Win32.Sality.3_f6081ec84e
Win32.Sality.3 (B) (Emsisoft), Win32.Sality.3 (AdAware), Trojan.Win32.Swrort.3.FD, Virus.Win32.Sality.FD, Virus.Win32.Sality.2.FD, VirusSality.YR, GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, Virus, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: f6081ec84ecf7e26b7d2b49866274d73
SHA1: e34a01d80c01783dbb091e88c9a763e43f1a8a7a
SHA256: 66dc9210620cd5e6847fe708cb9fb3e62b7350289a7df81a05d8d2b877507157
SSDeep: 12288:tlS8X8hs4Rwo0a1xqDOevoSrzrLKxc5EVV8u:zS8X8h7wla1gOozN2VVb
Size: 437592 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2014-07-23 11:01:45
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
| Behaviour | Description |
|---|---|
| WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):
%original file name%.exe:528
Explorer.EXE:128
Mutexes
The following mutexes were created/opened:
c:!documents and settings!adm!local settings!history!history.ie5!mshist012014081320140814!
_!SHMSFTHISTORY!_
{1B655094-FE2A-433c-A877-FF9793445069}
CTF.TMD.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
CTF.Layouts.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
CTF.Asm.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
CTF.Compart.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
CTF.LBES.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
RasPbFile
WininetProxyRegistryMutex
WininetConnectionMutex
WininetStartupMutex
c:!documents and settings!adm!local settings!history!history.ie5!
c:!documents and settings!adm!cookies!
c:!documents and settings!adm!local settings!temporary internet files!content.ie5!
_!MSFTHISTORY!_
ShimCacheMutex
%original file name%.exeM_528_
wmiprvse.exeM_1820_
msiexec.exeM_904_
vmtoolsd.exeM_2028_
jqs.exeM_1960_
mscorsvw.exeM_1912_
spoolsv.exeM_1424_
svchost.exeM_1096_
svchost.exeM_928_
lsass.exeM_772_
services.exeM_760_
winlogon.exeM_716_
csrss.exeM_692_
smss.exeM_620_
uxJLpe1m
ZonesLockedCacheCounterMutex
ZonesCacheCounterMutex
ZonesCounterMutex
File activity
The process %original file name%.exe:528 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\f[1].txt (392 bytes)
%WinDir%\system.ini (72 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\CA4TAJWL.gif (35 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\CAQBKHYB.gif (35 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\CAPH7ZUK.gif (35 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\sd_100733_cf3f5[1].jpg (4920 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\campaign-100861,100733[1].htm (2006 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\sd_100861_41d97[2].jpg (1016 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\fad58-59ade[1].css (780 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\pubads_impl_46[1].js (2696 bytes)
C:\autorun.inf (325 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\Reader_sl.exe (432 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\CA6JILM5.gif (35 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\CAPWA1H3.gif (35 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\gradientbg[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\CASTMF2R.gif (35 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\sd_100861_41d97[1].jpg (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\winlruq.exe (741 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\sd_100733_cf3f5[1].jpg (7450 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\f[2].txt (829 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\pubads_impl_46[1].js (3573 bytes)
%System%\wbem\Logs\wbemprox.log (152 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (187 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\hitman-18[1].png (844 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\f[1].txt (3656 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\campaign-100861,100733[1] (1714 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\sd_icon_100861_8a4a3[1].png (1 bytes)
C:\rdhxl.pif (103 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\universaldownloader-prefetch[1].htm (657 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\sprite[1].png (7 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (209 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (11258 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\fad58-59ade[2].css (529 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\CAWXEJGD.gif (35 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (23136 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\loading[1].gif (1 bytes)
%Program Files%\Common Files\Java\Java Update\jusched.exe (272 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\306e0-148e0[1].js (7571 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (11634 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\f[2].txt (4261 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\f[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\CA4TAJWL.gif (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\winlruq.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\CASTMF2R.gif (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\f[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\CAPH7ZUK.gif (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\CAWXEJGD.gif (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013041720130418\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\fad58-59ade[1].css (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\CAQBKHYB.gif (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013041720130418 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\pubads_impl_46[1].js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\CA6JILM5.gif (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\CAPWA1H3.gif (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (0 bytes)
Registry activity
The process %original file name%.exe:528 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"
[HKCU\Software\Aas]
"a1_184" = "124912842"
"a2_255" = "1828119425"
"a1_183" = "863878424"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKCU\Software\Aas\695404737]
"50183847" = "5D585DB0C242E19554AF9464967FCCA3804140C56ECCA2C056492A0D89FDC1847E0A1AC7AA0227DE42694F782B065B835925C77F66B8367A7F776AEBDA2383B41C67A49C70F3E05C3F4D88C19308D9A4F3ABE8943E8931055A228E88455D3393ADBCD4D391254F1D88554A5C8D5EC25006A91F65EC7D34EC05DC0F6CE233A0A1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014081320140814]
"CacheLimit" = "8192"
[HKCU\Software\Aas\695404737]
"21507363" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKCU\Software\Aas]
"a1_139" = "3511011869"
[HKCU\Software\Softonic\Universal Downloader]
"uuid" = "0447DF04-078F-413D-88E9-63E7A1412DBA"
[HKCU\Software\Aas]
"a1_159" = "3766657082"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallOverride" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UpdatesDisableNotify" = "1"
[HKCU\Software\Aas\695404737]
"35845605" = "229"
[HKCU\Software\Aas]
"a2_194" = "1390806629"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Aas]
"a4_148" = "1061029908"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014081320140814]
"CacheOptions" = "11"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014081320140814]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012014081320140814\"
[HKCU\Software\Aas\695404737]
"28676484" = "35"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Aas]
"a2_209" = "1498342886"
"a4_131" = "939154851"
"a3_261" = "1854160076"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014081320140814]
"CacheRepair" = "0"
[HKCU\Software\Aas]
"a3_228" = "1617824845"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Aas]
"a3_189" = "1371566516"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Aas]
"a3_227" = "1610836010"
"a3_50" = "341766363"
"a3_51" = "348755322"
[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "1"
[HKCU\Software\Aas\695404737]
"14338242" = "0"
[HKCU\Software\Aas]
"a1_150" = "2630623368"
"a1_151" = "3953062215"
[HKCU\Software\Aas\695404737]
"7169121" = "221"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Aas]
"a1_96" = "280283568"
"a3_185" = "1309597744"
"a1_173" = "3124298052"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014081320140814]
"CachePrefix" = ":2014081320140814:"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallDisableNotify" = "1"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 17 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CD 2B A6 47 66 82 5E BF 14 75 18 C3 65 49 F0 82"
[HKCU\Software\Aas\695404737]
"43014726" = "0700687474703A2F2F6D657273696E6573636F72746C6172692E636F6D2F6C6F676F2E67696600687474703A2F2F7777772E706C73657870726573732E636F6D2F696D616765732F6C6F676F2E67696600687474703A2F2F7061657061696C696E2E636F6D2F6C6F676F2E67696600687474703A2F2F646572657375742E636F6D2F6C6F676F2E67696600687474703A2F2F736D74726F666575732E636F6D2E62722F6C6F676F2E67696600687474703A2F2F6E626669782E6E65742F6C6F676F2E67696600687474703A2F2F7265666B616A70617269732E66722F6C6F676F2E676966"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UacDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"
The Trojan modifies IE security-zone settings to map all sites that bypass the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
Firewall notifications are disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = "1"
The Trojan adds a rule to the Windows Firewall that allows any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:]
"%original file name%.exe" = "c:\%original file name%.exe:*:Enabled:ipsec"
The Trojan modifies IE security-zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The firewall is disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
Antivirus notifications are disabled:
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusDisableNotify" = "1"
The Trojan modifies IE security-zone settings to map all local sites with no dots in their names, which are not assigned to any zone, to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan deletes the following registry key(s):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013041720130418]
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
| MD5 | File path |
|---|---|
| d9eadca37db462c17eddd3c3a82ecd6d | c:\rdhxl.pif |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.
