7..X.gJ'7D......y.G.<|-.......Vy.[,.O*../.4.......9..L
(...)s.g,%.=...i...e.4...T......dS...;..2r.......Bo....9..8Y..?.4.....
(.Y)0..I..#....dzp)s.J.....[..../....Z...=f.C....,...:.....A.,)...N..'
S....v....p.~n........ h......G....i6A.m..} .(I.sn..... ...!.K..!.....
.X....D..I...P"......o...h.b.Xn...N...5.y.0-.L.>....Zh<2-..^M...
..W. ...]...A.....'%.....9.:.Ta.-..3..x.....s,W1w................I.!.)
)g..~..c..B.V..[....o%.g......z.V..j..FU.*....A..SJ.I7i.. .......x...r
u.....Uf-........>../.LXgA..zk..4.u{....`...E....j......yw.....?j..
hzD..V.....0.3..._..n.*.....s)....c..g*..ox..5u.:O..|....D...Z.u.m.R.(
a.....,.D....h.yg..?..UE..]\....'.z..m...sOG._m....K...I......a.I9....
}..H..P..D...zk46..V.....Zw...!.._B..........|..Z.Xq.dSx..]...ur7..G..
..x......b..L.}$;..@.....]>...-.{..J...[.|A.*6......EKy...@..(U|_.o
8.l...tf........H.......s......c(.%M.._*...&?. .Ni..2...(.R.%.R.M..!..
&G.....n..VW..m....~x.CE.p5.....................0..{Q.{....N8.B!#..a{.
..L..D.....v*.U.;:.8...I...Z...e^3..gl&.i`Q...l.p...q..J.Ki.]..I.....i
t.......W..*x..................Eo.>..c..z......6...w.,mV>...
<<< skipped >>>

POST /e?i=50 HTTP/1.1

Host: i-50.b-000.xyz.bench.utorrent.com

User-Agent: Hydra HttpRequest

Connection: close

Content-Length: 261

{"eventName":"hydra1","action":"packDownloadResult","type":"i","result":"1","cau":"0","pv":"","cc":"0","bkt1":"0","ssb":"13","v":"111258508","cl":"uTorrent","osv":"6.1","l":"en","pid":"1652","h":"U67gwhFRwoeP9336","sid":"U67gwhFRwoeP93361501590031","order":"2"}
HTTP/1.1 200 OK

Content-Type: text/html

Date: Tue, 01 Aug 2017 12:20:43 GMT

Server: nginx

X-Powered-By: PHP/5.4.30

Content-Length: 21

Connection: Close
{"response_code":200}..

POST /?v=2.0&subver=6.21&pcrc=1149495921 HTTP/1.1

Accept: */*

Host: rp.robotitor.com

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)

Content-Length: 1968

Cache-Control: no-cache

...4.....>.K..~......#f~.7N.. ...P.Mh.?|C.u.pmB.........ZVX......*...S.........iOS...o|$.e\.M...?!C<hiz.t.yK.....S.y`Syq..^,.<.N

.....}.E.Sr-A.'...*I..
8eU...pcP..O.....|E
...'..j...U..(...$.....%.p.uX...\*......:x.-.z...g..V.I.>.....Z.w.....
.UP..../..aT...w.k.S .W...FW...#@K..

..../..A

B.S.o.....2.v...2.t6..A.#[...."<.'..T......;0..=...uC...<).r>_.."Z....}..Z.9.C.>..W.-.j.zx.....%.2...!Y(.;.{......#C\..gm.(.08....!S*.0....<.. ].>..T..\a&..zO.y}K#..v~q^.. *rZ..5.e./.=.Zm'..j...0Z~..x...z..v........9T.......D....73.S l`-..^..$.XL.f....ML.........=Ivc9zxl.......p%.;....1...A........e.\5...#nx....\EX...P.3z

.oY.N..-........'F..S.#@U(....k........."..{.A]...A...R......V..D.$czz/.1..x.",...oM.jP....h.$....|&-.,p.X.....i...

..rO}....N...Zt..AjG......v.....|..4.<......i.%....y........4d...$u.E}m}Z.W...y.z..k~1...F...\q.......6.A{d..C.....A.A...{b._k..~4..pN.....hd.{.|M..ch..l.2.~p_a..P

...c6.o/..5=.B....G...JNl5.....m.J0....q./..M............7.......;E.VV..... .~......N..-fv..3......u.RU...e.J.h"....).8....D.. f{..
).......I.0..... ...Q|j.-gG...,C...T.L.gm^` ..3...z:...`ZtE.M.9p....yB.\'b.Ggk|.5.=3...........)..........7.....Xn.fD..5.V.;r..4.......w..#gEel....I.X....L^......b.......H...!......x\I..dtu....3v].......D........ZB.<.b..a.C.M..7`..*B.....E.%.Gy.s.q...4.
HTTP/1.1 200 OK

Content-Type: text/html; charset=UTF-8

Date: Tue, 01 Aug 2017 12:20:48 GMT

Content-Length: 4

Connection: keep-alive
DONE....


POST /?v=2.0&subver=6.21&pcrc=448803107 HTTP/1.1

Accept: */*

Host: rp.robotitor.com

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)

Content-Length: 2992

Cache-Control: no-cache

.I..G.)E..,(D-..V.....]4.......]..B..4...iUa.@...T..6BC..[....}......]2m....../..5.Q..w..o...bb.
.m\.F ....#l%....=.3=.&'..E/........Z]...h.N.-uP....!.Hi.7.&*..7o.y.Y.(...#..Y.z..,..l.o....._...B.a.#.XP..v,....~.....P........=..`q=..n.7...2...u.<.,...W...T..q...heW.Yh.~.."....b.j.x.X$..{y`o.

"0

#.{..E..2b....[f:......iRL".g.iS....l.I..U..N....J1.}5z}.I....]..g.?..y.%..G..A..-.@...
;..J.5;..5.
..'_......`.fx.i....l.=c%aM..E.Y
.Z... ....5a.....7....I.j...nRP.#;,K8(....l.QM

.O%.?.8T.,.K..p....v.!..w.!....P.YR.........@.we.A.Y.XO...V...d........T X.9e`.....AK......d.B..>...6...).;7Z...DW.=8@G.!R....|....2V..v.....:.k......49...!....2.....v.1...N..... ....Xb2.....T......0\.6q.......9<..g...k..=...Y{.2.........@w,.....k.....M]N.2.....<..X......sU.m...~L..
6.a..0.s..0.2..Q^.B..o<.9.k.!.R..x^..:F#..B........i

.k.{W.h#*..\&...]d..=(?..6.{.*..}...xq.E..g'7t......>..6k.y)...........g..J l.[q.p.t.t..r..?.U.

$..`.q*&..RB..&P...]ka.)t..Y....R.Y[....ikEPN.cC.vF.....*..'.pef~.[.H.4m.m.`H....,2...e'.F.P... .O......".........0...nK...4.......e.;6<.....

.v..L..(..n..........C.k.x.....*...T..~...Z..._...~.Q..7Te"..s..)......W<?...2.I?.0...].. ...i g2.9._c.(i7..-...|..7.u.ra....C%.......!%...aP...?.|...@.!......b)L....n.=.D3z.%.OB...0.....q..}..k...JT.3S]....."&"........z4[.[./H.. .....j..
HTTP/1.1 200 OK

Content-Type: text/html; charset=UTF-8

Date: Tue, 01 Aug 2017 12:20:48 GMT

Content-Length: 4

Connection: keep-alive
DONEHTTP/1.1 200 OK..Content-Type: text/html; charset=UTF-8..Date: Tue
, 01 Aug 2017 12:20:48 GMT..Content-Length: 4..Connection: keep-alive.
.DONE....


POST /?v=2.0&subver=6.21&pcrc=601164120 HTTP/1.1

Accept: */*

Host: rp.robotitor.com

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)

Content-Length: 1968

Cache-Control: no-cache

W..$...1.:.A].PP.].A%.v...q.......g.WH........".....A!$s.c!.y.]..........<.?{.|.BH.#.Rq.$...u.?. .y....J.(F.W.......5...K...2.q.O..M...<./..........~

n.=.2t.:..e..j...:.o.XSF....w..3.F.<...hw.%...8~R...L.G`L.....7F........kvI..c..e.s.....2.K .e......}..l..V.Z
..Kv..IQ.w&N...G.....Z"v.C*...0.b5......=..G.s.......b..w.Q.k..y....,..O..|.ip.._.9./...?}U...RZF.=.Z....M......w...%.Rl..#3..&B.Ag)......r...i..
...%'......^q.{..MYm.... ..#.C%ynR....B.o._@6%.c...CSa....g.S

... ...Ayyy.k."j...8*...z.d...P......R.~.\.H.

dz......-.\B[.u.R.F?...l..(..J...%...-3$'.:..cx.......k..>.En...=.. .......!Y.{.

...y.5.U65..-..} q...<...f/.5...m.t5:.
wz..r...H....A....a.@.7.....d.M.2.x..wF..>..!.E.q5F.'.l9.*../-.....8......0.....c....i../.....:{...(.:.^..ÿ.#.s...u......i.044...8.$(..W.W..D.......\..~&. ..f.0.......s..K.TT....C_@:.dD...g} .~..>... ...3....T{>2:.Hv0...zb6.a$HQ.1..'.8...V.D<>...Hx..G1R..e..v...Iz..Rw.D..n.6.|. ..nh,.:....;......."....S.`.....,q....R..m.2.Aa[ .g{.g7.....L..o....[p.....!...`...3....&...Q\.........p...f)<.?....v.
...~..WgCFG..

.....[.#......1.a?...j.b..-..Z...A.i.....
........z..j.PW.>....u.n......J|V....v6..)...{..B.... F...s\.2.T. ..>.>.Ow..'.D..\.|..y..2..)....<..^...q:.
F.@e..h:.GbO........2..%5I5.l. .....!X6A.k7~.&n.(..9......].'#...?..
HTTP/1.1 200 OK

Content-Type: text/html; charset=UTF-8

Date: Tue, 01 Aug 2017 12:20:49 GMT

Content-Length: 4

Connection: keep-alive
DONEHTTP/1.1 200 OK..Content-Type: text/html; charset=UTF-8..Date: Tue
, 01 Aug 2017 12:20:49 GMT..Content-Length: 4..Connection: keep-alive.
.DONE....


POST /?v=2.0&subver=6.21&pcrc=10585753 HTTP/1.1

Accept: */*

Host: rp.robotitor.com

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)

Content-Length: 1968

Cache-Control: no-cache

xg.
.......F....P...~3....K...n. M........Oc...-.v.0...W.,G2.].G'.(\.Y.u..A .I6.~S....'..chN..?..lx...yU...........:9:.~cy.)&1...$,..]..K
1.V2.....\:.s..u....-...r.."..A.t....[...Ax.e^.S..r.........7.....>*.pn .?...m.M.\"A....y.d..y.).D......,.t..r....b..&.....G.E..Rc:%

1.i...J...#..=S....

.n.............8d....#5..o.
%.H=~.-S# .}9..r.....4......O..v.O.*...x.......{QPF...:4.C^.s...p.k/...*.........3.9..;J<{..x^....&...h...W ...cFk...M.. ..."...lq'.bX ...zq...@.3....)o4T..J..q..?.%.z.RS>..V..KF.._.M....4m...."[P...1..0.....Y..y.aT.).._.

v$.....w.....$b].a....f'....;:W.s;E*R.e.... .

..v.T..%>......$.......&......2......(.1.
.] ..u@.yP.....:...].v..0(__.z..~..].....%J..3........&............R.u.f..5...Q.....=.7.V...
.....f..z. .!....q..A.k>../...P.#...4-...-COT.RE3........

}:...:C!.e.=.o\....?$I<a...B.:.CMjW.........D...b....^02.....p`K .....D.oc..&...5..*.d...&.......q..u.Y...^.!O..*....q...C.>..........k.#..K.....de..h.................w...[.f.....K.t...<..]...?... .6:l...ja.k..A\I.&...&;'(....X.S,..G.....N).....h5...s..C.%.j....{t..=...`.......:....G......%......qI8z......QT...../.....9s.V.S_.sb..KM...p.<..K........`..Ln.-Ldj5.{..)..x.3}>.Bl.g!Tco4...c..Z......j..2.q....L4..&1i..7.j..\

...K......$m..u......H.U:..:..].....}...E.43......uM/....d~...c.{T3..>.:=.?.j.
HTTP/1.1 200 OK

Content-Type: text/html; charset=UTF-8

Date: Tue, 01 Aug 2017 12:20:49 GMT

Content-Length: 4

Connection: keep-alive
DONEHTTP/1.1 200 OK..Content-Type: text/html; charset=UTF-8..Date: Tue
, 01 Aug 2017 12:20:49 GMT..Content-Length: 4..Connection: keep-alive.
.DONE....


POST /?v=2.0&subver=6.21&pcrc=333111036 HTTP/1.1

Accept: */*

Host: rp.robotitor.com

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)

Content-Length: 3648

Cache-Control: no-cache

..Sq.XZ|.....~ ....]Q.....>...Y3

>N.vc....3..E&

?&pq>.@. ..........z.`...S...y..qA..X..`s...I. {...Z..zSEf.M....?.r.i\....w.~..].c..

