MD5: 6643c4004a1c6ee997467033ca03af14
SHA1: b4f2f8b00ee5f57f46e76201a01f190463a72392
SHA256: 2ee912374f2062b6bfe04a3036431f27c5c6ca485fff10a1f431292801344325
SSDeep: 12288:UTOcCf6yNUEH3m5gjKQD8LBlXxjOuf1sjk8OoI6BAbiZ:UTOpVUq3MgJD8LzXd9fp8I6iGZ
Size: 457914 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171, UPolyXv05_v6
Company: no certificate found
Created at: 2011-04-28 14:38:20
Analyzed on: WindowsXP SP3 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

amisid.exe:1940
setup.exe:1752
setup.tmp:644
%original file name%.exe:228
win10phone__2827_il36975_26.exe:572
Upgrade.exe:1492

The Trojan injects its code into the following process(es):
No processes have been created.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process setup.exe:1752 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-7RV69.tmp\setup.tmp (3784 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-7RV69.tmp\setup.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-7RV69.tmp (0 bytes)

The process setup.tmp:644 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-21BKS.tmp\_isetup\_shfoldr.dll (23 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CW5HG8EK\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\B9DDBJCW\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\BKVRWAPP\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-21BKS.tmp\Upgrade.exe (8581 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-21BKS.tmp\itdownload.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\POEKUC06\desktop.ini (67 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-21BKS.tmp\itdownload.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-21BKS.tmp\_isetup (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-21BKS.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-21BKS.tmp\Upgrade.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-21BKS.tmp\_isetup\_shfoldr.dll (0 bytes)

The process %original file name%.exe:228 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\7ZipSfx.000\setup.exe (3249 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\7ZipSfx.000 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7ZipSfx.000\setup.exe (0 bytes)

The process win10phone__2827_il36975_26.exe:572 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsi3.tmp\nsisos.dll (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst2.tmp (16052 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi3.tmp\amisid.exe (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi3.tmp\registry.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi3.tmp\NSIS_AntiVmFraud.dll (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi3.tmp\System.dll (11 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsi3.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi3.tmp\dummy.htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi3.tmp\checks.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi3.tmp\amisid.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi3.tmp\registry.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi3.tmp\NSIS_AntiVmFraud.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi3.tmp\nsisos.dll (0 bytes)

The process Upgrade.exe:1492 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\win10phone__2827_il36975_26.exe (3446 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\win10phone__2827_il36975_26.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\__tmp_rar_sfx_access_check_469984 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\data.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0 (0 bytes)

Registry activity

The process amisid.exe:1940 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"
"CategoryCount" = "16"

[HKCU\Software\InternetTurbo]
"UID" = "975F29BE8C8FD0BC5E8EBA2BBF1B629F"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1D 8D C7 17 66 43 0A 32 15 8F CE 3F 8B 7F 47 AD"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\ESENT\Process\amisid\DEBUG]
"Trace Level" = ""

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\ESENT\Process\amisid\DEBUG]
"Trace Level"

The process setup.exe:1752 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BA B8 BA BE A2 C0 AC E1 9E 8F 79 C6 CF 1D 16 F4"

The process setup.tmp:644 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "29 00 DA D7 64 13 B2 CE 78 5C 5E 88 DC 36 F4 F4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:228 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Favorites" = "%Documents and Settings%\All Users\Favorites"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\7ZipSfx.000]
"setup.exe" = "setup Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Video" = ""
"NetHood" = "%Documents and Settings%\%current user%\NetHood"
"Fonts" = "%WinDir%\Fonts"
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"PrintHood" = "%Documents and Settings%\%current user%\PrintHood"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Templates" = "%Documents and Settings%\%current user%\Templates"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Administrative Tools" = "%Documents and Settings%\All Users\Start Menu\Programs\Administrative Tools"
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
"Common Templates" = "%Documents and Settings%\All Users\Templates"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Administrative Tools" = ""
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
"SendTo" = "%Documents and Settings%\%current user%\SendTo"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "22 BB 1F A9 D3 90 23 F6 CE 58 D1 98 9B 1B 40 B8"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Music" = "%Documents and Settings%\%current user%\My Documents\My Music"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CD Burning" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\CD Burning"
"Recent" = "%Documents and Settings%\%current user%\Recent"
"Favorites" = "%Documents and Settings%\%current user%\Favorites"
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process win10phone__2827_il36975_26.exe:572 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EF 8E 6E A7 22 C7 28 4D B0 F8 D0 50 5E 50 ED 39"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsi3.tmp\registry.dll,"

[HKCU\Software\InstallPath\Status]
"Installer" = "S"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The Trojan deletes the following registry key(s):

[HKCU\Software\InternetTurbo]

The process Upgrade.exe:1492 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "44 75 24 5C 45 E0 D3 87 B7 3B C6 F7 4E 0B B2 0F"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RarSFX0]
"win10phone__2827_il36975_26.exe" = "Buffallo Sabes daemon"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: iSoft
Product Name: SFXMaker
Product Version: 1.4.1.2100
Legal Copyright: Copyright (c) 2006-2011 Iuli
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.4.1.2100
File Description: Compiled by SFXMaker
Comments:
Language: English (Canada)

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
hxxp://upgradesoftware2017.com/freeupgradesoftNEW/8-Windows10PHONE/upgrade.exe	188.121.41.137
hxxp://upgradesoftware2017.com/redirection.html	188.121.41.137
hxxp://g1.panthercdn.com/counter/counter.js
hxxp://upgradesoftware2017.com/	188.121.41.137
hxxp://c.statcounter.com/t.php?sc_project=10738598&java=1&security=267f1d37&u1=E3A0092DF6854F4581DBD39C31C9578C&sc_random=0.40540406162741676&jg=new&rr=1.1.1.1.1.1.1.1.1&resolution=1276&h=846&camefrom=&u=http://bestprosoft.xyz/redirection.html&t=&sc_snum=1&p=0&invisible=1
hxxp://upgradesoftware2017.com/wp-content/themes/flexibility2/style.php	188.121.41.137
hxxp://upgradesoftware2017.com/wp-content/themes/flexibility2/ie6style.php	188.121.41.137
hxxp://upgradesoftware2017.com/wp-content/themes/flexibility2/iepngfix_tilebg.js	188.121.41.137
hxxp://upgradesoftware2017.com/download2.png	188.121.41.137
hxxp://upgradesoftware2017.com/wp-content/themes/flexibility2/images/navssbg.png	188.121.41.137
hxxp://upgradesoftware2017.com/wp-content/themes/flexibility2/images/footerdark.png	188.121.41.137
hxxp://s32.postimg.org/ar19thbr9/maxresdefault.jpg	141.101.120.104
hxxp://s32.postimg.org/cfrzikxxh/cover.png	141.101.120.104
hxxp://s32.postimg.org/h1me77sx1/yumtynreh.png	141.101.120.104
hxxp://s32.postimg.org/6qjerzrdn/image.png	141.101.120.104
hxxp://s32.postimg.org/90gxxyluj/image.png	141.101.120.104
hxxp://s32.postimg.org/83aip3acb/image.png	141.101.120.104
hxxp://s32.postimg.org/b535aoift/image.png	141.101.120.104
hxxp://s32.postimg.org/c2r2h7ktj/image.png	141.101.120.104
hxxp://s32.postimg.org/n9s1wvzmt/image.png	141.101.120.104
hxxp://s32.postimg.org/vfxec11iz/9gag.png	141.101.120.104
hxxp://s32.postimg.org/w9kufim5t/cover.png	141.101.120.104
hxxp://s32.postimg.org/6kki806sr/animated.gif	141.101.120.104
hxxp://s32.postimg.org/apa4ybjbb/cover.png	141.101.120.104
hxxp://s32.postimg.org/dw3ypq17r/vtutorial.gif	141.101.120.104
hxxp://s32.postimg.org/uiliysu5l/2016_01_15_5_35_25.png	141.101.120.104
hxxp://s32.postimg.org/fbk4t7kc7/digitaltvonpc.png	141.101.120.104
hxxp://upgradesoftware2017.com/wp-content/themes/flexibility2/iepngfix.htc	188.121.41.137
hxxp://imgur.com/vQyVyP5.png
hxxp://upgradesoftware2017.com/wp-content/uploads/2015/09/21.png	188.121.41.137
hxxp://upgradesoftware2017.com/wp-content/uploads/2015/09/cover-coperta1.png	188.121.41.137
hxxp://upgradesoftware2017.com/wp-content/themes/flexibility2/images/headers/header-Flare.png	188.121.41.137
hxxp://upgradesoftware2017.com/wp-content/themes/flexibility2/images/blank.gif	188.121.41.137
hxxp://upgradesoftware2017.com/wp-content/uploads/2015/08/Cover.png	188.121.41.137
hxxp://upgradesoftware2017.com/wp-content/uploads/2015/09/11.png	188.121.41.137
hxxp://upgradesoftware2017.com/wp-content/uploads/2015/08/Cover1.png	188.121.41.137
hxxp://s15.postimg.org/6qjerzrdn/image.png
hxxp://softvipdownload.com/
hxxp://s23.postimg.org/83aip3acb/image.png
hxxp://s13.postimg.org/c2r2h7ktj/image.png
hxxp://bestprosoft.com/wp-content/uploads/2015/08/Cover.png	188.121.41.137
hxxp://bestprosoft.com/wp-content/uploads/2015/09/21.png	188.121.41.137
hxxp://softvipdownload.com/wp-content/themes/flexibility2/ie6style.php
hxxp://softvipdownload.com/wp-content/themes/flexibility2/images/navssbg.png
hxxp://softvipdownload.com/download2.png
hxxp://bestprosoft.com/wp-content/uploads/2015/08/Cover1.png	188.121.41.137
hxxp://s23.postimg.org/90gxxyluj/image.png
hxxp://softvipdownload.com/wp-content/themes/flexibility2/images/blank.gif
hxxp://s2.postimg.org/uiliysu5l/2016_01_15_5_35_25.png
hxxp://bestprosoft.com/wp-content/uploads/2015/09/cover-coperta1.png	188.121.41.137
hxxp://softvipdownload.com/wp-content/themes/flexibility2/images/headers/header-Flare.png
hxxp://www.statcounter.com/counter/counter.js
hxxp://s28.postimg.org/6kki806sr/animated.gif
hxxp://softvipdownload.com/wp-content/themes/flexibility2/images/footerdark.png
hxxp://bestprosoft.xyz/redirection.html	188.121.41.137
hxxp://s22.postimg.org/w9kufim5t/cover.png	141.101.120.105
hxxp://s21.postimg.org/apa4ybjbb/cover.png	141.101.120.105
hxxp://softvipdownload.com/wp-content/themes/flexibility2/iepngfix.htc
hxxp://softvipdownload.com/wp-content/themes/flexibility2/style.php
hxxp://softvipdownload.com/wp-content/themes/flexibility2/iepngfix_tilebg.js
hxxp://i.imgur.com/vQyVyP5.png	23.235.43.193
hxxp://s13.postimg.org/fbk4t7kc7/digitaltvonpc.png
hxxp://s16.postimg.org/n9s1wvzmt/image.png
hxxp://s8.postimg.org/h1me77sx1/yumtynreh.png	141.101.120.104
hxxp://bestprosoft.com/wp-content/uploads/2015/09/11.png	188.121.41.137
hxxp://s18.postimg.org/b535aoift/image.png
hxxp://s15.postimg.org/vfxec11iz/9gag.png
hxxp://s2.postimg.org/dw3ypq17r/vtutorial.gif
www.flexibilitytheme.com	66.147.242.185
s.ytimg.com	216.58.214.206

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected
SURICATA STREAM Packet with invalid ack
SURICATA STREAM ESTABLISHED invalid ack
SURICATA STREAM ESTABLISHED packet out of window
SURICATA STREAM FIN out of window
SURICATA STREAM SHUTDOWN RST invalid ack

Traffic

GET /cfrzikxxh/cover.png HTTP/1.1

Accept: */*

Referer: hXXp://softvipdownload.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: s32.postimg.org

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Thu, 19 May 2016 07:10:54 GMT

Content-Type: image/png

Content-Length: 102033

Connection: keep-alive

Set-Cookie: __cfduid=d9e30535b8876e65ed8e172e5952d31501463641854; expires=Fri, 19-May-17 07:10:54 GMT; path=/; domain=.postimg.org; HttpOnly

Last-Modified: Tue, 26 Apr 2016 23:00:37 GMT

ETag: "571ff315-18e91"

CF-Cache-Status: HIT

Expires: Fri, 19 May 2017 07:10:54 GMT

Cache-Control: public, max-age=31536000

Accept-Ranges: bytes

Server: cloudflare-nginx

CF-RAY: 2a55bb581dfa372c-ARN
.PNG........IHDR...R.................pHYs...............C7iTXtXML:com.
adobe.xmp.....<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?&
gt;.<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6
-c111 79.158325, 2015/09/10-01:10:20        ">.   <rdf:RDF xmlns
:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#">.      <rdf:D
escription rdf:about="".            xmlns:xmp="hXXp://ns.adobe.com/xap
/1.0/".            xmlns:dc="hXXp://purl.org/dc/elements/1.1/".       
     xmlns:photoshop="hXXp://ns.adobe.com/photoshop/1.0/".            
xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/".            xmlns:stEvt=
"hXXp://ns.adobe.com/xap/1.0/sType/ResourceEvent#".            xmlns:s
tRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#".            xmln
s:tiff="hXXp://ns.adobe.com/tiff/1.0/".            xmlns:exif="hXXp://
ns.adobe.com/exif/1.0/">.         <xmp:CreatorTool>Adobe Phot
oshop CC 2015 (Windows)</xmp:CreatorTool>.         <xmp:Creat
eDate>2016-04-27T01:50:03 03:00</xmp:CreateDate>.         <
;xmp:ModifyDate>2016-04-27T01:53:19 03:00</xmp:ModifyDate>.  
       <xmp:MetadataDate>2016-04-27T01:53:19 03:00</xmp:Metad
ataDate>.         <dc:format>image/png</dc:format>.    
     <photoshop:ColorMode>3</photoshop:ColorMode>.        
 <photoshop:TextLayers>.            <rdf:Bag>.            
   <rdf:li rdf:parseType="Resource">.                  <photo
shop:LayerName>Disable</photoshop:LayerName>.            
<<< skipped >>>

GET /wp-content/themes/flexibility2/images/blank.gif HTTP/1.1

Accept: */*

Referer: hXXp://softvipdownload.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: softvipdownload.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/gif

Last-Modified: Thu, 05 Jul 2012 12:39:40 GMT

Accept-Ranges: bytes

ETag: "0e9d3eab5acd1:0"

Server: Microsoft-IIS/7.0

X-Powered-By: ASP.NET

Date: Thu, 19 May 2016 07:10:55 GMT

Content-Length: 49
GIF89a...................!.......,...........T..;HTTP/1.1 200 OK..Cont
ent-Type: image/gif..Last-Modified: Thu, 05 Jul 2012 12:39:40 GMT..Acc
ept-Ranges: bytes..ETag: "0e9d3eab5acd1:0"..Server: Microsoft-IIS/7.0.
.X-Powered-By: ASP.NET..Date: Thu, 19 May 2016 07:10:55 GMT..Content-L
ength: 49..GIF89a...................!.......,...........T..;HTTP/1.1 3
04 Not Modified..Last-Modified: Thu, 05 Jul 2012 12:39:40 GMT..Accept-
Ranges: bytes..ETag: "0e9d3eab5acd1:0"..Server: Microsoft-IIS/7.0..X-P
owered-By: ASP.NET..Date: Thu, 19 May 2016 07:10:56 GMT..HTTP/1.1 304 
Not Modified..Last-Modified: Thu, 05 Jul 2012 12:39:40 GMT..Accept-Ran
ges: bytes..ETag: "0e9d3eab5acd1:0"..Server: Microsoft-IIS/7.0..X-Powe
red-By: ASP.NET..Date: Thu, 19 May 2016 07:10:56 GMT..HTTP/1.1 304 Not
 Modified..Last-Modified: Thu, 05 Jul 2012 12:39:40 GMT..Accept-Ranges
: bytes..ETag: "0e9d3eab5acd1:0"..Server: Microsoft-IIS/7.0..X-Powered
-By: ASP.NET..Date: Thu, 19 May 2016 07:10:56 GMT......


GET /wp-content/themes/flexibility2/images/blank.gif HTTP/1.1

Accept: */*

Referer: hXXp://softvipdownload.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 05 Jul 2012 12:39:40 GMT

If-None-Match: "0e9d3eab5acd1:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: softvipdownload.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Last-Modified: Thu, 05 Jul 2012 12:39:40 GMT

Accept-Ranges: bytes

ETag: "0e9d3eab5acd1:0"

Server: Microsoft-IIS/7.0

X-Powered-By: ASP.NET

Date: Thu, 19 May 2016 07:10:56 GMT
....


GET /wp-content/themes/flexibility2/images/blank.gif HTTP/1.1

Accept: */*

Referer: hXXp://softvipdownload.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 05 Jul 2012 12:39:40 GMT

If-None-Match: "0e9d3eab5acd1:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: softvipdownload.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Last-Modified: Thu, 05 Jul 2012 12:39:40 GMT

Accept-Ranges: bytes

ETag: "0e9d3eab5acd1:0"

Server: Microsoft-IIS/7.0

X-Powered-By: ASP.NET

Date: Thu, 19 May 2016 07:10:56 GMT
....


GET /wp-content/themes/flexibility2/images/blank.gif HTTP/1.1

Accept: */*

Referer: hXXp://softvipdownload.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 05 Jul 2012 12:39:40 GMT

If-None-Match: "0e9d3eab5acd1:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: softvipdownload.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Last-Modified: Thu, 05 Jul 2012 12:39:40 GMT

Accept-Ranges: bytes

ETag: "0e9d3eab5acd1:0"

Server: Microsoft-IIS/7.0

X-Powered-By: ASP.NET

Date: Thu, 19 May 2016 07:10:56 GMT
....