VersionInfo
Company Name: Softonic
Product Name: Softonic Downloader
Product Version: 1.41.3.5
Legal Copyright: Copyright (C) 2014
Legal Trademarks:
Original Filename: SoftonicDownloader.exe
Internal Name: SoftonicDownloader.exe
File Version: 1.41.3.5
File Description: Softonic Downloader
Comments:
Language: English (United States)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| wffD56w5 | 4096 | 688128 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| u5AHyC7V | 692224 | 323584 | 323072 | 5.54394 | 2ed7cdc6746c338ca484b0da5052d090 |
| .rsrc | 1015808 | 86016 | 86016 | 5.37593 | e5393ead1e10a7857ee9cb0df7f4213b |
URLs
| URL | IP |
|---|---|
| hxxp://www-google-analytics.l.google.com/__utm.gif?utmwv=5.4.6&utms=1&utmn=1088278839&utmhn=hitman-pro.sd.softonic.com&utmcs=utf-8&utmsr=1024x768&utmvp=650x450&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=Asistente de instalación de&utmhid=753756403&utmr=-&utmp=/98580/universaldownloader-prefetch&utmht=1407954787399&utmac=UA-48247475-1&utmcc=__utma=185463600.1416413502.1407954787.1407954787.1407954787.1;+__utmz=185463600.1407954787.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmmt=1&utmu=qAAg~ | |
| hxxp://46.28.209.74/blank.gif?product=st_session&event=prefetch:session:create&id_session=7BFA1B9E-C8F3-46AE-87F5-0A1EBF8B3107¶ms={"client":{"ab_test":"","download_date":"1407954773","execution_date":"1407954787618","client_timezone":3,"api_version":"1.41.3"},"user":{"id_machine":"a8a67a25000000000000000c29d6c59b","id_user":"0447DF04-078F-413D-88E9-63E7A1412DBA","os":"WindowsXP"},"browser":{"default_browser":"iexplorer","default_browser_version":"6.0.2900.5512","default_browser_language":"en","default_browser_used":0,"default_browser_search_provider":"","default_browser_homepage":""},"program":{"id_cob":"0","id_file":"98580","id_section":"555","id_main_section":"548"}} | |
| hxxp://46.28.209.74/blank.gif?product=st_sd_prefetch&event=camp_rpm&id_session=7BFA1B9E-C8F3-46AE-87F5-0A1EBF8B3107¶ms={"101197":{"campaign_id":"101197","default_rpm":5139},"100942":{"campaign_id":"100942","default_rpm":4715},"100861":{"campaign_id":"100861","default_rpm":8418},"100733":{"campaign_id":"100733","default_rpm":9092},"100727":{"campaign_id":"100727","default_rpm":5286},"100712":{"campaign_id":"100712","default_rpm":1051},"100711":{"campaign_id":"100711","default_rpm":940},"100707":{"campaign_id":"100707","default_rpm":414},"100516":{"campaign_id":"100516","default_rpm":1161},"50593":{"campaign_id":"50593","default_rpm":271},"41483":{"campaign_id":"41483","default_rpm":1},"100978":{"campaign_id":"100978","default_rpm":1126},"sd_flag":1} | |
| hxxp://46.28.209.74/blank.gif?product=st_sd_prefetch&event=camp_eval&id_session=7BFA1B9E-C8F3-46AE-87F5-0A1EBF8B3107¶ms={"campaign_id":"100733","excluded":"0","sd_flag":1} | |
| hxxp://46.28.209.74/blank.gif?product=st_sd_prefetch&event=camp_eval&id_session=7BFA1B9E-C8F3-46AE-87F5-0A1EBF8B3107¶ms={"campaign_id":"100861","excluded":"0","sd_flag":1} | |
| hxxp://46.28.209.74/blank.gif?product=st_sd_prefetch&event=sc_eval&id_session=7BFA1B9E-C8F3-46AE-87F5-0A1EBF8B3107¶ms={"campaign_id":"100733","sc_id":"-1","sc_type":"ns","met":false,"sd_flag":1} | |
| hxxp://46.28.209.74/blank.gif?product=st_sd_prefetch&event=sc_eval&id_session=7BFA1B9E-C8F3-46AE-87F5-0A1EBF8B3107¶ms={"campaign_id":"100733","sc_id":"1131","sc_type":"ns","met":false,"sd_flag":1} | |
| hxxp://46.28.209.74/blank.gif?product=st_sd_prefetch&event=sc_eval&id_session=7BFA1B9E-C8F3-46AE-87F5-0A1EBF8B3107¶ms={"campaign_id":"100733","sc_id":"-2","sc_type":"ns","met":false,"sd_flag":1} | |
| hxxp://46.28.209.74/blank.gif?product=st_sd_prefetch&event=sc_eval&id_session=7BFA1B9E-C8F3-46AE-87F5-0A1EBF8B3107¶ms={"campaign_id":"100733","sc_id":"1239","sc_type":"ns","met":false,"sd_flag":1} | |
| hxxp://46.28.209.74/blank.gif?product=st_sd_prefetch&event=sc_eval&id_session=7BFA1B9E-C8F3-46AE-87F5-0A1EBF8B3107¶ms={"campaign_id":"100733","sc_id":"1124","sc_type":"ns","met":false,"sd_flag":1} | |
| hxxp://46.28.209.74/blank.gif?product=st_sd_prefetch&event=sc_eval&id_session=7BFA1B9E-C8F3-46AE-87F5-0A1EBF8B3107¶ms={"campaign_id":"100733","sc_id":"1132","sc_type":"ns","met":false,"sd_flag":1} | |
| hxxp://46.28.209.74/blank.gif?product=st_sd_prefetch&event=sc_eval&id_session=7BFA1B9E-C8F3-46AE-87F5-0A1EBF8B3107¶ms={"campaign_id":"100733","sc_id":"1259","sc_type":"ns","met":false,"sd_flag":1} | |
| hxxp://46.28.209.74/blank.gif?product=st_sd_prefetch&event=sc_eval&id_session=7BFA1B9E-C8F3-46AE-87F5-0A1EBF8B3107¶ms={"campaign_id":"100733","sc_id":"1130","sc_type":"ns","met":false,"sd_flag":1} | |
| hxxp://46.28.209.74/blank.gif?product=st_sd_prefetch&event=sc_eval&id_session=7BFA1B9E-C8F3-46AE-87F5-0A1EBF8B3107¶ms={"campaign_id":"100733","sc_id":"-3","sc_type":"ns","met":false,"sd_flag":1} | |
| hxxp://46.28.209.74/blank.gif?product=st_sd_prefetch&event=sc_eval&id_session=7BFA1B9E-C8F3-46AE-87F5-0A1EBF8B3107¶ms={"campaign_id":"100861","sc_id":"-3","sc_type":"ns","met":false,"sd_flag":1} | |
| hxxp://46.28.209.74/blank.gif?product=st_sd_prefetch&event=sc_eval&id_session=7BFA1B9E-C8F3-46AE-87F5-0A1EBF8B3107¶ms={"campaign_id":"100861","sc_id":"-1","sc_type":"ns","met":false,"sd_flag":1} | |
| hxxp://46.28.209.74/blank.gif?product=st_sd_prefetch&event=sc_eval&id_session=7BFA1B9E-C8F3-46AE-87F5-0A1EBF8B3107¶ms={"campaign_id":"100861","sc_id":"-2","sc_type":"ns","met":false,"sd_flag":1} | |
| hxxp://46.28.209.74/blank.gif?product=st_sd_prefetch&event=sc_eval&id_session=7BFA1B9E-C8F3-46AE-87F5-0A1EBF8B3107¶ms={"campaign_id":"100861","sc_id":"430","sc_type":"ns","met":false,"sd_flag":1} | |
| hxxp://46.28.209.74/blank.gif?product=st_sd_prefetch&event=sc_eval&id_session=7BFA1B9E-C8F3-46AE-87F5-0A1EBF8B3107¶ms={"campaign_id":"100861","sc_id":"988","sc_type":"ns","met":false,"sd_flag":1} | |
| hxxp://www-google-analytics.l.google.com/__utm.gif?utmwv=5.4.6&utms=2&utmn=540733519&utmhn=hitman-pro.sd.softonic.com&utmt=event&utme=5(js_error*SDCaughtError*A not tracked http connection ID has triggered the callback - no error provided)&utmcs=utf-8&utmsr=1024x768&utmvp=650x450&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=Asistente de instalación de&utmhid=753756403&utmr=-&utmp=/98580/universaldownloader-prefetch&utmht=1407954788087&utmac=UA-48247475-1&utmni=1&utmcc=__utma=185463600.1416413502.1407954787.1407954787.1407954787.1;+__utmz=185463600.1407954787.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmmt=1&utmu=6AAgAAAAC~ | |
| hxxp://46.28.209.70/universaldownloader-track | |
| hxxp://46.28.209.74/blank.gif?product=st_activity&event=prefetch:campaigns:selected&id_session=7BFA1B9E-C8F3-46AE-87F5-0A1EBF8B3107¶ms={"1":{"id_campaign":"100861"},"2":{"id_campaign":"100733"}} | |
| hxxp://46.28.209.70/98580/universaldownloader/campaign-100861,100733?sd_timestamp=1407954787 | |
| hxxp://46.28.209.70/css/generated/fad58-59ade.css | |
| hxxp://imagenes.es.sftcdn.net/es/scrn/98000/98580/hitman-18.png | |
| hxxp://screenshots.en.sftcdn.net/campaign/scrn/100000/100861/sd_icon_100861_8a4a3.png | |
| hxxp://screenshots.en.sftcdn.net/campaign/scrn/100000/100861/sd_100861_41d97.jpeg | |
| hxxp://screenshots.en.sftcdn.net/campaign/scrn/100000/100733/sd_100733_cf3f5.jpg | |
| hxxp://46.28.209.70/shared/img/sd_client/gradientbg.png | |
| hxxp://pagead46.l.doubleclick.net/tag/js/gpt.js | |
| hxxp://46.28.209.70/shared/img/sd_client/sprite.png | |
| hxxp://46.28.209.70/shared/img/sd_client/loading.gif | |
| hxxp://pagead46.l.doubleclick.net/pagead/show_companion_ad.js | |
| hxxp://pagead46.l.doubleclick.net/gpt/pubads_impl_46.js | |
| hxxp://www-google-analytics.l.google.com/__utm.gif?utmwv=5.4.6&utms=3&utmn=1836989245&utmhn=hitman-pro.sd.softonic.com&utmcs=utf-8&utmsr=1024x768&utmvp=650x450&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=Asistente de instalación de Hitman&utmhid=835284767&utmr=-&utmp=/98580/universaldownloader/campaign-100861,100733?sd_timestamp=1407954787&utmht=1407954790227&utmac=UA-48247475-1&utmcc=__utma=185463600.1416413502.1407954787.1407954787.1407954787.1;+__utmz=185463600.1407954787.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmmt=1&utmu=qAAg~ | |
| hxxp://www-google-analytics.l.google.com/__utm.gif?utmwv=5.4.6&utms=4&utmn=1511123953&utmhn=hitman-pro.sd.softonic.com&utmcs=utf-8&utmsr=1024x768&utmvp=650x450&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=Asistente de instalación de Hitman&utmhid=835284767&utmr=http://unknown_browser_unknown_version&utmp=/init_startup&utmht=1407954790446&utmac=UA-152357-4&utmcc=__utma=185463600.1416413502.1407954787.1407954787.1407954787.1;+__utmz=185463600.1407954787.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmmt=1&utmu=qACgAAAAC~ | |
| hxxp://www-google-analytics.l.google.com/__utm.gif?utmwv=5.4.6&utms=5&utmn=863010644&utmhn=hitman-pro.sd.softonic.com&utmcs=utf-8&utmsr=1024x768&utmvp=650x450&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=Asistente de instalación de Hitman&utmhid=835284767&utmr=http://unknown_browser_unknown_version&utmp=/start_api&utmht=1407954790462&utmac=UA-152357-4&utmcc=__utma=185463600.1416413502.1407954787.1407954787.1407954787.1;+__utmz=185463600.1407954787.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmmt=1&utmu=qACgAAAAC~ | |
| hxxp://www-google-analytics.l.google.com/__utm.gif?utmwv=5.4.6&utms=6&utmn=2062632509&utmhn=hitman-pro.sd.softonic.com&utmcs=utf-8&utmsr=1024x768&utmvp=650x450&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=Asistente de instalación de Hitman&utmhid=835284767&utmr=http://unknown_browser_unknown_version&utmp=/legal_start&utmht=1407954790571&utmac=UA-152357-4&utmcc=__utma=185463600.1416413502.1407954787.1407954787.1407954787.1;+__utmz=185463600.1407954787.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmmt=1&utmu=qACgAAAAC~ | |
| hxxp://www-google-analytics.l.google.com/__utm.gif?utmwv=5.4.6&utms=7&utmn=1462241216&utmhn=hitman-pro.sd.softonic.com&utmcs=utf-8&utmsr=1024x768&utmvp=650x450&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=Asistente de instalación de Hitman&utmhid=835284767&utmr=http://unknown_browser_unknown_version&utmp=/legal_timestamp&utmht=1407954790587&utmac=UA-152357-4&utmcc=__utma=185463600.1416413502.1407954787.1407954787.1407954787.1;+__utmz=185463600.1407954787.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmmt=1&utmu=qACgAAAAC~ | |
