Worm.Win32.AutoItGen_b9242fe81a

by malwarelabrobot on December 19th, 2014 in Malware Descriptions.

WormAutoItGen.YR, GenericAutorunWorm.YR (Lavasoft MAS)
Behaviour: Worm, WormAutorun


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: b9242fe81a7c95a53dc79ded71c30a4c
SHA1: 0529bccab3f016bdd330ef25a46f5e55677b38b9
SHA256: ccd2d1a84cbf2e1a5b7b0447ed93c717dc12b625c2647554245c1172cfa75388
SSDeep: 12288:rxpJfslZtuaVd9lpmhwQbift489IVGD4xJFl6Xqb5Kbmkg8SH:lp9sVuaVdvgVbmgGDijyikg5H
Size: 840936 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2014-07-15 19:29:31
Analyzed on: Windows7Ada SP1 64-bit


Summary:

Worm. A program that primarily replicates across networks or removable drives.

Payload

Behaviour: WormAutorun
Description: A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.


Process activity

The Worm creates the following process(es):

TPAutoConnSvc.exe:1844
tdtjpd.exe:3016
%original file name%.exe:2836
%original file name%.exe:992
vcredist.exe:2708
vcredist.exe:816

The Worm injects its code into the following process(es):

%original file name%.exe:720
Upd4terSrv.exe:2920

Mutexes

The following mutexes were created/opened:

ZonesCacheCounterMutex
ZonesLockedCacheCounterMutex
DBWinMutex
!IECompat!Mutex
MidiMapper_modLongMessage_RefCnt
_!SHMSFTHISTORY!_

File activity

The process tdtjpd.exe:3016 makes changes in the file system.
The Worm creates and/or writes to the following file(s):


The process %original file name%.exe:2836 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsz896C.tmp (6522 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsz896D.tmp\LuaBridge.dll (1921 bytes)

The process %original file name%.exe:720 makes changes in the file system.
The Worm creates and/or writes to the following file(s):


The process %original file name%.exe:992 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsz86AE.tmp (6522 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso86BE.tmp\LuaBridge.dll (1921 bytes)

The process vcredist.exe:2708 makes changes in the file system.
The Worm creates and/or writes to the following file(s):


The process vcredist.exe:816 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\dd_vcredist_x86_20141218152947_1_vcRuntimeAdditional_x86.log (76054 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\dd_vcredist_x86_20141218152947_0_vcRuntimeMinimum_x86.log (74578 bytes)
C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\state.rsm (1352 bytes)
C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe (2321 bytes)

Registry activity

The process TPAutoConnSvc.exe:1844 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\ThinPrint\TPPrnUI\HP LaserJet Professional M1212nf MFP#:3]
"TrayData" = "2,Tray 3, 3,Tray 2, 1,Tray 1, 4,Manual Feed, 7,Auto Select"
"FormData" = "1,2159,2794,Letter¶40,40,2086,2712, 5,2159,3556,Legal¶40,40,2086,3474, 9,2100,2970,A4¶39,39,2032,2890, 7,1842,2667,Executive¶40,40,1761,2585, 258,2159,3302,8.5 x 13 (custom)¶40,40,2086,3220, 11,1480,2100,A5¶39,39,1408,2020, 70,1050,1480,A6¶39,39,975,1399, 13,1820,2570,B5 (JIS)¶39,39,1747,2490, 264,1950,2700,16K 195x270¶39,39,1882,2620, 263,1840,2600,16K 184x260¶39,39,1761,2520, 257,1970,2730,16K 197x273¶39,39,1896,2650, 43,1000,1480,Japanese Postcard¶39,39,921,1399, 82,1480,2000,Double Japan Postcard Rotated¶39,39,1408,1919, 20,1046,2413,Envelope #10¶40,40,975,2331, 37,983,1905,Envelope Monarch¶40,40,907,1823, 34,1760,2500,Envelope B5¶39,39,1693,2420, 28,1620,2290,Envelope C5¶39,39,1544,2209, 27,1100,2200,Envelope DL¶39,39,1029,2120"
"DelAfterCreate" = "1"

[HKU\.DEFAULT\Printers\DevModes2]
"HP LaserJet Professional M1212nf MFP#:3" = "48 00 50 00 20 00 4C 00 61 00 73 00 65 00 72 00"

The Worm deletes the following registry key(s):

[HKLM\SOFTWARE\ThinPrint\TPPrnUI\HP LaserJet Professional M1212nf MFP#:3]

The process tdtjpd.exe:3016 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SoftwareUpdater]
"DisplayName" = "SoftwareUpdater"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ef-0d-5d]
"WpadDecision" = "0"
"WpadDecisionTime" = "9A 85 11 0C C6 1A D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EE1E4E39-627C-4D52-9D86-A515AB38A003}]
"WpadNetworkName" = "Network"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ef-0d-5d]
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EE1E4E39-627C-4D52-9D86-A515AB38A003}]
"WpadDecisionReason" = "1"

[HKLM\SOFTWARE\Wow6432Node\SoftwareUpdater]
"versionUpdaterSw" = "1.1.8.14351"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ef-0d-5d]
"WpadDetectedUrl" = ""

[HKLM\SOFTWARE\Wow6432Node\SoftwareUpdater]
"UpdaterPath" = "%Program Files% (x86)\SoftwareUpdater\AppsUpd4ter.exe"
"channel_id" = "1033"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3E 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EE1E4E39-627C-4D52-9D86-A515AB38A003}]
"WpadDecision" = "0"

[HKLM\SOFTWARE\Wow6432Node\SoftwareUpdater]
"enduser_id" = "188998987"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EE1E4E39-627C-4D52-9D86-A515AB38A003}]
"WpadDecisionTime" = "87 21 C1 AF C6 1A D0 01"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SoftwareUpdater]
"UninstallString" = "%Program Files% (x86)\SoftwareUpdater\uninstall.exe"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Worm deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EE1E4E39-627C-4D52-9D86-A515AB38A003}]
"WpadDetectedUrl"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoDetect"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ef-0d-5d]
"WpadDetectedUrl"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

The process %original file name%.exe:2836 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VMwareDnD\31ec1c24\PUPautoinsaller_v1.exe, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VMwareDnD\31ec1c24\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VMwareDnD\6c88b866\python.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VMwareDnD\6c88b866\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsz896D.tmp\LuaBridge.dll,"

The process %original file name%.exe:720 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm]
"fdwSupport" = "1"
"aFormatTagCache" = "01 00 00 00 10 00 00 00 02 00 00 00 32 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ef-0d-5d]
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711]
"cFormatTags" = "3"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm]
"fdwSupport" = "1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm]
"cFormatTags" = "2"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711]
"cFilterTags" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm]
"cFilterTags" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EE1E4E39-627C-4D52-9D86-A515AB38A003}]
"WpadDecision" = "0"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610]
"fdwSupport" = "1"
"cFilterTags" = "0"
"cFormatTags" = "2"
"aFormatTagCache" = "01 00 00 00 10 00 00 00 31 00 00 00 14 00 00 00"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711]
"fdwSupport" = "1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm]
"aFormatTagCache" = "01 00 00 00 10 00 00 00 11 00 00 00 14 00 00 00"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm]
"cFilterTags" = "0"

[HKCU\Software\Classes\Local Settings\MuiCache\2B\52C64B7E]
"LanguageList" = "en-US, en"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3D 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ef-0d-5d]
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EE1E4E39-627C-4D52-9D86-A515AB38A003}]
"WpadDecisionReason" = "1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm]
"cFormatTags" = "2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EE1E4E39-627C-4D52-9D86-A515AB38A003}]
"WpadNetworkName" = "Network"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"

[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4]
"Blob" = "0F 00 00 00 01 00 00 00 14 00 00 00 5D 82 AD B9"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ef-0d-5d]
"WpadDecisionTime" = "9A 85 11 0C C6 1A D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EE1E4E39-627C-4D52-9D86-A515AB38A003}]
"WpadDecisionTime" = "9A 85 11 0C C6 1A D0 01"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711]
"aFormatTagCache" = "01 00 00 00 10 00 00 00 06 00 00 00 12 00 00 00"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Worm deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoDetect"
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ef-0d-5d]
"WpadDetectedUrl"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EE1E4E39-627C-4D52-9D86-A515AB38A003}]
"WpadDetectedUrl"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates]
"2796BAE63F1801E277261BA0D77770028F20EEE4"

The process vcredist.exe:816 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}]
"BundleTag" = "Type: REG_SZ, Length: 0"

[HKCR\Installer\Dependencies\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}]
"Version" = "11.0.61030.0"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}]
"QuietUninstallString" = "C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe /uninstall /quiet"
"BundleAddonCode" = "Type: REG_MULTI_SZ, Length: 0"
"BundleDetectCode" = "Type: REG_MULTI_SZ, Length: 0"
"BundleCachePath" = "C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe"
"NoElevateOnModify" = "1"
"DisplayIcon" = "C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe,0"
"BundlePatchCode" = "Type: REG_MULTI_SZ, Length: 0"

[HKCU\Software\Classes\Local Settings\MuiCache\2B\52C64B7E]
"LanguageList" = "en-US, en"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}]
"ModifyPath" = "C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe /modify"
"DisplayName" = "Microsoft Visual C 2012 Redistributable (x86) - 11.0.61030"
"Installed" = "1"
"EstimatedSize" = "17800"
"EngineVersion" = "3.6.3542.0"
"BundleVersion" = "11.0.61030.0"
"BundleProviderKey" = "{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}"
"DisplayVersion" = "11.0.61030.0"
"Publisher" = "Microsoft Corporation"
"UninstallString" = "C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe /uninstall"
"Resume" = "1"
"BundleUpgradeCode" = "{0B65F2F3-A845-36BB-848A-5D939826EBE4}"

[HKCR\Installer\Dependencies\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}]
"DisplayName" = "Microsoft Visual C 2012 Redistributable (x86) - 11.0.61030"

To automatically run itself each time Windows is booted, the Worm adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}" = "C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe /burn.log.append C:\Users\"%CurrentUserName%"\AppData\Local\Temp\dd_vcredist_x86_20141218152947.log /quiet ignored /burn.runonce"

The Worm deletes the following value(s) in system registry:

[HKCR\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_x86,v11\Dependents\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}]
"MinVersion"

[HKCR\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditional_x86,v11\Dependents\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}]
"MaxVersion"
"MinVersion"

[HKCR\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimum_x86,v11\Dependents\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}]
"MinVersion"

[HKCR\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v11\Dependents\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}]
"MaxVersion"
"MinVersion"

[HKCR\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimum_x86,v11\Dependents\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}]
"MaxVersion"

[HKCR\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_x86,v11\Dependents\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}]
"MaxVersion"

The Worm disables automatic startup of the application by deleting the following autorun value:

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}"

Dropped PE files

MD5 File path
a990de9edf0145ca5b01761978f49432 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso86BE.tmp\LuaBridge.dll
fad9d09fc0267e8513b8628e767b2604 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\ButtonEvent.dll
0f26c6d34d3841e93145dd00d0175651 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\FloatingProgress.dll
a990de9edf0145ca5b01761978f49432 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\LuaBridge.dll
4a4845ba1666907f708c9c10a31ec227 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\LuaSocket\mime\core.dll
4bf7db111acfa7c28ad36606107b3322 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\LuaSocket\socket\core.dll
7292b642bd958aeb7fd7cfd19e45b068 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\LuaXml_lib.dll
7e3c808299aa2c405dffa864471ddb7f c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\System.dll
d02a497be5f89c44827f142c4662f591 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\UACInfo.dll
0a29e1b270ccea61aba7d7cdd10e0388 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\bit.dll
dd8a05024e825f75d3d151ea84bf414e c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\browserutils.dll
e6f8bce5bd3b59c5b1f3225d8f8d3b14 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\customNsWeb.dll
e390287499549de31da007f7f0ae4d10 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\ffi.dll
fceee0026aafd237afdb4aea4ecd3557 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\lua51.dll
b991f57d815ca821cdb42d2792db366f c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\luacom.dll
692479f7c07a64a6a632148e382f0e22 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\nsis7z.dll
5f13dbc378792f23e598079fc1e4422b c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\nsisunz.dll
5694e7daf20c47c8d5e73d4a838c2ee6 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\un.package.exe
ebc5bb904cdac1c67ada3fa733229966 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\versioninfo.dll
e626f4baffc82488c1efd873c250fb09 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\win32_pipeserver.dll
a990de9edf0145ca5b01761978f49432 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsz896D.tmp\LuaBridge.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.

VersionInfo

Company Name:
Product Name:
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description:
Comments:
Language: Language Neutral

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 23306 23552 4.47645 325c988d9f77e7ce27fe1fa6f6fd93f7
.rdata 28672 5397 5632 3.61721 64bdba47e612466214b378a9e0d4057c
.data 36864 109756 512 0.972488 c11d691b44d2912a53e6b566fedf2406
.ndata 147456 147456 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 294912 191960 192000 2.99591 27689cb0ad69a7df7e0617c8c171883d
.reloc 487424 2682 3072 0 d2a70550489de356a2cd6bfc40711204

Dropped from:

Downloaded by:

Similar by SSDeep:


Similar by Lavasoft Polymorphic Checker:

Total found: 74

URLs



IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

SURICATA UDPv4 invalid checksum
SURICATA IPv4 invalid checksum

Traffic

HEAD /sd?is=tr HTTP/1.1
User-Agent: Tightrope Bundle Manager(ref=[ea9d979dcbb4c5ffd1cbea8eff65e4806ada1b92];windows=6.1;uac=false;ie=9;elevated=true;dotnet=4;startTime=3115931;pid=720)
Host: install-cdn.allgenius.info
Content-Length: 0
Connection: Keep-Alive


HTTP/1.1 200 OK
Pragma: no-cache
Content-Type: application/octet-stream
Server: Microsoft-IIS/7.5
Content-Disposition: attachment; filename=allgeniusSetup.exe
X-AspNet-Version: 4.0.30319
SVR: SP003C2
X-Powered-By: ASP.NET
p3p: CP="CAO PSA OUR"
Content-Length: 583472
Cache-Control: private, max-age=86400
Expires: Fri, 19 Dec 2014 13:25:39 GMT
Date: Thu, 18 Dec 2014 13:25:39 GMT
Connection: keep-alive


GET /skins/da/03122014/DownloadAdmin-Generic-DLM.zip HTTP/1.1
User-Agent: Tightrope Bundle Manager(ref=[ea9d979dcbb4c5ffd1cbea8eff65e4806ada1b92];windows=6.1;uac=false;ie=9;elevated=true;dotnet=4;startTime=3115931;pid=720)
Host: mirror.mirror-files.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Apache
ETag: "f4474d468a32b9ec78bf53ceffffcb3b:1402673048"
Last-Modified: Fri, 13 Jun 2014 15:24:08 GMT
Accept-Ranges: bytes
Content-Length: 35976
Content-Type: application/zip
Date: Thu, 18 Dec 2014 13:25:18 GMT
Connection: keep-alive

<<< skipped >>>

GET /binstallers/BM2/vittalia/ipage/vittalia_primary_combo_2.mht HTTP/1.1

User-Agent: Tightrope Bundle Manager(ref=[ea9d979dcbb4c5ffd1cbea8eff65e4806ada1b92];windows=6.1;uac=false;ie=9;elevated=true;dotnet=4;startTime=3115931;pid=720)
Host: mirror.mirror-files.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Apache
ETag: "034d0615e36f0f9524de959ba10ca481:1417452401"
Last-Modified: Mon, 01 Dec 2014 16:46:41 GMT
Accept-Ranges: bytes
Content-Length: 62297
Content-Type: text/plain
Date: Thu, 18 Dec 2014 13:25:25 GMT
Connection: keep-alive

<<< skipped >>>

GET /binstallers/BM2/api/do_tracking_hit.lua HTTP/1.1

User-Agent: Tightrope Bundle Manager(ref=[ea9d979dcbb4c5ffd1cbea8eff65e4806ada1b92];windows=6.1;uac=false;ie=9;elevated=true;dotnet=4;startTime=3115931;pid=720)
Host: mirror.mirror-files.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Apache
ETag: "9cc9c7aa05eddd412b09d5b37d446f81:1404848561"
Last-Modified: Tue, 08 Jul 2014 19:42:41 GMT
Accept-Ranges: bytes
Content-Length: 913
Content-Type: text/plain
Date: Thu, 18 Dec 2014 13:25:25 GMT
Connection: keep-alive
--[[.-- Lua Script to perform tracking hits IT can be run at start off
er or finish and has aacces tot he variables.--]]..local http=require(
"wininet.http");.local json=require("json");..local main=function().
-- Need GuiInit. local guiinit=require("GuiInit");. local _Dow
nloads=require("Downloads");. local target=current.file._a_.Options
-- Get the options blob. -- No Target is specified then do nothing
. if target == "" or not target then. return; -- Blank so d
o nothing . end. target=current.expand_path(target);. -- Get
the command line and look for an option . --[[local cli=current.exp
and_path("$CMDLINE");. local opts=string.match(cli or "","--custom.
p.tid=([^ ] )");. ]]. -- Make a reques to the target Url. loc
al r,c,h = http.request{. method="POST",. url=target ,.
proxy=_Downloads.proxyForUrl(target). }..end...return main(
);.



GET /products/BM2/softwareupdater/ipage/softwareupdater_628.mht HTTP/1.1

User-Agent: Tightrope Bundle Manager(ref=[ea9d979dcbb4c5ffd1cbea8eff65e4806ada1b92];windows=6.1;uac=false;ie=9;elevated=true;dotnet=4;startTime=3115931;pid=720)
Host: mirror.mirror-files.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Apache
ETag: "c9ea80af3548458c96bb102b6107a2ff:1414182019"
Last-Modified: Fri, 24 Oct 2014 20:20:19 GMT
Accept-Ranges: bytes
Content-Length: 11587
Content-Type: text/plain
Date: Thu, 18 Dec 2014 13:25:25 GMT
Connection: keep-alive

<<< skipped >>>

GET /products/BM2/findwidetoolbar/ipage/findwide_updateadmin_combo_628.mht HTTP/1.1

User-Agent: Tightrope Bundle Manager(ref=[ea9d979dcbb4c5ffd1cbea8eff65e4806ada1b92];windows=6.1;uac=false;ie=9;elevated=true;dotnet=4;startTime=3115931;pid=720)
Host: mirror.mirror-files.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Apache
ETag: "2e0aefadbcdd20a1b1437a97926bcd1b:1416948312"
Last-Modified: Tue, 25 Nov 2014 20:45:12 GMT
Accept-Ranges: bytes
Content-Length: 69228
Content-Type: text/plain
Date: Thu, 18 Dec 2014 13:25:25 GMT
Connection: keep-alive

<<< skipped >>>

GET /products/BM2/findwidetoolbar/ipage/findwide_updateadmin_combo_628.mht HTTP/1.1

User-Agent: Tightrope Bundle Manager(ref=[ea9d979dcbb4c5ffd1cbea8eff65e4806ada1b92];windows=6.1;uac=false;ie=9;elevated=true;dotnet=4;startTime=3115931;pid=720)
Host: mirror.mirror-files.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Apache
ETag: "2e0aefadbcdd20a1b1437a97926bcd1b:1416948312"
Last-Modified: Tue, 25 Nov 2014 20:45:12 GMT
Accept-Ranges: bytes
Content-Length: 69228
Content-Type: text/plain
Date: Thu, 18 Dec 2014 13:25:26 GMT
Connection: keep-alive

<<< skipped >>>

GET /products/BM2/combos/contentexplorer_stormwatch_optimizerpro_updateadmin_628.mht HTTP/1.1

User-Agent: Tightrope Bundle Manager(ref=[ea9d979dcbb4c5ffd1cbea8eff65e4806ada1b92];windows=6.1;uac=false;ie=9;elevated=true;dotnet=4;startTime=3115931;pid=720)
Host: mirror.mirror-files.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Apache
ETag: "42be207ed658280b3f4ef5728e13fdec:1418845600"
Last-Modified: Wed, 17 Dec 2014 19:46:40 GMT
Accept-Ranges: bytes
Content-Length: 76325
Content-Type: text/plain
Date: Thu, 18 Dec 2014 13:25:26 GMT
Connection: keep-alive

<<< skipped >>>

GET /products/BM2/combos/arcadegiant_stormwatch_optimizerpro_updateadmin_628.mht HTTP/1.1

User-Agent: Tightrope Bundle Manager(ref=[ea9d979dcbb4c5ffd1cbea8eff65e4806ada1b92];windows=6.1;uac=false;ie=9;elevated=true;dotnet=4;startTime=3115931;pid=720)
Host: mirror.mirror-files.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Apache
ETag: "f81f9435b0f7bf2d51e92ba4bc6311a3:1418845601"
Last-Modified: Wed, 17 Dec 2014 19:46:41 GMT
Accept-Ranges: bytes
Content-Length: 76276
Content-Type: text/plain
Date: Thu, 18 Dec 2014 13:25:26 GMT
Connection: keep-alive

<<< skipped >>>

GET /products/BM2/combos/arcadegiant_stormwatch_optimizerpro_updateadmin_628.mht HTTP/1.1

