Application.Bundler.InstallBrain.A_c471503e7b

by malwarelabrobot on August 18th, 2014 in Malware Descriptions.

not-a-virus:HEUR:AdWare.Win32.BrainInst.heur (Kaspersky), Application.Bundler.InstallBrain.A (AdAware), Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: c471503e7b1ed1c4dd9abd2f71d7dae9
SHA1: a9916565f82eb4d2168dae635c569519f0d94560
SHA256: b1d81fd17170f40f6264248f1f923ba0b5d5f30a3a60fb639c67d4e971a4ec5c
SSDeep: 24576:f5qQTl4G1RcOQok7o93YbFJJGCcP7lxOyOi7Rd3N6:fQQT6GEOyo9kFLtcP7lxLnL3I
Size: 817824 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: AirInstaller
Created at: 2013-09-20 14:20:26
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Application creates the following process(es):
No processes have been created.
The Application injects its code into the following process(es):

%original file name%.exe:1840

Mutexes

The following mutexes were created/opened:

ShimCacheMutex
RasPbFile
{69C867F8-341A-44a8-B8F2-AF392F12143A}804105true
ZonesLockedCacheCounterMutex
ZonesCacheCounterMutex
ZonesCounterMutex
_!MSFTHISTORY!_
c:!documents and settings!adm!local settings!temporary internet files!content.ie5!
c:!documents and settings!adm!cookies!
c:!documents and settings!adm!local settings!history!history.ie5!
WininetConnectionMutex
WininetStartupMutex
WininetProxyRegistryMutex
c:!documents and settings!adm!local settings!history!history.ie5!mshist012014081720140818!
_!SHMSFTHISTORY!_
CTF.LBES.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
CTF.Compart.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
CTF.Asm.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
CTF.Layouts.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
CTF.TMD.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003

File activity

The process %original file name%.exe:1840 makes changes in the file system.
The Application creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\b4.gif (661 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\pb-bg-right.jpg (468 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\btn.png (716 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\3008.html (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\b-bg.gif (295 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\red-pb-act-right.jpg (694 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B2.tmp (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\main.css (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\pb-bg.jpg (333 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\corn4.png (130 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\b3.gif (384 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\3146.html (19 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\arrow.gif (207 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\component_518.part (33029 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\events\cav.xml (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\3601.html (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\3232.html (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\red-pb-act-left.jpg (681 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\events\events.js (17 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\mask.bmp (42 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\3941.html (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\2985.html (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\component_519.part (5954 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B3.tmp (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\arrow.png (911 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\lbg-top.gif (12 bytes)
%System%\wbem\Logs\wbemprox.log (76 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ajax-loader2.gif (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\js\jquery-1.7.min.js (94 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\2984.html (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\js\jquery.noselect.min.js (299 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\2980.html (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\lbg.gif (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\center2.jpg (305 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\btn2.png (402 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\pb-bg-left.jpg (460 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ajax-loader.gif (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\3600.html (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\2987.html (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\2986.html (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\main - копия.css (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\mid.jpg (403 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\logo.png (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\js\smart.js (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\lbg-bottom.gif (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\conditions\conditions.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\3145.html (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\check.jpg (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\corn3.png (138 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\corn2.png (136 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\corn1.png (139 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\3364.html (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\js\old_smart.js (23 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\trust.gif (437 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\red-pb-act.jpg (380 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\js\config.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\template_40.png (110 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\3385.html (17 bytes)

The Application deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021120130218\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013030120130302 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021120130218 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021820130225 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021820130225\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013030120130302\index.dat (0 bytes)

Registry activity

The process %original file name%.exe:1840 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014081720140818]
"CachePrefix" = ":2014081720140818:"
"CacheLimit" = "8192"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014081720140818]
"CacheOptions" = "11"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014081720140818]
"CacheRepair" = "0"

[HKCU\Software\Microsoft\Windows Script\Settings]
"JITDebug" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014081720140818]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012014081720140818\"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8B FE 13 8D F8 09 D4 F4 C6 F8 04 55 A5 32 96 81"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

Adds a rule to the Windows Firewall which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:]
"%original file name%.exe" = "C:\%original file name%.exe:*:Enabled:%original file name%.exe (in)"

The Application modifies IE security zone settings to map all local web-nodes without dots in their names, which do not belong to any other zone, to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Application modifies IE security zone settings to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Application modifies IE security zone settings to map all URLs to the Intranet Zone:

"IntranetName" = "1"

The Application deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013030120130302]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013021120130218]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013021820130225]

Dropped PE files

MD5 File path
375df55e6337e43b992bd3451802c6af c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\ibtmpd366498\component_518
3ed0a2882d62a7bff0645be507757f4c c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\ibtmpd366498\component_519

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name: Installer
Product Version: 15.9.28.27
Legal Copyright: Copyright 2012
Legal Trademarks:
Original Filename: installer.exe
Internal Name: installer
File Version: 15.9.28.27
File Description: Installer
Comments:
Language: English (United Kingdom)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 106236 106496 4.73406 0d3d7e0f700194accb219396586936fc
.rdata 110592 32866 33280 4.19622 311ce55086569ba80d6319d3656afc11
.data 147456 13096 9216 3.31887 571cbf16e9add883bb2f2d2c11b35727
.rsrc 163840 650668 650752 5.47948 7b69a089de15cd17cfb99c129316a099
.reloc 815104 8574 8704 3.12516 5873e2cca4a559e776377b3f2a957fec

