MD5: ad692556140e84a9fb839451adffcf00
SHA1: 942e5a4974c2b21806fb960faf7a8d487e37347a
SHA256: 0ca2fc821a06800698ad28d2624129df06f6fb344bf7dcb42c29f7721381f4c1
SSDeep: 12288:TLojy90QnAakyPzV/wKmoiC CEdHpObV R9OgXFt8pYnvmcaHm7GHAkOYmVkRJR9:GyXnA wf8 rdEbIR9O0tDnvNb1NuJBn
Size: 1022464 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-07-14 02:42:43
Analyzed on: WindowsXP SP3 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:1592

The Trojan injects its code into the following process(es):

SOFTON~1.EXE:176

Mutexes

The following mutexes were created/opened:

ShimCacheMutex

File activity

The process %original file name%.exe:1592 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\CAMTAS~1.EXE (13304 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\SOFTON~1.EXE (8292 bytes)

The process SOFTON~1.EXE:176 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\universaldownloader-prefetch[1].htm (2011 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\campaign-101361[1] (2826 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\camtasia-studio-25[1].png (2571 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CARMC77L.gif (35 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@softonic[2].txt (311 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\analytics[1].js (1008 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CA58N6J5.gif (35 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\cc92a7d66e[1].setToken (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\gradientbg[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\sprite[1].png (7 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@softonic[1].txt (490 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\1470e-36454[1].js (10138 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\fad58-0b1e4[1].css (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\loading[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%System%\wbem\Logs\wbemprox.log (152 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (193 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (9700 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\nr-476.min[1].js (4153 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CAK9AR4T.gif (35 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CALGOJ1X.gif (35 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\campaign-101361[1].htm (2465 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (10066 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CAYVI5IP.gif (35 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CA0PQHD6.gif (35 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (22648 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\sd_101361_93215[1].jpg (5988 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\fad58-0b1e4[2].css (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CA8LMN4T.gif (35 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012014040820140409\index.dat (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@softonic[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@softonic[2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012014040820140409 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CAK9AR4T.gif (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\fad58-0b1e4[1].css (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CALGOJ1X.gif (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CAYVI5IP.gif (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CA8LMN4T.gif (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CARMC77L.gif (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CA0PQHD6.gif (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CA58N6J5.gif (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (0 bytes)

Registry activity

The process %original file name%.exe:1592 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "27 D8 9C 56 D7 A5 73 CA 7B 9D BA A1 31 81 FF E4"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"

The process SOFTON~1.EXE:176 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Softonic\Universal Downloader]
"uuid" = "69B3851B-1A0A-42AC-9C21-BCEC27C303D3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014111720141118]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012014111720141118\"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014111720141118]
"CachePrefix" = ":2014111720141118:"
"CacheLimit" = "8192"
"CacheOptions" = "11"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D9 12 58 0C 97 86 77 80 F8 7D CC 22 CA 22 08 D8"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014111720141118]
"CacheRepair" = "0"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014040820140409]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: Microsoft Corporation
Product Name: HD Player
Product Version: 8.00.7600.16385
Legal Copyright: (c) Microsoft Corporation. All rights reserved.
Legal Trademarks:
Original Filename: WEXTRACT.EXE .MUI
Internal Name: Wextract
File Version: 8.00.7600.16385 (win7_rtm.090713-1255)
File Description: Win32 Cabinet Self-Extractor
Comments:
Language: Language Neutral

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
hxxp://softonic-analytics.net/blank.gif?product=st_activity&event=window:app:loaded&id_session=419BBAB6-DD91-41E7-B3C5-625C565ECAB1&params={"api_version":"1.41.6","country":"us","flavour":"3","id_file":"17614","machine_id":"a8a67a25000000000000000c29ac6398","os":"[OS:2600,5,1,2,1,256,3,0,Service Pack 3]","ts":"1416219828","url":"hxxp://camtasia-studio.ud.en.softonic.com/17614/universaldownloader-prefetch?WL=1822","user_agent":"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C) SoftonicDownloader/1.41.6"}	46.28.209.74
hxxp://camtasia-studio.ud.en.softonic.com/17614/universaldownloader-prefetch?WL=1822	46.28.209.69
hxxp://camtasia-studio.ud.en.softonic.com/js/generated/1470e-36454.js	46.28.209.69
hxxp://www-google-analytics.l.google.com/analytics.js
hxxp://www-google-analytics.l.google.com/__utm.gif?utmwv=5.4.6&utms=1&utmn=1363540769&utmhn=camtasia-studio.ud.en.softonic.com&utmcs=utf-8&utmsr=1276x846&utmvp=650x450&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=Download and installation process for Camtasia Studio&utmhid=312431175&utmr=-&utmp=/17614/universaldownloader-prefetch?WL=1822&utmht=1416219830914&utmac=UA-48247475-1&utmcc=__utma=74966784.1220658294.1416219831.1416219831.1416219831.1;+__utmz=74966784.1416219831.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmmt=1&utmu=qAAg~
hxxp://c.global-ssl.fastly.net/nr-476.min.js
hxxp://www-google-analytics.l.google.com/r/collect?v=1&_v=j30&a=312431175&t=pageview&_s=1&dl=http://camtasia-studio.ud.en.softonic.com/17614/universaldownloader-prefetch?WL=1822&ul=en-us&de=utf-8&dt=Download and installation process for Camtasia Studio&sd=32-bit&sr=1276x846&vp=650x450&je=0&fl=11.6 r602&_utma=74966784.1220658294.1416219831.1416219831.1416219831.1&_utmz=74966784.1416219831.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)&_utmht=1416219832351&_u=MQACAEAAI~&jid=248504733&cid=1220658294.1416219831&tid=UA-48247475-3&_r=1&z=142078201
hxxp://camtasia-studio.ud.en.softonic.com/universaldownloader-track?wl=1822	46.28.209.69
hxxp://camtasia-studio.ud.en.softonic.com/17614/universaldownloader/campaign-101361?WL=1822&sd_timestamp=1416219830	46.28.209.69
hxxp://camtasia-studio.ud.en.softonic.com/css/generated/fad58-0b1e4.css	46.28.209.69
hxxp://screenshots.en.sftcdn.net/en/scrn/17000/17614/camtasia-studio-25.png	46.28.209.52
hxxp://screenshots.en.sftcdn.net/campaign/scrn/101000/101361/sd_101361_93215.jpeg	46.28.209.52
hxxp://camtasia-studio.ud.en.softonic.com/shared/img/sd_client/gradientbg.png	46.28.209.69
hxxp://camtasia-studio.ud.en.softonic.com/shared/img/sd_client/loading.gif	46.28.209.69
hxxp://camtasia-studio.ud.en.softonic.com/shared/img/sd_client/sprite.png	46.28.209.69
hxxp://www-google-analytics.l.google.com/collect?v=1&_v=j30&a=1826458754&t=pageview&_s=1&dl=http://camtasia-studio.ud.en.softonic.com/17614/universaldownloader/campaign-101361?WL=1822&sd_timestamp=1416219830&ul=en-us&de=utf-8&dt=Download and installation process for Camtasia Studio&sd=32-bit&sr=1276x846&vp=650x450&je=0&fl=11.6 r602&_utma=74966784.1220658294.1416219831.1416219831.1416219831.1&_utmz=74966784.1416219831.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)&_utmht=1416219833914&_u=MACCAEAAI~&jid=&cid=1220658294.1416219831&tid=UA-48247475-3&z=937265454
hxxp://www-google-analytics.l.google.com/__utm.gif?utmwv=5.4.6&utms=2&utmn=526057416&utmhn=camtasia-studio.ud.en.softonic.com&utmcs=utf-8&utmsr=1276x846&utmvp=650x450&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=Download and installation process for Camtasia Studio&utmhid=1826458754&utmr=-&utmp=/17614/universaldownloader/campaign-101361?WL=1822&sd_timestamp=1416219830&utmht=1416219834257&utmac=UA-48247475-1&utmcc=__utma=74966784.1220658294.1416219831.1416219831.1416219831.1;+__utmz=74966784.1416219831.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmmt=1&utmu=qAAg~
hxxp://www-google-analytics.l.google.com/__utm.gif?utmwv=5.4.6&utms=3&utmn=514346309&utmhn=camtasia-studio.ud.en.softonic.com&utmcs=utf-8&utmsr=1276x846&utmvp=650x450&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=Download and installation process for Camtasia Studio&utmhid=1826458754&utmr=http://unknown_browser_unknown_version&utmp=/init_startup&utmht=1416219834554&utmac=UA-152357-9&utmcc=__utma=74966784.1220658294.1416219831.1416219831.1416219831.1;+__utmz=74966784.1416219831.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmmt=1&utmu=qACgAAAAC~
hxxp://www-google-analytics.l.google.com/__utm.gif?utmwv=5.4.6&utms=4&utmn=11233041&utmhn=camtasia-studio.ud.en.softonic.com&utmcs=utf-8&utmsr=1276x846&utmvp=650x450&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=Download and installation process for Camtasia Studio&utmhid=1826458754&utmr=http://unknown_browser_unknown_version&utmp=/start_api&utmht=1416219834586&utmac=UA-152357-9&utmcc=__utma=74966784.1220658294.1416219831.1416219831.1416219831.1;+__utmz=74966784.1416219831.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmmt=1&utmu=qACgAAAAC~
hxxp://www-google-analytics.l.google.com/__utm.gif?utmwv=5.4.6&utms=5&utmn=1891377921&utmhn=camtasia-studio.ud.en.softonic.com&utmcs=utf-8&utmsr=1276x846&utmvp=650x450&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=Download and installation process for Camtasia Studio&utmhid=1826458754&utmr=http://unknown_browser_unknown_version&utmp=/legal_start&utmht=1416219834742&utmac=UA-152357-9&utmcc=__utma=74966784.1220658294.1416219831.1416219831.1416219831.1;+__utmz=74966784.1416219831.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmmt=1&utmu=qACgAAAAC~
hxxp://www-google-analytics.l.google.com/__utm.gif?utmwv=5.4.6&utms=6&utmn=760046469&utmhn=camtasia-studio.ud.en.softonic.com&utmcs=utf-8&utmsr=1276x846&utmvp=650x450&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=Download and installation process for Camtasia Studio&utmhid=1826458754&utmr=http://unknown_browser_unknown_version&utmp=/legal_timestamp&utmht=1416219834992&utmac=UA-152357-9&utmcc=__utma=74966784.1220658294.1416219831.1416219831.1416219831.1;+__utmz=74966784.1416219831.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmmt=1&utmu=qACgAAAAC~
hxxp://www-google-analytics.l.google.com/__utm.gif?utmwv=5.4.6&utms=7&utmn=1837934325&utmhn=camtasia-studio.ud.en.softonic.com&utmcs=utf-8&utmsr=1276x846&utmvp=650x450&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=Download and installation process for Camtasia Studio&utmhid=1826458754&utmr=http://unknown_browser_unknown_version&utmp=/C101361--load1&utmht=1416219835211&utmac=UA-152357-9&utmcc=__utma=74966784.1220658294.1416219831.1416219831.1416219831.1;+__utmz=74966784.1416219831.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmmt=1&utmu=qACgAAAAC~
hxxp://www.google-analytics.com/__utm.gif?utmwv=5.4.6&utms=6&utmn=760046469&utmhn=camtasia-studio.ud.en.softonic.com&utmcs=utf-8&utmsr=1276x846&utmvp=650x450&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=Download and installation process for Camtasia Studio&utmhid=1826458754&utmr=http://unknown_browser_unknown_version&utmp=/legal_timestamp&utmht=1416219834992&utmac=UA-152357-9&utmcc=__utma=74966784.1220658294.1416219831.1416219831.1416219831.1;+__utmz=74966784.1416219831.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmmt=1&utmu=qACgAAAAC~	173.194.116.192
hxxp://www.google-analytics.com/__utm.gif?utmwv=5.4.6&utms=7&utmn=1837934325&utmhn=camtasia-studio.ud.en.softonic.com&utmcs=utf-8&utmsr=1276x846&utmvp=650x450&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=Download and installation process for Camtasia Studio&utmhid=1826458754&utmr=http://unknown_browser_unknown_version&utmp=/C101361--load1&utmht=1416219835211&utmac=UA-152357-9&utmcc=__utma=74966784.1220658294.1416219831.1416219831.1416219831.1;+__utmz=74966784.1416219831.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmmt=1&utmu=qACgAAAAC~	173.194.116.192
hxxp://www.google-analytics.com/__utm.gif?utmwv=5.4.6&utms=1&utmn=1363540769&utmhn=camtasia-studio.ud.en.softonic.com&utmcs=utf-8&utmsr=1276x846&utmvp=650x450&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=Download and installation process for Camtasia Studio&utmhid=312431175&utmr=-&utmp=/17614/universaldownloader-prefetch?WL=1822&utmht=1416219830914&utmac=UA-48247475-1&utmcc=__utma=74966784.1220658294.1416219831.1416219831.1416219831.1;+__utmz=74966784.1416219831.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmmt=1&utmu=qAAg~	173.194.116.192
hxxp://js-agent.newrelic.com/nr-476.min.js	185.31.17.175
hxxp://www.google-analytics.com/analytics.js	173.194.116.192
hxxp://www.google-analytics.com/__utm.gif?utmwv=5.4.6&utms=3&utmn=514346309&utmhn=camtasia-studio.ud.en.softonic.com&utmcs=utf-8&utmsr=1276x846&utmvp=650x450&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=Download and installation process for Camtasia Studio&utmhid=1826458754&utmr=http://unknown_browser_unknown_version&utmp=/init_startup&utmht=1416219834554&utmac=UA-152357-9&utmcc=__utma=74966784.1220658294.1416219831.1416219831.1416219831.1;+__utmz=74966784.1416219831.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmmt=1&utmu=qACgAAAAC~	173.194.116.192
hxxp://www.google-analytics.com/collect?v=1&_v=j30&a=1826458754&t=pageview&_s=1&dl=http://camtasia-studio.ud.en.softonic.com/17614/universaldownloader/campaign-101361?WL=1822&sd_timestamp=1416219830&ul=en-us&de=utf-8&dt=Download and installation process for Camtasia Studio&sd=32-bit&sr=1276x846&vp=650x450&je=0&fl=11.6 r602&_utma=74966784.1220658294.1416219831.1416219831.1416219831.1&_utmz=74966784.1416219831.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)&_utmht=1416219833914&_u=MACCAEAAI~&jid=&cid=1220658294.1416219831&tid=UA-48247475-3&z=937265454	173.194.116.192
hxxp://www.google-analytics.com/__utm.gif?utmwv=5.4.6&utms=4&utmn=11233041&utmhn=camtasia-studio.ud.en.softonic.com&utmcs=utf-8&utmsr=1276x846&utmvp=650x450&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=Download and installation process for Camtasia Studio&utmhid=1826458754&utmr=http://unknown_browser_unknown_version&utmp=/start_api&utmht=1416219834586&utmac=UA-152357-9&utmcc=__utma=74966784.1220658294.1416219831.1416219831.1416219831.1;+__utmz=74966784.1416219831.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmmt=1&utmu=qACgAAAAC~	173.194.116.192
hxxp://www.google-analytics.com/r/collect?v=1&_v=j30&a=312431175&t=pageview&_s=1&dl=http://camtasia-studio.ud.en.softonic.com/17614/universaldownloader-prefetch?WL=1822&ul=en-us&de=utf-8&dt=Download and installation process for Camtasia Studio&sd=32-bit&sr=1276x846&vp=650x450&je=0&fl=11.6 r602&_utma=74966784.1220658294.1416219831.1416219831.1416219831.1&_utmz=74966784.1416219831.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)&_utmht=1416219832351&_u=MQACAEAAI~&jid=248504733&cid=1220658294.1416219831&tid=UA-48247475-3&_r=1&z=142078201	173.194.116.192
hxxp://www.google-analytics.com/__utm.gif?utmwv=5.4.6&utms=5&utmn=1891377921&utmhn=camtasia-studio.ud.en.softonic.com&utmcs=utf-8&utmsr=1276x846&utmvp=650x450&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=Download and installation process for Camtasia Studio&utmhid=1826458754&utmr=http://unknown_browser_unknown_version&utmp=/legal_start&utmht=1416219834742&utmac=UA-152357-9&utmcc=__utma=74966784.1220658294.1416219831.1416219831.1416219831.1;+__utmz=74966784.1416219831.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmmt=1&utmu=qACgAAAAC~	173.194.116.192
hxxp://www.google-analytics.com/__utm.gif?utmwv=5.4.6&utms=2&utmn=526057416&utmhn=camtasia-studio.ud.en.softonic.com&utmcs=utf-8&utmsr=1276x846&utmvp=650x450&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=Download and installation process for Camtasia Studio&utmhid=1826458754&utmr=-&utmp=/17614/universaldownloader/campaign-101361?WL=1822&sd_timestamp=1416219830&utmht=1416219834257&utmac=UA-48247475-1&utmcc=__utma=74966784.1220658294.1416219831.1416219831.1416219831.1;+__utmz=74966784.1416219831.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmmt=1&utmu=qAAg~	173.194.116.192
beacon-6.newrelic.com	50.31.164.192