User-Agent: Tightrope Bundle Manager(ref=[ea9d979dcbb4c5ffd1cbea8eff65e4806ada1b92];windows=6.1;uac=false;ie=9;elevated=true;dotnet=4;startTime=3115931;pid=720)
Host: mirror.mirror-files.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Apache
ETag: "f81f9435b0f7bf2d51e92ba4bc6311a3:1418845601"
Last-Modified: Wed, 17 Dec 2014 19:46:41 GMT
Accept-Ranges: bytes
Content-Length: 76276
Content-Type: text/plain
Date: Thu, 18 Dec 2014 13:25:26 GMT
Connection: keep-alive

<<< skipped >>>

GET /products/BM2/combos/knctr_stormwatch_optimizerpro_updateadmin_628.mht HTTP/1.1

User-Agent: Tightrope Bundle Manager(ref=[ea9d979dcbb4c5ffd1cbea8eff65e4806ada1b92];windows=6.1;uac=false;ie=9;elevated=true;dotnet=4;startTime=3115931;pid=720)
Host: mirror.mirror-files.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Apache
ETag: "bee859f72942202b8c08083235f6e488:1418845600"
Last-Modified: Wed, 17 Dec 2014 19:46:40 GMT
Accept-Ranges: bytes
Content-Length: 76285
Content-Type: text/plain
Date: Thu, 18 Dec 2014 13:25:27 GMT
Connection: keep-alive

<<< skipped >>>

GET /products/BM2/combos/wordproser_stormwatch_optimizerpro_triple_628_2.mht HTTP/1.1

User-Agent: Tightrope Bundle Manager(ref=[ea9d979dcbb4c5ffd1cbea8eff65e4806ada1b92];windows=6.1;uac=false;ie=9;elevated=true;dotnet=4;startTime=3115931;pid=720)
Host: mirror.mirror-files.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Apache
ETag: "df30d43158cf98a36ac67d50fdf29c26:1413906113"
Last-Modified: Tue, 21 Oct 2014 15:41:53 GMT
Accept-Ranges: bytes
Content-Length: 75833
Content-Type: text/plain
Date: Thu, 18 Dec 2014 13:25:27 GMT
Connection: keep-alive

<<< skipped >>>

GET /products/BM2/combos/knctr_stormwatch_tidy_updateadmin_628.mht HTTP/1.1

User-Agent: Tightrope Bundle Manager(ref=[ea9d979dcbb4c5ffd1cbea8eff65e4806ada1b92];windows=6.1;uac=false;ie=9;elevated=true;dotnet=4;startTime=3115931;pid=720)
Host: mirror.mirror-files.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Apache
ETag: "c83d95e89ada6b4ceb5ae4ccf3a56e23:1418845600"
Last-Modified: Wed, 17 Dec 2014 19:46:40 GMT
Accept-Ranges: bytes
Content-Length: 76353
Content-Type: text/plain
Date: Thu, 18 Dec 2014 13:25:27 GMT
Connection: keep-alive

<<< skipped >>>

GET /products/BM2/combos/tidy_stormwatch_optimizerpro_triple_628_3.mht HTTP/1.1

User-Agent: Tightrope Bundle Manager(ref=[ea9d979dcbb4c5ffd1cbea8eff65e4806ada1b92];windows=6.1;uac=false;ie=9;elevated=true;dotnet=4;startTime=3115931;pid=720)
Host: mirror.mirror-files.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Apache
ETag: "d56c3fa053a4272761f497a4b1b53156:1410460246"
Last-Modified: Thu, 11 Sep 2014 18:30:46 GMT
Accept-Ranges: bytes
Content-Length: 102694
Content-Type: text/plain
Date: Thu, 18 Dec 2014 13:25:27 GMT
Connection: keep-alive

<<< skipped >>>

GET /products/BM2/combos/wordproser_stormwatch_optimizerpro_triple_628_2.mht HTTP/1.1

User-Agent: Tightrope Bundle Manager(ref=[ea9d979dcbb4c5ffd1cbea8eff65e4806ada1b92];windows=6.1;uac=false;ie=9;elevated=true;dotnet=4;startTime=3115931;pid=720)
Host: mirror.mirror-files.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Apache
ETag: "df30d43158cf98a36ac67d50fdf29c26:1413906113"
Last-Modified: Tue, 21 Oct 2014 15:41:53 GMT
Accept-Ranges: bytes
Content-Length: 75833
Content-Type: text/plain
Date: Thu, 18 Dec 2014 13:25:28 GMT
Connection: keep-alive

<<< skipped >>>

GET /products/BM2/combos/tidy_stormwatch_pcoptpro_628_3.mht HTTP/1.1

User-Agent: Tightrope Bundle Manager(ref=[ea9d979dcbb4c5ffd1cbea8eff65e4806ada1b92];windows=6.1;uac=false;ie=9;elevated=true;dotnet=4;startTime=3115931;pid=720)
Host: mirror.mirror-files.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Apache
ETag: "c366cf4b06414069658f45fed9f6c0b9:1410460245"
Last-Modified: Thu, 11 Sep 2014 18:30:45 GMT
Accept-Ranges: bytes
Content-Length: 102884
Content-Type: text/plain
Date: Thu, 18 Dec 2014 13:25:28 GMT
Connection: keep-alive

<<< skipped >>>

GET /products/BM2/628/uniform/optimizerpro_tidy_double628.mht HTTP/1.1

User-Agent: Tightrope Bundle Manager(ref=[ea9d979dcbb4c5ffd1cbea8eff65e4806ada1b92];windows=6.1;uac=false;ie=9;elevated=true;dotnet=4;startTime=3115931;pid=720)
Host: mirror.mirror-files.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Apache
ETag: "5ea69c34d5cfb247b87389148c42810c:1377526515"
Last-Modified: Mon, 26 Aug 2013 14:15:15 GMT
Accept-Ranges: bytes
Content-Length: 72537
Content-Type: text/plain
Date: Thu, 18 Dec 2014 13:25:28 GMT
Connection: keep-alive

<<< skipped >>>

GET /products/BM2/combos/stormwatch_tidy_double_628_3.mht HTTP/1.1

User-Agent: Tightrope Bundle Manager(ref=[ea9d979dcbb4c5ffd1cbea8eff65e4806ada1b92];windows=6.1;uac=false;ie=9;elevated=true;dotnet=4;startTime=3115931;pid=720)
Host: mirror.mirror-files.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Apache
ETag: "c0eacbc70936e091d5c25ded7e38ce8b:1410460777"
Last-Modified: Thu, 11 Sep 2014 18:39:37 GMT
Accept-Ranges: bytes
Content-Length: 101791
Content-Type: text/plain
Date: Thu, 18 Dec 2014 13:25:28 GMT
Connection: keep-alive

<<< skipped >>>

GET /products/BM2/combos/optimizerpro_stormwatch_combo_628_3.mht HTTP/1.1

User-Agent: Tightrope Bundle Manager(ref=[ea9d979dcbb4c5ffd1cbea8eff65e4806ada1b92];windows=6.1;uac=false;ie=9;elevated=true;dotnet=4;startTime=3115931;pid=720)
Host: mirror.mirror-files.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Apache
ETag: "e558d883c39f6868c1076235bb0ce785:1410461597"
Last-Modified: Thu, 11 Sep 2014 18:53:17 GMT
Accept-Ranges: bytes
Content-Length: 101613
Content-Type: text/plain
Date: Thu, 18 Dec 2014 13:25:28 GMT
Connection: keep-alive

<<< skipped >>>

GET /products/BM2/findwidetoolbar/ipage/findwide_nocheckboxes_628.mht HTTP/1.1

User-Agent: Tightrope Bundle Manager(ref=[ea9d979dcbb4c5ffd1cbea8eff65e4806ada1b92];windows=6.1;uac=false;ie=9;elevated=true;dotnet=4;startTime=3115931;pid=720)
Host: mirror.mirror-files.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Apache
ETag: "67e1846cdcdbc12608ccee8c6c1c3f4c:1406225516"
Last-Modified: Thu, 24 Jul 2014 18:11:56 GMT
Accept-Ranges: bytes
Content-Length: 15545
Content-Type: text/plain
Date: Thu, 18 Dec 2014 13:25:29 GMT
Connection: keep-alive

<<< skipped >>>

GET /products/BM2/allgenius/ipage/allgenius_628.mht HTTP/1.1

User-Agent: Tightrope Bundle Manager(ref=[ea9d979dcbb4c5ffd1cbea8eff65e4806ada1b92];windows=6.1;uac=false;ie=9;elevated=true;dotnet=4;startTime=3115931;pid=720)
Host: mirror.mirror-files.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Apache
ETag: "5d39fe93435c79364150dd5a6ec9cde9:1401305709"
Last-Modified: Wed, 28 May 2014 19:35:09 GMT
Accept-Ranges: bytes
Content-Length: 30692
Content-Type: text/plain
Date: Thu, 18 Dec 2014 13:25:29 GMT
Connection: keep-alive

<<< skipped >>>

HEAD /tnt2/freshy/FreshyToolbar.exe HTTP/1.1

User-Agent: Tightrope Bundle Manager(ref=[ea9d979dcbb4c5ffd1cbea8eff65e4806ada1b92];windows=6.1;uac=false;ie=9;elevated=true;dotnet=4;startTime=3115931;pid=720)
Host: mirror.mirror-files.com
Content-Length: 0
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Apache
ETag: "94976ead18e170661effc912867700d7:1414713827"
Last-Modified: Fri, 31 Oct 2014 00:03:47 GMT
Accept-Ranges: bytes
Content-Length: 1365760
Content-Type: application/octet-stream
Date: Thu, 18 Dec 2014 13:25:36 GMT
Connection: keep-alive



HEAD /products/BM2/knctr/exe/knctr_02262014.exe HTTP/1.1

User-Agent: Tightrope Bundle Manager(ref=[ea9d979dcbb4c5ffd1cbea8eff65e4806ada1b92];windows=6.1;uac=false;ie=9;elevated=true;dotnet=4;startTime=3115931;pid=720)
Host: mirror.mirror-files.com
Content-Length: 0
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Apache
ETag: "9ab4a6bbcd543cec27e9905df4b533e9:1393428995"
Last-Modified: Wed, 26 Feb 2014 15:36:35 GMT
Accept-Ranges: bytes
Content-Length: 4606000
Content-Type: application/octet-stream
Date: Thu, 18 Dec 2014 13:25:38 GMT
Connection: keep-alive



HEAD /products/BM2/wordproser/exe/wordproser_11042014.exe HTTP/1.1

User-Agent: Tightrope Bundle Manager(ref=[ea9d979dcbb4c5ffd1cbea8eff65e4806ada1b92];windows=6.1;uac=false;ie=9;elevated=true;dotnet=4;startTime=3115931;pid=720)
Host: mirror.mirror-files.com
Content-Length: 0
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Apache
ETag: "8348cfd6a7c6c718dc9faa42ae600982:1415287545"
Last-Modified: Thu, 06 Nov 2014 15:25:39 GMT
Accept-Ranges: bytes
Content-Length: 1149000
Content-Type: application/octet-stream
Date: Thu, 18 Dec 2014 13:25:38 GMT
Connection: keep-alive