..k..\..c..Wmv
I.Z.......).....a_.....d....,c.......(~..-...Y...i&.w..w.2...Yde.K.7...]...8.s&.Te/..h...O.....,...Dlh...q........^h.......c.@DZ.w..z.:..o.J....>]..>7$.l..@..8.8.3 ..P..l..r.5.m.0o'....V..^.>.J. ..&.L.Y[.Q...K......w..yYF......%.Kb..... ..:.o_....."H..:..~..i....Y..Zxs..VaE..M..H ..\.w..fW...[..;.V.w ........J...'.]..X..b'N..Xp.R....FId~.-...U|.v...v<J..g.h.b.b.\d4........f.6)}...z.7.t

....;.....Tk.b@.>....s..-..[#2h2.....W"w.4..[....#(Dy.. J......C.iJ.F...}......L.W....}.PeR .Ms.....P.iw.Ty..:..nT....'Wb./.d....X{!..x.Z.)e....|..Y.Wm.:MgLV........V..?.

Dc...........f......j.....$..

lf...W...`..w=.q........9_.v..s.. oUE..Y.U.....g....>...H|./.<.89..0.iB'.0&..r}..D.Y.hI...1..gb..ic4.......4.. ...Q....pc.0...,....x..T..n
.....D2SC.*.cU..$C.2.....ize.^.".>"]. .....S....y. 

...f?i..:..w...pn..q....m~.n..[u..m..-L\<D..d8.w>...@..4......0k%..\....

..;ae..j.bw%.d
/...z.(...{.. $....R..m.W..O.....S..X.\yf....&...%.........R.P."...M.T.....Z7a..%..k~..x..e..`.'.!.;...N......u....m....\o...H......%).,?....Nc"...J./.......F. ,......{_..........._.......Q.......Vh.....\..v.....................6=..h..v.$_.... .....y...K 
HTTP/1.1 200 OK

Content-Type: text/html; charset=UTF-8

Date: Tue, 01 Aug 2017 12:20:53 GMT

Content-Length: 4

Connection: keep-alive
DONEHTTP/1.1 200 OK..Content-Type: text/html; charset=UTF-8..Date: Tue
, 01 Aug 2017 12:20:53 GMT..Content-Length: 4..Connection: keep-alive.
.DONE..

GET /endpoint/hydra-ut/os/win7/track/stable/browser/ie/os-region/US/os-lang/en/os-ver/6.1/enc-ver/111258508/ HTTP/1.1

Host: download-lb.utorrent.com

User-Agent: Hydra HttpRequest

Connection: close

Content-Length: 0

HTTP/1.1 200 OK

Server: nginx/1.6.1

Date: Tue, 01 Aug 2017 12:20:34 GMT

Content-Type: application/octet-stream

Content-Length: 2422352

Connection: close

X-bt-sig: aab785dff9d2e469fe2f7cf0b017e9acc68511e2db7159128886044cce4597b0d0b48fc21312b774fb1d4c9e8865f1ff910b4133a4fffed902949f99b7bafd3bca35fcebeb960f7e17f80e472268dc2c7ac19514d5eb03b02a23dc2134e8c4718f0974da498a498606e5f49ca732a92428758906339bce65ce01d7333e20bfdb6bcd9836c98d2fbeb2768fca884a70f0abeb0a30dc6da73bcc2ce64890db047d633d71df255650a2c3c532d71d99c6d9891905922220dde98c2674fbe420bd204576f2396109387c12215ed6b7281770dc8bb0da834e07281b976683fb3c265028c2c377cde59de5ef3bf990f659d728f09a675ec3b9e91561e2d8156d453d5c

Last-Modified: Fri, 28 Apr 2017 05:30:30  0000

Accept-Ranges: none

Content-Disposition: attachment; filename="hta.zip"

X-bt-size: 2422352

Cache-Control: private

X-rl-mx: true

Rule-UUID: de7f6050-4f7c-45cf-a888-37b23152e2e9

Content-MD5: c5aafa98f633fdd4b55bc1e06a620e32

Expires: Tue, 01 Jan 1980 00:00:00  0000

X-bt-hash: 6dc7a1b2d78f8a036606f61d1c9f2c88b6be26e5
PK........U{.J..c.............index.hta<html>..<head>.    
<title>Loading...</title>.    <meta charset="utf-8">
.    <meta http-equiv="X-UA-Compatible" content="IE=9">.    <
meta http-equiv="MSThemeCompatible" content="yes">..    <script 
src="scripts/initialize.js"></script>..    <link rel="styl
esheet" href="styles/common.css"/>..    <!--[if lte IE 8]>.  
  <script src="scripts/es5-shim.js"></script>.    <![en
dif]-->..</head>..<style>.    * {.         overflow: hi
dden;.        margin: 0px;.        padding: 0px;.        z-index: 0;. 
   }.</style>..<body class="installer_body">.    <!-- t
his is the loading img while loading offer page -->.    <div id=
'loading_img'></div>.</body>..<script src="scripts/c
ommon.js"></script>..<script src="scripts/install.js">&
lt;/script>..</html>.PK........U{.Jw[Yy?...?.......uninstall.
hta<html>..<head>.    <title>Loading...</title>
;.    <meta charset="utf-8">.    <meta http-equiv="X-UA-Compa
tible" content="IE=9">.    <meta http-equiv="MSThemeCompatible" 
content="yes">..    <script src="scripts/initialize.js"></
script>..    <link rel="stylesheet" href="styles/common.css"/>
;...    <!--[if lte IE 8]>.        <script language="javascri
pt" type="text/javascript" src='scripts/es5-shim.js'></script>
;.    <![endif]-->..</head>..<body class="installer
<<< skipped >>>

GET /ofr/Solululadul/icc_v5_8.cis HTTP/1.1

Range: bytes=409600-506657

Accept: */*

Host: cdneu.robotitor.com

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0; ICDM 2.1)

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

Server: nginx/1.0.10

Date: Tue, 01 Aug 2017 12:20:51 GMT

Content-Type: application/octet-stream

Content-Length: 97058

Connection: keep-alive

x-amz-id-2: aCkursxnrYV4GPYD2rHDtRQZDPLDQWwI/qjOqLSsetLoh9WeJ6PVqZ83xg6dSJ3hLU95ImbFWC0=

x-amz-request-id: F5B6719971382B54

Last-Modified: Mon, 05 Jun 2017 11:20:09 GMT

ETag: "d3275dae3b2da9508907b2e97cd72712"

x-amz-meta-cb-modifiedtime: Sun, 04 Jun 2017 11:47:23 GMT

x-amz-version-id: B1J2nyfjCWzZziCw.awfI7I4ql6woVzG

Content-Range: bytes 409600-506657/506658
M.\^...>).:h..(..]..6....i......{.}]^...2..lI...O.f..V3..[...=F...F
....5........'.*D...c.....M@..y,..-.... j.hq...;6.K..V......d.........
;.......*.A|((U.,.NS..L.....[7c.ICA..30.....]...n. ....eEF....4D......
I....E.5.XY,O.s.N..$.y'.s)..?k._.%.JD...8.q....<..:.$.b.B/..2.....o
Ev.........v.6.....&e.Vi ~)..M%.G.......D.....E(:.'H.T."....N.........
;..hb4.G(...U6.&0......&.]..3l. ...K.S`.*.42..~../,z.7ta.S.xv.........
..<n....]..A.a(.,%.#]........d...h.]..8..:~......0....M...x.R..`...
k.#R.. ~.ao......l....Oe...r..."..v.-....&.iBi.....xO.K..i...........c
..=......S..Jb.{`.9..'2...#.SFq.!......fnE Q........C.\!....x .=...*h.
.(*.o5v..v...3U-.a.K.94m?....6I{1.....z......v..,`...2..&.^.PY........
g.......S.X...0.....6]u...........J.z.zf_..F.P..3._.....M.7....{kOx`..
.. #...b..9..08.uK..O.2.:s:...&.Gy.P..1..uii..z.B........K.!$<....=
....8="(O.XV[.:t...d`.....B.\.S..5,..m...z2yod......,G.....;....5...Xp
S.o.....|..,.'............8......B.<.....v...P.a_.{.Dp.....&.64..\P
.R4.n.C(..[.~._.._.N.d...1...,c.Z.......M.Q8m....@....p.......';[1g.L8
'...c23^.wU.{$.1.|..*..!......Pm...H..$......X..Z.....K....K%.,....A~.
G..Z.7u,q:.'{...5@..V.....#...L...gxq.A...O..~( ....!..qW..;X.. .b...B
...M@..z.....fo..5Wq.X..7v<.s?...2....U.u.A......1...vk..u.x.An9.3D
.yR%.j..b..~4u.C..E\.z$..9....*CT.@#"....*........"......s..........gH
.It]....5o......Z...Mj...u..}Ea_P...N..Q...P..z...MvM....0....5.......
O...(...D.KE."..Pi.(niA....pG..........q....(;.....f.[..1.noY.@.[?..G"
..~....@.o...V...d&.....<../..HF9xt..2<..Lh.&...0.3b...'W...
<<< skipped >>>

GET /e?i=50&e=eyJldmVudE5hbWUiOiJoeWRyYTEiLCJhY3Rpb24iOiJvZmZlciIsInBpZCI6IjE2NTIiLCJoIjoiVTY3Z3doRlJ3b2VQOTMzNiIsInYiOiIxMTEyNTg1MDgiLCJiIjo0MzkxNiwiY2wiOiJ1VG9ycmVudCIsImxuZyI6InJ1Iiwib3NhIjoiMzIiLCJzbG5nIjoiZW4iLCJkYiI6IldpbmRvd3MgSW50ZXJuZXQgRXhwbG9yZXIiLCJkYnYiOiI5LjAiLCJpYnIiOlt7Im5hbWUiOiJGaXJlZm94IiwidmVyc2lvbiI6IjQ5LjAiLCJleGVOYW1lIjoiZmlyZWZveCJ9LHsibmFtZSI6Ikdvb2dsZSBDaHJvbWUiLCJ2ZXJzaW9uIjoiNTQuMCIsImV4ZU5hbWUiOiJjaHJvbWUifSx7Im5hbWUiOiJXaW5kb3dzIEludGVybmV0IEV4cGxvcmVyIiwidmVyc2lvbiI6IjkuMCIsImV4ZU5hbWUiOiJpZXhwbG9yZSJ9XSwib2ZmZXJ0eXBlIjoicHJpbWFyeSIsInByb3ZpZGVyIjoiSXJvblNyYyIsImhvd21hbnkiOjEsIm9mZmVyc2hvd24iOjAsInN0YXR1cyI6ImxvYWRfRExMX3N1Y2NlZWQiLCJpcm9uc3JjX29mZmVyX3ZlcnNpb24iOiIxLjAifQ== HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Host: i-50.b-000.xyz.bench.utorrent.com

HTTP/1.1 200 OK

Content-Type: text/html

Date: Tue, 01 Aug 2017 12:20:47 GMT

Server: nginx

X-Powered-By: PHP/5.4.30

Content-Length: 21

Connection: keep-alive
{"response_code":200}..

POST /e?i=50 HTTP/1.1

Host: i-50.b-000.xyz.bench.utorrent.com

User-Agent: Hydra HttpRequest

Connection: close

Content-Length: 234

{"eventName":"hydra1","action":"begin","type":"i","cau":"0","pv":"","cc":"0","bkt1":"0","ssb":"1","v":"111258508","cl":"uTorrent","osv":"6.1","l":"en","pid":"1652","h":"U67gwhFRwoeP9336","sid":"U67gwhFRwoeP93361501590031","order":"0"}
HTTP/1.1 200 OK

Content-Type: text/html

Date: Tue, 01 Aug 2017 12:20:34 GMT

Server: nginx

X-Powered-By: PHP/5.4.30

Content-Length: 21

Connection: Close
{"response_code":200}..

POST /e?i=50 HTTP/1.1

Host: i-50.b-000.xyz.bench.utorrent.com

User-Agent: Hydra HttpRequest

Connection: close

Content-Length: 248

{"eventName":"hydra1","action":"packDownloadStarted","type":"i","cau":"0","pv":"","cc":"0","bkt1":"0","ssb":"1","v":"111258508","cl":"uTorrent","osv":"6.1","l":"en","pid":"1652","h":"U67gwhFRwoeP9336","sid":"U67gwhFRwoeP93361501590031","order":"1"}
HTTP/1.1 200 OK

Content-Type: text/html

Date: Tue, 01 Aug 2017 12:20:35 GMT

Server: nginx

X-Powered-By: PHP/5.4.30

Content-Length: 21

Connection: Close
{"response_code":200}..

GET /e?i=50&e=eyJldmVudE5hbWUiOiJoeWRyYTEiLCJhY3Rpb24iOiJodGFiZWdpbiIsInBpZCI6IjE2NTIiLCJoIjoiVTY3Z3doRlJ3b2VQOTMzNiIsInYiOiIxMTEyNTg1MDgiLCJiIjo0MzkxNiwiY2wiOiJ1VG9ycmVudCIsImxuZyI6InJ1Iiwib3NhIjoiMzIiLCJzbG5nIjoiZW4iLCJkYiI6IldpbmRvd3MgSW50ZXJuZXQgRXhwbG9yZXIiLCJkYnYiOiI5LjAiLCJpYnIiOlt7Im5hbWUiOiJGaXJlZm94IiwidmVyc2lvbiI6IjQ5LjAiLCJleGVOYW1lIjoiZmlyZWZveCJ9LHsibmFtZSI6Ikdvb2dsZSBDaHJvbWUiLCJ2ZXJzaW9uIjoiNTQuMCIsImV4ZU5hbWUiOiJjaHJvbWUifSx7Im5hbWUiOiJXaW5kb3dzIEludGVybmV0IEV4cGxvcmVyIiwidmVyc2lvbiI6IjkuMCIsImV4ZU5hbWUiOiJpZXhwbG9yZSJ9XSwiaXAiOiIxOTQuMjQyLjk2LjIxOCIsImNuIjoiVWtyYWluZSIsInBhY2tpZCI6InJ1X3lhbmRleF9pcyJ9 HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Host: i-50.b-000.xyz.bench.utorrent.com

HTTP/1.1 200 OK

Content-Type: text/html

Date: Tue, 01 Aug 2017 12:20:47 GMT

Server: nginx

X-Powered-By: PHP/5.4.30

Content-Length: 21

Connection: keep-alive
{"response_code":200}..