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /nr-476.min.js HTTP/1.1

Accept: */*

Referer: hXXp://camtasia-studio.ud.en.softonic.com/17614/universaldownloader-prefetch?WL=1822

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C) SoftonicDownloader/1.41.6

Host: js-agent.newrelic.com

Connection: Keep-Alive

HTTP/1.1 200 OK

x-amz-id-2: 1vJhD1NqM HeRrKsyg gCCM8QI4bTFgxvzXCnikkrpQExiTHNXNX3pxJxU8sp4Bm0/ZGQetuc7g=

x-amz-request-id: 4A65EB4E9546E826

Cache-Control: public, max-age=315360000

Expires: Thu, 31 Dec 2037 23:55:55 GMT

Last-Modified: Tue, 30 Sep 2014 18:19:08 GMT

ETag: "d131658362c40cedda15546bb81e9644"

Content-Type: application/javascript

Server: AmazonS3

Content-Length: 18146

Accept-Ranges: bytes

Date: Mon, 17 Nov 2014 10:22:27 GMT

Via: 1.1 varnish

Age: 1180379

Connection: keep-alive

X-Served-By: cache-fra1240-FRA

X-Cache: HIT

X-Cache-Hits: 24595

X-Timer: S1416219747.382060766,VS0,VE0

Vary: Accept-Encoding
!function(n,e,t){function r(t,i){if(!e[t]){if(!n[t]){var u="function"=
=typeof __nr_require&&__nr_require;if(!i&&u)return u(t,!0);if(o)return
 o(t,!0);throw new Error("Cannot find module '" t "'")}var a=e[t]={exp
orts:{}};n[t][0].call(a.exports,function(e){var o=n[t][1][e];return r(
o?o:e)},a,a.exports)}return e[t].exports}for(var o="function"==typeof 
__nr_require&&__nr_require,i=0;i<t.length;i  )r(t[i]);return r}({1:
[function(n,e){e.exports=function(n,e){return"addEventListener"in wind
ow?addEventListener(n,e,!1):"attachEvent"in window?attachEvent("on" n,
e):void 0}},{}],2:[function(n,e){function t(n,e,t,o){l("bstAgg",[n,e,t
,o]),m[n]||(m[n]={});var i=m[n][e];return i||(m[n][e]=i={params:t||{}}
),i.metrics=r(o,i.metrics),i}function r(n,e){return e||(e={count:0}),e
.count =1,c(n,function(n,t){e[n]=o(t,e[n])}),e}function o(n,e){return 
e?(e&&!e.c&&(e={t:e.t,min:e.t,max:e.t,sos:e.t*e.t,c:1}),e.c =1,e.t =n,
e.sos =n*n,n>e.max&&(e.max=n),n<e.min&&(e.min=n),e):{t:n}}functi
on i(n,e){return e?m[n]&&m[n][e]:m[n]}function u(n){for(var e,t={},r="
",o=0;o<n.length;o  )r=n[o],t[r]=a(m[r]),t[r].length&&(e=!0),delete
 m[r];return e?t:null}function a(n){return"object"!=typeof n?[]:c(n,fu
nction(n,e){return e})}function s(n,e){"undefined"==typeof e&&(e=(new 
Date).getTime()),p[n]=e}function f(n,e,r){var o=p[e],i=p[r];"undefined
"!=typeof o&&"undefined"!=typeof i&&t("measures",n,{value:i-o})}var c=
n(1),l=n("handle"),d=n(2),m={},p={};e.exports={store:t,take:u,get:i,ma
rk:s,measure:f},setTimeout(function(){d("bstAgg",function(){})},1e
<<< skipped >>>

GET /nr-476.min.js HTTP/1.1

Accept: */*

Referer: hXXp://camtasia-studio.ud.en.softonic.com/17614/universaldownloader/campaign-101361?WL=1822&sd_timestamp=1416219830

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C) SoftonicDownloader/1.41.6

Host: js-agent.newrelic.com

Connection: Keep-Alive

HTTP/1.1 200 OK

x-amz-id-2: 1vJhD1NqM HeRrKsyg gCCM8QI4bTFgxvzXCnikkrpQExiTHNXNX3pxJxU8sp4Bm0/ZGQetuc7g=

x-amz-request-id: 4A65EB4E9546E826

Cache-Control: public, max-age=315360000

Expires: Thu, 31 Dec 2037 23:55:55 GMT

Last-Modified: Tue, 30 Sep 2014 18:19:08 GMT

ETag: "d131658362c40cedda15546bb81e9644"

Content-Type: application/javascript

Server: AmazonS3

Content-Length: 18146

Accept-Ranges: bytes

Date: Mon, 17 Nov 2014 10:22:30 GMT

Via: 1.1 varnish

Age: 1180382

Connection: keep-alive

X-Served-By: cache-fra1240-FRA

X-Cache: HIT

X-Cache-Hits: 24601

X-Timer: S1416219750.915556669,VS0,VE0

Vary: Accept-Encoding
!function(n,e,t){function r(t,i){if(!e[t]){if(!n[t]){var u="function"=
=typeof __nr_require&&__nr_require;if(!i&&u)return u(t,!0);if(o)return
 o(t,!0);throw new Error("Cannot find module '" t "'")}var a=e[t]={exp
orts:{}};n[t][0].call(a.exports,function(e){var o=n[t][1][e];return r(
o?o:e)},a,a.exports)}return e[t].exports}for(var o="function"==typeof 
__nr_require&&__nr_require,i=0;i<t.length;i  )r(t[i]);return r}({1:
[function(n,e){e.exports=function(n,e){return"addEventListener"in wind
ow?addEventListener(n,e,!1):"attachEvent"in window?attachEvent("on" n,
e):void 0}},{}],2:[function(n,e){function t(n,e,t,o){l("bstAgg",[n,e,t
,o]),m[n]||(m[n]={});var i=m[n][e];return i||(m[n][e]=i={params:t||{}}
),i.metrics=r(o,i.metrics),i}function r(n,e){return e||(e={count:0}),e
.count =1,c(n,function(n,t){e[n]=o(t,e[n])}),e}function o(n,e){return 
e?(e&&!e.c&&(e={t:e.t,min:e.t,max:e.t,sos:e.t*e.t,c:1}),e.c =1,e.t =n,
e.sos =n*n,n>e.max&&(e.max=n),n<e.min&&(e.min=n),e):{t:n}}functi
on i(n,e){return e?m[n]&&m[n][e]:m[n]}function u(n){for(var e,t={},r="
",o=0;o<n.length;o  )r=n[o],t[r]=a(m[r]),t[r].length&&(e=!0),delete
 m[r];return e?t:null}function a(n){return"object"!=typeof n?[]:c(n,fu
nction(n,e){return e})}function s(n,e){"undefined"==typeof e&&(e=(new 
Date).getTime()),p[n]=e}function f(n,e,r){var o=p[e],i=p[r];"undefined
"!=typeof o&&"undefined"!=typeof i&&t("measures",n,{value:i-o})}var c=
n(1),l=n("handle"),d=n(2),m={},p={};e.exports={store:t,take:u,get:i,ma
rk:s,measure:f},setTimeout(function(){d("bstAgg",function(){})},1e
<<< skipped >>>

GET /analytics.js HTTP/1.1

Accept: */*

Referer: hXXp://camtasia-studio.ud.en.softonic.com/17614/universaldownloader-prefetch?WL=1822

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C) SoftonicDownloader/1.41.6

Host: VVV.google-analytics.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Mon, 17 Nov 2014 08:26:57 GMT

Expires: Mon, 17 Nov 2014 10:26:57 GMT

Last-Modified: Fri, 03 Oct 2014 00:48:42 GMT

X-Content-Type-Options: nosniff

Content-Type: text/javascript

Vary: Accept-Encoding

Content-Encoding: gzip

Server: Golfe2

Content-Length: 11181

Age: 6928

Cache-Control: public, max-age=7200

Alternate-Protocol: 80:quic,p=0.01
...........}iW.J..w~..........c.x..$$aH.l..R.0..vd.!......U%.....n....
..=....L.*O..?......Q2PC.||..lx>...A.N..t..."..8.?...p..A.'...kb.P.
R..M...l.(..,9..iQ.D..........w*..d..*.....2..8..s..SO\!....'~........
.SY".d...c..H5....<K.I..4J....H....(..b.~.........z"C.S9>...f.Q.
....4.h...I.@f4...#..C5.....0aO.a.R.._"9......'c.:....G^..`N..~J..0...
,E2.<.zru.&S.......O.?A.E...]c.......v<....}.Q....9......e....3.
.>.=(J.J..).^`0.x....<1...E...0..G.r$3...).....9L1.].=|;.L.gr.x-
...........:.V~..ClTTd.\.N....S...U*..3.*..,TTo.-....T........qg....(.
....h..{ckK..Q...L..k!F........./_..~.vo........?}......V.w..<.....
_.8.\\^]..7.76.>...?.?.P..l;.....z...=..........M.%...ep3...HU2.P..
.9..E....EYb.............L^wQ...;..a><...<....zA../Y..x1L.b})
.  ..-_.j8.q.(......1...Wi#...z.I*.W..U.nd[v......s<>...n..H-...
.jz^Y...]..G...)?XYol...x....b.f..@.>... .AG....5v6..oBX..3..9V{...
.sL.....1Q..S..N.3..bO ........[MO|).S,..(...6?p..b.......T6...!..Y.c.
.._..=.....L.f...m..B..........;.....8O.I............s.N9{ee...p.k(.L.
.g?.n0....TL...Z.Yr>.H.;..j.oP.:....Y..U....>..fS......Q.}U!a.Q.
.|....6..r|=P.=H.mV!XI.dLG{!...1....do...l.S..t.c......O........{..8..
O...w...q.x..y...t....D.r... ..W......C5......x...ob. ..z...'I.%Y.....
{m7........P...;.-t..V..,oL......(R....7..Q.h.................]G%nU..R
...."".  .I...t.i.P=4..#.....8....... <Oq8.R.!b.].~.l.V.f...k3..\..
.6 [email protected]..........@49.&.q..0......P..j..._ex.....q.-/1z.:Gj..'.>
.B-..U;#...6.:X..D.M.^.m....U.U[.&.....f..M...LS%.....r...1...k...
<<< skipped >>>

GET /collect?v=1&_v=j30&a=1826458754&t=pageview&_s=1&dl=http://camtasia-studio.ud.en.softonic.com/17614/universaldownloader/campaign-101361?WL=1822&sd_timestamp=1416219830&ul=en-us&de=utf-8&dt=Download and installation process for Camtasia Studio&sd=32-bit&sr=1276x846&vp=650x450&je=0&fl=11.6 r602&_utma=74966784.1220658294.1416219831.1416219831.1416219831.1&_utmz=74966784.1416219831.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)&_utmht=1416219833914&_u=MACCAEAAI~&jid=&cid=1220658294.1416219831&tid=UA-48247475-3&z=937265454 HTTP/1.1

Accept: */*

Referer: hXXp://camtasia-studio.ud.en.softonic.com/17614/universaldownloader/campaign-101361?WL=1822&sd_timestamp=1416219830

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C) SoftonicDownloader/1.41.6

Host: VVV.google-analytics.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Pragma: no-cache

Expires: Mon, 07 Aug 1995 23:30:00 GMT

Access-Control-Allow-Origin: *

Last-Modified: Sun, 17 May 1998 03:00:00 GMT

X-Content-Type-Options: nosniff

Content-Type: image/gif

Date: Thu, 13 Nov 2014 10:23:29 GMT

Server: Golfe2

Content-Length: 35

Cache-Control: private, no-cache, no-cache=Set-Cookie, proxy-revalidate

Age: 345539

Alternate-Protocol: 80:quic,p=0.01
GIF89a.............,...........D..;HTTP/1.1 200 OK..Pragma: no-cache..
Expires: Mon, 07 Aug 1995 23:30:00 GMT..Access-Control-Allow-Origin: *
..Last-Modified: Sun, 17 May 1998 03:00:00 GMT..X-Content-Type-Options
: nosniff..Content-Type: image/gif..Date: Thu, 13 Nov 2014 10:23:29 GM
T..Server: Golfe2..Content-Length: 35..Cache-Control: private, no-cach
e, no-cache=Set-Cookie, proxy-revalidate..Age: 345539..Alternate-Proto
col: 80:quic,p=0.01..GIF89a.............,...........D..;....