GET /wp-content/themes/flexibility2/images/blank.gif HTTP/1.1

Accept: */*

Referer: hXXp://softvipdownload.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 05 Jul 2012 12:39:40 GMT

If-None-Match: "0e9d3eab5acd1:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: softvipdownload.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Last-Modified: Thu, 05 Jul 2012 12:39:40 GMT

Accept-Ranges: bytes

ETag: "0e9d3eab5acd1:0"

Server: Microsoft-IIS/7.0

X-Powered-By: ASP.NET

Date: Thu, 19 May 2016 07:10:56 GMT
....


GET /wp-content/themes/flexibility2/images/blank.gif HTTP/1.1

Accept: */*

Referer: hXXp://softvipdownload.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 05 Jul 2012 12:39:40 GMT

If-None-Match: "0e9d3eab5acd1:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: softvipdownload.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Last-Modified: Thu, 05 Jul 2012 12:39:40 GMT

Accept-Ranges: bytes

ETag: "0e9d3eab5acd1:0"

Server: Microsoft-IIS/7.0

X-Powered-By: ASP.NET

Date: Thu, 19 May 2016 07:10:56 GMT
....


GET /wp-content/themes/flexibility2/images/blank.gif HTTP/1.1

Accept: */*

Referer: hXXp://softvipdownload.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 05 Jul 2012 12:39:40 GMT

If-None-Match: "0e9d3eab5acd1:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: softvipdownload.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Last-Modified: Thu, 05 Jul 2012 12:39:40 GMT

Accept-Ranges: bytes

ETag: "0e9d3eab5acd1:0"

Server: Microsoft-IIS/7.0

X-Powered-By: ASP.NET

Date: Thu, 19 May 2016 07:10:56 GMT
....


GET /wp-content/themes/flexibility2/images/blank.gif HTTP/1.1

Accept: */*

Referer: hXXp://softvipdownload.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 05 Jul 2012 12:39:40 GMT

If-None-Match: "0e9d3eab5acd1:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: softvipdownload.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Last-Modified: Thu, 05 Jul 2012 12:39:40 GMT

Accept-Ranges: bytes

ETag: "0e9d3eab5acd1:0"

Server: Microsoft-IIS/7.0

X-Powered-By: ASP.NET

Date: Thu, 19 May 2016 07:10:57 GMT
....


GET /wp-content/themes/flexibility2/images/blank.gif HTTP/1.1

Accept: */*

Referer: hXXp://softvipdownload.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 05 Jul 2012 12:39:40 GMT

If-None-Match: "0e9d3eab5acd1:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: softvipdownload.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Last-Modified: Thu, 05 Jul 2012 12:39:40 GMT

Accept-Ranges: bytes

ETag: "0e9d3eab5acd1:0"

Server: Microsoft-IIS/7.0

X-Powered-By: ASP.NET

Date: Thu, 19 May 2016 07:10:57 GMT
....


GET /wp-content/themes/flexibility2/images/blank.gif HTTP/1.1

Accept: */*

Referer: hXXp://softvipdownload.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 05 Jul 2012 12:39:40 GMT

If-None-Match: "0e9d3eab5acd1:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: softvipdownload.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Last-Modified: Thu, 05 Jul 2012 12:39:40 GMT

Accept-Ranges: bytes

ETag: "0e9d3eab5acd1:0"

Server: Microsoft-IIS/7.0

X-Powered-By: ASP.NET

Date: Thu, 19 May 2016 07:10:57 GMT
....


GET /wp-content/themes/flexibility2/images/blank.gif HTTP/1.1

Accept: */*

Referer: hXXp://softvipdownload.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 05 Jul 2012 12:39:40 GMT

If-None-Match: "0e9d3eab5acd1:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: softvipdownload.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Last-Modified: Thu, 05 Jul 2012 12:39:40 GMT

Accept-Ranges: bytes

ETag: "0e9d3eab5acd1:0"

Server: Microsoft-IIS/7.0

X-Powered-By: ASP.NET

Date: Thu, 19 May 2016 07:10:57 GMT
HTTP/1.1 304 Not Modified..Last-Modified: Thu, 05 Jul 2012 12:39:40 GM
T..Accept-Ranges: bytes..ETag: "0e9d3eab5acd1:0"..Server: Microsoft-II
S/7.0..X-Powered-By: ASP.NET..Date: Thu, 19 May 2016 07:10:57 GMT..ont>....


GET /wp-content/themes/flexibility2/images/blank.gif HTTP/1.1

Accept: */*

Referer: hXXp://softvipdownload.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 05 Jul 2012 12:39:40 GMT

If-None-Match: "0e9d3eab5acd1:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: softvipdownload.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Last-Modified: Thu, 05 Jul 2012 12:39:40 GMT

Accept-Ranges: bytes

ETag: "0e9d3eab5acd1:0"

Server: Microsoft-IIS/7.0

X-Powered-By: ASP.NET

Date: Thu, 19 May 2016 07:10:58 GMT
HTTP/1.1 304 Not Modified..Last-Modified: Thu, 05 Jul 2012 12:39:40 GM
T..Accept-Ranges: bytes..ETag: "0e9d3eab5acd1:0"..Server: Microsoft-II
S/7.0..X-Powered-By: ASP.NET..Date: Thu, 19 May 2016 07:10:58 GMT..ont>....


GET /wp-content/themes/flexibility2/images/blank.gif HTTP/1.1

Accept: */*

Referer: hXXp://softvipdownload.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 05 Jul 2012 12:39:40 GMT

If-None-Match: "0e9d3eab5acd1:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: softvipdownload.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Last-Modified: Thu, 05 Jul 2012 12:39:40 GMT

Accept-Ranges: bytes

ETag: "0e9d3eab5acd1:0"

Server: Microsoft-IIS/7.0

X-Powered-By: ASP.NET

Date: Thu, 19 May 2016 07:10:58 GMT
....


GET /wp-content/themes/flexibility2/images/blank.gif HTTP/1.1

Accept: */*

Referer: hXXp://softvipdownload.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 05 Jul 2012 12:39:40 GMT

If-None-Match: "0e9d3eab5acd1:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: softvipdownload.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Last-Modified: Thu, 05 Jul 2012 12:39:40 GMT

Accept-Ranges: bytes

ETag: "0e9d3eab5acd1:0"

Server: Microsoft-IIS/7.0

X-Powered-By: ASP.NET

Date: Thu, 19 May 2016 07:10:58 GMT
....


GET /wp-content/themes/flexibility2/images/blank.gif HTTP/1.1

Accept: */*

Referer: hXXp://softvipdownload.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 05 Jul 2012 12:39:40 GMT

If-None-Match: "0e9d3eab5acd1:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: softvipdownload.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Last-Modified: Thu, 05 Jul 2012 12:39:40 GMT

Accept-Ranges: bytes

ETag: "0e9d3eab5acd1:0"

Server: Microsoft-IIS/7.0

X-Powered-By: ASP.NET

Date: Thu, 19 May 2016 07:10:58 GMT
HTTP/1.1 304 Not Modified..Last-Modified: Thu, 05 Jul 2012 12:39:40 GM
T..Accept-Ranges: bytes..ETag: "0e9d3eab5acd1:0"..Server: Microsoft-II
S/7.0..X-Powered-By: ASP.NET..Date: Thu, 19 May 2016 07:10:58 GMT..ont>....


GET /wp-content/themes/flexibility2/images/blank.gif HTTP/1.1

Accept: */*

Referer: hXXp://softvipdownload.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 05 Jul 2012 12:39:40 GMT

If-None-Match: "0e9d3eab5acd1:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: softvipdownload.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Last-Modified: Thu, 05 Jul 2012 12:39:40 GMT

Accept-Ranges: bytes

ETag: "0e9d3eab5acd1:0"

Server: Microsoft-IIS/7.0

X-Powered-By: ASP.NET

Date: Thu, 19 May 2016 07:10:58 GMT
HTTP/1.1 304 Not Modified..Last-Modified: Thu, 05 Jul 2012 12:39:40 GM
T..Accept-Ranges: bytes..ETag: "0e9d3eab5acd1:0"..Server: Microsoft-II
S/7.0..X-Powered-By: ASP.NET..Date: Thu, 19 May 2016 07:10:58 GMT..ont>....


GET /wp-content/themes/flexibility2/images/blank.gif HTTP/1.1

Accept: */*

Referer: hXXp://softvipdownload.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 05 Jul 2012 12:39:40 GMT

If-None-Match: "0e9d3eab5acd1:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: softvipdownload.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Last-Modified: Thu, 05 Jul 2012 12:39:40 GMT

Accept-Ranges: bytes

ETag: "0e9d3eab5acd1:0"

Server: Microsoft-IIS/7.0

X-Powered-By: ASP.NET

Date: Thu, 19 May 2016 07:10:58 GMT
HTTP/1.1 304 Not Modified..Last-Modified: Thu, 05 Jul 2012 12:39:40 GM
T..Accept-Ranges: bytes..ETag: "0e9d3eab5acd1:0"..Server: Microsoft-II
S/7.0..X-Powered-By: ASP.NET..Date: Thu, 19 May 2016 07:10:58 GMT..

GET /b535aoift/image.png HTTP/1.1

Accept: */*

Referer: hXXp://softvipdownload.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: s18.postimg.org

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Thu, 19 May 2016 07:10:54 GMT

Content-Type: image/png

Content-Length: 124224

Connection: keep-alive

Set-Cookie: __cfduid=d5c33fface9e8c5c41b8131cdfc2ca52e1463641854; expires=Fri, 19-May-17 07:10:54 GMT; path=/; domain=.postimg.org; HttpOnly

Last-Modified: Sun, 03 Apr 2016 20:37:28 GMT

ETag: "57017f08-1e540"

CF-Cache-Status: HIT

Expires: Fri, 19 May 2017 07:10:54 GMT

Cache-Control: public, max-age=31536000

Accept-Ranges: bytes

Server: cloudflare-nginx

CF-RAY: 2a55bb582baa36f6-ARN
.PNG........IHDR.......g.............pHYs...t...t..f.x....tIME........
.X.....tEXtAuthor....H....tEXtDescription...!#....tEXtCopyright....:..
..tEXtCreation time.5.......tEXtSoftware.]p.:....tEXtDisclaimer.......
..tEXtWarning.........tEXtSource.........tEXtComment.........tEXtTitle
....'.. .IDATx...y|T.}...l...}.......x.f ..&q........m......K~..M.6..5
i.....S7Mpb.....`..".......h4...4..H..H.........s.....=...{...>....
.....0.u.DDDDDD..K.TDDDDDD..B..........R.......3..""""""2g..:?..wEDDDD
DdN....B..................9.P*""""""sF.TDDDDDD..B..........R.......3..
..........AF..x.d.n.oF../ZOAv.i..{......1..^...X.&.$B .>..A....9O&.
..P. ..u.Y.TDDDDDd>.?K....o....Cc3.d........[....>...?.&...../.M
.........F.....}.4......<..-.|.....].(..].......<3..]...% ......
..OS74..x<D[.s<....... c.].[YN.,.YDDDDDD..Kl2.....Z.Fij...|..z^.
....Y<....O../.0G=....Cv.K.o?...........k..}.q~{....g..*.B.......&l
t;a..HXt.w|......l......'tE.r...g..............#..9...wi9.!y..........
Y..z.B.......\.....;...y..p...8..-.....;.......,.w8.R....... 2......G:
.....9..V}.3|....l..c)............9._..C.?Dc.(..'....#......H..^0...""
""""r..0U/<......%_.....?.?...E..K..0...zj:].v8UJEDDDDD&p36.F..?...
M_..._J..5l...x.p..x.....3..........~.3<...d.'.j...O/...$...0.;.P.t
..T(..........P#G...?8<...0M.......qo.q.^(.{.......Z:.tK..]........
........./6fq.......Q..Id..l...a.......^.@ff...%b..# .......L`.h.$:%..
.X..n...Lr..Y]..d...0......g6<...>....|@/.O.................b.(.
.....q.......MM..B(5.....v_DDDDD... .....g........I.-.......~.>
<<< skipped >>>

GET /uiliysu5l/2016_01_15_5_35_25.png HTTP/1.1

Accept: */*

Referer: hXXp://softvipdownload.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: s2.postimg.org

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Thu, 19 May 2016 07:10:54 GMT

Content-Type: image/png

Content-Length: 162187

Connection: keep-alive

Set-Cookie: __cfduid=d8663556cce4a51711727b2234c7d1b5c1463641854; expires=Fri, 19-May-17 07:10:54 GMT; path=/; domain=.postimg.org; HttpOnly

Last-Modified: Fri, 15 Jan 2016 03:36:04 GMT

ETag: "56986924-2798b"

CF-Cache-Status: HIT

Expires: Fri, 19 May 2017 07:10:54 GMT

Cache-Control: public, max-age=31536000

Accept-Ranges: bytes

Server: cloudflare-nginx

CF-RAY: 2a55bb583fdd37b6-ARN
.PNG........IHDR....... .......y.....pHYs...t...t..f.x....tIME.....#$?
..-....tEXtAuthor....H....tEXtDescription...!#....tEXtCopyright....:..
..tEXtCreation time.5.......tEXtSoftware.]p.:....tEXtDisclaimer.......
..tEXtWarning.........tEXtSource.........tEXtComment.........tEXtTitle
....'.. .IDATx...wx\W......2*..=r.%.c.q" .8...$...Sv.].@^..x..........
.!...F.(q...*..[..:.>...lI.,..,...y.<.....{F...9..x.....!..B.!..
B....`..E.].!..B.!..B.qS..oLt..U...}.......*.E.!..B.!..BL ...!..B.!..B
..$.$..B.!..B.q.. ..B.!..B.!.M@.@B.!..B.!..7..DW@.!..B.!..7..^x...}..'
..&76...!..B.!..B\..o.q..{[email protected]............
/"u...VA.!..B.!.....w......o../[email protected]|...7J....y}.J.].
=~...aM..>.....B.!..B.qY...d..X.,.t....2.C....q:..#...........K..x.
T.wQV.EY.....Zj...MB.!..B.!..W..<.....@~...../.T......(.j....}J....
..........]~...B.!..B.!.!..>.R...p.x.Z.FoDk..`.b..F....`F...P(../.Q
..cU..B.!nH.l..d......u#.c&.k.p.{L...B...g.....6fA...I.,XA..;..J.M.Cp.
b..f.7e.z....&.....f"-Z?VE.!..(......Cg..L233...Ujvi.[X{.....}o72twv..
27...lY;Q.......... .......=.r.......e.[W.e.0.w.5G?../.R....!...k.%`.R
 h.....z.JS..H.6..cl..[3ihj...E..W.t....h5j."...........$...L......B..
.=...W..c.. ..B.U....gc.z..7t..`2.eAn.;...1X..w..d-..k7.3.....X....|6f
.!3..n..{.....59)l..Dw.W.e.......Vs.Vu..s.6..)...........c.[....vM.do&
o.E..I../....A.!.D.,.t.].&..g..O.."..*$..M8.C..,Q...8z.,%.U.65S..ByM..
.b..*....O.I....L.K....O.3.m.B.qU... w...@*.l.n.a....0...Ot....ed1....
..d.,. ........~..`]^... w.......`s.:....Y.t66{./..z.[^ .,6.....~.
<<< skipped >>>

GET /wp-content/uploads/2015/09/21.png HTTP/1.1

Accept: */*

Referer: hXXp://softvipdownload.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: bestprosoft.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Cache-Control: no-cache,max-age=1209600

Content-Type: image/png

Last-Modified: Wed, 28 Oct 2015 19:26:22 GMT

Accept-Ranges: bytes

ETag: "9225c87b611d11:0"

Server: Microsoft-IIS/7.0

X-Powered-By: ASP.NET

Date: Thu, 19 May 2016 07:10:54 GMT

Content-Length: 127295
.PNG........IHDR.......U.......3X....pHYs...t...t..f.x....tIME........
..l....tEXtAuthor....H....tEXtDescription...!#....tEXtCopyright....:..
..tEXtCreation time.5.......tEXtSoftware.]p.:....tEXtDisclaimer.......
..tEXtWarning.........tEXtSource.........tEXtComment.........tEXtTitle
....'.. .IDATx.....\W.....y...,o.....f..g.wF.....X.fC =....E(6.!=..L(v
[email protected]. .....T..'.=...=......o..A..A......
0V..1....A..A..A..Y...no..gL.B....$.. .. ./.... .. .. ._."0..A..A..D`,
.. .. .....A..A...... .. .. ."0..A..A..@... .. .....X..A..A...... .. .
...%.s.....o...i1..6k..6..v...T...<.....c... ..A.%.[OS.)p.D........
...K8..$.`.8...XA&...X...@.|.....'kL...=...Mn. ..s........o..r...'....
.<.wO.i..!..5.5C.>.....y....8..=n,...'....c...Nd(fT....cw-..BT..
....J.._Y i|..c.3.bt"M....7..-....x<.d.g...mA..1{j.?x#O.....:M.y..:
..I.b..b.f.. ..L*.....c.....cw.....2....L.}...K..".2F..x^%....Kc....f.
Z1E5 ..1u....Nr~F.Y....:......L...;.....n9.,v.^.....F...e........ .F.\
.d..=..0$.-..>a...|..=...i....V..K..:.~......{.E5....U%..E.c....)s.
.i^{nu.I.hO...QKQ)...4.'.^.u.B.....{.[..W...}..v.... /6O...}...'....f2
.........8.V[.}..F5S.R..d.p{=...a. c...Z........~.F..i...j..d2.<...
qn.$..l...>.b."$..zl..~w..T..U..5.;.k.g..%.I.H.j...c.2cR.".h.......
.o>jp..../..atz.?..9....7.].W......W.(...N...<..........v..x...O
......x.r.<?..~0......w..;. QB......>N..97./(],p......2..%......
.=$M.v.,..b..E...u~../.I...8.....|Z.....O-..g0Hp../.tE.. .j....6.....?
.3.7W..."..'...d...._....=O....H..... ...~.Ec.=....&.....8'.)....0
<<< skipped >>>