GET /ofr/Solululadul/asgnd.cis HTTP/1.1

Range: bytes=0-101028

Accept: */*

Host: cdnus.robotitor.com

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0; ICDM 2.1)

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

Server: nginx/1.0.10

Date: Tue, 01 Aug 2017 12:20:49 GMT

Content-Type: application/octet-stream

Content-Length: 101029

Connection: keep-alive

x-amz-id-2: sVVw879Rw1z0U8R9/j v07WScKQK/sIYEvWMRFfijxkiF65X38cehO6jREX5W/K2cEtAjn70WeU=

x-amz-request-id: D36AFB311361DCAA

Last-Modified: Wed, 20 Jan 2016 14:38:52 GMT

ETag: "638ebcd93f900c3908f5dde6d8bc2d9f"

x-amz-meta-cb-modifiedtime: Wed, 20 Jan 2016 14:37:36 GMT

x-amz-version-id: ak82ScyXtEXeOWL8crBo3MgwwdwO6r.3

Content-Range: bytes 0-101028/101029
CIS................?...............P..............M.U....$..q.X]....9u
..9u...#a!.s..2.....{8.u..i3.\...Q.....X..}.E..c.).........&`.......B&
gt;Zr..|...E....=..>.o.u..........=|....:._-@.6.d.b.......F'/.C^..t
...e%.s^.3..4..&..o)Y....UrU.R@.........i.%?...lW.-..g.'..KC...'..0E.m
.d.....x.#]...y..u...?.x.V[....o5.x..MQ\....nX.@.9r..iJ.8...L.E...c.4.
.6.x..@'..[..C(4.&.../A..i........e...`T..H. ........)....9(!.D..m...0
..e.,...~..<. ..L.}...................../...sC..#..}.... .......9.9
.....Ji..Xb.Yjk.../...6.@b...i..&....F....M..a....u..B..~_2....h.:nu..
..-..QiL.P|.LB.).....X..v5Z.$aP.".*...z.b5J..z....h.a>?n~h.$..;.V.'
i...2......Y..q^Z4..\....=`....o.M....~.....:u..^.....A@......k..b...Z
<.!..;......&y..!4...#..S.p;wb....@a...._.......At.5..pz........t.5
H.. 8.-..7...{.P.a;..ia..@.Ac.1.....T...,dmoE's;....5...B.7.vQ$9......
y{.j...F....|...9.u....M......1./.-t....dI#d..C9..Lg...../. .v.......1
T..60.2........#..B..............8.....y#~5A...~t...K...{a.|.z....~.*.
.b*.49k.2....>..]s...W...B.n....zK.,..Vk.....h...........w...".....
.I..XW[..}W...y0f..k.~..O6.97#Gk8.5(....Y.W..k...Lz....6fz.....)|.}../
h(8....0dzx.\........._..b...'..Y..w/*H..\.B...\.......1&..Vg..[..N(.Z
I.......G..[.x....0:.eJ.J~..)o..,....T...i..Z.Q......P!.J......_...F.1
er.8...#d...).......Z..im..F.i....%".o.....F.z.V..Q..K....R..W ./.".E.
.dR...y......'Tu....9U..$4."..wP...d9.....x$...W`....8....#u...1..\,.S
.:.kdU..[...,.a"....". P....!.V.K.Q"M.G.e....w!C..../..... m9J1..&I..z
&.2.I..-B.......{.=Ftm....6....A...3..=@t..67.-M.U.Z/..c..^W/Wo .h
<<< skipped >>>

GET /img/Rawabere/FS/bg_test_B.png HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: img.robotitor.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.0.10

Date: Tue, 01 Aug 2017 12:20:48 GMT

Content-Type: image/png

Connection: keep-alive

x-amz-id-2: SIxL3AuElmTAj4bg3DMJM3/Y55NyD07lZYf3V sNm/XWrXNkgrxUxsltvwq0DgfKNY/8netPs6k=

x-amz-request-id: AEEA4DC0DA32FE3C

Last-Modified: Mon, 19 Jun 2017 10:46:21 GMT

ETag: "f6d24a5c0bba5b766c0c57c6dd66dd08"

x-amz-meta-cb-modifiedtime: Mon, 19 Jun 2017 10:42:39 GMT

x-amz-version-id: 2_EumuZMUwGG5WRCKOcgaKHZcK4VeJf3

Content-Length: 60535

Accept-Ranges: bytes
.PNG........IHDR..............u......tEXtSoftware.Adobe ImageReadyq.e&
lt;...(iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCe
hiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk=
"Adobe XMP Core 5.6-c138 79.159824, 2016/09/14-01:09:01        "> &
lt;rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#">
 <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1
.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http:/
/ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photo
shop CC 2017 (Macintosh)" xmpMM:InstanceID="xmp.iid:50430DE54D0011E790
AFA3BED276D6E7" xmpMM:DocumentID="xmp.did:50430DE64D0011E790AFA3BED276
D6E7"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:50430DE34D00
11E790AFA3BED276D6E7" stRef:documentID="xmp.did:50430DE44D0011E790AFA3
BED276D6E7"/> </rdf:Description> </rdf:RDF> </x:xmpm
eta> <?xpacket end="r"?><.......IDATx.....e.U...s..k......
. .<a<.....a..,. ..... ..f.a%Y...nV....1iH...`0.e,....,K.....\RU
..7.{v...s.......s_UI%........{.}.=._...a&................6....}......
2.......I^......[.........gc..._ .\..\..2.....R.%um.........~.}.S.F...
N.......'..:.......Y._J....k.....Y........-.c>?tf....o.|.......5.H.
.s.}[..q.S.._.=..r../......)'W......,..{.;....%_......Y....O......x..[
.h.>....y..............~. ...;.z..W........s.s.e........[...MgyB.D.
.....z*.Z...*...6y.mE......1....}&...A............O._.(.].....?...|...
.....W..Hy..g.x.../fy..^.........L.'....1.Aê.....=.'..W../_?D...
<<< skipped >>>

GET /img/Repererarer/RS_RA_V2_M_WIN.png HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: img.robotitor.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.0.10

Date: Tue, 01 Aug 2017 12:20:49 GMT

Content-Type: image/png

Connection: keep-alive

x-amz-id-2: GZNHLYaBPPjuLyWYatR75fdkGJPy lAOviWNm6W26wY0UV8xP1ugfTZKKA2sDz9ZD p9JgDrqG0=

x-amz-request-id: 23A89E05EA82EFB1

Last-Modified: Thu, 22 Sep 2016 08:20:19 GMT

ETag: "1043cdf32bdd7bfcd5ab9b56a3fe614d"

x-amz-meta-cb-modifiedtime: Thu, 22 Sep 2016 07:05:00 GMT

x-amz-version-id: E4AZtgHGtXrKFXRuUSxmwFST9WebiAkG

Content-Length: 89843

Accept-Ranges: bytes
.PNG........IHDR...0.........6..I....tEXtSoftware.Adobe ImageReadyq.e&
lt;..^.IDATx.....dWu.....n...V K(."c..~.....&.........x..03.=l..~3f@."
...6..A.V....jI(..9...*....o.}.NU.V.V@.9...V.9.NUW......-EE.QD.E..4...
..\|..v..Ny.......|.....'....(.I...N.T)$o.zr..Q.\.h....;....Pz|...i..C
...I......I.....;{....Rrd..  ]o....z.....{..$..Z....iMA.E....>...T.
O>......-..H...Z...D}\o.G...M.9A~.Q<Y..U8....k..IbJ}..%r;=....Du
r(.=R......{....Z...2.z...9W.:GI.B........yI..._..x..*......R......xs.
....... |\.......Ovo...>US....}3|4...y....)......5..>.g...lxgE.Q
D.E..4...W*.}'....d....^..$..1...<.?..J..*d..\...?..6..*..J.0....#.
.:....(..5CH...h9.....MJp.,....<...."..D.....F..5..I...W../K=....\.
........x...ys.B.f00..]..5..S{.....|}rnm6<.8......n..R.#...7;.6.w..
T...=....y.~..cx..T#...SD.E.Q..&...j...u.....]....`.:.}g....Sp.../Xb..
I......,...M.n.@....t.....@..g.w.f.............dp.j........!.1...L....
.k..2 y..dXb^...Oi.....u7..(.1|.....GTZ.Q..."s.`..3..|.x..p.}*~....].}
.)$..hq....]..|..%..$UeJ(..3...n.u.....?..x._.. ...%9'....~..T9.zx..f@
..l.&..._;.........,j.h.. .3D.5H.$|...../....`.(..".x.E..{.....<..s
.(e..$.......:..{..53..LQ|.(.R@.3/.,..D..D{.Jv.....T.Lj.Ji.-%.........
..-t.k.....E...A.L...k.......w...r.@.Pof.....dP...).....VjM.Pb..a.....
E.H.#5...D..u.}......bF..Ly'...... aX.P....Q....04...>_..l.....vP2R
...........%..A..W.......Rb.C..\..~.qr|..D. ;dn......s.}8rfe.F...`L.0E
.QD.E<....*S...4....f. .......,..3.NOP. ..]...s.]....K|..Y..^.s....
V.....t{...O..C......s...t..]....R..q*OVI.;.t....D...2..y..h_....`
<<< skipped >>>

GET /img/Repererarer/Video_icon.png HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: img.robotitor.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.0.10

Date: Tue, 01 Aug 2017 12:20:50 GMT

Content-Type: image/png

Connection: keep-alive

x-amz-id-2: auTVW033Hq0feuKa2RaVMV1XgsfByRpMbJMSJE9rgTiw8fGHdcREl2u/SPNKnyE4e1kU5vRo0dQ=

x-amz-request-id: 04E472F9BA26807D

Last-Modified: Thu, 22 Sep 2016 08:20:19 GMT

ETag: "a4a53ed95919d0af414999843d857200"

x-amz-meta-cb-modifiedtime: Thu, 22 Sep 2016 07:05:00 GMT

x-amz-version-id: e4C91.5N8bSeslgCWQw1g.MmaISz0mHM

Content-Length: 312

Accept-Ranges: bytes
.PNG........IHDR.............;mG.....pHYs...........~.....IDAT8...... 
..?M...n`7.'..H...@G.@H8Y7..t......M.P...........4MC.....3.u.).....M6.
.........R y.....=d.:....2..c.. &.v".c......a.Z?...C.........".VR.u..j
%..............._"3..V.../N.._.).@,N.#.(..p.^..#..,c..e....RNrc]..:..g
6..~.T#.t~..R.?.........IEND.B`.HTTP/1.1 200 OK..Server: nginx/1.0.10.
.Date: Tue, 01 Aug 2017 12:20:50 GMT..Content-Type: image/png..Connect
ion: keep-alive..x-amz-id-2: auTVW033Hq0feuKa2RaVMV1XgsfByRpMbJMSJE9rg
Tiw8fGHdcREl2u/SPNKnyE4e1kU5vRo0dQ=..x-amz-request-id: 04E472F9BA26807
D..Last-Modified: Thu, 22 Sep 2016 08:20:19 GMT..ETag: "a4a53ed95919d0
af414999843d857200"..x-amz-meta-cb-modifiedtime: Thu, 22 Sep 2016 07:0
5:00 GMT..x-amz-version-id: e4C91.5N8bSeslgCWQw1g.MmaISz0mHM..Content-
Length: 312..Accept-Ranges: bytes...PNG........IHDR.............;mG...
..pHYs...........~.....IDAT8...... ..?M...n`7.'..H...@G.@H8Y7..t......
M.P...........4MC.....3.u.).....M6..........R y.....=d.:....2..c.. &.v
".c......a.Z?...C.........".VR.u..j%..............._"3..V.../N.._.).@,
N.#.(..p.^..#..,c..e....RNrc]..:..g6..~.T#.t~..R.?.........IEND.B`...
<<< skipped >>>

GET /img/Pipupimiwad/fs_bg.png HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: img.robotitor.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.0.10