HEAD /tn/TidyNetwork.exe HTTP/1.1

User-Agent: Tightrope Bundle Manager(ref=[ea9d979dcbb4c5ffd1cbea8eff65e4806ada1b92];windows=6.1;uac=false;ie=9;elevated=true;dotnet=4;startTime=3115931;pid=720)
Host: mirror.mirror-files.com
Content-Length: 0
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Apache
ETag: "a6dd9630a63ba00b474f4d9430fd18a1:1418169275"
Last-Modified: Tue, 09 Dec 2014 23:54:35 GMT
Accept-Ranges: bytes
Content-Length: 1417464
Content-Type: application/octet-stream
Date: Thu, 18 Dec 2014 13:25:39 GMT
Connection: keep-alive


GET /pca3.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.verisign.com


HTTP/1.1 200 OK
Server: Apache
ETag: "8f6b3bcd9bb64555001fba64f5b01b92:1411517716"
Last-Modified: Wed, 24 Sep 2014 00:15:16 GMT
Date: Thu, 18 Dec 2014 13:29:18 GMT
Content-Length: 933
Connection: keep-alive
Content-Type: application/pkix-crl
<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com


HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1453
content-transfer-encoding: binary
Cache-Control: max-age=458533, public, no-transform, must-revalidate
Last-Modified: Tue, 16 Dec 2014 20:49:17 GMT
Expires: Tue, 23 Dec 2014 20:49:17 GMT
Date: Thu, 18 Dec 2014 13:29:18 GMT
Connection: keep-alive

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com


HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1790
content-transfer-encoding: binary
Cache-Control: max-age=474569, public, no-transform, must-revalidate
Last-Modified: Wed, 17 Dec 2014 01:14:37 GMT
Expires: Wed, 24 Dec 2014 01:14:37 GMT
Date: Thu, 18 Dec 2014 13:29:18 GMT
Connection: keep-alive

<<< skipped >>>

HEAD /s/2/2/228488-676828-adobe-flash-player.exe HTTP/1.1
User-Agent: Tightrope Bundle Manager(ref=[ea9d979dcbb4c5ffd1cbea8eff65e4806ada1b92];windows=6.1;uac=false;ie=9;elevated=true;dotnet=4;startTime=3115931;pid=720)
Host: pf.dlcvit.com
Content-Length: 0
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx
Date: Thu, 18 Dec 2014 13:25:32 GMT
Content-Type: application/octet-stream
Content-Length: 1054400
Last-Modified: Wed, 26 Nov 2014 20:02:31 GMT
Connection: keep-alive
Accept-Ranges: bytes


GET /pki/crl/products/MicrosoftTimeStampPCA.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Mon, 05 May 2014 05:04:34 GMT
If-None-Match: "87fbb3811f68cf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com


HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Sat, 04 Oct 2014 05:06:12 GMT
Accept-Ranges: bytes
ETag: "58cddbea90dfcf1:0"
Server: Microsoft-IIS/8.5
VTag: 279619316300000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 550
Cache-Control: max-age=900
Date: Thu, 18 Dec 2014 13:25:43 GMT
Connection: keep-alive



GET /pki/crl/products/microsoftrootcert.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Sat, 24 May 2014 05:04:51 GMT
If-None-Match: "96bfbfb1d77cf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com


HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Thu, 23 Oct 2014 05:05:32 GMT
Accept-Ranges: bytes
ETag: "a2f3ff97eeecf1:0"
Server: Microsoft-IIS/8.5
VTag: 791939326400000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 813
Cache-Control: max-age=900
Date: Thu, 18 Dec 2014 13:25:44 GMT
Connection: keep-alive



GET /pki/crl/products/WinPCA.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Wed, 07 May 2014 05:04:02 GMT
If-None-Match: "a413fc3b169cf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com


HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Mon, 06 Oct 2014 05:06:02 GMT
Accept-Ranges: bytes
ETag: "3e1c83923e1cf1:0"
Server: Microsoft-IIS/8.0
VTag: 438466244800000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 561
Cache-Control: max-age=900
Date: Thu, 18 Dec 2014 13:25:44 GMT
Connection: keep-alive



GET /pki/crl/products/MicCodSigPCA_08-31-2010.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Tue, 01 Jul 2014 05:04:34 GMT
If-None-Match: "924558f3e994cf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com


HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Thu, 13 Nov 2014 06:02:42 GMT
Accept-Ranges: bytes
ETag: "88cab6f7ffcf1:0"
Server: Microsoft-IIS/8.5
VTag: 791936916300000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 554
Cache-Control: max-age=900
Date: Thu, 18 Dec 2014 13:25:44 GMT
Connection: keep-alive

<<< skipped >>>

HEAD /111001042/OptimizerPro.exe HTTP/1.1
User-Agent: Tightrope Bundle Manager(ref=[ea9d979dcbb4c5ffd1cbea8eff65e4806ada1b92];windows=6.1;uac=false;ie=9;elevated=true;dotnet=4;startTime=3115931;pid=720)
Host: dl.softservers.net
Content-Length: 0
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.6.0
Date: Thu, 18 Dec 2014 13:25:39 GMT
Content-Type: application/octet-stream
Content-Length: 8014840
Last-Modified: Tue, 09 Dec 2014 15:28:03 GMT
Connection: keep-alive
ETag: "54871503-7a4bf8"
Content-Disposition: attachment; filename=OptimizerPro.exe


GET /env?browserVersion=9&osVersion=Vista&s=FREESO030Zec25d5ec3750a12b89bdaf3236b1f0ed&browserName=IE&c=VELISMEDIA2&brand=freempr13.bertrejota.com&pid=vittalia&aid=FREESOFTSTORECOM&bc=1162530&osName=Windows&country=UA HTTP/1.1
X-WebInstallCode: complete url:hXXp://service.downloadadmin.com/external-install?bc=1162530&pid=vittalia&brand=freempr13.bertrejota.com&aid=FREESOFTSTORECOM&s=FREESO030Zec25d5ec3750a12b89bdaf3236b1f0ed&c=VELISMEDIA2&osName=Windows&osVersion=Vista&browserName=IE&browserVersion=9&secure=true&productKey=m7izpsc3q6c6a6odoxbkvnqqt666qqkp
X-Exename: %original file name%.exe
X-WebInstallUrl: hXXp://service.downloadadmin.com/external-install?bc=1162530&pid=vittalia&brand=freempr13.bertrejota.com&aid=FREESOFTSTORECOM&s=FREESO030Zec25d5ec3750a12b89bdaf3236b1f0ed&c=VELISMEDIA2&osName=Windows&osVersion=Vista&browserName=IE&browserVersion=9&secure=true&productKey=m7izpsc3q6c6a6odoxbkvnqqt666qqkp
User-Agent: Tightrope Bundle Manager(ref=[ea9d979dcbb4c5ffd1cbea8eff65e4806ada1b92];windows=6.1;uac=false;ie=9;elevated=true;dotnet=4;startTime=3115931;pid=720)
Host: service.downloadadmin.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Expires: 0
Content-Type: text/xml;charset=UTF-8
Transfer-Encoding: chunked
Date: Thu, 18 Dec 2014 13:25:22 GMT
Age: 0
X-Cache: MISS
001166
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Installer>
<Environment>
<Entry name="over-threshold:PremierOpinion (US) (1459)">true</Entry>
<Entry name="over-threshold:PremierOpinion (US) (1458)">true</Entry>
<Entry name="over-threshold:Findwide Toolbar (YHS) (Partners) [TNTTB]">true</Entry>
<Entry name="over-threshold:Findwide Toolbar (YHS) (Partners) [TNTTB]">true</Entry>
<Entry name="over-threshold:LookThisUp (US)">true</Entry>
<Entry name="over-threshold:SaveDailyDeals (US)">true</Entry>
<Entry name="over-threshold:Priceless">true</Entry>
<Entry name="over-threshold:SystemOptimizerPro (US)">true</Entry>
<Entry name="over-threshold:WeatherBug">true</Entry>
<Entry name="over-threshold:PremierOpinion (UK) (1458)">true</Entry>
<Entry name="over-threshold:Taplika (GB)">true</Entry>
<Entry name="over-threshold:SafeSearch (CA)">true</Entry>
<Entry name="over-threshold:Findwide Toolbar (FR) (Partner) [TNTTB]">true</Entry>
<Entry name="over-threshold:Taplika (FR)">true</Entry>
<Entry name="over-threshold:SystemOptimizerPro (GB)">true</Entry>
<Entry name="over-threshold:DesktopDock (GB) (Verti)">true</Entry>
<Entry name="over-threshold:Registry Helper (SafeApp Software) (INTL)">true</Entry>
<Entry name="over-threshold:VBates (CA)">true</Entry>
<Entry name="over-threshold:DesktopDock (CA

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com


HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1790
content-transfer-encoding: binary
Cache-Control: max-age=334177, public, no-transform, must-revalidate
Last-Modified: Mon, 15 Dec 2014 10:19:02 GMT
Expires: Mon, 22 Dec 2014 10:19:02 GMT
Date: Thu, 18 Dec 2014 13:29:25 GMT
Connection: keep-alive

<<< skipped >>>

HEAD /tgtudp.exe HTTP/1.1
User-Agent: Tightrope Bundle Manager(ref=[ea9d979dcbb4c5ffd1cbea8eff65e4806ada1b92];windows=6.1;uac=false;ie=9;elevated=true;dotnet=4;startTime=3115931;pid=720)
Host: web1.upsa1a.com
Content-Length: 0
Connection: Keep-Alive


HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Location: hXXp://web1.upsa1a.com/tdtjpd.exe
Cache-Control: public, max-age=86400
Vary: Accept-Encoding
Content-Length: 160
Accept-Ranges: bytes
Date: Thu, 18 Dec 2014 13:23:31 GMT
Connection: keep-alive



HEAD /tdtjpd.exe HTTP/1.1
User-Agent: Tightrope Bundle Manager(ref=[ea9d979dcbb4c5ffd1cbea8eff65e4806ada1b92];windows=6.1;uac=false;ie=9;elevated=true;dotnet=4;startTime=3115931;pid=720)
Host: web1.upsa1a.com
Content-Length: 0
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: application/octet-stream
Cache-Control: public, max-age=86400
Vary: Accept-Encoding
Content-Length: 217286
Accept-Ranges: bytes
Date: Thu, 18 Dec 2014 13:23:31 GMT
Connection: keep-alive