GET /wp-content/uploads/2015/08/Cover.png HTTP/1.1

Accept: */*

Referer: hXXp://softvipdownload.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: bestprosoft.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Cache-Control: no-cache,max-age=1209600

Content-Type: image/png

Last-Modified: Mon, 24 Aug 2015 01:21:30 GMT

Accept-Ranges: bytes

ETag: "9a0e134bded01:0"

Server: Microsoft-IIS/7.0

X-Powered-By: ASP.NET

Date: Thu, 19 May 2016 07:10:55 GMT

Content-Length: 111332
.PNG........IHDR...[..........M/.....pHYs................OiCCPPhotosho
p ICC profile..x..SgTS..=...BK...KoR.. RB....&*!..J.!...Q..EE.........
..Q,......!.........{.k........>...........H3Q5...B..........@..$p.
...d!s.#...~<< ".....x.....M..0.....B.\[email protected]..@F....
&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH..
...........0Q..)..{.`.##x.....F.W<. ...*..x..<.$9E.[.-q.WW..(.I.
 [email protected]..._-...."[email protected]~..,/...;.
.m..%..h^[email protected].~<<E.........J.B[a.W}.g._.W.l.~<..
....$.2].G......L......b...G.......".Ib.X*..Q.q.D...2.".B.).%..d..,..&
gt;.5..j>.{.-.]c..K'.Xt.......o..(...h...w..?.G.%..fI.q..^D$.T..?..
..D..*.A....,.........`6.B$..B.B.d..r`)..B(....*`/[email protected]..=p..
a...(....A...a!...b.X#......!.H...$ ...Q"K.5H1R.T UH..=r.9.\F..;..2...
.G1...Q=...C..7..F...dt1......r..=.6....h...>C.0....3.l0...B.8,..c.
."......V.....c..w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.X
H,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,  .......3...!.[.
[email protected].(R.jJ....4..e.2AU..R...T.5.ZB...R.Q...4u.9...IK......h.h.i..t.
....N..W...G.....w.......g(.....g.w...L......T071......oUX*.*|.....J.&
..*/T.......U.U.T..^S}.FU3S......U..P.S.Sg.;...g.oT?.~Y...Y.L.OC.Q.._.
.. .c..x,!k...u.5.&...|v*......=...9C3J3W.R..f?...q..tN..(...~....).).
.4L.1e\k....X.H.Q.G..6......E.Y...A.J'\'Gg.....S.S.....M=:....k....Dw.
n.....^..Lo..y....}/.T.m...G.X...$.....<.5qo<./...QC][email protected]....
..<..F.F..i.\.$.m.m..&.&!&KM.M..RM..).;L;L........5.=1.2.......
<<< skipped >>>

GET /wp-content/uploads/2015/09/cover-coperta1.png HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: bestprosoft.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Cache-Control: no-cache,max-age=1209600

Content-Type: image/png

Last-Modified: Wed, 28 Oct 2015 19:27:33 GMT

Accept-Ranges: bytes

ETag: "bf4a8cb1b611d11:0"

Server: Microsoft-IIS/7.0

X-Powered-By: ASP.NET

Date: Thu, 19 May 2016 07:10:57 GMT

Content-Length: 408129
.PNG........IHDR...;.........,.......pHYs...............Q7iTXtXML:com.
adobe.xmp.....<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?&
gt;.<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6
-c067 79.157747, 2015/03/30-23:40:42        ">.   <rdf:RDF xmlns
:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#">.      <rdf:D
escription rdf:about="".            xmlns:xmpMM="hXXp://ns.adobe.com/x
ap/1.0/mm/".            xmlns:stEvt="hXXp://ns.adobe.com/xap/1.0/sType
/ResourceEvent#".            xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/
sType/ResourceRef#".            xmlns:dc="hXXp://purl.org/dc/elements/
1.1/".            xmlns:photoshop="hXXp://ns.adobe.com/photoshop/1.0/"
.            xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/".            xmln
s:tiff="hXXp://ns.adobe.com/tiff/1.0/".            xmlns:exif="hXXp://
ns.adobe.com/exif/1.0/">.         <xmpMM:DocumentID>adobe:doc
id:photoshop:7dc6d6fe-6f98-11e5-a45f-8d0ceaf35f2b</xmpMM:DocumentID
>.         <xmpMM:InstanceID>xmp.iid:e23bdc10-e0bc-8842-acca-
88dbbfba81b4</xmpMM:InstanceID>.         <xmpMM:OriginalDocum
entID>F31F7DCFDC00A2B122E4DA3F0F781EDF</xmpMM:OriginalDocumentID
>.         <xmpMM:History>.            <rdf:Seq>.      
         <rdf:li rdf:parseType="Resource">.                  <
;stEvt:action>saved</stEvt:action>.                  <stEv
t:instanceID>xmp.iid:7566f5d8-be32-b744-b3a6-36661031e0ff</stEvt
:instanceID>.                  <stEvt:when>2015-09-22T13:
<<< skipped >>>

GET /wp-content/uploads/2015/09/21.png HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: bestprosoft.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Cache-Control: no-cache,max-age=1209600

Content-Type: image/png

Last-Modified: Wed, 28 Oct 2015 19:26:22 GMT

Accept-Ranges: bytes

ETag: "9225c87b611d11:0"

Server: Microsoft-IIS/7.0

X-Powered-By: ASP.NET

Date: Thu, 19 May 2016 07:10:57 GMT

Content-Length: 127295
.PNG........IHDR.......U.......3X....pHYs...t...t..f.x....tIME........
..l....tEXtAuthor....H....tEXtDescription...!#....tEXtCopyright....:..
..tEXtCreation time.5.......tEXtSoftware.]p.:....tEXtDisclaimer.......
..tEXtWarning.........tEXtSource.........tEXtComment.........tEXtTitle
....'.. .IDATx.....\W.....y...,o.....f..g.wF.....X.fC =....E(6.!=..L(v
[email protected]. .....T..'.=...=......o..A..A......
0V..1....A..A..A..Y...no..gL.B....$.. .. ./.... .. .. ._."0..A..A..D`,
.. .. .....A..A...... .. .. ."0..A..A..@... .. .....X..A..A...... .. .
...%.s.....o...i1..6k..6..v...T...<.....c... ..A.%.[OS.)p.D........
...K8..$.`.8...XA&...X...@.|.....'kL...=...Mn. ..s........o..r...'....
.<.wO.i..!..5.5C.>.....y....8..=n,...'....c...Nd(fT....cw-..BT..
....J.._Y i|..c.3.bt"M....7..-....x<.d.g...mA..1{j.?x#O.....:M.y..:
..I.b..b.f.. ..L*.....c.....cw.....2....L.}...K..".2F..x^%....Kc....f.
Z1E5 ..1u....Nr~F.Y....:......L...;.....n9.,v.^.....F...e........ .F.\
.d..=..0$.-..>a...|..=...i....V..K..:.~......{.E5....U%..E.c....)s.
.i^{nu.I.hO...QKQ)...4.'.^.u.B.....{.[..W...}..v.... /6O...}...'....f2
.........8.V[.}..F5S.R..d.p{=...a. c...Z........~.F..i...j..d2.<...
qn.$..l...>.b."$..zl..~w..T..U..5.;.k.g..%.I.H.j...c.2cR.".h.......
.o>jp..../..atz.?..9....7.].W......W.(...N...<..........v..x...O
......x.r.<?..~0......w..;. QB......>N..97./(],p......2..%......
.=$M.v.,..b..E...u~../.I...8.....|Z.....O-..g0Hp../.tE.. .j....6.....?
.3.7W..."..'...d...._....=O....H..... ...~.Ec.=....&.....8'.)....0
<<< skipped >>>

GET /wp-content/uploads/2015/09/11.png HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: bestprosoft.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Cache-Control: no-cache,max-age=1209600

Content-Type: image/png

Last-Modified: Wed, 28 Oct 2015 19:25:48 GMT

Accept-Ranges: bytes

ETag: "6b6e3a73b611d11:0"

Server: Microsoft-IIS/7.0

X-Powered-By: ASP.NET

Date: Thu, 19 May 2016 07:10:58 GMT

Content-Length: 115324
.PNG........IHDR..............#$M....pHYs...t...t..f.x....tIME......2 
o ,....tEXtAuthor....H....tEXtDescription...!#....tEXtCopyright....:..
..tEXtCreation time.5.......tEXtSoftware.]p.:....tEXtDisclaimer.......
..tEXtWarning.........tEXtSource.........tEXtComment.........tEXtTitle
....'.. .IDATx...g.eW~....'.:....:...8Cr...F.J...l. ?.k.K1p..N..[.!...
.........CrHv....a......$;..n...!.4...{.P........._...!..B.!.sI..m.)..
g..!..B.!.c...9.J)..."..B.!.xL..n..B.!.....@/..B.!.sL...B.!...1..B.!..
B<.$..!..B....@/..B.!.sL...B.!...1..B.!..B<.$..!..B.........r...
.0[Q.F.;.[l..._j.....&K.<.......>....v!.....j..OW. ......c..g..g
$[....GgLT.c....V.s.....9]....9".o......O..B.!..Tt3..3.,.4....M{s..}..
.....p.X.......C.v.........d(7*4s.....Gk...*.J...N.L.m.....Hry....E.$.
i9......e.ok._....!....`..".=7............u..<U........c'.> ..Q.
2[.....8c..n......9..Y._.]J....,.A..."n3.O..UL.0....w..YS...K..Y.....h
[email protected].]*RP!.Y...]..<.=.:F.
.........`..9<s..2.J....z.;{.n....%..b.c.....:..Y....d......J.....y
.....p...b..F....sL.M.K.?.;..>.?......$......$...02&.....:.......!.
.MAUu*Su....R1`...1`.C.A.bV*,.^....Q$.ws..g.u..=4..k.N..*.nU%.^.?.....
2B.......z........~.7..(.hf..^[.ON.xn...[....[....'.~........1u..T.3o.
...!]..O>...7n.1.sn..^Y.ON.... Q.3:..g..:[email protected]
...F.I...?......(.9..z.*.{u..^..1.q.'?.oo..?.i|7E....?8.K.y.x.Z.......
a...?......o......../..b..vB.EX.....~.%.v=H.By.?....0TF.\...^._....|..
.4.._...3.J..e~..[......z.._...f.`{....^..M*s........8.7..3...!;iB
<<< skipped >>>

GET /wp-content/uploads/2015/08/Cover1.png HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: bestprosoft.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Cache-Control: no-cache,max-age=1209600

Content-Type: image/png

Last-Modified: Mon, 24 Aug 2015 14:00:09 GMT

Accept-Ranges: bytes

ETag: "90f7eb2f75ded01:0"

Server: Microsoft-IIS/7.0

X-Powered-By: ASP.NET

Date: Thu, 19 May 2016 07:10:58 GMT

Content-Length: 110921
.PNG........IHDR...[..........M/.....pHYs................OiCCPPhotosho
p ICC profile..x..SgTS..=...BK...KoR.. RB....&*!..J.!...Q..EE.........
..Q,......!.........{.k........>...........H3Q5...B..........@..$p.
...d!s.#...~<< ".....x.....M..0.....B.\[email protected]..@F....
&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH..
...........0Q..)..{.`.##x.....F.W<. ...*..x..<.$9E.[.-q.WW..(.I.
 [email protected]..._-...."[email protected]~..,/...;.
.m..%..h^[email protected].~<<E.........J.B[a.W}.g._.W.l.~<..
....$.2].G......L......b...G.......".Ib.X*..Q.q.D...2.".B.).%..d..,..&
gt;.5..j>.{.-.]c..K'.Xt.......o..(...h...w..?.G.%..fI.q..^D$.T..?..
..D..*.A....,.........`6.B$..B.B.d..r`)..B(....*`/[email protected]..=p..
a...(....A...a!...b.X#......!.H...$ ...Q"K.5H1R.T UH..=r.9.\F..;..2...
.G1...Q=...C..7..F...dt1......r..=.6....h...>C.0....3.l0...B.8,..c.
."......V.....c..w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.X
H,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,  .......3...!.[.
[email protected].(R.jJ....4..e.2AU..R...T.5.ZB...R.Q...4u.9...IK......h.h.i..t.
....N..W...G.....w.......g(.....g.w...L......T071......oUX*.*|.....J.&
..*/T.......U.U.T..^S}.FU3S......U..P.S.Sg.;...g.oT?.~Y...Y.L.OC.Q.._.
.. .c..x,!k...u.5.&...|v*......=...9C3J3W.R..f?...q..tN..(...~....).).
.4L.1e\k....X.H.Q.G..6......E.Y...A.J'\'Gg.....S.S.....M=:....k....Dw.
n.....^..Lo..y....}/.T.m...G.X...$.....<.5qo<./...QC][email protected]....
..<..F.F..i.\.$.m.m..&.&!&KM.M..RM..).;L;L........5.=1.2.......
<<< skipped >>>

GET /c2r2h7ktj/image.png HTTP/1.1

Accept: */*

Referer: hXXp://softvipdownload.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: s13.postimg.org

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Thu, 19 May 2016 07:10:54 GMT

Content-Type: image/png

Content-Length: 151746

Connection: keep-alive

Set-Cookie: __cfduid=d1c35629dbc4cd7cfe96abd7c0a8c78fb1463641854; expires=Fri, 19-May-17 07:10:54 GMT; path=/; domain=.postimg.org; HttpOnly

Last-Modified: Sun, 03 Apr 2016 20:36:59 GMT

ETag: "57017eeb-250c2"

CF-Cache-Status: HIT

Expires: Fri, 19 May 2017 07:10:54 GMT

Cache-Control: public, max-age=31536000

Accept-Ranges: bytes

Server: cloudflare-nginx

CF-RAY: 2a55bb582dba3714-ARN
.PNG........IHDR.......g.............pHYs...t...t..f.x....tIME........
.......tEXtAuthor....H....tEXtDescription...!#....tEXtCopyright....:..
..tEXtCreation time.5.......tEXtSoftware.]p.:....tEXtDisclaimer.......
..tEXtWarning.........tEXtSource.........tEXtComment.........tEXtTitle
....'.. .IDATx...wt..}......`0.... ..$.DR..H........qb...(.$.unb.8....
..;q,...d..:%[email protected]...|..Z..~..g.Z.g...m....DDDDDDDV.
q.. """"""...JEDDDDDd.(.........Q(.......U.P*"""""".....yU........UaH$
..."""""".*.|WDDDDDDV.B..........R......Y5.."""""".j.JEDDDDDd..W{.""""
""..f...f...........Nya.9.7.y..0.r...(QO..[..`.Lf.hh..#/...'.....t.o.g
.R........t'cO.#..........[..Q>....u...<.Lp...._.7.p.....>...
.N...qb.)&._.....|;.!n..G...|..T.wEDDDDD~...B...Z.5.9..c..O..}6..x<
.@./y..~./.....*.5.'...,""""""..Kj&.......Cu....b./....mE.K...{.{..G..
S...O..?.?..|.f.G....|...........v...rIf9.JEDDDDD..F..O..v]...%).m....
..{.9/q.K .f.../.bx.?..O....-%c.E..#d...|..wqu....c=C.TDDDDDD.........
....>.c.<..QL.M.....{...R,..;.R......Y..UE......vF&..-..M7......
.M../.R......Y"0.2....../..{.O...<..2o.2_~W........ """"""g........
w..^.... .....op..Y...{._.v.:..d.i.TDDDDDd.0...N<......Z...US.q..][
E.`x...f.:.....o..e.......y.u5.Mg.m.g.......P.r/. .Q....T(......Y"Lp..
C.|.......2MJ....{.um.n.](.G.L.>.s.6F^.H..cLm.\[email protected]
...uT.l.rv...8..i...wx......P.-....Y.TDDDDDd..F..gV>.....;.4/.L..KZ
..d!.K0..?...W.<.....K..b.$G.u05......O.....V.R....w}6.......St..0{
.B.!.H$...EDDDDD.9.$b.....#...e..l..).].K.L..b!...!. .i6W:)...K2..
<<< skipped >>>

GET /redirection.html HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: bestprosoft.xyz

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: text/html

Last-Modified: Thu, 19 May 2016 02:00:55 GMT

Accept-Ranges: bytes

ETag: "e3f0bc4772b1d11:0"

Server: Microsoft-IIS/7.0

X-Powered-By: ASP.NET

Date: Thu, 19 May 2016 07:10:52 GMT

Content-Length: 764
<meta HTTP-EQUIV="REFRESH" content="0; url=hXXp://softvipdownload.c
om/">....<!-- Start of StatCounter Code for Default Guide -->
..<script type="text/javascript">..var sc_project=10738598; ..va
r sc_invisible=1; ..var sc_security="267f1d37"; ..var scJsHost = (("ht
tps:" == document.location.protocol) ?.."hXXps://secure." : "hXXp://ww
w.");..document.write("<sc" "ript type='text/javascript' src='"  ..
scJsHost .."statcounter.com/counter/counter.js'></" "script>"
);..</script>..<noscript><div class="statcounter">&l
t;a title="web analytics"..href="hXXp://statcounter.com/" target="_bla
nk"><img..class="statcounter"..src="hXXp://c.statcounter.com/107
38598/0/267f1d37/1/"..alt="web analytics"></a></div><
;/noscript>..<!-- End of StatCounter Code for Default Guide --&g
t;..HTTP/1.1 200 OK..Content-Type: text/html..Last-Modified: Thu, 19 M
ay 2016 02:00:55 GMT..Accept-Ranges: bytes..ETag: "e3f0bc4772b1d11:0".
.Server: Microsoft-IIS/7.0..X-Powered-By: ASP.NET..Date: Thu, 19 May 2
016 07:10:52 GMT..Content-Length: 764..<meta HTTP-EQUIV="REFRESH" c
ontent="0; url=hXXp://softvipdownload.com/">....<!-- Start of St
atCounter Code for Default Guide -->..<script type="text/javascr
ipt">..var sc_project=10738598; ..var sc_invisible=1; ..var sc_secu
rity="267f1d37"; ..var scJsHost = (("https:" == document.location.prot
ocol) ?.."hXXps://secure." : "hXXp://VVV.");..document.write("<sc" 
"ript type='text/javascript' src='"  ..scJsHost .."statcounter.com
<<< skipped >>>