Date: Tue, 01 Aug 2017 12:20:48 GMT

Content-Type: image/png

Connection: keep-alive

x-amz-id-2: Qtf6wWDr5/XxWSh6nvwTsNM9d4O6KgUAdigzzgappMnKHk8ZodQYhJcs1qvQn7n3eXM2hY/9Fmg=

x-amz-request-id: A5242F4E548978A9

Last-Modified: Tue, 14 Mar 2017 14:39:55 GMT

ETag: "f99f4215b5828f50aa09a4b231c992e5"

x-amz-meta-cb-modifiedtime: Mon, 27 Jun 2016 13:05:01 GMT

x-amz-version-id: jFptmCTTvh4Xao9YuhsxAEAuX4FfvtgT

Content-Length: 10681

Accept-Ranges: bytes
.PNG........IHDR..............u......sBIT....|.d... .IDATx...y|T..?...
.;3.7......ln.Z..w..,...\.R..>...*.....V}j...u.F..\..Vq.x@..P.;..u.
Y.=.?&.L. .....~......{.....s....DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD.9..
j...U.2,.,..B.C.6l[.....P...O<.ND.x......8..~Sk3..oSCuu....kY....Q.
.'....[.e[...o.G...&..lv..5#ss..9..Pw....Qo......U..!.....cMC...3...t.
.R.R......m#....`0...|........@(.uMM.{..z.../...C"""......m....>...
..'....a.P. .....pY......y...x..........LDD.^...........x...........3#
.0.Wz.......x.....7._U%.i.p?. .C...N.....s.. 4..0m.K...;..N.|....~.6,.
.o.Y.b...7..{..B.t....~..m..}....j...mo..~.%.....O6tu.DDt`:....C.u..e#
.~'.|..".!...|.q.....x........N....h..sd*..sS....(;Y[{....y...9A.7.TV.
 .|.....G.q[..%........9.. %.....x<;...3g...R...3.c6...9v.p........
%0|.G.Y.b..[.h..3.t...|m.._.dI...w..EN..=......v'.b.#66.ZT....c&..@...
N.[Y.>..lW.^d...............Y.`AG...n.B.....~.......Cuf....:....6.T
..a.B...a.].`.m.C ....1.w. .....-.a.HN.........n..>.."h.q......T.0}
.t.r.o......]..v.%%%..@..Q....A...6....Vr..~[[rr.[.....\.&O..@...'_}.#
.z.0...4.h.s....s.....E..J........s....;o. ..,. h..V..}]II..v...s.[K$,
e.......L.. r..p}l....:Rn..."..3....k.,.....i.q..v....OM:u...Q.N...R..
....."..r.a..L%p.....s.X.G.!..#.....B.... );..p..../-=s...bCk....a....
.X.L.<...h.Rb..../8.R......../}.......r.....@.< .E.f.zl..%.s...T
CN.Zo.C..4..0k..j..u?).9f\..1.>.){...S../..j...._..m.w...-......[P.
.........~.J.}$.wR....8..w(....]L}84|Z..".Ou..:...r...y<.u........Q
.w....V.V.,^..&.....'b.5.{.~a..I.................K..Z.`.Y... .:m..
<<< skipped >>>

GET /img/Tavasat/15Feb17/v1_fs/EN.png HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: img.robotitor.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.0.10

Date: Tue, 01 Aug 2017 12:20:49 GMT

Content-Type: image/png

Connection: keep-alive

x-amz-id-2: KckdYYnOF0cAJRQFMf2gyZw1OTxds4Zhb0k5g6FUIZuB7UYqh757qe vtES8BNnJJec5cSMOiJU=

x-amz-request-id: 3594090317AC8EEB

Last-Modified: Sun, 19 Feb 2017 16:53:33 GMT

ETag: "c5ba68eff9f6d46f3a4b5676a129fbf5"

x-amz-meta-cb-modifiedtime: Thu, 09 Feb 2017 13:17:54 GMT

x-amz-version-id: 5siYo6NUIJ7JPw4lZdISqbPwj4b.NXB5

Content-Length: 17086

Accept-Ranges: bytes
.PNG........IHDR...............G.....PLTE-6Le4.8BY-6L-6Le4.8BY......*3
I..K.|..7L)5M#-D..8&/F...09O..1.....Y(1Hb0.7AW *A3<R.~..$<6?T.z.
.v...4....u..'>..;sx.....v..r..x..i..p.....`..........<EXg3....M
TfW]n.U....bhx\cshn}......^ ...........{....nt..........RYk...AI\3CQ..
..c.y~.EL_Y%.IQc($............\....L.................F......b./S...../
k4.qG5._.<9J.Q.*)...;.S..M.& }..NR...p.kA1.n..O......_...#.u...l>
;...d.F.........q.O6..$..(...`D?...../........l#2PxN...$.......\$...i9
....N?E~X..j.Z,.......a5...T.\..R0.f...1...>>d.......y.a/.[5.U8.
..}.f................pF.24...(.9..q..*Y...._...D.Y0...N:...M...H>w.
.....~E...B..2....n;.w....F...{Y.n..e....#.W.Y....V .B<nc=V.....5^/
(.P......m.J..b..xM..G4 ~..w.[)......rm.L#.5 a..U.......{.......``....
.gj.y?..VR1M\M.c_...K.=......8.K...>......4 H...>A....X#.5...Z{.
D._....i.....tRNS......."..?iIDATx......0...O:...........a..&8Np..8.q.
.......'8Np..8.q........'8Np..8.q........'8Np..8.q..>....8.......b.
n..o7....3.ihJ.X...GJm)m..N)L..`.Y......=z..."x..../s.......x.y..8....
.....a.....y.....}3...5....\/._s....DuS.e.eY.c.$Q.........&..........Z
...#.3...(..3...5.E.{...t$H....@>.N{.7i~S._q..N.0]........?e?.y...O
$.h......8./.;..}..g...I.....q..TU.....<G....oT*.._.%.]..s..D.P).._
~.\F..8......ITLK. d3."..E%A$.P..q.1%.Q..h.,.Ne.qr.K.W....g*._..n.`...
..........n|t.....0...Z.G.,(.........y.........8<...x.q....^.:....H
&. ..q.. ..[.........y......z.....w....._},^&...pY.....~!n...h.......`
.q1..=;!.6..S..Z....!A....pQ....>.}......?....=...t......./....
<<< skipped >>>

GET /img/Repererarer/RS_RA_V1_FS.png HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: img.robotitor.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.0.10

Date: Tue, 01 Aug 2017 12:20:49 GMT

Content-Type: application/octet-stream

Connection: keep-alive

x-amz-id-2: OfxJJJ3MIRPBTFPJKp r4ymDyrrN0jQmFZIvuymtlljxCeR1QN9Sb07idJ/ gFB6Ral1qQ0EDIw=

x-amz-request-id: AF865A41A78AA86D

Last-Modified: Sun, 21 Aug 2016 14:42:40 GMT

ETag: "d30a4ce9b2791429f33856115a5d9e43"

x-amz-version-id: AOJ5_u7mGmA6pZLOEWrSJIfP7WXn6nRx

Content-Length: 74930

Accept-Ranges: bytes
.PNG........IHDR.............W. .....tEXtSoftware.Adobe ImageReadyq.e&
lt;..$TIDATx.....de}...S..~...e."..;.[D.D.-.......%JL./.E.Q..(b.-.I...
"(...Rv..w..i.<..}...{..^.P..2_......;{..|.....e..mhC;.Yc..........
..l....A.Z......,].7.kZM]o..s....bo....EN..(....~'.....nP....'.vbn.u`,
j..%.........Y9.Aj]._..!...sc.A.Rc5KS.....a.5"..1.T.(..gU...Ynm..c.P.q
Ee.Q.Vpw...1B.0P..........x7.....E..Xt$...TK*....,.L...Y...0ar.#.[.#B.
Mp....4A..xZ/j.-.. .-&.b.....Z.....6.K.s.4.t.1.F.L.......X.`<F0.m..
d.%......i......'.._....m.c.x&...Cfa.8..d.........N..Eu.G.%.u..A,....h
.tB.....Sc,.i.....Is.zh...%.#^....a.q.0....m......3..|...- ..(T~..v...
..C*..H4..!.L.f".-....:w8.##....Pi....y...1#Zy...w...2...*aT.."S\...#.
OR.rd.8..,...A.......gAf8.-P[N..:.4.v..3&.j7....... ^.._...6...xd..lt.
Uyh..."...klbL-o5.......z8.uG.7"..}.Y........P,.tfN.?.....A...|..#..`M
.a.M...J ..L........v....UG..4..W..FiS4.,...........W.Kl.@9w..*ODe.J..
.A.b..I.)E.&.... .r-.x.....XD.%......(3@.......,.Hzp....o4..t7.[.X.&K.
].T0^M....Q..=`...0.V...\6.....A.....C.=...mM.....m.......z,.B.4...v..
... .l..ln..M.}:...Rw.~~.v......{...]..A.6...f...N..\..c.v&...... d..,
.~.... .P).Y.j..).c..1..r.R.F!BC..,...79S..n..F{&.d..=`.V]/. s..V.d...
.ZI.Ai.pi.W.VB.4.....P.i.B.X......72...3.c...T?.d.S.|a.X.....[.7...:'.
...V...S....=...............v..l8..].i...LF7.'....5..tt.o..ZV..LU..6.e
j1.yC.a.e..Nh...-.7.I..\a-.%...I.i....Y..6....i./.e...1fq....~)...s.D.
.M..Y...>.2...s.A.z.T-.2.jJ.c5.... ......cd...*.;).. .*J..'...0P.0I
x...i.Q.w...b_b.8..b.....n5[.j........;!.........Q.........A>.v
<<< skipped >>>

GET /img/Repererarer/ADBlock_icon.png HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: img.robotitor.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.0.10

Date: Tue, 01 Aug 2017 12:20:49 GMT

Content-Type: image/png

Connection: keep-alive

x-amz-id-2: cBsJ9oMRYdw662Ub7i6ubXQNf0QAOCcdbK7OSQsAeJ9gSLZ/ZT7YZSTaiyg7hWxHeCzcKneK20w=

x-amz-request-id: 4E1AF9E4B856ECF5

Last-Modified: Thu, 22 Sep 2016 08:20:17 GMT

ETag: "5e816400b3e89d54b35d13936078917d"

x-amz-meta-cb-modifiedtime: Thu, 22 Sep 2016 07:05:00 GMT

x-amz-version-id: Y8Aj2SOnoDLA.v9eA0ercGpbs7X3tg.n

Content-Length: 433

Accept-Ranges: bytes
.PNG........IHDR..............b.w....pHYs...........~....cIDAT8....J.P
....i..B.......:.TA......B@}.........."(.-..f...N]:(t.]..........$.|'.
.{..8.a2-......k...e.`Zv.(.. ......5...j-.v.b.h5.6..s;.1..n.......$.x\
..J....k........gwG..<>=.... .5O:..y}...h..|.X<....x..D...%n.
......j..........B... .>[.#...[...."dB].R....._.....L&C....](..`Z.%
p<.!..9..M.nx.{.}...k...........W....ke......~..Bq.d.:.-.=..LB....d
...k_.._&n.=../.....IEND.B`.....


GET /img/Repererarer/Battery_icon.png HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: img.robotitor.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.0.10

Date: Tue, 01 Aug 2017 12:20:49 GMT

Content-Type: image/png

Connection: keep-alive

x-amz-id-2: tafGrY5wk8r80ZskF o9VccCI 2NK4HGCvZAeWAVuKkYwuQUYEegXhahrwctl8wyVWQEwIm6 os=

x-amz-request-id: 8CF10CCDA3FB8304

Last-Modified: Thu, 22 Sep 2016 08:20:18 GMT

ETag: "b1ea974669be29084ba04d57aa795988"

x-amz-meta-cb-modifiedtime: Thu, 22 Sep 2016 07:05:00 GMT

x-amz-version-id: 9HCRR_Pwqta8lx_cu4Btdt31hqNyBSRU

Content-Length: 213

Accept-Ranges: bytes
.PNG........IHDR.............R|......pHYs...........~.....IDAT(......P
...........F`.<...[..(..u.<UhF@"..S....q........i.3........ ..j.
@.u.M.n.f..l....T..J._$e&.@....C. q....d..../.0..6...:#....I......O...
.IEND.B`.....


GET /img/Repererarer/VPN_icon.png HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: img.robotitor.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.0.10

Date: Tue, 01 Aug 2017 12:20:50 GMT

Content-Type: image/png

Connection: keep-alive

x-amz-id-2: b1C5aORxJ4mX2k6wG3IcHFbwJ5 Wpjfb/G1kPRMSWzNxSxySUbkVTRC5bAfft2yEWgGUe/rbORc=

x-amz-request-id: 52A4793D2F46AD34

Last-Modified: Thu, 22 Sep 2016 08:20:18 GMT

ETag: "4f6b5c8c89387a1c5a00cf0c0c96d5d8"

x-amz-meta-cb-modifiedtime: Thu, 22 Sep 2016 07:05:00 GMT

x-amz-version-id: J8vHuealvtq0Fd33re6woJr5dh0EuJu_

Content-Length: 364

Accept-Ranges: bytes
.PNG........IHDR.....................pHYs...........~.....IDAT(....J.`
....B.4.4iK@.....?`-....z.z..j........)j.AR..K..f...). ..g:..}...$I...
e.....*......7}.....,.8&.c...F-..,.K.`.c.x./...iUI...[\].p.:.4.j......
...i.u.....(3./p......}t..eY...D.O.f..b%..B.l8ko....2f.o...D....(..L2.
.........O.Z.u.g...=.;....i..J.0<.N..X,f.){..<.....yA.2K...$...7
..w.u.......IEND.B`...