GET //MEQwQjBAMD4wPDAJBgUrDgMCGgUABBTkIInKBAzXkF0Qh0pel3lfHJ9GPAQU0sSw0pHUTBFxs2HLPaH+3ahq1OMCAxvnFQ== HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.godaddy.com


HTTP/1.1 200 OK
Date: Thu, 18 Dec 2014 13:25:12 GMT
Server: Apache
Content-Transfer-Encoding: Binary
Cache-Control: max-age=112507, public, no-transform, must-revalidate
Last-Modified: Thu, 18 Dec 2014 10:19:01 GMT
Expires: Fri, 19 Dec 2014 22:19:01 GMT
ETag: "d551cd34edff9a2d49b92bdf002bf4e981f1326e"
Content-Length: 1816
Connection: close
Content-Type: application/ocsp-response

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com


HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1762
content-transfer-encoding: binary
Cache-Control: max-age=547043, public, no-transform, must-revalidate
Last-Modified: Wed, 17 Dec 2014 21:24:36 GMT
Expires: Wed, 24 Dec 2014 21:24:36 GMT
Date: Thu, 18 Dec 2014 13:29:26 GMT
Connection: keep-alive

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CEFfypMGYcmbFYnz/tUJymgs= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com


HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1725
content-transfer-encoding: binary
Cache-Control: max-age=345285, public, no-transform, must-revalidate
Last-Modified: Mon, 15 Dec 2014 13:24:11 GMT
Expires: Mon, 22 Dec 2014 13:24:11 GMT
Date: Thu, 18 Dec 2014 13:29:26 GMT
Connection: keep-alive


GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQMgSk4dLKWKRB+2DViUmQEUw3ggwQUDURcFlNEwYJ+HSCrJfQBY9i+eaUCECyLOOAjYRltRQP8lkAE25w= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: sd.symcd.com


HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1730
content-transfer-encoding: binary
Cache-Control: max-age=394328, public, no-transform, must-revalidate
Last-Modified: Tue, 16 Dec 2014 02:54:24 GMT
Expires: Tue, 23 Dec 2014 02:54:24 GMT
Date: Thu, 18 Dec 2014 13:25:37 GMT
Connection: keep-alive

<<< skipped >>>

GET //MEgwRjBEMEIwQDAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX+2yz8LQsgM4CB0sVHV5/pAc= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.godaddy.com


HTTP/1.1 200 OK
Date: Thu, 18 Dec 2014 13:25:13 GMT
Server: Apache
Content-Transfer-Encoding: Binary
Cache-Control: max-age=121907, public, no-transform, must-revalidate
Last-Modified: Thu, 18 Dec 2014 13:03:57 GMT
Expires: Sat, 20 Dec 2014 01:03:57 GMT
ETag: "349f96f2ff6823e7808790419adf838c4daa2783"
Content-Length: 1895
Connection: close
Content-Type: application/ocsp-response

<<< skipped >>>

GET /CSC3-2010.cer HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: csc3-2010-aia.verisign.com


HTTP/1.1 200 OK
Server: Apache
ETag: "4df6e0fc400cae9c052fae98c66d379f:1367386211"
Last-Modified: Wed, 01 May 2013 05:30:11 GMT
Accept-Ranges: bytes
Content-Length: 1550
Content-Type: text/plain
Date: Thu, 18 Dec 2014 13:29:26 GMT
Connection: keep-alive

<<< skipped >>>

GET /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?15561099d5d16a9f HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 05 Dec 2013 22:47:50 GMT
If-None-Match: "0af536cf2ce1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ctldl.windowsupdate.com


HTTP/1.1 200 OK
Cache-Control: max-age=86400
Content-Type: application/octet-stream
Last-Modified: Thu, 03 Jul 2014 23:34:12 GMT
Accept-Ranges: bytes
ETag: "0b2464b1797cf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 6408
Date: Thu, 18 Dec 2014 13:25:11 GMT
Connection: keep-alive

<<< skipped >>>

GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab?2a50e63961c067a9 HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Wed, 12 Mar 2014 20:20:10 GMT
If-None-Match: "0b96c77303ecf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ctldl.windowsupdate.com


HTTP/1.1 200 OK
Cache-Control: max-age=604800
Content-Type: application/octet-stream
Last-Modified: Fri, 12 Sep 2014 18:47:05 GMT
Accept-Ranges: bytes
ETag: "805a83f2b9cecf1:0"
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
X-Powered-By: ARR/2.5
X-Powered-By: ASP.NET
Content-Length: 56928
Date: Thu, 18 Dec 2014 13:25:12 GMT
Connection: keep-alive

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEDWXMYfzhzoHMn7OWAybfto= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com


HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1453
content-transfer-encoding: binary
Cache-Control: max-age=588102, public, no-transform, must-revalidate
Last-Modified: Thu, 18 Dec 2014 08:44:48 GMT
Expires: Thu, 25 Dec 2014 08:44:48 GMT
Date: Thu, 18 Dec 2014 13:25:37 GMT
Connection: keep-alive

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEG7MeqWnAyAJuM689OlS1JE= HTTP/1.1

Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com


HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1762
content-transfer-encoding: binary
Cache-Control: max-age=388515, public, no-transform, must-revalidate
Last-Modified: Tue, 16 Dec 2014 01:19:11 GMT
Expires: Tue, 23 Dec 2014 01:19:11 GMT
Date: Thu, 18 Dec 2014 13:25:37 GMT
Connection: keep-alive

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ/xkCfyHfJr7GQ6M658NRZ4SHo/AQUCPVR6Pv+PT1kNnxoz1t4qN+5xTcCEGC2x6sSmevembHfY1acIZk= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com


HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1697
content-transfer-encoding: binary
Cache-Control: max-age=580361, public, no-transform, must-revalidate
Last-Modified: Thu, 18 Dec 2014 06:40:12 GMT
Expires: Thu, 25 Dec 2014 06:40:12 GMT
Date: Thu, 18 Dec 2014 13:29:19 GMT
Connection: keep-alive

<<< skipped >>>

HEAD /aj/bundle/1048 HTTP/1.1
User-Agent: Tightrope Bundle Manager(ref=[ea9d979dcbb4c5ffd1cbea8eff65e4806ada1b92];windows=6.1;uac=false;ie=9;elevated=true;dotnet=4;startTime=3115931;pid=720)
Host: d1.arcadegiant.com
Content-Length: 0
Connection: Keep-Alive


HTTP/1.1 405 Method Not Allowed
Server: Apache/2.4.1 (Unix) OpenSSL/1.0.0g
Allow: GET, POST
Content-Type: text/html; charset=windows-1252
Content-Length: 0
Date: Thu, 18 Dec 2014 13:25:38 GMT


GET //MEIwQDA+MDwwOjAJBgUrDgMCGgUABBQdI2+OBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.godaddy.com


HTTP/1.1 200 OK
Date: Thu, 18 Dec 2014 13:25:13 GMT
Server: Apache
Content-Transfer-Encoding: Binary
Cache-Control: max-age=122045, public, no-transform, must-revalidate
Last-Modified: Thu, 18 Dec 2014 13:06:22 GMT
Expires: Sat, 20 Dec 2014 01:06:22 GMT
ETag: "ddd5f8bee2ed36f534cd1514e9102cdd86869d7d"
Content-Length: 1853
Connection: close
Content-Type: application/ocsp-response

<<< skipped >>>

HEAD /aj/bundle/1048 HTTP/1.1
User-Agent: Tightrope Bundle Manager(ref=[ea9d979dcbb4c5ffd1cbea8eff65e4806ada1b92];windows=6.1;uac=false;ie=9;elevated=true;dotnet=4;startTime=3115931;pid=720)
Host: d1.arcadegiant.com
Content-Length: 0
Connection: Keep-Alive


HTTP/1.1 405 Method Not Allowed
Server: Apache/2.4.1 (Unix) OpenSSL/1.0.0g
Allow: GET, POST
Content-Type: text/html; charset=windows-1252
Content-Length: 0
Date: Thu, 18 Dec 2014 13:25:38 GMT


POST /external-install?bc=1162530&pid=vittalia&brand=freempr13.bertrejota.com&aid=FREESOFTSTORECOM&s=FREESO030Zec25d5ec3750a12b89bdaf3236b1f0ed&c=VELISMEDIA2&osName=Windows&osVersion=Vista&browserName=IE&browserVersion=9&secure=true&productKey=m7izpsc3q6c6a6odoxbkvnqqt666qqkp HTTP/1.1
X-WebInstallCode: complete url:hXXp://service.downloadadmin.com/external-install?bc=1162530&pid=vittalia&brand=freempr13.bertrejota.com&aid=FREESOFTSTORECOM&s=FREESO030Zec25d5ec3750a12b89bdaf3236b1f0ed&c=VELISMEDIA2&osName=Windows&osVersion=Vista&browserName=IE&browserVersion=9&secure=true&productKey=m7izpsc3q6c6a6odoxbkvnqqt666qqkp
Content-Type: application/x-www-form-urlencoded
X-WebInstallUrl: hXXp://service.downloadadmin.com/external-install?bc=1162530&pid=vittalia&brand=freempr13.bertrejota.com&aid=FREESOFTSTORECOM&s=FREESO030Zec25d5ec3750a12b89bdaf3236b1f0ed&c=VELISMEDIA2&osName=Windows&osVersion=Vista&browserName=IE&browserVersion=9&secure=true&productKey=m7izpsc3q6c6a6odoxbkvnqqt666qqkp
X-Exename: %original file name%.exe
Content-Length: 10
User-Agent: Tightrope Bundle Manager(ref=[ea9d979dcbb4c5ffd1cbea8eff65e4806ada1b92];windows=6.1;uac=false;ie=9;elevated=true;dotnet=4;startTime=3115931;pid=720)
Host: service.downloadadmin.com
Connection: Keep-Alive

delta=1779
HTTP/1.1 200 OK
Transfer-Encoding: chunked
Date: Thu, 18 Dec 2014 13:25:08 GMT
Age: 0
X-Cache: MISS


GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEGwkCSV07gf3g5QOsqmf+MY= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com


HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1790
content-transfer-encoding: binary
Cache-Control: max-age=479253, public, no-transform, must-revalidate
Last-Modified: Wed, 17 Dec 2014 02:34:46 GMT
Expires: Wed, 24 Dec 2014 02:34:46 GMT
Date: Thu, 18 Dec 2014 13:29:21 GMT
Connection: keep-alive