| hxxp://www-google-analytics.l.google.com/__utm.gif?utmwv=5.4.6&utms=8&utmn=1519455623&utmhn=hitman-pro.sd.softonic.com&utmcs=utf-8&utmsr=1024x768&utmvp=650x450&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=Asistente de instalación de Hitman&utmhid=835284767&utmr=http://unknown_browser_unknown_version&utmp=/C100861--load1&utmht=1407954790680&utmac=UA-152357-4&utmcc=__utma=185463600.1416413502.1407954787.1407954787.1407954787.1;+__utmz=185463600.1407954787.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmmt=1&utmu=qACgAAAAC~ | |
| hxxp://www-google-analytics.l.google.com/__utm.gif?utmwv=5.4.6&utms=9&utmn=416444187&utmhn=hitman-pro.sd.softonic.com&utmcs=utf-8&utmsr=1024x768&utmvp=650x450&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=Asistente de instalación de Hitman&utmhid=835284767&utmr=http://unknown_browser_unknown_version&utmp=/C100733--load2&utmht=1407954790712&utmac=UA-152357-4&utmcc=__utma=185463600.1416413502.1407954787.1407954787.1407954787.1;+__utmz=185463600.1407954787.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmmt=1&utmu=qACgAAAAC~ | |
| hxxp://screenshots.en.sftcdn.net/campaign/scrn/100000/100861/sd_100861_41d97.jpeg?v=0.1888716158060174 | |
| hxxp://screenshots.en.sftcdn.net/campaign/scrn/100000/100733/sd_100733_cf3f5.jpg?v=0.6483588568132502 | |
| hxxp://csi.gstatic.com/csi?v=3&s=gpt&action=global&e=publisher_ads,companion_ads&vrg=46&rt=load.1562 | |
| hxxp://softonic-analytics.net/blank.gif?product=st_sd_prefetch&event=camp_eval&id_session=7BFA1B9E-C8F3-46AE-87F5-0A1EBF8B3107¶ms={"campaign_id":"100733","excluded":"0","sd_flag":1} | |
| hxxp://static.sd-client.softonic.com/shared/img/sd_client/loading.gif | |
| hxxp://static.sd-client.softonic.com/shared/img/sd_client/sprite.png | |
| hxxp://softonic-analytics.net/blank.gif?product=st_sd_prefetch&event=sc_eval&id_session=7BFA1B9E-C8F3-46AE-87F5-0A1EBF8B3107¶ms={"campaign_id":"100861","sc_id":"988","sc_type":"ns","met":false,"sd_flag":1} | |
| hxxp://softonic-analytics.net/blank.gif?product=st_sd_prefetch&event=sc_eval&id_session=7BFA1B9E-C8F3-46AE-87F5-0A1EBF8B3107¶ms={"campaign_id":"100861","sc_id":"-1","sc_type":"ns","met":false,"sd_flag":1} | |
| hxxp://softonic-analytics.net/blank.gif?product=st_sd_prefetch&event=sc_eval&id_session=7BFA1B9E-C8F3-46AE-87F5-0A1EBF8B3107¶ms={"campaign_id":"100861","sc_id":"430","sc_type":"ns","met":false,"sd_flag":1} | |
| hxxp://www.google-analytics.com/__utm.gif?utmwv=5.4.6&utms=7&utmn=1462241216&utmhn=hitman-pro.sd.softonic.com&utmcs=utf-8&utmsr=1024x768&utmvp=650x450&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=Asistente de instalación de Hitman&utmhid=835284767&utmr=http://unknown_browser_unknown_version&utmp=/legal_timestamp&utmht=1407954790587&utmac=UA-152357-4&utmcc=__utma=185463600.1416413502.1407954787.1407954787.1407954787.1;+__utmz=185463600.1407954787.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmmt=1&utmu=qACgAAAAC~ | |
| hxxp://www.google-analytics.com/__utm.gif?utmwv=5.4.6&utms=6&utmn=2062632509&utmhn=hitman-pro.sd.softonic.com&utmcs=utf-8&utmsr=1024x768&utmvp=650x450&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=Asistente de instalación de Hitman&utmhid=835284767&utmr=http://unknown_browser_unknown_version&utmp=/legal_start&utmht=1407954790571&utmac=UA-152357-4&utmcc=__utma=185463600.1416413502.1407954787.1407954787.1407954787.1;+__utmz=185463600.1407954787.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmmt=1&utmu=qACgAAAAC~ | |
| hxxp://partner.googleadservices.com/gpt/pubads_impl_46.js | |
| hxxp://www.google-analytics.com/__utm.gif?utmwv=5.4.6&utms=1&utmn=1088278839&utmhn=hitman-pro.sd.softonic.com&utmcs=utf-8&utmsr=1024x768&utmvp=650x450&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=Asistente de instalación de&utmhid=753756403&utmr=-&utmp=/98580/universaldownloader-prefetch&utmht=1407954787399&utmac=UA-48247475-1&utmcc=__utma=185463600.1416413502.1407954787.1407954787.1407954787.1;+__utmz=185463600.1407954787.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmmt=1&utmu=qAAg~ | |
| hxxp://softonic-analytics.net/blank.gif?product=st_sd_prefetch&event=sc_eval&id_session=7BFA1B9E-C8F3-46AE-87F5-0A1EBF8B3107¶ms={"campaign_id":"100733","sc_id":"-1","sc_type":"ns","met":false,"sd_flag":1} | |
| hxxp://softonic-analytics.net/blank.gif?product=st_sd_prefetch&event=sc_eval&id_session=7BFA1B9E-C8F3-46AE-87F5-0A1EBF8B3107¶ms={"campaign_id":"100733","sc_id":"1131","sc_type":"ns","met":false,"sd_flag":1} | |
| hxxp://softonic-analytics.net/blank.gif?product=st_sd_prefetch&event=sc_eval&id_session=7BFA1B9E-C8F3-46AE-87F5-0A1EBF8B3107¶ms={"campaign_id":"100733","sc_id":"-2","sc_type":"ns","met":false,"sd_flag":1} | |
| hxxp://static.sd-client.softonic.com/css/generated/fad58-59ade.css | |
| hxxp://softonic-analytics.net/blank.gif?product=st_sd_prefetch&event=sc_eval&id_session=7BFA1B9E-C8F3-46AE-87F5-0A1EBF8B3107¶ms={"campaign_id":"100733","sc_id":"1130","sc_type":"ns","met":false,"sd_flag":1} | |
| hxxp://softonic-analytics.net/blank.gif?product=st_sd_prefetch&event=camp_rpm&id_session=7BFA1B9E-C8F3-46AE-87F5-0A1EBF8B3107¶ms={"101197":{"campaign_id":"101197","default_rpm":5139},"100942":{"campaign_id":"100942","default_rpm":4715},"100861":{"campaign_id":"100861","default_rpm":8418},"100733":{"campaign_id":"100733","default_rpm":9092},"100727":{"campaign_id":"100727","default_rpm":5286},"100712":{"campaign_id":"100712","default_rpm":1051},"100711":{"campaign_id":"100711","default_rpm":940},"100707":{"campaign_id":"100707","default_rpm":414},"100516":{"campaign_id":"100516","default_rpm":1161},"50593":{"campaign_id":"50593","default_rpm":271},"41483":{"campaign_id":"41483","default_rpm":1},"100978":{"campaign_id":"100978","default_rpm":1126},"sd_flag":1} | |
| hxxp://www.google-analytics.com/__utm.gif?utmwv=5.4.6&utms=4&utmn=1511123953&utmhn=hitman-pro.sd.softonic.com&utmcs=utf-8&utmsr=1024x768&utmvp=650x450&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=Asistente de instalación de Hitman&utmhid=835284767&utmr=http://unknown_browser_unknown_version&utmp=/init_startup&utmht=1407954790446&utmac=UA-152357-4&utmcc=__utma=185463600.1416413502.1407954787.1407954787.1407954787.1;+__utmz=185463600.1407954787.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmmt=1&utmu=qACgAAAAC~ | |
| hxxp://softonic-analytics.net/blank.gif?product=st_sd_prefetch&event=sc_eval&id_session=7BFA1B9E-C8F3-46AE-87F5-0A1EBF8B3107¶ms={"campaign_id":"100861","sc_id":"-2","sc_type":"ns","met":false,"sd_flag":1} | |
| hxxp://www.google-analytics.com/__utm.gif?utmwv=5.4.6&utms=9&utmn=416444187&utmhn=hitman-pro.sd.softonic.com&utmcs=utf-8&utmsr=1024x768&utmvp=650x450&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=Asistente de instalación de Hitman&utmhid=835284767&utmr=http://unknown_browser_unknown_version&utmp=/C100733--load2&utmht=1407954790712&utmac=UA-152357-4&utmcc=__utma=185463600.1416413502.1407954787.1407954787.1407954787.1;+__utmz=185463600.1407954787.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmmt=1&utmu=qACgAAAAC~ | |
| hxxp://softonic-analytics.net/blank.gif?product=st_sd_prefetch&event=sc_eval&id_session=7BFA1B9E-C8F3-46AE-87F5-0A1EBF8B3107¶ms={"campaign_id":"100733","sc_id":"1132","sc_type":"ns","met":false,"sd_flag":1} | |
| hxxp://www.google-analytics.com/__utm.gif?utmwv=5.4.6&utms=5&utmn=863010644&utmhn=hitman-pro.sd.softonic.com&utmcs=utf-8&utmsr=1024x768&utmvp=650x450&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=Asistente de instalación de Hitman&utmhid=835284767&utmr=http://unknown_browser_unknown_version&utmp=/start_api&utmht=1407954790462&utmac=UA-152357-4&utmcc=__utma=185463600.1416413502.1407954787.1407954787.1407954787.1;+__utmz=185463600.1407954787.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmmt=1&utmu=qACgAAAAC~ | |
| hxxp://softonic-analytics.net/blank.gif?product=st_sd_prefetch&event=sc_eval&id_session=7BFA1B9E-C8F3-46AE-87F5-0A1EBF8B3107¶ms={"campaign_id":"100861","sc_id":"-3","sc_type":"ns","met":false,"sd_flag":1} | |
| hxxp://www.google-analytics.com/__utm.gif?utmwv=5.4.6&utms=2&utmn=540733519&utmhn=hitman-pro.sd.softonic.com&utmt=event&utme=5(js_error*SDCaughtError*A not tracked http connection ID has triggered the callback - no error provided)&utmcs=utf-8&utmsr=1024x768&utmvp=650x450&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=Asistente de instalación de&utmhid=753756403&utmr=-&utmp=/98580/universaldownloader-prefetch&utmht=1407954788087&utmac=UA-48247475-1&utmni=1&utmcc=__utma=185463600.1416413502.1407954787.1407954787.1407954787.1;+__utmz=185463600.1407954787.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmmt=1&utmu=6AAgAAAAC~ | |
| hxxp://softonic-analytics.net/blank.gif?product=st_sd_prefetch&event=sc_eval&id_session=7BFA1B9E-C8F3-46AE-87F5-0A1EBF8B3107¶ms={"campaign_id":"100733","sc_id":"1259","sc_type":"ns","met":false,"sd_flag":1} | |
| hxxp://softonic-analytics.net/blank.gif?product=st_activity&event=prefetch:campaigns:selected&id_session=7BFA1B9E-C8F3-46AE-87F5-0A1EBF8B3107¶ms={"1":{"id_campaign":"100861"},"2":{"id_campaign":"100733"}} | |
| hxxp://static.sd-client.softonic.com/shared/img/sd_client/gradientbg.png | |
| hxxp://pagead2.googlesyndication.com/pagead/show_companion_ad.js | |
| hxxp://softonic-analytics.net/blank.gif?product=st_sd_prefetch&event=sc_eval&id_session=7BFA1B9E-C8F3-46AE-87F5-0A1EBF8B3107¶ms={"campaign_id":"100733","sc_id":"1124","sc_type":"ns","met":false,"sd_flag":1} | |
| hxxp://softonic-analytics.net/blank.gif?product=st_sd_prefetch&event=sc_eval&id_session=7BFA1B9E-C8F3-46AE-87F5-0A1EBF8B3107¶ms={"campaign_id":"100733","sc_id":"-3","sc_type":"ns","met":false,"sd_flag":1} | |
| hxxp://www.google-analytics.com/__utm.gif?utmwv=5.4.6&utms=8&utmn=1519455623&utmhn=hitman-pro.sd.softonic.com&utmcs=utf-8&utmsr=1024x768&utmvp=650x450&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=Asistente de instalación de Hitman&utmhid=835284767&utmr=http://unknown_browser_unknown_version&utmp=/C100861--load1&utmht=1407954790680&utmac=UA-152357-4&utmcc=__utma=185463600.1416413502.1407954787.1407954787.1407954787.1;+__utmz=185463600.1407954787.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmmt=1&utmu=qACgAAAAC~ | |