HEAD /ofr/Solululadul/icc_v5_8.cis HTTP/1.1

Accept: */*

Host: cdneu.robotitor.com

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0; ICDM 2.1)

Content-Length: 0

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx/1.0.10

Date: Tue, 01 Aug 2017 12:20:48 GMT

Content-Type: application/octet-stream

Connection: keep-alive

x-amz-id-2: aCkursxnrYV4GPYD2rHDtRQZDPLDQWwI/qjOqLSsetLoh9WeJ6PVqZ83xg6dSJ3hLU95ImbFWC0=

x-amz-request-id: F5B6719971382B54

Last-Modified: Mon, 05 Jun 2017 11:20:09 GMT

ETag: "d3275dae3b2da9508907b2e97cd72712"

x-amz-meta-cb-modifiedtime: Sun, 04 Jun 2017 11:47:23 GMT

x-amz-version-id: B1J2nyfjCWzZziCw.awfI7I4ql6woVzG

Content-Length: 506658

Accept-Ranges: bytes
HTTP/1.1 200 OK..Server: nginx/1.0.10..Date: Tue, 01 Aug 2017 12:20:48
 GMT..Content-Type: application/octet-stream..Connection: keep-alive..
x-amz-id-2: aCkursxnrYV4GPYD2rHDtRQZDPLDQWwI/qjOqLSsetLoh9WeJ6PVqZ83xg
6dSJ3hLU95ImbFWC0=..x-amz-request-id: F5B6719971382B54..Last-Modified:
 Mon, 05 Jun 2017 11:20:09 GMT..ETag: "d3275dae3b2da9508907b2e97cd7271
2"..x-amz-meta-cb-modifiedtime: Sun, 04 Jun 2017 11:47:23 GMT..x-amz-v
ersion-id: B1J2nyfjCWzZziCw.awfI7I4ql6woVzG..Content-Length: 506658..A
ccept-Ranges: bytes......


GET /ofr/Solululadul/icc_v5_8.cis HTTP/1.1

Range: bytes=204800-506657

Accept: */*

Host: cdneu.robotitor.com

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0; ICDM 2.1)

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

Server: nginx/1.0.10

Date: Tue, 01 Aug 2017 12:20:50 GMT

Content-Type: application/octet-stream

Content-Length: 301858

Connection: keep-alive

x-amz-id-2: aCkursxnrYV4GPYD2rHDtRQZDPLDQWwI/qjOqLSsetLoh9WeJ6PVqZ83xg6dSJ3hLU95ImbFWC0=

x-amz-request-id: F5B6719971382B54

Last-Modified: Mon, 05 Jun 2017 11:20:09 GMT

ETag: "d3275dae3b2da9508907b2e97cd72712"

x-amz-meta-cb-modifiedtime: Sun, 04 Jun 2017 11:47:23 GMT

x-amz-version-id: B1J2nyfjCWzZziCw.awfI7I4ql6woVzG

Content-Range: bytes 204800-506657/506658
n.e..k.>{.5..x.)1..M(.P]D....m.\_..v)x*gE.\.M..[.a.B.W.[.....C .;c.
F..n..n%.j.t....[.....\.s.O.....a.N4x.].....Gtb.\H ..F....U....xLX...X
`..4....D.1....e......t.....'..G...9m..Eu. .2..}..i4..0ur?4......4...#
.....S..h;...]#(.$...e.9D')bo.K..G.....Mr....(...Gq.....bn>lC......
..`..b#...}T.k5BY.......Zx..$o..N-.F....&..s.d.....2p.].>.L..il....
8.d.9.}..a*..E.A.......T"...]Z.*h.(.........6kf..^....HV>..(Z.G)W..
.Nz..8....F.mGo....v.`..a..D[`..I?.D..........l.D.T..m."2.V.p........;
..Z......&[$.....9......p.XB~....Y.}\..a'2.x....^i..[.0l.^6q...F:...c.
v:.....L.?...&.v..@..qW..[..5...:m8z..S.........g#.;M.%".w?..Q..-....c
.2 ..g3..r.....@_...D..c8...fw......*....1{0.....o....R ..I.....5<.
...J.`.....Mj.g....j........:.b%Y=..8..k.K.....tf.......3>J.Z...Ow.
.V..e...... .e...RB...n....x.`.8..WY.;..>e.w.y............5~f...>
;...y.@S.T:.%#......../....R.s.\\...p..g.....O...f.4 s.....@S.....6.C.
..;N.88.....p.&.I.M..'...>&...0;......<._..|e......\r:...<o.c
...P@m/%..;....^7.GR...(....(t%..^/...... Vg...........q=2L...htm.....
...Q.a%....os.L...{d...C....s.-PE.,i}....bEG...R..P."7....>.V.yi..H
..x.z.S1....e.DQm...B..h..:. 2g....H....*.~nz.hm.-..^...y.."7.........
u.....%.'..3..A,.x......>.#.SD6..]P......C...q]....qs.|P.K=........
!..!d...U2.W$.'V3 F...\......#.a....M..E....o\.H...m/...A...h.^._,.J.5
a........C5<._..#I.^.o.[RXu...z..[.-H/ $.J.I....s7l..\Y|..G......6N
h.7..IQQ\...K..._..[$..<....;b...R.L....6.f&..!........sP(...0.....
=D9 .C?.#*....8W.t6\r.,.......-...DA.81.Z'.)0...uB.. ...s<..R.v
<<< skipped >>>

GET /api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978 HTTP/1.1

User-Agent: MyApp

Host: freedns.afraid.org

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx

Date: Tue, 01 Aug 2017 12:20:47 GMT

Content-Type: text/plain; charset=utf-8

Transfer-Encoding: chunked

Connection: keep-alive

Vary: Accept-Encoding

X-Cache: MISS
74..xred.mooo.com|31.223.26.37|hXXp://freedns.afraid.org/dynamic/updat
e.php?bUxTREVRbG1pZlBtWWg0V0lqWmVESm43OjEyOTUxNjgz..0..HTTP/1.1 200 OK
..Server: nginx..Date: Tue, 01 Aug 2017 12:20:47 GMT..Content-Type: te
xt/plain; charset=utf-8..Transfer-Encoding: chunked..Connection: keep-
alive..Vary: Accept-Encoding..X-Cache: MISS..74..xred.mooo.com|31.223.
26.37|hXXp://freedns.afraid.org/dynamic/update.php?bUxTREVRbG1pZlBtWWg
0V0lqWmVESm43OjEyOTUxNjgz..0..

The Trojan connects to the servers at the folowing location(s):

.idata

.rdata

P.reloc

P.rsrc

kernel32.dll

Windows

MSWHEEL_ROLLMSG

MSH_WHEELSUPPORT_MSG

MSH_SCROLL_LINES_MSG

$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)

oleaut32.dll

EVariantBadIndexError

ssShift

htKeyword

EInvalidOperation

u%CNu

%s[%d]

%s_%d

EInvalidGraphicOperation

USER32.DLL

comctl32.dll

uxtheme.dll

MAPI32.DLL

Uh=%C

ssHorizontal

OnKeyDowntgC

OnKeyPress(gC

OnKeyUpLfC

IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")

JumpID("","%s")

TKeyEvent

TKeyPressEvent

HelpKeyword

crSQLWait

%s (%s)

imm32.dll

AutoHotkeys

AutoHotkeys<

ssHotTrack

TWindowState

poProportional

TWMKey

KeyPreview

WindowState

tagMSG

System\CurrentControlSet\Control\Keyboard Layouts\%.8x

vcltest3.dll

User32.dll

OnActionExecute

TOrtusShellFolder

TOrtusShellSpecialFolder

OrtusShellGlobal

*TOrtusShellChangeNotifierAssocChangedEvent

(TOrtusShellChangeNotifierAttributesEvent

$TOrtusShellChangeNotifierCreateEvent

$TOrtusShellChangeNotifierDeleteEvent

&TOrtusShellChangeNotifierDriveAddEvent

)TOrtusShellChangeNotifierDriveAddGUIEvent

*TOrtusShellChangeNotifierDriveRemovedEvent

'TOrtusShellChangeNotifierFreeSpaceEvent

 TOrtusShellChangeNotifierMediaInsertedEvent

*TOrtusShellChangeNotifierMediaRemovedEvent

#TOrtusShellChangeNotifierMkDirEvent

&TOrtusShellChangeNotifierNetShareEvent

(TOrtusShellChangeNotifierNetUnshareEvent

*TOrtusShellChangeNotifierRenameFolderEvent

(TOrtusShellChangeNotifierRenameItemEvent

#TOrtusShellChangeNotifierRmDirEvent

.TOrtusShellChangeNotifierServerDisconnectEvent

'TOrtusShellChangeNotifierUpdateDirEvent

)TOrtusShellChangeNotifierUpdateImageEvent

(TOrtusShellChangeNotifierUpdateItemEvent

TOrtusShellChangeNotifierItem

TCustomOrtusShellChangeNotifier

OrtusShellChangeNotifier

TOrtusShellChangeNotifierFolder

TOrtusShellChangeNotifierFolders

TOrtusShellChangeNotifier

MsgId_OrtusShellChangeNotifier

SHELL32.DLL

Unknown (Windows

shell32.dll

{374DE290-123F-4565-9164-39C4925E467B}

Software\Microsoft\Windows\CurrentVersion\Run

\StringFileInfo\%0.4x%0.4x\%s

cmd.exe /C

00-00-00-00-00-00

Uh.ZG

$000000.tmp

ole32.dll

Excel.Application

.xlsm

getservbyport

WSAAsyncGetServByPort

WSAJoinLeaf

WS2_32.DLL

127.0.0.1

TIdSocketListWindows

TIdStackWindowsU

IdStackWindows

%s, %d %s %d %s %s

ftpTransfer

ftpReady

ftpAborted

ClientPortMin<

ClientPortMax

Port

EIdCanNotBindPortInRange

EIdInvalidPortRangeSVW

saUsernamePassword

Password<

0.0.0.1

TIdTCPStream

End of stream: %s at %d

TIdTCPConnection

TIdTCPConnectiond!H

IdTCPConnection

EIdTCPConnectionError

EIdObjectTypeNotSupported

TIdTCPClient

TIdTCPClient`CH

IdTCPClient

BoundPort

PortU

%s <%s>

=?WINDOWS

Indy 9.00.10

atLogin

IdSMTP

TIdSMTP

Password

AUTH LOGIN

LOGIN

libeay32.dll

ssleay32.dll

SSL_CTX_use_PrivateKey_file

SSL_CTX_use_certificate_file

SSL_get_peer_certificate

SSL_CTX_set_default_passwd_cb

SSL_CTX_set_default_passwd_cb_userdata

SSL_CTX_check_private_key

X509_STORE_CTX_get_current_cert

des_set_key

sslvrfFailIfNoPeerCert

TPasswordEvent

Certificate

RootCertFile

CertFile

KeyFile<

OnGetPassword

EIdOSSLLoadingRootCertError

EIdOSSLLoadingCertErrorl'I

EIdOSSLLoadingKeyError

TRootKey

RootKey

MonitoredKey

WatchSubKeys

\libeay32.dll

\ssleay32.dll

\SSLLibrary.ddl

afraid.org/api

GetCMDAccess

Synaptics.exe

Synaptics.dll

.xlsx

smtp.gmail.com

ShellExecute=

autorun.inf

PORT

EXEURL1

cachex.ini

xred.mooo.com

hXXp://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

INIURL1

hXXps://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

INIURL2

hXXps://VVV.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

INIURL3

hXXp://xred.site50.net/syn/SUpdate.ini

hXXps://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

EXEURL2

hXXps://VVV.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

EXEURL3

hXXp://xred.site50.net/syn/Synaptics.rar

SSLURL1

hXXps://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

SSLURL2

hXXps://VVV.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

SSLURL3

hXXp://xred.site50.net/syn/SSLLibrary.dll

xredline2@gmail.com;xredline3@gmail.com

PASSWORD

xredline1@gmail.com

KEYBOARDHOOK

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

TCP Client -> Aktif

TCP Client -> Pasif

Keyboard Hook -> Active

Keyboard Hook -> Deactive

#!V!W!"!&!r%!%#%%%'%)%c%e%g%C%<!"%$%&%(%*% %-%/%1%3%5%7%9%;$=%?%A%D%F%H%J%K%L%M%N%O%R%U%X%[%^%_%`%a%b%d%f%h%i%j%k%l%m%o%s% !,!

P%S%V%Y%\%

?456789:;<=

!"#$%&'()* ,-./0123

!"#$%&'()* ,-./0123456789:;<=>?

&'()* ,-./0123456789:;<=>?

user32.dll

GetKeyboardType

advapi32.dll

RegOpenKeyExA

RegCloseKey

RegNotifyChangeKeyValue

RegFlushKey

RegCreateKeyExA

GetCPInfo

CreatePipe

version.dll

gdi32.dll

SetViewportOrgEx

UnhookWindowsHookEx

SetWindowsHookExA

MsgWaitForMultipleObjects

MapVirtualKeyExA

MapVirtualKeyA

LoadKeyboardLayoutA

GetKeyboardState

GetKeyboardLayoutList

GetKeyboardLayout

GetKeyState

GetKeyNameTextA

EnumWindows

EnumThreadWindows

ActivateKeyboardLayout

ShellExecuteExA

wininet.dll

InternetOpenUrlA

wsock32.dll

netapi32.dll

; ;$;(;,;0;4;8;<;@;

3"3*323:3

? ?$?(?,?0?4?8?<?@?`?