<<< skipped >>>

GET /external-install?bc=1162530&pid=vittalia&brand=freempr13.bertrejota.com&aid=FREESOFTSTORECOM&s=FREESO030Zec25d5ec3750a12b89bdaf3236b1f0ed&c=VELISMEDIA2&osName=Windows&osVersion=Vista&browserName=IE&browserVersion=9&secure=true&productKey=m7izpsc3q6c6a6odoxbkvnqqt666qqkp HTTP/1.1
X-WebInstallCode: complete url:hXXp://service.downloadadmin.com/external-install?bc=1162530&pid=vittalia&brand=freempr13.bertrejota.com&aid=FREESOFTSTORECOM&s=FREESO030Zec25d5ec3750a12b89bdaf3236b1f0ed&c=VELISMEDIA2&osName=Windows&osVersion=Vista&browserName=IE&browserVersion=9&secure=true&productKey=m7izpsc3q6c6a6odoxbkvnqqt666qqkp
X-Exename: %original file name%.exe
X-WebInstallUrl: hXXp://service.downloadadmin.com/external-install?bc=1162530&pid=vittalia&brand=freempr13.bertrejota.com&aid=FREESOFTSTORECOM&s=FREESO030Zec25d5ec3750a12b89bdaf3236b1f0ed&c=VELISMEDIA2&osName=Windows&osVersion=Vista&browserName=IE&browserVersion=9&secure=true&productKey=m7izpsc3q6c6a6odoxbkvnqqt666qqkp
User-Agent: Tightrope Bundle Manager(ref=[ea9d979dcbb4c5ffd1cbea8eff65e4806ada1b92];windows=6.1;uac=false;ie=9;elevated=true;dotnet=4;startTime=3115931;pid=720)
Host: service.downloadadmin.com
Connection: Keep-Alive


HTTP/1.1 302 Found
Cache-Control: no-cache
Content-length: 0
Location: hXXps://service.downloadadmin.com/external-install?bc=1162530&pid=vittalia&brand=freempr13.bertrejota.com&aid=FREESOFTSTORECOM&s=FREESO030Zec25d5ec3750a12b89bdaf3236b1f0ed&c=VELISMEDIA2&osName=Windows&osVersion=Vista&browserName=IE&browserVersion=9&secure=true&productKey=m7izpsc3q6c6a6odoxbkvnqqt666qqkp
Connection: close


The Worm connects to the servers at the following location(s):

%original file name%.exe_992:

.text
`.rdata
@.data
.ndata
.rsrc
@.reloc
uDSSh
verifying installer: %d%%
unpacking data: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
%u.%u%s%s
.DEFAULT\Control Panel\International
RegDeleteKeyExA
Software\Microsoft\Windows\CurrentVersion
*?|<>/":
%s=%s
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegDeleteKeyA
RegCloseKey
RegEnumKeyA
RegOpenKeyExA
RegCreateKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
stub_lzma.exe
AppData\Local\Temp\nso86BE.tmp\LuaBridge.dll
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso86BE.tmp\LuaBridge.dll
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso86BE.tmp
LuaBridge.dll
?execFile@LuaBridge@@YA_NPAUnamed_state_t@1@PBD@Z
?processPipeCommands@LuaBridge@@YAHPAUnamed_state_t@1@PAX_N@Z
_luabridge_exec_file@8
C:\Programming\GitHome\LuaBridge\Release\LuaBridge.pdb
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
6%6.676@6
242;2]2{2
4 4$4(4,4044484<4
.textbss
.idata
ProxyForUrl
Win32.Job
Nsis.PluginCall
Win32.Handle
Error:Unknown /state named %s
evalResp{args=%x,stateName=%x}
evalLuaFile[state=%x/%s][thread=%d](%s)
nsLua.cpp
WM_EXEC_FILE|File=
LuaRemoteLoop[state=%x/%s][thread=%d]
com.luabridge.WndProcTable
[%s]Error Handling Message(%d,%d,%d,%d):%s
[%s]Calling Global Function(%s)
checkIsChild:Failed to Get Exe Path(rc=%d)
checkIsChild:Failed to SetEnvironmentVariable(rc=%d)
checkIsChild:Failed to Create Shared Data Block(rc=%d)
checkIsChild:Create process failed(rc=%d)
checkIsChild:GetExitCodeProcess failed(rc=%d)
[%s]Error Evaluating %s
ERROR:%s
PipeName:
evalLuaString[state=%x/%s][thread=%d](%s)
DBGHELP.DLL
Saved dump file to '%s'
Failed to save dump file to '%s' (error %d)
Failed to create dump file '%s' (error %d)
DBGHELP.DLL too old
DBGHELP.DLL not found
Thread named '%s' could not be found
Expected async state name:%s
unknown state name '%s'
evalInState() error; no code passed
ERROR:Cannot post to state[%s] not async and note default
lua51.dll
WINMM.dll
IPHLPAPI.DLL
msvcrt.dll
CreatePipe
ShellExecute
EnumRegKey
create_pipe
nso86BE.tmp
:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso86BE.tmp
c:\%original file name%.exe
%original file name%.exe
ers\"%CurrentUserName%"\AppData\Local\Temp\nsz86AD.tmp
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\
5334543
8664755
8760876
<assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/>
<description>Nullsoft Install System v5.6.7
<dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>
com.build.date
8/27/2014
com.build.dir
C:\BundleManager\25\WebTemplates
com.build.id
com.build.machine
com.build.skin
com.build.time
com.build.user
$%USER%

%original file name%.exe_720:

.text
`.rdata
@.data
.ndata
.rsrc
@.reloc
uDSSh
verifying installer: %d%%
unpacking data: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
%u.%u%s%s
.DEFAULT\Control Panel\International
RegDeleteKeyExA
Software\Microsoft\Windows\CurrentVersion
*?|<>/":
%s=%s
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegDeleteKeyA
RegCloseKey
RegEnumKeyA
RegOpenKeyExA
RegCreateKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
stub_lzma.exe
"C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\218\allgeniusSetup" /np 1 /is trlsua
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\LuaBridge.dll
sers\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp
s\UrlAssociations\http\UserChoice
ers\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\LuaBridge.dll
All Files|*.*
GetProcessHeap
COMDLG32.dll
nsDialogs.dll
.reloc
ButtonEvent.dll
shell32.dll
NotifyIcon.dll
C:\Programming\GitHome\bm-core.git\25\Custom\NotifyIcon\Release\notifyicon.pdb
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
`'\%D,3
WININET.dll
EnumChildWindows
OLEAUT32.dll
customnsWeb.dll
C:\Programming\GitHome\bm-core-main.git\25\Custom\Nsweb\Release\nsWeb.pdb
CustomNsWebForwarder
1 1$1(1,10141
C:\Nsis\Browser-%s
nswebForwarder
CustomNsWebContainer
Execute: "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\218\allgeniusSetup" /np 1 /is trlsua
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp
nst8AD3.tmp
-Execute:
adm\AppData\Local\Temp\nst8AD3.tmp\218\allgeniusSetup" /np 1 /is trlsua
n-Dynamic/production/popup/rebuilt_nosource.exe.nsi:Line 2575.1.2
on/popup/rebuilt_nosource.exe.nsi:Line 2568.1.2
Line 2549.1.2
on/popup/rebuilt_nosource.exe.nsi:Line 2451.2
uilt_nosource.exe.nsi:Line 2451.2
min-Dynamic/production/popup/rebuilt_nosource.exe.nsi:Line 980.2
pe Bundle Manager(ref=[ea9d979dcbb4c5ffd1cbea8eff65e4806ada1b92];windows=6.1;uac=false;ie=9;elevated=true;dotnet=4;startTime=3115931;pid=720)
://install-cdn.allgenius.info/sd?is=tr
FreshyToolbar.exe
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\218\sd
shyToolbar.exe
1180304
105576280
7290328
c:\%original file name%.exe
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\218
%original file name%.exe
ers\"%CurrentUserName%"\AppData\Local\Temp\nso8AB2.tmp
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\
IE.HTTP
vittalia_template_for_sem_2_traffic,bc=1162530,pid=vittalia,brand=freempr13bertrejotacom,aid=freesoftstorecom,s=freeso030zec25d5ec3750a12b89bdaf3236b1f0ed,c=velismedia2,country=ua,osname=windows,osversion=vista,browsername=ie,browserversion=9
component(s) from hXXp://install-cdn.allgenius.info
p://mirror.mirror-files.com
1179844
1638988
2490836
1180262
1376732
1049380
1376768
3115931
3132405
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\218\allgeniusSetup
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\218\
hXXp://mirror.mirror-files.com/binstallers/BM2/api/do_tracking_hit.lua
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\1\do_tracking_hit.lua
do_tracking_hit.lua
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8AD3.tmp\1\
5334543
8664755
8760876
<assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/>
<description>Nullsoft Install System v5.6.7
<dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>
com.build.date
8/27/2014
com.build.dir
C:\BundleManager\25\WebTemplates
com.build.id
com.build.machine
com.build.skin
com.build.time
com.build.user
$%USER%

%original file name%.exe_720_rwx_02A61000_0000A000:

Portions Copyright (c) 1999,2003 Avenger by NhT
KWindows
GetProcessHeap
.idata
.edata
P.reloc
P.rsrc

%original file name%.exe_720_rwx_10004000_00001000:

callback%d

Upd4terSrv.exe_2920:

.text
`.rdata
@.data
.rsrc
@.reloc
tableKey
resourceKey
v2.0.50727
_s__RTTIClassHierarchyDescriptor
LanguageSupport
<CrtImplementationDetails>
Microsoft.VisualC
System.Runtime.CompilerServices
System.Security.Permissions
System.Runtime.InteropServices
System.Reflection
System.Collections.Generic
System.Diagnostics
System.Runtime.ConstrainedExecution
System.Threading
System.Security
std.bad_alloc.{ctor}
std.bad_alloc.{dtor}
std.bad_alloc.__vecDelDtor
std.logic_error.{ctor}
std.logic_error.{dtor}
std.logic_error.what
std.logic_error.__vecDelDtor
std.length_error.{ctor}
std.length_error.{dtor}
std.length_error.__vecDelDtor
std.vector<char,std::allocator<char> >.{ctor}
std.vector<char,std::allocator<char> >.{dtor}
std.vector<char,std::allocator<char> >.begin
std.vector<char,std::allocator<char> >.end
std.vector<char,std::allocator<char> >.resize
std.vector<char,std::allocator<char> >.size
std.vector<char,std::allocator<char> >.[]
std.vector<char,std::allocator<char> >._Buy
std.vector<char,std::allocator<char> >._Tidy
std.vector<char,std::allocator<char> >.max_size
std.vector<char,std::allocator<char> >.erase
std.vector<char,std::allocator<char> >._Destroy
std.vector<char,std::allocator<char> >._Insert_n
std.vector<char,std::allocator<char> >._Xlen
std.allocator<std::_Aux_cont>.deallocate
std.vector<char,std::allocator<char> >.capacity
std.vector<char,std::allocator<char> >._Make_iter
std.vector<char,std::allocator<char> >._Ufill
std.allocator<std::_Aux_cont>.allocate
std.vector<char,std::allocator<char> >.{ctor}<char const *>
std.basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >.{ctor}<class std::_String_iterator<char,struct std::char_traits<char>,class std::allocator<char> > >
stdext.unchecked_copy<char *,char *>
std.vector<char,std::allocator<char> >._Umove<char *>
std.fill<char *,char>
std.allocator<std::_Aux_cont>.{ctor}<char>
stdext.unchecked_uninitialized_fill_n<char *,unsigned int,char,class std::allocator<char> >
std.vector<char,std::allocator<char> >._Construct<char const *>
std.basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >._Construct<class std::_String_iterator<char,struct std::char_traits<char>,class std::allocator<char> > >
std.vector<char,std::allocator<char> >.insert<char const *>
stdext.unchecked_fill_n<char *,unsigned int,char>
std.vector<char,std::allocator<char> >._Insert<char const *>
stdext.unchecked_uninitialized_copy<char *,char *,class std::allocator<char> >
std.vector<char,std::allocator<char> >._Reverse
std.vector<char,std::allocator<char> >._Ucopy<char const *>
stdext.unchecked_uninitialized_copy<char const *,char *,class std::allocator<char> >
std.swap<char>
ObfPackerLib.ObfPacker.{ctor}
ObfPackerLib.ObfPacker.{dtor}
ObfPackerLib.ObfPacker.TestFromRC
ObfPackerLib.ObfPacker.RunRCInServiceMode
ObfPackerLib.ObfPacker.StopServiceMode
msclr.auto_gcroot<ObfPackerLib::ObfPackerCli ^>.{ctor}
msclr.auto_gcroot<ObfPackerLib::ObfPackerCli ^>.=
msclr.auto_gcroot<ObfPackerLib::ObfPackerCli ^>.->
msclr.auto_gcroot<ObfPackerLib::ObfPackerCli ^>.{dtor}
msclr.auto_gcroot<ObfPackerLib::ObfPackerCli ^>.attach
msclr.auto_gcroot<ObfPackerLib::ObfPackerCli ^>.valid
msclr.auto_gcroot<ObfPackerLib::ObfPackerCli ^>.reset
<CrtImplementationDetails>.NativeDll.IsSafeForManagedCode
<CrtImplementationDetails>.DefaultDomain.DoNothing
<CrtImplementationDetails>.DefaultDomain.HasPerProcess
<CrtImplementationDetails>.DefaultDomain.HasNative
<CrtImplementationDetails>.DefaultDomain.NeedsInitialization
<CrtImplementationDetails>.DefaultDomain.Initialize
?A0xf084536d.??__E?Initialized@CurrentDomain@<CrtImplementationDetails>@@$$Q2HA@@YMXXZ
?A0xf084536d.??__E?Uninitialized@CurrentDomain@<CrtImplementationDetails>@@$$Q2HA@@YMXXZ
?A0xf084536d.??__E?IsDefaultDomain@CurrentDomain@<CrtImplementationDetails>@@$$Q2_NA@@YMXXZ
?A0xf084536d.??__E?InitializedVtables@CurrentDomain@<CrtImplementationDetails>@@$$Q2W4State@Progress@2@A@@YMXXZ
?A0xf084536d.??__E?InitializedNative@CurrentDomain@<CrtImplementationDetails>@@$$Q2W4State@Progress@2@A@@YMXXZ
?A0xf084536d.??__E?InitializedPerProcess@CurrentDomain@<CrtImplementationDetails>@@$$Q2W4State@Progress@2@A@@YMXXZ
?A0xf084536d.??__E?InitializedPerAppDomain@CurrentDomain@<CrtImplementationDetails>@@$$Q2W4State@Progress@2@A@@YMXXZ
<CrtImplementationDetails>.LanguageSupport.InitializeVtables
<CrtImplementationDetails>.LanguageSupport.InitializeDefaultAppDomain
<CrtImplementationDetails>.LanguageSupport.InitializeNative
<CrtImplementationDetails>.LanguageSupport.InitializePerProcess
<CrtImplementationDetails>.LanguageSupport.InitializePerAppDomain
<CrtImplementationDetails>.LanguageSupport.InitializeUninitializer
<CrtImplementationDetails>.LanguageSupport._Initialize
<CrtImplementationDetails>.LanguageSupport.UninitializeAppDomain
<CrtImplementationDetails>.LanguageSupport._UninitializeDefaultDomain
<CrtImplementationDetails>.LanguageSupport.UninitializeDefaultDomain
<CrtImplementationDetails>.LanguageSupport.DomainUnload
<CrtImplementationDetails>.LanguageSupport.Cleanup
<CrtImplementationDetails>.LanguageSupport.Initialize
.cctor
<CrtImplementationDetails>.LanguageSupport.{ctor}
<CrtImplementationDetails>.LanguageSupport.{dtor}
?A0x978cd4c1.ArrayUnwindFilter
std.allocator<char>.{ctor}
<CrtImplementationDetails>.AtExitLock._handle
<CrtImplementationDetails>.AtExitLock._lock_Set
<CrtImplementationDetails>.AtExitLock._lock_Get
<CrtImplementationDetails>.AtExitLock._lock_Destruct
<CrtImplementationDetails>.AtExitLock.IsInitialized
<CrtImplementationDetails>.AtExitLock.AddRef
<CrtImplementationDetails>.ThisModule.Handle
<CrtImplementationDetails>.ThisModule.ResolveMethod<void const * __clrcall(void)>
_WinMainCRTStartup
std.basic_string<char,std::char_traits<char>,std::allocator<char> >.{ctor}
std.basic_string<char,std::char_traits<char>,std::allocator<char> >.{dtor}
std.basic_string<char,std::char_traits<char>,std::allocator<char> >.c_str
std.basic_string<char,std::char_traits<char>,std::allocator<char> >._Myptr
std.basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >._Tidy
std.allocator<char>.deallocate
std.allocator<char>.allocate
std.allocator<wchar_t>.{ctor}
std.basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >.append
std.allocator<char>.max_size
std.basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >.reserve
std.exception.{ctor}
std.exception.{dtor}
?A0x2873fc43.CallJunkCode_SOPTT
?A0x2873fc43.CallJunkCode_QDLUE
?A0x2873fc43.CallJunkCode_OKNZT
?A0x2873fc43.CallJunkCode_TMHRC
?A0x2873fc43.CallJunkCode_EDMFW
?A0x2873fc43.CallJunkCode_LPAIX
?A0x2873fc43.CallJunkCode_EAZSM
?A0x2873fc43.CallJunkCode_MRTHM
?A0x2873fc43.CallJunkCode_KGXAV
?A0x2873fc43.CallJunkCode_IYLDC
?A0x2873fc43.CallJunkCode_AHQDL
?A0x2873fc43.CallJunkCode_PBKWI
?A0x2873fc43.CallJunkCode_BDCXA
?A0x2873fc43.CallJunkCode_OLVMH
?A0x2873fc43.CallJunkCode_CSZER
BinLoader.GetResourceBinary
BinLoader.GetResourceSize
_amsg_exit
<CrtImplementationDetails>.ThrowModuleLoadException
<CrtImplementationDetails>.DoDllLanguageSupportValidation
<CrtImplementationDetails>.ThrowNestedModuleLoadException
<CrtImplementationDetails>.RegisterModuleUninitializer
<CrtImplementationDetails>.DoCallBackInDefaultDomain
EncryptionKeyTable
EncryptionKeyResource
Bin.sizeStringTable
Bin.apiStringTable
?A0x79f4ca5a.unnamed-global-0
?A0x79f4ca5a.unnamed-global-1
?A0x79f4ca5a.unnamed-global-2
?A0x79f4ca5a.unnamed-global-3
?A0x79f4ca5a.unnamed-global-4
?A0x79f4ca5a.unnamed-global-5
?A0x79f4ca5a.unnamed-global-6
?A0x79f4ca5a.unnamed-global-7
?A0x79f4ca5a.unnamed-global-8
?A0x79f4ca5a.unnamed-global-9
?A0x79f4ca5a.unnamed-global-10
?A0x79f4ca5a.unnamed-global-11
?A0x79f4ca5a.unnamed-global-12
?A0x79f4ca5a.unnamed-global-13
?A0x79f4ca5a.unnamed-global-14
?A0x79f4ca5a.unnamed-global-15
?A0x79f4ca5a.unnamed-global-16
?A0x79f4ca5a.unnamed-global-17
?A0x79f4ca5a.unnamed-global-18
?A0x79f4ca5a.unnamed-global-19
?A0x79f4ca5a.unnamed-global-20
?A0x79f4ca5a.unnamed-global-21
?A0x79f4ca5a.unnamed-global-22
?A0x79f4ca5a.unnamed-global-23
?A0x79f4ca5a.unnamed-global-24
?A0x79f4ca5a.unnamed-global-25
?A0x79f4ca5a.unnamed-global-26
?A0x79f4ca5a.unnamed-global-27
?A0x79f4ca5a.unnamed-global-28
?A0x79f4ca5a.unnamed-global-29
?A0x79f4ca5a.unnamed-global-30
?A0x79f4ca5a.unnamed-global-31
?A0x79f4ca5a.unnamed-global-32
?A0x79f4ca5a.unnamed-global-33
?A0x79f4ca5a.unnamed-global-34
?A0x79f4ca5a.unnamed-global-35
?A0x5fb6b9aa.unnamed-global-0
?A0x5fb6b9aa.unnamed-global-1
?A0x5fb6b9aa.unnamed-global-2
?A0x5fb6b9aa.unnamed-global-3
?A0x5fb6b9aa.unnamed-global-4