| hxxp://softonic-analytics.net/blank.gif?product=st_sd_prefetch&event=camp_eval&id_session=7BFA1B9E-C8F3-46AE-87F5-0A1EBF8B3107&params={"campaign_id":"100861","excluded":"0","sd_flag":1} | |
| hxxp://www.googletagservices.com/tag/js/gpt.js | |
| hxxp://softonic-analytics.net/blank.gif?product=st_session&event=prefetch:session:create&id_session=7BFA1B9E-C8F3-46AE-87F5-0A1EBF8B3107&params={"client":{"ab_test":"","download_date":"1407954773","execution_date":"1407954787618","client_timezone":3,"api_version":"1.41.3"},"user":{"id_machine":"a8a67a25000000000000000c29d6c59b","id_user":"0447DF04-078F-413D-88E9-63E7A1412DBA","os":"WindowsXP"},"browser":{"default_browser":"iexplorer","default_browser_version":"6.0.2900.5512","default_browser_language":"en","default_browser_used":0,"default_browser_search_provider":"","default_browser_homepage":""},"program":{"id_cob":"0","id_file":"98580","id_section":"555","id_main_section":"548"}} | |
| hxxp://softonic-analytics.net/blank.gif?product=st_sd_prefetch&event=sc_eval&id_session=7BFA1B9E-C8F3-46AE-87F5-0A1EBF8B3107&params={"campaign_id":"100733","sc_id":"1239","sc_type":"ns","met":false,"sd_flag":1} | |
| hxxp://www.google-analytics.com/__utm.gif?utmwv=5.4.6&utms=3&utmn=1836989245&utmhn=hitman-pro.sd.softonic.com&utmcs=utf-8&utmsr=1024x768&utmvp=650x450&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=Asistente de instalación de Hitman&utmhid=835284767&utmr=-&utmp=/98580/universaldownloader/campaign-100861,100733?sd_timestamp=1407954787&utmht=1407954790227&utmac=UA-48247475-1&utmcc=__utma=185463600.1416413502.1407954787.1407954787.1407954787.1;+__utmz=185463600.1407954787.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmmt=1&utmu=qAAg~ | |
| hxxp://hitman-pro.sd.softonic.com/universaldownloader-track | |
| hxxp://hitman-pro.sd.softonic.com/98580/universaldownloader/campaign-100861,100733?sd_timestamp=1407954787 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
<font color="red">GET /blank.gif?product=st_sd_prefetch&event=sc_eval&id_session=7BFA1B9E-C8F3-46AE-87F5-0A1EBF8B3107&params={"campaign_id":"100733","sc_id":"1130","sc_type":"ns","met":false,"sd_flag":1} HTTP/1.1<br>User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C) SoftonicDownloader/1.41.3<br>
Host: softonic-analytics.net<br>
Accept: */*<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Date: Wed, 13 Aug 2014 23:32:10 GMT<br>
Server: Apache<br>
Set-Cookie: softonic_analytics-admin=deleted; expires=Tue, 13-Aug-2013 23:32:09 GMT; path=/; domain=softonic-analytics.net<br>
Expires: Mon, 26 Jul 1997 05:00:00 GMT<br>
Cache-control: max-age=0, must-revalidate<br>
Pragma: no-cache<br>
Content-Length: 35<br>
Connection: close<br>
Content-Type: image/gif<br><pre>GIF89a.............,...........D..;..</pre></font><br><br
<font color="red">GET /blank.gif?product=st_session&event=prefetch:session:create&id_session=7BFA1B9E-C8F3-46AE-87F5-0A1EBF8B3107&params={"client":{"ab_test":"","download_date":"1407954773","execution_date":"1407954787618","client_timezone":3,"api_version":"1.41.3"},"user":{"id_machine":"a8a67a25000000000000000c29d6c59b","id_user":"0447DF04-078F-413D-88E9-63E7A1412DBA","os":"WindowsXP"},"browser":{"default_browser":"iexplorer","default_browser_version":"6.0.2900.5512","default_browser_language":"en","default_browser_used":0,"default_browser_search_provider":"","default_browser_homepage":""},"program":{"id_cob":"0","id_file":"98580","id_section":"555","id_main_section":"548"}} HTTP/1.1<br>User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C) SoftonicDownloader/1.41.3<br>
Host: softonic-analytics.net<br>
Accept: */*<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Date: Wed, 13 Aug 2014 23:32:10 GMT<br>
Server: Apache<br>
Set-Cookie: softonic_analytics-admin=deleted; expires=Tue, 13-Aug-2013 23:32:09 GMT; path=/; domain=softonic-analytics.net<br>
Expires: Mon, 26 Jul 1997 05:00:00 GMT<br>
Cache-control: max-age=0, must-revalidate<br>
Pragma: no-cache<br>
Content-Length: 35<br>
Connection: close<br>
Content-Type: image/gif<br><pre>GIF89a.............,...........D..;..</pre></font><br><br
<font color="red">GET /blank.gif?product=st_sd_prefetch&event=sc_eval&id_session=7BFA1B9E-C8F3-46AE-87F5-0A1EBF8B3107&params={"campaign_id":"100861","sc_id":"-2","sc_type":"ns","met":false,"sd_flag":1} HTTP/1.1<br>User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C) SoftonicDownloader/1.41.3<br>
Host: softonic-analytics.net<br>
Accept: */*<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Date: Wed, 13 Aug 2014 23:32:10 GMT<br>
Server: Apache<br>
Set-Cookie: softonic_analytics-admin=deleted; expires=Tue, 13-Aug-2013 23:32:09 GMT; path=/; domain=softonic-analytics.net<br>
Expires: Mon, 26 Jul 1997 05:00:00 GMT<br>
Cache-control: max-age=0, must-revalidate<br>
Pragma: no-cache<br>
Content-Length: 35<br>
Connection: close<br>
Content-Type: image/gif<br><pre>GIF89a.............,...........D..;..</pre></font><br><br
<font color="red">GET /blank.gif?product=st_sd_prefetch&event=camp_eval&id_session=7BFA1B9E-C8F3-46AE-87F5-0A1EBF8B3107&params={"campaign_id":"100861","excluded":"0","sd_flag":1} HTTP/1.1<br>User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C) SoftonicDownloader/1.41.3<br>
Host: softonic-analytics.net<br>
Accept: */*<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Date: Wed, 13 Aug 2014 23:32:10 GMT<br>
Server: Apache<br>
Set-Cookie: softonic_analytics-admin=deleted; expires=Tue, 13-Aug-2013 23:32:09 GMT; path=/; domain=softonic-analytics.net<br>
Expires: Mon, 26 Jul 1997 05:00:00 GMT<br>
Cache-control: max-age=0, must-revalidate<br>
Pragma: no-cache<br>
Content-Length: 35<br>
Connection: close<br>
Content-Type: image/gif<br><pre>GIF89a.............,...........D..;..</pre></font><br><br
<font color="red">GET /tag/js/gpt.js HTTP/1.1<br>
Accept: */*<br>
Referer: hXXp://hitman-pro.sd.softonic.com/98580/universaldownloader/campaign-100861,100733?sd_timestamp=1407954787<br>
Accept-Language: en-us<br>
Accept-Encoding: gzip, deflate<br>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C) SoftonicDownloader/1.41.3<br>
Host: VVV.googletagservices.com<br>
Connection: Keep-Alive<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
P3P: policyref="hXXp://VVV.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA IVD OTP OUR OTR IND OTC"<br>
Content-Type: text/javascript; charset=UTF-8<br>
ETag: 6173966193363249890<br>
Date: Wed, 13 Aug 2014 23:00:09 GMT<br>
Expires: Thu, 14 Aug 2014 00:00:09 GMT<br>
X-Content-Type-Options: nosniff<br>
Content-Disposition: attachment; filename="f.txt"<br>
Content-Encoding: gzip<br>
Server: cafe<br>
Content-Length: 14252<br>
X-XSS-Protection: 1; mode=block<br>
Age: 1923<br>
Cache-Control: public, max-age=3600<br>
Alternate-Protocol: 80:quic<br><<< skipped >>></font><br><br
<font color="red">GET /blank.gif?product=st_sd_prefetch&event=sc_eval&id_session=7BFA1B9E-C8F3-46AE-87F5-0A1EBF8B3107&params={"campaign_id":"100733","sc_id":"1132","sc_type":"ns","met":false,"sd_flag":1} HTTP/1.1<br>User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C) SoftonicDownloader/1.41.3<br>
Host: softonic-analytics.net<br>
Accept: */*<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Date: Wed, 13 Aug 2014 23:32:10 GMT<br>
Server: Apache<br>
Set-Cookie: softonic_analytics-admin=deleted; expires=Tue, 13-Aug-2013 23:32:09 GMT; path=/; domain=softonic-analytics.net<br>
Expires: Mon, 26 Jul 1997 05:00:00 GMT<br>
Cache-control: max-age=0, must-revalidate<br>
Pragma: no-cache<br>
Content-Length: 35<br>
Connection: close<br>
Content-Type: image/gif<br><pre>GIF89a.............,...........D..;..</pre></font><br><br
<font color="red">GET /blank.gif?product=st_sd_prefetch&event=sc_eval&id_session=7BFA1B9E-C8F3-46AE-87F5-0A1EBF8B3107&params={"campaign_id":"100861","sc_id":"-3","sc_type":"ns","met":false,"sd_flag":1} HTTP/1.1<br>User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C) SoftonicDownloader/1.41.3<br>
Host: softonic-analytics.net<br>
Accept: */*<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Date: Wed, 13 Aug 2014 23:32:10 GMT<br>
Server: Apache<br>
Set-Cookie: softonic_analytics-admin=deleted; expires=Tue, 13-Aug-2013 23:32:09 GMT; path=/; domain=softonic-analytics.net<br>
Expires: Mon, 26 Jul 1997 05:00:00 GMT<br>
Cache-control: max-age=0, must-revalidate<br>
Pragma: no-cache<br>
Content-Length: 35<br>
Connection: close<br>
Content-Type: image/gif<br><pre>GIF89a.............,...........D..;..</pre></font><br><br
<font color="red">POST /universaldownloader-track HTTP/1.1<br>
md5_hash: 10b9c0ad9e3a1df0221035f1226dd90c<br>
Accept-Language: en-us<br>
Referer: hXXp://hitman-pro.sd.softonic.com/98580/universaldownloader-prefetch<br>
Accept: application/json, text/javascript, */*; q=0.01<br>
Content-Type: application/x-www-form-urlencoded; charset=UTF-8<br>
x-requested-with: XMLHttpRequest<br>
Accept-Encoding: gzip, deflate<br>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C) SoftonicDownloader/1.41.3<br>
Host: hitman-pro.sd.softonic.com<br>
Content-Length: 8095<br>
Connection: Keep-Alive<br>
Cache-Control: no-cache<br>
Cookie: __utma=185463600.1416413502.1407954787.1407954787.1407954787.1; __utmb=185463600.1.10.1407954787; __utmc=185463600; __utmz=185463600.1407954787.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); UACR_98580=false; UACA_98580=false; UD1_POSITION_98580=; _FCes=100733|1|1407954787.100861|1|1407954787<br>
<br>
id_session=7BFA1B9E-C8F3-46AE-87F5-0A1EBF8B3107&id_machine=a8a67a25000000000000000c29d6c59b&id_user=0447DF04-078F-413D-88E9-63E7A1412DBA&id_file=98580&id_section=555&id_main_section=548&ab_test=&api_version=1.41.3&timestamp=1407954787&download_browser=unknown_browser&download_browser_version=unknown_version&client_timezone=3&test_track=false&flavour=5&av_installed=&step=prefetch_events&events=[["special_conditions_evaluation",[{"campaign_id":"100733","campaign_priority":9092,"campaign_reranked_priority":null,"special_condition_i</font><br><font color="blue">HTTP/1.1 200 OK<br>Date: Wed, 13 Aug 2014 23:32:10 GMT<br>
Server: Apache<br>
Set-Cookie: sd_client_es-admin=deleted; expires=Tue, 13-Aug-2013 23:32:10 GMT; path=/; domain=sd.sd.softonic.com<br>
Vary: Accept-Encoding,User-Agent<br>
Content-Encoding: gzip<br>
Content-Length: 35<br>
Keep-Alive: timeout=3, max=10<br>