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 24
e72f1b26ccd11a61ab3b1d840c826e2b
99003cb09ca70d45fac4fb32e5399587
0f7a82d7763c300557e569886f4208fb
e6db1f885f501ce27db25bd0a5c619cd
c0bc5d6930dab81029531be2dc6e0308
f9c1eaba84f3ac6e8ff315eb937a79c2
655c4aa4b50967b716077b07c86e7d9b
24cd3c139ffc8fe1249149857614fbb3
7a660045686faa04e3788ef1ea77533d
93680d312fee389edaaa9cda383194b3
d218822401c7d2dc804cde1c6a019f98
ac9328fd619afcc68aa52ec124af2b74
de7446f0b0406391972be69770b41142
518b80d93ca9222fe27725d17a6bdd29
b37a9e45578a2136f36e189481c80065
af55e8b1ffa3a542c4c599f87ea1fa34
8f1f49bfff8cbdf8b3b59cecc1991990
ec5afbf9f7ae28d296c222579b4255b7
3546998e010e36772bde80ba5c51b938
042894e34888fd250e9c6dbc6d58dc6a
8971f6e3b4b5582dbd94c4b7537b4e3a
502399cc417fd64158205c76170043f3
2a5f05824ed03380ef5986a54692551b
72fbe038ab46bb9ba5f8522b7f225817

URLs

URL IP
hxxp://174.36.241.169/track/ib-start?cid=4105
hxxp://174.36.241.169/track/ib-show?cid=4105&componentid=518
hxxp://174.36.241.169/track/ib-show?cid=4105&componentid=519
hxxp://173.192.190.226/files/components/sp-downloader.exe
hxxp://173.192.190.226/files/components/BuenoSearchTB.exe
hxxp://173.192.190.226/files/components/SearchShock.exe
hxxp://173.192.190.226/files/components/SearchAlgo.exe
hxxp://173.192.190.226/files/components/yandex_downloader_v3.exe
hxxp://173.192.190.226/files/components/CloudBackup.exe
hxxp://173.192.190.226/files/products/PCPerformerSetup-4.exe
hxxp://173.192.190.226/files/components/PortalMoreSetup.exe
hxxp://173.192.190.226/files/products/UnknownFile.exe
hxxp://173.192.190.226/files/components/SpeedanAlysisSetupW.exe
hxxp://173.192.190.226/files/products/ffdshow.exe
hxxp://173.192.190.226/files/products/MatroskaSplitter.exe
hxxp://www.appregis.com/files/components/BuenoSearchTB.exe
hxxp://www.appregis.com/files/products/ffdshow.exe
hxxp://api.ibario.com/track/ib-start?cid=4105
hxxp://www.appregis.com/files/components/SearchShock.exe
hxxp://www.appregis.com/files/components/CloudBackup.exe
hxxp://www.appregis.com/files/products/MatroskaSplitter.exe
hxxp://www.appregis.com/files/products/UnknownFile.exe
hxxp://www.appregis.com/files/components/PortalMoreSetup.exe
hxxp://www.appregis.com/files/components/yandex_downloader_v3.exe
hxxp://www.appregis.com/files/components/SearchAlgo.exe
hxxp://api.ibario.com/track/ib-show?cid=4105&componentid=519
hxxp://www.appregis.com/files/components/sp-downloader.exe
hxxp://api.ibario.com/track/ib-show?cid=4105&componentid=518
hxxp://www.appregis.com/files/products/PCPerformerSetup-4.exe
hxxp://www.appregis.com/files/components/SpeedanAlysisSetupW.exe


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

SURICATA STREAM ESTABLISHED packet out of window
SURICATA STREAM Packet with invalid ack
SURICATA STREAM ESTABLISHED invalid ack

Traffic

GET /files/products/ffdshow.exe HTTP/1.1
Range: bytes=3821680-4777099
Host: VVV.appregis.com
Connection: Keep-Alive


HTTP/1.1 206 Partial Content
Server: nginx/1.2.4
Date: Sun, 17 Aug 2014 02:07:12 GMT
Content-Type: application/octet-stream
Content-Length: 955420
Last-Modified: Sat, 11 Jan 2014 12:15:49 GMT
Connection: keep-alive
Content-Range: bytes 3821680-4777099/4777100
.hP.B...d... ........i..eD... }..m...rB...g.!..m..u........&.:...>.
}.[...2..~tn...l..I..j-.!.-...d...[`.S.S.51..Qo.a.P..p.iBjY.(k..7.....
.d...~>...]._&....&.n..7LP....sO...pG...}.u.%.......%......!...s. .
......i..yoH)[email protected]{.......A.V9..L..&.I...?F&.v.$ ......L...>.7
!#zOdj>....!.M.O...~.!..&o...l.UY.c6D.....<..F.?.t...K...i.P\.A.
...B...Q...7..ZpS...!.\.4.,(..:.y-qY..o @Au?%.*.h.........8$.....v....
.....A&.8. .U....Wm....")..C.#..c.1.I..<Z.Y.....a..D.......b..B...H
...5n........2!..w......F...F.#.er...k...s.M... ...3`!8u..........$..a
!..P &._........M....X.....f......c.=.I..0........Mxs..i`.....HM4.....
F...38..L.`.6.-]~..o.........K.E.~).\....V...{..gW...!'n$V2h..&5l..^.G
..R..b.$.{..Z. /....AA.._.....l...`N.7t...c.....S..l(..y..X.`.:.......
......j....Cw...8.{h.E..8..4..u.bn..%..".'.C.....tC.o8[s>.Ey%...^..
......#W.A6....,th....L=?.........s...*..@!.l.df.|...au...J..p....bg."
ZnuK..t..=h...kX....k...........~9.........sw/A#......X.d`.....`.}....
...:n[.iV2p>.>..J.q./.S=..xQQ.._..MR..."x2............eZ.5...Je0
.....d....gVj...rda..o.j..o9.S..*.eC...b.vI...RB.3.'h..Q.......'.Ev...
..b....EAx...t....L5...0.u.....s?.C....^-...%............LM.X4........
h`Wn....".M...%...&.,....Gf}.....T..D..?ob{....G.....UV.X.p.w...h.@./.
.....N...SQ.YM..!d8`._ka..ZA.G...............VKE%...w.....&.[lqv...r.$
...YE..y*X..=0...C...q.3.....(R..._..x.5....*[email protected]..(
.9.$..X$L^....x=....@P=.....p.7.....k]..`.5.{..*..h..7^....6j....n..{L
CO...'W;.3y.....b....Q.(..P...v...{hp7.......S6.....Vk%zg:.t......