?A0x5fb6b9aa.unnamed-global-5
?A0x5fb6b9aa.unnamed-global-6
?A0x5fb6b9aa.unnamed-global-7
?A0x5fb6b9aa.unnamed-global-8
?A0x5fb6b9aa.unnamed-global-9
?A0x5fb6b9aa.unnamed-global-10
?A0x5fb6b9aa.unnamed-global-11
?A0x5fb6b9aa.unnamed-global-12
?A0x5fb6b9aa.unnamed-global-13
?A0x5fb6b9aa.unnamed-global-14
?A0x5fb6b9aa.unnamed-global-15
?A0x5fb6b9aa.unnamed-global-16
?A0x5fb6b9aa.unnamed-global-17
?A0x5fb6b9aa.unnamed-global-18
?A0x5fb6b9aa.unnamed-global-19
?A0x5fb6b9aa.unnamed-global-20
?A0x5fb6b9aa.unnamed-global-21
?A0x5fb6b9aa.unnamed-global-22
?A0x5fb6b9aa.unnamed-global-23
?A0x5fb6b9aa.apiServx
?A0x5fb6b9aa.obfPacker
?A0x5fb6b9aa.obfPacker$initializer$
?A0x2873fc43.unnamed-global-0
?A0xee165adf.unnamed-global-0
?A0xee165adf.unnamed-global-1
?A0xee165adf.unnamed-global-2
?A0xee165adf.unnamed-global-3
?A0xee165adf.unnamed-global-4
?A0xee165adf.unnamed-global-5
?A0xee165adf.unnamed-global-6
?A0xee165adf.unnamed-global-7
?A0xee165adf.unnamed-global-8
?A0xee165adf.unnamed-global-9
?A0xee165adf.unnamed-global-10
?A0xee165adf.unnamed-global-11
?A0xee165adf.unnamed-global-12
?A0xee165adf.unnamed-global-13
?A0xee165adf.unnamed-global-14
?A0xee165adf.unnamed-global-15
?A0xee165adf.unnamed-global-16
?A0xee165adf.unnamed-global-17
?A0xee165adf.unnamed-global-18
?A0xee165adf.unnamed-global-19
?A0xee165adf.unnamed-global-20
?A0xee165adf.unnamed-global-21
?A0xee165adf.unnamed-global-22
?A0xee165adf.unnamed-global-23
?A0xee165adf.unnamed-global-24
?A0xee165adf.unnamed-global-25
?A0xee165adf.unnamed-global-26
?A0xee165adf.unnamed-global-27
?A0xee165adf.unnamed-global-28
?A0xee165adf.unnamed-global-29
?A0xee165adf.unnamed-global-30
?A0xee165adf.unnamed-global-31
?A0xee165adf.unnamed-global-32
?A0xee165adf.unnamed-global-33
?A0xee165adf.unnamed-global-34
?A0xee165adf.unnamed-global-35
?A0xee165adf.unnamed-global-36
?A0xee165adf.unnamed-global-37
?A0xee165adf.unnamed-global-38
?A0xee165adf.unnamed-global-39
Lib.sizeStringTable
Lib.apiStringTable
?A0xd57d3ab9.unnamed-global-0
?A0xd57d3ab9.unnamed-global-1
?A0xd57d3ab9.unnamed-global-2
?A0xd57d3ab9.unnamed-global-3
?A0xd57d3ab9.unnamed-global-4
?A0xd57d3ab9.unnamed-global-5
?A0xd57d3ab9.unnamed-global-6
?A0xd57d3ab9.unnamed-global-7
?A0xd57d3ab9.unnamed-global-8
?A0xd57d3ab9.unnamed-global-9
?A0xd57d3ab9.unnamed-global-10
?A0xd57d3ab9.unnamed-global-11
?A0xd57d3ab9.unnamed-global-12
?A0xd57d3ab9.unnamed-global-13
?A0xd57d3ab9.unnamed-global-14
?A0xd57d3ab9.unnamed-global-15
?A0xd57d3ab9.unnamed-global-16
?A0xd57d3ab9.unnamed-global-17
?A0xd57d3ab9.unnamed-global-18
?A0xd57d3ab9.unnamed-global-19
?A0xd57d3ab9.unnamed-global-20
?A0xd57d3ab9.unnamed-global-21
?A0xd57d3ab9.unnamed-global-22
?A0xd57d3ab9.unnamed-global-23
?A0xd57d3ab9.unnamed-global-24
?A0xd57d3ab9.unnamed-global-25
?A0xd57d3ab9.unnamed-global-26
?A0xd57d3ab9.unnamed-global-27
?A0xd57d3ab9.unnamed-global-28
?A0xd57d3ab9.unnamed-global-29
?A0xd57d3ab9.unnamed-global-30
?A0xd57d3ab9.unnamed-global-31
?A0xd57d3ab9.unnamed-global-32
?A0xd57d3ab9.unnamed-global-33
?A0xd57d3ab9.unnamed-global-34
?A0xd57d3ab9.unnamed-global-35
?A0xd57d3ab9.unnamed-global-36
?A0xd57d3ab9.unnamed-global-37
?A0xd57d3ab9.unnamed-global-38
?A0xe230abe1.unnamed-global-0
?A0xe230abe1.unnamed-global-1
?A0xe230abe1.unnamed-global-2
?A0xe230abe1.unnamed-global-3
?A0xe230abe1.unnamed-global-4
?A0xe230abe1.unnamed-global-5
?A0xe230abe1.unnamed-global-6
?A0xe230abe1.unnamed-global-7
?A0xe230abe1.unnamed-global-8
?A0xe230abe1.unnamed-global-9
?A0xe230abe1.unnamed-global-10
?A0xe230abe1.unnamed-global-11
?A0xe230abe1.unnamed-global-12
?A0xe230abe1.unnamed-global-13
?A0xe230abe1.unnamed-global-14
?A0xe230abe1.unnamed-global-15
?A0xe230abe1.unnamed-global-16
?A0xe230abe1.unnamed-global-17
?A0xe230abe1.unnamed-global-18
?A0xe230abe1.unnamed-global-19
?A0xe230abe1.unnamed-global-20
?A0xe230abe1.unnamed-global-21
?A0xe230abe1.unnamed-global-22
?A0xe230abe1.unnamed-global-23
?A0xe230abe1.unnamed-global-24
?A0xe230abe1.unnamed-global-25
?A0xe230abe1.unnamed-global-26
?A0xe230abe1.unnamed-global-27
?A0xe230abe1.unnamed-global-28
?A0xe230abe1.unnamed-global-29
?A0xe230abe1.unnamed-global-30
?A0xe230abe1.unnamed-global-31
?A0xe230abe1.unnamed-global-32
?A0xe230abe1.unnamed-global-33
?A0xe230abe1.unnamed-global-34
?A0xe230abe1.unnamed-global-35
?A0xe230abe1.unnamed-global-36
?A0xe230abe1.unnamed-global-37
?A0xe230abe1.unnamed-global-38
?A0xe230abe1.unnamed-global-39
?Uninitialized@CurrentDomain@<CrtImplementationDetails>@@$$Q2HA
?A0xf084536d.?Uninitialized$initializer$@CurrentDomain@<CrtImplementationDetails>@@$$Q2P6MXXZA
?InitializedPerAppDomain@CurrentDomain@<CrtImplementationDetails>@@$$Q2W4State@Progress@2@A
?A0xf084536d.?InitializedPerAppDomain$initializer$@CurrentDomain@<CrtImplementationDetails>@@$$Q2P6MXXZA
?IsDefaultDomain@CurrentDomain@<CrtImplementationDetails>@@$$Q2_NA
?A0xf084536d.?IsDefaultDomain$initializer$@CurrentDomain@<CrtImplementationDetails>@@$$Q2P6MXXZA
?InitializedNative@CurrentDomain@<CrtImplementationDetails>@@$$Q2W4State@Progress@2@A
?A0xf084536d.?InitializedNative$initializer$@CurrentDomain@<CrtImplementationDetails>@@$$Q2P6MXXZA
?Initialized@CurrentDomain@<CrtImplementationDetails>@@$$Q2HA
?A0xf084536d.?Initialized$initializer$@CurrentDomain@<CrtImplementationDetails>@@$$Q2P6MXXZA
?InitializedVtables@CurrentDomain@<CrtImplementationDetails>@@$$Q2W4State@Progress@2@A
?A0xf084536d.?InitializedVtables$initializer$@CurrentDomain@<CrtImplementationDetails>@@$$Q2P6MXXZA
?InitializedPerProcess@CurrentDomain@<CrtImplementationDetails>@@$$Q2W4State@Progress@2@A
?A0xf084536d.?InitializedPerProcess$initializer$@CurrentDomain@<CrtImplementationDetails>@@$$Q2P6MXXZA
?InitializedPerProcess@DefaultDomain@<CrtImplementationDetails>@@2_NA
?Entered@DefaultDomain@<CrtImplementationDetails>@@2_NA
?InitializedNative@DefaultDomain@<CrtImplementationDetails>@@2_NA
?Count@AllDomains@<CrtImplementationDetails>@@2HA
?hasNative@DefaultDomain@<CrtImplementationDetails>@@0W4State@TriBool@2@A
?hasPerProcess@DefaultDomain@<CrtImplementationDetails>@@0W4State@TriBool@2@A
?InitializedNativeFromCCTOR@DefaultDomain@<CrtImplementationDetails>@@2_NA
__unep@?DoNothing@DefaultDomain@<CrtImplementationDetails>@@$$FCGJPAX@Z
__unep@?_UninitializeDefaultDomain@LanguageSupport@<CrtImplementationDetails>@@$$FCGJPAX@Z
?_lock@AtExitLock@<CrtImplementationDetails>@@$$Q0PAXA
?_ref_count@AtExitLock@<CrtImplementationDetails>@@$$Q0HA
.ctor
StubService.exe
System.Security.Permissions.SecurityPermissionAttribute, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
c:\ofuscador\bin\Packer\stubtemp\Release\StubService.pdb
KERNEL32.dll
MSVCR90.dll
_acmdln
_crt_debugger_hook
MSVCP90.dll
?DoCallBackInDefaultDomain@<CrtImplementationDetails>@@YAXP6GJPAX@Z0@Z
?ThrowNestedModuleLoadException@<CrtImplementationDetails>@@YAXP$AAVException@System@@0@Z
?ThrowModuleLoadException@<CrtImplementationDetails>@@YAXP$AAVString@System@@@Z
?RegisterModuleUninitializer@<CrtImplementationDetails>@@YAXP$AAVEventHandler@System@@@Z
?DoDllLanguageSupportValidation@<CrtImplementationDetails>@@YAXXZ
?ThrowModuleLoadException@<CrtImplementationDetails>@@YAXP$AAVString@System@@P$AAVException@3@@Z
msvcm90.dll
_CorExeMain
mscoree.dll
JO1%.BA
%Co{m
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
<assemblyIdentity type="win32" name="Microsoft.VC90.CRT" version="9.0.21022.8" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b"></assemblyIdentity>
4 4$4(4044484<4@4
My Sample Service: ServiceMain: Performing Service Start Operations
My Sample Service: ServiceMain: Performing Cleanup Operations
kernel32.dll
Advapi32.dll
UpdaterServiceExe
1.1.8.0
UpdaterServiceExe.exe

TNT2User.exe_2824:


Upd4terSrv.exe_2920_rwx_6E672000_00002000:

 gn?.gn

allgeniusSetup_884:


allgeniusSetup_884_rwx_10004000_00001000:

callback%d


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    TPAutoConnSvc.exe:1844
    tdtjpd.exe:3016
    %original file name%.exe:2836
    %original file name%.exe:992
    vcredist.exe:2708
    vcredist.exe:816

  2. Delete the original Worm file.
  3. Delete or disinfect the following files created/modified by the Worm:


  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
    "{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}" = "C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe /burn.log.append C:\Users\"%CurrentUserName%"\AppData\Local\Temp\dd_vcredist_x86_20141218152947.log /quiet ignored /burn.runonce"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
  7. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