Connection: Keep-Alive<br>
Content-Type: application/json; charset=utf-8<br><pre>...........V*.I,)-V.R..V.....l.....</font>....</pre></font><br><br><font color="red">GET /98580/universaldownloader/campaign-100861,100733?sd_timestamp=1407954787 HTTP/1.1<br>
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*<br>
Accept-Language: en-us<br>
Accept-Encoding: gzip, deflate<br>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C) SoftonicDownloader/1.41.3<br>
Host: hitman-pro.sd.softonic.com<br>
Connection: Keep-Alive<br>
Cookie: __utma=185463600.1416413502.1407954787.1407954787.1407954787.1; __utmb=185463600.2.9.1407954788087; __utmc=185463600; __utmz=185463600.1407954787.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); UACR_98580=false; UACA_98580=false; UD1_POSITION_98580=; _FCes=100733|1|1407954787.100861|1|1407954787<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Date: Wed, 13 Aug 2014 23:32:11 GMT<br>
Server: Apache<br>
Set-Cookie: sd_client_es-admin=deleted; expires=Tue, 13-Aug-2013 23:32:10 GMT; path=/; domain=sd.sd.softonic.com<br>
Expires: Mon, 26 Jul 1997 05:00:00 GMT<br>
Cache-control: max-age=0, must-revalidate<br>
Pragma: no-cache<br>
Vary: Accept-Encoding,User-Agent<br>
Content-Encoding: gzip<br>
Content-Length: 13338<br>
Keep-Alive: timeout=3, max=9<br>
Connection: Keep-Alive<br>
Content-Type: text/html; charset=utf-8<br><<< skipped >>></font><br><br
<font color="red">GET /blank.gif?product=st_sd_prefetch&event=sc_eval&id_session=7BFA1B9E-C8F3-46AE-87F5-0A1EBF8B3107&params={"campaign_id":"100861","sc_id":"988","sc_type":"ns","met":false,"sd_flag":1} HTTP/1.1<br>User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C) SoftonicDownloader/1.41.3<br>
Host: softonic-analytics.net<br>
Accept: */*<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Date: Wed, 13 Aug 2014 23:32:10 GMT<br>
Server: Apache<br>
Set-Cookie: softonic_analytics-admin=deleted; expires=Tue, 13-Aug-2013 23:32:09 GMT; path=/; domain=softonic-analytics.net<br>
Expires: Mon, 26 Jul 1997 05:00:00 GMT<br>
Cache-control: max-age=0, must-revalidate<br>
Pragma: no-cache<br>
Content-Length: 35<br>
Connection: close<br>
Content-Type: image/gif<br><pre>GIF89a.............,...........D..;..</pre></font><br><br
<font color="red">GET /blank.gif?product=st_sd_prefetch&event=sc_eval&id_session=7BFA1B9E-C8F3-46AE-87F5-0A1EBF8B3107&params={"campaign_id":"100733","sc_id":"-3","sc_type":"ns","met":false,"sd_flag":1} HTTP/1.1<br>User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C) SoftonicDownloader/1.41.3<br>
Host: softonic-analytics.net<br>
Accept: */*<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Date: Wed, 13 Aug 2014 23:32:10 GMT<br>
Server: Apache<br>
Set-Cookie: softonic_analytics-admin=deleted; expires=Tue, 13-Aug-2013 23:32:09 GMT; path=/; domain=softonic-analytics.net<br>
Expires: Mon, 26 Jul 1997 05:00:00 GMT<br>
Cache-control: max-age=0, must-revalidate<br>
Pragma: no-cache<br>
Content-Length: 35<br>
Connection: close<br>
Content-Type: image/gif<br><pre>GIF89a.............,...........D..;..</pre></font><br><br
<font color="red">GET /gpt/pubads_impl_46.js HTTP/1.1<br>
Accept: */*<br>
Referer: hXXp://hitman-pro.sd.softonic.com/98580/universaldownloader/campaign-100861,100733?sd_timestamp=1407954787<br>
Accept-Language: en-us<br>
Accept-Encoding: gzip, deflate<br>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C) SoftonicDownloader/1.41.3<br>
Host: partner.googleadservices.com<br>
Connection: Keep-Alive<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Vary: Accept-Encoding<br>
Content-Encoding: gzip<br>
Content-Type: text/javascript<br>
Last-Modified: Tue, 29 Jul 2014 17:42:15 GMT<br>
Date: Thu, 07 Aug 2014 16:10:01 GMT<br>
Expires: Fri, 07 Aug 2015 16:10:01 GMT<br>
X-Content-Type-Options: nosniff<br>
Server: sffe<br>
Content-Length: 33549<br>
X-XSS-Protection: 1; mode=block<br>
Cache-Control: public, max-age=31536000<br>
Age: 544931<br>
Alternate-Protocol: 80:quic<br><<< skipped >>></font><br><br
<font color="red">GET /es/scrn/98000/98580/hitman-18.png HTTP/1.1<br>
Accept: */*<br>
Referer: hXXp://hitman-pro.sd.softonic.com/98580/universaldownloader/campaign-100861,100733?sd_timestamp=1407954787<br>
Accept-Language: en-us<br>
Accept-Encoding: gzip, deflate<br>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C) SoftonicDownloader/1.41.3<br>
Host: imagenes.es.sftcdn.net<br>
Connection: Keep-Alive<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Server: Apache<br>
Last-Modified: Wed, 30 Jun 2010 11:04:34 GMT<br>
Cache-Control: max-age=172800<br>
Content-Type: image/png<br>
Content-Length: 13825<br>
Accept-Ranges: bytes<br>
Date: Wed, 13 Aug 2014 23:32:12 GMT<br>
Connection: keep-alive<br>
Age: 0<br>
X-Served-By: screenshots<br>
X-Cache: HIT<br>
X-Cache-Hits: 3<br>
Expires: Fri, 15 Aug 2014 23:32:12 GMT<br><<< skipped >>></font><br><br
<font color="red">GET /__utm.gif?utmwv=5.4.6&utms=1&utmn=1088278839&utmhn=hitman-pro.sd.softonic.com&utmcs=utf-8&utmsr=1024x768&utmvp=650x450&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=Asistente de instalación de&utmhid=753756403&utmr=-&utmp=/98580/universaldownloader-prefetch&utmht=1407954787399&utmac=UA-48247475-1&utmcc=__utma=185463600.1416413502.1407954787.1407954787.1407954787.1;+__utmz=185463600.1407954787.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmmt=1&utmu=qAAg~ HTTP/1.1<br>
Accept: */*<br>
Referer: hXXp://hitman-pro.sd.softonic.com/98580/universaldownloader-prefetch<br>
Accept-Language: en-us<br>
Accept-Encoding: gzip, deflate<br>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C) SoftonicDownloader/1.41.3<br>
Host: VVV.google-analytics.com<br>
Connection: Keep-Alive<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Pragma: no-cache<br>
Expires: Wed, 19 Apr 2000 11:43:00 GMT<br>
Last-Modified: Wed, 21 Jan 2004 19:51:30 GMT<br>
X-Content-Type-Options: nosniff<br>
Content-Type: image/gif<br>
Date: Thu, 07 Aug 2014 16:10:02 GMT<br>
Server: Golfe2<br>
Content-Length: 35<br>
Cache-Control: private, no-cache, no-cache=Set-Cookie, proxy-revalidate<br>
Age: 544928<br>
Alternate-Protocol: 80:quic<br><pre>GIF89a.............,...........D..;</font>....</pre></font><br><br><font color="red">GET /__utm.gif?utmwv=5.4.6&utms=2&utmn=540733519&utmhn=hitman-pro.sd.softonic.com&utmt=event&utme=5(js_error*SDCaughtError*A not tracked http connection ID has triggered the callback - no error provided)&utmcs=utf-8&utmsr=1024x768&utmvp=650x450&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=Asistente de instalación de&utmhid=753756403&utmr=-&utmp=/98580/universaldownloader-prefetch&utmht=1407954788087&utmac=UA-48247475-1&utmni=1&utmcc=__utma=185463600.1416413502.1407954787.1407954787.1407954787.1;+__utmz=185463600.1407954787.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmmt=1&utmu=6AAgAAAAC~ HTTP/1.1<br>
Accept: */*<br>
Referer: hXXp://hitman-pro.sd.softonic.com/98580/universaldownloader-prefetch<br>
Accept-Language: en-us<br>
Accept-Encoding: gzip, deflate<br>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C) SoftonicDownloader/1.41.3<br>
Host: VVV.google-analytics.com<br>
Connection: Keep-Alive<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Pragma: no-cache<br>
Expires: Wed, 19 Apr 2000 11:43:00 GMT<br>
Last-Modified: Wed, 21 Jan 2004 19:51:30 GMT<br>
X-Content-Type-Options: nosniff<br>
Content-Type: image/gif<br>
Date: Thu, 07 Aug 2014 16:10:02 GMT<br>
Server: Golfe2<br>
Content-Length: 35<br>
Cache-Control: private, no-cache, no-cache=Set-Cookie, proxy-revalidate<br>
Age: 544928<br>
Alternate-Protocol: 80:quic<br><pre>GIF89a.............,...........D..;</font>....</pre></font><br><br><font color="red">GET /__utm.gif?utmwv=5.4.6&utms=3&utmn=1836989245&utmhn=hitman-pro.sd.softonic.com&utmcs=utf-8&utmsr=1024x768&utmvp=650x450&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=Asistente de instalación de Hitman&utmhid=835284767&utmr=-&utmp=/98580/universaldownloader/campaign-100861,100733?sd_timestamp=1407954787&utmht=1407954790227&utmac=UA-48247475-1&utmcc=__utma=185463600.1416413502.1407954787.1407954787.1407954787.1;+__utmz=185463600.1407954787.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmmt=1&utmu=qAAg~ HTTP/1.1<br>
Accept: */*<br>
Referer: hXXp://hitman-pro.sd.softonic.com/98580/universaldownloader/campaign-100861,100733?sd_timestamp=1407954787<br>
Accept-Language: en-us<br>
Accept-Encoding: gzip, deflate<br>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C) SoftonicDownloader/1.41.3<br>
Host: VVV.google-analytics.com<br>
Connection: Keep-Alive<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Pragma: no-cache<br>
Expires: Wed, 19 Apr 2000 11:43:00 GMT<br>
Last-Modified: Wed, 21 Jan 2004 19:51:30 GMT<br>
X-Content-Type-Options: nosniff<br>
Content-Type: image/gif<br>
Date: Thu, 07 Aug 2014 16:10:02 GMT<br>
Server: Golfe2<br>
Content-Length: 35<br>
Cache-Control: private, no-cache, no-cache=Set-Cookie, proxy-revalidate<br>
Age: 544930<br>
Alternate-Protocol: 80:quic<br><pre>GIF89a.............,...........D..;</font>....</pre></font><br><br><font color="red">GET /__utm.gif?utmwv=5.4.6&utms=4&utmn=1511123953&utmhn=hitman-pro.sd.softonic.com&utmcs=utf-8&utmsr=1024x768&utmvp=650x450&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=Asistente de instalación de Hitman&utmhid=835284767&utmr=http://unknown_browser_unknown_version&utmp=/init_startup&utmht=1407954790446&utmac=UA-152357-4&utmcc=__utma=185463600.1416413502.1407954787.1407954787.1407954787.1;+__utmz=185463600.1407954787.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmmt=1&utmu=qACgAAAAC~ HTTP/1.1<br>
Accept: */*<br>
Referer: hXXp://hitman-pro.sd.softonic.com/98580/universaldownloader/campaign-100861,100733?sd_timestamp=1407954787<br>
Accept-Language: en-us<br>
Accept-Encoding: gzip, deflate<br>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C) SoftonicDownloader/1.41.3<br>
Host: VVV.google-analytics.com<br>
Connection: Keep-Alive<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Pragma: no-cache<br>
Expires: Wed, 19 Apr 2000 11:43:00 GMT<br>
Last-Modified: Wed, 21 Jan 2004 19:51:30 GMT<br>
X-Content-Type-Options: nosniff<br>
Content-Type: image/gif<br>
Date: Thu, 07 Aug 2014 16:10:02 GMT<br>
Server: Golfe2<br>
Content-Length: 35<br>
Cache-Control: private, no-cache, no-cache=Set-Cookie, proxy-revalidate<br>