<<< skipped >>>

GET /files/products/MatroskaSplitter.exe HTTP/1.1
Range: bytes=557586-836378
Host: VVV.appregis.com
Connection: Keep-Alive


HTTP/1.1 206 Partial Content
Server: nginx/1.2.4
Date: Sun, 17 Aug 2014 02:07:17 GMT
Content-Type: application/octet-stream
Content-Length: 278793
Last-Modified: Sat, 11 Jan 2014 12:27:02 GMT
Connection: keep-alive
Content-Range: bytes 557586-836378/1393969
..!.N.....LC......yu..O...J.V....5..XX.c(.~.0....L.bP.LE.R..]...S..x..
%....{..>.0.1..n..i.:.v!.H.ub...j......w....mH4}A...;......LI....D.
....T.-.*]&..Ir.....9.P...Tx.~.F.XW...-$....xfq...t....^..x.Y|,.x..]..
._r..u...!.) ..$.o.....S........_.p...p8....J....K.u..........._.s....
J..3..r..5/~..\*\..7.'.i..Ub.M2.C.h^e......B...rWf#W..q.t..~...v.-....
..~dZd.).qEg],...6.*.w.P.W.......<.....\.|n..[..3.0.!6...8C....D(2.
....8).q......y............!.Z...f*,/.....zk..&.1.....j>..`...xL..c
C_..W.B.b7.....=h...p..9O.i....yT.4.m..i.k...xSk.1..Ui.uG5.....F....F|
.....n.g'..s...B.x..sg;.f...H va..GA.w_.g....._.!$..a..|....s.%*f8x...
.F..^....=7...M~ ...<........V..N.....|....@P,.".g.C..D.s6Sc%..m.i.
..t...px..w.........\.Vl....B..@...;f.9......KT....N...a....=0myH..|..
*..U.kn...6t...|!.\.....u.t~.n.)K....6......=.;..ps..N.Y:....3*_J.B..
6..D;.}o..{l. d@c...".K/s.A.V.>k.v..s._}..~.......T...4.I...2z.....
........{.p(.....`J........Y.W...W=...K"...r....rA-u(...k.b9O.g...X.0.
O...{/..2....4c....N.y....p.<Ad..s.]....i.D.7.....e..W..Q.g....{...
... ..K....@...._.cR.l..a..?.Cse....?.5..n.]....... G.....[h[..Jr....1
..Y..2.QZ.4.d.$'...n5.<.`8gW .l..(<[email protected].. .cxbX#..W#
..Q.o..u.n>/.,....(.U,..or....W;...*.h...b.y..FQ.BE.o.....Y...p?D.#
.....o.......G....i.. .;....$x...b..B8..q....n...h.V6F.X..$T......iE.9
t.n......q."4xK;...ugj1...?....~.=.....2.r..>.S.5.. L...1n...."....
.9....u,7.Gg/..YM)...knK.........O16..4....iJ.o....._.B........"..q...
..[.........#....s.8.lT}n..Q.k]......Kp...i.A.D...........9V.....F

<<< skipped >>>

HEAD /files/products/PCPerformerSetup-4.exe HTTP/1.1
Connection: close
Host: VVV.appregis.com


HTTP/1.1 200 OK
Server: nginx/1.2.4
Date: Sun, 17 Aug 2014 02:07:05 GMT
Content-Type: application/octet-stream
Content-Length: 4254614
Last-Modified: Thu, 03 Jul 2014 07:06:18 GMT
Connection: close
Accept-Ranges: bytes


HEAD /files/components/SearchAlgo.exe HTTP/1.1
Connection: close
Host: VVV.appregis.com


HTTP/1.1 200 OK
Server: nginx/1.2.4
Date: Sun, 17 Aug 2014 02:07:05 GMT
Content-Type: application/octet-stream
Content-Length: 504024
Last-Modified: Fri, 01 Aug 2014 12:54:52 GMT
Connection: close
Accept-Ranges: bytes


HEAD /files/products/MatroskaSplitter.exe HTTP/1.1
Connection: close
Host: VVV.appregis.com


HTTP/1.1 200 OK
Server: nginx/1.2.4
Date: Sun, 17 Aug 2014 02:07:06 GMT
Content-Type: application/octet-stream
Content-Length: 1393969
Last-Modified: Sat, 11 Jan 2014 12:27:02 GMT
Connection: close
Accept-Ranges: bytes


HEAD /files/components/SpeedanAlysisSetupW.exe HTTP/1.1
Connection: close
Host: VVV.appregis.com


HTTP/1.1 200 OK
Server: nginx/1.2.4
Date: Sun, 17 Aug 2014 02:07:06 GMT
Content-Type: application/octet-stream
Content-Length: 1952505
Last-Modified: Tue, 17 Jun 2014 12:40:52 GMT
Connection: close
Accept-Ranges: bytes


GET /files/products/ffdshow.exe HTTP/1.1
Range: bytes=1910840-2866259
Host: VVV.appregis.com
Connection: Keep-Alive