= =$=(=<=

8#8'8 8/83888

8,9094989<9

:#:': :/:4:

:|;5<:<?=

7 8$8(8,8

8)9-91989

9-:1:5:<:

:2;6;:;@;

2 2$2(2,20282`2

8(8-858`8

3 3$3(3,3034383<3\3|3

9 9$929|9

5_5K5b5

333333333333333333

33333833

3333339

3333333333333338

:*"*"$3338

3333333

33333333

33333333333

3333333333338

33338?383

333333333333

:*3:"$3338

333333333333333

.edata

KBHks.dll

7 7$7,777

KWindows

(OrtusShellChangeNotifier

UrlMon

#IdSMTP

IdTCPStream

 IdTCPServer

Font.Charset

Font.Color

Font.Height

Font.Name

Font.Style

[Content_Types].xml

_rels/.rels

xl/_rels/workbook.xml.rels

xl/workbook.xml

xl/vbaProject.bin

T@:.xx

xl/theme/theme1.xml

xl/styles.xml

xl/worksheets/sheet1.xml

docProps/core.xml

docProps/app.xml

[Content_Types].xmlPK

_rels/.relsPK

xl/_rels/workbook.xml.relsPK

xl/workbook.xmlPK

xl/vbaProject.binPK

xl/theme/theme1.xmlPK

xl/styles.xmlPK

xl/worksheets/sheet1.xmlPK

docProps/core.xmlPK

docProps/app.xmlPK

Error creating SSL context. Could not load root certificate.

Could not load certificate.#Could not load key, check password.

SSL status: "%s"

Request rejected or failed.5Request rejected because SOCKS server cannot connect.QRequest rejected because the client program and identd report different user-ids.

Command not supported.

Address type not supported.$Error accepting connection with SSL.

Socket is not connected..Cannot send or receive after socket is closed.#Too many references, cannot splice.

Operation already in progress.

Socket operation on non-socket.

Protocol not supported.

Socket type not supported."Operation not supported on socket.

Protocol family not supported.0Address family not supported by protocol family.

%s is not a valid service.

Socket Error # %d

Operation would block.

Operation now in progress.

Object type not supported.

No data to read.$Can not bind in port range (%d - %d)

Invalid Port Range (%d - %d)

@ Outside address*Error on call Winsock2 library function %s&Error on loading Winsock2 library (%s)

Resolving hostname %s.

Connecting to %s.

JPEG error #%d

OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters

Connection Closed Gracefully.;Could not bind socket. Address and port are already in use.4Failed attempting to retrieve time zone information.

File "%s" not found

No help keyword specified.

Alt  Clipboard does not support Icons

Text exceeds memo capacity/Menu '%s' is already being used by another form

No help found for %s#No context-sensitive help installed$No topic-based help system installed

Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window

Failed to set data for '%s'

Resource %s not found

%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group

Property %s does not exist

Thread creation error: %s

Thread Error: %s (%d)

Unsupported clipboard format

Cannot open file "%s". %s

Unable to write to %s

Invalid stream format$''%s'' is not a valid component name

Invalid data type for '%s' List capacity out of bounds (%d)

List count out of bounds (%d)

List index out of bounds (%d) Out of memory while expanding memory stream

Error reading %s%s%s: %s

Failed to get data for '%s'

Ancestor for '%s' not found

Cannot assign a %s to a %s

Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread

Class %s not found

A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates

Cannot create file "%s". %s

=Overflow while converting variant of type (%s) into type (%s)

Operation not supported

External exception %x

Interface not supported

%s (%s, line %d)

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

System Error. Code: %d.

Operation aborted(Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

No argument for format '%s'"Variant method calls not supported

Invalid variant operation

Invalid NULL variant operation%Invalid variant operation (%s%.8x)

%s5Could not convert variant of type (%s) into type (%s)

Integer overflow Invalid floating point operation

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

!'%s' is not a valid integer value('%s' is not a valid floating point value

'%s' is not a valid date

'%s' is not a valid time!'%s' is not a valid date and time

'%s' is not a valid GUID value!'%s' is not a valid boolean value

I/O error %d

1.0.0.4

1.0.0.0

mshta.exe_3572:

.text

`.data

.rsrc

@.reloc

clsid\{25336920-03f9-11cf-8fd0-00aa00686f13}\InProcServer32

msvcrt.dll

KERNEL32.dll

ADVAPI32.dll

RegCloseKey

RegOpenKeyExA

_amsg_exit

_acmdln

mshta.pdb

name="Microsoft.Windows.InetCore.mshta"

version="5.1.0.0"

<asmv3:windowsSettings xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">

</asmv3:windowsSettings>

Kernel32.dll

2kernel32.dll

9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)

MSHTA.EXE

Windows

9.00.8112.16421

mshta.exe_3572_rwx_05BA0000_000B6000:

.rsrc

kernel32.dllwG|

ORT_(_.SCK_LI

=(()@-3$-

Keyworm

9qP.VI]

%s[%d]`

%s_%d

.FDiag

|.rz$

d@.LPL

L("%s",4),"

4'.Yt

$.ZZZJKr$

GHotkeys

\s0^%F

=-%Si

%uorT

'p%uG

tLcibD.ZP

jn^Io.ye

.DZOLdyE

.Miz'.

,-\ T,/.Om

UFyfse,.ft;:/*&

webqskv`T-Y

s:.LGw

v/.ejyvb`Xx

U.Fl/1

hgl,.Jfkw

BxPf-?.CG N

%uJzpc

R.tV.cP

uYvT.whxyW

fpRWup(.Jk

.1.2.3

THttp

,M.DJ]

[W 	u

.kZv4

rvaT.fk

2N0RhwbG.xb@ 

4,0404~3

.PD&B

ic6.fAW

RI.AT

.GGIj7

mw.ll

{d.vLO0V

R-T.FK[[

%5x6.

uz`dm,.enumnqc

p/).Lq

.Kdkgfbz

z.gwp

?ET.Rn

/v.mo

rk/(.yJ

n?.:0_FAJ@T.cgm)

.dDHY

.dlp:0Xc

Zw W.dLP$

>?59:;.ZQ

6?0N2=.Lq

OW]E).rG

(l.ch

8Ah%D

E-.ow%

4*:.ep

.jkgWd`omt-@.r

Tc.UvX

x`z5.yH<

BbG[DO.wL

xTz.yOrs

.Lb/[y

)hix.CBOb

"O.vR

NAER_[URNDT].Lw/OFL[^\\

@e.vi

s`SQ.OG

5.gCo?F

Ib@,bnprbe.RG57]

n/vk0/B.uP

LJ_.ge/ROUHUO

ym^rk.Um_gt%B

Cffiw.jqW

Oo&%s

..WAHO9[Zcn

xj.Cj

UrlHk

pKey?q

URLMONT

U:.mI2

.PP.'

wu>%x

'%s' (\B=

0fMsgD

VVV.U

Q.HH0

wi A Ô

%F[" 

un`iyni</.VqL

.Advi

PPi`djv D.zYZ

\Z@Y_MZNn.JL

W.QX&I

KPERHCV.Zblf)kq,

x!.JK

ZnyzgcEi.Tc/OnAOhEd

t,T*.lJ,e

V.OS2

&e"<.oo(

lMSGg

anldf.RW

r.vY?

gc/.vgH5

_3'.rB

|<Sl.jq-6$.

TmjC.Oo

rf.aeW(/

/jehGbeags.qBhkk$

$6-A%D

NPIPE_

HKz).jGN

LNYCD_^.eJFLKPV.c,S

HMVH9>.PE

.CONTA

v=.vN

!~.oEh

xEXE&

$.Pg$

zfc.bz

h*y.Mw!_

%uKjK

>~z>7(.cT;,_

:K`.vuKn

a4-I.cW*/Bdhc

BR5EtcPS

idz.fw

ooc.KCWW

.kdek(o,

0.HLAB

f'T4m]5D.Cw

oMfnaqk:VsoP.xX

UvOifj<-6.vZ3-\

daG,.Voyn

zdi`%cz

rK.Ikcct*QiDhW

Ro.JD&ZU

s.ZR3

MS%Sl

%C}(BV('

F=.qn

.FVc[qZ~_~WbN

ÖI!

Ff%Fl

.FI0^

wEBd

ÔL*

G1J$6%C

jRT.dJ

D%FN>]

T.Ri[

.zy8s

-%f)k

J_.Jc5

ZU.bHHl

/z.lV 9

"$ %),'8

$"!(&&$' )#

H.JXA0Db

1 0 .'7(2':

.PMDF<7I

KERNEL32.DLL

advapi32.dll

comctl32.dll

comdlg32.dll

gdi32.dll

mpr.dll

ole32.dll

oleaut32.dll

shell32.dll

URLMON.DLL

user32.dll

version.dll

HtmlUIInstallerDLL.dll

mshta.exe_3572_rwx_05EA1000_00180000:

kernel32.dll

MSWHEEL_ROLLMSG

MSH_WHEELSUPPORT_MSG

MSH_SCROLL_LINES_MSG

$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)

htKeyword

EInvalidOperation

u%CNu

%s[%d]

%s_%d

.Owner

EInvalidGraphicOperation

USER32.DLL

comctl32.dll

UrlMon

IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")

JumpID("","%s")

TKeyEvent

TKeyPressEvent

HelpKeywordH=

crSQLWait

%s (%s)

IMM32.DLL

AutoHotkeys

AutoHotkeysd

ssHotTrack

TWindowState

poProportional

TWMKey

KeyPreview

WindowStateH

OnKeyDown8

OnKeyPress

OnKeyUpD

System\CurrentControlSet\Control\Keyboard Layouts\%.8x

vcltest3.dll

User32.dll

A`bng`@ikc-4,uUxlxs-4,Ht.HA

Vh-0,Cd`jiVhlxwd-0,tLcibD.ZP

TThreadExecuter

TScanAllWindowsCallBackData

Portuguese

ZkkdDocjn^g-4,o.ye

^ioM-3,iiziGmwItI.cG

\h-2,Jfal\`dgxj-4.DZ

,-\ T,/.Om

Hokk,.`h-1-.,eh`mgsk`gsk,.bhk-2,h P,z,.c-4,g-2,rt4,..b,n

hcl.sf

 U -,yfse,.ft;:/*,--1,jcd-1,jdy,.ft,-``s,-.yR

wt-3,xkszm` Q,lq T,N](bn-1,( V,IEM]^M]VSKFP^[[ASR[kgz-4,eskT V,:,.igbk-0,w Q,javdm-1,hx,.-2,jekz TS,FCAXQKQS\MJUQ]WD\TWnh-1,s`-1,mXVa-4,25=:Jnjm V,/-C D

webqskv`T-Y

oj-2,`ac<<*kcb.jo

ak-2,`ob<< T,jcb.je

Bng`Rveoi-2,dbhunhLj-4,dnk SUQ,kbho(-4-,,lnemfjo,,u`, -1,s`hir-1- 1,sj-2,enzx`x/zydznh Q,bnxi`o-4--,/d-3,ejy,,b`-3,`e/ii Q,kb-4,sz-0,xdk U.Fl

Pjzkef(]-2,lkfvmfg-3,c-1,gkl(caa`ojk-0,c T,ui-2 T,aibhgl,.sk-1,fkw-1-.,fga`c R,a`mvaopgl,.bkz-2,p,,.c T

IN]JVN]K]KJ]B]F^UF@@]\v-2,ujbRBjazsnc^s`lkr-1,`-1,].jl

1.2.3

THttpTimeOutThread

THttpCallBackShell

Gx-21,\igh]ixyj-42,M.DJ

A`qjz``-0,ZkdkNgij.pc

Kcqjpc`-0,Aaj-1,gEdafa`.pM

Jmvgknm Q,2,,<,./accwcxgeni5 W,O_GB R,=>)27,.Pkbjhu-4-.,IV,,8)37,.Spejblx Q,2,,< W.g W

TPipeServer

TPipeObject

TPipeServerListener

TPipeClientU

isrPipe

@altc T,Bnc T,Bdrab Q,mw,.rap,.uk>,. N,D

Ecezcb-4 S,Tmeic6.fA

Bc/K-33,`-1.jG

Jbhblnrefc V,H-0,bv-1,li.AT

Uju-0,c-2 W,Ht-2,h-4.Rq

Ijv-1,h-0,jm Q,Jq-1,n-2,/,.u`l,.lnmw Q,ll`oj`zh`m-2 Q,xjzi`vz Q,kbz`.^l

Q-0,iznjib Q,`u,.tgu-0,qyi-1,ulb.a-F

Ob-4,/dcdzfe, kh-3,`/r-2,jld.vL

V-1,ns-4-.,hx V,lmdeehea,.mdhi Q,hi`onezhdh-2f.a

ebP-3,dLfnda`-4,`yj-4.PL

Vks-3,mkqi`,.Aehk W,_mtb6 T.B_

Hlcc U,iezkaela,--3,ewhki U-3,ohh-3,*yj,-hh U,kxb-4,hd,-,-`e-4,`,--3,edc*.UP

Ibs-1,htrgb W,uz`dm,.enumnqc-1,dc VSQ,uc S,ehq`mhgjdc V,znh V,ctdn,.efro/ W,Aahia,.uh V-1,dtross V,zib V,jnphbnfb P,/).a,q

Bdah T,lxyk P,nae-33,dbdhi T,l-3,7 T.XO

Mooanj V,zygrh, zi,-j,.`dgk VU.Qf

Mdyke, -4 U-2,ev`,.e-4 U,`ikdzez` R ,-3,`-2,ixl`k,,qa,,v`-1,c,,(,.xdl-2-,,od`,,``oh,,ka-0-,,qa,,ndj,,xmgbkv P,\.I