GET /freeupgradesoftNEW/8-Windows10PHONE/upgrade.exe HTTP/1.0

Host: upgradesoftware2017.com

User-Agent: InnoTools_Downloader

HTTP/1.1 200 OK

Content-Type: application/octet-stream

Last-Modified: Wed, 18 May 2016 22:23:59 GMT

Accept-Ranges: bytes

ETag: "c4f445f953b1d11:0"

Server: Microsoft-IIS/7.0

X-Powered-By: ASP.NET

Date: Thu, 19 May 2016 07:10:47 GMT

Connection: close

Content-Length: 814257
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......[...........
......:.......,.......<............... .{.....=.......;.......>.
....Rich............PE..L......R.................R...<......H......
..p....@..............................................................
.......3...l........................................s.................
.................@............p..t............................text...~
Q.......R.................. ..`.rdata..CO...p...P...V..............@..
@[email protected]........................
.......@..@...........................................................
......................................................................
......................................................................
......................................................................
......................................................................
........................................................[B..=...QV...u
...`/...E.............#...E..............E.........H....E....M...M...N
@..M...M.^d........3..|$..rJ.L$..9RuA.|$..r:.y.au4.y.ru..y.!u(.y..u".y
..u..I...u.j......u.j......u.j.X.....j...$..... ....P..U....4....t..E.
[email protected]...(....u..E.....E...E.]....D$.V...F..N.;N.v_.F.SUW.l.B...t.;.
v.Ph.tB.U..R.........Q...F.......D. .N...;.w...S.6.......YY..u.....Q..
.>_].^.[^....t$... [email protected]$......P..F..V...^.........
j..p..p..R...D$.V...F..N.;N.v`.F.SUW.l.B...t.;.v.Ph.tB.U..R.......
<<< skipped >>>

GET /n9s1wvzmt/image.png HTTP/1.1

Accept: */*

Referer: hXXp://softvipdownload.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: s16.postimg.org

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Thu, 19 May 2016 07:10:54 GMT

Content-Type: image/png

Content-Length: 125076

Connection: keep-alive

Set-Cookie: __cfduid=d3699b508a574ff120f176798e0eaba951463641854; expires=Fri, 19-May-17 07:10:54 GMT; path=/; domain=.postimg.org; HttpOnly

Last-Modified: Sun, 03 Apr 2016 20:37:45 GMT

ETag: "57017f19-1e894"

CF-Cache-Status: HIT

Expires: Fri, 19 May 2017 07:10:54 GMT

Cache-Control: public, max-age=31536000

Accept-Ranges: bytes

Server: cloudflare-nginx

CF-RAY: 2a55bb58336216b2-ARN
.PNG........IHDR.......g.............pHYs...t...t..f.x....tIME........
.......tEXtAuthor....H....tEXtDescription...!#....tEXtCopyright....:..
..tEXtCreation time.5.......tEXtSoftware.]p.:....tEXtDisclaimer.......
..tEXtWarning.........tEXtSource.........tEXtComment.........tEXtTitle
....'.. .IDATx...wt..}......`0.... ..$.DR..H........qb...(.$.unb.8....
..;q,...d..:%[email protected]...|..Z..~..g.Z.g...m....DDDDDDDV.
q.. """"""...JEDDDDDd.(.........Q(.......U.P*"""""".....yU........UaH$
..."""""".*.|WDDDDDDV.B..........R......Y5.."""""".j.JEDDDDDd..W{.""""
""..f...f...........Nya.9.7.y..0.r...(QO..[..`.Lf.hh..#/...'.....t.o.g
.R........t'cO.#..........[..Q>....u...<.Lp...._.7.p.....>...
.N...qb.)&._.....|;.!n..G...|..T.wEDDDDD~...B...Z.5.9..c..O..}6..x<
.@./y..~./.....*.5.'...,""""""..Kj&.......Cu....b./....mE.K...{.{..G..
S...O..?.?..|.f.G....|...........v...rIf9.JEDDDDD..F..O..v]...%).m....
..{.9/q.K .f.../.bx.?..O....-%c.E..#d...|..wqu....c=C.TDDDDDD.........
....>.c.<..QL.M.....{...R,..;.R......Y..UE......vF&..-..M7......
.M../.R......Y"0.2....../..{.O...<..2o.2_~W........ """"""g........
w..^.... .....op..Y...{._.v.:..d.i.TDDDDDd.0...N<......Z...US.q..][
E.`x...f.:.....o..e.......y.u5.Mg.m.g.......P.r/. .Q....T(......Y"Lp..
C.|.......2MJ....{.um.n.](.G.L.>.s.6F^.H..cLm.\[email protected]
...uT.l.rv...8..i...wx......P.-....Y.TDDDDDd..F..gV>.....;.4/.L..KZ
..d!.K0..?...W.<.....K..b.$G.u05......O.....V.R....w}6.......St..0{
.B.!.H$...EDDDDD.9.$b.....#...e..l..).].K.L..b!...!. .i6W:)...K2..
<<< skipped >>>

GET /counter/counter.js HTTP/1.1

Accept: */*

Referer: hXXp://bestprosoft.xyz/redirection.html

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.statcounter.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Thu, 19 May 2016 07:10:52 GMT

Server: PWS/8.1.36.0005

X-Px: ht h0-s1105.p11-fra.cdngp.net

ETag: W/"5714b418-56ec"

Cache-Control: public, max-age=43200

Content-Length: 8353

Content-Type: application/x-javascript

Content-Encoding: gzip

Vary: Accept-Encoding

Last-Modified: Mon, 18 Apr 2016 10:16:56 GMT

Connection: keep-alive
...........\{s.6..*.V. .dI...i..l..V.[......(....H..l9#...u.$@J..\.]..
7.m.h..F../.!H.Y.?F.....T.../..Ys'......oE]*."..gY.E.n.".;\..Y.>}D.
..&H....9....)vv..!.Bj.G.n......4...zQ...U......."\e..St....4.0..&...0
....x........h....C.l....y..,.....5"^.....i.?.a.0......8.S9.]..Wt...6.
E...uY..= ,..U..b..w.. ....o.....y.}.LE...ECU..Ip?.~3....0..V.d...9...
.g.l.....R....XSM.l....C$.Y.l>F."y...@d.......`>..K..h.?mD.lh.e.
f...e"...<k.9,.X,....y..yV.*...Q..W.~&F..-..o@.".Y.,b.x.7...l...<
;[email protected]. ..g.b.c......W.8...x.........X<
6~.._.6M..b..j[.e......w7..y.*.fV.C.b.p.^.3.>.U&h..s..r...l.(FiYg..
."|....'..-.kQ..=..j..x.[.VH..#.L.U.Z..U".iL..2..gQYgs.)...P....i.&."D
W.....8p.C..Z.=...#g4.9..b.u.}.^<tz#...G}..O.;.......w....z'..;....
..z=.`......I..g0........w.!A......\%I*.S..d.._..Wj.......*...1.(:..s.
...D.g..[...<w..Q..........Ry........p.d.wmJ.k.q............-.z....
.. .pm]X.......o.E......C.&.<Z...\...y.w]..oIZB...?..?.H..Zq.......
 J...B....l;.r:g..6.W(Q....* }.B....V...,.6.$.*a..........M..$....(u..
Jj.uv.....]U...Q.&..%H....U..( iA.a.mr?..%x..jIT.B.....T..h.G...rE...G
yl.*.P......H<.yp.S..~..M}..m....m.X....x?b.R.{...Q..:......L.<.
..y.V.....bgV..,._?`....\."mZr.>Py....o...(...5T.%?*.....6*.....Z.1
...e..........L|...JJ...p/.v.....G.~.....h...&c.2..!...e...........T&g
t;;..x4.Md.S....9.N...s.|r...=...8..M.....N..a....h1.?.f.h....M...u...
\.a..(.=....... ......gh:.............0N.[G;.4.. ..A)r..|...q....]....
...Nh6C.K...[...h....F.....E......\.F..:..;...3_h$%v.....b..T...Tx
<<< skipped >>>

GET /counter/counter.js HTTP/1.1

Accept: */*

Referer: hXXp://softvipdownload.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Mon, 18 Apr 2016 10:16:56 GMT; length=22252

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.statcounter.com

Connection: Keep-Alive

Cookie: is_unique=sc10738598.1463641853.0; is_visitor_unique=1463641853328226018

HTTP/1.1 304 Not Modified

Date: Thu, 19 May 2016 07:10:54 GMT

Server: PWS/8.1.36.0005

X-Px: ht h0-s1105.p11-fra.cdngp.net

ETag: W/"5714b418-56ec"

Cache-Control: public, max-age=43200

Last-Modified: Mon, 18 Apr 2016 10:16:56 GMT

Connection: keep-alive
HTTP/1.1 304 Not Modified..Date: Thu, 19 May 2016 07:10:54 GMT..Server
: PWS/8.1.36.0005..X-Px: ht h0-s1105.p11-fra.cdngp.net..ETag: W/"5714b
418-56ec"..Cache-Control: public, max-age=43200..Last-Modified: Mon, 1
8 Apr 2016 10:16:56 GMT..Connection: keep-alive..

GET /90gxxyluj/image.png HTTP/1.1

Accept: */*

Referer: hXXp://softvipdownload.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: s23.postimg.org

Connection: Keep-Alive

.[b[.O.>....z.G....4<YyJ.T.i.....g......}~...`...{.c..j.o...t..E
...;.;.\..t.....W.W..:_m.t.<...O.......\k..z..{f....7....y......9=.
..zo.......~r'.....w'[email protected]...?[......j.w....G..........C.......
...8>99.?r....C.d.&........./~..............m|..............x31^.V.
..w.w.....O.| .(.h...S.............c3-...H.iTXtXML:com.adobe.xmp.....&
lt;?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?>.<x:xmpme
ta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c111 79.158325
, 2015/09/10-01:10:20        ">.   <rdf:RDF xmlns:rdf="hXXp://ww
w.w3.org/1999/02/22-rdf-syntax-ns#">.      <rdf:Description rdf:
about="".            xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/".        
    xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/".            xmlns:st
Evt="hXXp://ns.adobe.com/xap/1.0/sType/ResourceEvent#".            xml
ns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#".            
xmlns:photoshop="hXXp://ns.adobe.com/photoshop/1.0/".            xmlns
:dc="hXXp://purl.org/dc/elements/1.1/".            xmlns:tiff="hXXp://
ns.adobe.com/tiff/1.0/".            xmlns:exif="hXXp://ns.adobe.com/ex
if/1.0/">.         <xmp:CreatorTool>Adobe Photoshop CC 2015 (
Windows)</xmp:CreatorTool>.         <xmp:CreateDate>2016-0
4-03T17:34:46 03:00</xmp:CreateDate>.         <xmp:MetadataDa
te>2016-04-03T17:59:25 03:00</xmp:MetadataDate>.         <
xmp:ModifyDate>2016-04-03T17:59:25 03:00</xmp:ModifyDate>.   
      <xmpMM:InstanceID>xmp.iid:ff9450c9-0fb6-6941-bd1c-7c31
<<< skipped >>>

GET /apa4ybjbb/cover.png HTTP/1.1

Accept: */*

Referer: hXXp://softvipdownload.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: s21.postimg.org

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Thu, 19 May 2016 07:10:54 GMT

Content-Type: image/png

Content-Length: 125430

Connection: keep-alive

Set-Cookie: __cfduid=d6e47ca385b509614cf82d0a997317c721463641854; expires=Fri, 19-May-17 07:10:54 GMT; path=/; domain=.postimg.org; HttpOnly

Last-Modified: Fri, 15 Jan 2016 03:34:28 GMT

ETag: "569868c4-1e9f6"

CF-Cache-Status: HIT

Expires: Fri, 19 May 2017 07:10:54 GMT

Cache-Control: public, max-age=31536000

Accept-Ranges: bytes

Server: cloudflare-nginx

CF-RAY: 2a55bb584d760a4e-ARN
.PNG........IHDR...[..........M/.....pHYs................OiCCPPhotosho
p ICC profile..x..SgTS..=...BK...KoR.. RB....&*!..J.!...Q..EE.........
..Q,......!.........{.k........>...........H3Q5...B..........@..$p.
...d!s.#...~<< ".....x.....M..0.....B.\[email protected]..@F....
&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH..
...........0Q..)..{.`.##x.....F.W<. ...*..x..<.$9E.[.-q.WW..(.I.
 [email protected]..._-...."[email protected]~..,/...;.
.m..%..h^[email protected].~<<E.........J.B[a.W}.g._.W.l.~<..
....$.2].G......L......b...G.......".Ib.X*..Q.q.D...2.".B.).%..d..,..&
gt;.5..j>.{.-.]c..K'.Xt.......o..(...h...w..?.G.%..fI.q..^D$.T..?..
..D..*.A....,.........`6.B$..B.B.d..r`)..B(....*`/[email protected]..=p..
a...(....A...a!...b.X#......!.H...$ ...Q"K.5H1R.T UH..=r.9.\F..;..2...
.G1...Q=...C..7..F...dt1......r..=.6....h...>C.0....3.l0...B.8,..c.
."......V.....c..w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.X
H,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,  .......3...!.[.
[email protected].(R.jJ....4..e.2AU..R...T.5.ZB...R.Q...4u.9...IK......h.h.i..t.
....N..W...G.....w.......g(.....g.w...L......T071......oUX*.*|.....J.&
..*/T.......U.U.T..^S}.FU3S......U..P.S.Sg.;...g.oT?.~Y...Y.L.OC.Q.._.
.. .c..x,!k...u.5.&...|v*......=...9C3J3W.R..f?...q..tN..(...~....).).
.4L.1e\k....X.H.Q.G..6......E.Y...A.J'\'Gg.....S.S.....M=:....k....Dw.
n.....^..Lo..y....}/.T.m...G.X...$.....<.5qo<./...QC][email protected]....
..<..F.F..i.\.$.m.m..&.&!&KM.M..RM..).;L;L........5.=1.2.......
<<< skipped >>>

GET /wp-content/themes/flexibility2/style.php HTTP/1.1

Accept: */*

Referer: hXXp://softvipdownload.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: softvipdownload.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: text/css

Server: Microsoft-IIS/7.0

X-Powered-By: ASP.NET

Date: Thu, 19 May 2016 07:10:53 GMT

Content-Length: 22469
/*--- This is the CSS that controls the theme. It's pretty sloppy, but
 try running php tags through CSS Tidy and see what happens. ---*/..ht
ml {...margin: 0px;...min-height: 100%;..}..body {...margin:0px;...pad
ding:0px;...background-color: #526074;...min-height: 100%;...}..body {
...background-image: url('hXXp://softvipdownload.com/wp-content/themes
/flexibility2/images/backgrounds/diaglines.png');...background-repeat:
 repeat; ...background-position: center top;..}..a:link, a:visited, a:
active a:focus {...-moz-outline-style:none;..}..a:hover {...-moz-outli
ne-style:none;..}..h1, h2, h3, h4 {...font-family: Georgia, Helvetica,
 sans-serif;..}..h2.pagetitle {...padding:8px 8px 8px 15px;...margin:0
px 0px 5px 0px;...background-color:#FFFFFF;...font: normal 22px/26px G
eorgia;...color: #A10000;...border: solid 1px #D7CAB5;..}..img {...bor
der:none;...margin:0;...padding:0;..}...alignleft {...margin-right:10p
x;...margin-bottom:10px;..    float: left;..}...alignright {...margin-
bottom:10px;...margin-left:10px;..    float: right;..}...aligncenter {
...display: block; ...margin-left: auto; ...margin-right: auto;..    m
argin-bottom:10px;..}..hr {...height: 1px;...border:0;...width: 95%;..
.color: #E6E6E6;...background-color: #E6E6E6;..}...postwrap blockquote
 {...margin:0 15px 10px 15px;...padding:10px 15px;...border: 1px solid
 #999999;...background: #CCCCCC;..}...postwrap blockquote blockquote {
...margin-right:5px;...margin-left:0;...background: #CCCCCC;..}...post
wrap blockquote p {...margin:0;...padding:0 0 5px;..}..#bgwrapper 
<<< skipped >>>

GET /wp-content/themes/flexibility2/images/navssbg.png HTTP/1.1

Accept: */*

Referer: hXXp://softvipdownload.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: softvipdownload.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/png

Last-Modified: Thu, 05 Jul 2012 12:39:44 GMT

Accept-Ranges: bytes

ETag: "068ff40ab5acd1:0"

Server: Microsoft-IIS/7.0

X-Powered-By: ASP.NET

Date: Thu, 19 May 2016 07:10:53 GMT

Content-Length: 288
.PNG........IHDR...d...#.....b.......sBIT....|.d.....pHYs.........B.4.
....tEXtCreation Time.12/19/08.[......tEXtSoftware.Adobe FireworksO..N
...|IDATh......P.......S..&..=.T X..g.od\.... 1....#H. 1....%...==./Ab
...$F..Ab...$.c.cCb...$F..G=.....#H. 1....#H.?$.....#H. 1...._O..W....
IEND.B`.HTTP/1.1 200 OK..Content-Type: image/png..Last-Modified: Thu, 
05 Jul 2012 12:39:44 GMT..Accept-Ranges: bytes..ETag: "068ff40ab5acd1:
0"..Server: Microsoft-IIS/7.0..X-Powered-By: ASP.NET..Date: Thu, 19 Ma
y 2016 07:10:53 GMT..Content-Length: 288...PNG........IHDR...d...#....
.b.......sBIT....|.d.....pHYs.........B.4.....tEXtCreation Time.12/19/
08.[......tEXtSoftware.Adobe FireworksO..N...|IDATh......P.......S..&.
.=.T X..g.od\.... 1....#H. 1....%...==./Ab...$F..Ab...$.c.cCb...$F..G=
.....#H. 1....#H.?$.....#H. 1...._O..W....IEND.B`.....