Age: 544931<br>
Alternate-Protocol: 80:quic<br><pre>GIF89a.............,...........D..;</font>....</pre></font><br><br><font color="red">GET /__utm.gif?utmwv=5.4.6&utms=6&utmn=2062632509&utmhn=hitman-pro.sd.softonic.com&utmcs=utf-8&utmsr=1024x768&utmvp=650x450&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=Asistente de instalación de Hitman&utmhid=835284767&utmr=http://unknown_browser_unknown_version&utmp=/legal_start&utmht=1407954790571&utmac=UA-152357-4&utmcc=__utma=185463600.1416413502.1407954787.1407954787.1407954787.1;+__utmz=185463600.1407954787.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmmt=1&utmu=qACgAAAAC~ HTTP/1.1<br>
Accept: */*<br>
Referer: hXXp://hitman-pro.sd.softonic.com/98580/universaldownloader/campaign-100861,100733?sd_timestamp=1407954787<br>
Accept-Language: en-us<br>
Accept-Encoding: gzip, deflate<br>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C) SoftonicDownloader/1.41.3<br>
Host: VVV.google-analytics.com<br>
Connection: Keep-Alive<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Pragma: no-cache<br>
Expires: Wed, 19 Apr 2000 11:43:00 GMT<br>
Last-Modified: Wed, 21 Jan 2004 19:51:30 GMT<br>
X-Content-Type-Options: nosniff<br>
Content-Type: image/gif<br>
Date: Thu, 07 Aug 2014 16:10:02 GMT<br>
Server: Golfe2<br>
Content-Length: 35<br>
Cache-Control: private, no-cache, no-cache=Set-Cookie, proxy-revalidate<br>
Age: 544931<br>
Alternate-Protocol: 80:quic<br><pre>GIF89a.............,...........D..;</font>....</pre></font><br><br><font color="red">GET /__utm.gif?utmwv=5.4.6&utms=8&utmn=1519455623&utmhn=hitman-pro.sd.softonic.com&utmcs=utf-8&utmsr=1024x768&utmvp=650x450&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=Asistente de instalación de Hitman&utmhid=835284767&utmr=http://unknown_browser_unknown_version&utmp=/C100861--load1&utmht=1407954790680&utmac=UA-152357-4&utmcc=__utma=185463600.1416413502.1407954787.1407954787.1407954787.1;+__utmz=185463600.1407954787.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmmt=1&utmu=qACgAAAAC~ HTTP/1.1<br>
Accept: */*<br>
Referer: hXXp://hitman-pro.sd.softonic.com/98580/universaldownloader/campaign-100861,100733?sd_timestamp=1407954787<br>
Accept-Language: en-us<br>
Accept-Encoding: gzip, deflate<br>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C) SoftonicDownloader/1.41.3<br>
Host: VVV.google-analytics.com<br>
Connection: Keep-Alive<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Pragma: no-cache<br>
Expires: Wed, 19 Apr 2000 11:43:00 GMT<br>
Last-Modified: Wed, 21 Jan 2004 19:51:30 GMT<br>
X-Content-Type-Options: nosniff<br>
Content-Type: image/gif<br>
Date: Thu, 07 Aug 2014 16:10:02 GMT<br>
Server: Golfe2<br>
Content-Length: 35<br>
Cache-Control: private, no-cache, no-cache=Set-Cookie, proxy-revalidate<br>
Age: 544931<br>
Alternate-Protocol: 80:quic<br><pre>GIF89a.............,...........D..;..</pre></font><br><br>
<font color="red">GET /blank.gif?product=st_sd_prefetch&event=sc_eval&id_session=7BFA1B9E-C8F3-46AE-87F5-0A1EBF8B3107&params={"campaign_id":"100861","sc_id":"430","sc_type":"ns","met":false,"sd_flag":1} HTTP/1.1<br>User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C) SoftonicDownloader/1.41.3<br>
Host: softonic-analytics.net<br>
Accept: */*<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Date: Wed, 13 Aug 2014 23:32:10 GMT<br>
Server: Apache<br>
Set-Cookie: softonic_analytics-admin=deleted; expires=Tue, 13-Aug-2013 23:32:09 GMT; path=/; domain=softonic-analytics.net<br>
Expires: Mon, 26 Jul 1997 05:00:00 GMT<br>
Cache-control: max-age=0, must-revalidate<br>
Pragma: no-cache<br>
Content-Length: 35<br>
Connection: close<br>
Content-Type: image/gif<br><pre>GIF89a.............,...........D..;..</pre></font><br><br>
<font color="red">GET /blank.gif?product=st_sd_prefetch&event=sc_eval&id_session=7BFA1B9E-C8F3-46AE-87F5-0A1EBF8B3107&params={"campaign_id":"100733","sc_id":"1131","sc_type":"ns","met":false,"sd_flag":1} HTTP/1.1<br>User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C) SoftonicDownloader/1.41.3<br>
Host: softonic-analytics.net<br>
Accept: */*<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Date: Wed, 13 Aug 2014 23:32:10 GMT<br>
Server: Apache<br>
Set-Cookie: softonic_analytics-admin=deleted; expires=Tue, 13-Aug-2013 23:32:09 GMT; path=/; domain=softonic-analytics.net<br>
Expires: Mon, 26 Jul 1997 05:00:00 GMT<br>
Cache-control: max-age=0, must-revalidate<br>
Pragma: no-cache<br>
Content-Length: 35<br>
Connection: close<br>
Content-Type: image/gif<br><pre>GIF89a.............,...........D..;..</pre></font><br><br>
<font color="red">GET /blank.gif?product=st_sd_prefetch&event=camp_eval&id_session=7BFA1B9E-C8F3-46AE-87F5-0A1EBF8B3107&params={"campaign_id":"100733","excluded":"0","sd_flag":1} HTTP/1.1<br>User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C) SoftonicDownloader/1.41.3<br>
Host: softonic-analytics.net<br>
Accept: */*<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Date: Wed, 13 Aug 2014 23:32:10 GMT<br>
Server: Apache<br>
Set-Cookie: softonic_analytics-admin=deleted; expires=Tue, 13-Aug-2013 23:32:09 GMT; path=/; domain=softonic-analytics.net<br>
Expires: Mon, 26 Jul 1997 05:00:00 GMT<br>
Cache-control: max-age=0, must-revalidate<br>
Pragma: no-cache<br>
Content-Length: 35<br>
Connection: close<br>
Content-Type: image/gif<br><pre>GIF89a.............,...........D..;..</pre></font><br><br>
<font color="red">GET /blank.gif?product=st_sd_prefetch&event=sc_eval&id_session=7BFA1B9E-C8F3-46AE-87F5-0A1EBF8B3107&params={"campaign_id":"100733","sc_id":"1259","sc_type":"ns","met":false,"sd_flag":1} HTTP/1.1<br>User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C) SoftonicDownloader/1.41.3<br>
Host: softonic-analytics.net<br>
Accept: */*<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Date: Wed, 13 Aug 2014 23:32:10 GMT<br>
Server: Apache<br>
Set-Cookie: softonic_analytics-admin=deleted; expires=Tue, 13-Aug-2013 23:32:09 GMT; path=/; domain=softonic-analytics.net<br>
Expires: Mon, 26 Jul 1997 05:00:00 GMT<br>
Cache-control: max-age=0, must-revalidate<br>
Pragma: no-cache<br>
Content-Length: 35<br>
Connection: close<br>
Content-Type: image/gif<br><pre>GIF89a.............,...........D..;..</pre></font><br><br>
<font color="red">GET /campaign/scrn/100000/100861/sd_100861_41d97.jpeg HTTP/1.1<br>
Accept: */*<br>
Referer: hXXp://hitman-pro.sd.softonic.com/98580/universaldownloader/campaign-100861,100733?sd_timestamp=1407954787<br>
Accept-Language: en-us<br>
Accept-Encoding: gzip, deflate<br>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C) SoftonicDownloader/1.41.3<br>
Host: screenshots.en.sftcdn.net<br>
Connection: Keep-Alive<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Server: Apache<br>
Last-Modified: Mon, 24 Mar 2014 16:19:57 GMT<br>
Cache-Control: max-age=172800<br>
Content-Type: image/jpeg<br>
Content-Length: 8968<br>
Accept-Ranges: bytes<br>
Date: Wed, 13 Aug 2014 23:32:12 GMT<br>
Connection: keep-alive<br>
Age: 0<br>
X-Served-By: screenshots<br>
X-Cache: HIT<br>
X-Cache-Hits: 11930<br>
Expires: Fri, 15 Aug 2014 23:32:12 GMT<br><<< skipped >>></font><br><br><font color="red">GET /campaign/scrn/100000/100861/sd_100861_41d97.jpeg?v=0.1888716158060174 HTTP/1.1<br>Accept: */*<br>
Referer: hXXp://hitman-pro.sd.softonic.com/98580/universaldownloader/campaign-100861,100733?sd_timestamp=1407954787<br>
Accept-Language: en-us<br>
Accept-Encoding: gzip, deflate<br>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C) SoftonicDownloader/1.41.3<br>
Host: screenshots.en.sftcdn.net<br>
Connection: Keep-Alive<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Server: Apache<br>
Last-Modified: Mon, 24 Mar 2014 16:19:57 GMT<br>
Cache-Control: max-age=172800<br>
Content-Type: image/jpeg<br>
Content-Length: 8968<br>
Accept-Ranges: bytes<br>
Date: Wed, 13 Aug 2014 23:32:13 GMT<br>
Connection: keep-alive<br>
Age: 0<br>
X-Served-By: screenshots<br>
X-Cache: MISS<br>
X-Cache-Hits: 0<br>
Expires: Fri, 15 Aug 2014 23:32:13 GMT<br><<< skipped >>></font><br><br><font color="red">GET /blank.gif?product=st_sd_prefetch&event=sc_eval&id_session=7BFA1B9E-C8F3-46AE-87F5-0A1EBF8B3107&params={"campaign_id":"100733","sc_id":"-1","sc_type":"ns","met":false,"sd_flag":1} HTTP/1.1<br>User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C) SoftonicDownloader/1.41.3<br>
Host: softonic-analytics.net<br>
Accept: */*<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Date: Wed, 13 Aug 2014 23:32:10 GMT<br>
Server: Apache<br>
Set-Cookie: softonic_analytics-admin=deleted; expires=Tue, 13-Aug-2013 23:32:09 GMT; path=/; domain=softonic-analytics.net<br>
Expires: Mon, 26 Jul 1997 05:00:00 GMT<br>
Cache-control: max-age=0, must-revalidate<br>
Pragma: no-cache<br>
Content-Length: 35<br>
Connection: close<br>
Content-Type: image/gif<br><pre>GIF89a.............,...........D..;..</pre></font><br><br>
<font color="red">GET /css/generated/fad58-59ade.css HTTP/1.1<br>
Accept: */*<br>
Referer: hXXp://hitman-pro.sd.softonic.com/98580/universaldownloader/campaign-100861,100733?sd_timestamp=1407954787<br>
Accept-Language: en-us<br>
Accept-Encoding: gzip, deflate<br>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C) SoftonicDownloader/1.41.3<br>
Host: static.sd-client.softonic.com<br>
Connection: Keep-Alive<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Date: Wed, 13 Aug 2014 23:32:12 GMT<br>
Server: Apache<br>
Last-Modified: Tue, 12 Aug 2014 13:07:11 GMT<br>
Accept-Ranges: bytes<br>
Cache-Control: max-age=2592000<br>
Expires: Fri, 12 Sep 2014 23:32:12 GMT<br>
Vary: Accept-Encoding,User-Agent<br>
Content-Encoding: gzip<br>
Content-Length: 5022<br>
Keep-Alive: timeout=3, max=10<br>
Connection: Keep-Alive<br>
Content-Type: text/css<br><<< skipped >>></font><br><br><font color="red">GET /shared/img/sd_client/gradientbg.png HTTP/1.1<br>
Accept: */*<br>
Referer: hXXp://hitman-pro.sd.softonic.com/98580/universaldownloader/campaign-100861,100733?sd_timestamp=1407954787<br>
Accept-Language: en-us<br>
Accept-Encoding: gzip, deflate<br>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C) SoftonicDownloader/1.41.3<br>
Host: static.sd-client.softonic.com<br>
Connection: Keep-Alive<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Date: Wed, 13 Aug 2014 23:32:12 GMT<br>
Server: Apache<br>