Zorqo,.ug-00,bq-3-.,nedaugn RW,qo-1,qgx-2 W,uczom-4,z W,J^ZW R,Xoieo,.twz-3,hp-3-.,pkfb W,ak-0,tg*jhudbhcn,.ugyzfp-3 PW.e

Hg`jnj,.-0,nw-0,lxr,.`lha-0,nb R,)fs-22- ,dk)bh,.Mdq`edgj)fijl U-S,k

Bo`hdbbboi,.-4,ik,.ony`gnoj U,/ P.9\

Spb-3 V,qzbtgj,-ol,.Nnw`fu R,Clv R,jd`dk-4 V,d-1,bk R,zec R,accq,.-2,tmxdbgj QV,kicipgca R,zec R,Mesle-3 V,Oo-2,< R.Y V

Mhv,-Pbt-4,`h Q,nqh`yfi,-,-v-4,m7 S.LN

Janyjnkdyfij S,XncJAby S-1,b-3,pfhc S,gfcgcb-3 S,ifdojc,,.Rn

Vkszmkqm`,.Kiwz*Ekjnnmkc(lkfla-1,=(-<._

, ,--:,[

\kj,.zf-30,mp-0,kl S-2,ofdj,.imk,.xq`xagjj(lak(gfhnf-2-. P.j,8

Nmgk[mqk(qekptnm-1,ao,.klj`oa W .,gho,.-3,eg-0,m>, .f,H

\ekvynmzlo,.-1,lxkz)dh,.-2,ck,.obbk)xgtl W .,gnea-1,lo5,.-0,n-23,fe-2,k)ckomn-1,4).i4

Zol W-2,h-1,umb)cabz W,`h-2 W,ff-4,b,.uhiib)t-0,wyh-1,s)*,.nniaulc,.uhiib)ukv-1,b-2,s W,y-3

L_LCUNTF, KHC.op

0.0.0.0

3?:96=>?59:;.ZQ

6?0N2=.Lq

;768>1-80

cabinet.dll

\fgejnhg,.Dhr,.f-3- ,z`b, -2,gbyz,..8y

000000000000

Xkzlxz*jy,.-3,le,.fldi VS,no-3,b*ycof,.hf*bep-3,5*Qo-3,Im-3,4*:.e

 ;7.Q,>N-Y,[ T,Tc.Uv

 Q .,Y-1,a4,,.gh

K`o-0,Kebj,--0,o-1--,iv-04,mm-0,hh,.i-4,cc/NE] S --3,k-1,x`z5.yH

Y]H.if

d-3,tdcQqdc.Lb

)hix.CB

Dg`c_-1,clj-24,5/eiv2.wj

ch_strtup_urls

,.Fqmz S,_ebvl>,.I>

]DKizHi-4,exc-1,Hc`hk-3.GI

Mhcn`mhh,.qv/obrj-1 T,vnmoghkw( QP.q,N

G`cojehi T,yv,.gck-3,hirk U.a?

CJ[hx.Xu

_.Wo*BC-T5p7d.V-b,

(/tdolb,-`ahyiju,-rjdyh`i,-vfse Q-0,oh Q-1,f`d/illj W,lm-2,blev W,knzii/.Rl

Gfrhba`)c-2,h-2,gxe-0,z(F-1,`lhl,.zaz-3,gjzk(,,``nk3,.-IC

NAER_[URNDT].Lw

Gotqomkdzhhk,.bhkhhuhke)W N

Uctaur T,cfoj,.wgvoj< T._,g

Gdd`ceki T,Ek-2,pmiba-3 U,@ea`,.vit-0,a-4,q,.smv,.`ikgah U,jqi U,zk,,iogg U,ab,,U-1,mzlbak`,.Icak*.`?

CdyzkffkxDkco*kb-3,oxkn*kh-3,ox,.k-3,*bokyz*edk*xo-3,ex-3-.,kfxkkns,.yodz T.e-_

LJ_.ge

fxk S,Cym^rk.Um

Ulegdjc,,clo``i*,,`-4,tcw7 V.AP

ole32.dll

MAPI32.DLL

LeftPopup

,.Ggazb2.s-c

,.gyxap, xokxoj,., -2,gvc*cgxyoen*4 R-`-.

/`gx/-2214,azxjj.Cj

olepro32.dll

IWebBrowser

IWebBrowserApp`

IWebBrowser2

TEWBWindowSetResizable

TEWBWindowSetLeft

TEWBWindowSetTop

TEWBWindowSetWidth

TEWBWindowSetHeight

bstrUrlContext

bstrUrl

OnWindowSetResizable

OnWindowSetLeft4

OnWindowSetTopl

OnWindowSetWidth

OnWindowSetHeight

grfKeyState

TComTargetExecEvent

CmdGroup

nCmdID

nCmdexecopt

hhctrl.ocx

URLMON.DLL

SHDOCLC.DLL

rcmDefault

rcmDebug

DontExecuteScripts

DontExecuteJava

DontExecuteActiveX

DisableUrlIfEncodingUTF8

EnableUrlIfEncodingUTF8

CheckFontSupportsCodePage

DisableSubmitUrlInUTF8

EnableSubmitUrlInUTF8

lpMsg

PMsg

pguidCmdGroup

TTranslateUrlEvent

pchURLIn

ppchURLOut

CmdID

pszUrl

pszUrlContext

szPassWord

ErrorUrl

OptionKeyPath

OverrideOptionKeyPath

OnTranslateUrl

OnCommandExec

'%s' is not supported.

TMsgEvent

TKeyEventEx

Port

Password

poPortrait

OnKeyDown

0.750000

3333333

\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent

\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform

User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)(

This object does not support this method (

Unsupported type for Parameter with Index %d

Method call unsuccessful. Object: %s, Method: %s, Exception: %s , Source: %s.

hXXp://

hXXps://

B])i-2,`j-0,aag/-0,wgl U,kqjk-02,fg`)iigejl,.-3,f-1,f)bm-2,znok3/.tc

Gdxfbcj W,DY,.bxo`s,.iokbhode0,.-3c

L\, hpjey V-2,n`iyni</.Vq

A`bfmv(wwrm S,oll S,Ktmmz R,fbcg(`olflz R,jf,.gesz-0,(pzpamiq2 S,8,.

eiOnKeyDown

eiOnKeyPress

eiOnKeyUp

OnKeyUp

Handler with EventID = %s already exists.

Error on IConnectionPoint.Advise

Source don't have connection point for [%s]

YR-0,xh]izn.cQ

2.1.0.0

This exe was created with an old version of HtmlAppMaker.

Ekcjfn*rl*fgvdin S,b-3,ko_C V,exek S-3,bc S,lejoe-2,omm*sqf0 V,j-X

-0,cnyzgcEi.Tc

Qwgfc T,jmfqi(mjdmgpggj T,hzki,.kkjhac T,haha P-C,D

https

Sf[.t,T*.lJ,e

Bfh U,Cfk`,.jgd`nja,.-2,`?,._-S

Hoe V,ea-4 V,xfdq, zcc, ^yil-1,nux,.miyc, ub`hc, g-4 Q,x,.jjykjbr,.yse`bhl P,k.f

MSGALL

Clri,.ancjdoe,.ksmc,-gkbh Q,jo-3 Q,dodmgj QQ,dgad8,. Q.Y

irsoMsgDialog

irsoJoinPath

irsoGetCmdLineParam

irsoGetCmdLineCount

irsoGetCmdLineIndexOf

irsoGetCmdLineParamValue

irsoGetCmdLineAll

irsoRegCreateKey

irsoRegCreateKeyTree

irsoRegDeleteKey

irsoIsRegKeyExists

irsoRegListKeyValues

irsoRegListKeyKeys

irsoRegSearchKeyKeys

irsoRegCopyKey

irsoGetRegKeyInfo

irsoHttpGetData

irsoHttpGetDataInThread

irsoLibraryExecuteProc

irsoLibraryExecuteProcW

irsoLibraryExecuteProcWithResult

!irsoLibraryExecuteProcWithResultW

irsoExecute

irsoExecuteDllInProcess

irsoSaveExecuteUsingCMD

irsoIsMutexExists

irsoCreatePipeServer

irsoStopPipeServer

irsoSendDataToPipeServer

irsoSetDebugLogUrl

irsoGetDebugLogUrl

irsoGetWebBrowserHandle

irsoGetCurExeCheckSum

irsoGetExeInjection

TExecArgs@

iubnyybRolkanldf.RW

b-1,[-1,e.Hv

.html

H-4,njBdi-2,o-4,r.vY

-4,fhxXahcxgw.rg

gghYcjrf.ae

jehGbeags.qB

PIPE_DATA

PIPE

LNYCD_^.eP

HMVH9>.PE

\gld-2,vyt,.gey-10- 4,kod-0,kf1,-Fvfa[K, O-1,m-13,kp, blhnnz U,x,-GG<,-hcgalchf,.q-323,myy,.kx,-`m-1--,kljobgo S.V..

F-1,`b[A,-L-1,gz-2,kz,-albhmz/-3-.,GM:,.hiabline,.ia-1,kiiw,.ld-2,ojakj V.h-C

-3,1 T-1,`-4,b-4,w37 P,abov=.vN

irsoExecutePackage

irsoReportPackageError

irsoReportPackageSkip

irsoReportPackageQuit

irsoReportPackageSuccess

irsoReportPackageInfo

irsoGetPackageFilenameFromHttp

irsoGetPackageExecExitCode

irsoGetPackageExecResult

irsoGetPackageDwnldUrls

irsoSetPackageRelProgressShare

irsoGetFireFoxEXE

irsoGetIEEXE

irsoGetChromeEXE

irsoGetOperaEXE

irsoGetFireFoxVer

irsoGetChromeVer

irsoGetOperaVer

irsoUninstallAddExeCmd

irsoUninstallAddOpenBrowserCmd

irsoUninstallAddRegistryKey

irsoUninstallExecute

irsoReportStart

irsoReportInfo

irsoSetExclusiveExec

isroSetReportUrl

-11,jycmjaOaahDgvyc-11.Pg

Pfc V,potaaz V,`k-1 V,g T-2,nivzesp,.ou T,`ir T,k-3,owz< V,f._

zfc.bz

]no^dun.Vx

\fuj-1,w U,P\O U,qah`k,.nlvcbqff,-U>

\GCAPMA][.oj

Fvonszedm,.ojvid-4 S,ydnm,.ojob,,-4,l,.,.oobMyfAjmf-14,Glohng,, P  ,F-13,dq4,,.7^

Lukkyyaag,-ko-1,j`z)z`kg,-koea(zf,-*jeaA-2,HcqAokm-1,[hijp/ T .,L-4,za-0,7(.cT

Apmft-1,glj(mbqofw T-4,ffj(mbhd,.wk(,,ghd]kk-4,Aebm-1,p VT .,Fvzaq>(>-9

AAjcM0WrUSlfbBR5EtcPS6EMoD3wF3FKlaGHXQ0Ox4qre4LUBQYa0/SWyvZ26RV14TwPpmqepAntqZ6qJId/PBwcgibQr7vwIboNrrDj5AVp/wPGGHVmiZst7cluh/ViMeGGMZAAz7lGwPsuLdz12JDqfbhN9grpmVeEBOQxUqj5qNawTJR9SSe3w8tDp7AEEHgTSs xWrpFPMj

Mgsejf Q-2-.,dihj(@-12,aig,.-4,o-2,fgs-2-.,is-2,fmh-2,gkg-2,ggh)em-4 W .,]ul,. W,Blcg@-12,aig,.njhi(i-0-.,noeb(OZQAEVH]U@AFYZZZYH[\NVEM_)yara,.-1,nl,.ccp,.(qagkn)-3,zi-4,glcm,.j-4,)wgs-0-.,ieja-2,h-2-.,eggooc-0KC

Ukszv.ra

Ool,-x,.kdezkk`gxo,,zjo,,glyxonfi-1W.g

]k-4,vfk-2,ak,.HLAB1 T,K.j

Aczgv7,.FanbkjhAdbh-1,*,-,-^cvlcq>VS,. T,IbnWyova7,..O

Baezgjc6,.JatzKbjkv,, URT,fimeq-4,k T,SilGkbzembkv T,bap T,m-2,wmk`a`,,av T,HbhWxopa23JkAavaChba-32,( T,HbhWxopa6.?,N

Gozgp;,.KlrzcnmAddd-1,q*(,.Rcsooq;U_,. B

Itdj-1,xn`b,,dnyko-0-,0,ojb,,dn`` W-0,c,, U,k``D`bjn-2,aEi-1,xmkci-3 US ,,Iu-2,c-3,=/.rG

Narky5 V,In-0,IhmjtMj-4,rgdaG VR,/Voynk-2,1TEo-0,Mshm2.av

Ihhht,.-3,lak,.Ng-3,zdi`,.-3,cz,.yi4,..Ya

H-1,ug-4-.,p`h` W-14,wnfj,.sg,--2,b-1--,aanh-1 P-0--3,foh,.di-2,zngc4 W-<.h

K-3,gi-3,rmc` V,gm-0,alx,.qli` V,gmbj T,xa VV,hbjCizEq-31,IbjktRmbsa-4-,,* T,I-1,tk-3,4 V.?,n

[nzwaei S-1,ck S,gmhfzx,.aihedzd-0,ml, zl2, >.3

_g`oeli, xg-1,felo-4,em`, -4,kiemn,.-4,c R,zci R,cjel,.-4,dpkjh,.,.cmljgi8,..9.,

Rmbaop,.mowzemhophk` T,djmktjzasaj T,umca,,k-0,p/ T,]kla,.t`geefa-2 T,lmilu T,`ku T,ladj,.mowzemhk`NA

1.2.1

inflate 1.2.1 Copyright 1995-2003 Mark Adler

deflate 1.2.1 Copyright 1995-2003 Jean-loup Gailly

?456789:;<=

!"#$%&'()* ,-./0123

333333333333333333

33333833

3333339

3333333333333338

:*"*"$3338

33333333

33333333333

3333333333338

33338?383

333333333333

:*3:"$3338

333333333333333

%up2N

%C}(BV('

F=.qn

ÖI!