GET /wp-content/themes/flexibility2/iepngfix.htc HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: softvipdownload.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: text/x-component

Last-Modified: Thu, 05 Jul 2012 12:37:07 GMT

Accept-Ranges: bytes

ETag: "801b6be3aa5acd1:0"

Server: Microsoft-IIS/7.0

X-Powered-By: ASP.NET

Date: Thu, 19 May 2016 07:10:54 GMT

Content-Length: 5006
<public:component>..<public:attach event="oncontentready"...o
nevent="IEPNGFix.process(element, 1)" />..<script type="text/jav
ascript">..// IE5.5  PNG Alpha Fix v2.0 Alpha 2..// (c) 2004-2008 A
ngus Turnbull hXXp://VVV.twinhelix.com..// This is licensed under the 
GNU LGPL, version 2.1 or later...// For details, see: hXXp://creativec
ommons.org/licenses/LGPL/2.1/..if (!window.IEPNGFix) {...window.IEPNGF
ix = {};..}....// This must be a path to a blank image, relative to th
e HTML document(s)...// In production use I suggest '/images/blank.gif
' or similar. That's all!..IEPNGFix.blankImg = '/wp-content/themes/fle
xibility2/images/blank.gif';....if (!IEPNGFix.data) {...IEPNGFix.data 
= {};..}....IEPNGFix.fix = function(elm, src, t) {...// Applies an ima
ge 'src' to an element 'elm' using the DirectX filter....// If 'src' i
s null, filter is disabled....// Disables the 'hook' to prevent infini
te recursion on setting BG/src....// 't' = type, where background tile
 = 0, background = 1, IMG SRC = 2....var h = this.hook.enabled;...this
.hook.enabled = 0;...var f = 'DXImageTransform.Microsoft.AlphaImageLoa
der';...src = (src || '').replace(/\(/g, '(').replace(/\)/g, ')');
...if (....srHTTP/1.1 200 OK..Content-Type: text/x-component..Last-Mod
ified: Thu, 05 Jul 2012 12:37:07 GMT..Accept-Ranges: bytes..ETag: "801
b6be3aa5acd1:0"..Server: Microsoft-IIS/7.0..X-Powered-By: ASP.NET..Dat
e: Thu, 19 May 2016 07:10:54 GMT..Content-Length: 5006..<public:com
ponent>..<public:attach event="oncontentready"...onevent="IE
<<< skipped >>>

GET /fbk4t7kc7/digitaltvonpc.png HTTP/1.1

Accept: */*

Referer: hXXp://softvipdownload.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: s13.postimg.org

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Thu, 19 May 2016 07:10:54 GMT

Content-Type: image/png

Content-Length: 298623

Connection: keep-alive

Set-Cookie: __cfduid=d1c35629dbc4cd7cfe96abd7c0a8c78fb1463641854; expires=Fri, 19-May-17 07:10:54 GMT; path=/; domain=.postimg.org; HttpOnly

Last-Modified: Sun, 21 Feb 2016 05:40:55 GMT

ETag: "56c94de7-48e7f"

CF-Cache-Status: HIT

Expires: Fri, 19 May 2017 07:10:54 GMT

Cache-Control: public, max-age=31536000

Accept-Ranges: bytes

Server: cloudflare-nginx

CF-RAY: 2a55bb583dbd3714-ARN
.PNG........IHDR... ...X......v.p....pHYs.......... ......tIME........
.......tEXtAuthor....H....tEXtDescription...!#....tEXtCopyright....:..
..tEXtCreation time.5.......tEXtSoftware.]p.:....tEXtDisclaimer.......
..tEXtWarning.........tEXtSource.........tEXtComment.........tEXtTitle
....'.. .IDATx...w.......a..$..]%$.D..HdD2&....ls.......^g.........`^.
s..`2&..D....(k.W.w'u.z...............gw........._?.S-.{B.B....B:.....
....?(....\....|<..l,       `..B.,.......Be..).o~../........X..W.,=
:.....W.\t...q.uW........%.6....>)@...e.1..!.Zv ...v....z....r.....
....'.>.._.e..R....Q7.........o.MX.....DnY.z~...\.../...k......2.g.
...}?...k.]....G.}...\....2.......c..k......(..JO..............l.<$
>r.F.....)../...".!pp........S...J.........e..s.....i..Z.........uq
l{...q ]._......== ..X...'B~p.'B.k...........k.....DG.W$... ...- w9   
    ...h..b.#...........b...$.D.R`;6.....}\....s..m......2.\..6.O.!..D
.W.)...p./....b...< .)SD".....bI...R.I......."..F..P^N.O >......
..M...B..u..)$F|.......!.......)$B.\...O.......s...u..~../@r..t.....;.
.1...6.l.._/.:J...e.k..uR..Iu}.a:8............KW{'...H..P.(...........
...w .<!.DI!AR..Q...........u..h.6....c......w..G...g.~y...w......\
......... ..].q.pQ..=.......7l.....I3...\.x4Fe$.@:..?.....Z..6..uC?...
Q*[email protected].......^......|...[....."c......>...3...O...`g
2......e...~......c...C...N..u.a.......u...$h....Y=....N.93.0...X4..{W
....T..........c.A......f..!....\.2..W.........?.c....r.L..U..-?Y..8..
...}QQL...........Hg.O..:.^..._y.h...x....v..k...W..2............M
<<< skipped >>>

GET /w9kufim5t/cover.png HTTP/1.1

Accept: */*

Referer: hXXp://softvipdownload.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: s22.postimg.org

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Thu, 19 May 2016 07:10:54 GMT

Content-Type: image/png

Content-Length: 124855

Connection: keep-alive

Set-Cookie: __cfduid=d3699b508a574ff120f176798e0eaba951463641854; expires=Fri, 19-May-17 07:10:54 GMT; path=/; domain=.postimg.org; HttpOnly

Last-Modified: Fri, 15 Jan 2016 03:27:09 GMT

ETag: "5698670d-1e7b7"

CF-Cache-Status: HIT

Expires: Fri, 19 May 2017 07:10:54 GMT

Cache-Control: public, max-age=31536000

Accept-Ranges: bytes

Server: cloudflare-nginx

CF-RAY: 2a55bb58367b16b2-ARN
.PNG........IHDR...[..........M/.....pHYs................OiCCPPhotosho
p ICC profile..x..SgTS..=...BK...KoR.. RB....&*!..J.!...Q..EE.........
..Q,......!.........{.k........>...........H3Q5...B..........@..$p.
...d!s.#...~<< ".....x.....M..0.....B.\[email protected]..@F....
&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH..
...........0Q..)..{.`.##x.....F.W<. ...*..x..<.$9E.[.-q.WW..(.I.
 [email protected]..._-...."[email protected]~..,/...;.
.m..%..h^[email protected].~<<E.........J.B[a.W}.g._.W.l.~<..
....$.2].G......L......b...G.......".Ib.X*..Q.q.D...2.".B.).%..d..,..&
gt;.5..j>.{.-.]c..K'.Xt.......o..(...h...w..?.G.%..fI.q..^D$.T..?..
..D..*.A....,.........`6.B$..B.B.d..r`)..B(....*`/[email protected]..=p..
a...(....A...a!...b.X#......!.H...$ ...Q"K.5H1R.T UH..=r.9.\F..;..2...
.G1...Q=...C..7..F...dt1......r..=.6....h...>C.0....3.l0...B.8,..c.
."......V.....c..w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.X
H,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,  .......3...!.[.
[email protected].(R.jJ....4..e.2AU..R...T.5.ZB...R.Q...4u.9...IK......h.h.i..t.
....N..W...G.....w.......g(.....g.w...L......T071......oUX*.*|.....J.&
..*/T.......U.U.T..^S}.FU3S......U..P.S.Sg.;...g.oT?.~Y...Y.L.OC.Q.._.
.. .c..x,!k...u.5.&...|v*......=...9C3J3W.R..f?...q..tN..(...~....).).
.4L.1e\k....X.H.Q.G..6......E.Y...A.J'\'Gg.....S.S.....M=:....k....Dw.
n.....^..Lo..y....}/.T.m...G.X...$.....<.5qo<./...QC][email protected]....
..<..F.F..i.\.$.m.m..&.&!&KM.M..RM..).;L;L........5.=1.2.......
<<< skipped >>>

GET / HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: softvipdownload.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: text/html; charset=UTF-8

Server: Microsoft-IIS/7.0

X-Pingback: hXXp://softvipdownload.com/xmlrpc.php

X-Powered-By: ASP.NET

Date: Thu, 19 May 2016 07:10:53 GMT

Content-Length: 52391
..<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "h
ttp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<html 
xmlns="hXXp://VVV.w3.org/1999/xhtml">..<head profile="hXXp://gmp
g.org/xfn/11">..<meta http-equiv="Content-Type" content="text/ht
ml; charset=UTF-8" />..<meta name="distribution" content="global
" />..<meta name="robots" content="follow, all" />..<meta 
name="language" content="en, sv" />..<title>..SoftVipDownload
</title>..<meta name="generator" content="WordPress 3.2.1" /&
gt;..<!-- leave this for stats please -->..<link rel="shortcu
t icon" href="hXXp://softvipdownload.com/wp-content/themes/flexibility
2/favicon.ico" type="image/x-icon" />..<link rel="alternate" typ
e="application/rss xml" title="RSS 2.0" href="hXXp://softvipdownload.c
om/?feed=rss2" />..<link rel="alternate" type="text/xml" title="
RSS .92" href="hXXp://softvipdownload.com/?feed=rss" />..<link r
el="alternate" type="application/atom xml" title="Atom 0.3" href="http
://softvipdownload.com/?feed=atom" />..<link rel="pingback" href
="hXXp://softvipdownload.com/xmlrpc.php" />...<link rel='archive
s' title='April 2016' href='hXXp://softvipdownload.com/?m=201604' />
;..<link rel='archives' title='March 2016' href='hXXp://softvipdown
load.com/?m=201603' />..<link rel='archives' title='February 201
6' href='hXXp://softvipdownload.com/?m=201602' />..<link rel='ar
chives' title='December 2015' href='hXXp://softvipdownload.com/?m=
<<< skipped >>>

GET /wp-content/themes/flexibility2/ie6style.php HTTP/1.1

Accept: */*

Referer: hXXp://softvipdownload.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: softvipdownload.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: text/css

Server: Microsoft-IIS/7.0

X-Powered-By: ASP.NET

Date: Thu, 19 May 2016 07:10:53 GMT

Content-Length: 1980
..body {background-image:none;}..#bgwrapper {background-image:none;}..
.topshadow {behavior: url(hXXp://softvipdownload.com/wp-content/themes
/flexibility2/iepngfix.htc);}..#content {width: 910px;}..#header {beha
vior: url(hXXp://softvipdownload.com/wp-content/themes/flexibility2/ie
pngfix.htc);}..#nav {behavior: url(hXXp://softvipdownload.com/wp-conte
nt/themes/flexibility2/iepngfix.htc);}..#feature {background-image:non
e;}..img {behavior: url(hXXp://softvipdownload.com/wp-content/themes/f
lexibility2/iepngfix.htc);}..#nav li a {behavior: url(hXXp://softvipdo
wnload.com/wp-content/themes/flexibility2/iepngfix.htc);}..#nav li a s
pan {behavior: url(hXXp://softvipdownload.com/wp-content/themes/flexib
ility2/iepngfix.htc);}..#header #searchform {behavior: url(hXXp://soft
vipdownload.com/wp-content/themes/flexibility2/iepngfix.htc);}..#rssfe
eds .img {behavior: url(hXXp://softvipdownload.com/wp-content/themes/f
lexibility2/iepngfix.htc);}..h2.pagetitle {background-image:none;}...p
ostMeta {behavior: url(hXXp://softvipdownload.com/wp-content/themes/fl
exibility2/iepngfix.htc);}..div.commentcount {behavior: url(hXXp://sof
tvipdownload.com/wp-content/themes/flexibility2/iepngfix.htc);}..div.p
ostdate {behavior: url(hXXp://softvipdownload.com/wp-content/themes/fl
exibility2/iepngfix.htc);}..#sidebar-top ul li { background-image:none
; padding-left:0px;}..#sidebar-left ul li, #sidebar-right ul li {backg
round-image:none; padding-left:0px;}..#sidebar-top div.toptitle {backg
round: url(images/sidebar-h2-bg.png) no-repeat top left; backgroun
<<< skipped >>>

GET /wp-content/themes/flexibility2/iepngfix_tilebg.js HTTP/1.1

Accept: */*

Referer: hXXp://softvipdownload.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: softvipdownload.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: application/x-javascript

Last-Modified: Thu, 05 Jul 2012 12:37:07 GMT

Accept-Ranges: bytes

ETag: "801b6be3aa5acd1:0"

Server: Microsoft-IIS/7.0

X-Powered-By: ASP.NET

Date: Thu, 19 May 2016 07:10:53 GMT

Content-Length: 3828
// IE5.5  PNG Alpha Fix v2.0beta1: Background Tiling Support..// (c) 2
008 Angus Turnbull hXXp://VVV.twinhelix.com..// This is licensed under
 the GNU LGPL, version 2.1 or later...// For details, see: hXXp://crea
tivecommons.org/licenses/LGPL/2.1/..if (!window.IEPNGFix) {...window.I
EPNGFix = {};..}..IEPNGFix.tileBG = function(elm, pngSrc, ready) {.../
/ Params: A reference to a DOM element, the PNG src file pathname, and
 a...// hidden "ready-to-run" passed when called back after image prel
oading....var data = this.data[elm.uniqueID],....elmW = Math.max(elm.c
lientWidth, elm.scrollWidth),....elmH = Math.max(elm.clientHeight, elm
.scrollHeight),....bgX = elm.currentStyle.backgroundPositionX,....bgY 
= elm.currentStyle.backgroundPositionY,....bgR = elm.currentStyle.back
groundRepeat;...// Cache of DIVs created per element, and image preloa
der/data....if (!data.tiles) {....data.tiles = {.....src: '',.....cach
e: [],.....img: new Image(),.....old: {}....};...}...var tiles = data.
tiles,....pngW = tiles.img.width,....pngH = tiles.img.height;...if (pn
gSrc) {....if (!ready && pngSrc != tiles.src) {.....// New image? Prel
oad it with a callback to detect dimensions......tiles.img.onload = fu
nction() {......this.onload = null;......IEPNGFix.tileBG(elm, pngSrc, 
1);.....};.....return tiles.img.src = pngSrc;....}...} else {....// No
 image?....if (tiles.src) ready = 1;....pngW = pngH = 0;...}...tiles.s
rc = pngSrc;...if (!ready && elmW == tiles.old.w && elmH == tiles.old.
h &&....bgX == tiles.old.x && bgY == tiles.old.y && bgR == tiles.o
<<< skipped >>>

GET /download2.png HTTP/1.1

Accept: */*

Referer: hXXp://softvipdownload.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: softvipdownload.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/png

Last-Modified: Fri, 22 Apr 2016 22:50:37 GMT

Accept-Ranges: bytes

ETag: "8e9f3063e99cd11:0"

Server: Microsoft-IIS/7.0

X-Powered-By: ASP.NET

Date: Thu, 19 May 2016 07:10:53 GMT

Content-Length: 18827
.PNG........IHDR.......X......8......pHYs................OiCCPPhotosho
p ICC profile..x..SgTS..=...BK...KoR.. RB....&*!..J.!...Q..EE.........
..Q,......!.........{.k........>...........H3Q5...B..........@..$p.
...d!s.#...~<< ".....x.....M..0.....B.\[email protected]..@F....
&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH..
...........0Q..)..{.`.##x.....F.W<. ...*..x..<.$9E.[.-q.WW..(.I.
 [email protected]..._-...."[email protected]~..,/...;.
.m..%..h^[email protected].~<<E.........J.B[a.W}.g._.W.l.~<..
....$.2].G......L......b...G.......".Ib.X*..Q.q.D...2.".B.).%..d..,..&
gt;.5..j>.{.-.]c..K'.Xt.......o..(...h...w..?.G.%..fI.q..^D$.T..?..
..D..*.A....,.........`6.B$..B.B.d..r`)..B(....*`/[email protected]..=p..
a...(....A...a!...b.X#......!.H...$ ...Q"K.5H1R.T UH..=r.9.\F..;..2...
.G1...Q=...C..7..F...dt1......r..=.6....h...>C.0....3.l0...B.8,..c.
."......V.....c..w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.X
H,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,  .......3...!.[.
[email protected].(R.jJ....4..e.2AU..R...T.5.ZB...R.Q...4u.9...IK......h.h.i..t.
....N..W...G.....w.......g(.....g.w...L......T071......oUX*.*|.....J.&
..*/T.......U.U.T..^S}.FU3S......U..P.S.Sg.;...g.oT?.~Y...Y.L.OC.Q.._.
.. .c..x,!k...u.5.&...|v*......=...9C3J3W.R..f?...q..tN..(...~....).).
.4L.1e\k....X.H.Q.G..6......E.Y...A.J'\'Gg.....S.S.....M=:....k....Dw.
n.....^..Lo..y....}/.T.m...G.X...$.....<.5qo<./...QC][email protected]....
..<..F.F..i.\.$.m.m..&.&!&KM.M..RM..).;L;L........5.=1.2.......
<<< skipped >>>