Last-Modified: Thu, 27 Mar 2014 08:18:00 GMT<br>
Accept-Ranges: bytes<br>
Content-Length: 2958<br>
Cache-Control: max-age=172800<br>
Expires: Fri, 15 Aug 2014 23:32:12 GMT<br>
Keep-Alive: timeout=3, max=9<br>
Connection: Keep-Alive<br>
Content-Type: image/png<br><<< skipped >>></font><br><br><font color="red">GET /shared/img/sd_client/loading.gif HTTP/1.1<br>Accept: */*<br>
Referer: hXXp://hitman-pro.sd.softonic.com/98580/universaldownloader/campaign-100861,100733?sd_timestamp=1407954787<br>
Accept-Language: en-us<br>
Accept-Encoding: gzip, deflate<br>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C) SoftonicDownloader/1.41.3<br>
Host: static.sd-client.softonic.com<br>
Connection: Keep-Alive<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Date: Wed, 13 Aug 2014 23:32:12 GMT<br>
Server: Apache<br>
Last-Modified: Thu, 27 Mar 2014 08:18:00 GMT<br>
Accept-Ranges: bytes<br>
Content-Length: 1553<br>
Cache-Control: max-age=172800<br>
Expires: Fri, 15 Aug 2014 23:32:12 GMT<br>
Keep-Alive: timeout=3, max=8<br>
Connection: Keep-Alive<br>
Content-Type: image/gif<br><<< skipped >>></font><br><br><font color="red">GET /blank.gif?product=st_sd_prefetch&event=sc_eval&id_session=7BFA1B9E-C8F3-46AE-87F5-0A1EBF8B3107&params={"campaign_id":"100733","sc_id":"1124","sc_type":"ns","met":false,"sd_flag":1} HTTP/1.1<br>User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C) SoftonicDownloader/1.41.3<br>
Host: softonic-analytics.net<br>
Accept: */*<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Date: Wed, 13 Aug 2014 23:32:10 GMT<br>
Server: Apache<br>
Set-Cookie: softonic_analytics-admin=deleted; expires=Tue, 13-Aug-2013 23:32:09 GMT; path=/; domain=softonic-analytics.net<br>
Expires: Mon, 26 Jul 1997 05:00:00 GMT<br>
Cache-control: max-age=0, must-revalidate<br>
Pragma: no-cache<br>
Content-Length: 35<br>
Connection: close<br>
Content-Type: image/gif<br><pre>GIF89a.............,...........D..;..</pre></font><br><br>
<font color="red">GET /campaign/scrn/100000/100861/sd_icon_100861_8a4a3.png HTTP/1.1<br>
Accept: */*<br>
Referer: hXXp://hitman-pro.sd.softonic.com/98580/universaldownloader/campaign-100861,100733?sd_timestamp=1407954787<br>
Accept-Language: en-us<br>
Accept-Encoding: gzip, deflate<br>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C) SoftonicDownloader/1.41.3<br>
Host: screenshots.en.sftcdn.net<br>
Connection: Keep-Alive<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Server: Apache<br>
Last-Modified: Tue, 25 Mar 2014 08:34:17 GMT<br>
Cache-Control: max-age=172800<br>
Content-Type: image/png<br>
Content-Length: 1191<br>
Accept-Ranges: bytes<br>
Date: Wed, 13 Aug 2014 23:32:12 GMT<br>
Connection: keep-alive<br>
Age: 0<br>
X-Served-By: screenshots<br>
X-Cache: HIT<br>
X-Cache-Hits: 3846<br>
Expires: Fri, 15 Aug 2014 23:32:12 GMT<br><<< skipped >>></font><br><br><font color="red">GET /campaign/scrn/100000/100733/sd_100733_cf3f5.jpg HTTP/1.1<br>Accept: */*<br>
Referer: hXXp://hitman-pro.sd.softonic.com/98580/universaldownloader/campaign-100861,100733?sd_timestamp=1407954787<br>
Accept-Language: en-us<br>
Accept-Encoding: gzip, deflate<br>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C) SoftonicDownloader/1.41.3<br>
Host: screenshots.en.sftcdn.net<br>
Connection: Keep-Alive<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Server: Apache<br>
Last-Modified: Tue, 25 Feb 2014 13:58:09 GMT<br>
Cache-Control: max-age=172800<br>
Content-Type: image/jpeg<br>
Content-Length: 55535<br>
Accept-Ranges: bytes<br>
Date: Wed, 13 Aug 2014 23:32:12 GMT<br>
Connection: keep-alive<br>
Age: 0<br>
X-Served-By: screenshots<br>
X-Cache: HIT<br>
X-Cache-Hits: 1064<br>
Expires: Fri, 15 Aug 2014 23:32:12 GMT<br><<< skipped >>></font><br><br><font color="red">GET /campaign/scrn/100000/100733/sd_100733_cf3f5.jpg?v=0.6483588568132502 HTTP/1.1<br>Accept: */*<br>
Referer: hXXp://hitman-pro.sd.softonic.com/98580/universaldownloader/campaign-100861,100733?sd_timestamp=1407954787<br>
Accept-Language: en-us<br>
Accept-Encoding: gzip, deflate<br>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C) SoftonicDownloader/1.41.3<br>
Host: screenshots.en.sftcdn.net<br>
Connection: Keep-Alive<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Server: Apache<br>
Last-Modified: Tue, 25 Feb 2014 13:58:09 GMT<br>
Cache-Control: max-age=172800<br>
Content-Type: image/jpeg<br>
Content-Length: 55535<br>
Accept-Ranges: bytes<br>
Date: Wed, 13 Aug 2014 23:32:13 GMT<br>
Connection: keep-alive<br>
Age: 0<br>
X-Served-By: screenshots<br>
X-Cache: MISS<br>
X-Cache-Hits: 0<br>
Expires: Fri, 15 Aug 2014 23:32:13 GMT<br><<< skipped >>></font><br><br><font color="red">GET /blank.gif?product=st_activity&event=prefetch:campaigns:selected&id_session=7BFA1B9E-C8F3-46AE-87F5-0A1EBF8B3107&params={"1":{"id_campaign":"100861"},"2":{"id_campaign":"100733"}} HTTP/1.1<br>User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C) SoftonicDownloader/1.41.3<br>
Host: softonic-analytics.net<br>
Accept: */*<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Date: Wed, 13 Aug 2014 23:32:10 GMT<br>
Server: Apache<br>
Set-Cookie: softonic_analytics-admin=deleted; expires=Tue, 13-Aug-2013 23:32:10 GMT; path=/; domain=softonic-analytics.net<br>
Expires: Mon, 26 Jul 1997 05:00:00 GMT<br>
Cache-control: max-age=0, must-revalidate<br>
Pragma: no-cache<br>
Content-Length: 35<br>
Connection: close<br>
Content-Type: image/gif<br><pre>GIF89a.............,...........D..;..</pre></font><br><br>
<font color="red">GET /blank.gif?product=st_sd_prefetch&event=sc_eval&id_session=7BFA1B9E-C8F3-46AE-87F5-0A1EBF8B3107&params={"campaign_id":"100733","sc_id":"-2","sc_type":"ns","met":false,"sd_flag":1} HTTP/1.1<br>User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C) SoftonicDownloader/1.41.3<br>
Host: softonic-analytics.net<br>
Accept: */*<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Date: Wed, 13 Aug 2014 23:32:10 GMT<br>
Server: Apache<br>
Set-Cookie: softonic_analytics-admin=deleted; expires=Tue, 13-Aug-2013 23:32:09 GMT; path=/; domain=softonic-analytics.net<br>
Expires: Mon, 26 Jul 1997 05:00:00 GMT<br>
Cache-control: max-age=0, must-revalidate<br>
Pragma: no-cache<br>
Content-Length: 35<br>
Connection: close<br>
Content-Type: image/gif<br><pre>GIF89a.............,...........D..;..</pre></font><br><br>
<font color="red">GET /blank.gif?product=st_sd_prefetch&event=sc_eval&id_session=7BFA1B9E-C8F3-46AE-87F5-0A1EBF8B3107&params={"campaign_id":"100861","sc_id":"-1","sc_type":"ns","met":false,"sd_flag":1} HTTP/1.1<br>User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C) SoftonicDownloader/1.41.3<br>
Host: softonic-analytics.net<br>
Accept: */*<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Date: Wed, 13 Aug 2014 23:32:10 GMT<br>
Server: Apache<br>
Set-Cookie: softonic_analytics-admin=deleted; expires=Tue, 13-Aug-2013 23:32:09 GMT; path=/; domain=softonic-analytics.net<br>
Expires: Mon, 26 Jul 1997 05:00:00 GMT<br>
Cache-control: max-age=0, must-revalidate<br>
Pragma: no-cache<br>
Content-Length: 35<br>
Connection: close<br>
Content-Type: image/gif<br><pre>GIF89a.............,...........D..;..</pre></font><br><br>
<font color="red">GET /pagead/show_companion_ad.js HTTP/1.1<br>
Accept: */*<br>
Referer: hXXp://hitman-pro.sd.softonic.com/98580/universaldownloader/campaign-100861,100733?sd_timestamp=1407954787<br>
Accept-Language: en-us<br>
Accept-Encoding: gzip, deflate<br>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C) SoftonicDownloader/1.41.3<br>
Host: pagead2.googlesyndication.com<br>
Connection: Keep-Alive<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
P3P: policyref="hXXp://VVV.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA IVD OTP OUR OTR IND OTC"<br>
Content-Type: text/javascript; charset=UTF-8<br>
ETag: 7246099845880564243<br>
Date: Wed, 13 Aug 2014 23:00:22 GMT<br>
Expires: Thu, 14 Aug 2014 00:00:22 GMT<br>
X-Content-Type-Options: nosniff<br>
Content-Disposition: attachment; filename="f.txt"<br>
Content-Encoding: gzip<br>
Server: cafe<br>
Content-Length: 44633<br>
X-XSS-Protection: 1; mode=block<br>
Age: 1910<br>
Cache-Control: public, max-age=3600<br>
Alternate-Protocol: 80:quic<br><<< skipped >>></font><br><br><font color="red">GET /__utm.gif?utmwv=5.4.6&utms=5&utmn=863010644&utmhn=hitman-pro.sd.softonic.com&utmcs=utf-8&utmsr=1024x768&utmvp=650x450&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=Asistente de instalación de Hitman&utmhid=835284767&utmr=http://unknown_browser_unknown_version&utmp=/start_api&utmht=1407954790462&utmac=UA-152357-4&utmcc=__utma=185463600.1416413502.1407954787.1407954787.1407954787.1;+__utmz=185463600.1407954787.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmmt=1&utmu=qACgAAAAC~ HTTP/1.1<br>
Accept: */*<br>
Referer: hXXp://hitman-pro.sd.softonic.com/98580/universaldownloader/campaign-100861,100733?sd_timestamp=1407954787<br>
Accept-Language: en-us<br>
Accept-Encoding: gzip, deflate<br>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C) SoftonicDownloader/1.41.3<br>
Host: VVV.google-analytics.com<br>
Connection: Keep-Alive<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Pragma: no-cache<br>
Expires: Wed, 19 Apr 2000 11:43:00 GMT<br>
Last-Modified: Wed, 21 Jan 2004 19:51:30 GMT<br>
X-Content-Type-Options: nosniff<br>
Content-Type: image/gif<br>
Date: Thu, 07 Aug 2014 16:10:01 GMT<br>
Server: Golfe2<br>
Content-Length: 35<br>
Cache-Control: private, no-cache, no-cache=Set-Cookie, proxy-revalidate<br>
Age: 544932<br>
Alternate-Protocol: 80:quic<br><pre>GIF89a.............,...........D..;</font>....</pre></font><br><br><font color="red">GET /__utm.gif?utmwv=5.4.6&utms=7&utmn=1462241216&utmhn=hitman-pro.sd.softonic.com&utmcs=utf-8&utmsr=1024x768&utmvp=650x450&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=Asistente de instalación de Hitman&utmhid=835284767&utmr=http://unknown_browser_unknown_version&utmp=/legal_timestamp&utmht=1407954790587&utmac=UA-152357-4&utmcc=__utma=185463600.1416413502.1407954787.1407954787.1407954787.1;+__utmz=185463600.1407954787.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmmt=1&utmu=qACgAAAAC~ HTTP/1.1<br>
Accept: */*<br>
Referer: hXXp://hitman-pro.sd.softonic.com/98580/universaldownloader/campaign-100861,100733?sd_timestamp=1407954787<br>
Accept-Language: en-us<br>