GET /__utm.gif?utmwv=5.4.6&utms=3&utmn=514346309&utmhn=camtasia-studio.ud.en.softonic.com&utmcs=utf-8&utmsr=1276x846&utmvp=650x450&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=Download and installation process for Camtasia Studio&utmhid=1826458754&utmr=http://unknown_browser_unknown_version&utmp=/init_startup&utmht=1416219834554&utmac=UA-152357-9&utmcc=__utma=74966784.1220658294.1416219831.1416219831.1416219831.1;+__utmz=74966784.1416219831.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmmt=1&utmu=qACgAAAAC~ HTTP/1.1

Accept: */*

Referer: hXXp://camtasia-studio.ud.en.softonic.com/17614/universaldownloader/campaign-101361?WL=1822&sd_timestamp=1416219830

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C) SoftonicDownloader/1.41.6

Host: VVV.google-analytics.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Pragma: no-cache

Expires: Wed, 19 Apr 2000 11:43:00 GMT

Last-Modified: Wed, 21 Jan 2004 19:51:30 GMT

X-Content-Type-Options: nosniff

Content-Type: image/gif

Date: Thu, 13 Nov 2014 10:23:29 GMT

Server: Golfe2

Content-Length: 35

Cache-Control: private, no-cache, no-cache=Set-Cookie, proxy-revalidate

Age: 345540

Alternate-Protocol: 80:quic,p=0.01
GIF89a.............,...........D..;HTTP/1.1 200 OK..Pragma: no-cache..
Expires: Wed, 19 Apr 2000 11:43:00 GMT..Last-Modified: Wed, 21 Jan 200
4 19:51:30 GMT..X-Content-Type-Options: nosniff..Content-Type: image/g
if..Date: Thu, 13 Nov 2014 10:23:29 GMT..Server: Golfe2..Content-Lengt
h: 35..Cache-Control: private, no-cache, no-cache=Set-Cookie, proxy-re
validate..Age: 345540..Alternate-Protocol: 80:quic,p=0.01..GIF89a.....
........,...........D..;....


GET /__utm.gif?utmwv=5.4.6&utms=5&utmn=1891377921&utmhn=camtasia-studio.ud.en.softonic.com&utmcs=utf-8&utmsr=1276x846&utmvp=650x450&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=Download and installation process for Camtasia Studio&utmhid=1826458754&utmr=http://unknown_browser_unknown_version&utmp=/legal_start&utmht=1416219834742&utmac=UA-152357-9&utmcc=__utma=74966784.1220658294.1416219831.1416219831.1416219831.1;+__utmz=74966784.1416219831.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmmt=1&utmu=qACgAAAAC~ HTTP/1.1

Accept: */*

Referer: hXXp://camtasia-studio.ud.en.softonic.com/17614/universaldownloader/campaign-101361?WL=1822&sd_timestamp=1416219830

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C) SoftonicDownloader/1.41.6

Host: VVV.google-analytics.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Pragma: no-cache

Expires: Wed, 19 Apr 2000 11:43:00 GMT

Last-Modified: Wed, 21 Jan 2004 19:51:30 GMT

X-Content-Type-Options: nosniff

Content-Type: image/gif

Date: Thu, 13 Nov 2014 10:23:29 GMT

Server: Golfe2

Content-Length: 35

Cache-Control: private, no-cache, no-cache=Set-Cookie, proxy-revalidate

Age: 345540

Alternate-Protocol: 80:quic,p=0.01
GIF89a.............,...........D..;HTTP/1.1 200 OK..Pragma: no-cache..
Expires: Wed, 19 Apr 2000 11:43:00 GMT..Last-Modified: Wed, 21 Jan 200
4 19:51:30 GMT..X-Content-Type-Options: nosniff..Content-Type: image/g
if..Date: Thu, 13 Nov 2014 10:23:29 GMT..Server: Golfe2..Content-Lengt
h: 35..Cache-Control: private, no-cache, no-cache=Set-Cookie, proxy-re
validate..Age: 345540..Alternate-Protocol: 80:quic,p=0.01..GIF89a.....
........,...........D..;....


GET /__utm.gif?utmwv=5.4.6&utms=7&utmn=1837934325&utmhn=camtasia-studio.ud.en.softonic.com&utmcs=utf-8&utmsr=1276x846&utmvp=650x450&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=Download and installation process for Camtasia Studio&utmhid=1826458754&utmr=http://unknown_browser_unknown_version&utmp=/C101361--load1&utmht=1416219835211&utmac=UA-152357-9&utmcc=__utma=74966784.1220658294.1416219831.1416219831.1416219831.1;+__utmz=74966784.1416219831.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmmt=1&utmu=qACgAAAAC~ HTTP/1.1

Accept: */*

Referer: hXXp://camtasia-studio.ud.en.softonic.com/17614/universaldownloader/campaign-101361?WL=1822&sd_timestamp=1416219830

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C) SoftonicDownloader/1.41.6

Host: VVV.google-analytics.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Pragma: no-cache

Expires: Wed, 19 Apr 2000 11:43:00 GMT

Last-Modified: Wed, 21 Jan 2004 19:51:30 GMT

X-Content-Type-Options: nosniff

Content-Type: image/gif

Date: Thu, 13 Nov 2014 10:23:29 GMT

Server: Golfe2

Content-Length: 35

Cache-Control: private, no-cache, no-cache=Set-Cookie, proxy-revalidate

Age: 345541

Alternate-Protocol: 80:quic,p=0.01
GIF89a.............,...........D..;HTTP/1.1 200 OK..Pragma: no-cache..
Expires: Wed, 19 Apr 2000 11:43:00 GMT..Last-Modified: Wed, 21 Jan 200
4 19:51:30 GMT..X-Content-Type-Options: nosniff..Content-Type: image/g
if..Date: Thu, 13 Nov 2014 10:23:29 GMT..Server: Golfe2..Content-Lengt
h: 35..Cache-Control: private, no-cache, no-cache=Set-Cookie, proxy-re
validate..Age: 345541..Alternate-Protocol: 80:quic,p=0.01..GIF89a.....
........,...........D..;..

GET /en/scrn/17000/17614/camtasia-studio-25.png HTTP/1.1

Accept: */*

Referer: hXXp://camtasia-studio.ud.en.softonic.com/17614/universaldownloader/campaign-101361?WL=1822&sd_timestamp=1416219830

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C) SoftonicDownloader/1.41.6

Host: screenshots.en.sftcdn.net

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: Apache

Last-Modified: Wed, 31 Mar 2010 10:52:46 GMT

Cache-Control: max-age=172800

Content-Type: image/png

Content-Length: 15892

Accept-Ranges: bytes

Date: Mon, 17 Nov 2014 10:22:28 GMT

Connection: keep-alive

Age: 0

X-Served-By: screenshots

X-Cache: HIT

X-Cache-Hits: 50326

Expires: Wed, 19 Nov 2014 10:22:28 GMT
.PNG........IHDR...d...d.....p..T....gAMA....7.......bKGD.............
.pHYs...H...H.F.k>....vpAg...d...d..&^...<.IDATx...y.d.}..9...o.
..y.....`!.E.)..-9.J.X).d%)..'N..;.T..S....U\........[.......J.... .$.
..`0....[._.w;K....2....$....................9..B.q..c......W...g.f..%
IB.e.?..V.1.......lss...p.......wl.ON/x...c`..........K..n...!.O~...GQ
.....c._......!...9..N....'.|..t:......._L...........G.!.}&..<..s..
.P........^........j..R6.........d2y........../..%(......%..M!..H..q.P
...?..g~..~.?.t:...y]!.R...N......#..............[..o..2J`.N.r.....r..
jaa.............?.w|._.{y...../.$In......._.......x..0s.....g........}
.K_..VWW..R.{7 * ....-..{~k-Z...._.......... .r....(wkPp.E}....../.._]
^^.O.R._....c..s.c.{.........._wwwG..d.Q..>..........?.../.........
[N|.C...B,..~.c..X.g~.g..H5..e.......... ..C.<...........1..lll|...
.K.......V)..].....   ./}.K....#.....6vww_}..G.L...,.... .b]......?.'.
..........#........q..E....>z.....6........a.;...j..J..$.dn........
[email protected]...;....>.....S?...GUX.I.T..8g... C.A....p.. ...
=.Ns..%s.....g?.=......Z..k...P.Mp....o..0..|.s....O>....(@H...O<
;..bC.<C.Ct/@.!.........38w...P..U...:...o........?|7 .;..l........
g.8..b.<..........g0.u..W....j.Da9.8.-_P..B..zFafH!..e.......>..
...[[email protected]. ^....G.]@...a...\.m..6.s.]_....@. ........;..
.`....lR....)...u.. .@)Q.K..F......z9A..q..a...u...P.....j.".....^."ry
..q.....wp.M.}.ox..{...b..3...Lu...(/2.)06C..m2.N06...cR..)=..(....Q.K
Q./. I..'....>..B.w_....9.k....H'}i..!...x.>.].l.`.. ..../ z
<<< skipped >>>

GET /campaign/scrn/101000/101361/sd_101361_93215.jpeg HTTP/1.1

Accept: */*

Referer: hXXp://camtasia-studio.ud.en.softonic.com/17614/universaldownloader/campaign-101361?WL=1822&sd_timestamp=1416219830

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C) SoftonicDownloader/1.41.6

Host: screenshots.en.sftcdn.net

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: Apache

Last-Modified: Fri, 26 Sep 2014 09:59:18 GMT

Cache-Control: max-age=172800

Content-Type: image/jpeg

Content-Length: 56526

Accept-Ranges: bytes

Date: Mon, 17 Nov 2014 10:22:28 GMT

Connection: keep-alive

Age: 0

X-Served-By: screenshots

X-Cache: HIT

X-Cache-Hits: 2064160

Expires: Wed, 19 Nov 2014 10:22:28 GMT
......JFIF.....H.H......Exif..II*................/hXXp://ns.adobe.com/
xap/1.0/.<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> &
lt;x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c021
 79.155772, 2014/01/13-19:44:00        "> <rdf:RDF xmlns:rdf="ht
tp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf
:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http:/
/ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sT
ype/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CC 2014 (Windows)" 
xmpMM:InstanceID="xmp.iid:E9B6868444B411E4BE19CC72E601FB12" xmpMM:Docu
mentID="xmp.did:E9B6868544B411E4BE19CC72E601FB12"> <xmpMM:Derive
dFrom stRef:instanceID="xmp.iid:E9B6868244B411E4BE19CC72E601FB12" stRe
f:documentID="xmp.did:E9B6868344B411E4BE19CC72E601FB12"/> </rdf:
Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="
r"?>...C...........................................................
.........C............................................................
..........................................................]...........
................!1..."AQ2a.Bq......#R..3b.$r..4CSst.....Xcu...&'(9v.
.DTWe......................................C..........................
!"1..2ABQaqR...#3...br..C....$%S.456c..............?...........4.M.m..
...i......f...u..BS..$..z.w...: ..zE..uerP?.l..W%.....#.<.Rg..q..~~
qw..k.`......u..N...Y....~.V....i_k.....Z.S.*.^.\7.......>bj.....-k
...kk....Mi. ...\...y.E*.l..N.|...^q.>....YQJ.-...:...l.u......
<<< skipped >>>

GET /__utm.gif?utmwv=5.4.6&utms=1&utmn=1363540769&utmhn=camtasia-studio.ud.en.softonic.com&utmcs=utf-8&utmsr=1276x846&utmvp=650x450&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=Download and installation process for Camtasia Studio&utmhid=312431175&utmr=-&utmp=/17614/universaldownloader-prefetch?WL=1822&utmht=1416219830914&utmac=UA-48247475-1&utmcc=__utma=74966784.1220658294.1416219831.1416219831.1416219831.1;+__utmz=74966784.1416219831.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmmt=1&utmu=qAAg~ HTTP/1.1

Accept: */*

Referer: hXXp://camtasia-studio.ud.en.softonic.com/17614/universaldownloader-prefetch?WL=1822

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C) SoftonicDownloader/1.41.6

Host: VVV.google-analytics.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Pragma: no-cache

Expires: Wed, 19 Apr 2000 11:43:00 GMT

Last-Modified: Wed, 21 Jan 2004 19:51:30 GMT

X-Content-Type-Options: nosniff

Content-Type: image/gif

Date: Thu, 13 Nov 2014 10:23:27 GMT

Server: Golfe2

Content-Length: 35

Cache-Control: private, no-cache, no-cache=Set-Cookie, proxy-revalidate

Age: 345539

Alternate-Protocol: 80:quic,p=0.01
GIF89a.............,...........D..;HTTP/1.1 200 OK..Pragma: no-cache..
Expires: Wed, 19 Apr 2000 11:43:00 GMT..Last-Modified: Wed, 21 Jan 200
4 19:51:30 GMT..X-Content-Type-Options: nosniff..Content-Type: image/g
if..Date: Thu, 13 Nov 2014 10:23:27 GMT..Server: Golfe2..Content-Lengt
h: 35..Cache-Control: private, no-cache, no-cache=Set-Cookie, proxy-re
validate..Age: 345539..Alternate-Protocol: 80:quic,p=0.01..GIF89a.....
........,...........D..;....