GET /wp-content/themes/flexibility2/images/footerdark.png HTTP/1.1

Accept: */*

Referer: hXXp://softvipdownload.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: softvipdownload.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/png

Last-Modified: Thu, 05 Jul 2012 12:39:42 GMT

Accept-Ranges: bytes

ETag: "03bce3fab5acd1:0"

Server: Microsoft-IIS/7.0

X-Powered-By: ASP.NET

Date: Thu, 19 May 2016 07:10:54 GMT

Content-Length: 2804
.PNG........IHDR...............q.....sBIT....|.d.....pHYs...........~.
....tEXtSoftware.Adobe FireworksO..N....tEXtCreation Time.01/12/09V..K
...PIDATx......W...s.y...y6...X..v..Ep..(.q.DAA...F!!....f01........ &
lt;,....8......X.Z................"""""""""./......z%c.1..c.1..c....kT
9..c.1..c.1..ws..c.1..c.1..Yv..#..c.1..c.1...{.WL(..c.1..c.1....S.0..c
.1..c.1.3#..1..c.1..cl..qg.1..c.1..c.mU.M(..c.1..c.1....w.U...0..c.1..
c.16.V...E.c.1..c.1.....>5..c.1..c.1..c;.v........#..c.1..c.1.N.U}f
B...c.1..c.1.v...M(..c.1..c.1...V...E.c.1..c.1.....7...]..p..c.1..c.1.
.i...O(..c.1..c.1...V...E.c.1..c.1.....><..c.1..c.1..c;.V.=...1.
.c.1..c..)...'.a.1..c.1..clg....".1..c.1..c.......?.....c.1..c.1..;.V.
..E.c.1..c.1......2..c.1..c.1..c;[.W'.a.1..c.1..clg..XU/V.?.1..c.1..c.
1v...k..0..c.1..c.1..U}tB...c.1..c.1.vv..p8z.1..c.1..c..)..oL(..c.1..c
.1...V...E.c.1..c.1......5..c.1..c.1..c;...7.....c.1..c.1...[.w&.a.1..
c.1..clg....".1..c.1..c..lU..P.1..c.1..c...]..F...M.#..c.1..c.1.N.U}lB
...c.1..c.1.v...O(..c.1..c.1...n....o...G.1..c.1..c..f....".1..c.1..c.
.lU?.P.1..c.1..c........0..c.1..c.1..k...._.c.1..c.1...b....".1..c.1..
c..lU?.P.1..c.1..c...]...z.z...1..c.1..c...mU..P.1..c.1..c.....'..0..c
.1..c.1..U.tB...c.1..c.1.vv..U...m.#..c.1..c.1.N.U.lB...c.1..c.1.v...&
.a.1..c.1..clg.....s.1..c.1..c.M.U.|B...c.1..c.1.v.._L(..c.1..c.1...V.
......#..c.1..c.1.N.U}zB...c.1..c.1.vv.R.1..c.1..c.....W..0..c.1..c.1.
.U.zB...c.1..c.1.vv.f....;.G.1..c.1..c..n....".1..c.1..c...Z..p..c.1..
c.1..cSlU..P.1..c.1..c...]..a.1..c.1..clg....".1..c.1..c..lU_.P.1.
<<< skipped >>>

GET /wp-content/themes/flexibility2/images/headers/header-Flare.png HTTP/1.1

Accept: */*

Referer: hXXp://softvipdownload.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: softvipdownload.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/png

Last-Modified: Thu, 05 Jul 2012 12:41:49 GMT

Accept-Ranges: bytes

ETag: "80e4808bab5acd1:0"

Server: Microsoft-IIS/7.0

X-Powered-By: ASP.NET

Date: Thu, 19 May 2016 07:10:54 GMT

Content-Length: 14984
.PNG........IHDR...............vZ....sBIT....|.d.....pHYs...........~.
....tEXtCreation Time.12/11/08..00....tEXtXML:com.adobe.xmp.<?xpack
et begin="   " id="W5M0MpCehiHzreSzNTczkc9d"?>.<x:xmpmeta xmlns:
x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 4.1-c034 46.272976, Sat Jan
 27 2007 22:37:37        ">.   <rdf:RDF xmlns:rdf="hXXp://VVV.w3
.org/1999/02/22-rdf-syntax-ns#">.      <rdf:Description rdf:abou
t="".            xmlns:xap="hXXp://ns.adobe.com/xap/1.0/">.        
 <xap:CreatorTool>Adobe Fireworks CS3</xap:CreatorTool>.  
       <xap:CreateDate>2008-12-11T17:54:50Z</xap:CreateDate&g
t;.         <xap:ModifyDate>2008-12-12T04:33:57Z</xap:ModifyD
ate>.      </rdf:Description>.      <rdf:Description rdf:a
bout="".            xmlns:dc="hXXp://purl.org/dc/elements/1.1/">.  
       <dc:format>image/png</dc:format>.      </rdf:Des
cription>.   </rdf:RDF>.</x:xmpmeta>.                  
                                                                      
            .                                                         
                                           .                          
                                                                 #.t..
...tEXtSoftware.Adobe FireworksO..N.. .IDATx....r.H.&S.j..s=.;.}..X...
_,....Ef.t7kk..K.. ....Zk..........0z.Az.[.'S .....[.z...g.G..a...f{V.
.....k"./.......g.[k.c,........q....j?....."....!ezH.[.U#..Zv.......6c
.X........._.Y...b1.....\`g.{....*.ZoAl.",GI.*Q...[q.lC`.......E.e
<<< skipped >>>

GET /wp-content/themes/flexibility2/images/navssbg.png HTTP/1.1

Accept: */*

Referer: hXXp://softvipdownload.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 05 Jul 2012 12:39:44 GMT

If-None-Match: "068ff40ab5acd1:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: softvipdownload.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Last-Modified: Thu, 05 Jul 2012 12:39:44 GMT

Accept-Ranges: bytes

ETag: "068ff40ab5acd1:0"

Server: Microsoft-IIS/7.0

X-Powered-By: ASP.NET

Date: Thu, 19 May 2016 07:10:55 GMT
....


GET /wp-content/themes/flexibility2/images/headers/header-Flare.png HTTP/1.1

Accept: */*

Referer: hXXp://softvipdownload.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 05 Jul 2012 12:41:49 GMT

If-None-Match: "80e4808bab5acd1:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: softvipdownload.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Last-Modified: Thu, 05 Jul 2012 12:41:49 GMT

Accept-Ranges: bytes

ETag: "80e4808bab5acd1:0"

Server: Microsoft-IIS/7.0

X-Powered-By: ASP.NET

Date: Thu, 19 May 2016 07:10:55 GMT
....


GET /wp-content/themes/flexibility2/images/blank.gif HTTP/1.1

Accept: */*

Referer: hXXp://softvipdownload.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: softvipdownload.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/gif

Last-Modified: Thu, 05 Jul 2012 12:39:40 GMT

Accept-Ranges: bytes

ETag: "0e9d3eab5acd1:0"

Server: Microsoft-IIS/7.0

X-Powered-By: ASP.NET

Date: Thu, 19 May 2016 07:10:55 GMT

Content-Length: 49
GIF89a...................!.......,...........T..;HTTP/1.1 304 Not Modi
fied..Last-Modified: Thu, 05 Jul 2012 12:39:40 GMT..Accept-Ranges: byt
es..ETag: "0e9d3eab5acd1:0"..Server: Microsoft-IIS/7.0..X-Powered-By: 
ASP.NET..Date: Thu, 19 May 2016 07:10:56 GMT..HTTP/1.1 304 Not Modifie
d..Last-Modified: Thu, 05 Jul 2012 12:39:40 GMT..Accept-Ranges: bytes.
.ETag: "0e9d3eab5acd1:0"..Server: Microsoft-IIS/7.0..X-Powered-By: ASP
.NET..Date: Thu, 19 May 2016 07:10:56 GMT..HTTP/1.1 304 Not Modified..
Last-Modified: Thu, 05 Jul 2012 12:39:40 GMT..Accept-Ranges: bytes..ET
ag: "0e9d3eab5acd1:0"..Server: Microsoft-IIS/7.0..X-Powered-By: ASP.NE
T..Date: Thu, 19 May 2016 07:10:56 GMT......


GET /wp-content/themes/flexibility2/images/blank.gif HTTP/1.1

Accept: */*

Referer: hXXp://softvipdownload.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 05 Jul 2012 12:39:40 GMT

If-None-Match: "0e9d3eab5acd1:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: softvipdownload.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Last-Modified: Thu, 05 Jul 2012 12:39:40 GMT

Accept-Ranges: bytes

ETag: "0e9d3eab5acd1:0"

Server: Microsoft-IIS/7.0

X-Powered-By: ASP.NET

Date: Thu, 19 May 2016 07:10:56 GMT
....


GET /wp-content/themes/flexibility2/images/blank.gif HTTP/1.1

Accept: */*

Referer: hXXp://softvipdownload.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 05 Jul 2012 12:39:40 GMT

If-None-Match: "0e9d3eab5acd1:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: softvipdownload.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Last-Modified: Thu, 05 Jul 2012 12:39:40 GMT

Accept-Ranges: bytes

ETag: "0e9d3eab5acd1:0"

Server: Microsoft-IIS/7.0

X-Powered-By: ASP.NET

Date: Thu, 19 May 2016 07:10:56 GMT
....


GET /wp-content/themes/flexibility2/images/blank.gif HTTP/1.1

Accept: */*

Referer: hXXp://softvipdownload.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 05 Jul 2012 12:39:40 GMT

If-None-Match: "0e9d3eab5acd1:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: softvipdownload.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Last-Modified: Thu, 05 Jul 2012 12:39:40 GMT

Accept-Ranges: bytes

ETag: "0e9d3eab5acd1:0"

Server: Microsoft-IIS/7.0

X-Powered-By: ASP.NET

Date: Thu, 19 May 2016 07:10:56 GMT
....


GET /wp-content/themes/flexibility2/images/blank.gif HTTP/1.1

Accept: */*

Referer: hXXp://softvipdownload.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 05 Jul 2012 12:39:40 GMT

If-None-Match: "0e9d3eab5acd1:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: softvipdownload.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Last-Modified: Thu, 05 Jul 2012 12:39:40 GMT

Accept-Ranges: bytes

ETag: "0e9d3eab5acd1:0"

Server: Microsoft-IIS/7.0

X-Powered-By: ASP.NET

Date: Thu, 19 May 2016 07:10:56 GMT
....


GET /wp-content/themes/flexibility2/images/blank.gif HTTP/1.1

Accept: */*

Referer: hXXp://softvipdownload.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 05 Jul 2012 12:39:40 GMT

If-None-Match: "0e9d3eab5acd1:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: softvipdownload.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Last-Modified: Thu, 05 Jul 2012 12:39:40 GMT

Accept-Ranges: bytes

ETag: "0e9d3eab5acd1:0"

Server: Microsoft-IIS/7.0

X-Powered-By: ASP.NET

Date: Thu, 19 May 2016 07:10:56 GMT
....


GET /wp-content/themes/flexibility2/images/blank.gif HTTP/1.1

Accept: */*

Referer: hXXp://softvipdownload.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 05 Jul 2012 12:39:40 GMT

If-None-Match: "0e9d3eab5acd1:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: softvipdownload.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Last-Modified: Thu, 05 Jul 2012 12:39:40 GMT

Accept-Ranges: bytes

ETag: "0e9d3eab5acd1:0"

Server: Microsoft-IIS/7.0

X-Powered-By: ASP.NET

Date: Thu, 19 May 2016 07:10:56 GMT
....


GET /wp-content/themes/flexibility2/images/blank.gif HTTP/1.1

Accept: */*

Referer: hXXp://softvipdownload.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 05 Jul 2012 12:39:40 GMT

If-None-Match: "0e9d3eab5acd1:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: softvipdownload.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Last-Modified: Thu, 05 Jul 2012 12:39:40 GMT

Accept-Ranges: bytes

ETag: "0e9d3eab5acd1:0"

Server: Microsoft-IIS/7.0

X-Powered-By: ASP.NET

Date: Thu, 19 May 2016 07:10:56 GMT
....


GET /wp-content/themes/flexibility2/images/blank.gif HTTP/1.1

Accept: */*

Referer: hXXp://softvipdownload.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 05 Jul 2012 12:39:40 GMT

If-None-Match: "0e9d3eab5acd1:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: softvipdownload.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Last-Modified: Thu, 05 Jul 2012 12:39:40 GMT

Accept-Ranges: bytes

ETag: "0e9d3eab5acd1:0"

Server: Microsoft-IIS/7.0

X-Powered-By: ASP.NET

Date: Thu, 19 May 2016 07:10:57 GMT
....


GET /wp-content/themes/flexibility2/images/blank.gif HTTP/1.1

Accept: */*

Referer: hXXp://softvipdownload.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 05 Jul 2012 12:39:40 GMT

If-None-Match: "0e9d3eab5acd1:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: softvipdownload.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Last-Modified: Thu, 05 Jul 2012 12:39:40 GMT

Accept-Ranges: bytes

ETag: "0e9d3eab5acd1:0"

Server: Microsoft-IIS/7.0

X-Powered-By: ASP.NET

Date: Thu, 19 May 2016 07:10:57 GMT
....


GET /wp-content/themes/flexibility2/images/blank.gif HTTP/1.1

Accept: */*

Referer: hXXp://softvipdownload.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 05 Jul 2012 12:39:40 GMT

If-None-Match: "0e9d3eab5acd1:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: softvipdownload.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Last-Modified: Thu, 05 Jul 2012 12:39:40 GMT

Accept-Ranges: bytes

ETag: "0e9d3eab5acd1:0"

Server: Microsoft-IIS/7.0

X-Powered-By: ASP.NET

Date: Thu, 19 May 2016 07:10:57 GMT
HTTP/1.1 304 Not Modified..Last-Modified: Thu, 05 Jul 2012 12:39:40 GM
T..Accept-Ranges: bytes..ETag: "0e9d3eab5acd1:0"..Server: Microsoft-II
S/7.0..X-Powered-By: ASP.NET..Date: Thu, 19 May 2016 07:10:57 GMT..ont>....


GET /wp-content/themes/flexibility2/images/blank.gif HTTP/1.1

Accept: */*

Referer: hXXp://softvipdownload.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 05 Jul 2012 12:39:40 GMT

If-None-Match: "0e9d3eab5acd1:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: softvipdownload.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Last-Modified: Thu, 05 Jul 2012 12:39:40 GMT

Accept-Ranges: bytes

ETag: "0e9d3eab5acd1:0"

Server: Microsoft-IIS/7.0

X-Powered-By: ASP.NET

Date: Thu, 19 May 2016 07:10:57 GMT
HTTP/1.1 304 Not Modified..Last-Modified: Thu, 05 Jul 2012 12:39:40 GM
T..Accept-Ranges: bytes..ETag: "0e9d3eab5acd1:0"..Server: Microsoft-II
S/7.0..X-Powered-By: ASP.NET..Date: Thu, 19 May 2016 07:10:57 GMT..ont>....


GET /wp-content/themes/flexibility2/images/blank.gif HTTP/1.1

Accept: */*

Referer: hXXp://softvipdownload.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 05 Jul 2012 12:39:40 GMT

If-None-Match: "0e9d3eab5acd1:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: softvipdownload.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Last-Modified: Thu, 05 Jul 2012 12:39:40 GMT

Accept-Ranges: bytes

ETag: "0e9d3eab5acd1:0"

Server: Microsoft-IIS/7.0

X-Powered-By: ASP.NET

Date: Thu, 19 May 2016 07:10:58 GMT
....


GET /wp-content/themes/flexibility2/images/blank.gif HTTP/1.1

Accept: */*

Referer: hXXp://softvipdownload.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 05 Jul 2012 12:39:40 GMT

If-None-Match: "0e9d3eab5acd1:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: softvipdownload.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Last-Modified: Thu, 05 Jul 2012 12:39:40 GMT

Accept-Ranges: bytes

ETag: "0e9d3eab5acd1:0"

Server: Microsoft-IIS/7.0

X-Powered-By: ASP.NET

Date: Thu, 19 May 2016 07:10:58 GMT
....


GET /wp-content/themes/flexibility2/images/blank.gif HTTP/1.1

Accept: */*

Referer: hXXp://softvipdownload.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 05 Jul 2012 12:39:40 GMT

If-None-Match: "0e9d3eab5acd1:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: softvipdownload.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Last-Modified: Thu, 05 Jul 2012 12:39:40 GMT

Accept-Ranges: bytes

ETag: "0e9d3eab5acd1:0"

Server: Microsoft-IIS/7.0

X-Powered-By: ASP.NET

Date: Thu, 19 May 2016 07:10:58 GMT
HTTP/1.1 304 Not Modified..Last-Modified: Thu, 05 Jul 2012 12:39:40 GM
T..Accept-Ranges: bytes..ETag: "0e9d3eab5acd1:0"..Server: Microsoft-II
S/7.0..X-Powered-By: ASP.NET..Date: Thu, 19 May 2016 07:10:58 GMT..ont>....