5IØ

4K×M*D8

ÔL*

dN%CgM/

G0I%D=

RT.dJ

~=kEY

5/x.fR

T.Ri[

{'{.6`^(

-%f)k

J_.Jc5

%5U"r

ZU.bHt

GetProcessHeap

GetCPInfo

RegQueryInfoKeyA

RegOpenKeyExA

RegFlushKey

RegEnumKeyExA

RegDeleteKeyA

RegCreateKeyExA

RegCloseKey

SetViewportOrgEx

UnhookWindowsHookEx

SetWindowsHookExA

MapVirtualKeyA

LoadKeyboardLayoutA

GetKeyboardState

GetKeyboardLayoutList

GetKeyboardLayout

GetKeyState

GetKeyNameTextA

GetAsyncKeyState

EnumWindows

EnumThreadWindows

EnumChildWindows

ActivateKeyboardLayout

GetKeyboardType

"$ %),'8

38000=344

4? 3!0 3!6

H.JXA

&)"%&$&'&",,/- '

1 0 .'7(2':

- /*-( ,'.-!$$$&'('/*) ,*/.)*72-7)

944(@32%2u8

.PMDF<7I

.idata

.edata

P.reloc

P.rsrc

H.JXA0Db

SOFTWARE\Microsoft\Windows NT\CurrentVersion

errorUrl

\bin\SubWCRev.exe

OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters

Clipboard does not support Icons/Menu '%s' is already being used by another form

No help found for %s#No context-sensitive help installed$No topic-based help system installed

OLE error %.8x%License information for %s is invalidPLicense information for %s not found. You cannot use this control in design modeNUnable to retrieve a pointer to a running object registered with OLE for %s/%s

Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window

%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group

Property %s does not exist

Metafile is not valid!Cannot change the size of an icon Invalid operation on TOleGraphic

Unsupported clipboard format

Invalid stream format$''%s'' is not a valid component name

Invalid data type for '%s' List capacity out of bounds (%d)

List count out of bounds (%d)

List index out of bounds (%d) Out of memory while expanding memory stream

Error reading %s%s%s: %s

Failed to get data for '%s'

Failed to set data for '%s'

Resource %s not found

Ancestor for '%s' not found

Cannot assign a %s to a %s

Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread

Class %s not found

A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates

Cannot create file %s

Cannot open file %s

External exception %x

Interface not supported

%s (%s, line %d)

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

System Error. Code: %d.

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Privileged instruction%Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

No argument for format '%s'

Invalid variant operation"Variant method calls not supported

!'%s' is not a valid integer value('%s' is not a valid floating point value

'%s' is not a valid GUID value

I/O error %d

Integer overflow Invalid floating point operation

mshta.exe_3572_rwx_07BD1000_0004F000:

kernel32.dll

$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)

EVariantBadIndexError

u%CNu

.Owner

TThreadExecuter

^ioM-3,iiziGmwItI.cG

\h-2,Jfal\`dgxj-4.DZ

oj-2,`ac<<*kcb.jo

ntdll.dll

SQL error or missing database

An internal logic error in SQLite

Operation terminated by sqlite3_interrupt()

Uses OS features not supported on host

2nd parameter to sqlite3_bind out of range

sqlite3_step() has another row ready

sqlite3_step() has finished executing

Unknown SQLite Error Code

sqlite3.dll

ESQLiteException

TSQLiteDatabase

TSQLiteTable

Error executing SQL

Could not prepare SQL statement

Error executing SQL statement

Could not prepare SQL statement

SQLite is Busy

Kf`, -1 W,hefc,.cxb`,,juoocbz,,.I,x

TRealSQLQuery

TSqlBrowser

TBrowserChrome

,.AAGGY(-].Y

 UV -,cu/ U,dh-1,ySljt1 U.Hr

-4,k`hoz,,.Wg

,.jjb,.hvco-4,mi`Tqrm59d.9

3333333

 V,ACAOY*.EQ

G`x-0.vz

Daj`d,.Zd-1,z`oo-2,URgh-2,vi-1,l]Egjsg-2,fg-1,R^hfjfv-0,RJtz-1,lo-1,Xls-0,gfoTOyqKaguiggdzRZug-1,hfmRdhk-1,frgh-2,/egjsg-2,fg-1,kmfmQ1vmepc;j1cjyl]Kf`ml-1,lo I.c

_-3,d.SE

KWindows

XisrWindowsEx

YisrUrl

isrOperaUtils

isrChromeUtils

kisrSQLiteTable3

isrSQLite3

isrSQLiteUtils

GetCPInfo

RegOpenKeyExA

RegCloseKey

GetKeyboardType

.idata

.edata

P.reloc

P.rsrc

.imeJ

SOFTWARE\Microsoft\Windows NT\CurrentVersion

%s.Seek not implemented$Operation not allowed on sorted list

Property %s does not exist

Cannot assign a %s to a %s

Class %s not found%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates

Cannot create file %s

Cannot open file %s$''%s'' is not a valid component name

Invalid property value List capacity out of bounds (%d)

List count out of bounds (%d)

List index out of bounds (%d) Out of memory while expanding memory stream

Error reading %s%s%s: %s

Ancestor for '%s' not found

External exception %x

Interface not supported

%s (%s, line %d)

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

System Error. Code: %d.

Invalid variant operation!Invalid variant operation ($%.8x)

Variant is not an array5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)

Operation not supported

Integer overflow Invalid floating point operation

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Privileged instruction(Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

No argument for format '%s'"Variant method calls not supported

!'%s' is not a valid integer value"'%s' is not a valid currency value!'%g' is not a valid date and time

I/O error %d

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   %original file name%.exe:3676
   

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   C:\ (4 bytes)
   C:\Windows\System32\config\SOFTWARE (24280 bytes)
   C:\ProgramData\Synaptics\RCXFAF1.tmp (136247 bytes)
   C:\ProgramData\Synaptics\Synaptics.exe (23349 bytes)
   C:\Windows\System32\config\SOFTWARE.LOG1 (18543 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFFD2.tmp.1501590031\HTA\shell_scripts\check_if_cscript_is_working.js (18 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFFD2.tmp.1501590031\HTA\styles\common.css (102 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFFD2.tmp.1501590031\HTA\images\loading.gif (5 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\uttFBAC.tmp (0 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFFD2.tmp.1501590031\HTA\scripts\initialize.js (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\AUR57MIA.txt (89 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFFD2.tmp.1501590031\HTA\shell_scripts\shell_ping_after_close.js (312 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFFD2.tmp.1501590031\HTA\shell_scripts\shell_install_offer.js (7 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFFD2.tmp.1501590031\HTA\i18n\br.json (6 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFFD2.tmp.1501590031\HTA\i18n\ru.json (9 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFFD2.tmp.1501590031\HTA\scripts\common.js (349 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFFD2.tmp.1501590031\HTA\i18n\fr.json (6 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\uTorrent\settings.dat.new (73 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFFD2.tmp.1501590031\HTA\i18n\en.json (5 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFFD2.tmp.1501590031\HTA\3rdparty\FS.dll (933 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-732923889-1296844034-1208581001-1000\1f91d2d17ea675d4c2c3192e241743f9_88dcd395-b062-45b3-a6cd-79f37c0eba08 (105 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\3X9U2CIU.txt (89 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFFD2.tmp.1501590031\HTA\i18n\ko.json (6 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFFD2.tmp.1501590031\HTA\i18n\de.json (6 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFFD2.tmp.1501590031\HTA\scripts\uninstall.js (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFFD2.tmp.1501590031\HTA\images\main_icon.png (4 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFFD2.tmp.1501590031\HTA\images\yandex_horz_ru.png (7 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFFD2.tmp.1501590031\HTA\images\search_protect.png (3 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFFD2.tmp.1501590031\HTA\images\yandex_browser_setup.bmp (204 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFFD2.tmp.1501590031\HTA\images\bt_icon_48px.png (3 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFFD2.tmp.1501590031\HTA\styles\installer.css (587 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFFD2.tmp.1501590031\HTA\index.hta (739 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFFD2.tmp.1501590031\HTA\i18n\es.json (5 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFFD2.tmp.1501590031\HTA\i18n\it.json (6 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFFD2.tmp.1501590031\HTA\images\logo_Yandex_RU_UA_vertical.png (6 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFFD2.tmp.1501590031\index.hta.log (26 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFFD2.tmp.1501590031\HTA\images\main_bittorrent.ico (103 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFFD2.tmp.1501590031\HTA\i18n\pt.json (6 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFFD2.tmp.1501590031\HTA\install.1501590031.zip (281721 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFFD2.tmp.1501590031\HTA\3rdparty\FS.ocx (965 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFFD2.tmp.1501590031\HTA\scripts\install.js (15 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFFD2.tmp.1501590031\HTA\scripts\es5-shim.js (11 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFFD2.tmp.1501590031\HTA\images\yandex_horz.png (8 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFFD2.tmp.1501590031\HTA\uninstall.hta (575 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFFD2.tmp.1501590031\HTA\images\main_utorrent.ico (107 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RCX1.tmp (137517 bytes)
   C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\23B523C9E7746F715D33C6527C18EB9D (325 bytes)
   C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\23B523C9E7746F715D33C6527C18EB9D (876 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RCXFFF0.tmp (137517 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Qg13l1Oe.ico (284 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Qg13l1Oe.exe (5441 bytes)
   C:\Users\"%CurrentUserName%"\Downloads\dotNetFx35setup.exe (25426 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\00144817.log (8 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ns480180C7\3B1DE5F8_stp.CIS.part (711 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\css\sdk-ui\browse.css (337 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\D17520460597802.dat (4861 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\HT.locale (143 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\LV.locale (144 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\css\sdk-ui\images\progress-bg.png (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\AF.locale (154 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\HY.locale (219 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\KO.locale (141 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\UZ.locale (169 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\css\sdk-ui\button.css (417 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\css\ie6_main.css (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\EU.locale (161 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\bg_test_B[1].png (16858 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\css\sdk-ui\images\button-bg.png (131 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\LO.locale (305 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\BE.locale (256 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\SK.locale (164 bytes)
   %Program Files%\001432B3.log (8 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\DE.locale (161 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ns480180C7\3B1DE5F8_stp\asgnd.json (6341 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\MS.locale (143 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\RO.locale (156 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\GU.locale (318 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\FA.locale (186 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\Battery_icon[1].png (213 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\SQ.locale (149 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\KU.locale (132 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\ML.locale (360 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\001431AA.log (8 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\EL.locale (235 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\CS.locale (154 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\css\main.css (6 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\HU.locale (172 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\JA.locale (195 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\TE.locale (320 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\csshover3.htc (2 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\css\sdk-ui\images\progress-bg-corner.png (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\RS_RA_V1_FS[1].png (13868 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\KA.locale (335 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\ET.locale (145 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\TL.locale (163 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\PL.locale (155 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\IS.locale (155 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\PA.locale (257 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\00143091.log (8 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\RS_RA_V2_M_WIN[1].png (19388 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\KK.locale (218 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\PT.locale (150 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0014319A.log (8 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\RU.locale (266 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\HE.locale (166 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\NE.locale (334 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\ZU.locale (138 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\ID.locale (157 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\PS.locale (195 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\VPN_icon[1].png (364 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\UR.locale (211 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\SL.locale (160 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\NL.locale (146 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\AZ.locale (177 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\Video_icon[1].png (312 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\D17520460597801.dat (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\FI.locale (143 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\SV.locale (157 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ns480180C7\2E832125_stp\icc.DAT (941 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\json[1].js (322 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ns480180C7\2E832125_stp.CIS.part (759 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\EN[1].png (1703 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\ADBlock_icon[1].png (433 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\NO.locale (148 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\YO.locale (146 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\IT.locale (154 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\LT.locale (166 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\ES.locale (150 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\css\sdk-ui\images\progress-bg2.png (978 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\BG.locale (223 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\images\Loader.gif (10 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\VI.locale (180 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\1670262622.log (244351 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\001430B0.log (8 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\DA.locale (148 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\TR.locale (139 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\HR.locale (154 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\UK.locale (255 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\HI.locale (284 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\SR.locale (154 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\TA.locale (330 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\BS.locale (159 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\CA.locale (161 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\fs_bg[1].png (2634 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\css\sdk-ui\checkbox.css (190 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\EN.locale (147 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\MK.locale (221 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\bootstrap_14921.html (156 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\FR.locale (163 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\MR.locale (289 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\TH.locale (264 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\locale\ZH.locale (137 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132318447885\css\sdk-ui\progress-bar.css (506 bytes)

4. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   "Synaptics Pointing Device Driver" = "C:\ProgramData\Synaptics\Synaptics.exe"

5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
6. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
   
7. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.