GET /r/collect?v=1&_v=j30&a=312431175&t=pageview&_s=1&dl=http://camtasia-studio.ud.en.softonic.com/17614/universaldownloader-prefetch?WL=1822&ul=en-us&de=utf-8&dt=Download and installation process for Camtasia Studio&sd=32-bit&sr=1276x846&vp=650x450&je=0&fl=11.6 r602&_utma=74966784.1220658294.1416219831.1416219831.1416219831.1&_utmz=74966784.1416219831.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)&_utmht=1416219832351&_u=MQACAEAAI~&jid=248504733&cid=1220658294.1416219831&tid=UA-48247475-3&_r=1&z=142078201 HTTP/1.1

Accept: */*

Referer: hXXp://camtasia-studio.ud.en.softonic.com/17614/universaldownloader-prefetch?WL=1822

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C) SoftonicDownloader/1.41.6

Host: VVV.google-analytics.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Access-Control-Allow-Origin: *

Date: Mon, 17 Nov 2014 10:22:27 GMT

Pragma: no-cache

Expires: Fri, 01 Jan 1990 00:00:00 GMT

Cache-Control: no-cache, no-store, must-revalidate

Last-Modified: Sun, 17 May 1998 03:00:00 GMT

X-Content-Type-Options: nosniff

Content-Type: image/gif

Server: Golfe2

Content-Length: 35

Alternate-Protocol: 80:quic,p=0.01
GIF89a.............,...........D..;HTTP/1.1 200 OK..Access-Control-All
ow-Origin: *..Date: Mon, 17 Nov 2014 10:22:27 GMT..Pragma: no-cache..E
xpires: Fri, 01 Jan 1990 00:00:00 GMT..Cache-Control: no-cache, no-sto
re, must-revalidate..Last-Modified: Sun, 17 May 1998 03:00:00 GMT..X-C
ontent-Type-Options: nosniff..Content-Type: image/gif..Server: Golfe2.
.Content-Length: 35..Alternate-Protocol: 80:quic,p=0.01..GIF89a.......
......,...........D..;....


GET /__utm.gif?utmwv=5.4.6&utms=2&utmn=526057416&utmhn=camtasia-studio.ud.en.softonic.com&utmcs=utf-8&utmsr=1276x846&utmvp=650x450&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=Download and installation process for Camtasia Studio&utmhid=1826458754&utmr=-&utmp=/17614/universaldownloader/campaign-101361?WL=1822&sd_timestamp=1416219830&utmht=1416219834257&utmac=UA-48247475-1&utmcc=__utma=74966784.1220658294.1416219831.1416219831.1416219831.1;+__utmz=74966784.1416219831.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmmt=1&utmu=qAAg~ HTTP/1.1

Accept: */*

Referer: hXXp://camtasia-studio.ud.en.softonic.com/17614/universaldownloader/campaign-101361?WL=1822&sd_timestamp=1416219830

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C) SoftonicDownloader/1.41.6

Host: VVV.google-analytics.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Pragma: no-cache

Expires: Wed, 19 Apr 2000 11:43:00 GMT

Last-Modified: Wed, 21 Jan 2004 19:51:30 GMT

X-Content-Type-Options: nosniff

Content-Type: image/gif

Date: Thu, 13 Nov 2014 10:23:27 GMT

Server: Golfe2

Content-Length: 35

Cache-Control: private, no-cache, no-cache=Set-Cookie, proxy-revalidate

Age: 345542

Alternate-Protocol: 80:quic,p=0.01
GIF89a.............,...........D..;HTTP/1.1 200 OK..Pragma: no-cache..
Expires: Wed, 19 Apr 2000 11:43:00 GMT..Last-Modified: Wed, 21 Jan 200
4 19:51:30 GMT..X-Content-Type-Options: nosniff..Content-Type: image/g
if..Date: Thu, 13 Nov 2014 10:23:27 GMT..Server: Golfe2..Content-Lengt
h: 35..Cache-Control: private, no-cache, no-cache=Set-Cookie, proxy-re
validate..Age: 345542..Alternate-Protocol: 80:quic,p=0.01..GIF89a.....
........,...........D..;....


GET /__utm.gif?utmwv=5.4.6&utms=4&utmn=11233041&utmhn=camtasia-studio.ud.en.softonic.com&utmcs=utf-8&utmsr=1276x846&utmvp=650x450&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=Download and installation process for Camtasia Studio&utmhid=1826458754&utmr=http://unknown_browser_unknown_version&utmp=/start_api&utmht=1416219834586&utmac=UA-152357-9&utmcc=__utma=74966784.1220658294.1416219831.1416219831.1416219831.1;+__utmz=74966784.1416219831.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmmt=1&utmu=qACgAAAAC~ HTTP/1.1

Accept: */*

Referer: hXXp://camtasia-studio.ud.en.softonic.com/17614/universaldownloader/campaign-101361?WL=1822&sd_timestamp=1416219830

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C) SoftonicDownloader/1.41.6

Host: VVV.google-analytics.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Pragma: no-cache

Expires: Wed, 19 Apr 2000 11:43:00 GMT

Last-Modified: Wed, 21 Jan 2004 19:51:30 GMT

X-Content-Type-Options: nosniff

Content-Type: image/gif

Date: Thu, 13 Nov 2014 10:23:27 GMT

Server: Golfe2

Content-Length: 35

Cache-Control: private, no-cache, no-cache=Set-Cookie, proxy-revalidate

Age: 345542

Alternate-Protocol: 80:quic,p=0.01
GIF89a.............,...........D..;HTTP/1.1 200 OK..Pragma: no-cache..
Expires: Wed, 19 Apr 2000 11:43:00 GMT..Last-Modified: Wed, 21 Jan 200
4 19:51:30 GMT..X-Content-Type-Options: nosniff..Content-Type: image/g
if..Date: Thu, 13 Nov 2014 10:23:27 GMT..Server: Golfe2..Content-Lengt
h: 35..Cache-Control: private, no-cache, no-cache=Set-Cookie, proxy-re
validate..Age: 345542..Alternate-Protocol: 80:quic,p=0.01..GIF89a.....
........,...........D..;....


GET /__utm.gif?utmwv=5.4.6&utms=6&utmn=760046469&utmhn=camtasia-studio.ud.en.softonic.com&utmcs=utf-8&utmsr=1276x846&utmvp=650x450&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=Download and installation process for Camtasia Studio&utmhid=1826458754&utmr=http://unknown_browser_unknown_version&utmp=/legal_timestamp&utmht=1416219834992&utmac=UA-152357-9&utmcc=__utma=74966784.1220658294.1416219831.1416219831.1416219831.1;+__utmz=74966784.1416219831.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmmt=1&utmu=qACgAAAAC~ HTTP/1.1

Accept: */*

Referer: hXXp://camtasia-studio.ud.en.softonic.com/17614/universaldownloader/campaign-101361?WL=1822&sd_timestamp=1416219830

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C) SoftonicDownloader/1.41.6

Host: VVV.google-analytics.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Pragma: no-cache

Expires: Wed, 19 Apr 2000 11:43:00 GMT

Last-Modified: Wed, 21 Jan 2004 19:51:30 GMT

X-Content-Type-Options: nosniff

Content-Type: image/gif

Date: Thu, 13 Nov 2014 10:23:27 GMT

Server: Golfe2

Content-Length: 35

Cache-Control: private, no-cache, no-cache=Set-Cookie, proxy-revalidate

Age: 345543

Alternate-Protocol: 80:quic,p=0.01
GIF89a.............,...........D..;HTTP/1.1 200 OK..Pragma: no-cache..
Expires: Wed, 19 Apr 2000 11:43:00 GMT..Last-Modified: Wed, 21 Jan 200
4 19:51:30 GMT..X-Content-Type-Options: nosniff..Content-Type: image/g
if..Date: Thu, 13 Nov 2014 10:23:27 GMT..Server: Golfe2..Content-Lengt
h: 35..Cache-Control: private, no-cache, no-cache=Set-Cookie, proxy-re
validate..Age: 345543..Alternate-Protocol: 80:quic,p=0.01..GIF89a.....
........,...........D..;..

GET /blank.gif?product=st_activity&event=window:app:loaded&id_session=419BBAB6-DD91-41E7-B3C5-625C565ECAB1¶ms={"api_version":"1.41.6","country":"us","flavour":"3","id_file":"17614","machine_id":"a8a67a25000000000000000c29ac6398","os":"[OS:2600,5,1,2,1,256,3,0,Service Pack 3]","ts":"1416219828","url":"hXXp://camtasia-studio.ud.en.softonic.com/17614/universaldownloader-prefetch?WL=1822","user_agent":"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C) SoftonicDownloader/1.41.6"}
 HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C) SoftonicDownloader/1.41.6

Host: softonic-analytics.net

Accept: */*

HTTP/1.1 200 OK

Date: Mon, 17 Nov 2014 10:22:24 GMT

Server: Apache

Set-Cookie: softonic_analytics-admin=deleted; expires=Sun, 17-Nov-2013 10:22:23 GMT; path=/; domain=softonic-analytics.net

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Cache-control: max-age=0, must-revalidate

Pragma: no-cache

Content-Length: 35

Connection: close

Content-Type: image/gif
GIF89a.............,...........D..;..

GET /css/generated/fad58-0b1e4.css HTTP/1.1

Accept: */*

Referer: hXXp://camtasia-studio.ud.en.softonic.com/17614/universaldownloader/campaign-101361?WL=1822&sd_timestamp=1416219830

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C) SoftonicDownloader/1.41.6

Host: camtasia-studio.ud.en.softonic.com

Connection: Keep-Alive

Cookie: __utma=74966784.1220658294.1416219831.1416219831.1416219831.1; __utmb=74966784.1.10.1416219831; __utmc=74966784; __utmz=74966784.1416219831.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); UACR_17614=false; UACA_17614=false; UD1_POSITION_17614=; NREUM=s=1416219832664&r=322484&p=0; _FCen=101361|1|1416219832.100516||; _ga=GA1.2.1220658294.1416219831; _gat=1

HTTP/1.1 200 OK

Date: Mon, 17 Nov 2014 10:22:28 GMT

Server: Apache

Last-Modified: Tue, 11 Nov 2014 15:01:39 GMT

Accept-Ranges: bytes

Cache-Control: max-age=2592000

Expires: Wed, 17 Dec 2014 10:22:28 GMT

Vary: Accept-Encoding

Content-Encoding: gzip

Content-Length: 5341

Keep-Alive: timeout=3, max=10

Connection: Keep-Alive

Content-Type: text/css
...........<i...q.. .y..= 5...6.g...... H..E.$f(.KR........X}P.{...
.. Q.U...u7...I...xw.......>~........D.2.....HK.5.... )=VEF....~...
......]...Y.9..0..,..EX.a...$<...$<N..,<......jN.>.E.(...&
gt;waG.t..$..]Q..~9W...c.eb..D.C^..MM.,/..S..4:..p.....r.....].0j..*.R
.t.>l..mMR..Z ...K._{[email protected].\.U.Em.R.u..G..
..,.....)..R.m?..W..;^...).C.....:..x._.:...>$..w.q........ìh....
.Jv.&$iS./.~..=.2.dy.6.E.E.$....R.;`3.a...s{.N...|..1J.J.}....n.n.`...
.-.7|.zWu.....wy.w/.c.e...i.....@..?.....?|.......&/.mQ..pT....?.G....
.................uTV......<....E?3....bt2A._-.....U.......C.E..m.^.
......C..............G.~z...0|.....^...4.\.p.........k.......i...9...I
...l..6..<.....I|-.BAv..2/.;H.o.<...y..y......D .1..$........HI.
..8.L.U..d|w...Q.q.K..,...Dm...<%...'...;..0...O1./....)'....=.....
{....a|J?../...x..,.......vLK.\.G.....=;S...$..I~.&M..$.ty.d..A...Z. r
c.....'.#.|..3..~....N..B..U.#z.ZQ.>}..$U. . ..?.._...H...T.2[...w.
>..d..#....l..9;..[.K::........H..S.....ZS..O..g.t..#.B.O.%WI...M..
......X.vsJ..*...t....[.....p)l..oZa"..b.)....A..%..!..&`.c..7...b.g..
.!'q....#.BX.K&....f.g..l.U.....RK ...Yj..R..<xb........ij..u..zQ.H
.E... Q...%I...C.;[email protected]{........=.-.meS.Hi./
r.....:q..<..Y8S....e.q.U.h....v,.;..JK.F...z...d.....!2?..X.m$N8Y.
..90...v.. ....O.c.pf".k........6...U5.^....8.......ef|?V..."...F\9JF.
9#.1....)......2...x....7......x.ISZwr..ec.......8I...C..Yj...#:].`...
;Q.s...$@@..N.X.3j.8......hF,=.F.q....K<..&I.......T..K..I.....
<<< skipped >>>

GET /shared/img/sd_client/loading.gif HTTP/1.1

Accept: */*

Referer: hXXp://camtasia-studio.ud.en.softonic.com/17614/universaldownloader/campaign-101361?WL=1822&sd_timestamp=1416219830

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C) SoftonicDownloader/1.41.6

Host: camtasia-studio.ud.en.softonic.com

Connection: Keep-Alive

Cookie: __utma=74966784.1220658294.1416219831.1416219831.1416219831.1; __utmb=74966784.1.10.1416219831; __utmc=74966784; __utmz=74966784.1416219831.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); UACR_17614=false; UACA_17614=false; UD1_POSITION_17614=; NREUM=s=1416219832664&r=322484&p=0; _FCen=101361|1|1416219832.100516||; _ga=GA1.2.1220658294.1416219831; _gat=1

HTTP/1.1 200 OK

Date: Mon, 17 Nov 2014 10:22:28 GMT

Server: Apache

Last-Modified: Tue, 27 May 2014 15:18:03 GMT

Accept-Ranges: bytes

Content-Length: 1553

Cache-Control: max-age=172800

Expires: Wed, 19 Nov 2014 10:22:28 GMT

Keep-Alive: timeout=3, max=9

Connection: Keep-Alive

Content-Type: image/gif
GIF89a................................................................
......................................................................
......................................................................
......................................................................
......................................................~..}..|..z..y..x
..t..v..s..r..q..p..m..o..l..k..j..............!..NETSCAPE2.0.....!...
..|.,............|..;\r....bvwz.....-lqK'......|.[p9.....4lE.....Nj#..
...^g.....[c.....G_......[8..!..IV*..'..|#OP1......).. @JGB=93)...$3&l
t;9 ......!.....|.,..........y.|.|4RhjW:...)Vilortvd1.&]eA..&Lwt.N`..|
<.-[;...|AX....NU....JQ....8M.....%I.....|8C ......<=%.........1
73/*&!....% '.....!.....|.,..........w.|.|-EY[L3..!GX[_cgjZ..LS6.Cmj..
?M)..6r`."I0..Iu:3E...&xZ<A...zr9=.. 8....5!....*0....... *........
..!$!................!.....|.,..........w.|.|$9IM@,...8GJOSWZM&..;A..:
_]).1<...0dU|.7$..Aj4&3..mR,0..pi(...qk.)..&uX.$..Mw;|....{g.|.....
..|2....................!.....|.,..........z.|.|.(591#...'258=AE<..
.)-....-KI ..)...&PE|."...5W,......ZD...._X....c[....fL....Dk4|....9o\
......'Jsl......zxa.....[;....!.....|.,..........x.|.|..$'#......"&*.2
-......... 77.......=5|.....(C#......G6....LG....QJ...|U?....:Z,|...1_
M.N'|.Be]&.fyxtrokV)..;YljS....!.....|.,..........w.|.|...............
............$%........*&|......0......3)..95..=9[z...B1<wL./G#.ct8.
)M>./mrF.7TL...]nkfc_ZH!.5O_[G....!.....|.,..........v.|.|........|
.........1.......gz.|...|;wM.|...Xv'..!.lt..&"jr.|*'So../#5lD.#3.|
<<< skipped >>>