HTTP/1.1 206 Partial Content
Server: nginx/1.2.4
Date: Sun, 17 Aug 2014 02:07:12 GMT
Content-Type: application/octet-stream
Content-Length: 955420
Last-Modified: Sat, 11 Jan 2014 12:15:49 GMT
Connection: keep-alive
Content-Range: bytes 1910840-2866259/4777100
zP.{=&w|.....j...%v&p...d.}sz.....t..J..7....%.ZZ.$d.!.m.% ...._d..'..
....f.......#~....0k.....Oly...2..G.....jN..b...bj.A..z.....&...!.jA.t
..4.!{.....I.N.....x.#.Y{.b.2...t._...d../...Hc..5Q.H.'...f...Ui..`0D.
...p.3....[...Z.{........`UXZ...&.......Kf.D.!...}j.|..O!..!.v....PSL.
......w.G...../[email protected]....|.K.|..N6w.....\..-\X.US.. ......
6....y........ .....U&.:...x..r.P...%!&2.............aKD..6.z..X......
'.{[email protected]....._.,,....k.1W{Z..rH..o.]/.N.....d..G...yi"..E....
.GB.".0.HS.u.=....P...9....j....Z..S}..V...g...\mx..">.....<....
.."."a...|..?...D.....iy([email protected]$...nbPy# tR.|U...}.q:.....2.
GW..~.I...........e.....^.m|....]..p..b[x.<[email protected]@....$.%...$!i
.En-..._d...0YP......v....G..HHt.3.8..$z.O._.E..A.Q.T.o.]..RTld.)....x
..g..!A. ...Fx..s.m....c..f....~,......!...E..TU.[s.92.ktx.MR.4B.C...l
.p...cg ....=W.eog..7|.z.N...F.Y.-%7..........M..;p.../G.E.([.'..K1Y..
.....t=..>....... ...q.r.$....6wc.Sv.}..}....{.o...d|...#.......w.v
p..6/..l.....:..!=*.u..?.N.......M^....S....6RSdz..CW.'dr%....1..M..6.
...=.1.....^.Q......m... _..cOB;,..z........e.2.........8a.&....s..~u.
{z..<..m..&..L...}.#..n..6......h....$....9. ).._\gd...y.sc/.3.a.&.
....F.O..W9.B............O...{..\.Wo.c..Q.wy..z.......Z&....U..C..|=..
g.S'..:..*.]uO....X).'5@ E.X.............>.....4u..i..I....`A.bK]j.
...Ux..v..{.{..Q..?.dH..g......{..[.p..<.)...6A............ek....B.
...>...C...dv.9..?s..3..J../y.......@H}[email protected].!(.o....~...:..
>j.PNC.Y.P^.U.Nc..X........p.)."t....-..TS......T..........9...

<<< skipped >>>

GET /files/products/MatroskaSplitter.exe HTTP/1.1
Range: bytes=278793-557585
Host: VVV.appregis.com
Connection: Keep-Alive


HTTP/1.1 206 Partial Content
Server: nginx/1.2.4
Date: Sun, 17 Aug 2014 02:07:17 GMT
Content-Type: application/octet-stream
Content-Length: 278793
Last-Modified: Sat, 11 Jan 2014 12:27:02 GMT
Connection: keep-alive
Content-Range: bytes 278793-557585/1393969
k...9}@.<-4..}.. wo`$ey......1..r..6f...r...%....*.....<....=.&.
..>K..9g...................a.C_._Mn.]W.b.2Y[....b.8...cl...Fj.....F
32..C...5q=.>..Q...:.....%....vHJ.... h:[email protected]......`p....r.
....DL.Z.*c.E-...)]...F..#Y.%..j2a,.......$..X5>z)..u....Px...k...c
W1..>..o.....KK....x;...b.E.L.j:....<p25.4|^..e.s.............&g
t;.H....5......W..w.X(..S....X.d...]"7......M...4......g.."s........h.
.%.....-..m..- .H3..9u.#V|bn...&i..o..M.....Dj...7%..Pw..d?.M..GC.EfW.
.l.....0.c.....J...>9u>AxJ...l.!5.6".....U......u.G...V..Q*95..w
.!..3....i..d?.*Q.:..*?y.?]RW...r<{.h...K....-XA.}.L.S..51Z.~......
-.......b=...........W.@.^.(#........k#....N|.'c'.......Gl...<>.
.......y%.RM..H..Z.t.y...4...o..;N..F.......O....ui.3...C..._.u.Ut...7
f.........hXmZ......&C...... $...F..i..../sQ...n....y[..pU..)....R@..%
*...(..gR..9t.. U!.....B./.QX.&.}.....l.v.R..o..J..-.b...*Qe.........m
........!..._.%l.h.Cc.{.b.u(n!"aq.k.b[.v.9k.A.6[.$.F_P.`.E'........s.
..Ig.".l ...;.23C../.8..%g.....s........D.........v...... 9.....#..T..
.7.D.....;.,V.W..P..@'.0.......7...:.....miVjO.......\VM.`.4.p._...k..
[email protected]...(.;...9..A1. .u.c...........i.....H.Nv... ...#i....Pd.
..y...t... .........|..............-E......u..n&??..B..&.....EV..|...2
d.x..1....'.V..k.!W.......K......5o..x.o..d.. .....~.d..)...SW.lY.\...
..a....S.i.....J..ytC........B`.W...b.C.<O..3..Z..AR..E.;4....2F...
...S.f.QW..dK..iy...f..B..8.....`.l........'......4. ../.9....L..s.b&g
t;.<.m.M.....>............=..v#Z........6...A.U.s....AE`.uX

<<< skipped >>>

HEAD /files/components/SearchShock.exe HTTP/1.1
Connection: close
Host: VVV.appregis.com


HTTP/1.1 200 OK
Server: nginx/1.2.4
Date: Sun, 17 Aug 2014 02:07:05 GMT
Content-Type: application/octet-stream
Content-Length: 575323
Last-Modified: Fri, 01 Aug 2014 12:54:56 GMT
Connection: close
Accept-Ranges: bytes


HEAD /files/products/MatroskaSplitter.exe HTTP/1.1
Connection: close
Host: VVV.appregis.com


HTTP/1.1 200 OK
Server: nginx/1.2.4
Date: Sun, 17 Aug 2014 02:07:16 GMT
Content-Type: application/octet-stream
Content-Length: 1393969
Last-Modified: Sat, 11 Jan 2014 12:27:02 GMT
Connection: close
Accept-Ranges: bytes