GET /wp-content/themes/flexibility2/images/blank.gif HTTP/1.1

Accept: */*

Referer: hXXp://softvipdownload.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 05 Jul 2012 12:39:40 GMT

If-None-Match: "0e9d3eab5acd1:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: softvipdownload.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Last-Modified: Thu, 05 Jul 2012 12:39:40 GMT

Accept-Ranges: bytes

ETag: "0e9d3eab5acd1:0"

Server: Microsoft-IIS/7.0

X-Powered-By: ASP.NET

Date: Thu, 19 May 2016 07:10:58 GMT
....


GET /wp-content/themes/flexibility2/images/blank.gif HTTP/1.1

Accept: */*

Referer: hXXp://softvipdownload.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 05 Jul 2012 12:39:40 GMT

If-None-Match: "0e9d3eab5acd1:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: softvipdownload.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Last-Modified: Thu, 05 Jul 2012 12:39:40 GMT

Accept-Ranges: bytes

ETag: "0e9d3eab5acd1:0"

Server: Microsoft-IIS/7.0

X-Powered-By: ASP.NET

Date: Thu, 19 May 2016 07:10:58 GMT
HTTP/1.1 304 Not Modified..Last-Modified: Thu, 05 Jul 2012 12:39:40 GM
T..Accept-Ranges: bytes..ETag: "0e9d3eab5acd1:0"..Server: Microsoft-II
S/7.0..X-Powered-By: ASP.NET..Date: Thu, 19 May 2016 07:10:58 GMT..ont>....


GET /wp-content/themes/flexibility2/images/footerdark.png HTTP/1.1

Accept: */*

Referer: hXXp://softvipdownload.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 05 Jul 2012 12:39:42 GMT

If-None-Match: "03bce3fab5acd1:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: softvipdownload.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Last-Modified: Thu, 05 Jul 2012 12:39:42 GMT

Accept-Ranges: bytes

ETag: "03bce3fab5acd1:0"

Server: Microsoft-IIS/7.0

X-Powered-By: ASP.NET

Date: Thu, 19 May 2016 07:10:58 GMT
HTTP/1.1 304 Not Modified..Last-Modified: Thu, 05 Jul 2012 12:39:42 GM
T..Accept-Ranges: bytes..ETag: "03bce3fab5acd1:0"..Server: Microsoft-I
IS/7.0..X-Powered-By: ASP.NET..Date: Thu, 19 May 2016 07:10:58 GMT..

GET /h1me77sx1/yumtynreh.png HTTP/1.1

Accept: */*

Referer: hXXp://softvipdownload.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: s8.postimg.org

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Thu, 19 May 2016 07:10:54 GMT

Content-Type: image/png

Content-Length: 408129

Connection: keep-alive

Set-Cookie: __cfduid=d5c33fface9e8c5c41b8131cdfc2ca52e1463641854; expires=Fri, 19-May-17 07:10:54 GMT; path=/; domain=.postimg.org; HttpOnly

Last-Modified: Sat, 02 Apr 2016 21:10:17 GMT

ETag: "57003539-63a41"

CF-Cache-Status: HIT

Expires: Fri, 19 May 2017 07:10:54 GMT

Cache-Control: public, max-age=31536000

Accept-Ranges: bytes

Server: cloudflare-nginx

CF-RAY: 2a55bb581d5936f6-ARN
.PNG........IHDR...;.........,.......pHYs...............Q7iTXtXML:com.
adobe.xmp.....<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?&
gt;.<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6
-c067 79.157747, 2015/03/30-23:40:42        ">.   <rdf:RDF xmlns
:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#">.      <rdf:D
escription rdf:about="".            xmlns:xmpMM="hXXp://ns.adobe.com/x
ap/1.0/mm/".            xmlns:stEvt="hXXp://ns.adobe.com/xap/1.0/sType
/ResourceEvent#".            xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/
sType/ResourceRef#".            xmlns:dc="hXXp://purl.org/dc/elements/
1.1/".            xmlns:photoshop="hXXp://ns.adobe.com/photoshop/1.0/"
.            xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/".            xmln
s:tiff="hXXp://ns.adobe.com/tiff/1.0/".            xmlns:exif="hXXp://
ns.adobe.com/exif/1.0/">.         <xmpMM:DocumentID>adobe:doc
id:photoshop:7dc6d6fe-6f98-11e5-a45f-8d0ceaf35f2b</xmpMM:DocumentID
>.         <xmpMM:InstanceID>xmp.iid:e23bdc10-e0bc-8842-acca-
88dbbfba81b4</xmpMM:InstanceID>.         <xmpMM:OriginalDocum
entID>F31F7DCFDC00A2B122E4DA3F0F781EDF</xmpMM:OriginalDocumentID
>.         <xmpMM:History>.            <rdf:Seq>.      
         <rdf:li rdf:parseType="Resource">.                  <
;stEvt:action>saved</stEvt:action>.                  <stEv
t:instanceID>xmp.iid:7566f5d8-be32-b744-b3a6-36661031e0ff</stEvt
:instanceID>.                  <stEvt:when>2015-09-22T13:
<<< skipped >>>

GET /vQyVyP5.png HTTP/1.1

Accept: */*

Referer: hXXp://softvipdownload.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: i.imgur.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Last-Modified: Mon, 16 Jun 2014 04:28:30 GMT

ETag: "572d3751fa708458ce95a2938ebbf2d5"

Content-Type: image/png

Fastly-Debug-Digest: ccd76d253dafa1222ae135695b0eb2c43c9dc949cac4764de284820c5f9edec1

cache-control: public, max-age=31536000

Content-Length: 211539

Accept-Ranges: bytes

Date: Thu, 19 May 2016 07:10:54 GMT

Age: 9094262

Connection: keep-alive

X-Served-By: cache-iad2122-IAD, cache-ams4145-AMS

X-Cache: HIT, HIT

X-Cache-Hits: 1, 1

X-Timer: S1463641854.755910,VS0,VE0

Access-Control-Allow-Methods: GET, OPTIONS

Access-Control-Allow-Origin: *

Server: cat factory 1.0
.PNG........IHDR...^...........u.....pHYs.......... ......tIME.......&
gt;.%.....tEXtAuthor....H....tEXtDescription...!#....tEXtCopyright....
:....tEXtCreation time.5.......tEXtSoftware.]p.:....tEXtDisclaimer....
.....tEXtWarning.........tEXtSource.........tEXtComment.........tEXtTi
tle....'.. .IDATx...y.].u/...sz...64....;..Z.vl..-a..<......N."^.{.
.l./o}k...I..c..8...h.&..A-.......0.mF.....9U..Q...S....[h......S.k...
..k.p.Y/......0...$J.(Q.D..%..i.....c.uF...........T.D..%J.(..H.....(.
s....j...>.y.y....o..R*(%...R.EQ ...Dk....!.......1.*....y..(.PV.7.
..rH&*......}...K|H.8-].'.......K .qy[.C...p.w'7.....'c ~.....?...O.'.
.{..................N.._|...w....JI4..(........h4.....Bk...Zk.........
8.H....\...7...%...V.-..Rz...dd..;.H...6/..`..yHC...U..l..K.....e.M...
*..T.Yk.Un...%.r.W6.PJ........6..|.......?...O.'.'.........O.......N.h
`.....Q!y.V.W......."U0)UHO.Z......F....]...(_...x.L\...'/.....k..]...
...s]xy.3...f$?/'......M..c[&............p..{w.l.g2..w..e.............
=.y..,5.L...k-.,..%...`a....e.A..yyEQB....}.K.! ..y......qaL....c..LAJ
.....0.y.N.......!..\..JUr......B.(.P...A...^v....<.%]Hgk....EQ6..h
4j.j].Z'....N.....5.....r.,...B.`..S)..(..."...M.'.........H......g...
...C=..u ....Q....!8.Rs.a5.\.gV.E...2..aP....T.hy..B..F..Q.....`..d...
.".*-|t4....0...*.#....eT.W..!..=.I.`7zF.p...*.....\...R...U2.r8v<.
L..q.B......?...O..)..."}8e.".s4..y.p.....h.y....6.,..y`.B....ui.\.6..
..Z....oQ......2hc.g]j.h....p.d..V...V..E.J.......d..<..P.....>'
.e.g.....ad.l...1Y.....T4....Ut....{....-.....O.'...........&..v._
<<< skipped >>>

GET /dw3ypq17r/vtutorial.gif HTTP/1.1

Accept: */*

Referer: hXXp://softvipdownload.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: s2.postimg.org

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Thu, 19 May 2016 07:10:54 GMT

Content-Type: image/gif

Content-Length: 2809824

Connection: keep-alive

Set-Cookie: __cfduid=d30bef69fcbc2d4b23cc9bb038b33fadc1463641854; expires=Fri, 19-May-17 07:10:54 GMT; path=/; domain=.postimg.org; HttpOnly

Last-Modified: Fri, 15 Jan 2016 03:36:07 GMT

ETag: "56986927-2adfe0"

CF-Cache-Status: HIT

Expires: Fri, 19 May 2017 07:10:54 GMT

Cache-Control: public, max-age=31536000

Accept-Ranges: bytes

Server: cloudflare-nginx

CF-RAY: 2a55bb58344d3762-ARN
GIF89a .........................................R....1Z.B..J..k...{...
.){.Bc.JB.J..c......)..R.)1.)B.)Z.)..B{.RR.cZ.c...R.....!.)..B).BB.B..
JZ.J..Z{.k..k..{1.........!cJ!..)..)!!9!!9{.B1!B11BBcBB{BB.BR.BZkBc.Bc
.BkkBs.Bs.Bs.Bs.B{.B..B..B..B..B..B..J99JBBJ{kJ..J.cJ..Z))ZB1ZZ.Zk{Zk.
Z{.Z..Z..Z..c9{cJBcZ{c.sc..c..c..c..c..c..c..k1)kB1kk{k..k..k..sRBs..{
1s{B1{B{{Z{{Z.{cR{k.{..{..{..{..{..{...kc.ks.ss..s....................
.....B9.RJ.sZ.s............c...................)..JB.RR.k..k1.kB.kR..s
.......1).9..R..R).kc.{.................sB..Z..k..{................k..
k!.kk....B).k9.ss..)..{..R..k.....{.......!..J..R...{..{..R...........
.........1.....9..k.............)..B).Z..kB.s...R..k..{..k.k...k.....{
..k.......)..9...)..R.....R..k.9.........1.....{......................
...........!..NETSCAPE2.0.....!.......,.... ...........e...WP...... ..
...&.....b..FK.1yB......I('.\...../U..)...O4e...3.N..v....(OU6Q>J.t
...6..|D..J.U.2U...WG)....u..=f..,..m..p......Y.k.|..4...|..].Q......,
)(K. @......e.E......*.XW..L.pV..OO.i4....7..-3u...q.....o........'f..
.[...r...?O...u... .........9{F.......G..=.z....O.}..E.f......$......1
...b. H....I[.V.L...aJ8.4.O:.E..G....|...K....h....S%^..X....`z...]<
;.8.Ea......IWE>&..KUM...Ru..e....L .....Y!.d.........kZ...I..."j..
.[N....U.A..#..Vg...D..EAg]w.5w.v..w(r.5.....W....'.y.t....hA..E....Cd
....9....*[email protected]]5..gJ.y.(.$...PA!'.o .........V..XT/....,.t#..
jU.......E..$.n....w..R_{r.Ra..f.eV>(.`wD...YH...b.)..4...#.S{.....
....I..z.g.lF.uf...jrw.2W(u......EJ.0.....8....9.L^.)| *.......1..
<<< skipped >>>

GET /6qjerzrdn/image.png HTTP/1.1

Accept: */*

Referer: hXXp://softvipdownload.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: s15.postimg.org

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Thu, 19 May 2016 07:10:54 GMT

Content-Type: image/png

Content-Length: 144221

Connection: keep-alive

Set-Cookie: __cfduid=d8663556cce4a51711727b2234c7d1b5c1463641854; expires=Fri, 19-May-17 07:10:54 GMT; path=/; domain=.postimg.org; HttpOnly

Last-Modified: Sun, 03 Apr 2016 20:36:18 GMT

ETag: "57017ec2-2335d"

CF-Cache-Status: HIT

Expires: Fri, 19 May 2017 07:10:54 GMT

Cache-Control: public, max-age=31536000

Accept-Ranges: bytes

Server: cloudflare-nginx

CF-RAY: 2a55bb583fde37b6-ARN
.PNG........IHDR...%.........2"._....pHYs...t...t..f.x....tIME......:b
..K....tEXtAuthor....H....tEXtDescription...!#....tEXtCopyright....:..
..tEXtCreation time.5.......tEXtSoftware.]p.:....tEXtDisclaimer.......
..tEXtWarning.........tEXtSource.........tEXtComment.........tEXtTitle
....'.. .IDATx...wx\.}...).......A..I..{.E..]."[.c{c'..-..g.lr.Y{o...M
..&..8...*j.z.H... @...F...3g.....$XE.......#..3....|.....e....c.8...B
.!..B|..EAw,...$..!..B.!>t.P.88..c.S.?B.!..B...|3K.....5..}_..B.!..
.#g..e.i...mw9...Z..B.!...:H(.B.!..BL)..%..B.!.xW...e......p....d. .b.
7.. ......{....GB..B.!...])hj.|.....X..=O>..H....a.C.Qq.-..........
%B.!..B.w%..B...@M.._.2.p...;..A.........pK.... .G..V._...yO..B.!.....
.Y./..xl.~T....&\.....B.....k......m2....._1.e.e.;.i.R"..B.!.x.z.x.L8.
.o~..y...(z.fd.a.|. .O...:d.-!..B.!..f&......?.s2....|[email protected].....!~..v&
s.uH(.B.!..B.'z0H^}=.._u..?.A...B.!....-PSsAQ{...=.........:..D.!..B..
..B!f<......pl.cl....;z....F..B!.}....Y..._q=2...B.!....]n......T.s
...Mf|.._.*..V.mm............6.....d.c.&-%B.!..B.w.UPpAQ{....00..s...H
..D...HM..B.!...q>.......U.P..R)....I&......_$z.8..n.w..`.1:..k...,
D.........P"..B.!.G......z......7:6....v......:.L&9.....z.)...J~~.U9..
..m".(..~e...n.U9_.b;....-% B.!..BL..v....4............BIAA...?.....s.
F.F...........y...5....s.F.._.1.1C.e..B.!....h....7P......s......[J...
([email protected]..!..B.1Ul.ftll.w..d.-!..B.!...P"..B.!..R..B.....!.
w..f:N....5T.K0.FS...0-.K..S3......~........n....%.N.6...........#M4..
...eUQ5...^5C6e.....B...!.B\Q...*.G0...g.......S.t........>RE~.
<<< skipped >>>

GET /6kki806sr/animated.gif HTTP/1.1

Accept: */*

Referer: hXXp://softvipdownload.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: s28.postimg.org

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Thu, 19 May 2016 07:10:54 GMT

Content-Type: image/gif

Content-Length: 1403309

Connection: keep-alive

Set-Cookie: __cfduid=d9e30535b8876e65ed8e172e5952d31501463641854; expires=Fri, 19-May-17 07:10:54 GMT; path=/; domain=.postimg.org; HttpOnly

Last-Modified: Fri, 15 Jan 2016 03:29:32 GMT

ETag: "5698679c-1569ad"

CF-Cache-Status: HIT

Expires: Fri, 19 May 2017 07:10:54 GMT

Cache-Control: public, max-age=31536000

Accept-Ranges: bytes

Server: cloudflare-nginx

CF-RAY: 2a55bb582eb5372c-ARN
GIF89a .............................s.!..Z!..Z..).!B.)c.)..1..9Z.Bs.J.
.R..R..k..1..k..s....!9B!..)..)9!)ZZ)Zs)s.1.c1.J1!11)k1Bc1B.1J.1J.1ZB1
s{1s.1.B1..1..1..9k.B..B!1B).B91B{ZB..B..B.9J!kJJZJZcJs.J.sRR.Rk.Rs.R.
.R..R..Z!JZB9ZRBZ.Bc..c.1c).c)kc9.cRccZ.cZ)ccBc{Zc.sc..c..c.sc.Zkkkks.
k{{k{.k..k..sc.s{.s..{1.{..{..{...9Z.J..R1.Rc.kR.ks..9..s.11.k1..s..s.
.k....................9..9.......R1.s1.s.....kR.ks.s...9..k.....s..Z..
{.9J..1.....s.......c..k1.......cR.cs..Z..s..{.9R..9..1..Z..Z..{....s.
..........k1..9.......sc..Z..s..1..Z..{........9..R..s.....R..s.......
............9...9.{..9k.k.......c{B..1.R.9s9....)9..R..R..Z..c.1s....9
k.1s.k..J..B...).s..k..........................9..s99Z!c.B..........ZR
.....9.)..)..11.J9....Zc.R...........9.....9J.Jc.c..R.................
...........!..NETSCAPE2.0.....!.......,.... ..........HP......<.P..
[email protected]... C..I....(S.\I..H.0av.I.F..E.<.y.f..3b..H.......
<9......J.Juj..X.f..u...MS.\y....g_&...m[..........x....Ah..$...9.p
...F~....a.n#..0bf...|R....g..k..<.n.(h....&u........3P&f..r.;..A.w
.v..xj... ..|.. Ft...S...\.k.......)6..H.<....._........l.aF."F..y.
E.....5.{.....c...T.U...ZE. w...R.&%...'i..Y...TF..X.L.....w...c.yT`Q.
i(_Yc...d<.dYS..y.h......e.Zrh....f...OL..D..X..!.... ]..[s.9..sh*.
..MDG..QY7a.t^W.S.}g^y...gB....B3.%...&.ad4.wS~PD*.l...S.LTY...v:.K/.T
aSQ.0......."Dx..]..j...-.hL!..T.2.'.c..."...............F...k..-.d.Hf
..mV....OBi..E......B.)..b..a...pf2g..i......)'.r.J.Sz.....'....6[...F
.^[email protected])...V....n.k.$.$kUv.. ..j0j|$....r. ..z.(..<.8-..\...
<<< skipped >>>