GET /17614/universaldownloader-prefetch?WL=1822 HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C) SoftonicDownloader/1.41.6

Host: camtasia-studio.ud.en.softonic.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Mon, 17 Nov 2014 10:22:24 GMT

Server: Apache

Set-Cookie: ud_client_en-admin=deleted; expires=Sun, 17-Nov-2013 10:22:23 GMT; path=/; domain=ud.softonic.com

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Cache-control: max-age=0, must-revalidate

Pragma: no-cache

Vary: Accept-Language,Accept-Encoding

Content-Encoding: gzip

Content-Length: 9896

Keep-Alive: timeout=3, max=10

Connection: Keep-Alive

Content-Type: text/html; charset=utf-8
...........}iw......W..^Xj..x..)......3u...iVI*@FHD......{..........s.
..(..k...J<i..=.....6.......W/N4}...u...:.8.~.... .c.....Y..IL.V...
...<.......u.o%..u..u.}u..L....V.....'|..i.g..n:..?..u-....Y.cu.xz.
.........O.Y...3..9..[W.......0..k.......K.....I..8....<L.;..>.h
....\.g-5.).........M.....`7.$.3{.Z99...}..Qd$.,"E.L5..;...;)..)..t...
 .......8..\....Rw].q2...1e.j.3LRC..v.'...x...dg......Y..2.?......WEI.
!.\yb...Ps.7..L..x...bd.........$sC...S.......3.x...o..,.52X..W.*F...^
..Ns.....0.Y....l....^.,.....f....\9.".mJ.4.mF.....>..,g1K3{N....a.
[email protected]...........}.d..0..nl../ .............q_6.>.....*c./...
....K. ..(-.....U.H.br.....zW........K..K..fSfO.mf...B...|H..h...\.aN.
...6a.|.R....MV...........|.Q..r.Y...r.5....X.UE...........C..U......n
j!.....p.._n.o.OI.h.d....(.....0...s"3`.H...Il1..$.>........`..8..L
,bzj..{u...._.l..)..K.h....p....e.f)......s.u.......NJ.W.ogg.f.!.E..s.
q.7......T........~x.W.Y..../.G.'w# ....u.O" .....$.&..gq.~b.<.$Z..
...8m6}......\[email protected] .......R......y...5...hK(.zS'...4....'1N.0j. 
..j...."6...].FDv....aG.O.l.4...q..(&..N...,b9C.}...n.s...L..(..E.. ..
.H.s.bY3,.....v.}[email protected]
...D.X.Sa..1N".$.E2.f,....L.Q..32.l.S&T......~...}-......!!....K.....b
..e....u........:q..e.....0L.....K.......W}.h.*..H.IK.:.M...a.....5.@.
.Z...Q....=.,.4......4..v...0y.....)....).]i.%y.k..>pv...n..'.$..k]
k...tw.<.......O...i......b.a%..,..I... 3....j....1O...$..=..O.,..9
.......bKu.f..%.....Qm..nmY9~..$..9h......\jmQ..j..tz.8.U....hk...
<<< skipped >>>

GET /js/generated/1470e-36454.js HTTP/1.1

Accept: */*

Referer: hXXp://camtasia-studio.ud.en.softonic.com/17614/universaldownloader-prefetch?WL=1822

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C) SoftonicDownloader/1.41.6

Host: camtasia-studio.ud.en.softonic.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Mon, 17 Nov 2014 10:22:24 GMT

Server: Apache

Last-Modified: Mon, 03 Nov 2014 11:06:40 GMT

Accept-Ranges: bytes

Cache-Control: max-age=2592000

Expires: Wed, 17 Dec 2014 10:22:24 GMT

Vary: Accept-Encoding

Content-Encoding: gzip

Keep-Alive: timeout=3, max=9

Connection: Keep-Alive

Transfer-Encoding: chunked

Content-Type: text/javascript
1faa...............z.H.8..?O!a.U..Q.,k!..'Kr....e......@.$...R.E.w..&g
t;.}..K. (W........$r.....X...E...H.k.lz......m......i.%Ek-.GI1..d....
.........C<.7.<.N..~X$.;.is?.?.....I.9...pXl&Y4y.O......q2M...a8
..'..,.p.9...t.B.d2.'.'at.f......S.9.....p....3Y...4.....y.'..Q.f..4..
.q~.a.z.5M....Y.A~.z6....x..&..X..$Q>.%Y..*-.......D...bj.D.p......
.f.SR.....4.....,..6..c.. ....M.0.....x.\$..r.b...`.....NJ...a:...Q?..
).Nn....q$.}..I.r.'[email protected] .........8N..0|..dr..
..os...".....-k29..v...q8...M.....AHPQ..*h._..hM....2.M..d3.OO.....~O.
an....fG.It.....0.S.]8..0q.%.M...1..U.|.i..Y..4.>.QV.....i.g.~}....
>Rr.W.a........r..........p.b.m8......(....Z.....z.5N..........A...
. .z.F{../..;....G..B....K.w...w7..8......r6w...f.l.....i..KYw/.......
....6....Z....V.M.^a..q.V/u..0.....r ...........|E..*.-0*f....k.d./.mx
.M..t.m....t..7...f..N.......[.......4...8)...o...........,p...&..r...
h...osG..M>.b..>V\_.ah..2....N'i.6.'...d..J.kP.>C..w....i.80Y
.r>.l.....R...7..................e........^...q._....0^..N.........
.a...ia...K...8.fp6L;!.?..........He......n-K..N..s.1].eS..k.....3..7Y
....d:.dk!..X$."y.6.Q....Cwq"/...N..[....U...~x.="H...n..O...c........
.ZE.....}< ....._........p...}.F.i~....(..L....w..I........8N.....H
V.........@.;.S.QL..a..~.A'.)}Z........|........F.6/...5..g.osTln..o..
..=...o=ok.....KaD_..>.Xu.E..../..... xd.m......!. o.O..`.....&.`z.
j...p2..4...>..xpq.`T.d..$*S..d....&/....Mj.S..z-N.y-.:\C u.k.R....
[email protected]..._.K[N..O..R7......~..|...G..j.T......
<<< skipped >>>

POST /universaldownloader-track?wl=1822 HTTP/1.1

md5_hash: 8786874d6e1c0133180e9c7ecc2c0e59

Accept-Language: en-us

Referer: hXXp://camtasia-studio.ud.en.softonic.com/17614/universaldownloader-prefetch?WL=1822

Accept: application/json, text/javascript, */*; q=0.01

Content-Type: application/x-www-form-urlencoded; charset=UTF-8

x-requested-with: XMLHttpRequest

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C) SoftonicDownloader/1.41.6

Host: camtasia-studio.ud.en.softonic.com

Content-Length: 4064

Connection: Keep-Alive

Cache-Control: no-cache

Cookie: __utma=74966784.1220658294.1416219831.1416219831.1416219831.1; __utmb=74966784.1.10.1416219831; __utmc=74966784; __utmz=74966784.1416219831.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); UACR_17614=false; UACA_17614=false; UD1_POSITION_17614=; _FCen=101361|1|1416219832.100516||

id_session=419BBAB6-DD91-41E7-B3C5-625C565ECAB1&id_machine=a8a67a25000000000000000c29ac6398&id_user=69B3851B-1A0A-42AC-9C21-BCEC27C303D3&id_file=17614&id_section=700&id_main_section=699&ab_test=&api_version=1.41.6×tamp=1416219830&download_browser=unknown_browser&download_browser_version=unknown_version&client_timezone=2&test_track=false&flavour=3&av_installed=&step=prefetch_events&events=[["special_conditions_evaluation",[{"campaign_id":"101361","campaign_priority":1343,"campaign_reranked_priority":null,"sp
HTTP/1.1 200 OK

Date: Mon, 17 Nov 2014 10:22:27 GMT

Server: Apache

Set-Cookie: ud_client_en-admin=deleted; expires=Sun, 17-Nov-2013 10:22:26 GMT; path=/; domain=ud.softonic.com

Vary: Accept-Encoding

Content-Encoding: gzip

Content-Length: 35

Keep-Alive: timeout=3, max=8

Connection: Keep-Alive

Content-Type: application/json; charset=utf-8
...........V*.I,)-V.R..V.....l.........


GET /17614/universaldownloader/campaign-101361?WL=1822&sd_timestamp=1416219830 HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C) SoftonicDownloader/1.41.6

Host: camtasia-studio.ud.en.softonic.com

Connection: Keep-Alive

Cookie: __utma=74966784.1220658294.1416219831.1416219831.1416219831.1; __utmb=74966784.1.10.1416219831; __utmc=74966784; __utmz=74966784.1416219831.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); UACR_17614=false; UACA_17614=false; UD1_POSITION_17614=; NREUM=s=1416219832664&r=322484&p=0; _FCen=101361|1|1416219832.100516||; _ga=GA1.2.1220658294.1416219831; _gat=1

HTTP/1.1 200 OK

Date: Mon, 17 Nov 2014 10:22:27 GMT

Server: Apache

Set-Cookie: ud_client_en-admin=deleted; expires=Sun, 17-Nov-2013 10:22:26 GMT; path=/; domain=ud.softonic.com

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Cache-control: max-age=0, must-revalidate

Pragma: no-cache

Vary: Accept-Encoding

Content-Encoding: gzip

Content-Length: 15885

Keep-Alive: timeout=3, max=7

Connection: Keep-Alive

Content-Type: text/html; charset=utf-8
...........}.V.J.....B.. .....F...9.. ...y...-,K.$...._...}....M.I....
4..$.9}{.Z.u..P..]{.]..........k...h'.w..w5}.Z...[....i_...;....v..0.S
?.YP......M.A.Z......W..S=?..a[u.,/..B...z....ux......L...W....,..:.u,
...6g^lt9.67.7........S~.V....O..[?........w.......M....V.......a.".Fj
q 4.....p...Y~.^..7,."...{~7..4i.?>6SxrQ...,..."_YY.\U.....~..y:...
h jp.......(.bW..#...&u...Gm.8.SV >k........FX.x.I..ha...]DWf...q..
m{..5..() ...w..tY..O..Rym1.3C.g=...P`.mWvn%.o0.qlZ....9h....bpUa.A02.
...W....$<...4...7.].}.y.|~/.b.......kd/qb...6. ;.....x.O..rc.R.p..
OR..8i.....!L|...@'.Q ..l=....C..-.N...%...j>...Y....}....t.. ..q..
...1=:V..X....YYZ.>[email protected] ...7..{...i..m?.'q4.q:....{|..i&
lt;R..Z........Y...2'......a.......=.D.].7......7.......(..;*]....UWE.
.......N~..........-o....Y.aDDq....2....4....I.([email protected]..
.......` .5..{..^.<......r..f..y.F...,.d....A.....m...\....b....-d.
V..C.Q..r.-,<...-."...wL...=;\1@5. b.........N.*..g.#...A....M.....
P.VX.$.^.......G..$..........._....y..b.J0..n.*.......*..!.$Ip..o...(.
..^K..[...,......8l..a.X...J...x..3t....I.......%`C.y..v..C1Y.u.....O9
..V.}ot.B'ss.Q..ps_.....(..T....321B~..A[f...s...AD.p.....5..f.v.x.;..
........>......Y.2.K.uP9../....Sa|.0n.vN$.Q....(..3.;~..Xm..0.B....
.-........;B..y...:.Jo.......{...($.%.:....:...|)..fq..~....p/qh.KY...
..)..J..R...Y....F......n...*k~.0..!D.zpy.h...].OY.3.,.z~.Q....>O..
.>.]q.Di.k..>pv....,-..Q.D..V. !...yrc.~......aq..Q..@...<,..
.D.4.}..t........EM....FQ../&.3'..a....WC....j...~UV.....R'....px.
<<< skipped >>>

GET /shared/img/sd_client/gradientbg.png HTTP/1.1

Accept: */*

Referer: hXXp://camtasia-studio.ud.en.softonic.com/17614/universaldownloader/campaign-101361?WL=1822&sd_timestamp=1416219830

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C) SoftonicDownloader/1.41.6

Host: camtasia-studio.ud.en.softonic.com

Connection: Keep-Alive

Cookie: __utma=74966784.1220658294.1416219831.1416219831.1416219831.1; __utmb=74966784.1.10.1416219831; __utmc=74966784; __utmz=74966784.1416219831.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); UACR_17614=false; UACA_17614=false; UD1_POSITION_17614=; NREUM=s=1416219832664&r=322484&p=0; _FCen=101361|1|1416219832.100516||; _ga=GA1.2.1220658294.1416219831; _gat=1