GET /files/products/ffdshow.exe HTTP/1.1
Range: bytes=0-955419
Host: VVV.appregis.com
Connection: Keep-Alive


HTTP/1.1 206 Partial Content
Server: nginx/1.2.4
Date: Sun, 17 Aug 2014 02:07:12 GMT
Content-Type: application/octet-stream
Content-Length: 955420
Last-Modified: Sat, 11 Jan 2014 12:15:49 GMT
Connection: keep-alive
Content-Range: bytes 0-955419/4777100
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$........#yd.B.7.B.7
.B.7..z7.B.7..l7.B.7.B.7.B.7.:.7.B.7...7.B.7.:.7.B.7Rich.B.7..........
..............PE..L....q.N.................d.......B...3............@.
.........................0............................................
........... ..x.......................................................
.....................................................text...@b.......d
.................. ..`.rdata...............h..............@[email protected]...
|[email protected]................................
...rsrc...x.... ......................@..@............................
......................................................................
......................................................................
......................................................................
......................................................................
............................................U....\.}..t .}.F.E.u..H...
...G..H.P.u..u..u...|[email protected][email protected].....@
..}[email protected]... M..........M........E...FQ.....NU..M
.......M...VT..U........FP..E...............E.P.M...H.@..E..P.E..E.P.u
[email protected]}[email protected].}.j.W.E......E.......P
[email protected][email protected][email protected] [email protected]..
...@._^3.[.....L$....G...i. @...T.....tUVW.q.3.;5..G.sD..i. @...D..S..
...t.G.....t...O..t .....u...3....3...F. @..;5..G.r.[_^...U..QQ.U.

<<< skipped >>>

GET /files/products/MatroskaSplitter.exe HTTP/1.1
Range: bytes=1115172-1393968
Host: VVV.appregis.com
Connection: Keep-Alive


HTTP/1.1 206 Partial Content
Server: nginx/1.2.4
Date: Sun, 17 Aug 2014 02:07:17 GMT
Content-Type: application/octet-stream
Content-Length: 278797
Last-Modified: Sat, 11 Jan 2014 12:27:02 GMT
Connection: keep-alive
Content-Range: bytes 1115172-1393968/1393969
|j......."......h>.OY..b..C......r.B.?..... ...Uy..5K(.F./.:'=|R.")
V.F..2.....hb`.O......:.M..^.......]...pTa.s..)[s{.Uj....M..5..9..<
-..9C...(.J....\.........}<@..*.....Y......0/[email protected]../...K.
..kY0.._!.......P..'.......O....d..V...G..>J.0..,<.{......!...oU
..-7E(...n.7.$4..j......YP..Um.......aP..7-[...R.>.T.r.Q......./F..
..#v..^l..)....R.Z.\{.cn....:...|!...........p....../....=]4....K.?..#
...U7...b.%if......6..q..\.,1M.].{[email protected])1...L.i.u..$.w
...}.u!=.xt.1..!..h..D..u.[,......zw.i....=.Z..p....".....EQ...s.K.K..
.....{.f..b.".. .s./....a...WZ.!........i.C.4L..2rFXA....5t.......x. .
..9=#Q...`y......I(..b.......Z..,..Fv>O..`Nb.g...(..!...ZP2b.x..l,a
O>$....!...G.'...6*..*...._..ieb....1..-.8.=...Zb.".D..KIL..?...VB.
..P.{.8.V5~./..Yl.p..U..N..)|.....s[b...G].m..E..>.....yQ..........
........bJE......;O{&&...Ph..5K3..&\o.....r .,.......^.Y1.W..nJ.^hP.St
QtHG....[.=..M.:..2. [email protected]].....x..].C...%.{.M...d".l8].-V...$.k.
Am.......W.<st.8.~..V...A.E..........m.8..S.W........)1....C.mW].e.
.Yg.V.........=.Z7................k.....K/.."g...Jk....)TB...wi.......
Q.>.4G..I...x?......s...[.7Z....... ...8.....K.#..f.S.l<L.-y<
rhV.........7.3.'...v.z...H.....9(.U.-....3'......9x....4..n'w..N. :..
.........-1.J.0.#...0.1 !...h......Jp'H...O.H...TN}.5E.........M=.@...
..i.=.8.......:.Ug.p..2.;.D(.-%Z#.W.y-..T..pu..z.a@[._.l&T.2.-0.kB.0.g
.j.s0.|(...`.......:/r...}. J..V.d0.6..'....]!..Kw...M73:...zG].4.d.t.
kz.c%.|...A..L...[......!....h..r..HM..!.....07.g.-~E...X..Z...)ha

<<< skipped >>>

HEAD /files/components/CloudBackup.exe HTTP/1.1
Connection: close
Host: VVV.appregis.com


HTTP/1.1 200 OK
Server: nginx/1.2.4
Date: Sun, 17 Aug 2014 02:07:05 GMT
Content-Type: application/octet-stream
Content-Length: 165000
Last-Modified: Tue, 22 Jul 2014 07:47:03 GMT
Connection: close
Accept-Ranges: bytes


HEAD /files/products/UnknownFile.exe HTTP/1.1
Connection: close
Host: VVV.appregis.com


HTTP/1.1 200 OK
Server: nginx/1.2.4
Date: Sun, 17 Aug 2014 02:07:06 GMT
Content-Type: application/octet-stream
Content-Length: 140443
Last-Modified: Tue, 22 Jul 2014 12:39:41 GMT
Connection: close
Accept-Ranges: bytes


GET /files/products/ffdshow.exe HTTP/1.1
Range: bytes=2866260-3821679
Host: VVV.appregis.com
Connection: Keep-Alive