GET /vfxec11iz/9gag.png HTTP/1.1

Accept: */*

Referer: hXXp://softvipdownload.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: s15.postimg.org

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Thu, 19 May 2016 07:10:54 GMT

Content-Type: image/png

Content-Length: 169529

Connection: keep-alive

Set-Cookie: __cfduid=dc285e284cf77bf1808efeaaac138e9051463641854; expires=Fri, 19-May-17 07:10:54 GMT; path=/; domain=.postimg.org; HttpOnly

Last-Modified: Fri, 15 Jan 2016 03:28:40 GMT

ETag: "56986768-29639"

CF-Cache-Status: HIT

Expires: Fri, 19 May 2017 07:10:54 GMT

Cache-Control: public, max-age=31536000

Accept-Ranges: bytes

Server: cloudflare-nginx

CF-RAY: 2a55bb5826b805bb-ARN
.PNG........IHDR.....................pHYs...t...t..f.x....tEXtCreation
 time.5..... .IDATx...wxT...............b...^...8....Y....M.K6...w....
..8..:..ILb.........][email protected].<.y...s....b...^..B.
!..B.!.mM..h......B.!..B.!..){.............:t....E.!..B.!..BL"...!..B.
!..BL....B.!..B.!...$.$..B.!..B.1.H.H.!..B.!..b.POv...B.!..B.1.edd.z..
..1...M.@B.!..B.!......7.....5#~.".8.Txl7)5.i.lg_x,...0...4..a.C.T....
%m...V...B.!..B.!..7..k.\..,y..^...)........O...7T.......rv.tv........
A...B. ...... ..B.!..B.!F5..F......A7[..FQ........<n.^.............
....Fi....v*..i.*..s.B.!..B.!..P7s.P....<.7x...P.B.....P..(...s.6..
v..6........}...B.!..B.!n"}.>7S...p.x.Z.FoDk.....1(..O ....F.B.@...
G.R.U.B.!....n. c.v.'.#.....\.dd.a.\a!......@..{....`..$...q*.._...v.f
..W..Q_A.....3.tyP(@......B......M.`].....=...l....9lL.....|;..e..3..v
.}/.a].....vg......~.....6P.}...z\......}.:.mje.......o...<7...{...
....`}..<..BL..S..*.=.F..J]v.J.....V]..H/..2..o...B..*.;:.z.h5j.B..
....;......k*.R.*...B.[KA..r...P).. ...nS.l...S2.....|;...#.x39.:..9..
=L..%c..Y7IPs......9.%:..3..n.}.A..Ev.fr^J..o....H..R...l....`.Vr^....
0...H.S.!.D........q:N..9(b.............FAY5'.]..........).R..."..V...
..<.......%v.\.....s.B.1..X...7w.-.....j.:...4.e.Mv.n..kyn..._a\g.M
....1'.....i.......I..l.Z.-.....Z....?....B6.l....^.....dm...*wK.....{
.W....(..<nY`..G.^..<[email protected],[email protected]...^.Dmc.Z.... 
...bs8(,)....$X.0..c.w!...l..L..^a....|.........._0.'.q[.^..kV..e0.|.[
P...dfo"k[.k%.h.D..3.......rH.......2.....,]i% k/....f...uO.......
<<< skipped >>>

GET /ar19thbr9/maxresdefault.jpg HTTP/1.1

Accept: */*

Referer: hXXp://softvipdownload.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: s32.postimg.org

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Thu, 19 May 2016 07:10:54 GMT

Content-Type: image/jpeg

Content-Length: 55279

Connection: keep-alive

Set-Cookie: __cfduid=d9c425df9f42e512da41c84a647c5975c1463641854; expires=Fri, 19-May-17 07:10:54 GMT; path=/; domain=.postimg.org; HttpOnly

Last-Modified: Tue, 26 Apr 2016 23:00:09 GMT

ETag: "571ff2f9-d7ef"

CF-Cache-Status: HIT

Expires: Fri, 19 May 2017 07:10:54 GMT

Cache-Control: public, max-age=31536000

Accept-Ranges: bytes

Server: cloudflare-nginx

CF-RAY: 2a55bb5816ed1694-ARN
......JFIF.............*Exif..II*.......1...............Google........
......................................................................
................................................................h.....
.........................................h..........................!1
...AQ."aq..#2B...356Rbrst....$SUu...........&Tc......LDe....7d...E..
.....................................M..........................!1.AQq
."2a......4Rr..#35BSb.....$6....Ì.ET....d............?...R.....P..@(
......P..@(......P..@(......P..@(....QT..P..@(......P..@(......P..@(..
....P..@(......P..@(......P..@(......P..@(......P..@(......P..@(......
P..U..U..i.2Lq.o)...C. &.. ...9.w...V..<S.........#.eee%YX.e`pU..A.
...5........5...t.NN3M5....Q.W...@*.S.P..@(......P..U..@*..L.@).)..p..
........`..0PS.U0T....SW`....Y\..........P..@(......@(......P..@(.....
.P..@([email protected].*.|.KL.......6y...A......[...)R ..aCM...*S.t_..
...5.~..?.N...I.j*m..O.U.M.#....._6.^./.].WT=bLo.XG..Y..$q...U...y.R.c
......R...".._..n...c.6.........h.. ..SWm...n.._.t4>K.?.......].WR.
=~.sw)........*..v..^da.S~....5...Ru%.I}..4..Z$\|..>2.p....O......5
?...%...P.}....{.6....tY......2;....".......U..........ao.*._.E...Q...
.....`.7..xS.8E%....J?T...n.<.....4~.<_.?..>..-z.........AT..
..................R....n...1.r.e.q.!..3.}..=.>..5.v..*O2.G{.le...H.
r......~.....9..M..G..H.).W.m..O...|..,.....'^h....\..5o..?.~.?.......
.O...V...8.O..h ......~.|..|.......]M9..ow..9..XVT6..........&WI~*._~Q
.G..G<...L.>g5.....oa..&..\%M..n......h_CC>G....Y.it...p.
<<< skipped >>>

GET /t.php?sc_project=10738598&java=1&security=267f1d37&u1=E3A0092DF6854F4581DBD39C31C9578C&sc_random=0.40540406162741676&jg=new&rr=1.1.1.1.1.1.1.1.1&resolution=1276&h=846&camefrom=&u=http://bestprosoft.xyz/redirection.html&t=&sc_snum=1&p=0&invisible=1 HTTP/1.1

Accept: */*

Referer: hXXp://bestprosoft.xyz/redirection.html

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: c.statcounter.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Thu, 19 May 2016 07:10:53 GMT

Server: Apache/2.2.3 (CentOS)

P3P: policyref="hXXp://VVV.statcounter.com/w3c/p3p.xml", CP="ADMa OUR COM NAV NID DSP NOI COR"

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Set-Cookie: is_unique=sc10738598.1463641853.0; expires=Tue, 18-May-2021 07:10:53 GMT; path=/; domain=.statcounter.com

Set-Cookie: is_visitor_unique=1463641853328226018; expires=Sat, 19-May-2018 07:10:53 GMT; path=/; domain=.statcounter.com

Content-Length: 49

Connection: close

Content-Type: image/gif
GIF89a...................!.......,...........T..;..

GET /83aip3acb/image.png HTTP/1.1

Accept: */*

Referer: hXXp://softvipdownload.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: s23.postimg.org

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Thu, 19 May 2016 07:10:54 GMT

Content-Type: image/png

Content-Length: 116484

Connection: keep-alive

Set-Cookie: __cfduid=d8663556cce4a51711727b2234c7d1b5c1463641854; expires=Fri, 19-May-17 07:10:54 GMT; path=/; domain=.postimg.org; HttpOnly

Last-Modified: Sun, 03 Apr 2016 20:36:35 GMT

ETag: "57017ed3-1c704"

CF-Cache-Status: HIT

Expires: Fri, 19 May 2017 07:10:54 GMT

Cache-Control: public, max-age=31536000

Accept-Ranges: bytes

Server: cloudflare-nginx

CF-RAY: 2a55bb583fdd37b6-ARN
.PNG........IHDR.......g.............pHYs...t...t..f.x....tIME......-.
UF.....tEXtAuthor....H....tEXtDescription...!#....tEXtCopyright....:..
..tEXtCreation time.5.......tEXtSoftware.]p.:....tEXtDisclaimer.......
..tEXtWarning.........tEXtSource.........tEXtComment.........tEXtTitle
....'.. .IDATx...wt..}...[......vR.I.")Q....u,...O,;..N..'.DI.I.....ql
'7v"'q.\."....^.bQ.M.$....o...3....J.....ZZK...~..Pk......~.#BDDDDDD..
[email protected].]........#."
.R........-.........Q(........Q(........Q(........Q(..........=.......
...d......S...]..`.3.LbR...<.r...2{:}...,X9.F*g2..B?._~.]^;-..3gz..
.xg.R......sA.N.>.....................[[email protected]..[]...~...O....)
.. $(....i...?........(....=.j........[..L..._...B6..>.....m .p<
.......O.:_~.......e.h>Kw.......s.S....|..,........\.]...[.....-.K.
...5..?...|........r.......K..V....7~.. ...9 ....""""""...IP..J..~6.LO
....<...oq4u.#]..._v../.8t._........Ac...;..t.......k....>.a..""
""""rB.|.^~;.........=..MLc....7..;.m.$..w;.R.......!.<..7|...o.p..
{.^..7~.w.....Y..B.........;.....O../.a..,..o..|.C.....&S.8{.T.wEDDDDD
....X..=|.?....O.._.w..?................)...i.TDDDDDd."...l..;<s.H.
X..n.s/Z......0..!.^:....~....%.s%...........HK|...~...K=..wb]u!.._.-.
JEDDDDDF(......|..>7...1.t..-......R.......w..<.........(= ..t..
.q..............w....2 .#6.J..=$...W....x.2..'3.........""""""#..V.Ts;
..5d.:......8g.......C..5_.ob.c....? ....Y.~.==..^.......l...........`
.}..:...{.0p.B..EQ.Z./"""""r......@/Y/...hb..%...cg/[email protected].
<<< skipped >>>

HEAD /freeupgradesoftNEW/8-Windows10PHONE/upgrade.exe HTTP/1.0

Host: upgradesoftware2017.com

User-Agent: InnoTools_Downloader

HTTP/1.1 200 OK

Content-Length: 814257

Content-Type: application/octet-stream

Last-Modified: Wed, 18 May 2016 22:23:59 GMT

Accept-Ranges: bytes

ETag: "c4f445f953b1d11:0"

Server: Microsoft-IIS/7.0

X-Powered-By: ASP.NET

Date: Thu, 19 May 2016 07:10:47 GMT

Connection: close

GET /wp-content/uploads/2015/09/cover-coperta1.png HTTP/1.1

Accept: */*

Referer: hXXp://softvipdownload.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: bestprosoft.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Cache-Control: no-cache,max-age=1209600

Content-Type: image/png

Last-Modified: Wed, 28 Oct 2015 19:27:33 GMT

Accept-Ranges: bytes

ETag: "bf4a8cb1b611d11:0"

Server: Microsoft-IIS/7.0

X-Powered-By: ASP.NET

Date: Thu, 19 May 2016 07:10:54 GMT

Content-Length: 408129
.PNG........IHDR...;.........,.......pHYs...............Q7iTXtXML:com.
adobe.xmp.....<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?&
gt;.<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6
-c067 79.157747, 2015/03/30-23:40:42        ">.   <rdf:RDF xmlns
:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#">.      <rdf:D
escription rdf:about="".            xmlns:xmpMM="hXXp://ns.adobe.com/x
ap/1.0/mm/".            xmlns:stEvt="hXXp://ns.adobe.com/xap/1.0/sType
/ResourceEvent#".            xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/
sType/ResourceRef#".            xmlns:dc="hXXp://purl.org/dc/elements/
1.1/".            xmlns:photoshop="hXXp://ns.adobe.com/photoshop/1.0/"
.            xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/".            xmln
s:tiff="hXXp://ns.adobe.com/tiff/1.0/".            xmlns:exif="hXXp://
ns.adobe.com/exif/1.0/">.         <xmpMM:DocumentID>adobe:doc
id:photoshop:7dc6d6fe-6f98-11e5-a45f-8d0ceaf35f2b</xmpMM:DocumentID
>.         <xmpMM:InstanceID>xmp.iid:e23bdc10-e0bc-8842-acca-
88dbbfba81b4</xmpMM:InstanceID>.         <xmpMM:OriginalDocum
entID>F31F7DCFDC00A2B122E4DA3F0F781EDF</xmpMM:OriginalDocumentID
>.         <xmpMM:History>.            <rdf:Seq>.      
         <rdf:li rdf:parseType="Resource">.                  <
;stEvt:action>saved</stEvt:action>.                  <stEv
t:instanceID>xmp.iid:7566f5d8-be32-b744-b3a6-36661031e0ff</stEvt
:instanceID>.                  <stEvt:when>2015-09-22T13:
<<< skipped >>>

GET /wp-content/uploads/2015/08/Cover.png HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: bestprosoft.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Cache-Control: no-cache,max-age=1209600

Content-Type: image/png

Last-Modified: Mon, 24 Aug 2015 01:21:30 GMT

Accept-Ranges: bytes

ETag: "9a0e134bded01:0"

Server: Microsoft-IIS/7.0

X-Powered-By: ASP.NET

Date: Thu, 19 May 2016 07:10:58 GMT

Content-Length: 111332
.PNG........IHDR...[..........M/.....pHYs................OiCCPPhotosho
p ICC profile..x..SgTS..=...BK...KoR.. RB....&*!..J.!...Q..EE.........
..Q,......!.........{.k........>...........H3Q5...B..........@..$p.
...d!s.#...~<< ".....x.....M..0.....B.\[email protected]..@F....
&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH..
...........0Q..)..{.`.##x.....F.W<. ...*..x..<.$9E.[.-q.WW..(.I.
 [email protected]..._-...."[email protected]~..,/...;.
.m..%..h^[email protected].~<<E.........J.B[a.W}.g._.W.l.~<..
....$.2].G......L......b...G.......".Ib.X*..Q.q.D...2.".B.).%..d..,..&
gt;.5..j>.{.-.]c..K'.Xt.......o..(...h...w..?.G.%..fI.q..^D$.T..?..
..D..*.A....,.........`6.B$..B.B.d..r`)..B(....*`/[email protected]..=p..
a...(....A...a!...b.X#......!.H...$ ...Q"K.5H1R.T UH..=r.9.\F..;..2...
.G1...Q=...C..7..F...dt1......r..=.6....h...>C.0....3.l0...B.8,..c.
."......V.....c..w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.X
H,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,  .......3...!.[.
[email protected].(R.jJ....4..e.2AU..R...T.5.ZB...R.Q...4u.9...IK......h.h.i..t.
....N..W...G.....w.......g(.....g.w...L......T071......oUX*.*|.....J.&
..*/T.......U.U.T..^S}.FU3S......U..P.S.Sg.;...g.oT?.~Y...Y.L.OC.Q.._.
.. .c..x,!k...u.5.&...|v*......=...9C3J3W.R..f?...q..tN..(...~....).).
.4L.1e\k....X.H.Q.G..6......E.Y...A.J'\'Gg.....S.S.....M=:....k....Dw.
n.....^..Lo..y....}/.T.m...G.X...$.....<.5qo<./...QC][email protected]....
..<..F.F..i.\.$.m.m..&.&!&KM.M..RM..).;L;L........5.=1.2.......
<<< skipped >>>

The Trojan connects to the servers at the folowing location(s):

%?9-*09,*19}*09

.text

`.data

.rsrc

msvcrt.dll

KERNEL32.dll

NTDLL.DLL

USER32.dll

SHLWAPI.dll

SHDOCVW.dll

Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess

IE-X-X

rsabase.dll

System\CurrentControlSet\Control\Windows

dw15 -x -s %u

watson.microsoft.com

IEWatsonURL

%s -h %u

iedw.exe

Iexplore.XPExceptionFilter

jscript.DLL

mshtml.dll

mlang.dll

urlmon.dll

wininet.dll

shdocvw.DLL

browseui.DLL

comctl32.DLL

IEXPLORE.EXE

iexplore.pdb

ADVAPI32.dll

MsgWaitForMultipleObjects

IExplorer.EXE

IIIIIB(II<.Fg

7?_____ZZSSH%

)z.UUUUUUUU

,....Qym

````2```

{.QLQIIIKGKGKGKGKGKG

;33;33;0

8888880

8887080

browseui.dll

shdocvw.dll

6.00.2900.5512 (xpsp.080413-2105)

Windows

Operating System

6.00.2900.5512

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   amisid.exe:1940
   setup.exe:1752
   setup.tmp:644
   %original file name%.exe:228
   win10phone__2827_il36975_26.exe:572
   Upgrade.exe:1492

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   %Documents and Settings%\%current user%\Local Settings\Temp\is-7RV69.tmp\setup.tmp (3784 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\is-21BKS.tmp\_isetup\_shfoldr.dll (23 bytes)
   %Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CW5HG8EK\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\B9DDBJCW\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\BKVRWAPP\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\is-21BKS.tmp\Upgrade.exe (8581 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\is-21BKS.tmp\itdownload.dll (1281 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\POEKUC06\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\7ZipSfx.000\setup.exe (3249 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsi3.tmp\nsisos.dll (5 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nst2.tmp (16052 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsi3.tmp\amisid.exe (1856 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsi3.tmp\registry.dll (784 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsi3.tmp\NSIS_AntiVmFraud.dll (3312 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsi3.tmp\System.dll (11 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\win10phone__2827_il36975_26.exe (3446 bytes)

4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
5. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.