HTTP/1.1 200 OK

Date: Mon, 17 Nov 2014 10:22:28 GMT

Server: Apache

Last-Modified: Tue, 27 May 2014 15:18:01 GMT

Accept-Ranges: bytes

Content-Length: 2958

Cache-Control: max-age=172800

Expires: Wed, 19 Nov 2014 10:22:28 GMT

Keep-Alive: timeout=3, max=6

Connection: Keep-Alive

Content-Type: image/png
.PNG........IHDR...)...........\.....tEXtSoftware.Adobe ImageReadyq.e&
lt;....PLTE...........................................................
......................................................................
...........................O *E...4tRNS...............................
.....................KW"e...HIDATx....v.9..Q{.%y......I.3.\...m..`..u.
s1.s.D...Q,. ..`(..S....O.....SJ........8...=.LR.[.&......:.eJY..oI:./
...$..BJ.#KS.sH2..%.{F..='..?HR./..6.X......)./R.. ..6.....F..g.[.I.&l
t;.l..2$...42.....S.....>..........h2..f..3.........<...X&r....T
..gg.-...t.....em<b.V&.g.c....6E,.-..qF6. ...o.Q.$S...(./y...DD..w.
.:iQ .c....3.&.TcCT.t,UE.E..HP.R.s.......V.`...%...'6.`...g..UIf(..K..
..uF2..r......T.!..]fLWF..\lU$....=c:2#.`....<...E". .".. qU.7P.[..
c.}.J.q.N.*..:g)%...!.. ..,[email protected]..,9.:l....c....<...
G.8...O......?.....5..'}.....TB..#.... Uxq..\..Y....1.P ..P.........Cd
a...g.....V'....G.:..uW..2.X......a2!.....L..2...mb...f:.i. z........S
...u)d8dC.R..q.`..N.^.~.q.......].....U.....%..p1&..b5..K..q..h...D...
...0...b..?M`...ak..2}J.7....l..<........7\...g!.Jf.0k.......){.-[.
f...M.. ..`.hY}..]....Z...z`.J.eb.........Vl..s...p.Zi.*..kd~..Q...l.@
......(l.v.L%:..|.c....,..Tg.....I..7[.-#,.....j#...B.`..b.m`..[....g.
.<Gs......".5c.R.4QC.5.][email protected]....
%0.m./....z{{~.y...........gz.zz.........??{..g~....D...............z.
_.......k.}...^?v..w.O..........t.x...~..x..}.........................
..............=..m...]Ew7...._....j_.j.....~.&....\7....~.....Pw..
<<< skipped >>>

GET /shared/img/sd_client/sprite.png HTTP/1.1

Accept: */*

Referer: hXXp://camtasia-studio.ud.en.softonic.com/17614/universaldownloader/campaign-101361?WL=1822&sd_timestamp=1416219830

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C) SoftonicDownloader/1.41.6

Host: camtasia-studio.ud.en.softonic.com

Connection: Keep-Alive

Cookie: __utma=74966784.1220658294.1416219831.1416219831.1416219831.1; __utmb=74966784.1.10.1416219831; __utmc=74966784; __utmz=74966784.1416219831.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); UACR_17614=false; UACA_17614=false; UD1_POSITION_17614=; NREUM=s=1416219832664&r=322484&p=0; _FCen=101361|1|1416219832.100516||; _ga=GA1.2.1220658294.1416219831; _gat=1

HTTP/1.1 200 OK

Date: Mon, 17 Nov 2014 10:22:28 GMT

Server: Apache

Last-Modified: Thu, 17 Jul 2014 09:01:45 GMT

Accept-Ranges: bytes

Content-Length: 7892

Cache-Control: max-age=172800

Expires: Wed, 19 Nov 2014 10:22:28 GMT

Keep-Alive: timeout=3, max=5

Connection: Keep-Alive

Content-Type: image/png
.PNG........IHDR.......\.....ld......sBIT.....O.....PLTE..............
......................................................................
...............................................h......................
.f.....n........Dw.I..............U..}..,...v..\. g...........x.a...R.
.............>....:n........M..].T*..:.....m....tV.....]........7..
..Q..P..O)....P.i...O..N..N..M....sJ..M..K..L..L..J..J..JJz...I..I..H.
.I..H..Istv..H..G..H..G..G..G..F..F.x.go...F..F..E..E..D..D..D..B..C/v
...B:[email protected]..>/g..m..p..i...<..=.z:.g.;b..z:[email protected]?[ZW
.5>.u8.4<.s7.b..3;.1:.09{O$./8.p5..7.-6.[..m4&Q..,5. 3.k3(X..*2.
)1.R..(0.'/.%,.T..f1.e1.&..$,.$,.%-.# .# ."*.#,."*.!)." .!(.!*.!). (..
'. (..&. '.I...'..&..%..&..%..%..$..$.."..#..#..".."..!..!....9.899...
................*................>.j.....tRNS......................
......................................................................
......................................................................
......................................................................
.............~T.....pHYs...........~.....tEXtSoftware.Adobe Fireworks 
CS6.......gIDATx...._[.^..'.LhC...4.t.K....H.w0......^.)w.i..T...q..w.
.bq..*U.2j]..hU...^.}).\.......,.@......._..!0.u>[email protected]\..
fUHC....c.X;4.c..I...m..c...d.B.2...}. ..- ...A....,.:p51.4.Ig..:.}...
...r......WXw..........z. 3v..^.....2......5.Bw.;...M.......ffx..Ac...
....jf...F53.K...y...^.(h..M].>....................y.o.:...m.-.2C..
..................(.Jro.P............wqo....7....<...7*.z......
<<< skipped >>>

The Trojan connects to the servers at the folowing location(s):

.text

`.data

.rsrc

@.reloc

ADVAPI32.dll

KERNEL32.dll

GDI32.dll

USER32.dll

msvcrt.dll

COMCTL32.dll

VERSION.dll

advapi32.dll

wininit.ini

advpack.dll

Software\Microsoft\Windows\CurrentVersion\App Paths

setupapi.dll

setupx.dll

IXPd.TMP

TMP4351$.TMP

FINISHMSG

USRQCMD

ADMQCMD

msdownld.tmp

wextract.pdb

PSSSSSSh

RegCloseKey

RegOpenKeyExA

RegQueryInfoKeyA

RegCreateKeyExA

GetWindowsDirectoryA

ExitWindowsEx

MsgWaitForMultipleObjects

_acmdln

_amsg_exit

rundll32.exe %s,InstallHinfSection %s 128 %s

SHELL32.DLL

Software\Microsoft\Windows\CurrentVersion\RunOnce

PendingFileRenameOperations

System\CurrentControlSet\Control\Session Manager\FileRenameOperations

wextract_cleanup%d

%s /D:%s

rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"

Command.com /c %s

zcÁ

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\

)%u]Q

Bp.Dx

gA`0)%UJ

CAMTAS~1.EXE

SOFTON~1.EXE

Z-%c?

`E0#-d}

)%Uo/

%U}7(

fs.PnY%?T

o%U"!

u>.KT09|

H.haO

.BF];

-0%S?

*5%FJ

-QyWTY.Gb

.YP48

9!PS.ko

.IBRr)fm6

_.drg

bB.DX#z

) .rITI

yoM

.wou.d{

3v7.Ys

1.gLv

V?l.XU

W.nGn

K:\:<hl

<v.vP

%CGBw

v2.0.50727

5q.Yc

%\?%C

.NM,`=

n%xiRR

.jQe}S

f r.rq9

.ynp]

y.BW?

P%C'OQ2

|%s#^w

9XIl%d%

@Y.sDI

uK`%U

7/%se

%UTvj

j%dpP

.QC"6

|z<.Ty

7jf)0.gK

2*c.gQ

%S!>?4

2@W%x

!;.eB

8vIU.sh

/w2%u

xcWL.rQ

.Sz>0m

sNwU%XG

[iO.pm3

gT%u;y2"O7sM

=%X8a

Ra.nn

D1ÿ

ûBB

#%X2!

#<.KH

.tCJj

.aFgHv

c[.td

?j%cY

=2L)F%x

(kA(%X

Q.V%D

%b.xi

4Y%fnZL

wextract.manifest

Manifest to support IExpress WExtract.exe.

version="1.0.0.0"

name="Microsoft.Windows.Common-Controls"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

<requestedExecutionLevel

Kernel32.dll

Please read the following license agreement. Press the PAGE DOWN key to see the rest of the agreement.

: %s."

".CFailed to get disk space information from: %s.

System Message: %s.&A required resource cannot be located. Are you sure you want to cancel?

8Unable to retrieve operating system version information.!Memory allocation request failed.

Filetable full.Ên not change to destination folder.

Setup could not find a drive with %s KB free disk space to install the program. Please free up some space first and press RETRY or press CANCEL to exit setup.KThat folder is invalid. Please make sure the folder exists and is writable.IYou must specify a folder with fully qualified pathname or choose Cancel.UImpossible d'obtenir les informations d'espace disque de

: %s.

: %s.&Une ressource requise est introuvable.

!Le fichier .cab n'est pas valide. La table de fichiers est pleine.7Impossible de se placer dans le dossier de destination.

aucun disque disposant de %s Ko d'espace libre pour l'installation. Lib

criture.JVous devez sp

Shell32.dll

<%s>.

: %s 

Windows 95

Windows NT 4.0

'%s'.

advpack.dll.&

Windows NT

!Could not update folder edit box.5Could not load functions required for browser dialog.7Could not load Shell32.dll required for browser dialog.

(Error creating process <%s>. Reason: %s1The cluster size in this system is not supported.,A required resource appears to be corrupted.QWindows 95 or Windows NT 4.0 Beta 2 or greater is required for this installation.

Error loading %shGetProcAddress() failed on function '%s'. Possible reason: incorrect version of advpack.dll being used./Windows 95 or Windows NT is required to install

Could not create folder '%s'

To install this program, you need %s KB disk space on drive %s. It is recommended that you free up the required disk space before you continue.

dition du dossier.FImpossible de charger les fonctions requises par la bo

te de dialogue.QImpossible de charger Shell32.dll requise par la bo

ation du processus <%s>. Raison : %s=La taille de cluster de ce syst

me n'est pas prise en charge.%Une ressource requise est endommag

e.]Cette installation requiert les versions Windows

95, Windows

Erreur de chargement de %st

chec de GetProcAddress() sur la fonction %s. Raison possible

: utilisation d'une version incorrecte de advpack.dll.0L'installation requiert Windows

95 ou Windows

er le dossier %s

cessite %s Ko d'espace libre sur le disque %s. Il est recommand

Windows

ExitWindowsEx.n

(%s) .

Error retrieving Windows folder

$NT Shutdown: OpenProcessToken error.)NT Shutdown: AdjustTokenPrivileges error.!NT Shutdown: ExitWindowsEx error.}Extracting file failed. It is most likely caused by low memory (low disk space for swapping file) or corrupted Cabinet file.aThe setup program could not retrieve the volume information for drive (%s) .

System message: %s.xSetup could not find a drive with %s KB free disk space to install the program. Please free up some space and try again.eThe installation program appears to be damaged or corrupted. Contact the vendor of this application.

ration du dossier Windows

me Windows.

un fichier .cab endommag

.tLe programme d'installation n'a pas pu r

rer les informations de volume du disque (%s).

: %s.|Le programme d'installation n'a pas trouv

les %s Ko d'espace disque libres n

/C:<Cmd> --

/C:<Cmd> -- Override Install Command defined by author.

eAnother copy of the '%s' package is already running on your system. Do you want to run another copy?

Could not find the file: %s.

/C:<Cmd> -- Ignorer la commande Install d

_Une autre copie du lot %s tourne d

?&Impossible de trouver le fichier : %s.

Windows

:The folder '%s' does not exist. Do you want to create it?hAnother copy of the '%s' package is already running on your system. You can only run one copy at a time.OThe '%s' package is not compatible with the version of Windows you are running.SThe '%s' package is not compatible with the version of the file: %s on your system.

Vous n'avez pas les droits d'administrateur sur cet ordinateur. Certaines installations ne peuvent

2Le dossier %s n'existe pas. Voulez-vous le cr

?tLe package %s est d

la fois.]Le package %s n'est pas compatible avec la version de Windows que vous utilisez actuellement.]Le package %s n'est pas compatible avec la version du fichier : %s pr

8.00.7600.16385 (win7_rtm.090713-1255)

WEXTRACT.EXE .MUI

Windows

8.00.7600.16385

SOFTON~1.EXE_176:

`.rsrc

PSSSSSSh

PSSSSh

F><.tN<[tJ<\tF<*tB<|t><^t:<$t6

II I!"II#$IIII%&'III(I)*I III,-.II/0123IIII4I5IIIIIII6IIIIII789:;<IIIIIIII=>II?@ABCDEFIIIIGIIIIH

88888888888888888

%u$Vj%

t.Gj:W

xSSSh

FTPjKS

FtPj;S

C.PjRV

[%s %s %s]

Send failure: %s

Failed writing body (%d != %d)

%s:%d

WARNING: failed to save cookies in %s

About to connect() to %s%s port %d (#%d)

Connected to %s (%s) port %d (#%d)

<url> malformed

:]://%[^

[^:]:%[^

Protocol %s not supported or disabled in libcurl

http_proxy

%5[^:@]:%5[^@]

%5[^:]:%5[^

:%5[^@]

Port number too large: %lu

%s://%s%s%s:%d%s%s

ftps

[%*39[0123456789abcdefABCDEF:.%]%c

Couldn't find host %s in the _netrc file; using defaults

[email protected]

Couldn't resolve host '%s'

Couldn't resolve proxy '%s'

Connection #%d seems to be dead!

Connection (#%d) was killed to make room (holds %d)

Re-using existing connection! (#%ld) with host %s

%s://%s

Connection #%ld to host %s left intact

operation aborted by callback

HTTP/

ioctl callback returned error %d

the ioctl callback returned %d

seek callback returned error %d

The requested URL returned error: %d

HTTP/1.0 connection set to keep alive!

HTTP/1.1 proxy connection set close!

HTTP/1.0 proxy connection set to keep alive!

HTTP 1.0, assume close after body

HTTP =

HTTP/%d.%d =

No URL set!

[^?&/:]://%c

Violate RFC 2616/10.3.2 and switch from POST to GET

Disables POST, goes with %s

Issue another request to this URL: '%s'

Maximum (%d) redirects followed

Received problem %d in the chunky parser

HTTP server doesn't seem to support byte ranges. Cannot resume.

Rewinding stream by : %d bytes on url %s (size = %lld, maxdownload = %lld, bytecount = %lld, nread = %d)

Leftovers after chunking. Rewinding %d bytes

Operation timed out after %ld milliseconds with %lld bytes received

Operation timed out after %ld milliseconds with %lld out of %lld bytes received

unspecified error %d

%s cookie %s="%s" for domain %s, path %s, expire %d

#HttpOnly_

httponly

I99[^;

skipped cookie with bad tailmatch domain: %s

skipped cookie with illegal dotcount domain: %s

23[^;=]=I99[^;

%s%s%s

# Fatal libcurl error

# Netscape HTTP Cookie File

# hXXp://curl.haxx.se/rfc/cookie_spec.html

# This file was generated by libcurl! Edit at your own risk.

bind failure: %s

Local port: %d

Bind to local port %d failed, trying next

couldn't find my own IP address (%s)

Bind local address to %s

Couldn't bind to '%s'

TCP_NODELAY set

Could not set TCP_NODELAY: %s

Failed to connect to %s: %s

Trying %s...