HTTP/1.1 206 Partial Content
Server: nginx/1.2.4
Date: Sun, 17 Aug 2014 02:07:12 GMT
Content-Type: application/octet-stream
Content-Length: 955420
Last-Modified: Sat, 11 Jan 2014 12:15:49 GMT
Connection: keep-alive
Content-Range: bytes 2866260-3821679/4777100
j..".i...7....18...d......=....G.<.x....(......`...0.n.0...R.c...:.
.F.4.*-.^...c...4.r.L..rE".O"[email protected]]..X.R..|h.......5.S.^;...].|X.0X
...P..&....Z..K`[...!..iOu...E5J...6.y.....UH\i..rP.....KV.B!Z..7Ej...
9XN..8...Z ...LO..|.}..e...y....KJ.u}7.C.......i.P;Mi8N.....2..{2w..z.
....y..a.bZ?..wu3...m.M.^..?...e.U.......N...Y.N$.U...J.P.w..X`\Y..x..
.DMz.0.......B..e.'.%^.. i..%....tB ...]_....io............;...<.."
.d.-.x,.X.....q..dYt...?V..0.1......%....e..5.....Wi:.w. ..(e.j..p....
......I..Z.]-..P..^.L.(.Z.n%..jP.7..l..F4/.%..EPP..?...~.p..i....MZ..-
~..........x..}&a.....H..;..[.;KI....i.7..).._.z\..h.K.2..8o}!..P.....
..Pgs......>.MC'y.b..>.pU.=...._)>..o....\...k.i.B.=C4.OOv..{
..[6......n..u..O....Z....<.3/..L.:..,.:.W.....7.!.;iTK.....m..ss&g
t;|..&u.....\.....Z.lz..UG.M..o.......W......)...I(.....N5V.f{. ..#.1.
m4ON......-..<h...!....Q_..k^ .....C..3nl.....LvP- ....V..`.2y]V..h
R.q...._....3...6f.y..z....&...L.oUS.\.J......?lT.j.5.\R....w.e*9}r"O.
3.ay.....V..Q..P...xU&K."cb..."Dq..Ji^.N.......J~...ww,[email protected]./c..h..
|X..4.w..s.<....u..Q....W.L.Z..3 .(..u..Kk. ............c.4n#D..)..
..W.....>.B..E.|h*'.!. 6....;....<..M.M...vp..G..5.,.-.4.S.n.#..
.~.oA;.lj...H...*].~..G.......9..]...<.F7r{..f...9..s..3..0.. 1.0.m
..|..........m...f...!&...-2a?.9....I..j*%.j..M...G*f.P.'.M;.wK...ci..
..7......./d..rX.Q..?..n.9.a.h..P..n>.#....;[email protected][email protected]..(&7.
........W....\.Y....'h .....}>.:'.\.n .../.O....u;.y'....7...... .|
..L...0"........Y..B|..5J..%..n...Q,....z.Y[.q.6.eM.;.L....Gq?.N..

<<< skipped >>>

GET /files/products/MatroskaSplitter.exe HTTP/1.1
Range: bytes=836379-1115171
Host: VVV.appregis.com
Connection: Keep-Alive


HTTP/1.1 206 Partial Content
Server: nginx/1.2.4
Date: Sun, 17 Aug 2014 02:07:17 GMT
Content-Type: application/octet-stream
Content-Length: 278793
Last-Modified: Sat, 11 Jan 2014 12:27:02 GMT
Connection: keep-alive
Content-Range: bytes 836379-1115171/1393969
QC.#:..0.........z.;#-......#6.ZE^P.....1|..If..lE.$..r..>[email protected]
..[.....F.....7q....C....J?..]%. .w.sR..2x.....-.-.Sw..i.).M.'n.......
U.9.........C}..71..W].....\.A7.s...........;.[.F.'_(....=N.Z.....M..W
.J=.8.l...V0..y._8?P. ......p. ......7..7O.........id...2..l......8.&l
t;.3..^3..'N.]\@...r.H.?......e{..;.o.J.s!.Sz.][email protected]..!t... ..
.c.ZuI. .f.x.M......d~..b...0S...>.....p.IRd.E.....m... ....`....V.
...*.G........qy...U\k..E"..5.{:S.t..v:{.m..z..../.JE.. .....t......U(
S.s.....KL.Wfa(.)f.c....0..c...9.pQ............a3t2...C.u...5d..2-...Q
H......61.. .....L...%........q......Z7...K......j..uW..\nA.M.-..E....
~e.#.g9....G.z......x.h..B.s...: L<.^[email protected].$.3.k....,
/.G.t.q....^...|.n...KfJ;..y...B.W.......gU...d..#*..]2.f.Z.....S...).
v).........F..QH......IE[y.W.6..D..4.p.........i...HK.......Z..k...8.K
S':[email protected].;.DU.~....!.)J...........D.8t.......p...e.)..-0
...=.;).....8o.<hj.../8<T...X.....y...`K.2.4.1...Q....Q...z.1.2q
.N....)...5...k.H...s..|,..t.U..R...........*...._..BF.7.LaWV.F=G#.W7.
7...m...6.|....k_;Pz..$....?.......B.Y.....A......F[..wO>=._R-.T...
..u.h...>.r.!..........$..x..dG. $....XV.%...\&...r..h....3u..Z..z.
s.J.b......W)JP...u.%..!.f..F...Y$c....~1.g..]......,.4.-.T..0....3...
.~^...!......*6..%.2...........#..'.uiBIao. ..6...j.4 O..-0J.<A..3.
-2...g^1..pzm~.*..3.c..d..r.d......~....h.eU'Ko,.A..D...8......m..3...
...-...[...6..B3\.!.\[....}'..3...x.,.#.....y-..(...O.%..Q......p.I...
.]......y.&H..Xo#0.;..Y.u[....GZR..g.......}.!.......|.`...P.q....