Accept-Encoding: gzip, deflate<br>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C) SoftonicDownloader/1.41.3<br>
Host: VVV.google-analytics.com<br>
Connection: Keep-Alive<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Pragma: no-cache<br>
Expires: Wed, 19 Apr 2000 11:43:00 GMT<br>
Last-Modified: Wed, 21 Jan 2004 19:51:30 GMT<br>
X-Content-Type-Options: nosniff<br>
Content-Type: image/gif<br>
Date: Thu, 07 Aug 2014 16:10:01 GMT<br>
Server: Golfe2<br>
Content-Length: 35<br>
Cache-Control: private, no-cache, no-cache=Set-Cookie, proxy-revalidate<br>
Age: 544932<br>
Alternate-Protocol: 80:quic<br><pre>GIF89a.............,...........D..;</font>....</pre></font><br><br><font color="red">GET /__utm.gif?utmwv=5.4.6&utms=9&utmn=416444187&utmhn=hitman-pro.sd.softonic.com&utmcs=utf-8&utmsr=1024x768&utmvp=650x450&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=Asistente de instalación de Hitman&utmhid=835284767&utmr=http://unknown_browser_unknown_version&utmp=/C100733--load2&utmht=1407954790712&utmac=UA-152357-4&utmcc=__utma=185463600.1416413502.1407954787.1407954787.1407954787.1;+__utmz=185463600.1407954787.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmmt=1&utmu=qACgAAAAC~ HTTP/1.1<br>
Accept: */*<br>
Referer: hXXp://hitman-pro.sd.softonic.com/98580/universaldownloader/campaign-100861,100733?sd_timestamp=1407954787<br>
Accept-Language: en-us<br>
Accept-Encoding: gzip, deflate<br>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C) SoftonicDownloader/1.41.3<br>
Host: VVV.google-analytics.com<br>
Connection: Keep-Alive<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Pragma: no-cache<br>
Expires: Wed, 19 Apr 2000 11:43:00 GMT<br>
Last-Modified: Wed, 21 Jan 2004 19:51:30 GMT<br>
X-Content-Type-Options: nosniff<br>
Content-Type: image/gif<br>
Date: Thu, 07 Aug 2014 16:10:01 GMT<br>
Server: Golfe2<br>
Content-Length: 35<br>
Cache-Control: private, no-cache, no-cache=Set-Cookie, proxy-revalidate<br>
Age: 544932<br>
Alternate-Protocol: 80:quic<br><pre>GIF89a.............,...........D..;..</pre></font><br><br
GET /csi?v=3&s=gpt&action=global&e=publisher_ads,companion_ads&vrg=46&rt=load.1562 HTTP/1.1
Accept: */*
Referer: hXXp://hitman-pro.sd.softonic.com/98580/universaldownloader/campaign-100861,100733?sd_timestamp=1407954787
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C) SoftonicDownloader/1.41.3
Host: csi.gstatic.com
Connection: Keep-Alive

HTTP/1.1 204 No Content
Pragma: no-cache
Cache-Control: private, no-cache
Expires: Wed, 17 Sep 1975 21:32:10 GMT
Access-Control-Allow-Origin: *
Last-Modified: Wed, 21 Jan 2004 19:51:30 GMT
Content-Type: image/gif
Date: Wed, 13 Aug 2014 23:32:14 GMT
Server: Golfe2
Content-Length: 0
Alternate-Protocol: 80:quic

GET /blank.gif?product=st_sd_prefetch&event=sc_eval&id_session=7BFA1B9E-C8F3-46AE-87F5-0A1EBF8B3107&params={"campaign_id":"100733","sc_id":"1239","sc_type":"ns","met":false,"sd_flag":1} HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C) SoftonicDownloader/1.41.3
Host: softonic-analytics.net
Accept: */*

HTTP/1.1 200 OK
Date: Wed, 13 Aug 2014 23:32:10 GMT
Server: Apache
Set-Cookie: softonic_analytics-admin=deleted; expires=Tue, 13-Aug-2013 23:32:10 GMT; path=/; domain=softonic-analytics.net
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-control: max-age=0, must-revalidate
Pragma: no-cache
Content-Length: 35
Connection: close
Content-Type: image/gif

GIF89a.............,...........D..;..

GET /blank.gif?product=st_sd_prefetch&event=camp_rpm&id_session=7BFA1B9E-C8F3-46AE-87F5-0A1EBF8B3107&params={"101197":{"campaign_id":"101197","default_rpm":5139},"100942":{"campaign_id":"100942","default_rpm":4715},"100861":{"campaign_id":"100861","default_rpm":8418},"100733":{"campaign_id":"100733","default_rpm":9092},"100727":{"campaign_id":"100727","default_rpm":5286},"100712":{"campaign_id":"100712","default_rpm":1051},"100711":{"campaign_id":"100711","default_rpm":940},"100707":{"campaign_id":"100707","default_rpm":414},"100516":{"campaign_id":"100516","default_rpm":1161},"50593":{"campaign_id":"50593","default_rpm":271},"41483":{"campaign_id":"41483","default_rpm":1},"100978":{"campaign_id":"100978","default_rpm":1126},"sd_flag":1} HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C) SoftonicDownloader/1.41.3
Host: softonic-analytics.net
Accept: */*

HTTP/1.1 200 OK
Date: Wed, 13 Aug 2014 23:32:10 GMT
Server: Apache
Set-Cookie: softonic_analytics-admin=deleted; expires=Tue, 13-Aug-2013 23:32:09 GMT; path=/; domain=softonic-analytics.net
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-control: max-age=0, must-revalidate
Pragma: no-cache
Content-Length: 35
Connection: close
Content-Type: image/gif

GIF89a.............,...........D..;..

GET /shared/img/sd_client/sprite.png HTTP/1.1
Accept: */*
Referer: hXXp://hitman-pro.sd.softonic.com/98580/universaldownloader/campaign-100861,100733?sd_timestamp=1407954787
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C) SoftonicDownloader/1.41.3
Host: static.sd-client.softonic.com
Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Wed, 13 Aug 2014 23:32:12 GMT
Server: Apache
Last-Modified: Thu, 29 May 2014 10:13:33 GMT
Accept-Ranges: bytes
Content-Length: 7892
Cache-Control: max-age=172800
Expires: Fri, 15 Aug 2014 23:32:12 GMT
Keep-Alive: timeout=3, max=10
Connection: Keep-Alive
Content-Type: image/png

<<< skipped >>>

The Trojan connects to the servers at the following location(s):
%original file name%.exe_528_rwx_00401000_000F7000:
`.rdata
@.data
.rsrc
H[%s] %s
[%d][%s|%s][%s][%s]
[%d][%s|%s][%s][%s][%s]
Glog.txt
HKERNEL32.DLL
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
mscoree.dll
WUSER32.DLL
.temp
Ld-d-d
[%d] [%lld|%lld]
1.41.3
Got Elevation URL. [%s]
New URL was not valid.
@Received message %s
xxxxxxxxxxx
explorer.exe "
[%d %d]
Hchrome
firefox
0.0.0.0
Web View
Web Host
%d|%d|%d
errorUrl
%s(%s)
%s --> (%s)
.swf?
.jpg?
.gif?
.png?
Value: %d
%s\*.*
%s\%s
Proxy by URL are not supported.
Automatic proxy discovery are not supported.
http=
https=
CPTF://
- URL:
[%d] Starting thread...
[%d] Thread Creation OK!
[%d] Error creating thread! trying again...
[%d] Thread started...
Bhttp/
%d - [%d][%lld/%lld][%lld]
json_writer.cpp
Hjson_value.cpp
Software\Classes\http\shell\open\command\
http\shell\open\command\
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice\
Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice\
chrome.exe
iexplore.exe
firefox.exe
opera.exe
opera
safari.ex
browser.startup.homepage
browser.search.order.1
browser.search.order.2
browser.search.order.3
prefs.js
\"(.)*.;
browser.search.selectedEngine
browser.search.defaultenginename
browser.search.useDBForOrder
user_pref("browser.search.useDBForOrder", "false");browser.search.useDBForOrder", "false");
browser.search.useDBForOrder.*
%s*.*
Software\Mozilla\Mozilla Firefox\
\Google\Chrome
SOFTWARE\Mozilla\Mozilla Firefox
SOFTWARE\Mozilla\Mozilla Firefox\
PathToExe
\Mozilla\Firefox\profiles.ini
\Mozilla\Firefox\
\search-metadata.json
ljson_reader.cpp
log.txt
Assertion failed: %s, file %s, line %d
%original file name%.exe_528_rwx_004FB000_00001000:
%original file name%.exe_528_rwx_004FD000_00010000:
%original file name%.exe_528_rwx_00B10000_0108E000:
%original file name%.exe_528_rwx_01EA0000_00002000:
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.rsrc
Explorer.EXE_128_rwx_00E70000_00002000:
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.rsrc
%original file name%.exe_528_rwx_01FB0000_00001000:
|%original file name%.exeM_528_
Explorer.EXE_128_rwx_00E80000_00001000:
|explorer.exeM_128_
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\f[1].txt (392 bytes)
%WinDir%\system.ini (72 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\CA4TAJWL.gif (35 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\CAQBKHYB.gif (35 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\CAPH7ZUK.gif (35 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\sd_100733_cf3f5[1].jpg (4920 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\campaign-100861,100733[1].htm (2006 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\sd_100861_41d97[2].jpg (1016 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\fad58-59ade[1].css (780 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\pubads_impl_46[1].js (2696 bytes)
C:\autorun.inf (325 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\Reader_sl.exe (432 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\CA6JILM5.gif (35 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\CAPWA1H3.gif (35 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\gradientbg[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\CASTMF2R.gif (35 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\sd_100861_41d97[1].jpg (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\winlruq.exe (741 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\sd_100733_cf3f5[1].jpg (7450 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\f[2].txt (829 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\pubads_impl_46[1].js (3573 bytes)
%System%\wbem\Logs\wbemprox.log (152 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (187 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\hitman-18[1].png (844 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\f[1].txt (3656 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\sd_icon_100861_8a4a3[1].png (1 bytes)
C:\rdhxl.pif (103 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\universaldownloader-prefetch[1].htm (657 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\sprite[1].png (7 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (209 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (11258 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\fad58-59ade[2].css (529 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\CAWXEJGD.gif (35 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (23136 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\loading[1].gif (1 bytes)
%Program Files%\Common Files\Java\Java Update\jusched.exe (272 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\306e0-148e0[1].js (7571 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (11634 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\f[2].txt (4261 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.