Internal error removing splay node = %d

Internal error clearing splay node = %d

Error in the SSH layer

Caller must register CURLOPT_CONV_ callback options

TFTP: No such user

TFTP: Unknown transfer ID

TFTP: Illegal operation

TFTP: Access Violation

TFTP: File Not Found

Login denied

Issuer check against peer certificate failed

Invalid LDAP URL

Unrecognized HTTP Content-Encoding

Problem with the SSL CA cert (path? access rights?)

Peer certificate cannot be authenticated with known CA certificates

Problem with the local SSL certificate

SSL peer certificate or SSH md5 fingerprint was not OK

A libcurl function was given a bad argument

Operation was aborted by an application callback

FTP: command REST failed

FTP: command PORT failed

HTTP response code said error

FTP: couldn't retrieve (RETR failed) the specified file

FTP: couldn't set file type

FTP: can't figure out the host in the PASV response

FTP: unknown 227 response format

FTP: unknown PASV reply

FTP: unknown PASS reply

FTP: weird server reply

URL using bad/illegal format or missing URL

Unsupported protocol

Winsock version not supported

Protocol family not supported

Address family not supported

Operation not supported

Socket is unsupported

Protocol is unsupported

Protocol option is unsupported

Unknown error %d (%#x)

Resolving host timed out: %s

Could not resolve host: %s; %s

Could not resolve proxy: %s; %s

Could not resolve host: %s

gethostbyname(2) failed for %s:%d; %s

init_resolve_thread() failed for %s; %s

TFTP

set timeouts for state %d; Total %d, retry %d maxtry %d

tftp_rx: giving up waiting for block %d

Received unexpected DATA packet block %d

Timeout waiting for block %d ACK. Retries = %d

tftp_rx: internal error

tftp_tx: giving up waiting for block %d ack

Received ACK for block %d, expecting %d

tftp_tx: internal error

bind() failed; %s

tftp_send_first: internal error

%s%c%s%c

TFTP finished

Can't get the size of %s

Can't open %s for writing

Last-Modified: %s, d %s M d:d:d GMT

Couldn't open file %s

There are more than %d entries

LDAP remote: %s

LDAP local: ldap_simple_bind_s %s

LDAP local: Cannot connect to %s:%d

LDAP local: trying to establish %s connection

LDAP local: %s

LDAP local: LDAP Vendor = %s ; LDAP Version = %d

CLIENT libcurl 7.19.0

MATCH %s %s %s

DEFINE %s %s

insufficient winsock version to support telnet

WSAStartup failed (%d)

%s %d %d

%s %s %d

%s %s %s

%s IAC %d

%s IAC %s

Sending data failed (%d)

%d (unknown)

%s (unsupported)

%s IAC SB

Syntax error in telnet option: %s

Unknown telnet option %s

7[^= ]%*[ =]%5s

USER,%s

%c%c%c%c%s%c%c

%c%s%c%s

7[^,],7s

%c%c%c%c

FreeLibrary(wsock2) failed (%d)

WSACloseEvent failed (%d)

WSACreateEvent failed (%d)

failed to find WSAEnumNetworkEvents function (%d)

failed to find WSAEventSelect function (%d)

failed to find WSACloseEvent function (%d)

failed to find WSACreateEvent function (%d)

failed to load WS2_32.DLL (%d)

WS2_32.DLL

Excessive FTP response line length received, %zd bytes. Stripping

FTP response reading failed

FTP response aborted due to select/poll error: %d

FTP response timeout

Failed FTP upload: 

RETR response: d

Connecting to %s (%s) port %d

Uploading to a URL without a file name!

FTPS not supported!

USER %s

socket(2) failed (%s)

PORT %d,%d,%d,%d,%d,%d

Telling server to connect to %d.%d.%d.%d:%d

Failed to resolve host name %s

getsockname() failed: %s

Connect data stream passively

REST %d

SIZE %s

STOR %s

APPE %s

Bad PASV/EPSV response: d

Can't resolve new host %s:%d

%d.%d.%d.%d

Skips %d.%d.%d.%d for data connection, uses %s instead

%d,%d,%d,%d,%d,%d

%c%c%c%u%c

Failed to do PORT

Got a d response code instead of the assumed 200

RETR %s

ftp server doesn't support SIZE

PBSZ %d

Access denied: d

ACCT %s

PASS %s

ACCT rejected by server: d

QUOT string not accepted: %s

TYPE %c

MDTM %s

ddd d:d:d GMT

dddddd

unsupported MDTM reply format

server did not report OK, got %d

Remembering we are in dir "%s"

CWD %s

Failed to MKD dir: d

MKD %s

QUOT command failed with d

Entry path is '%s'

PROT %c

unsupported parameter to CURLOPT_FTPSSLAUTH: %d

AUTH %s

Got a d ftp-server response when 220 was expected

%sAuthorization: Basic %s

%s:%s

Server auth using %s with user '%s'

Proxy auth using %s with user '%s'

Failed sending HTTP POST request

Content-Type: application/x-www-form-urlencoded

Internal HTTP POST error!

Failed sending HTTP request

If-Unmodified-Since: %s

Last-Modified: %s

If-Modified-Since: %s

%s, d %s M d:d:d GMT

%s%s=%s

%s %s%s HTTP/%s

%s%s%s%s%s%s%s%s%s%s%s

Content-Range: bytes %s/%lld

Content-Range: bytes %s%lld/%lld

Range: bytes=%s

;type=%c

ftps://

PTF://

Host: %s%s%s:%d

Host: %s%s%s

Accept-Encoding: %s

Referer: %s

Received HTTP code %d from proxy after CONNECT

%d bytes of chunk left

HTTP/1.%d %d

Read %d bytes of chunk, continue

CONNECT %s:%d HTTP/1.0

%s%s%s%s

Host: %s

Establish HTTP proxy tunnel to %s:%d

Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), Unknown.

Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because the client program and identd report different user-ids.

Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because SOCKS server cannot connect to identd on the client.

Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected or failed.

Failed to resolve "%s" for SOCKS4 connect.

No authentication method was acceptable. (It is quite likely that the SOCKS5 server wanted a username/password, since none was supplied to the server on this connection.)

SOCKS5 GSSAPI per-message authentication is not supported.

Can't complete SOCKS5 connection to %d.%d.%d.%d:%d. (%d)

Failed to resolve "%s" for SOCKS5 connect.

User was rejected by the SOCKS5 server (%d %d).

SOCKS5: server resolving disabled for hostnames of length > 255 [actual len=%d]

--:--:--

= %s = %s = %s %s %s %s %s %s %s

password

login

Operation too slow. Less than %d bytes/sec transfered the last %d seconds

%s, algorithm="%s"

%s, opaque="%s"

%sAuthorization: Digest username="%s", realm="%s", nonce="%s", uri="%s", response="%s"

%sAuthorization: Digest username="%s", realm="%s", nonce="%s", uri="%s", cnonce="%s", nc=x, qop="%s", response="%s"

%s:%s:x:%s:%s:%s

%s:%s:%s

%5[^=]=23[^

%5[^=]="23[^"]"

d:d:d

%c%c==

%c%c%c=

.html

.jpeg

--%s--

Content-Type: %s

; filename="%s"

Content-Disposition: attachment; filename="%s"

Content-Type: multipart/mixed, boundary=%s

%s; boundary=%s

()$^.* ?[]|\-{},:=!

:/-_.!~*'()

xxxxx

Visual C   CRT: Not enough memory to complete call to strerror.

Broken pipe

Inappropriate I/O control operation

Operation not permitted

GetProcessWindowStation

portuguese-brazilian

operator

()$^.* ?[]|\-{},:=!

Kernel32.DLL

invalid map<K, T> key

User-Agent: %s

http/

NOINT_MSG

urls_to_restore_on_startup

startup_urls

search_url

keyword

zcÁ

.?AVHTTPClientImplementation@@

.?AVHTTPClientInterface@@

.?AV?$EventTSpecificFunctor@VWindowsAPI@@@@

.?AV?$TSpecificFunctor@VWindowsAPI@@@@

.?AVFirefoxBrowserHandler@Browser@Lib@Softonic@@

.?AVChromeBrowserHandler@Browser@Lib@Softonic@@

.?AVWindowsAPI@@

.?AUDWebBrowserEvents2@@

.?AUIHttpNegotiate@@

.?AVCustomIHttpNegotiate@@

.?AV?$EventTSpecificFunctor@VCurlMultiDownloadJob@@@@

.?AVCurlMultiDownloadJob@@

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\SOFTON~1.EXE

GetCPInfo

GetProcessHeap

PeekNamedPipe

RegCloseKey

RegEnumKeyExW

RegCreateKeyExW

RegOpenKeyExW

RegDeleteKeyW

RegQueryInfoKeyW

ShellExecuteW

ShellExecuteExW

URLDownloadToFileW

UrlMkGetSessionOption

UrlMkSetSessionOption

GetAsyncKeyState

GetKeyState

EnumChildWindows

EnumDesktopWindows

InternetOpenUrlA

.text

`.rdata

@.data

.rsrc

<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.1.1.0" processorArchitecture="X86" name="Softonic.UniversalDownloader" type="win32"></assemblyIdentity><description>Universal Downloader Download Helper.</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">

<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS>

<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS>

KERNEL32.DLL

ADVAPI32.dll

COMCTL32.dll

GDI32.dll

gdiplus.dll

IPHLPAPI.DLL

ole32.dll

OLEAUT32.dll

PSAPI.DLL

RPCRT4.dll

SHELL32.dll

SHLWAPI.dll

urlmon.dll

USER32.dll

VERSION.dll

WININET.dll

WLDAP32.dll

WSOCK32.dll

H[%s] %s

[%d][%s|%s][%s][%s]

[%d][%s|%s][%s][%s][%s]

Glog.txt

HKERNEL32.DLL

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

mscoree.dll

WUSER32.DLL

.temp

Ld-d-d

[%d] [%lld|%lld]

1.41.6

Got Elevation URL. [%s]

New URL was not valid.

@Received message %s

xxxxxxxxxxx

explorer.exe "

[%d %d]

Hchrome

firefox

0.0.0.0

Web View

Web Host

%d|%d|%d

errorUrl

%s(%s)

%s --> (%s)

.swf?

.jpg?

.gif?

.png?

Value: %d

%s\*.*

%s\%s

Proxy by URL are not supported.

Automatic proxy discovery are not supported.

http=

https=

CPTF://

- URL:

[%d] Starting thread...

[%d] Thread Creation OK!

[%d] Error creating thread! trying again...

[%d] Thread started...

Ahttp/

%d - [%d][%lld/%lld][%lld]

json_writer.cpp

Hjson_value.cpp

Software\Classes\http\shell\open\command\

http\shell\open\command\

Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice\

Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice\

chrome.exe

iexplore.exe

firefox.exe

opera.exe

opera

safari.ex

browser.startup.homepage

browser.search.order.1

browser.search.order.2

browser.search.order.3

prefs.js

\"(.)*.;

browser.search.selectedEngine

browser.search.defaultenginename

browser.search.useDBForOrder

user_pref("browser.search.useDBForOrder", "false");

browser.search.useDBForOrder", "false");

browser.search.useDBForOrder.*

%s*.*

Software\Mozilla\Mozilla Firefox\

\Google\Chrome

SOFTWARE\Mozilla\Mozilla Firefox

SOFTWARE\Mozilla\Mozilla Firefox\

PathToExe

\Mozilla\Firefox\profiles.ini

\Mozilla\Firefox\

\search-metadata.json

ljson_reader.cpp

log.txt

Assertion failed: %s, file %s, line %d

WWW.4C.-*QPCY.

.JK=3CC>?*QPCY)

WWW.JK=3CC*>*QPCY 

.JK=3CC>?*QPCY=

.JK=3CC*QPCY*

.JK=3CC>?*QPCY>

.JK=3CC>?*QPCY?-)Y7

.JK=3CC*>*QPCY*

.JK=3CC*QPCY?

.JK=3CC*QPCY>

.JK=3CC*QPCY26UY,

YH.JK=3CC*QPCY*

8.JK=3CC*QPCY?

.JK=3CC*QPCY=

W.JK=3CC*QPCY=

"<7=/85,<$";078  &2< $";078  &/85,<$";078  &<7=/85,<$

*6?-.8 <% 

*6?-.8 <%-

0<!)56 <

*6?-.8 <%*

3*&073<:-067*

X.JK=3CC*>*QPCY 

3*&073<:-0674

1.41.6.3

SOFTON~1.EXE_176_rwx_00401000_000F6000:

PSSSSSSh

PSSSSh

F><.tN<[tJ<\tF<*tB<|t><^t:<$t6

II I!"II#$IIII%&'III(I)*I III,-.II/0123IIII4I5IIIIIII6IIIIII789:;<IIIIIIII=>II?@ABCDEFIIIIGIIIIH

88888888888888888

%u$Vj%

t.Gj:W

xSSSh

FTPjKS

FtPj;S

C.PjRV

[%s %s %s]

Send failure: %s

Failed writing body (%d != %d)

%s:%d

WARNING: failed to save cookies in %s

About to connect() to %s%s port %d (#%d)

Connected to %s (%s) port %d (#%d)

<url> malformed

:]://%[^

[^:]:%[^

Protocol %s not supported or disabled in libcurl

http_proxy

%5[^:@]:%5[^@]

%5[^:]:%5[^

:%5[^@]

Port number too large: %lu

%s://%s%s%s:%d%s%s

ftps

[%*39[0123456789abcdefABCDEF:.%]%c

Couldn't find host %s in the _netrc file; using defaults

[email protected]

Couldn't resolve host '%s'

Couldn't resolve proxy '%s'

Connection #%d seems to be dead!

Connection (#%d) was killed to make room (holds %d)

Re-using existing connection! (#%ld) with host %s

%s://%s

Connection #%ld to host %s left intact

operation aborted by callback

HTTP/

ioctl callback returned error %d

the ioctl callback returned %d

seek callback returned error %d

The requested URL returned error: %d

HTTP/1.0 connection set to keep alive!

HTTP/1.1 proxy connection set close!

HTTP/1.0 proxy connection set to keep alive!

HTTP 1.0, assume close after body

HTTP =

HTTP/%d.%d =

No URL set!

[^?&/:]://%c

Violate RFC 2616/10.3.2 and switch from POST to GET

Disables POST, goes with %s

Issue another request to this URL: '%s'

Maximum (%d) redirects followed

Received problem %d in the chunky parser

HTTP server doesn't seem to support byte ranges. Cannot resume.