<<< skipped >>>

HEAD /files/products/ffdshow.exe HTTP/1.1
Connection: close
Host: VVV.appregis.com


HTTP/1.1 200 OK
Server: nginx/1.2.4
Date: Sun, 17 Aug 2014 02:07:12 GMT
Content-Type: application/octet-stream
Content-Length: 4777100
Last-Modified: Sat, 11 Jan 2014 12:15:49 GMT
Connection: close
Accept-Ranges: bytes


HEAD /files/products/ffdshow.exe HTTP/1.1
Connection: close
Host: VVV.appregis.com


HTTP/1.1 200 OK
Server: nginx/1.2.4
Date: Sun, 17 Aug 2014 02:07:06 GMT
Content-Type: application/octet-stream
Content-Length: 4777100
Last-Modified: Sat, 11 Jan 2014 12:15:49 GMT
Connection: close
Accept-Ranges: bytes


HEAD /files/components/sp-downloader.exe HTTP/1.1
Connection: close
Host: VVV.appregis.com


HTTP/1.1 200 OK
Server: nginx/1.2.4
Date: Sun, 17 Aug 2014 02:07:04 GMT
Content-Type: application/octet-stream
Content-Length: 145928
Last-Modified: Wed, 14 May 2014 15:11:00 GMT
Connection: close
Accept-Ranges: bytes


HEAD /files/components/BuenoSearchTB.exe HTTP/1.1
Connection: close
Host: VVV.appregis.com


HTTP/1.1 200 OK
Server: nginx/1.2.4
Date: Sun, 17 Aug 2014 02:07:05 GMT
Content-Type: application/octet-stream
Content-Length: 744136
Last-Modified: Mon, 16 Dec 2013 10:24:31 GMT
Connection: close
Accept-Ranges: bytes


HEAD /files/components/yandex_downloader_v3.exe HTTP/1.1
Connection: close
Host: VVV.appregis.com


HTTP/1.1 200 OK
Server: nginx/1.2.4
Date: Sun, 17 Aug 2014 02:07:05 GMT
Content-Type: application/octet-stream
Content-Length: 145792
Last-Modified: Wed, 17 Jul 2013 10:46:52 GMT
Connection: close
Accept-Ranges: bytes


HEAD /files/components/PortalMoreSetup.exe HTTP/1.1
Connection: close
Host: VVV.appregis.com


HTTP/1.1 200 OK
Server: nginx/1.2.4
Date: Sun, 17 Aug 2014 02:07:05 GMT
Content-Type: application/octet-stream
Content-Length: 582640
Last-Modified: Tue, 12 Aug 2014 12:10:04 GMT
Connection: close
Accept-Ranges: bytes


GET /files/products/ffdshow.exe HTTP/1.1
Range: bytes=955420-1910839
Host: VVV.appregis.com
Connection: Keep-Alive


HTTP/1.1 206 Partial Content
Server: nginx/1.2.4
Date: Sun, 17 Aug 2014 02:07:12 GMT
Content-Type: application/octet-stream
Content-Length: 955420
Last-Modified: Sat, 11 Jan 2014 12:15:49 GMT
Connection: keep-alive
Content-Range: bytes 955420-1910839/4777100
..........:..5..v.v!.:..98 ._..c...9...|......b..}.....xm.u|.2>....
.9...c......t0k;$ .;.....=...^.....^..W.$wN..i'...7....~&.t...1E..o..5
........].>....q......O6. P.k..5...D...@.......... [email protected]{.?.n.?.
...Q...x2>..i.E...........h.eL....SG.<Ax..O..mO.QE.P...V..%..Z.&
gt;..v.n....#m.....I$.^i.....Q.,....\....a..O...iY....k...Q/OI..w.C...
...@.&...s...}....0...A..M..6..p..V ..E8Tc_;f.P....D:7.-P..F5.QtY.3l..
Y%r.;...k o.v[..k(.y"..}).....c....Kt.$<...2f".3y..)m...U..E.._".J.
....s4..Sy.....[_..a.....zf...u.C ...x..E...5r...?a....p...Y...d?.....
.. .. 4./...6.4..-.s..A.)..>$U...IE.f....A..].f.{/h......h.....0..~
"..W(.....o..(S.E.A.....3.b{8.).(..%..rbH.9..c`.$.Y../.T. 9a..f...x...
n..G.7....Q.3...z..h.{..W....E..5X..lyM.^.b.....#.......Z3.....n...&.V
4../.#Ux.>.D.9....;..t.4........<..m.y...''.xV.5.....#.Bl...`..$
.C5 ..=.....({Y#C.{.......l.W..!.$...6...Q.A ._....Qj.`....%4......
...O....u26....U.<.e. .....u.........<....1}C.^b.qC.9./..=..0[.m
....$RqU[J...t....Z.....\0.!...5`&.C_Tp....$V... jB.......X#.!....]'{.
..y&CV....DWR...u....[,................a......B.!..x........){J..n..V.
...b.lK.`C>.6L.*.....n4.a.....s..T...xo...F.....G..k.<.....4B...
e.!.....',e.!6..e`7.x...S..dGj.J|.`....Q1.%.......\\P..u'd.....(....C6
nFL..^[email protected].......{/. ....................
.<.|.8....B.....U......g...... .....[.....X...>^U4b.. NJ.....v!.
EC.0.........$u.._.I....&.eA....&....#...........yyIo/..T_..e$..6j...m
..G....NG}...`BQ.....~..X>6...8.].......D..I@.#...v.......] .pA

<<< skipped >>>

GET /files/products/MatroskaSplitter.exe HTTP/1.1
Range: bytes=0-278792
Host: VVV.appregis.com
Connection: Keep-Alive


