uTorrent_Conduit_e046da1b39
Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR, BankerGeneric.YR (Lavasoft MAS)
Behaviour: PUP
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: e046da1b39202825155947371254a4e6
SHA1: 6201513bfe534458135a8856d9ff4799b25349b3
SHA256: 68ae02712bbd848b2841d7bbe3978077953b4f5fe160f74c9047eccdfbbee889
SSDeep: 24576:OUJndyw/c5zsCZOK06t3WStqe/YLNB3f tV6MbEEO2v:VVdywMzJOs3HqhRBWtVJ
Size: 1270352 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: BitTorrent Inc.
Created at: 2014-04-19 02:11:18
Analyzed on: WindowsAda SP3 32-bit
Summary:
Potentially Unwanted Program. An application that does not display malicious behavior, yet is installed without first obtaining affirmative user consent for the installation. Because of the nature of the installation procedure, users may not realize that an application they never explicitly agreed to has been installed. This category can also be used to classify other applications that in certain contexts are wanted, e.g. remote administration tools or IRC clients.
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
BrowserTabSearchMediaBar.exe:1404
BrowserTabSearchMediaBar.exe:1000
imapi.exe:2396
mediabar.exe:160
%original file name%.exe:3864
utt2D.tmp.exe:4056
rundll32.exe:2456
SafetyNutManager.exe:3204
SafetyNutManager.exe:4040
regsvr32.exe:288
msbloader.exe:200
pack.exe:1528
msfeedssync.exe:2096
The Trojan injects its code into the following process(es):
uTorrent.exe:516
safetynut.exe:2128
SafetyNutManager.exe:2064
msbloader.exe:368
File activity
The process uTorrent.exe:516 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\featuredContent.btapp.new (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X33TH0UP\icon[2].ico (392 bytes)
%Documents and Settings%\%current user%\Cookies\SFF2AMO5.txt (96 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\D944B3378FAB35793B7951FA53E41B2AB9CC462B\main.css (6 bytes)
%Documents and Settings%\%current user%\Cookies\ELA8NTQ3.txt (93 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\utt5D.tmp (11516 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\plus.btapp.new (796 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AAE8OMVS\icon[1].ico (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar5B.tmp (2712 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\dlimagecache\804153A8C5C67F43BFD757A3A58ED68D7157DAA6 (1001 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\72F0D3E2141065DACF6134D07A06A2DF20590748\main.css (946 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\E9UY92VW\fileserve[1] (917 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\E9UY92VW\icon[2].ico (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\utt59.tmp.new (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WJYHCPG4\icon[1].ico (392 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\D944B3378FAB35793B7951FA53E41B2AB9CC462B\index.html (3 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\72F0D3E2141065DACF6134D07A06A2DF20590748\icon.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab5A.tmp (54 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\72F0D3E2141065DACF6134D07A06A2DF20590748\index.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WJYHCPG4\fileserve[1].css (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AAE8OMVS\fileserve[1] (44065 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\D944B3378FAB35793B7951FA53E41B2AB9CC462B\empty_movie.gif (282 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\dlimagecache\165F6EF40A81DD175FFAEA69E77ABFD30B27E71C (88 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\D944B3378FAB35793B7951FA53E41B2AB9CC462B\btapp (201 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\E9UY92VW\icon[1].ico (392 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\D944B3378FAB35793B7951FA53E41B2AB9CC462B\info_icon.png (250 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\settings.dat.new (71 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\D944B3378FAB35793B7951FA53E41B2AB9CC462B (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X33TH0UP\fileserve[1] (601 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\dlimagecache\77900433804D5EAD1719B7AC7A5C28E6D9AC13C7 (4069 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\D944B3378FAB35793B7951FA53E41B2AB9CC462B\vid_thumb.jpg (23 bytes)
%Documents and Settings%\%current user%\Cookies\GLJGHN83.txt (93 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\72F0D3E2141065DACF6134D07A06A2DF20590748 (4 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\dlimagecache\10E6FBE4D921B475FA5FEC6E9A535A540D6FEED1 (318 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\D944B3378FAB35793B7951FA53E41B2AB9CC462B\x.png (265 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\E9UY92VW\blank[1].htm (109 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\72F0D3E2141065DACF6134D07A06A2DF20590748\btapp (196 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\updates\3.4.1_30888.exe (7971 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\updates.dat (1845 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\utt5C.tmp (731 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\player.btapp (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AAE8OMVS\fileserve[1].png (392 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\welcome-upsell.btapp (28 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\72F0D3E2141065DACF6134D07A06A2DF20590748\index.html (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X33TH0UP\icon[1].ico (392 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1844237615-1960408961-1801674531-1003\1b9783ca1f32c8d5acfe437935791686_75ed9567-aa58-4c8e-a8ea-3cad7c47ab03 (80 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\utorrent.lng (7386 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Cookies\SFF2AMO5.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\utt5F.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\utt5D.tmp (0 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\D944B3378FAB35793B7951FA53E41B2AB9CC462B\main.css (0 bytes)
%Documents and Settings%\%current user%\Cookies\I4R5GJTA.txt (0 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\D944B3378FAB35793B7951FA53E41B2AB9CC462B\index.html (0 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\72F0D3E2141065DACF6134D07A06A2DF20590748\icon.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab5A.tmp (0 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\72F0D3E2141065DACF6134D07A06A2DF20590748\main.css (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\utt59.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\utt5E.tmp (0 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\D944B3378FAB35793B7951FA53E41B2AB9CC462B\empty_movie.gif (0 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\72F0D3E2141065DACF6134D07A06A2DF20590748\index.js (0 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\D944B3378FAB35793B7951FA53E41B2AB9CC462B\btapp (0 bytes)
%Documents and Settings%\%current user%\Cookies\GLJGHN83.txt (0 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\D944B3378FAB35793B7951FA53E41B2AB9CC462B\info_icon.png (0 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\D944B3378FAB35793B7951FA53E41B2AB9CC462B (0 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\D944B3378FAB35793B7951FA53E41B2AB9CC462B\vid_thumb.jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar5B.tmp (0 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\72F0D3E2141065DACF6134D07A06A2DF20590748 (0 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\D944B3378FAB35793B7951FA53E41B2AB9CC462B\x.png (0 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\plus.btapp.29069.tmp (0 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\72F0D3E2141065DACF6134D07A06A2DF20590748\btapp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\utt5C.tmp (0 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\72F0D3E2141065DACF6134D07A06A2DF20590748\index.html (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\utt59.tmp.29062.tmp (0 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\featuredContent.btapp.29069.tmp (0 bytes)
The process BrowserTabSearchMediaBar.exe:1404 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsj62.tmp (26309 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz63.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\BTR-BTS\insthlp.dll (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\BTR-BTS\ReportingHelper.dll (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz63.tmp\nsisdl.dll (14 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsu61.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz63.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\APNMagicSearch_Reporting (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz63.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\BTR-BTS\insthlp.dll_0 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz63.tmp\nsisdl.dll (0 bytes)
The process BrowserTabSearchMediaBar.exe:1000 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\BTR-BTS\ReportingHelper.dll (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm54.tmp\nsisdl.dll (14 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\BrowserTabSearch\BrowserTabSearchUninstall.exe (7192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\BTR-BTS\insthlp.dll (1856 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\BrowserTabSearch\msbloader64.exe (3616 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\BrowserTabSearch\msb.dll (12088 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm54.tmp\System.dll (11 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\BrowserTabSearch\msb64.dll (13584 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx53.tmp (26309 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\BrowserTabSearch\msbloader.exe (3312 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsm54.tmp\nsisdl.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\APNMagicSearch_Reporting (0 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\BrowserTabSearch\msbloader64.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm54.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm54.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx52.tmp (0 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\BrowserTabSearch\msb64.dll (0 bytes)
The process imapi.exe:2396 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Temp\6f4vovr7.TMP (146970 bytes)
The process mediabar.exe:160 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsw31\nsn35.tmp\BrowserTabSearchMediaBar.exe (3465 bytes)
The process %original file name%.exe:3864 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Cookies\KCNUF5R3.txt (89 bytes)
%Documents and Settings%\%current user%\Start Menu\µTorrent.lnk (820 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\D944B3378FAB35793B7951FA53E41B2AB9CC462B\main.css (6 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\72F0D3E2141065DACF6134D07A06A2DF20590748\main.css (946 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (408 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\µTorrent.lnk (798 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\72F0D3E2141065DACF6134D07A06A2DF20590748\icon.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\utt2A.tmp.new (113 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\featuredContent.btapp (14 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\72F0D3E2141065DACF6134D07A06A2DF20590748\index.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\utt2D.tmp.exe (47888 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\toolbar_offer.benc (28 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\D944B3378FAB35793B7951FA53E41B2AB9CC462B\empty_movie.gif (282 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\maindoc.ico (63 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\plus.btapp (796 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\D944B3378FAB35793B7951FA53E41B2AB9CC462B\btapp (201 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\toolbar.benc.new (113 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\D944B3378FAB35793B7951FA53E41B2AB9CC462B\info_icon.png (250 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\settings.dat.new (142 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\utt27.tmp.new (2 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\D944B3378FAB35793B7951FA53E41B2AB9CC462B\vid_thumb.jpg (23 bytes)
%Documents and Settings%\%current user%\Cookies\I4R5GJTA.txt (89 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\D944B3378FAB35793B7951FA53E41B2AB9CC462B\x.png (265 bytes)
%Documents and Settings%\%current user%\Desktop\µTorrent.lnk (820 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar29.tmp (2712 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\72F0D3E2141065DACF6134D07A06A2DF20590748\btapp (196 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\uTorrent.exe (7386 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\utt2B.tmp.new (79 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\player.btapp (3 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\welcome-upsell.btapp (28 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\72F0D3E2141065DACF6134D07A06A2DF20590748\index.html (1 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\D944B3378FAB35793B7951FA53E41B2AB9CC462B\index.html (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\utt2C.tmp.new (28 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1844237615-1960408961-1801674531-1003\1f91d2d17ea675d4c2c3192e241743f9_75ed9567-aa58-4c8e-a8ea-3cad7c47ab03 (105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\utt58.tmp.new (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab28.tmp (54 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\Tar29.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\utt2B.tmp.28765.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\utt2B.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\utt2C.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\utt58.tmp.29062.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\utt27.tmp (0 bytes)
%Documents and Settings%\%current user%\Cookies\KCNUF5R3.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\utt2D.tmp.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\utt2C.tmp.28769.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\utt27.tmp.28746.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab28.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\utt58.tmp (0 bytes)
The process utt2D.tmp.exe:4056 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsw31.tmp\ns57.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3D.tmp (4545 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\x64 (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\42.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3F.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4E.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw31\Helper.dll (63950 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw31\nsn35.tmp\pack.exe (110155 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\48.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw31.tmp\registry.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\47.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw31.tmp\UserInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\43.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\40.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\45.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3C.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3A.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw31.tmp\ns60.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\44.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\38.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4B.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw31.tmp\nsExec.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw31\Starter.exe (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4A.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3B.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\E9UY92VW\install_statistics[1].xml (498 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\37.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4C.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3E.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\49.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw31.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\41.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw31.tmp\ns4F.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw31\nsn35.tmp\mediabar.exe (19152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\36.tmp (4545 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\Helper.dll (14988 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw31.tmp\ns50.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4D.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq2F.tmp (259636 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\Uninstall.exe (3616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw31.tmp\ns56.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\39.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw31.tmp\ns51.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\46.tmp (4545 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsw31.tmp\ns57.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3D.tmp (0 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\x64 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\42.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3F.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw31.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4E.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\48.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw31.tmp\registry.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\47.tmp (0 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\x64\Internet Explorer Settings Update.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\43.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\40.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\45.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3C.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3A.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw31.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw31.tmp\ns60.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw31.tmp\UserInfo.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\44.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\38.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4B.tmp (0 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\x64\safetynut_ie.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw31.tmp\nsExec.dll (0 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\x64\safetyldr_u.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4A.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3B.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\E9UY92VW\install_statistics[1].xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\37.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4C.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3E.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\49.tmp (0 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\x64\Internet Explorer Settings.exe (0 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\x64\safetyldr.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\41.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw31.tmp\ns4F.tmp (0 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\Internet Explorer Settings Update.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\36.tmp (0 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\x64\safetynut.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw31.tmp\ns50.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw2E.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4D.tmp (0 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\x64\safetycrt.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw31.tmp\ns56.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\39.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw31.tmp\ns51.tmp (0 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\x64\configmgrc1.cfg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\46.tmp (0 bytes)
The process SafetyNutManager.exe:4040 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Application Data\SafetyNut\general.cfg (1 bytes)
%Documents and Settings%\All Users\Application Data\SafetyNut\S-1-5-21-1844237615-1960408961-1801674531-1003.cfg (4013 bytes)
%Documents and Settings%\All Users\Application Data\SafetyNut\coordinator.cfg (1864 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\All Users\Application Data\SafetyNut\S-1-5-21-1844237615-1960408961-1801674531-1003.cfg.bak (0 bytes)
%Documents and Settings%\All Users\Application Data\SafetyNut\coordinator.cfg.bak (0 bytes)
The process pack.exe:1528 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\Browser Tab Search by Ask\SafetyNut\favicon.ico (1 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\Internet Explorer Settings.exe (9958 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\SafetyNutManager.exe (44197 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\x64\Internet Explorer Settings.exe (9866 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\x64\safetynut_ie.dll (18892 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\safetynut.dll (19938 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\x64\safetyldr_u.dll (24 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\safetyldr.dll (20 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\safetyChrome.dll (2309 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\configmgrc1.cfg (31 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\Internet Explorer Settings Update.exe (9483 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\safetyldr_u.dll (946 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\x64\safetynut.dll (17899 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\x64\Internet Explorer Settings Update.exe (11380 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\x64\safetycrt.dll (5792 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\safetynut_ie.dll (18311 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\safetynut.exe (29145 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\x64\configmgrc1.cfg (36 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\safetycrt.dll (4877 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\x64\safetyldr.dll (24 bytes)
The process msfeedssync.exe:2096 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Feeds\FeedsStore.feedsdb-ms (3114 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\Internet Explorer Suggested Sites~.feed-ms (1080 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\SuggestedSites.dat (4 bytes)
%WinDir%\Tasks\User_Feed_Synchronization-{414D0F7C-B684-437B-B53E-8AB5AE32E070}.job (416 bytes)
Registry activity
The process uTorrent.exe:516 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKCU\Software\BitTorrent\uTorrent]
"OfferProvider" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 42 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"
"TypesSupported" = "7"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
[HKCU\Software\BitTorrent\uTorrent]
"OfferViaCAU" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\ESENT\Process\uTorrent\DEBUG]
"Trace Level" = ""
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"
[HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"utorrent.exe" = "9000"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
[HKCU\Software\Microsoft\Internet Explorer\Main\WindowsSearch]
"Version" = "WS not installed"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1397862678"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "96 F8 48 67 E9 12 47 DC 73 AF 04 42 FA 6D 9B 18"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "uTorrent.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Favorites" = "%Documents and Settings%\%current user%\Favorites"
[HKCU\Software\BitTorrent\uTorrent]
"OfferName" = ""
"OfferAccepted" = "0"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots in their names, which do not refer to any zone, to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
[HKLM\SOFTWARE\Microsoft\ESENT\Process\uTorrent\DEBUG]
"Trace Level"
The process BrowserTabSearchMediaBar.exe:1404 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\IACSearchAndMedia\MSB]
"env" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Browser Tab Search by Ask_IE]
"DisplayIcon" = "%Program Files%\Browser Tab Search by Ask\SafetyNut\BrowserTabSearch\BrowserTabSearchUninstall.exe"
"DisplayVersion" = "3.0.0.0.242"
"DisplayName" = "Browser Tab Search by Ask for Internet Explorer"
[HKLM\SOFTWARE\IACSearchAndMedia\MSB]
"apn_uid" = "3430024475584820"
"distributed" = "IAC Search & Media, Inc."
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\IACSearchAndMedia\MSB]
"o" = "APN11459"
"browser" = "ie"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Browser Tab Search by Ask_IE]
"Path" = "%Program Files%\Browser Tab Search by Ask\SafetyNut\BrowserTabSearch"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Browser Tab Search by Ask_IE]
"NoModify" = "1"
[HKLM\SOFTWARE\IACSearchAndMedia\MSB]
"AppID" = "101"
"search_url" = "http://dts.search.ask.com/sr?src=tlb&gct=bar&sysid=488&apn_dtid=^TCH001^YY^US&apn_uid=3430024475584820&appid=101&o=APN11459&apn_ptnrs=^BE3&q="
"COMPANY" = "IAC Search and Media"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Browser Tab Search by Ask_IE]
"NoRepair" = "1"
"ExternalUninstallString" = "%Program Files%\Browser Tab Search by Ask\SafetyNut\Uninstall.exe /browser=ie"
"UninstallString" = "%Program Files%\Browser Tab Search by Ask\SafetyNut\BrowserTabSearch\BrowserTabSearchUninstall.exe /browser=ie"
[HKLM\SOFTWARE\IACSearchAndMedia\MSB]
"uninstall_ie" = "%Program Files%\Browser Tab Search by Ask\SafetyNut\BrowserTabSearch\BrowserTabSearchUninstall.exe /browser=ie"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0E 29 B3 9A 4D 97 30 E0 DF AB 97 43 61 2E BA D4"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\BTR-BTS\insthlp.dll_0,"
[HKLM\SOFTWARE\IACSearchAndMedia\MSB]
"sysid" = "488"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\IACSearchAndMedia\MSB]
"apn_dtid" = "TCH001"
"UninstallParam_IE" = "anxa=APNMSB&anxe=UninstallerEvent&anxp=^BE3^TCH001^YY^US&anxr=D3FF6F11-B3C3-4807-868C-94427683D1B6&anxt=3430024475584820&anxv=3.0.0.0&anxtv=3.0.0.0&tpid=BTR-BTS&apn_dbr=IE&o=APN11459&trgb=IE&doi=2014-05-23"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Browser Tab Search by Ask_IE]
"Publisher" = "IAC Search and Media"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Browser Tab Search by Ask" = "%Program Files%\Browser Tab Search by Ask\SafetyNut\BrowserTabSearch\msbloader.exe"
The process BrowserTabSearchMediaBar.exe:1000 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\IACSearchAndMedia\MSB]
"env" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Browser Tab Search by Ask_IE]
"DisplayIcon" = "%Program Files%\Browser Tab Search by Ask\SafetyNut\BrowserTabSearch\BrowserTabSearchUninstall.exe"
"DisplayVersion" = "3.0.0.0.242"
"DisplayName" = "Browser Tab Search by Ask for Internet Explorer"
[HKLM\SOFTWARE\IACSearchAndMedia\MSB]
"ReportingParam" = "http://phn.apnanalytics.com/tr.gif?anxa=APNMSB&anxe=PhoneHome&anxp=^BE3^TCH001^YY^US&&anxt=3430024475584820&anxv=3.0.0.0&anxtv=3.0.0.0&tpid=BTR-BTS&apn_dbr=IE&o=APN11459&trgb=IE&doi=2014-05-23&installationResult=success"
"apn_uid" = "3430024475584820"
"distributed" = "IAC Search & Media, Inc."
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\IACSearchAndMedia\MSB]
"o" = "APN11459"
"browser" = "ie"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Browser Tab Search by Ask_IE]
"Path" = "%Program Files%\Browser Tab Search by Ask\SafetyNut\BrowserTabSearch"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Browser Tab Search by Ask_IE]
"NoModify" = "1"
[HKLM\SOFTWARE\IACSearchAndMedia\MSB]
"AppID" = "101"
"search_url" = "http://dts.search.ask.com/sr?src=tlb&gct=bar&sysid=488&apn_dtid=^TCH001^YY^US&apn_uid=3430024475584820&appid=101&o=APN11459&apn_ptnrs=^BE3&q="
"COMPANY" = "IAC Search and Media"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Browser Tab Search by Ask_IE]
"NoRepair" = "1"
"ExternalUninstallString" = "%Program Files%\Browser Tab Search by Ask\SafetyNut\Uninstall.exe /browser=ie"
"UninstallString" = "%Program Files%\Browser Tab Search by Ask\SafetyNut\BrowserTabSearch\BrowserTabSearchUninstall.exe /browser=ie"
[HKLM\SOFTWARE\IACSearchAndMedia\MSB]
"uninstall_ie" = "%Program Files%\Browser Tab Search by Ask\SafetyNut\BrowserTabSearch\BrowserTabSearchUninstall.exe /browser=ie"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "36 68 7C 04 7D 6A EC 2F 9C 3C BB A3 98 1F F2 67"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\IACSearchAndMedia\MSB]
"sysid" = "488"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\IACSearchAndMedia\MSB]
"apn_dtid" = "TCH001"
"UninstallParam_IE" = "anxa=APNMSB&anxe=UninstallerEvent&anxp=^BE3^TCH001^YY^US&anxr=5E42545E-6CDC-4155-BA34-EA19BE158646&anxt=3430024475584820&anxv=3.0.0.0&anxtv=3.0.0.0&tpid=BTR-BTS&apn_dbr=IE&o=APN11459&trgb=IE&doi=2014-05-23"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Browser Tab Search by Ask_IE]
"Publisher" = "IAC Search and Media"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Browser Tab Search by Ask" = "%Program Files%\Browser Tab Search by Ask\SafetyNut\BrowserTabSearch\msbloader.exe"
The process imapi.exe:2396 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "07 A5 76 F6 A6 57 2E 43 2A 1E B9 D6 97 6B AB 20"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\Imapi]
"ControlFlags" = "1"
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\Imapi\ImapiSvc]
"BitNames" = " ImapiDebugError ImapiDebugWarning ImapiDebugTrace ImapiDebugInfo ImapiDebugX ImapiDebugSort"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\Imapi]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\Imapi\ImapiSvc]
"Guid" = "8107d8e9-e323-49f5-bba2-abc35c243dca"
The process mediabar.exe:160 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1D 70 3B 81 86 B9 C3 7F E8 33 B6 66 EC 65 59 2A"
The process %original file name%.exe:3864 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\uTorrent]
"MajorVersion" = "3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3E 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Classes\.btkey]
"Content Type" = "application/x-bittorrent-key"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKCU\Software\Classes\Magnet\shell\open\command]
"(Default)" = "%Documents and Settings%\%current user%\Application Data\uTorrent\uTorrent.exe %1"
[HKCU\Software\Classes\bittorrent\DefaultIcon]
"(Default)" = "%Documents and Settings%\%current user%\Application Data\uTorrent\maindoc.ico"
[HKCU\Software\Classes\Magnet\DefaultIcon]
"(Default)" = "%Documents and Settings%\%current user%\Application Data\uTorrent\maindoc.ico"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Classes\.btkey]
"(Default)" = "uTorrent"
[HKCU\Software\Classes\Magnet]
"Content Type" = "application/x-magnet"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\uTorrent]
"DisplayName" = "µTorrent"
[HKCU\Software\Classes\.btskin]
"Content Type" = "application/x-bittorrent-skin"
[HKCR\MIME\Database\Content Type\application/x-bittorrent-app]
"Extension" = ".btapp"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKCU\Software\Classes\Magnet]
"URL Protocol" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\uTorrent]
"MinorVersion" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\uTorrent]
"UninstallString" = "%Documents and Settings%\%current user%\Application Data\uTorrent\uTorrent.exe /UNINSTALL"
[HKCU\Software\Classes\Applications\uTorrent.exe\shell]
"(Default)" = "open"
[HKCU\Software\Classes\.btapp]
"(Default)" = "uTorrent"
[HKCU\Software\Classes\Magnet]
"(Default)" = "Magnet URI"
[HKCU\Software\BitTorrent\uTorrent]
"OfferProvider" = ""
[HKCU\Software\Classes\bittorrent\shell]
"(Default)" = "open"
[HKCR\MIME\Database\Content Type\application/x-bittorrent-key]
"Extension" = ".btkey"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Classes\.btsearch]
"(Default)" = "uTorrent"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Classes\uTorrent\DefaultIcon]
"(Default)" = "%Documents and Settings%\%current user%\Application Data\uTorrent\maindoc.ico"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\BitTorrent\uTorrent]
"OfferViaCAU" = "0"
[HKCU\Software\Classes\MIME\Database\Content Type\application/x-bittorrent-key]
"Extension" = ".btkey"
[HKCU\Software\Classes\.btinstall]
"(Default)" = "uTorrent"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
[HKCU\Software\BitTorrent]
"computerid" = "2C 1F 12 B0 4C 84 0E D8 E6 AF 8E 72 F7 EC 98 9D"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FD C9 97 E4 A0 AB 64 83 EE 05 EE 13 FE FB A6 96"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\uTorrent]
"NoRepair" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Classes\MIME\Database\Content Type\application/x-bittorrent-app]
"Extension" = ".btapp"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\uTorrent]
"Publisher" = "BitTorrent Inc."
[HKCU\Software\Classes\.btskin]
"(Default)" = "uTorrent"
[HKCU\Software\Classes\uTorrent\shell\open\command]
"(Default)" = "%Documents and Settings%\%current user%\Application Data\uTorrent\uTorrent.exe %1"
[HKCU\Software\Classes\FalconBetaAccount]
"remote_access_client_id" = "1137952374"
[HKCU\Software\Classes\bittorrent]
"URL Protocol" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\uTorrent]
"DisplayVersion" = "3.4.1.30888"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"utt2D.tmp.exe" = "Browser Tab Search by Ask Install"
[HKCU\Software\Classes\bittorrent]
"(Default)" = "bittorrent URI"
[HKCU\Software\Classes\MIME\Database\Content Type\application/x-bittorrent]
"Extension" = ".torrent"
[HKCR\MIME\Database\Content Type\application/x-bittorrent-skin]
"Extension" = ".btskin"
[HKCU\Software\Classes\Magnet\shell]
"(Default)" = "open"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\uTorrent]
"DisplayIcon" = "%Documents and Settings%\%current user%\Application Data\uTorrent\uTorrent.exe,0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKCU\Software\Classes\uTorrent\shell]
"(Default)" = "open"
[HKCU\Software\Classes\.btsearch\OpenWithProgids]
"uTorrent" = ""
[HKCU\Software\Classes\uTorrent\Content Type]
"(Default)" = "application/x-bittorrent"
[HKCU\Software\Classes\.torrent\OpenWithProgids]
"uTorrent" = ""
[HKCR\MIME\Database\Content Type\application/x-bittorrentsearchdescription xml]
"Extension" = ".btsearch"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\uTorrent]
"NoModify" = "1"
[HKCU\Software\BitTorrent\uTorrent]
"OfferName" = ""
[HKCU\Software\Classes\.btinstall]
"Content Type" = "application/x-bittorrent-appinst"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\uTorrent]
"InstallLocation" = "%Documents and Settings%\%current user%\Application Data\uTorrent"
[HKCR\MIME\Database\Content Type\application/x-bittorrent-appinst]
"Extension" = ".btinstall"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\uTorrent]
"VersionMinor" = "4"
[HKCU\Software\Classes\Applications\uTorrent.exe\shell\open\command]
"(Default)" = "%Documents and Settings%\%current user%\Application Data\uTorrent\uTorrent.exe %1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Classes\.btsearch]
"Content Type" = "application/x-bittorrentsearchdescription xml"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\BitTorrent\uTorrent]
"Revision" = "30888"
[HKCU\Software\Classes\MIME\Database\Content Type\application/x-bittorrent-appinst]
"Extension" = ".btinstall"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Classes\.torrent]
"(Default)" = "uTorrent"
[HKCU\Software\Classes\MIME\Database\Content Type\application/x-bittorrentsearchdescription xml]
"Extension" = ".btsearch"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\uTorrent]
"VersionMajor" = "3"
[HKCU\Software\Classes\.torrent]
"Content Type" = "application/x-bittorrent"
[HKCR\MIME\Database\Content Type\application/x-bittorrent]
"Extension" = ".torrent"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKCU\Software\Classes\bittorrent]
"Content Type" = "application/x-bittorrent-protocol"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\uTorrent]
"URLInfoAbout" = "http://www.utorrent.com"
[HKCU\Software\Classes\.btapp]
"Content Type" = "application/x-bittorrent-app"
[HKCU\Software\Classes\MIME\Database\Content Type\application/x-bittorrent-skin]
"Extension" = ".btskin"
[HKCU\Software\Classes\bittorrent\shell\open\command]
"(Default)" = "%Documents and Settings%\%current user%\Application Data\uTorrent\uTorrent.exe %1"
[HKCU\Software\BitTorrent\uTorrent]
"OfferAccepted" = "0"
Adds a rule to the Windows Firewall which allows any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\Application Data\uTorrent]
"utorrent.exe" = "%Documents and Settings%\%current user%\Application Data\uTorrent\uTorrent.exe:*:Enabled:μTorrent"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"uTorrent" = "%Documents and Settings%\%current user%\Application Data\uTorrent\uTorrent.exe /MINIMIZED"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots in their names, which do not refer to any zone, to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process utt2D.tmp.exe:4056 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utiljumpflip.exe]
"debugger" = "tasklist.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\browsersafeguard.exe]
"debugger" = "tasklist.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\volaro]
"debugger" = "tasklist.exe"
[HKLM\SOFTWARE\SafetyNut]
"Version" = "5.0.0.12521"
[HKLM\System\CurrentControlSet\Control\Session Manager\AppCertDlls]
"x86" = "%Program Files%\Browser Tab Search by Ask\SafetyNut\safetycrt.dll"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\SafetyNut\General]
"UID" = "3430024475584820"
"iver" = "5.0.0.12521"
[HKCU\Software\Microsoft\Internet Explorer\TabbedBrowsing]
"ShowTabsWelcome" = "0"
[HKLM\SOFTWARE\SafetyNut\General]
"Country" = "UA"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vonteera]
"debugger" = "tasklist.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\searchprotection.exe]
"debugger" = "tasklist.exe"
[HKCU\Software\Microsoft\Internet Explorer\TabbedBrowsing]
"OpenInForeground" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 40 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2488}]
"DisplayName" = "Ask.com"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\searchprotector.exe]
"debugger" = "tasklist.exe"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "http://www.search.ask.com/?o=APN11459&gct=hp&d=488-101&v=n12521-356&t=4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKLM\SOFTWARE\SafetyNut\General]
"ostype" = "win32"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{A40DC6C5-79D0-4ca8-A185-8FF989AF1115}]
"Flags" = "1024"
[HKCU\Software\Microsoft\Internet Explorer\TabbedBrowsing]
"QuickTabsThreshold" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\browserdefender.exe]
"debugger" = "tasklist.exe"
[HKLM\SOFTWARE\SafetyNut\General]
"kbn" = "12521"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bprotect.exe]
"debugger" = "tasklist.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\SafetyNut]
"browser" = " ie"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2488}]
"SuggestionsURL_JSON" = "http://www.search.ask.com/suggest.php?src=ieb&gct=ds&appid=101&systemid=488&v=n12521-356&apn_uid=3430024475584820&apn_dtid=TCH001&o=APN11459&apn_ptnrs=AG1&qu={searchTerms}&ft=json"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\searchsettings.exe]
"debugger" = "tasklist.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2488}]
"Deleted" = "0"
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2488}]
"SuggestionsURL_JSON" = "http://www.search.ask.com/suggest.php?src=ieb&gct=ds&appid=101&systemid=488&v=n12521-356&apn_uid=3430024475584820&apn_dtid=TCH001&o=APN11459&apn_ptnrs=AG1&qu={searchTerms}&ft=json"
[HKCU\Software\Microsoft\Internet Explorer\TabbedBrowsing]
"NewTabPageShowActivities" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\websteroidsservice.exe]
"debugger" = "tasklist.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKLM\SOFTWARE\SafetyNut\General]
"ie_hp_supported" = "1"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main]
"FrameAuto" = "1"
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2488}]
"ShowSearchSuggestions" = "1"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2488}]
"FaviconPath" = "%Program Files%\Browser Tab Search by Ask\SafetyNut\favicon.ico"
[HKLM\SOFTWARE\SafetyNut\General]
"LN" = "en"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\snapdo.exe]
"debugger" = "tasklist.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\stinst64.exe]
"debugger" = "tasklist.exe"
[HKLM\SOFTWARE\SafetyNut\General]
"home" = "%Program Files%\Browser Tab Search by Ask"
"clid" = "{343AA2E4-75F8-48CA-B815-4B7FE38BA2A2}"
[HKCU\Software\Microsoft\Internet Explorer\TabbedBrowsing]
"NewTabPageShow" = "1"
[HKLM\SOFTWARE\SafetyNut\General]
"osl" = "en-US"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "59 F8 97 A9 45 F9 93 93 99 75 AD 7B B0 C0 55 2E"
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2488}]
"FaviconPath" = "%Program Files%\Browser Tab Search by Ask\SafetyNut\favicon.ico"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2488}]
"Deleted" = "0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitguard.exe]
"debugger" = "tasklist.exe"
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2488}]
"DisplayName" = "Ask.com"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\searchsettings64.exe]
"debugger" = "tasklist.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\protectedsearch.exe]
"debugger" = "tasklist.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"10" = "10"
[HKLM\SOFTWARE\SafetyNut\General]
"kapid" = "0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\websteroids.exe]
"debugger" = "tasklist.exe"
[HKCU\Software\Microsoft\Internet Explorer\TabbedBrowsing]
"Enabled" = "1"
[HKLM\SOFTWARE\SafetyNut\General]
"iTime" = "2014-05-23"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\browserprotect.exe]
"debugger" = "tasklist.exe"
[HKCU\Software\Microsoft\Internet Explorer\TabbedBrowsing]
"ShortcutBehavior" = "1"
[HKCU\Software\Microsoft\Internet Explorer\Approved Extensions]
"{A40DC6C5-79D0-4ca8-A185-8FF989AF1115}" = "51 66 7A 6C 4C 1D 3B 1B D5 D9 17 B9 E3 28 C4 06"
[HKCU\Software\Microsoft\Internet Explorer\TabbedBrowsing]
"UseHomepageForNewTab" = "1"
[HKLM\SOFTWARE\SafetyNut\General]
"pver" = "5.0.0.12521"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2488}]
"ShowSearchSuggestions" = "1"
[HKLM\SOFTWARE\SafetyNut\General]
"kisid" = "0"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2488}]
"URL" = "http://dts.search.ask.com/sr?src=ieb&gct=ds&appid=101&systemid=488&v=n12521-356&apn_uid=3430024475584820&apn_dtid=TCH001&o=APN11459&apn_ptnrs=AG1&q={searchTerms}"
[HKCU\Software\Microsoft\Internet Explorer\TabbedBrowsing]
"Groups" = "1"
[HKLM\SOFTWARE\SafetyNut\General]
"sysid" = "488"
[HKCU\Software\Microsoft\Internet Explorer\TabbedBrowsing]
"OpenAllHomePages" = "1"
[HKLM\SOFTWARE\SafetyNut\General]
"UC" = "356"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\SOFTWARE\SafetyNut\General]
"osver" = "5.1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bpsvc.exe]
"debugger" = "tasklist.exe"
[HKLM\SOFTWARE\SafetyNut\General]
"sitime" = "1400855820"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dprotectsvc.exe]
"debugger" = "tasklist.exe"
[HKLM\SOFTWARE\SafetyNut\General]
"AppID" = "101"
"os_user_type" = "Admin"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Internet Explorer\TabbedBrowsing]
"NewTabPageShowClosedTabs" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\searchinstaller.exe]
"debugger" = "tasklist.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\SafetyNut\General]
"Guid" = "{10AC039D-1073-3BCA-E76F-EB60607D86B8}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\SafetyNut\General]
"aw" = "No"
"ptype" = "n"
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2488}]
"URL" = "http://dts.search.ask.com/sr?src=ieb&gct=ds&appid=101&systemid=488&v=n12521-356&apn_uid=3430024475584820&apn_dtid=TCH001&o=APN11459&apn_ptnrs=AG1&q={searchTerms}"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jumpflip]
"debugger" = "tasklist.exe"
[HKLM\SOFTWARE\SafetyNut\General]
"itime_t" = ""
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\stinst32.exe]
"debugger" = "tasklist.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKLM\SOFTWARE\SafetyNut\General]
"ie_ds_supported" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\umbrella.exe]
"debugger" = "tasklist.exe"
The Trojan modifies IE security-zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan adds a reference to itself so that it is executed when a user logs on:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoRestartShell" = "1"
The Trojan modifies IE security-zone settings to map all local web nodes with no dots in their names that are not assigned to any other zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security-zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"Appinit_Dlls"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"
The Trojan disables automatic startup of the application by deleting the following autorun values:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"removeBrowserTabSearchdatamngr"
"removeBrowserTabSearchtoolbar"
The process safetynut.exe:2128 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AE 66 76 61 25 46 75 88 64 C7 22 32 AD 7A 67 D5"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
The process rundll32.exe:2456 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AA C8 D7 15 95 BB 1F 70 00 0C 2F 9F AF F8 F0 4A"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\CleanupWiz]
"Days between clean up" = "60"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\CleanupWiz]
"Last used time" = "80 38 62 A9 AD 76 CF 01"
The process SafetyNutManager.exe:2064 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "38 A1 B0 8D 9D C6 16 88 8B 14 B8 B0 35 28 9B 8E"
[HKLM\System\CurrentControlSet\Control\Session Manager\AppCertDlls]
"x64" = "c:\program files\browser tab search by ask\safetynut\x64\safetycrt.dll"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
The process SafetyNutManager.exe:3204 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5D 1D 0C 14 DA ED C9 CC F3 3C 23 3E 30 54 B5 BA"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\SafetyNut\General]
"srn1" = "F06DEFF2-5B9C-490D-910F-35D3A9119622"
"srn0" = "SafetyNutManager"
The process SafetyNutManager.exe:4040 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CD AA 05 57 FF EF 24 8F 5C 7B B5 6B A9 7F B9 6C"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\LocalService\Local Settings\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
The process regsvr32.exe:288 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\SearchQUIEHelper.DNSGuard\CLSID]
"(Default)" = "{A40DC6C5-79D0-4ca8-A185-8FF989AF1115}"
[HKCR\TypeLib\{6A4BCABA-C437-4C76-A54E-AF31B8A76CB9}\1.0]
"(Default)" = "SearchQUIEBHO 1.0 Type Library"
[HKCR\CLSID\{A40DC6C5-79D0-4ca8-A185-8FF989AF1115}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCR\TypeLib\{6A4BCABA-C437-4C76-A54E-AF31B8A76CB9}\1.0\0\win32]
"(Default)" = "C:\PROGRA~1\BROWSE~1\SAFETY~1\SAE8B3~1.DLL"
[HKCR\Interface\{1B730ACF-26A3-447B-9994-14AEE0EB72CC}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{CC1AC828-BB47-4361-AFB5-96EEE259DD87}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{A40DC6C5-79D0-4ca8-A185-8FF989AF1115}]
"(Default)" = "SafetyNut"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKCR\CLSID\{CC1AC828-BB47-4361-AFB5-96EEE259DD87}\InprocServer32]
"(Default)" = "C:\PROGRA~1\BROWSE~1\SAFETY~1\SAE8B3~1.DLL"
[HKCR\TypeLib\{6A4BCABA-C437-4C76-A54E-AF31B8A76CB9}\1.0\HELPDIR]
"(Default)" = "C:\PROGRA~1\BROWSE~1\SAFETY~1"
[HKCR\CLSID\{A40DC6C5-79D0-4ca8-A185-8FF989AF1115}\InprocServer32]
"(Default)" = "C:\PROGRA~1\BROWSE~1\SAFETY~1\SAE8B3~1.DLL"
[HKCR\CLSID\{A40DC6C5-79D0-4ca8-A185-8FF989AF1115}\VersionIndependentProgID]
"(Default)" = "SearchQUIEHelper.UrlHelper"
[HKCR\SearchQUIEHelper.DNSGuard.1]
"(Default)" = "SafetyNut"
[HKCR\CLSID\{A40DC6C5-79D0-4ca8-A185-8FF989AF1115}\ProgID]
"(Default)" = "SearchQUIEHelper.UrlHelper.1"
[HKCR\Interface\{1B730ACF-26A3-447B-9994-14AEE0EB72CC}]
"(Default)" = "IDNSGuard"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EC B1 B9 A1 76 72 41 CE BA 07 D9 8C 76 6B 9E 76"
[HKCR\Interface\{1B730ACF-26A3-447B-9994-14AEE0EB72CC}\TypeLib]
"Version" = "1.0"
[HKCR\SearchQUIEHelper.DNSGuard.1\CLSID]
"(Default)" = "{A40DC6C5-79D0-4ca8-A185-8FF989AF1115}"
[HKCR\Interface\{1B730ACF-26A3-447B-9994-14AEE0EB72CC}\TypeLib]
"(Default)" = "{6A4BCABA-C437-4C76-A54E-AF31B8A76CB9}"
[HKCR\Interface\{1B730ACF-26A3-447B-9994-14AEE0EB72CC}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{CC1AC828-BB47-4361-AFB5-96EEE259DD87}]
"(Default)" = "ErrorFilter Class"
[HKCR\SearchQUIEHelper.DNSGuard\CurVer]
"(Default)" = "SearchQUIEHelper.UrlHelper.1"
[HKCR\TypeLib\{6A4BCABA-C437-4C76-A54E-AF31B8A76CB9}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\SearchQUIEHelper.DNSGuard]
"(Default)" = "SafetyNut"
The Trojan deletes the following registry key(s):
[HKCR\CLSID\{A40DC6C5-79D0-4ca8-A185-8FF989AF1115}\InprocServer32]
[HKCR\CLSID\{CC1AC828-BB47-4361-AFB5-96EEE259DD87}\InprocServer32]
[HKCR\CLSID\{A40DC6C5-79D0-4ca8-A185-8FF989AF1115}\VersionIndependentProgID]
[HKCR\CLSID\{A40DC6C5-79D0-4ca8-A185-8FF989AF1115}]
[HKCR\CLSID\{CC1AC828-BB47-4361-AFB5-96EEE259DD87}\Programmable]
[HKCR\CLSID\{CC1AC828-BB47-4361-AFB5-96EEE259DD87}]
[HKCR\CLSID\{A40DC6C5-79D0-4ca8-A185-8FF989AF1115}\Programmable]
[HKCR\CLSID\{A40DC6C5-79D0-4ca8-A185-8FF989AF1115}\ProgID]
The process msbloader.exe:200 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4E AE 68 F0 90 77 2F BB 86 2E F5 5B 6D 27 E8 71"
The process msbloader.exe:368 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "65 38 44 AF 95 A1 B0 01 82 96 91 89 0B E9 19 18"
The process pack.exe:1528 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "27 B5 5D 74 77 67 7E 00 A4 CE 2B 72 78 5E BF C2"
The process msfeedssync.exe:2096 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1F 54 37 F6 FA 1A 8C 50 3B FC 19 CE 6A EF EF 3C"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Favorites" = "%Documents and Settings%\%current user%\Favorites"
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Internet Explorer\Suggested Sites]
"DeletePending" = "0"
"UploadDiagInfo" = "1C 5C 00 00 71 17 00 08 80 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Internet Explorer\Main\WindowsSearch]
"Version" = "WS not installed"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
Dropped PE files
MD5 | File path |
---|---|
fef48bf77720b2bb587c511eb7b91973 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\BTR-BTS\ReportingHelper.dll |
2a9e782d5dae8cdaa2d20b1206dd3a70 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\BTR-BTS\insthlp.dll |
297234c8ca7508dd11305299b41b1f03 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsw31\Helper.dll |
57cad4c3fefc19e01e1915417da3be73 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsw31\Starter.exe |
1de7eb13174c9f47cc34962c8a80cb0e | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsw31\nsn35.tmp\BrowserTabSearchMediaBar.exe |
1adf4b948e521e10fb9e0f2d1920bbb1 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsw31\nsn35.tmp\mediabar.exe |
51399e48b0e8be79ed7913668d090fd0 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsw31\nsn35.tmp\pack.exe |
9469f9edd12c805fe5bfaafb70c7f3db | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\utt2D.tmp.exe |
41b689f0846bf01b7a9281ae844e5ed6 | c:\Program Files\Browser Tab Search by Ask\SafetyNut\BrowserTabSearch\BrowserTabSearchUninstall.exe |
f26ddbd35521ffbd54c0bcf6b4891111 | c:\Program Files\Browser Tab Search by Ask\SafetyNut\BrowserTabSearch\msb.dll |
2018874cd4d77b00414a7f514150d2f9 | c:\Program Files\Browser Tab Search by Ask\SafetyNut\BrowserTabSearch\msbloader.exe |
297234c8ca7508dd11305299b41b1f03 | c:\Program Files\Browser Tab Search by Ask\SafetyNut\Helper.dll |
ccb72fbb7edcf03dd4fe87be22112655 | c:\Program Files\Browser Tab Search by Ask\SafetyNut\Internet Explorer Settings.exe |
f9b579c16c0ddca7e575179c8db7464c | c:\Program Files\Browser Tab Search by Ask\SafetyNut\SafetyNutManager.exe |
f14e1ebbd4a845927db6c84be71e16fe | c:\Program Files\Browser Tab Search by Ask\SafetyNut\Uninstall.exe |
e8a501f0ae3868f87f9fe782d745d902 | c:\Program Files\Browser Tab Search by Ask\SafetyNut\configmgrc1.cfg |
ad18a467a95d4768cf3808f0f1e1f96c | c:\Program Files\Browser Tab Search by Ask\SafetyNut\safetyChrome.dll |
d3b3489dc788d72f53ff16e0d76b3790 | c:\Program Files\Browser Tab Search by Ask\SafetyNut\safetycrt.dll |
54b49af72a305a40fb9eff2fd6c26786 | c:\Program Files\Browser Tab Search by Ask\SafetyNut\safetyldr.dll |
faf932cc3d806dfe24d343e4c2293c45 | c:\Program Files\Browser Tab Search by Ask\SafetyNut\safetyldr_u.dll |
353bee28a0af4cdff92fd5df771be234 | c:\Program Files\Browser Tab Search by Ask\SafetyNut\safetynut.dll |
21d95f48f34324eb0b815fe70ba9ca44 | c:\Program Files\Browser Tab Search by Ask\SafetyNut\safetynut.exe |
229bcdc8bd5f402ccc363cd47dbef7f8 | c:\Program Files\Browser Tab Search by Ask\SafetyNut\safetynut_ie.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
Using the driver "\??\%Program Files%\Browser Tab Search by Ask\SafetyNut\configmgrc1.cfg", the Trojan monitors operations on the system registry by installing a registry notifier.
The Trojan installs the following kernel-mode hooks:
ZwOpenProcess
ZwOpenThread
Using the driver "\??\%Program Files%\Browser Tab Search by Ask\SafetyNut\configmgrc1.cfg", the Trojan attaches its filter device object to the Volume Device Object (VDO) of the file system driver.
Propagation
VersionInfo
Company Name: BitTorrent Inc.
Product Name: HD Player
Product Version: 3.4.1.30888
Legal Copyright: (c)2014 BitTorrent, Inc. All Rights Reserved.
Legal Trademarks:
Original Filename: uTorrent.exe
Internal Name: uTorrent.exe
File Version: 3.4.1.30888
File Description:
Comments:
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
UPX0 | 4096 | 2093056 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
UPX1 | 2097152 | 1138688 | 1135104 | 5.54501 | d9be275472bbc3e9e8b0df4ee03ffaa8 |
.rsrc | 3235840 | 126976 | 123904 | 4.8819 | d6dbb5db1451f22526321545f9b1906d |
Dropped from:
Downloaded by:
Similar by SSDeep:
0f205f276e833adcd79f1a2841709b0e
Similar by Lavasoft Polymorphic Checker:
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET P2P BTWebClient UA uTorrent in use
ET P2P BitTorrent DHT ping request
Traffic
GET /plus/utorrent/index.html HTTP/1.1
Host: utclient.utorrent.com
User-Agent: BTWebClient/3410(30888)
Accept-Encoding: gzip
Connection: Close
HTTP/1.1 200 OK
x-amz-id-2: Z9dcRY7SSqgDxye1vK 8et8ZInztCaFW9mbyaNnKf0y39YKyHSu7HS4z3Hr6tMke
x-amz-request-id: AD482389F3762F04
Date: Fri, 23 May 2014 14:35:49 GMT
Last-Modified: Fri, 18 Apr 2014 23:42:47 GMT
ETag: "ae4de37a73f20b44bc195a1b12d3a7c5"
Content-Type: text/html
Content-Length: 796
Server: AmazonS3

<html>
<head>
<script type='text/javascript' src='../commonjs/jq.js'></script>
<script type='text/javascript' src='../commonjs/plusactive.js?ver=1'></script>
<script type="text/javascript">
$.ajax({
  url: "hXXp://VVV.utorrent.com/scripts/headers.php",
  dataType: 'jsonp',
  success: function(headers) {
    country = headers['Geoip-Country-Code'];
    // Redirect US visitors
    if(country == 'US'){
      setToUS();
    }
  }
});
</script>
<script src="//cdn.optimizely.com/js/240758443.js"></script>
<link href="../commoncss/index.css" rel="stylesheet" type="text/css"/>
<meta charset=utf-8>
<title>Default : Plus Upgrade App</title>
</head>
<body>
<iframe id='ifr' width='100%' height='100%'></iframe>
</body>
</html>
GET /static/magicsbox/JITFeature.xml HTTP/1.1
User-Agent: MSB User Agent
Host: apnstatic.ask.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Server: Apache
ETag: "ce8b3a1ddf747846227f0437c3025d2b:1378773465"
Last-Modified: Fri, 06 Sep 2013 22:42:28 GMT
Accept-Ranges: bytes
Content-Length: 182
Content-Type: application/xml
Date: Fri, 23 May 2014 14:36:55 GMT
Connection: keep-alive

<?xml version="1.0" encoding="UTF-8"?>
<FeatureProperties>
  <QuickNav enabled="true" />
  <SearchDefense enabled="true" />
  <MSB enabled="true" />
</FeatureProperties>
GET /checkupdate.php?s=1&cl=uTorrent&v=109279400&l=en&svp=4&svn_revno=30888&tk=stable34&period=7&sids=0,0,0,0,0&lv=0_0_&c=US&w=A280105&h=TIQO2OavjnL37Jid&mts=31&gnc=1&nat_state=255&it=1&pc=8&sctl=1&shdi=1&def_tor=1&doainstalled=0&ie=8.0.6001.18702&xim=3&insvr=109279400&sss=2&rsb=2&rtsb=2&view=win32&cmp=129&ocmp=129&plus=3&pupsell=1&adc=1&ch_up=1?fg=1000&mt=51386&ssb=98&ssu=11644473697&xseq=0 HTTP/1.1
Host: update.utorrent.com
User-Agent: BTWebClient/3410(30888)
Accept-Encoding: gzip
Connection: Close
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Fri, 23 May 2014 14:36:59 GMT
Content-Type: text/html
Content-Length: 642
Connection: close
X-Powered-By: PHP/5.4.27
Expires: Thu, 21 Jul 1980 00:00:00 GMT
Cache-Control: private
Last-Modified: Fri, 23 May 2014 14:36:59 GMT

d10:adsEnabledi1e13:fblikeEnabledi0e14:twitterEnabledi0e13:adRefreshRatei360e9:ftEnabledi1e11:lrecEnabledi1e14:sendConversioni0e19:specialOfferEnabledi0e20:specialOfferImageUrl0:21:specialOfferAcceptUrl0:17:specialOfferTitle0:28:specialOfferAcceptButtonText0:29:specialOfferDeclineButtonText0:22:offerRolloutLabEnabledi1e17:trayOfferImageUrl51:http://utclient.utorrent.com/images/mobile-icon.png18:trayOfferTargetUrl21:http://bit.ly/1hknGHI22:trayOfferHoverOverText23:uTorrent Android Client17:trayOfferOneClicki0e10:searchUrls61:Infospace Search|hXXp://utorrent.inspsearch.com/search/web?q=1:k0:2:ip15:193.138.244.2312:tsi1400855819e1:c2:uae
GET /installstats.php?cl=uTorrent&v=109279400&h=TIQO2OavjnL37Jid&w=A280105&bu=0&pr=0&cmp=129&ocmp=129&showtbexists&pid=3864&cau=0&tbe=0&cd=0&view=win32 HTTP/1.1
Accept-Encoding: gzip
User-Agent: uTorrent(30888)/3.4.1
Host: update.utorrent.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Fri, 23 May 2014 14:35:31 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/5.4.27
0
GET /download/langpacks/dl.php?build=30888&ref=client&client=utorrent&sys_l=en&sel_l=0&tk=stable34 HTTP/1.1
Host: VVV.utorrent.com
User-Agent: BTWebClient/3410(30888)
Accept-Encoding: gzip
Connection: Close
HTTP/1.1 301 Moved Permanently
Server: nginx/1.4.7
Date: Fri, 23 May 2014 14:37:02 GMT
Content-Type: text/html
Location: hXXp://VVV.utorrent.com/scripts/dl.php?build=30888&ref=client&client=utorrent&sys_l=en&sel_l=0&tk=stable34
Content-Length: 184
Connection: close
<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.4.7</center>
</body>
</html>
POST /install_statistics.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE; Win32)
Host: service.safetynutbe.com
Content-Length: 2498
Cache-Control: no-cache
XML=<secure_request><salt>488</salt><data>4gXg6gQOl3lzDy/i4URJaYxQXybBKPh1MQwKWnj77wppbe1HOPyhHF8GMMS6AE0QXAZ34dwtcLTFncC3ckE45Xbr0hhA41f7smIeORMx5rJJOR pv3HG97Cnr7/F i8bvpLYd ZN8Qf79UPLZhTXwzHvVvz jp9VVEQkzOIEBQYovhuhg7hxEnHi8sjqt4JmQmmMjNFc eXQF1nekFjFa13SjfWx40VA/lhQYiAdO/yuyl2kPgWukj EILRvLTEwlSiS/lfTLYfYOBCNCras9jhq6zrEpZAbD2BVcWycRhrmnwtw5jlaocU2sHhUzGTIAzwbvG09fdUdXOBlciGYx01XT8RsuK GDtOcnstSdki7e9npngWCwgp31TNXZl96YdnDRJNSoTRqAyTTEYkc RwBQ59RIH74/Toia4kdO2zGe7w2OWWaw7q5uonidm4XhNZ1I6b9JvLMEUx2ykUe/as zwiG f0daZCxXYAsy seJkYoMHlE4pWpZQmXetEvmBQuX4kV/pXZJfPPw8Pb2HOacSrmTlEtM99LrKUJgJMG6spqXOkMLfJxBpo5Aw3m5LqsO0Kup6Zoy14Hauwoda479FF58EH2PUdVPPkL8MLi4IrsoJNPaAGMhVK258odIanAOOwnzFgfY9POeuL8v4sgzs8UGsjlPi9NsTKZsbCShC76HVZ6IrXUTV6uDFiWWlw5Yiy19r/JsgI7cdSNmmyzrKaEABDtEPMqJP2f5HN1o9UNxH3XBTiyCSjbpJGqBFOsLJB8IkJJlrJxW7iIakSGh 91ihgxXQTg04FL1dqD5vGGZpwJPq1hqcfLXYv5nZIRckhRZVAbOlmL7qHGKCAp4hMrRhz3gdFPoD5G8lWZuqsHkxbJDRELfKdkzkGINcjHrAl2h3j13oq2ZMOWxmnDWWwYlRJ/oulHKkE2PyXXNNhFOWNKnEemibWeqrPJlkx110IC2LdHmAuIZTCvQwZZ84FpkL6 9p5MxJn9jH8YPRRLzSkLZPMjbAeahvvikRW4FIVHtgE FRrCQVpPkYR6ZxSrwOrMPjGxwGCbS RVA97Gif3l9xbiWa3DRby/w56SgrzCk6erijK/JNaBzNiBn08cS1WQM4lSF/TndlnJybMOAfTohTbHjQaLouHoordTAyuECPJPKjSxKQvWEPNFj15yrwXXEVnDIVhlOT CvCgqY1DTparI4UpeJ5ZvsYSXV51jJiswNukbFOTwf
HTTP/1.1 200 OK
Content-Type: text/xml
Date: Fri, 23 May 2014 14:37:00 GMT
Server: nginx
X-Server: web1
Content-Length: 498
Connection: keep-alive
<?xml version="1.0" encoding="utf-8"?>
<secure_reply>
<data>[base64-encoded encrypted reply payload, removed]</data>
</secure_reply>
POST /e?i=20 HTTP/1.1
Host: bench.utorrent.com
User-Agent: BTWebClient/3410(30888)
Accept-Encoding: gzip
Connection: Close
Content-Length: 293
{"h":"TIQO2OavjnL37Jid","cl":"uTorrent","v":109279400,"l":"en","w":"5.1","cts":1400855824,"eventName":"ap","fte":1,"lre":1,"ltic_0":0,"ltic_1":0,"lcic_0":0,"lcic_1":0,"laae":0,"lare":0,"laie":0,"lame":0,"name":"adrequest","errCode":0,"requestTime":1400855824,"action":"client.az.adrequest.ua"}
HTTP/1.1 200 OK
Content-Type: text/html
Date: Fri, 23 May 2014 14:38:46 GMT
Server: nginx/1.4.7
X-Powered-By: PHP/5.4.27
Content-Length: 21
Connection: Close
{"response_code":200}
POST /e?i=29 HTTP/1.1
Host: bench.utorrent.com
User-Agent: BTWebClient/3410(30888)
Accept-Encoding: gzip
Connection: Close
Content-Length: 171
{"h":"TIQO2OavjnL37Jid","cl":"uTorrent","v":109279400,"l":"en","w":"5.1","cts":1400855822,"eventName":"dimensions", "appsize": [ 1200, 600 ], "screensize": [ 1716, 901 ] }
HTTP/1.1 200 OK
Content-Type: text/html
Date: Fri, 23 May 2014 14:37:58 GMT
Server: nginx/1.4.7
X-Powered-By: PHP/5.4.27
Content-Length: 21
Connection: Close
{"response_code":200}
POST /e?i=29 HTTP/1.1
Host: bench.utorrent.com
User-Agent: BTWebClient/3410(30888)
Accept-Encoding: gzip
Connection: Close
Content-Length: 144
{"h":"TIQO2OavjnL37Jid","cl":"uTorrent","v":109279400,"l":"en","w":"5.1","cts":1400855822,"eventName":"flash", "flash version": "11,6,602,168" }
HTTP/1.1 200 OK
Content-Type: text/html
Date: Fri, 23 May 2014 14:38:20 GMT
Server: nginx/1.4.7
X-Powered-By: PHP/5.4.27
Content-Length: 21
Connection: Close
{"response_code":200}
GET /blank.html HTTP/1.1
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Accept-Encoding: gzip, deflate
Host: ads.bittorrent.com
Connection: Keep-Alive
HTTP/1.1 200 OK
x-amz-id-2: JWxhIKHNdEwAJuxjFoqm4a368O1LevOk82iD08REKC CGMW ePYeIhEWUCRcE0nd
x-amz-request-id: B631848566C2C6A8
Content-Type: text/html
Server: AmazonS3
Age: 234041
Date: Fri, 23 May 2014 14:37:02 GMT
Last-Modified: Thu, 23 Jan 2014 18:56:38 GMT
Content-Length: 109
Connection: keep-alive
<!DOCTYPE html>
<html>
<head>
</head>
<body style="overflow: hidden; margin: 0; padding: 0;">
</body>
</html>
POST /api/v2 HTTP/1.1
Host: engine.ap.bittorrent.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0 Windows NT 5.1; Trident/4.0)(30888)
Accept-Encoding: gzip
content-type: application/json
Connection: Close
Content-Length: 378
{ "keywords": [ "clientdata=utorrent|3.4.1.30888|129", "IEVersion=8", "flash=11,6,602,168" ], "placements": [ { "adTypes": [ 1224 ], "divName": "ft", "networkId": 5682, "properties": { "IEVersion": 8, "campaigncode": 129, "featurelevel": 0, "flash": "11,6,602,168", "major": 3, "minor": 4, "product": "utorrent", "tag": "", "tiny": 1, "version": 30888 }, "siteId": "33049" } ] }
HTTP/1.1 200 OK
Access-Control-Allow-Headers: accept, origin, content-type, content-length
Access-Control-Allow-Methods: GET,PUT,POST,DELETE,OPTIONS
Access-Control-Allow-Origin: *
Content-Type: application/json
Date: Fri, 23 May 2014 14:37:09 GMT
ETag: "1765517307"
Server: nginx/1.1.19
Set-Cookie: azk=ue1-3937da77de4b453193f0abd4ba5161ad; Path=/; Expires=Sat, 23 May 2015 14:37:09 GMT
x-powered-by: adzerk bifrost/
x-served-by: engine-us-east-1e-14
Content-Length: 2328
Connection: Close
[JSON ad-decision body (base64-encoded clickUrl/impressionUrl values, truncated by the report), removed]
GET /favicon.ico HTTP/1.1
Host: VVV.mininova.org
User-Agent: BTWebClient/3410(30888)
Accept-Encoding: gzip
If-Modified-Since: Sun, 1 Jan 1982 00:00:00 GMT
Connection: Close
HTTP/1.1 200 OK
Cache-control: public, max-age=25920000
Expires: Thu, 19 Mar 2015 14:37:05 GMT
Content-Type: image/x-icon
Accept-Ranges: bytes
ETag: "103585109"
Last-Modified: Sat, 30 Oct 2010 22:57:22 GMT
Content-Length: 318
Connection: close
Date: Fri, 23 May 2014 14:37:05 GMT
[binary body: 318-byte image/x-icon, removed]
GET /tr.gif?anxa=APNMSB&anxe=InstallerEvent&anxp=^BE3^TCH001^YY^US&anxr=D3FF6F11-B3C3-4807-868C-94427683D1B6&anxt=3430024475584820&anxv=3.0.0.0&anxtv=3.0.0.0&tpid=BTR-BTS&apn_dbr=IE&o=APN11459&trgb=IE&installationResult=success&ieVersionInstalled=8.0.6001.18702&ffVersionInstalled=29.0.1.5239&crVersionInstalled=34.0.1847.131 HTTP/1.0
Host: phn.apnanalytics.com
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 204 No Content
Server: nginx/1.0.1
Date: Fri, 23 May 2014 14:37:18 GMT
Connection: close
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-cache
Cache-Control: max-age=0
GET /installstats.php?cl=uTorrent&v=109279400&h=TIQO2OavjnL37Jid&w=A280105&bu=0&pr=0&cmp=129&ocmp=129&showtorrentoffer&pid=3864&cau=0&toroffer=0&torofferid=MotelLife&view=win32 HTTP/1.1
Accept-Encoding: gzip
User-Agent: uTorrent(30888)/3.4.1
Host: update.utorrent.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Fri, 23 May 2014 14:35:51 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/5.4.27
0
GET /plus/utorrent/index.html HTTP/1.1
Host: utclient.utorrent.com
User-Agent: BTWebClient/3410(30888)
Accept-Encoding: gzip
Connection: Close
HTTP/1.1 200 OK
x-amz-id-2: RcXdP /6EgAtruILtgXl5w6biNeQP31ly7SvqHTlhT1y3TALSMMLASz2rvyVdfILmGSdGba23GE=
x-amz-request-id: 4EACFB1CA8DF520B
Date: Fri, 23 May 2014 14:37:03 GMT
Last-Modified: Fri, 18 Apr 2014 23:42:47 GMT
ETag: "ae4de37a73f20b44bc195a1b12d3a7c5"
Content-Type: text/html
Content-Length: 796
Connection: close
Server: AmazonS3
<html>
<head>
  <script type='text/javascript' src='../commonjs/jq.js'></script>
  <script type='text/javascript' src='../commonjs/plusactive.js?ver=1'></script>
  <script type="text/javascript">
    $.ajax({
      url: "hXXp://VVV.utorrent.com/scripts/headers.php",
      dataType: 'jsonp',
      success: function(headers) {
        country = headers['Geoip-Country-Code'];
        // Redirect US visitors
        if(country == 'US'){
          setToUS();
        }
      }
    });
  </script>
  <script src="//cdn.optimizely.com/js/240758443.js"></script>
  <link href="../commoncss/index.css" rel="stylesheet" type="text/css"/>
  <meta charset=utf-8>
  <title>Default : Plus Upgrade App</title>
</head>
<body>
  <iframe id='ifr' width='100%' height='100%'></iframe>
</body>
</html>
GET /static/magicsbox/JITFeature.xml HTTP/1.1
User-Agent: MSB User Agent
Host: apnstatic.ask.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Server: Apache
ETag: "ce8b3a1ddf747846227f0437c3025d2b:1378773465"
Last-Modified: Fri, 06 Sep 2013 22:42:28 GMT
Accept-Ranges: bytes
Content-Length: 182
Content-Type: application/xml
Date: Fri, 23 May 2014 14:37:09 GMT
Connection: keep-alive
<?xml version="1.0" encoding="UTF-8"?>
<FeatureProperties>
  <QuickNav enabled="true" />
  <SearchDefense enabled="true" />
  <MSB enabled="true" />
</FeatureProperties>
GET /Advertisers/9b41b04aae7c4bd9b402ec332dfeef7d.png HTTP/1.1
Host: static.ap.bittorrent.com
User-Agent: BTWebClient/3410(30888)
Accept-Encoding: gzip
If-Modified-Since: Wed, 14 May 2014 05:03:15 GMT
Connection: Close
HTTP/1.1 304 Not Modified
Accept-Ranges: bytes
Date: Fri, 23 May 2014 14:37:06 GMT
Etag: "858dddb8e90c0a839d6871ff3c448e8e"
Expires: Wed, 22 May 2024 01:22:10 GMT
Last-Modified: Wed, 14 May 2014 05:03:15 GMT
Server: ECS (fra/D5A9)
x-amz-id-2: FWxFkr68iTcjdcJ76cpvfCge9XH9hOTfFmJKklKMgawM/A/gfalZ8dDjlgvFxPAmbz721BEIoSc=
x-amz-request-id: C09B397EC35E7595
X-Cache: HIT
Connection: close
POST /e?i=29 HTTP/1.1
Host: bench.utorrent.com
User-Agent: BTWebClient/3410(30888)
Accept-Encoding: gzip
Connection: Close
Content-Length: 171
{"h":"TIQO2OavjnL37Jid","cl":"uTorrent","v":109279400,"l":"en","w":"5.1","cts":1400855822,"eventName":"dimensions", "appsize": [ 1200, 600 ], "screensize": [ 1716, 901 ] }
HTTP/1.1 200 OK
Content-Type: text/html
Date: Fri, 23 May 2014 14:37:00 GMT
Server: nginx/1.4.7
X-Powered-By: PHP/5.4.27
Content-Length: 21
Connection: Close
{"response_code":200}
POST /e?i=20 HTTP/1.1
Host: bench.utorrent.com
User-Agent: BTWebClient/3410(30888)
Accept-Encoding: gzip
Connection: Close
Content-Length: 299
{"h":"TIQO2OavjnL37Jid","cl":"uTorrent","v":109279400,"l":"en","w":"5.1","cts":1400855824,"eventName":"ap","fte":1,"lre":1,"ltic_0":0,"ltic_1":0,"lcic_0":0,"lcic_1":0,"laae":0,"lare":0,"laie":0,"lame":0,"name":"siteId","errCode":0,"requestTime":1400855824,"action":"client.az.error.badsiteid.33049"}
HTTP/1.1 200 OK
Content-Type: text/html
Date: Fri, 23 May 2014 14:35:45 GMT
Server: nginx/1.4.7
X-Powered-By: PHP/5.4.27
Content-Length: 21
Connection: Close
{"response_code":200}
GET /utorrent-onboarding/player.btapp HTTP/1.1
Host: apps.bittorrent.com
User-Agent: BTWebClient/3410(30888)
Accept-Encoding: gzip
Connection: Close
HTTP/1.1 200 OK
x-amz-id-2: /obY3P5PPbe CSJNKu lU2WvNWxkRVjo5JUGd1PpMX6PRHqvoM4LUfv93W0Pu6K
x-amz-request-id: 948D22BD74AEA285
Accept-Ranges: bytes
Content-Type: binary/octet-stream
Server: AmazonS3
Age: 244754
Date: Fri, 23 May 2014 14:35:48 GMT
Last-Modified: Tue, 08 Oct 2013 00:53:35 GMT
Content-Length: 3097
Connection: close
[binary body: 3097-byte PK/zip archive (player.btapp; entry names visible in the dump: btapp, main.css, icon.bmp, index.html), truncated by the report, removed]
POST /e?i=20 HTTP/1.1
Host: bench.utorrent.com
User-Agent: BTWebClient/3410(30888)
Accept-Encoding: gzip
Connection: Close
Content-Length: 296
{"h":"TIQO2OavjnL37Jid","cl":"uTorrent","v":109279400,"l":"en","w":"5.1","cts":1400855824,"eventName":"ap","fte":1,"lre":1,"ltic_0":0,"ltic_1":0,"lcic_0":0,"lcic_1":0,"laae":0,"lare":0,"laie":0,"lame":0,"name":"Ads Enabled","errCode":0,"requestTime":1400855824,"action":"client.az.adsenabled.ua"}
HTTP/1.1 200 OK
Content-Type: text/html
Date: Fri, 23 May 2014 14:38:34 GMT
Server: nginx/1.4.7
X-Powered-By: PHP/5.4.27
Content-Length: 21
Connection: Close
{"response_code":200}
POST /e?i=29 HTTP/1.1
Host: bench.utorrent.com
User-Agent: BTWebClient/3410(30888)
Accept-Encoding: gzip
Connection: Close
Content-Length: 149
{"h":"TIQO2OavjnL37Jid","cl":"uTorrent","v":109279400,"l":"en","w":"5.1","cts":1400855823,"eventName":"cfu","action":"uTorrent.3.4.01.1.30888","i":0}
HTTP/1.1 200 OK
Content-Type: text/html
Date: Fri, 23 May 2014 14:38:00 GMT
Server: nginx/1.4.7
X-Powered-By: PHP/5.4.27
Content-Length: 21
Connection: Close
{"response_code":200}
GET /images/mobile-icon.png HTTP/1.1
Host: utclient.utorrent.com
User-Agent: BTWebClient/3410(30888)
Accept-Encoding: gzip
If-Modified-Since: Sun, 1 Jan 1982 00:00:00 GMT
Connection: Close
HTTP/1.1 200 OK
x-amz-id-2: P6BeDWDaOuA55w0/8fQhohMrbXjC/kGFA cOdtJtzdSpEeQj2Y27J2ms5JtxxIhve0CJtV8ZLeI=
x-amz-request-id: 18A314D9747B03E6
Date: Fri, 23 May 2014 14:37:07 GMT
x-amz-meta-cb-modifiedtime: Tue, 11 Mar 2014 23:12:00 GMT
Last-Modified: Tue, 11 Mar 2014 23:12:21 GMT
ETag: "4280089022fce23da2c64031bf137c08"
Content-Type: image/png
Content-Length: 1263
Connection: close
Server: AmazonS3
[binary body: 1263-byte PNG image with embedded Adobe XMP metadata, truncated by the report, removed]
POST /e?i=20 HTTP/1.1
Host: bench.utorrent.com
User-Agent: BTWebClient/3410(30888)
Accept-Encoding: gzip
Connection: Close
Content-Length: 299
{"h":"TIQO2OavjnL37Jid","cl":"uTorrent","v":109279400,"l":"en","w":"5.1","cts":1400855824,"eventName":"ap","fte":1,"lre":1,"ltic_0":0,"ltic_1":0,"lcic_0":0,"lcic_1":0,"laae":0,"lare":0,"laie":0,"lame":0,"name":"siteId","errCode":0,"requestTime":1400855824,"action":"client.az.error.badsiteid.33049"}
HTTP/1.1 200 OK
Content-Type: text/html
Date: Fri, 23 May 2014 14:36:59 GMT
Server: nginx/1.4.7
X-Powered-By: PHP/5.4.27
Content-Length: 21
Connection: Close
{"response_code":200}
GET / HTTP/1.1
Host: bundles.bittorrent.com
User-Agent: BTWebClient/3410(30888)
Accept-Encoding: gzip
Connection: Close
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
Cache-Control: public, max-age=300
Content-Encoding: gzip
Date: Fri, 23 May 2014 14:33:27 GMT
ETag: "1503368232"
Set-Cookie: connect.sid=eyJwYXNzcG9ydCI6e319--5f19a0dc71d1127c1494f9a84f91312152a2ef2e; Path=/; Expires=Fri, 23 May 2014 18:33:27 GMT; HttpOnly
Vary: Accept-Encoding
Age: 141
X-Cache: Hit from cloudfront
Via: 1.1 f96185b1d69d6f85635bc2b5554da639.cloudfront.net (CloudFront)
X-Amz-Cf-Id: c0Q3DKjj7iY5oA6_IyzVwI84kxnwjF2UEgzl0x_q2vZXpFsD-oNqrg==
[gzip-compressed chunked HTML body, truncated by the report, removed]
GET /installstats.php?cl=uTorrent&v=109279400&h=TIQO2OavjnL37Jid&w=A280105&bu=0&pr=0&cmp=129&ocmp=129&offerretrievedfromserver&pid=3864&cau=0&ServerOfferRetrieved=1&sec_offs=adk,oc&view=win32 HTTP/1.1
Accept-Encoding: gzip
User-Agent: uTorrent(30888)/3.4.1
Host: update.utorrent.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Fri, 23 May 2014 14:35:31 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/5.4.27
0
GET /installstats.php?cl=uTorrent&v=109279400&h=TIQO2OavjnL37Jid&w=A280105&bu=0&pr=0&cmp=129&ocmp=129&gettbinstallresult&pid=3864&cau=0&tbinstallresult=3&cbhomepage=1&cbsearch=1&error=0&msg=&tb=imesh&url=http://llsw.download3.utorrent.com/offers/imesh-en-20140501.exe&prog=100&t= &view=win32 HTTP/1.1
Accept-Encoding: gzip
User-Agent: uTorrent(30888)/3.4.1
Host: update.utorrent.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Fri, 23 May 2014 14:37:04 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/5.4.27
0
POST /e?i=20 HTTP/1.1
Host: bench.utorrent.com
User-Agent: BTWebClient/3410(30888)
Accept-Encoding: gzip
Connection: Close
Content-Length: 293
{"h":"TIQO2OavjnL37Jid","cl":"uTorrent","v":109279400,"l":"en","w":"5.1","cts":1400855825,"eventName":"ap","fte":1,"lre":1,"ltic_0":0,"ltic_1":0,"lcic_0":0,"lcic_1":0,"laae":0,"lare":0,"laie":0,"lame":0,"name":"adrequest","errCode":0,"requestTime":1400855825,"action":"client.az.adrequest.ua"}
HTTP/1.1 200 OK
Content-Type: text/html
Date: Fri, 23 May 2014 14:38:01 GMT
Server: nginx/1.4.7
X-Powered-By: PHP/5.4.27
Content-Length: 21
Connection: Close
{"response_code":200}
POST /api/v2 HTTP/1.1
Host: engine.ap.bittorrent.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0 Windows NT 5.1; Trident/4.0)(30888)
Accept-Encoding: gzip
content-type: application/json
Connection: Close
Content-Length: 377
{ "keywords": [ "clientdata=utorrent|3.4.1.30888|129", "IEVersion=8", "flash=11,6,602,168" ], "placements": [ { "adTypes": [ 9 ], "divName": "lrec", "networkId": 5682, "properties": { "IEVersion": 8, "campaigncode": 129, "featurelevel": 0, "flash": "11,6,602,168", "major": 3, "minor": 4, "product": "utorrent", "tag": "", "tiny": 1, "version": 30888 }, "siteId": "33049" } ] }
HTTP/1.1 200 OK
Access-Control-Allow-Headers: accept, origin, content-type, content-length
Access-Control-Allow-Methods: GET,PUT,POST,DELETE,OPTIONS
Access-Control-Allow-Origin: *
Content-Type: application/json
Date: Fri, 23 May 2014 14:39:10 GMT
ETag: "358381392"
Server: nginx/1.1.19
Set-Cookie: azk=ue1-e5af78a7e34a4a49be0868fe035a9cdd; Path=/; Expires=Sat, 23 May 2015 14:39:10 GMT
x-powered-by: adzerk bifrost/
x-served-by: engine-us-east-1e-03
Content-Length: 2321
Connection: Close
[JSON ad-decision body (base64-encoded clickUrl/impressionUrl values, truncated by the report), removed]
GET /i.gif?e=eyJhdiI6MzY0OTMsImF0Ijo5LCJjbSI6MTEyMjM3LCJjaCI6ODc4NSwiY3IiOjMzMDkwOCwiZGkiOiJlMGQyMWFjNjk0NTQ0NGMzOTEwNDk1MDI4NDMwYjM0MyIsImRtIjoxLCJmYyI6NDA4MTgyLCJmbCI6MjA2NDQxLCJrdyI6ImNsaWVudGRhdGE9dXRvcnJlbnR8My40LjEuMzA4ODh8MTI5LGlldmVyc2lvbj04LGZsYXNoPTExLDYsNjAyLDE2OCIsIm53Ijo1NjgyLCJwYyI6MC4wOCwicHIiOjIzNzU1LCJydCI6Mywic3QiOjMzMDQ5LCJ0ciI6dHJ1ZSwidWsiOiJ1ZTEtZTVhZjc4YTdlMzRhNGE0OWJlMDg2OGZlMDM1YTljZGQiLCJ0cyI6MTQwMDg1NTk1MDI0OCwiZnEiOjF9&s=a9bsJ5ihH9WGSkYZHCay2pKIJsM HTTP/1.1
Host: engine.ap.bittorrent.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0 Windows NT 5.1; Trident/4.0)(30888)
Accept-Encoding: gzip
Accept-Language: en-US
Connection: Close
HTTP/1.1 200 OK
Access-Control-Allow-Headers: accept, origin, content-type, content-length
Access-Control-Allow-Methods: GET,PUT,POST,DELETE,OPTIONS
Access-Control-Allow-Origin: *
Content-Type: image/gif
Date: Fri, 23 May 2014 14:38:25 GMT
Server: nginx/1.1.19
Set-Cookie: azk=ue1-e5af78a7e34a4a49be0868fe035a9cdd; Path=/; Expires=Sat, 23 May 2015 14:38:25 GMT
Set-Cookie: azk-events=W3siYXYiOjM2NDkzLCJhdCI6OSwiY20iOjExMjIzNywiY2giOjg3ODUsImNyIjozMzA5MDgsImRpIjoiZTBkMjFhYzY5NDU0NDRjMzkxMDQ5NTAyODQzMGIzNDMiLCJkbSI6MSwiZmMiOjQwODE4MiwiZmwiOjIwNjQ0MSwia3ciOiJjbGllbnRkYXRhPXV0b3JyZW50fDMuNC4xLjMwODg4fDEyOSxpZXZlcnNpb249OCxmbGFzaD0xMSw2LDYwMiwxNjgiLCJudyI6NTY4MiwicGMiOjAuMDgsInByIjoyMzc1NSwicnQiOjMsInN0IjozMzA0OSwidHIiOnRydWUsInVrIjoidWUxLWU1YWY3OGE3ZTM0YTRhNDliZTA4NjhmZTAzNWE5Y2RkIiwidHMiOjE0MDA4NTU5NTAyNDgsImNpIjoiMGI2MWVlOGI1MDJmNDkyM2JlMDI3NGI5ZDkxNTI4MTkiLCJjdiI6MX1d; Path=/; Expires=Sun, 22 Jun 2014 14:38:25 GMT
x-powered-by: adzerk bifrost/
x-served-by: engine-us-east-1b-05
Content-Length: 43
Connection: Close
GIF89a.............!.......,...........D..;..
GET /installstats.php?cl=uTorrent&v=109279400&h=TIQO2OavjnL37Jid&w=A280105&bu=0&pr=0&cmp=129&ocmp=129&showinstall&pid=3864&cau=0&au=0&view=win32 HTTP/1.1
Accept-Encoding: gzip
User-Agent: uTorrent(30888)/3.4.1
Host: update.utorrent.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Fri, 23 May 2014 14:35:29 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/5.4.27
0
GET /offers/imesh_ie_20140221.bmp HTTP/1.1
Host: llsw.download3.utorrent.com
User-Agent: BTWebClient/3410(30888)
Accept-Encoding: gzip
Connection: Close
HTTP/1.1 200 OK
Server: nginx/1.4.4
Content-Type: image/x-ms-bmp
Cache-Control: max-age=3600
Accept-Ranges: bytes
Age: 1100
Date: Fri, 23 May 2014 14:35:29 GMT
Last-Modified: Sat, 22 Feb 2014 00:45:07 GMT
Expires: Fri, 23 May 2014 15:17:09 GMT
Content-Length: 28700
Connection: close
[binary body: 28700-byte image/x-ms-bmp, truncated by the report, removed]
GET /Advertisers/9b41b04aae7c4bd9b402ec332dfeef7d.png HTTP/1.1
Host: static.ap.bittorrent.com
User-Agent: BTWebClient/3410(30888)
Accept-Encoding: gzip
If-Modified-Since: Sun, 1 Jan 1982 00:00:00 GMT
Connection: Close
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Type: image/png
Date: Fri, 23 May 2014 14:37:06 GMT
Etag: "858dddb8e90c0a839d6871ff3c448e8e"
Expires: Wed, 22 May 2024 01:22:10 GMT
Last-Modified: Wed, 14 May 2014 05:03:15 GMT
Server: ECS (fra/D5A9)
x-amz-id-2: FWxFkr68iTcjdcJ76cpvfCge9XH9hOTfFmJKklKMgawM/A/gfalZ8dDjlgvFxPAmbz721BEIoSc=
x-amz-request-id: C09B397EC35E7595
X-Cache: HIT
Content-Length: 9534
Connection: close
[binary body: 9534-byte PNG image, truncated by the report, removed]
POST /e?i=20 HTTP/1.1
Host: bench.utorrent.com
User-Agent: BTWebClient/3410(30888)
Accept-Encoding: gzip
Connection: Close
Content-Length: 295
{"h":"TIQO2OavjnL37Jid","cl":"uTorrent","v":109279400,"l":"en","w":"5.1","cts":1400855827,"eventName":"ap","fte":1,"lre":1,"ltic_0":1,"ltic_1":1,"lcic_0":0,"lcic_1":0,"laae":0,"lare":0,"laie":0,"lame":0,"name":"impression","errCode":0,"requestTime":1400855827,"action":"client.az.impression.ua"}
HTTP/1.1 200 OK
Content-Type: text/html
Date: Fri, 23 May 2014 14:36:29 GMT
Server: nginx/1.4.7
X-Powered-By: PHP/5.4.27
Content-Length: 21
Connection: Close
{"response_code":200}
GET /installstats.php?cl=uTorrent&v=109279400&h=TIQO2OavjnL37Jid&w=A280105&bu=0&pr=0&cmp=129&ocmp=129&offerapierror&pid=3864&cau=0&OfferError=OfferNotReady&OfferProvider=NotProvided&OfferType=Server&view=win32 HTTP/1.1
Accept-Encoding: gzip
User-Agent: uTorrent(30888)/3.4.1
Host: update.utorrent.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Fri, 23 May 2014 14:35:44 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/5.4.27
GET /i.gif?e=eyJhdiI6MzY0OTMsImF0IjoxMjI0LCJjbSI6MTEyMjM3LCJjaCI6ODc4NSwiY3IiOjMzMDg2NiwiZGkiOiI0NDhlNDhjMGJiZDg0YWNkOTdkYmM0ODI4NjUxMjU1YyIsImRtIjoxLCJmYyI6NDA4MTQxLCJmbCI6MjA2NDM1LCJrdyI6ImNsaWVudGRhdGE9dXRvcnJlbnR8My40LjEuMzA4ODh8MTI5LGlldmVyc2lvbj04LGZsYXNoPTExLDYsNjAyLDE2OCIsIm53Ijo1NjgyLCJwYyI6MC4wMiwicHIiOjIzNzU1LCJydCI6Mywic3QiOjMzMDQ5LCJ0ciI6dHJ1ZSwidWsiOiJ1ZTEtMzkzN2RhNzdkZTRiNDUzMTkzZjBhYmQ0YmE1MTYxYWQiLCJ0cyI6MTQwMDg1NTgyOTk2OCwiZnEiOjF9&s=q-yOGJwVWMGSPi6TPdSxyU_yQgg HTTP/1.1
Host: engine.ap.bittorrent.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0 Windows NT 5.1; Trident/4.0)(30888)
Accept-Encoding: gzip
Accept-Language: en-US
Connection: Close
HTTP/1.1 200 OK
Access-Control-Allow-Headers: accept, origin, content-type, content-length
Access-Control-Allow-Methods: GET,PUT,POST,DELETE,OPTIONS
Access-Control-Allow-Origin: *
Content-Type: image/gif
Date: Fri, 23 May 2014 14:35:57 GMT
Server: nginx/1.1.19
Set-Cookie: azk=ue1-3937da77de4b453193f0abd4ba5161ad; Path=/; Expires=Sat, 23 May 2015 14:35:57 GMT
Set-Cookie: azk-events=W3siYXYiOjM2NDkzLCJhdCI6MTIyNCwiY20iOjExMjIzNywiY2giOjg3ODUsImNyIjozMzA4NjYsImRpIjoiNDQ4ZTQ4YzBiYmQ4NGFjZDk3ZGJjNDgyODY1MTI1NWMiLCJkbSI6MSwiZmMiOjQwODE0MSwiZmwiOjIwNjQzNSwia3ciOiJjbGllbnRkYXRhPXV0b3JyZW50fDMuNC4xLjMwODg4fDEyOSxpZXZlcnNpb249OCxmbGFzaD0xMSw2LDYwMiwxNjgiLCJudyI6NTY4MiwicGMiOjAuMDIsInByIjoyMzc1NSwicnQiOjMsInN0IjozMzA0OSwidHIiOnRydWUsInVrIjoidWUxLTM5MzdkYTc3ZGU0YjQ1MzE5M2YwYWJkNGJhNTE2MWFkIiwidHMiOjE0MDA4NTU4Mjk5NjgsImNpIjoiMzllZDBiZmI5ZGMzNGVkNGI0ODQ4MDVmZjJkZDM5ODMiLCJjdiI6MX1d; Path=/; Expires=Sun, 22 Jun 2014 14:35:57 GMT
x-powered-by: adzerk bifrost/
x-served-by: engine-us-east-1b-15
Content-Length: 43
Connection: Close
GET /i.gif?e=eyJhdiI6MzY0OTMsImF0Ijo5LCJjbSI6MTEyMjM3LCJjaCI6ODc4NSwiY3IiOjMzMDkwOCwiZGkiOiJlOGEzNTM4ZDM1MTY0ZTI3OGJiNTZkNzAyYWMwZTkwMyIsImRtIjoxLCJmYyI6NDA4MTgyLCJmbCI6MjA2NDQxLCJrdyI6ImNsaWVudGRhdGE9dXRvcnJlbnR8My40LjEuMzA4ODh8MTI5LGlldmVyc2lvbj04LGZsYXNoPTExLDYsNjAyLDE2OCIsIm53Ijo1NjgyLCJwYyI6MC4wOCwicHIiOjIzNzU1LCJydCI6Mywic3QiOjMzMDQ5LCJ0ciI6dHJ1ZSwidWsiOiJ1ZTEtNjIyNDk0ZDc5ZDc1NGNkMjhlOWEwOTM3Mjg5ZWI2YzkiLCJ0cyI6MTQwMDg1NTgwMzAzNSwiZnEiOjF9&s=_IMQG4uptLQ5YCYGGuN70Si6tbA HTTP/1.1
Host: engine.ap.bittorrent.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0 Windows NT 5.1; Trident/4.0)(30888)
Accept-Encoding: gzip
Accept-Language: en-US
Connection: Close
HTTP/1.1 200 OK
Access-Control-Allow-Headers: accept, origin, content-type, content-length
Access-Control-Allow-Methods: GET,PUT,POST,DELETE,OPTIONS
Access-Control-Allow-Origin: *
Content-Type: image/gif
Date: Fri, 23 May 2014 14:36:34 GMT
Server: nginx/1.1.19
Set-Cookie: azk=ue1-622494d79d754cd28e9a0937289eb6c9; Path=/; Expires=Sat, 23 May 2015 14:36:34 GMT
Set-Cookie: azk-events=W3siYXYiOjM2NDkzLCJhdCI6OSwiY20iOjExMjIzNywiY2giOjg3ODUsImNyIjozMzA5MDgsImRpIjoiZThhMzUzOGQzNTE2NGUyNzhiYjU2ZDcwMmFjMGU5MDMiLCJkbSI6MSwiZmMiOjQwODE4MiwiZmwiOjIwNjQ0MSwia3ciOiJjbGllbnRkYXRhPXV0b3JyZW50fDMuNC4xLjMwODg4fDEyOSxpZXZlcnNpb249OCxmbGFzaD0xMSw2LDYwMiwxNjgiLCJudyI6NTY4MiwicGMiOjAuMDgsInByIjoyMzc1NSwicnQiOjMsInN0IjozMzA0OSwidHIiOnRydWUsInVrIjoidWUxLTYyMjQ5NGQ3OWQ3NTRjZDI4ZTlhMDkzNzI4OWViNmM5IiwidHMiOjE0MDA4NTU4MDMwMzUsImNpIjoiY2JkZWEwOWVhNjQzNDNiOWEwNzYxNzkzNTRmODJjMTgiLCJjdiI6MX1d; Path=/; Expires=Sun, 22 Jun 2014 14:36:34 GMT
x-powered-by: adzerk bifrost/
x-served-by: engine-us-east-1b-27
Content-Length: 43
Connection: Close
GET /msdownload/update/v3/static/trustedr/en/authrootseq.txt HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: VVV.download.windowsupdate.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Wed, 12 Mar 2014 05:29:31 GMT
Accept-Ranges: bytes
ETag: "806f4cbb43dcf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 18
Cache-Control: max-age=2597
Date: Fri, 23 May 2014 14:35:24 GMT
Connection: keep-alive
X-CCC: RU
X-CID: 2
1401CF3DB40B609892
GET /offers/imesh-en-20140501.exe HTTP/1.1
Host: llsw.download3.utorrent.com
User-Agent: BTWebClient/3410(30888)
Accept-Encoding: gzip
Connection: Close
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/octet-stream
Cache-Control: max-age=14400
Accept-Ranges: bytes
Age: 1231
Date: Fri, 23 May 2014 14:35:48 GMT
Last-Modified: Fri, 02 May 2014 21:50:06 GMT
Expires: Fri, 23 May 2014 18:15:17 GMT
Content-Length: 6656336
Connection: close
POST /e?i=32 HTTP/1.1
Host: bench.utorrent.com
User-Agent: BTWebClient/3410(30888)
Accept-Encoding: gzip
Connection: Close
Content-Length: 133
{"h":"TIQO2OavjnL37Jid","cl":"uTorrent","v":109279400,"l":"en","w":"5.1","cts":1400855823,"eventName":"changed_settings","tags":[ ]}
HTTP/1.1 200 OK
Content-Type: text/html
Date: Fri, 23 May 2014 14:38:45 GMT
Server: nginx/1.4.7
X-Powered-By: PHP/5.4.27
Content-Length: 21
Connection: Close
{"response_code":200}
GET /download/langpacks/dl.php?build=30888&ref=client&client=utorrent&sys_l=en&sel_l=0&tk=stable34 HTTP/1.1
Host: utorrent.com
User-Agent: BTWebClient/3410(30888)
Accept-Encoding: gzip
Connection: Close
HTTP/1.1 301 Moved Permanently
Server: nginx/1.4.7
Date: Fri, 23 May 2014 14:37:02 GMT
Content-Type: text/html
Content-Length: 184
Connection: close
Location: hXXp://VVV.utorrent.com/download/langpacks/dl.php?build=30888&ref=client&client=utorrent&sys_l=en&sel_l=0&tk=stable34
<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.4.7</center>
</body>
</html>
POST /e?i=853EA7A31A873F12C565A7486FC7DF383DFDB9BE HTTP/1.1
Host: bench.utorrent.com
User-Agent: Hydra HttpRequest
Connection: close
Content-Length: 93
{"eventName":"hydra.compat.good","pid":"3864","h":"853EA7A31A873F12C565A7486FC7DF383DFDB9BE"}
HTTP/1.1 200 OK
Content-Type: text/html
Date: Fri, 23 May 2014 14:36:50 GMT
Server: nginx/1.4.7
X-Powered-By: PHP/5.4.27
Content-Length: 21
Connection: Close
{"response_code":200}
POST /login HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 1986
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: preved.safetynutbe.com
Connection: Keep-Alive
XML=<secure_request><salt>488</salt><data>tLTwKI4 /gWoMnOvniSAWY3aEZ9IwGs lvw0l2YHy3LC3PpbPdCYKouiFJmSQKsIUKccv1/5ShZs6Q8ooE1H hgx7C/ROCmHQifvZVlyNiRvuKPPrQqPDsLeerL00d1SCuaRb4AoveW3SNnqqBH0Fs91ydQZIii7QFaPPeiJ4AO3TodPTLTNi0zeZ81 gutdSQGAPfWY6LWUR/F/3B6L4IRhbu6zuFYgYK1nfO0KQiG2VJaaGTrBnjRoiyUQAKoXnqft34cQEFPgz0qytubICZ lMAdg sZCUzqxyqpXdiN4UkJkGcn8NxN0Cnm9FGww06UjHGLvpgEiN6VIhPpfeN/ar31 PvFFWaGdXgHAvKAmdRGa69AZf5dL/5KgZR8DnyeneIJh3dVILMBS4tokg2m6qfDRnzaCBSvF3RpREFPgUezHOOpNN16sWq5udJjQYQJKTH7MVIQLxCkyHqArL3GzE9gj/zfnS6EeFG4GltS8tM/Il1oOb/A6nMWvv1F4VYuZrhKmX1l II5wIEzgwGNcWrXB6/KF0aLoDKNBqr2F2y1Gjjdolfp7eZaxI/UDARTsaz2IOqVCKWdsgMkAfeBI2u kTuMk9n1Slm47M55dJtWK6fpm74CScwE2L odfHqcE8EfHnEyy4LnfcfczLV8sAYe9wF1cCv65anUA8w/cZ8zDyhH1mD/tu33qT8ROp QtgnGa2zcOiKMe/eP3rD//dp28AG4t8IbMdJISz3SzFlzNkf9IlWDLywD9iXj2DASdgSaEEOZLorfrXWoNEXfN937LRDfyuEZIivR9ugOxIdlzHyfiaQGE4Nk8Rm /S9erAofplCPJW/AAM6zQDcnrvmsAuWdOkLFPNcGtXoLsWtE1yw7PxdAIrRNLmzm6id4uIiBMqGDblRINsIGoIVmmRPOCeODkzSVaA9IXy98dUKqMUlY7Z521Qr/w8 q OCD52Wfbugr/rhauYLNGflzsUG15h5ZK0tm5cp8Tq593gwz576Ft9qLhqTkWCTXVmSktyZ1x9BrfgOm2snisLQ24actg6WGDsdD41H3AlmAxcIl9zrgj5IkwFkd9oTSdn 0iLVM/jdJI7quajOuNpDAGlpfqOl6k7lM8zoF5DIz9shdFvAT8aPxCidBacR84eqftPau2j IE937mJJ2UpKSenreDkwpbzC7YWuK28xrlRczayfKjw1WoLGRU7lg4qsoLFr87WdKKt8sB/aDX
HTTP/1.1 200 OK
Content-Type: text/xml
Date: Fri, 23 May 2014 14:36:56 GMT
Server: nginx
X-Server: web1
Content-Length: 2906
Connection: keep-alive
<?xml version="1.0" encoding="utf-8"?>
<secure_reply>
GET /utorrent-onboarding/welcome-upsell.btapp?h=TIQO2OavjnL37Jid&v=109279400&ol=en&ul=&tk=stable34&c=uTorrent HTTP/1.1
Host: apps.bittorrent.com
User-Agent: BTWebClient/3410(30888)
Accept-Encoding: gzip
Connection: Close
HTTP/1.1 200 OK
x-amz-id-2: HCpaeLg6Uh9Sm3sk0S53QKUErij9Jl2BjFcA7W08S2omUK1lk3TxpoRJFmDYmH X
x-amz-request-id: A7F6CC8B72CD7AE0
Accept-Ranges: bytes
Content-Type: binary/octet-stream
Server: AmazonS3
Age: 64236
Date: Fri, 23 May 2014 14:37:02 GMT
Last-Modified: Tue, 08 Oct 2013 00:54:05 GMT
Content-Length: 28315
Connection: close
GET /updatestats.php?cl=uTorrent&v=109279400&h=TIQO2OavjnL37Jid&k=&ip=8&dns=62&con=78&dl=61547&dlurl=http://llsw.download3.utorrent.com/offers/imesh-en-20140501.exe&svp=4&pid=3864&sz=6656336&bin=<NULL>toolbar&p1=192.168.139.2&m1=0&p2=192.168.50.10&m2=1&p3=193.138.244.233&m3=3&p4=10.235.0.11&m4=1&p5=193.138.244.106&m5=2&p6=46.164.136.181&m6=1&p7=80.91.160.129&m7=7&p9=195.22.214.108&m9=51&p10=89.221.34.181&m10=51&p11=87.248.216.137&m11=55&p12=87.248.217.254&m12=58 HTTP/1.1
Host: update.utorrent.com
User-Agent: BTWebClient/3410(30888)
Accept-Encoding: gzip
Connection: Close
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Fri, 23 May 2014 14:36:56 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/5.4.27
Expires: Thu, 21 Jul 1980 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, private
Pragma: no-cache
POST /api/v2 HTTP/1.1
Host: engine.ap.bittorrent.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0 Windows NT 5.1; Trident/4.0)(30888)
Accept-Encoding: gzip
content-type: application/json
Connection: Close
Content-Length: 377
{ "keywords": [ "clientdata=utorrent|3.4.1.30888|129", "IEVersion=8", "flash=11,6,602,168" ], "placements": [ { "adTypes": [ 9 ], "divName": "lrec", "networkId": 5682, "properties": { "IEVersion": 8, "campaigncode": 129, "featurelevel": 0, "flash": "11,6,602,168", "major": 3, "minor": 4, "product": "utorrent", "tag": "", "tiny": 1, "version": 30888 }, "siteId": "33049" } ] }
HTTP/1.1 200 OK
Access-Control-Allow-Headers: accept, origin, content-type, content-length
Access-Control-Allow-Methods: GET,PUT,POST,DELETE,OPTIONS
Access-Control-Allow-Origin: *
Content-Type: application/json
Date: Fri, 23 May 2014 14:36:43 GMT
ETag: "1830384725"
Server: nginx/1.1.19
Set-Cookie: azk=ue1-622494d79d754cd28e9a0937289eb6c9; Path=/; Expires=Sat, 23 May 2015 14:36:43 GMT
x-powered-by: adzerk bifrost/
x-served-by: engine-us-east-1a-27
Content-Length: 2321
Connection: Close
{"user":{"key":"ue1-622494d79d754cd28e9a0937289eb6c9"},"decisions":{"lrec":{"adId":408182,"creativeId":330908,"flightId":206441,"campaignId":112237,"clickUrl":"hXXp://engine.ap.bittorrent.com/r?e=eyJhdiI6MzY0OTMsImF0Ijo5LCJjbSI6MTEyMjM3LCJjaCI6ODc4NSwiY3IiOjMzMDkwOCwiZGkiOiJlOGEzNTM4ZDM1MTY0ZTI3OGJiNTZkNzAyYWMwZTkwMyIsImRtIjoxLCJmYyI6NDA4MTgyLCJmbCI6MjA2NDQxLCJrdyI6ImNsaWVudGRhdGE9dXRvcnJlbnR8My40LjEuMzA4ODh8MTI5LGlldmVyc2lvbj04LGZsYXNoPTExLDYsNjAyLDE2OCIsIm53Ijo1NjgyLCJwYyI6MC4wOCwicHIiOjIzNzU1LCJydCI6Mywic3QiOjMzMDQ5LCJ0ciI6dHJ1ZSwidWsiOiJ1ZTEtNjIyNDk0ZDc5ZDc1NGNkMjhlOWEwOTM3Mjg5ZWI2YzkiLCJ0cyI6MTQwMDg1NTgwMzAzNSwidXIiOiJodHRwOi8vdHJhY2tpc3RhLmNvbS90cmFjay9idHJlZGlyZWN0LnBocD9oYW5kbGU9MTAwNTMifQ&s=8BRFKOajFeu-morWw5mfFPIaOEU","impressionUrl":"hXXp://engine.ap.bittorrent.com/i.gif?e=eyJhdiI6MzY0OTMsImF0Ijo5LCJjbSI6MTEyMjM3LCJjaCI6ODc4NSwiY3IiOjMzMDkwOCwiZGkiOiJlOGEzNTM4ZDM1MTY0ZTI3OGJiNTZkNzAyYWMwZTkwMyIsImRtIjoxLCJmYyI6NDA4MTgyLCJmbCI6MjA2NDQxLCJrdyI6ImNsaWVudGRhdGE9dXRvcnJlbnR8My40LjEuMzA4ODh8MTI5LGlldmVyc2lvbj04LGZsYXNoPTExLDYsNjAyLDE2OCIsIm53Ijo1NjgyLCJwYyI6MC4wOCwicHIiOjIzNzU1LCJydCI6Mywic3QiOjMzMDQ5LCJ0ciI6dHJ1ZSwidWsiOiJ1ZTEtNjIyNDk0ZDc5ZDc1NGNkMjhlOWEwOTM3Mjg5ZWI2YzkiLCJ0cyI6MTQwMDg1NTgwMzAzNSwiZnEiOjF9&s=_IMQG4uptLQ5YCYGGuN70Si6tbA","contents":[{"type":"html","body":"<a href=\"hXXp://engine.ap.bittorrent.com/r?e=eyJhdiI6MzY0OTMsImF0Ijo5LCJjbSI6MTEyMjM3LCJjaCI6ODc4NSwiY3IiOjMzMDkwOCwiZGkiOiJlOGEzNTM4ZDM1MTY0ZTI3OGJiNTZkNzAyYWMwZTkwMyIsImRtIjoxLCJmYyI6NDA4MTgyLCJmbCI6MjA2NDQxLCJrdyI6ImNsaWVudGRhdGE9d<<< skipped >>>
GET /utorrent-onboarding/welcome-upsell.btapp HTTP/1.1
Host: apps.bittorrent.com
User-Agent: BTWebClient/3410(30888)
Accept-Encoding: gzip
Connection: Close
HTTP/1.1 200 OK
x-amz-id-2: HCpaeLg6Uh9Sm3sk0S53QKUErij9Jl2BjFcA7W08S2omUK1lk3TxpoRJFmDYmH X
x-amz-request-id: A7F6CC8B72CD7AE0
Accept-Ranges: bytes
Content-Type: binary/octet-stream
Server: AmazonS3
Age: 64161
Date: Fri, 23 May 2014 14:35:48 GMT
Last-Modified: Tue, 08 Oct 2013 00:54:05 GMT
Content-Length: 28315
Connection: close
GET /control/tags/ut.json HTTP/1.1
Host: cdn.ap.bittorrent.com
User-Agent: BTWebClient/3410(30888)
Accept-Encoding: gzip
Accept-Language: en-US
Connection: Close
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 2965
Connection: close
Date: Mon, 19 May 2014 19:32:31 GMT
Last-Modified: Mon, 19 May 2014 19:26:26 GMT
ETag: "2e4d2134fcace3a3d3aeb63994cf9345"
Accept-Ranges: bytes
Server: AmazonS3
Age: 68673
X-Cache: Hit from cloudfront
Via: 1.1 1fcd1033bfe42d3b0b03eb4bfbf9624a.cloudfront.net (CloudFront)
X-Amz-Cf-Id: 8p5AT1WR_8P0Y056QCqoexxureLIt92lCeanLsG-RaHjlfzw_HeDMg==
{
  "version": 27,
  "adrules": [
    {
      "name": "default",
      "contactRate": 60,
      "adRefreshRate": 360,
      "lrecRefreshRate": 360,
      "ftRefreshRate": 360,
      "resetAds": 0,
      "rollout": 100,
      "enabled": 1,
      "ftEnabled": 1,
      "lrecEnabled": 1,
      "sendConversion": 0
    },
    {
      "name": "refresh_360",
      "adRefreshRate": 360,
      "lrecRefreshRate": 360,
      "ftRefreshRate": 360,
      "resetAds": 0,
      "rollout": 100,
      "enabled": 1,
      "ftEnabled": 1,
      "lrecEnabled": 1,
      "sendConversion": 0,
      "countries": "cn,ee,es,hk,iq,ir,kr,kz,pr,tw,ua,ua,co,ve"
    },
    {
      "name": "refresh_60",
      "adRefreshRate": 60,
      "lrecRefreshRate": 60,
      "ftRefreshRate": 60,
      "resetAds": 0,
      "rollout": 100,
      "enabled": 1,
      "ftEnabled": 1,
      "lrecEnabled": 1,
      "sendConversion": 0,
      "countries": "bg,hu,jp,lt,ph,pk,ro,rs,sa,th,eg"
    },
    {
      "name": "refresh_30",
      "lrecRefreshRate": 30,
      "ftRefreshRate": 30,
      "rollout": 100,
      "enabled": 1,
      "ftEnabled": 1,
      "lrecEnabled": 1,
      "countries": "cl,ae,ar,gr,is,mx,tr,br,by,cz,in,pt,sg"
    },<<< skipped >>>
GET /offers/MotelLife_InstallPath.bmp HTTP/1.1
Host: ll.download3.utorrent.com
User-Agent: BTWebClient/3410(30888)
Accept-Encoding: gzip
Connection: Close
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: image/x-ms-bmp
Cache-Control: max-age=3600
Accept-Ranges: bytes
Age: 794
Date: Fri, 23 May 2014 14:35:29 GMT
Last-Modified: Fri, 16 May 2014 21:55:19 GMT
Expires: Fri, 23 May 2014 15:22:15 GMT
Content-Length: 79364
Connection: close
GET /scripts/dl.php?build=30888&ref=client&client=utorrent&sys_l=en&sel_l=0&tk=stable34 HTTP/1.1
Host: VVV.utorrent.com
User-Agent: BTWebClient/3410(30888)
Accept-Encoding: gzip
Connection: Close
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/x-utorrent-language
Content-Disposition: attachment; filename=utorrent.lng
Cache-Control: max-age=3600
Accept-Ranges: bytes
Age: 2172
Date: Fri, 23 May 2014 14:37:02 GMT
Last-Modified: Mon, 21 Apr 2014 11:15:26 GMT
Expires: Fri, 23 May 2014 15:00:50 GMT
Content-Length: 1312039
Connection: close
GET /installstats.php?cl=uTorrent&v=109279400&h=TIQO2OavjnL37Jid&w=A280105&bu=0&pr=0&cmp=129&ocmp=129&showwarning&pid=3864&cau=0&view=win32 HTTP/1.1
Accept-Encoding: gzip
User-Agent: uTorrent(30888)/3.4.1
Host: update.utorrent.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Fri, 23 May 2014 14:35:35 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/5.4.27
GET /installstats.php?cl=uTorrent&v=109279400&h=TIQO2OavjnL37Jid&w=A280105&bu=0&pr=0&cmp=129&ocmp=129&installresult&pid=3864&cau=0&installresult=0&exit=1&au=0&view=win32 HTTP/1.1
Accept-Encoding: gzip
User-Agent: uTorrent(30888)/3.4.1
Host: update.utorrent.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Fri, 23 May 2014 14:35:44 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/5.4.27
POST /e?i=853EA7A31A873F12C565A7486FC7DF383DFDB9BE HTTP/1.1
Host: bench.utorrent.com
User-Agent: Hydra HttpRequest
Connection: close
Content-Length: 92
{"eventName":"hydra.compat.good","pid":"516","h":"853EA7A31A873F12C565A7486FC7DF383DFDB9BE"}
HTTP/1.1 200 OK
Content-Type: text/html
Date: Fri, 23 May 2014 14:38:43 GMT
Server: nginx/1.4.7
X-Powered-By: PHP/5.4.27
Content-Length: 21
Connection: Close
{"response_code":200}
GET /utorrent-onboarding/welcome-upsell.btapp?h=TIQO2OavjnL37Jid&v=109279400&ol=en&ul=&tk=stable34&c=uTorrent HTTP/1.1
Host: apps.bittorrent.com
User-Agent: BTWebClient/3410(30888)
Accept-Encoding: gzip
If-Modified-Since: Tue, 08 Oct 2013 00:54:05 GMT
Connection: Close
HTTP/1.1 304 Not Modified
Content-Type: binary/octet-stream
Age: 64235
Date: Fri, 23 May 2014 14:37:04 GMT
Connection: close
GET /utorrent-onboarding/player.btapp?h=TIQO2OavjnL37Jid&v=109279400&ol=en&ul=&tk=stable34&c=uTorrent HTTP/1.1
Host: apps.bittorrent.com
User-Agent: BTWebClient/3410(30888)
Accept-Encoding: gzip
If-Modified-Since: Tue, 08 Oct 2013 00:53:35 GMT
Connection: Close
HTTP/1.1 304 Not Modified
Content-Type: binary/octet-stream
Age: 244830
Date: Fri, 23 May 2014 14:37:04 GMT
Connection: close
GET /utorrent-onboarding/player.btapp?h=TIQO2OavjnL37Jid&v=109279400&ol=en&ul=&tk=stable34&c=uTorrent HTTP/1.1
Host: apps.bittorrent.com
User-Agent: BTWebClient/3410(30888)
Accept-Encoding: gzip
Connection: Close
HTTP/1.1 200 OK
x-amz-id-2: kLnNrkgfGAUNBhBwOUtnTaaAPMzN4DSdXHzrxkam8f6mjZV0Qi/hOlv0ELXd7rpV
x-amz-request-id: 04253D8D9662B60E
Accept-Ranges: bytes
Content-Type: binary/octet-stream
Server: AmazonS3
Age: 244803
Date: Fri, 23 May 2014 14:37:02 GMT
Last-Modified: Tue, 08 Oct 2013 00:53:35 GMT
Content-Length: 3097
Connection: close
GET /tr.gif?anxa=APNMSB&anxe=InstallerEvent&anxp=^BE3^TCH001^YY^US&anxr=5E42545E-6CDC-4155-BA34-EA19BE158646&anxt=3430024475584820&anxv=3.0.0.0&anxtv=3.0.0.0&tpid=BTR-BTS&apn_dbr=IE&o=APN11459&trgb=IE&installationResult=success&ieVersionInstalled=8.0.6001.18702&ffVersionInstalled=29.0.1.5239&crVersionInstalled=34.0.1847.131 HTTP/1.0
Host: phn.apnanalytics.com
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 204 No Content
Server: nginx/1.0.1
Date: Fri, 23 May 2014 14:36:54 GMT
Connection: close
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-cache
Cache-Control: max-age=0
POST /e?i=21 HTTP/1.1
Host: bench.utorrent.com
User-Agent: BTWebClient/3410(30888)
Accept-Encoding: gzip
Connection: Close
Content-Length: 367
{"h":"TIQO2OavjnL37Jid","cl":"uTorrent","v":109279400,"l":"en","w":"5.1","cts":1400855822,"eventName":"silent_autoupdate","launched_target":0,"updated":0,"relocated":0,"versions": [{"path":"updates\\3.4.1_30888.exe","version":"109279400","blacklisted":"0","crash_count":"0","opt_out":"0","running":""}], "action":"Initial download", "g_version":109279400, "no_sau":0}
HTTP/1.1 200 OK
Content-Type: text/html
Date: Fri, 23 May 2014 14:38:44 GMT
Server: nginx/1.4.7
X-Powered-By: PHP/5.4.27
Content-Length: 21
Connection: Close
{"response_code":200}
GET /installstats.php?cl=uTorrent&v=109279400&h=TIQO2OavjnL37Jid&w=A280105&bu=0&pr=0&cmp=129&ocmp=129&wizardcomplete&pid=3864&cau=0&view=win32 HTTP/1.1
Accept-Encoding: gzip
User-Agent: uTorrent(30888)/3.4.1
Host: update.utorrent.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Fri, 23 May 2014 14:35:43 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/5.4.27
[empty chunked body]
POST /e?i=20 HTTP/1.1
Host: bench.utorrent.com
User-Agent: BTWebClient/3410(30888)
Accept-Encoding: gzip
Connection: Close
Content-Length: 295
{"h":"TIQO2OavjnL37Jid","cl":"uTorrent","v":109279400,"l":"en","w":"5.1","cts":1400855827,"eventName":"ap","fte":1,"lre":1,"ltic_0":1,"ltic_1":0,"lcic_0":0,"lcic_1":0,"laae":0,"lare":0,"laie":0,"lame":0,"name":"impression","errCode":0,"requestTime":1400855827,"action":"client.az.impression.ua"}
HTTP/1.1 200 OK
Content-Type: text/html
Date: Fri, 23 May 2014 14:38:03 GMT
Server: nginx/1.4.7
X-Powered-By: PHP/5.4.27
Content-Length: 21
Connection: Close
{"response_code":200}
POST /e?i=20 HTTP/1.1
Host: bench.utorrent.com
User-Agent: BTWebClient/3410(30888)
Accept-Encoding: gzip
Connection: Close
Content-Length: 299
{"h":"TIQO2OavjnL37Jid","cl":"uTorrent","v":109279400,"l":"en","w":"5.1","cts":1400855825,"eventName":"ap","fte":1,"lre":1,"ltic_0":0,"ltic_1":0,"lcic_0":0,"lcic_1":0,"laae":0,"lare":0,"laie":0,"lame":0,"name":"siteId","errCode":0,"requestTime":1400855825,"action":"client.az.error.badsiteid.33049"}
HTTP/1.1 200 OK
Content-Type: text/html
Date: Fri, 23 May 2014 14:36:27 GMT
Server: nginx/1.4.7
X-Powered-By: PHP/5.4.27
Content-Length: 21
Connection: Close
{"response_code":200}
GET /updatestats.php?cl=uTorrent&v=109279400&h=TIQO2OavjnL37Jid&k=&ip=8&dns=62&con=62&dl=828&dlurl=http://llsw.download3.utorrent.com/offers/imesh_ie_20140221.bmp&svp=4&pid=3864&sz=28700&bin=<NULL>bmp&p1=192.168.139.2&m1=0&p2=192.168.50.10&m2=1&p4=10.235.0.11&m4=1&p5=193.138.244.106&m5=1&p6=46.164.136.181&m6=32&p7=80.91.160.129&m7=7&p9=195.22.214.108&m9=52&p10=89.221.34.181&m10=104&p11=87.248.216.137&m11=57&p12=87.248.217.254&m12=57 HTTP/1.1
Host: update.utorrent.com
User-Agent: BTWebClient/3410(30888)
Accept-Encoding: gzip
Connection: Close
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Fri, 23 May 2014 14:35:38 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/5.4.27
Expires: Thu, 21 Jul 1980 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, private
Pragma: no-cache
[empty chunked body]
GET /Advertisers/29bcf58df9724c3eac3cb41b726880dd.png HTTP/1.1
Host: static.ap.bittorrent.com
User-Agent: BTWebClient/3410(30888)
Accept-Encoding: gzip
If-Modified-Since: Sun, 1 Jan 1982 00:00:00 GMT
Connection: Close
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Type: image/png
Date: Fri, 23 May 2014 14:37:06 GMT
Etag: "55184f55254cb8da1329dd0b4931b418"
Expires: Wed, 22 May 2024 00:45:28 GMT
Last-Modified: Wed, 14 May 2014 04:25:23 GMT
Server: ECS (fra/D5A2)
x-amz-id-2: nf7f7rea7IQsK1dXGZAEmBrAVVfw93TMzANJVy4wFrI6E3pAaRmDJtd7NG0FMO7yrWyFdBndS7M=
x-amz-request-id: D0B573DCA9026639
X-Cache: HIT
Content-Length: 6257
Connection: close
[binary response body: PNG image, 6257 bytes; raw bytes omitted] <<< skipped >>>
POST /e?i=20 HTTP/1.1
Host: bench.utorrent.com
User-Agent: BTWebClient/3410(30888)
Accept-Encoding: gzip
Connection: Close
Content-Length: 295
{"h":"TIQO2OavjnL37Jid","cl":"uTorrent","v":109279400,"l":"en","w":"5.1","cts":1400855827,"eventName":"ap","fte":1,"lre":1,"ltic_0":1,"ltic_1":2,"lcic_0":0,"lcic_1":0,"laae":0,"lare":0,"laie":0,"lame":0,"name":"impression","errCode":0,"requestTime":1400855827,"action":"client.az.impression.ua"}
HTTP/1.1 200 OK
Content-Type: text/html
Date: Fri, 23 May 2014 14:38:38 GMT
Server: nginx/1.4.7
X-Powered-By: PHP/5.4.27
Content-Length: 21
Connection: Close
{"response_code":200}
GET /installstats.php?cl=uTorrent&v=109279400&h=TIQO2OavjnL37Jid&w=A280105&bu=0&pr=0&cmp=129&ocmp=129&mismexecute&pid=3864&cau=0&download=0&execute=0&error=mism execute succeeded&mismreturn=0&mismresult=provider:7,search:1,homepage:1&view=win32 HTTP/1.1
Accept-Encoding: gzip
User-Agent: uTorrent(30888)/3.4.1
Host: update.utorrent.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Fri, 23 May 2014 14:35:32 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/5.4.27
[empty chunked body]
GET / HTTP/1.1
Host: bundles.bittorrent.com
User-Agent: BTWebClient/3410(30888)
Accept-Encoding: gzip
Connection: Close
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
Cache-Control: public, max-age=300
Content-Encoding: gzip
Date: Fri, 23 May 2014 14:33:27 GMT
ETag: "-367812561"
Set-Cookie: connect.sid=eyJwYXNzcG9ydCI6e319--5f19a0dc71d1127c1494f9a84f91312152a2ef2e; Path=/; Expires=Fri, 23 May 2014 18:33:27 GMT; HttpOnly
Vary: Accept-Encoding
Age: 215
X-Cache: Hit from cloudfront
Via: 1.1 e13dc20cb35881b25fb296fb0383f55c.cloudfront.net (CloudFront)
X-Amz-Cf-Id: WyKOzn2rPW3kO8YtVMl3_h0zMIfY81pLkHOOhHIGdhkUWoc93zMdAQ==
[gzip-compressed chunked response body, first chunk 0x1586 bytes; raw bytes omitted] <<< skipped >>>
GET /installstats.php?cl=uTorrent&v=109279400&h=TIQO2OavjnL37Jid&w=A280105&bu=0&pr=0&cmp=129&ocmp=129&gettbofferresult&pid=3864&cau=0&tbofferresult=3&exit=1375&cbhomepage=1&cbsearch=1&tb=imesh&view=win32 HTTP/1.1
Accept-Encoding: gzip
User-Agent: uTorrent(30888)/3.4.1
Host: update.utorrent.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Fri, 23 May 2014 14:34:05 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/5.4.27
[empty chunked body]
POST /e?i=20 HTTP/1.1
Host: bench.utorrent.com
User-Agent: BTWebClient/3410(30888)
Accept-Encoding: gzip
Connection: Close
Content-Length: 293
{"h":"TIQO2OavjnL37Jid","cl":"uTorrent","v":109279400,"l":"en","w":"5.1","cts":1400855824,"eventName":"ap","fte":1,"lre":1,"ltic_0":0,"ltic_1":0,"lcic_0":0,"lcic_1":0,"laae":0,"lare":0,"laie":0,"lame":0,"name":"adrequest","errCode":0,"requestTime":1400855824,"action":"client.az.adrequest.ua"}
HTTP/1.1 200 OK
Content-Type: text/html
Date: Fri, 23 May 2014 14:38:00 GMT
Server: nginx/1.4.7
X-Powered-By: PHP/5.4.27
Content-Length: 21
Connection: Close
{"response_code":200}
GET /installoffer.php?h=TIQO2OavjnL37Jid&v=109279400&w=A280105&l=en&c=US&db=iexplore.exe&cl=uTorrent&tsub=1&svp=4&cmp=129&ocmp=129 HTTP/1.1
Accept-Encoding: gzip
User-Agent: uTorrent(30888)/3.4.1
Host: update.utorrent.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Fri, 23 May 2014 14:33:43 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/5.4.27
Expires: Thu, 21 Jul 1980 00:00:00 GMT
Cache-Control: private
Last-Modified: Fri, 23 May 2014 14:33:43 GMT
[bencoded response body, first chunk 0x6f41 bytes, shown decoded; the original capture is cut at the <<< skipped >>> marker]
secondary_offers: ["adk", "oc"]
oc: 1
adk: 1
content_offer_id: "MotelLife"
content_offer_img: "MotelLife_InstallPath.bmp"
content_offer_url: "hXXp://apps.bittorrent.com/featuredcontent/featuredcontent.btapp?offer=hXXp://bundles.bittorrent.com/inclient/yes"
content_offer_alttext: (multi-line) Get the free BitTorrent exclusive, and go behind the scenes of the award-winning indie drama starring Emile Hirsch and Dakota Fanning.
  You get:
  Interviews with Dakota Fanning, Stephen Dorff, and more
  Commentary from director Gabe Polsky and author Willy Vlatin
  Behind the scenes footage from the 25-day shoot in Reno
content_offer_checkbox: "Yes, I'd love to check out this download."
content_offer_checked: 1
content_offer_autoexec: 0
content_offer_title: "Check out our new Bundle Release"
content_offer_subtitle: "Special Offer for BitTorrent Users"
content_offer_footer: "By clicking "Next" and installing this torrent bundle, you agree to the BitTorrent, Inc. <a href="hXXps://bundles.bittorrent.com/publish#!/terms">Terms of Service</a> and <a href="hXXp://VVV.bittorrent.com/legal/privacy">Privacy Policy</a>."
toolbar0:
  title: "µTorrent Installation Offer"
  subtitle: "Thank you for supporting µTorrent"
  body_text: "Easily search the web from a search box conveniently added to your browser interface as pictured above."
  body_text_rtf: "{\rtf1\ansi\ansicpg1252\b Browser Tab Search for Internet Explorer by\b0}"
  footer_text: "By clicking "Next" and installing the Browser Tab Search by Ask<<< skipped >>>
GET /time.php HTTP/1.1
Host: update.bittorrent.com
User-Agent: BTWebClient/3410(30888)
Accept-Encoding: gzip
Connection: Close
HTTP/1.1 404 Not Found
Server: nginx/1.4.7
Date: Fri, 23 May 2014 14:35:20 GMT
Content-Type: text/html
Content-Length: 168
Connection: close
<html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.4.7</center></body></html>
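The exchanges above are the install-phase telemetry of this build: update.utorrent.com serves the offer configuration (installoffer.php, a bencoded body) and receives the installstats.php results (tbofferresult=3 with cbhomepage=1 and cbsearch=1 for the tb=imesh offer, then mismexecute with mismresult=provider:7,search:1,homepage:1 once the bundled installer has run), phn.apnanalytics.com receives the Ask installer's installationResult=success beacon, and bench.utorrent.com receives JSON event beacons. The Python script below is an added example written for this page, not code from the Lavasoft report or from BitTorrent Inc.: it decodes a bencoded installoffer.php body and pulls those fields out of the request lines. The request list and the bencoded excerpt are constructed from the capture above (query strings trimmed to the parameters of interest); hostnames, paths and parameter names are the ones in the capture, and the field names in the returned dictionary are the example's own.

```python
"""Triage of the install-phase HTTP beacons seen in the capture above.

Added example for this page, not code from the Lavasoft report or from
BitTorrent Inc. All inputs are constructed from the capture; nothing goes online.
"""
from urllib.parse import parse_qs

# Constructed from the request lines in the capture above; query strings are
# trimmed to the parameters the triage below looks at.
SAMPLE_REQUESTS = [
    ("update.utorrent.com",
     "/installoffer.php?h=TIQO2OavjnL37Jid&v=109279400&w=A280105&l=en&c=US"
     "&db=iexplore.exe&cl=uTorrent&tsub=1&svp=4&cmp=129&ocmp=129"),
    ("update.utorrent.com",
     "/installstats.php?cl=uTorrent&v=109279400&h=TIQO2OavjnL37Jid&w=A280105"
     "&bu=0&pr=0&cmp=129&ocmp=129&gettbofferresult&pid=3864&cau=0"
     "&tbofferresult=3&exit=1375&cbhomepage=1&cbsearch=1&tb=imesh&view=win32"),
    ("update.utorrent.com",
     "/installstats.php?cl=uTorrent&v=109279400&h=TIQO2OavjnL37Jid&w=A280105"
     "&bu=0&pr=0&cmp=129&ocmp=129&mismexecute&pid=3864&cau=0&download=0"
     "&execute=0&error=mism execute succeeded&mismreturn=0"
     "&mismresult=provider:7,search:1,homepage:1&view=win32"),
    ("phn.apnanalytics.com",
     "/tr.gif?anxa=APNMSB&anxe=InstallerEvent&tpid=BTR-BTS&apn_dbr=IE"
     "&installationResult=success&ieVersionInstalled=8.0.6001.18702"
     "&ffVersionInstalled=29.0.1.5239&crVersionInstalled=34.0.1847.131"),
    ("bench.utorrent.com", "/e?i=20"),
]

# Constructed excerpt of the bencoded installoffer.php body, built from keys
# and values visible in the capture (µ is two bytes in UTF-8, hence 28 and 34).
SAMPLE_OFFER_BODY = (
    b"d3:adki1e2:oci1e16:content_offer_id9:MotelLife"
    b"21:content_offer_checkedi1e22:content_offer_autoexeci0e"
    b"8:toolbar0d5:title28:\xc2\xb5Torrent Installation Offer"
    b"8:subtitle34:Thank you for supporting \xc2\xb5Torrentee"
)


def bdecode(data: bytes, pos: int = 0):
    """Decode one bencoded value at `pos`; return (value, position after it)."""
    tag = data[pos:pos + 1]
    if tag == b"i":                                   # i<digits>e
        end = data.index(b"e", pos)
        return int(data[pos + 1:end]), end + 1
    if tag == b"l":                                   # l<values>e
        items, pos = [], pos + 1
        while data[pos:pos + 1] != b"e":
            item, pos = bdecode(data, pos)
            items.append(item)
        return items, pos + 1
    if tag == b"d":                                   # d<key><value>...e
        out, pos = {}, pos + 1
        while data[pos:pos + 1] != b"e":
            key, pos = bdecode(data, pos)
            out[key], pos = bdecode(data, pos)
        return out, pos + 1
    if tag.isdigit():                                 # <length>:<bytes>
        colon = data.index(b":", pos)
        start, length = colon + 1, int(data[pos:colon])
        if start + length > len(data):
            raise ValueError(f"string truncated at offset {pos}")
        return data[start:start + length].decode("utf-8", "replace"), start + length
    raise ValueError(f"unexpected byte {tag!r} at offset {pos}")


def decode_offer(body: bytes) -> dict:
    """Decode a complete installoffer.php body and reject trailing garbage."""
    value, end = bdecode(body)
    if end != len(body):
        raise ValueError(f"{len(body) - end} trailing bytes after the bencoded value")
    return value


def triage(requests) -> dict:
    """Extract what an analyst wants from the install beacons: which hosts were
    contacted, whether the toolbar offer was taken, and what it changed."""
    findings = {"hosts": sorted({host for host, _ in requests}), "event_beacons": 0}
    for host, target in requests:
        path, _, query = target.partition("?")
        params = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
        if host == "update.utorrent.com" and path == "/installstats.php":
            if "gettbofferresult" in params:            # outcome of the offer dialog
                findings["toolbar_offer"] = {
                    "toolbar": params["tb"],
                    "result": int(params["tbofferresult"]),
                    "set_homepage": params.get("cbhomepage") == "1",
                    "set_search": params.get("cbsearch") == "1",
                }
            if "mismexecute" in params:                 # bundled installer has run
                findings["browser_settings_changed"] = {
                    name: int(count) for name, count in
                    (item.split(":") for item in params["mismresult"].split(","))
                }
        elif host == "phn.apnanalytics.com" and path == "/tr.gif":
            findings["ask_installer"] = {
                "result": params.get("installationResult"),
                "browsers_reported": [k[:2] for k in params if k.endswith("VersionInstalled")],
            }
        elif host == "bench.utorrent.com":
            findings["event_beacons"] += 1
    return findings


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_REQUESTS), indent=2))
    print(json.dumps(decode_offer(SAMPLE_OFFER_BODY), indent=2, ensure_ascii=False))
```

On a real capture, feed triage() the Host header and request-target of each request, and give decode_offer() the installoffer.php body only after the chunked transfer encoding has been removed: the 6f41 prefix in the capture above is a chunk size, not part of the bencoded data, and decode_offer() will refuse a body that is truncated or carries such extra bytes.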
The Trojan connects to the servers at the following location(s):
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
BrowserTabSearchMediaBar.exe:1404
BrowserTabSearchMediaBar.exe:1000
imapi.exe:2396
mediabar.exe:160
%original file name%.exe:3864
utt2D.tmp.exe:4056
rundll32.exe:2456
SafetyNutManager.exe:3204
SafetyNutManager.exe:4040
regsvr32.exe:288
msbloader.exe:200
pack.exe:1528
msfeedssync.exe:2096
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\featuredContent.btapp.new (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X33TH0UP\icon[2].ico (392 bytes)
%Documents and Settings%\%current user%\Cookies\SFF2AMO5.txt (96 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\D944B3378FAB35793B7951FA53E41B2AB9CC462B\main.css (6 bytes)
%Documents and Settings%\%current user%\Cookies\ELA8NTQ3.txt (93 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\utt5D.tmp (11516 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\plus.btapp.new (796 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AAE8OMVS\icon[1].ico (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar5B.tmp (2712 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\dlimagecache\804153A8C5C67F43BFD757A3A58ED68D7157DAA6 (1001 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\72F0D3E2141065DACF6134D07A06A2DF20590748\main.css (946 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\E9UY92VW\fileserve[1] (917 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\E9UY92VW\icon[2].ico (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\utt59.tmp.new (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WJYHCPG4\icon[1].ico (392 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\D944B3378FAB35793B7951FA53E41B2AB9CC462B\index.html (3 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\72F0D3E2141065DACF6134D07A06A2DF20590748\icon.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab5A.tmp (54 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\72F0D3E2141065DACF6134D07A06A2DF20590748\index.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WJYHCPG4\fileserve[1].css (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AAE8OMVS\fileserve[1] (44065 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\D944B3378FAB35793B7951FA53E41B2AB9CC462B\empty_movie.gif (282 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\dlimagecache\165F6EF40A81DD175FFAEA69E77ABFD30B27E71C (88 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\D944B3378FAB35793B7951FA53E41B2AB9CC462B\btapp (201 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\E9UY92VW\icon[1].ico (392 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\D944B3378FAB35793B7951FA53E41B2AB9CC462B\info_icon.png (250 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\settings.dat.new (71 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X33TH0UP\fileserve[1] (601 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\dlimagecache\77900433804D5EAD1719B7AC7A5C28E6D9AC13C7 (4069 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\D944B3378FAB35793B7951FA53E41B2AB9CC462B\vid_thumb.jpg (23 bytes)
%Documents and Settings%\%current user%\Cookies\GLJGHN83.txt (93 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\dlimagecache\10E6FBE4D921B475FA5FEC6E9A535A540D6FEED1 (318 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\D944B3378FAB35793B7951FA53E41B2AB9CC462B\x.png (265 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\E9UY92VW\blank[1].htm (109 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\72F0D3E2141065DACF6134D07A06A2DF20590748\btapp (196 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\updates\3.4.1_30888.exe (7971 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\updates.dat (1845 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\utt5C.tmp (731 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\player.btapp (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AAE8OMVS\fileserve[1].png (392 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\welcome-upsell.btapp (28 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\apps\72F0D3E2141065DACF6134D07A06A2DF20590748\index.html (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X33TH0UP\icon[1].ico (392 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1844237615-1960408961-1801674531-1003\1b9783ca1f32c8d5acfe437935791686_75ed9567-aa58-4c8e-a8ea-3cad7c47ab03 (80 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\utorrent.lng (7386 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj62.tmp (26309 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz63.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\BTR-BTS\insthlp.dll (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\BTR-BTS\ReportingHelper.dll (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz63.tmp\nsisdl.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm54.tmp\nsisdl.dll (14 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\BrowserTabSearch\BrowserTabSearchUninstall.exe (7192 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\BrowserTabSearch\msbloader64.exe (3616 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\BrowserTabSearch\msb.dll (12088 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm54.tmp\System.dll (11 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\BrowserTabSearch\msb64.dll (13584 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx53.tmp (26309 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\BrowserTabSearch\msbloader.exe (3312 bytes)
%WinDir%\Temp\6f4vovr7.TMP (146970 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw31\nsn35.tmp\BrowserTabSearchMediaBar.exe (3465 bytes)
%Documents and Settings%\%current user%\Cookies\KCNUF5R3.txt (89 bytes)
%Documents and Settings%\%current user%\Start Menu\µTorrent.lnk (820 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (408 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\µTorrent.lnk (798 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\utt2A.tmp.new (113 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\utt2D.tmp.exe (47888 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\toolbar_offer.benc (28 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\maindoc.ico (63 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\toolbar.benc.new (113 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\utt27.tmp.new (2 bytes)
%Documents and Settings%\%current user%\Cookies\I4R5GJTA.txt (89 bytes)
%Documents and Settings%\%current user%\Desktop\µTorrent.lnk (820 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar29.tmp (2712 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\uTorrent.exe (7386 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\utt2B.tmp.new (79 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\utt2C.tmp.new (28 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1844237615-1960408961-1801674531-1003\1f91d2d17ea675d4c2c3192e241743f9_75ed9567-aa58-4c8e-a8ea-3cad7c47ab03 (105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\utt58.tmp.new (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab28.tmp (54 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw31.tmp\ns57.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3D.tmp (4545 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\x64 (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\42.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3F.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4E.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw31\Helper.dll (63950 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw31\nsn35.tmp\pack.exe (110155 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\48.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw31.tmp\registry.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\47.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw31.tmp\UserInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\43.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\40.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\45.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3C.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3A.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw31.tmp\ns60.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\44.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\38.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4B.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw31.tmp\nsExec.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw31\Starter.exe (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4A.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3B.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\E9UY92VW\install_statistics[1].xml (498 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\37.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4C.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3E.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\49.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw31.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\41.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw31.tmp\ns4F.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw31\nsn35.tmp\mediabar.exe (19152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\36.tmp (4545 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\Helper.dll (14988 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw31.tmp\ns50.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4D.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq2F.tmp (259636 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\Uninstall.exe (3616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw31.tmp\ns56.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\39.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw31.tmp\ns51.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\46.tmp (4545 bytes)
%Documents and Settings%\All Users\Application Data\SafetyNut\general.cfg (1 bytes)
%Documents and Settings%\All Users\Application Data\SafetyNut\S-1-5-21-1844237615-1960408961-1801674531-1003.cfg (4013 bytes)
%Documents and Settings%\All Users\Application Data\SafetyNut\coordinator.cfg (1864 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\favicon.ico (1 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\Internet Explorer Settings.exe (9958 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\SafetyNutManager.exe (44197 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\x64\Internet Explorer Settings.exe (9866 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\x64\safetynut_ie.dll (18892 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\safetynut.dll (19938 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\x64\safetyldr_u.dll (24 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\safetyldr.dll (20 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\safetyChrome.dll (2309 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\configmgrc1.cfg (31 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\Internet Explorer Settings Update.exe (9483 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\safetyldr_u.dll (946 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\x64\safetynut.dll (17899 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\x64\Internet Explorer Settings Update.exe (11380 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\x64\safetycrt.dll (5792 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\safetynut_ie.dll (18311 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\safetynut.exe (29145 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\x64\configmgrc1.cfg (36 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\safetycrt.dll (4877 bytes)
%Program Files%\Browser Tab Search by Ask\SafetyNut\x64\safetyldr.dll (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Feeds\FeedsStore.feedsdb-ms (3114 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\Internet Explorer Suggested Sites~.feed-ms (1080 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\SuggestedSites.dat (4 bytes)
%WinDir%\Tasks\User_Feed_Synchronization-{414D0F7C-B684-437B-B53E-8AB5AE32E070}.job (416 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Browser Tab Search by Ask" = "%Program Files%\Browser Tab Search by Ask\SafetyNut\BrowserTabSearch\msbloader.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"uTorrent" = "%Documents and Settings%\%current user%\Application Data\uTorrent\uTorrent.exe /MINIMIZED"
- Remove the references to the Trojan by modifying the following registry value(s) (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoRestartShell" = "1" (note: 1 is the Windows default for this Winlogon value and holds no reference to the sample; confirm what the value contains before changing it)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
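The manual removal steps above name two Run values and one Winlogon value. Before deleting anything by hand it is worth confirming what those keys actually contain, and it helps to know that AutoRestartShell = 1 is the normal Windows default rather than something the sample planted. The Python script below is an added example written for this page, not part of the report: it parses a .reg dump (export the keys with reg export, which writes UTF-16 text, and open the file with encoding="utf-16") and sorts each value into remove, default or review using path fragments taken from the file list above. The .reg text it ships with is constructed from the values listed in the report plus one ordinary ctfmon.exe entry; the indicator fragments, the default-value table and the three categories are the example's own choices.

```python
"""Review the autorun values named above before removing them by hand.

Added example for this page, not part of the report. It parses a `reg export`
dump instead of touching the registry, so it runs on any platform; the dump
below is constructed from the Run and Winlogon values listed in the report.
"""
import re

# Constructed .reg text (what `reg export` writes, minus the UTF-16 encoding)
# for the values the report lists, plus one ordinary Windows XP Run entry.
SAMPLE_REG = r'''
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Browser Tab Search by Ask"="C:\\Program Files\\Browser Tab Search by Ask\\SafetyNut\\BrowserTabSearch\\msbloader.exe"
"uTorrent"="C:\\Documents and Settings\\user\\Application Data\\uTorrent\\uTorrent.exe /MINIMIZED"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoRestartShell"=dword:00000001
'''

# Path fragments from the file list above (compared case-insensitively).
INDICATORS = (
    r"\browser tab search by ask\safetynut",
    r"\application data\utorrent\utorrent.exe",
)

# Values the report generator flags that are ordinary Windows settings:
# AutoRestartShell=1 is the Windows default and holds no reference to the sample.
KNOWN_DEFAULTS = {
    (r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon",
     "autorestartshell"): 1,
}

_VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s: str) -> str:
    """Undo .reg escaping (backslash-backslash and backslash-quote)."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text: str) -> dict:
    """Parse .reg syntax into {key: {value_name: value}}: dword as int, strings
    unescaped, other types (hex:, hex(2):) left as raw text; continuation
    lines of long hex values are not handled."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith((";", "Windows Registry Editor", "REGEDIT4")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = _VALUE_LINE.match(line)
        if m is None or current is None:
            raise ValueError(f"unparsed line: {line!r}")
        name_tok, raw = m.groups()
        name = "" if name_tok == "@" else _unescape(name_tok[1:-1])
        if raw.startswith("dword:"):
            value = int(raw[len("dword:"):], 16)
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            value = _unescape(raw[1:-1])
        else:
            value = raw
        keys[current][name] = value
    return keys


def review_autoruns(reg: dict) -> dict:
    """Sort every value into remove (points at the sample's files), default
    (a known Windows default) or review (needs a human look)."""
    report = {"remove": [], "default": [], "review": []}
    for key, values in reg.items():
        for name, value in values.items():
            ident = (key.lower(), name.lower())
            if ident in KNOWN_DEFAULTS and value == KNOWN_DEFAULTS[ident]:
                report["default"].append((key, name))
            elif isinstance(value, str) and any(ind in value.lower() for ind in INDICATORS):
                report["remove"].append((key, name, value))
            else:
                report["review"].append((key, name))
    return report


def removal_commands(report: dict) -> list:
    """reg.exe commands for the values marked for removal; run them after the
    processes and files named above have been dealt with, in the report's order."""
    return [f'reg delete "{key}" /v "{name}" /f' for key, name, _ in report["remove"]]


if __name__ == "__main__":
    result = review_autoruns(parse_reg(SAMPLE_REG))
    for section, entries in result.items():
        print(section, *entries, sep="\n  ")
    print(*removal_commands(result), sep="\n")
```

The generated commands use the full HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE root names, which reg.exe accepts; anything in the review list is neither a known default nor a match for the sample's paths and should be looked at by hand rather than deleted on the strength of a pattern match.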