Rewinding stream by : %d bytes on url %s (size = %lld, maxdownload = %lld, bytecount = %lld, nread = %d)

Leftovers after chunking. Rewinding %d bytes

Operation timed out after %ld milliseconds with %lld bytes received

Operation timed out after %ld milliseconds with %lld out of %lld bytes received

unspecified error %d

%s cookie %s="%s" for domain %s, path %s, expire %d

#HttpOnly_

httponly

I99[^;

skipped cookie with bad tailmatch domain: %s

skipped cookie with illegal dotcount domain: %s

23[^;=]=I99[^;

%s%s%s

# Fatal libcurl error

# Netscape HTTP Cookie File

# hXXp://curl.haxx.se/rfc/cookie_spec.html

# This file was generated by libcurl! Edit at your own risk.

bind failure: %s

Local port: %d

Bind to local port %d failed, trying next

couldn't find my own IP address (%s)

Bind local address to %s

Couldn't bind to '%s'

TCP_NODELAY set

Could not set TCP_NODELAY: %s

Failed to connect to %s: %s

Trying %s...

Internal error removing splay node = %d

Internal error clearing splay node = %d

Error in the SSH layer

Caller must register CURLOPT_CONV_ callback options

TFTP: No such user

TFTP: Unknown transfer ID

TFTP: Illegal operation

TFTP: Access Violation

TFTP: File Not Found

Login denied

Issuer check against peer certificate failed

Invalid LDAP URL

Unrecognized HTTP Content-Encoding

Problem with the SSL CA cert (path? access rights?)

Peer certificate cannot be authenticated with known CA certificates

Problem with the local SSL certificate

SSL peer certificate or SSH md5 fingerprint was not OK

A libcurl function was given a bad argument

Operation was aborted by an application callback

FTP: command REST failed

FTP: command PORT failed

HTTP response code said error

FTP: couldn't retrieve (RETR failed) the specified file

FTP: couldn't set file type

FTP: can't figure out the host in the PASV response

FTP: unknown 227 response format

FTP: unknown PASV reply

FTP: unknown PASS reply

FTP: weird server reply

URL using bad/illegal format or missing URL

Unsupported protocol

Winsock version not supported

Protocol family not supported

Address family not supported

Operation not supported

Socket is unsupported

Protocol is unsupported

Protocol option is unsupported

Unknown error %d (%#x)

Resolving host timed out: %s

Could not resolve host: %s; %s

Could not resolve proxy: %s; %s

Could not resolve host: %s

gethostbyname(2) failed for %s:%d; %s

init_resolve_thread() failed for %s; %s

TFTP

set timeouts for state %d; Total %d, retry %d maxtry %d

tftp_rx: giving up waiting for block %d

Received unexpected DATA packet block %d

Timeout waiting for block %d ACK. Retries = %d

tftp_rx: internal error

tftp_tx: giving up waiting for block %d ack

Received ACK for block %d, expecting %d

tftp_tx: internal error

bind() failed; %s

tftp_send_first: internal error

%s%c%s%c

TFTP finished

Can't get the size of %s

Can't open %s for writing

Last-Modified: %s, d %s M d:d:d GMT

Couldn't open file %s

There are more than %d entries

LDAP remote: %s

LDAP local: ldap_simple_bind_s %s

LDAP local: Cannot connect to %s:%d

LDAP local: trying to establish %s connection

LDAP local: %s

LDAP local: LDAP Vendor = %s ; LDAP Version = %d

CLIENT libcurl 7.19.0

MATCH %s %s %s

DEFINE %s %s

insufficient winsock version to support telnet

WSAStartup failed (%d)

%s %d %d

%s %s %d

%s %s %s

%s IAC %d

%s IAC %s

Sending data failed (%d)

%d (unknown)

%s (unsupported)

%s IAC SB

Syntax error in telnet option: %s

Unknown telnet option %s

7[^= ]%*[ =]%5s

USER,%s

%c%c%c%c%s%c%c

%c%s%c%s

7[^,],7s

%c%c%c%c

FreeLibrary(wsock2) failed (%d)

WSACloseEvent failed (%d)

WSACreateEvent failed (%d)

failed to find WSAEnumNetworkEvents function (%d)

failed to find WSAEventSelect function (%d)

failed to find WSACloseEvent function (%d)

failed to find WSACreateEvent function (%d)

failed to load WS2_32.DLL (%d)

WS2_32.DLL

Excessive FTP response line length received, %zd bytes. Stripping

FTP response reading failed

FTP response aborted due to select/poll error: %d

FTP response timeout

Failed FTP upload: 

RETR response: d

Connecting to %s (%s) port %d

Uploading to a URL without a file name!

FTPS not supported!

USER %s

socket(2) failed (%s)

PORT %d,%d,%d,%d,%d,%d

Telling server to connect to %d.%d.%d.%d:%d

Failed to resolve host name %s

getsockname() failed: %s

Connect data stream passively

REST %d

SIZE %s

STOR %s

APPE %s

Bad PASV/EPSV response: d

Can't resolve new host %s:%d

%d.%d.%d.%d

Skips %d.%d.%d.%d for data connection, uses %s instead

%d,%d,%d,%d,%d,%d

%c%c%c%u%c

Failed to do PORT

Got a d response code instead of the assumed 200

RETR %s

ftp server doesn't support SIZE

PBSZ %d

Access denied: d

ACCT %s

PASS %s

ACCT rejected by server: d

QUOT string not accepted: %s

TYPE %c

MDTM %s

ddd d:d:d GMT

dddddd

unsupported MDTM reply format

server did not report OK, got %d

Remembering we are in dir "%s"

CWD %s

Failed to MKD dir: d

MKD %s

QUOT command failed with d

Entry path is '%s'

PROT %c

unsupported parameter to CURLOPT_FTPSSLAUTH: %d

AUTH %s

Got a d ftp-server response when 220 was expected

%sAuthorization: Basic %s

%s:%s

Server auth using %s with user '%s'

Proxy auth using %s with user '%s'

Failed sending HTTP POST request

Content-Type: application/x-www-form-urlencoded

Internal HTTP POST error!

Failed sending HTTP request

If-Unmodified-Since: %s

Last-Modified: %s

If-Modified-Since: %s

%s, d %s M d:d:d GMT

%s%s=%s

%s %s%s HTTP/%s

%s%s%s%s%s%s%s%s%s%s%s

Content-Range: bytes %s/%lld

Content-Range: bytes %s%lld/%lld

Range: bytes=%s

;type=%c

ftps://

PTF://

Host: %s%s%s:%d

Host: %s%s%s

Accept-Encoding: %s

Referer: %s

Received HTTP code %d from proxy after CONNECT

%d bytes of chunk left

HTTP/1.%d %d

Read %d bytes of chunk, continue

CONNECT %s:%d HTTP/1.0

%s%s%s%s

Host: %s

Establish HTTP proxy tunnel to %s:%d

Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), Unknown.

Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because the client program and identd report different user-ids.

Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because SOCKS server cannot connect to identd on the client.

Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected or failed.

Failed to resolve "%s" for SOCKS4 connect.

No authentication method was acceptable. (It is quite likely that the SOCKS5 server wanted a username/password, since none was supplied to the server on this connection.)

SOCKS5 GSSAPI per-message authentication is not supported.

Can't complete SOCKS5 connection to %d.%d.%d.%d:%d. (%d)

Failed to resolve "%s" for SOCKS5 connect.

User was rejected by the SOCKS5 server (%d %d).

SOCKS5: server resolving disabled for hostnames of length > 255 [actual len=%d]

--:--:--

= %s = %s = %s %s %s %s %s %s %s

password

login

Operation too slow. Less than %d bytes/sec transfered the last %d seconds

%s, algorithm="%s"

%s, opaque="%s"

%sAuthorization: Digest username="%s", realm="%s", nonce="%s", uri="%s", response="%s"

%sAuthorization: Digest username="%s", realm="%s", nonce="%s", uri="%s", cnonce="%s", nc=x, qop="%s", response="%s"

%s:%s:x:%s:%s:%s

%s:%s:%s

%5[^=]=23[^

%5[^=]="23[^"]"

d:d:d

%c%c==

%c%c%c=

.html

.jpeg

--%s--

Content-Type: %s

; filename="%s"

Content-Disposition: attachment; filename="%s"

Content-Type: multipart/mixed, boundary=%s

%s; boundary=%s

()$^.* ?[]|\-{},:=!

:/-_.!~*'()

xxxxx

Visual C   CRT: Not enough memory to complete call to strerror.

Broken pipe

Inappropriate I/O control operation

Operation not permitted

GetProcessWindowStation

portuguese-brazilian

operator

()$^.* ?[]|\-{},:=!

Kernel32.DLL

invalid map<K, T> key

User-Agent: %s

http/

NOINT_MSG

urls_to_restore_on_startup

startup_urls

search_url

keyword

zcÁ

.?AVHTTPClientImplementation@@

.?AVHTTPClientInterface@@

.?AV?$EventTSpecificFunctor@VWindowsAPI@@@@

.?AV?$TSpecificFunctor@VWindowsAPI@@@@

.?AVFirefoxBrowserHandler@Browser@Lib@Softonic@@

.?AVChromeBrowserHandler@Browser@Lib@Softonic@@

.?AVWindowsAPI@@

.?AUDWebBrowserEvents2@@

.?AUIHttpNegotiate@@

.?AVCustomIHttpNegotiate@@

.?AV?$EventTSpecificFunctor@VCurlMultiDownloadJob@@@@

.?AVCurlMultiDownloadJob@@

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\SOFTON~1.EXE

GetCPInfo

GetProcessHeap

PeekNamedPipe

RegCloseKey

RegEnumKeyExW

RegCreateKeyExW

RegOpenKeyExW

RegDeleteKeyW

RegQueryInfoKeyW

ShellExecuteW

ShellExecuteExW

URLDownloadToFileW

UrlMkGetSessionOption

UrlMkSetSessionOption

GetAsyncKeyState

GetKeyState

EnumChildWindows

EnumDesktopWindows

InternetOpenUrlA

.text

`.rdata

@.data

.rsrc

H[%s] %s

[%d][%s|%s][%s][%s]

[%d][%s|%s][%s][%s][%s]

Glog.txt

HKERNEL32.DLL

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

mscoree.dll

WUSER32.DLL

.temp

Ld-d-d

[%d] [%lld|%lld]

1.41.6

Got Elevation URL. [%s]

New URL was not valid.

@Received message %s

xxxxxxxxxxx

explorer.exe "

[%d %d]

Hchrome

firefox

0.0.0.0

Web View

Web Host

%d|%d|%d

errorUrl

%s(%s)

%s --> (%s)

.swf?

.jpg?

.gif?

.png?

Value: %d

%s\*.*

%s\%s

Proxy by URL are not supported.

Automatic proxy discovery are not supported.

http=

https=

CPTF://

- URL:

[%d] Starting thread...

[%d] Thread Creation OK!

[%d] Error creating thread! trying again...

[%d] Thread started...

Ahttp/

%d - [%d][%lld/%lld][%lld]

json_writer.cpp

Hjson_value.cpp

Software\Classes\http\shell\open\command\

http\shell\open\command\

Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice\

Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice\

chrome.exe

iexplore.exe

firefox.exe

opera.exe

opera

safari.ex

browser.startup.homepage

browser.search.order.1

browser.search.order.2

browser.search.order.3

prefs.js

\"(.)*.;

browser.search.selectedEngine

browser.search.defaultenginename

browser.search.useDBForOrder

user_pref("browser.search.useDBForOrder", "false");

browser.search.useDBForOrder", "false");

browser.search.useDBForOrder.*

%s*.*

Software\Mozilla\Mozilla Firefox\

\Google\Chrome

SOFTWARE\Mozilla\Mozilla Firefox

SOFTWARE\Mozilla\Mozilla Firefox\

PathToExe

\Mozilla\Firefox\profiles.ini

\Mozilla\Firefox\

\search-metadata.json

ljson_reader.cpp

log.txt

Assertion failed: %s, file %s, line %d

WWW.4C.-*QPCY.

.JK=3CC>?*QPCY)

WWW.JK=3CC*>*QPCY 

.JK=3CC>?*QPCY=

.JK=3CC*QPCY*

.JK=3CC>?*QPCY>

.JK=3CC>?*QPCY?-)Y7

.JK=3CC*>*QPCY*

.JK=3CC*QPCY?

.JK=3CC*QPCY>

.JK=3CC*QPCY26UY,

YH.JK=3CC*QPCY*

8.JK=3CC*QPCY?

.JK=3CC*QPCY=

W.JK=3CC*QPCY=

"<7=/85,<$";078  &2< $";078  &/85,<$";078  &<7=/85,<$

*6?-.8 <% 

*6?-.8 <%-

0<!)56 <

*6?-.8 <%*

3*&073<:-067*

X.JK=3CC*>*QPCY 

3*&073<:-0674

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   %original file name%.exe:1592
   

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   %Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\CAMTAS~1.EXE (13304 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\SOFTON~1.EXE (8292 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\universaldownloader-prefetch[1].htm (2011 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\campaign-101361[1] (2826 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\camtasia-studio-25[1].png (2571 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CARMC77L.gif (35 bytes)
   %Documents and Settings%\%current user%\Cookies\Current_User@softonic[2].txt (311 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\analytics[1].js (1008 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CA58N6J5.gif (35 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\cc92a7d66e[1].setToken (25 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\gradientbg[1].png (2 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\sprite[1].png (7 bytes)
   %Documents and Settings%\%current user%\Cookies\Current_User@softonic[1].txt (490 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\1470e-36454[1].js (10138 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\fad58-0b1e4[1].css (5 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\loading[1].gif (1 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
   %System%\wbem\Logs\wbemprox.log (152 bytes)
   %Documents and Settings%\%current user%\Cookies\[email protected][1].txt (193 bytes)
   %Documents and Settings%\%current user%\Cookies\[email protected][1].txt (9700 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\nr-476.min[1].js (4153 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CAK9AR4T.gif (35 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CALGOJ1X.gif (35 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\campaign-101361[1].htm (2465 bytes)
   %Documents and Settings%\%current user%\Cookies\[email protected][2].txt (10066 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CAYVI5IP.gif (35 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CA0PQHD6.gif (35 bytes)
   %Documents and Settings%\%current user%\Cookies\index.dat (22648 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\sd_101361_93215[1].jpg (5988 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\fad58-0b1e4[2].css (22 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CA8LMN4T.gif (35 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)

4. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
   "wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"

5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
6. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.