HTTP/1.1 206 Partial Content
Server: nginx/1.2.4
Date: Sun, 17 Aug 2014 02:07:17 GMT
Content-Type: application/octet-stream
Content-Length: 278793
Last-Modified: Sat, 11 Jan 2014 12:27:02 GMT
Connection: keep-alive
Content-Range: bytes 0-278792/1393969
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$........#yd.B.7.B.7
.B.7..z7.B.7..l7.B.7.B.7.B.7.:.7.B.7...7.B.7.:.7.B.7Rich.B.7..........
..............PE..L....q.N.................d.......B...3............@.
.........................0............................................
........... ..x.......................................................
.....................................................text...@b.......d
.................. ..`.rdata...............h..............@[email protected]...
|[email protected]................................
...rsrc...x.... ......................@..@............................
......................................................................
......................................................................
......................................................................
......................................................................
............................................U....\.}..t .}.F.E.u..H...
...G..H.P.u..u..u...|[email protected][email protected].....@
..}[email protected]... M..........M........E...FQ.....NU..M
.......M...VT..U........FP..E...............E.P.M...H.@..E..P.E..E.P.u
[email protected]}[email protected].}.j.W.E......E.......P
[email protected][email protected][email protected] [email protected]..
...@._^3.[.....L$....G...i. @...T.....tUVW.q.3.;5..G.sD..i. @...D..S..
...t.G.....t...O..t .....u...3....3...F. @..;5..G.r.[_^...U..QQ.U.

<<< skipped >>>

GET /track/ib-start?cid=4105 HTTP/1.1
Host: api.ibario.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx
Date: Sun, 17 Aug 2014 02:07:04 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=2
Vary: Accept-Encoding
X-Powered-By: PHP/5.4.13
27..{"flash":{},"error":false,"status":200}..0......



GET /track/ib-show?cid=4105&componentid=518 HTTP/1.1
Host: api.ibario.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx
Date: Sun, 17 Aug 2014 02:07:05 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=2
Vary: Accept-Encoding
X-Powered-By: PHP/5.4.13
27..{"flash":{},"error":false,"status":200}..0......



GET /track/ib-show?cid=4105&componentid=519 HTTP/1.1
Host: api.ibario.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx
Date: Sun, 17 Aug 2014 02:07:05 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=2
Vary: Accept-Encoding
X-Powered-By: PHP/5.4.13
27..{"flash":{},"error":false,"status":200}..0..


The Application connects to the servers at the following location(s):

%original file name%.exe_1840:

.text
`.rdata
@.data
.rsrc
@.reloc
RC4 for x86, CRYPTOGAMS by <[email protected]>
6-9'6-9'
$6.:$6.:
*?#1*?#1
>8$4,8$4,
AES for x86, CRYPTOGAMS by <[email protected]>
cwX_UcTB^DCRTf
yTPAwCTT}^PUcTB^DCRT}^RZcTB^DCRTbXKT^WcTB^DCRT
\PX_BTEnBGRnREC]nYP_U]TCP
wX_UcTB^DCRTf
1.2.7
inflate 1.2.7 Copyright 1995-2012 Mark Adler
operator
GetProcessWindowStation
GetWindowsDirectoryW
GetProcessHeap
KERNEL32.dll
USER32.dll
GDI32.dll
GetCPInfo
zcÁ
\u.bo
b7x.Kr
.vw$.]n
.Gkek
/x.aQ
z)EJe-e}
/%F)Y
z.RA.
G.tiJ
.se<Id
F.Qtu
G.pP;
[email protected]
qB.Ay
%sA2K
DC> '%d
w.DDs
<` /
.tEpU
&.GO)'T
f.ATI
l%Uem
E%D,^
.C.qoU
Q%c:N
%f=esO0@
eL%F%u4
8%XGyvK
h.TS$w
}qD.KX,
q.MbY
)5N %S
.yo0m,
x.sU)
m%fIZ
Y%xsc
0.ekS
.Ea{;w
d*.rQ-
x7^U.Vj
2V.xi]
<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*">
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS>
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS>
7*8084888<8
2 2$2(2,2
$0 0@0|0
? ?%?,?1???
kernel32.dll
KERNEL32.DLL
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL
c:\%original file name%.exe
15.9.28.27
installer.exe

%original file name%.exe_1840_rwx_01570000_00001000:

.text
`.rdata
@.data
.rsrc
@.reloc

%original file name%.exe_1840_rwx_0167E000_00004000:

c:\%original file name%.exe


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
  2. Delete the original Application file.
  3. Delete or disinfect the following files created/modified by the Application:

    %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\b4.gif (661 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\pb-bg-right.jpg (468 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\btn.png (716 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\3008.html (7 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\b-bg.gif (295 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\red-pb-act-right.jpg (694 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\B2.tmp (12 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\main.css (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\pb-bg.jpg (333 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\corn4.png (130 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\b3.gif (384 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\3146.html (19 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\arrow.gif (207 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\component_518.part (33029 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\events\cav.xml (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\3601.html (7 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\3232.html (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\red-pb-act-left.jpg (681 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\events\events.js (17 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\mask.bmp (42 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\3941.html (7 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\2985.html (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\component_519.part (5954 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\B3.tmp (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\arrow.png (911 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\lbg-top.gif (12 bytes)
    %System%\wbem\Logs\wbemprox.log (76 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ajax-loader2.gif (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\js\jquery-1.7.min.js (94 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\2984.html (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\js\jquery.noselect.min.js (299 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\2980.html (9 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\lbg.gif (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\center2.jpg (305 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\btn2.png (402 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\pb-bg-left.jpg (460 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ajax-loader.gif (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\3600.html (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\2987.html (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\2986.html (7 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\main - копия.css (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\mid.jpg (403 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\logo.png (13 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\js\smart.js (24 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\lbg-bottom.gif (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\conditions\conditions.js (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\3145.html (18 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\check.jpg (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\corn3.png (138 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\corn2.png (136 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\corn1.png (139 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\3364.html (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\js\old_smart.js (23 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\trust.gif (437 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\red-pb-act.jpg (380 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\js\config.js (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\template_40.png (110 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\3385.html (17 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
