Gen.Variant.Zusy.97960_339ba7657a

by malwarelabrobot on August 27th, 2014 in Malware Descriptions.

Susp_Dropper (Kaspersky), Gen:Variant.Zusy.97960 (B) (Emsisoft), Gen:Variant.Zusy.97960 (AdAware)
Behaviour: Malware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
The sample has been submitted by Lavasoft customers.



MD5: 339ba7657a5d27939266a8f81b54d149
SHA1: f31f681993058d10fed73ca7111b0a683debdd1b
SHA256: 45cafcb6244ecac1594e41c2900f4d2e28ffdd36c0af3490e8fa60fee3fbf234
SSDeep: 6144:FIWbEGsxdTGzTb1P6LG/J9hS14sCIFQwaEyUNxYrYBei6CJYYbv:FISEGsx68LG/J9h1sQuxYrQUCJfv
Size: 335776 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2014-06-30 12:28:36
Analyzed on: WindowsXP SP3 32-bit


Summary:

Malware. Malware, short for malicious software, is any software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems.

What the sections below actually show for this sample: it unpacks an HTML/CSS/JavaScript installer user interface into %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\ (welcome.html, options.html, instalando.html, finish.html, close.html, group.html, plus screenshots named after bundled applications such as screen-vafmusic.png and screen-olivebrowser.png), retrieves a Java-themed "loading" page and an XML configuration (WW.xml) from api.v2.secdls.com and staticrr.* hosts, and downloads template ZIPs whose names refer to "Banner" and "DeclineLink" layouts. The JavaScript it fetches (doma.js) talks about per-offer installation progress and a list of installed toolbars, which is consistent with a download wrapper that bundles third-party offers; no other payload was observed during the run.

Payload

No specific payload has been found.

Process activity

The Malware creates the following process(es):
No processes have been created.
The Malware injects its code into the following process(es):

%original file name%.exe:1876

The only process listed is the sample's own, so no injection into a foreign process was observed; all file, registry and network activity below is attributed to PID 1876.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1876 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\style.css (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\butpause.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\bg_app[1].png (3072 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\position4A.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\position3C.css (638 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\screen-vafmusic.png (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\show.png (235 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\screen-zipper.png (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\config.dmc (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\screen-geaudioconverter.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\position3A.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\position3D.css (539 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\exe\options.html (965 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\screen-printpdf.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\exe\instalando.html (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\boton.jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\screen-vafplayer.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\position2A.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\base.css (265 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\dfsD.tmp (1789 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\screen-gevideoconverter.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\position1A.css (421 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\less.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\safe[1].png (1521 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\loading[1].css (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\box[1].htm (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\progress.png (4 bytes)
%System%\wbem\Logs\wbemprox.log (228 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\check-close.png (243 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\loading[1].gif (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\exe\close.html (384 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\box[1].html (959 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\temp\templateDisplays.dfe (196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\bg_app.png (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\exe\finish.html (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\screen-olivebrowser.png (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\jquery.min.js (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\bullet.gif (58 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\temp\Dockings.dfe (5572 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin.dmc (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\progress_small.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\doma[1].js (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\logo-win.jpg (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\check.png (398 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\exe\box.html (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\position2B.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\check.jpg (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\more.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\butplay.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\screen-miul.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\percentage-bg.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\cross.jpg (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\hide.png (160 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\position3B.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\secure[1].jpg (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\temp\templateStyle.dfe (45012 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\bullet-short.gif (54 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\position2C.css (578 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\exe\group.html (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\boton_xl.jpg (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\progress_small_bg.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\screen-ifish.png (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\exe\welcome.html (151 bytes)

Registry activity

The process %original file name%.exe:1876 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "%original file name%.exe"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1404120516"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8B E6 EE A8 B5 30 A7 DF 96 E5 4F 46 EE 7A 4B FF"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Malware sets the IE security-zone option that maps all network paths (UNC) to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Malware sets the IE security-zone option that maps all sites that bypass the proxy server to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Malware sets the IE security-zone option that maps all local sites not listed in other zones (host names without dots) to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

Note that "1" is the Internet Explorer default for all three flags, and WinINet/urlmon write them the first time a process uses them. They show that the sample drives its user interface through the IE rendering engine, not that it weakened zone security; only a value that moves away from the default would be worth flagging.

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Malware deletes the following value(s) in system registry (together with "MigrateProxy" = "1" and "ProxyEnable" = "0" above this is what WinINet's proxy-settings migration looks like; no proxy server or auto-config URL was put in their place):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

MD5 File path
6a23beb2b76338c8f124532fdd2c652c c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\dfsD.tmp

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 753664 232448 5.54459 73ac987bcca216a0688e98e6bec6a755
.rsrc 757760 98304 96256 5.08144 4a72837e114b2fd8d4a4d016dc952cc2
.reloc 856064 512 512 0.188401 ca001c7c4d67f995b8191dc8eedfef0e

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 267
eafe1e39c33971a09a5ec7e13967e527
a980e23295a69541ea9ba7061b0236a7
16abcee7c8a11ccc6835cd58e126b567
e70f76146ae7eca21410c0f793e72da0
06c75fb5e12c07af1e891b2e5188737f
fcdf0ebdb43128be4676080835d01611
ea4aae8bb91b86821dc8e4f6bf5a07a6
c7fe44f457570667ec5ffc0febd573a7
a8d59e7c57cc643c880b891a219247d1
a6b8839f5e994707d1d935a413219419
9eb917fadd5cb47c3b57d68bd6d180b0
7933b30caaadc22967593b6cd97c9dd7
78f685a0d33e4ece1f49ecbb486b2be8
728587b636403782ee1a3585a6f19cdf
55c3ad1e86c8805c4fc383a5d51b1304
4fa6473702766c3cf582f9e36211fe1b
38e39a65dd93a208376898977de6f2e4
dc5275dd539bfb20d8a27712a5205c8f
c9eb95f15a300f7d2f7e55deb35e2c91
a8ad95b8d3fb961b21c27bfd3eba19d1
75b18996b526fef819263b5c0b19af8e
718d4daab904112ade233981410e4d4d
57b43b2e8ac7459e69369aeb23fadb13
2486a52fd4c5ab7a175e14a9c8424ed4
e46501cb21d77a4ba1c27590811a4396
ce57a1672a712b99ce43ab108b824606

URLs

URL IP
hxxp://API-XML-1918203848.us-west-2.elb.amazonaws.com/index.php/apiLoading/1026.html
hxxp://staticrr.tgusrv.com/Loading/b111f3f2_loading_java-similar/box.html
hxxp://staticrr.tgusrv.com/Loading/b111f3f2_loading_java-similar/loading.css
hxxp://staticrr.tgusrv.com/sdb/doma.js
hxxp://staticrr.tgusrv.com/Loading/b111f3f2_loading_java-similar/images/bg_app.png
hxxp://staticrr.tgusrv.com/Loading/b111f3f2_loading_java-similar/images/safe.png
hxxp://staticrr.tgusrv.com/Loading/b111f3f2_loading_java-similar/images/secure.jpg
hxxp://staticrr.tgusrv.com/Loading/b111f3f2_loading_java-similar/images/loading.gif
hxxp://API-XML-1918203848.us-west-2.elb.amazonaws.com/index.php/api/361/JFileManager/638/1026/English/WW.xml
hxxp://staticrr.tgusrv.com//Styles/Templates/e9c1a9ca_Win_A_Banner_DeclineLink.zip
hxxp://staticrr.tgusrv.com//Displays/Templates/756e2734_Win_A_Banner-NoLink-DeclineLink-Java.zip
hxxp://staticrr.tgusrv.com//Docking/Docking.zip
hxxp://api.v2.secdls.com/index.php/api/361/JFileManager/638/1026/English/WW.xml 54.200.36.178
hxxp://staticrr.cloudbox106.com//Docking/Docking.zip 85.12.5.27
hxxp://api.v2.secdls.com/index.php/apiLoading/1026.html 54.200.36.178
hxxp://staticrr.safetydownload.net/Loading/b111f3f2_loading_java-similar/images/bg_app.png 85.12.5.27
hxxp://staticrr.safetydownload.net/Loading/b111f3f2_loading_java-similar/loading.css 85.12.5.27
hxxp://staticrr.cloudbox106.com//Displays/Templates/756e2734_Win_A_Banner-NoLink-DeclineLink-Java.zip 85.12.5.27
hxxp://staticrr.safetydownload.net/Loading/b111f3f2_loading_java-similar/box.html 85.12.5.27
hxxp://staticrr.safetydownload.net/Loading/b111f3f2_loading_java-similar/images/secure.jpg 85.12.5.27
hxxp://staticrr.safetydownload.net/Loading/b111f3f2_loading_java-similar/images/safe.png 85.12.5.27
hxxp://staticrr.safetydownload.net/Loading/b111f3f2_loading_java-similar/images/loading.gif 85.12.5.27
hxxp://staticrr.paleokits.net/sdb/doma.js 185.2.179.74
hxxp://staticrr.cloudbox106.com//Styles/Templates/e9c1a9ca_Win_A_Banner_DeclineLink.zip 85.12.5.27
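
The same paths appear under more than one hostname in the table above (staticrr.tgusrv.com beside staticrr.safetydownload.net, staticrr.cloudbox106.com and staticrr.paleokits.net; the Amazon ELB name beside api.v2.secdls.com). The report does not say whether these are DNS aliases or HTTP redirects, but for blocking and correlation the indicators are more useful grouped by resource than as a flat list. The script below is an added example, not part of the Lavasoft report or of the sample; its input is a subset of the table above, copied verbatim with the defanged hxxp:// scheme, and it fetches nothing.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed input: a subset of the "URL IP" table from this report, one entry
# per line; the IP column is present only where the report gives one.
REPORT_URLS = """
hxxp://API-XML-1918203848.us-west-2.elb.amazonaws.com/index.php/apiLoading/1026.html
hxxp://staticrr.tgusrv.com/Loading/b111f3f2_loading_java-similar/box.html
hxxp://staticrr.tgusrv.com/sdb/doma.js
hxxp://staticrr.tgusrv.com//Docking/Docking.zip
hxxp://API-XML-1918203848.us-west-2.elb.amazonaws.com/index.php/api/361/JFileManager/638/1026/English/WW.xml
hxxp://api.v2.secdls.com/index.php/api/361/JFileManager/638/1026/English/WW.xml 54.200.36.178
hxxp://staticrr.cloudbox106.com//Docking/Docking.zip 85.12.5.27
hxxp://api.v2.secdls.com/index.php/apiLoading/1026.html 54.200.36.178
hxxp://staticrr.safetydownload.net/Loading/b111f3f2_loading_java-similar/box.html 85.12.5.27
hxxp://staticrr.paleokits.net/sdb/doma.js 185.2.179.74
"""


def parse_report_urls(text):
    """Yield (hostname, normalised path, ip) per line; ip is None where the report has none."""
    for line in text.strip().splitlines():
        parts = line.split()
        url = parts[0].replace("hxxp://", "http://", 1)   # refang only so urlsplit can parse it
        ip = parts[1] if len(parts) > 1 else None
        u = urlsplit(url)
        # The sample requests "//Docking/Docking.zip"; treat it as "/Docking/Docking.zip".
        path = re.sub(r"/{2,}", "/", u.path)
        yield u.hostname, path, ip          # urlsplit lower-cases the hostname


def hosts_by_path(text):
    """Map each resource path to the set of hostnames it was requested from."""
    by_path = defaultdict(set)
    for host, path, _ in parse_report_urls(text):
        by_path[path].add(host)
    return dict(by_path)


def indicators(text):
    """Return (hostnames, IP addresses) seen in the table, as sets."""
    hosts, ips = set(), set()
    for host, _, ip in parse_report_urls(text):
        hosts.add(host)
        if ip:
            ips.add(ip)
    return hosts, ips


if __name__ == "__main__":
    for path, hosts in sorted(hosts_by_path(REPORT_URLS).items()):
        if len(hosts) > 1:
            print(f"{path}\n    served via: {', '.join(sorted(hosts))}")
    hosts, ips = indicators(REPORT_URLS)
    print("hosts:", ", ".join(sorted(hosts)))
    print("ips:  ", ", ".join(sorted(ips)))
```

Grouping by path is what makes the hostname rotation visible: every resource the sample needs is available from at least two names, so blocking a single staticrr.* domain is not enough, while the three IP addresses in the table are a much shorter list.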


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Two User-Agent strings appear in the requests below. The HTML user-interface resources (box.html, loading.css, the images and doma.js) are fetched with the WinINet User-Agent of the Windows XP SP3 sandbox (MSIE 6.0; Windows NT 5.1) and carry box.html as Referer, i.e. they are loaded through the IE rendering engine. The template ZIPs and Docking.zip are fetched with a hard-coded Firefox 15 / Windows NT 6.1 (Windows 7) User-Agent that does not match the host the sample actually ran on. A client whose claimed Windows version disagrees with the sending machine is a cheap proxy-log hunting indicator for this downloader component. The comments in doma.js are written in Spanish.

GET /Loading/b111f3f2_loading_java-similar/box.html HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: staticrr.safetydownload.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx
Date: Tue, 22 Jul 2014 21:06:19 GMT
Content-Type: text/html
Last-Modified: Wed, 28 May 2014 17:14:38 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Content-Encoding: gzip
[gzip-compressed, chunked HTML body; the first chunk size 0x3bf = 959 bytes matches the 959-byte box[1].html written to the IE cache in the File activity section. Binary data not shown. The capture then repeats the same response headers and body a second time.]

<<< skipped >>>

GET /Loading/b111f3f2_loading_java-similar/loading.css HTTP/1.1

Accept: */*
Referer: hXXp://staticrr.safetydownload.net/Loading/b111f3f2_loading_java-similar/box.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: staticrr.safetydownload.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx
Date: Tue, 22 Jul 2014 21:06:20 GMT
Content-Type: text/css
Content-Length: 6234
Last-Modified: Wed, 28 May 2014 17:14:38 GMT
Connection: keep-alive
ETag: "5386197e-185a"
Accept-Ranges: bytes
/* CSS Document */
/* CSS LOADING WIN */
article,aside,details,figcaption,figure,
footer,header,hgroup,menu,nav,section {
display:block;
}
p, h5, h4, h3, h2, h1, span, ul, li, form, input, textarea {
    margin:0;
    padding:0;
}
body {
    margin:0 auto;
    background-color:#fff;
    width:670px;
    height:410px;
    color:#444;
}
a {
    color:#0066cc;
}
.clear {
    clear:both;
}
/*********************//*********************//*********************//*********************//*********************//*********************/
.container {
    width:670px;
    height:410px;
    margin:0 auto;
    background:#eaeaea;
    font-family:Arial, Helvetica, sans-serif;
    color:#444;
    font-size:13px;
}
.header {
    width:175px;
    height:359px;
    padding:0;
    background:#eee url("images/bg_app.png") right no-repeat;
    border-bottom:1px solid #c4c4c4;
    position:relative;
    z-index:0;
    float:left;
    overflow:hidden;
}
.header h3 {
    font-size:12px;
    font-weight:bold;
    margin:12px 10px 0 10px;
    color:#fff;
}
.header pre { font-family:Arial, Helvetica, sans-serif !important;}
.header h2 {
    font-size:11px;
    font-weight:normal;
    margin:3px 10px 0 10px;
    color:#fff;
    width:150px !important;
    float:left;
    word-wrap: break-word;
    font-family:Arial, Helvetica, sans-serif !important;
}
.content {
    width:485px;
    height:349px;
    padding:5px;
    border-bottom:1px solid #c4c4c4;
    float:left;
}
.buttons-in {
    float: right;
    width:150px;
}
.buttons {
    clear:both;
    width:660px;
    height:27px;
    padding:12px 5px 0;
    border-t

<<< skipped >>>

GET /Loading/b111f3f2_loading_java-similar/images/bg_app.png HTTP/1.1

Accept: */*
Referer: hXXp://staticrr.safetydownload.net/Loading/b111f3f2_loading_java-similar/box.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: staticrr.safetydownload.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx
Date: Tue, 22 Jul 2014 21:06:20 GMT
Content-Type: image/png
Content-Length: 20761
Last-Modified: Wed, 28 May 2014 17:14:38 GMT
Connection: keep-alive
ETag: "5386197e-5119"
Accept-Ranges: bytes
[PNG: IHDR, a tEXt chunk "Software: Adobe ImageReady", then an iTXt chunk XML:com.adobe.xmp with this metadata:]
<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?>
<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 ">
 <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#">
  <rdf:Description rdf:about=""
    xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/"
    xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/"
    xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#"
    xmp:CreatorTool="Adobe Photoshop CS6 (Macintosh)"
    xmpMM:InstanceID="xmp.iid:9877AA79DEAB11E3BE9AC4982E4C1D8B"
    xmpMM:DocumentID="xmp.did:9877AA7ADEAB11E3BE9AC4982E4C1D8B">
   <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:9877AA77DEAB11E3BE9AC4982E4C1D8B" stRef:documentID="xmp.did:9877AA78DEAB11E3BE9AC4982E4C1D8B"/>
  </rdf:Description>
 </rdf:RDF>
</x:xmpmeta>
<?xpacket end="r"?>
[IDAT image data not shown.]

<<< skipped >>>

GET /Loading/b111f3f2_loading_java-similar/images/secure.jpg HTTP/1.1

Accept: */*
Referer: hXXp://staticrr.safetydownload.net/Loading/b111f3f2_loading_java-similar/box.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: staticrr.safetydownload.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx
Date: Tue, 22 Jul 2014 21:06:20 GMT
Content-Type: image/jpeg
Content-Length: 19602
Last-Modified: Wed, 28 May 2014 17:14:38 GMT
Connection: keep-alive
ETag: "5386197e-4c92"
Accept-Ranges: bytes
[JPEG: Exif header (Intel byte order), a "Ducky" segment (Adobe Save for Web), then an XMP block under hXXp://ns.adobe.com/xap/1.0/:]
<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?>
<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 ">
 <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#">
  <rdf:Description rdf:about=""
    xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/"
    xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/"
    xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#"
    xmp:CreatorTool="Adobe Photoshop CS6 (Macintosh)"
    xmpMM:InstanceID="xmp.iid:9877AA7DDEAB11E3BE9AC4982E4C1D8B"
    xmpMM:DocumentID="xmp.did:9877AA7EDEAB11E3BE9AC4982E4C1D8B">
   <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:9877AA7BDEAB11E3BE9AC4982E4C1D8B" stRef:documentID="xmp.did:9877AA7CDEAB11E3BE9AC4982E4C1D8B"/>
  </rdf:Description>
 </rdf:RDF>
</x:xmpmeta>
<?xpacket end="r"?>
[Adobe APP14 segment and entropy-coded image data not shown. The XMP instance IDs here (...7B to ...7E) continue the sequence of bg_app.png above (...77 to ...7A): both images were exported in the same Photoshop session.]

<<< skipped >>>

GET /sdb/doma.js HTTP/1.1
Accept: */*
Referer: hXXp://staticrr.safetydownload.net/Loading/b111f3f2_loading_java-similar/box.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: staticrr.paleokits.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx
Date: Tue, 22 Jul 2014 21:06:20 GMT
Content-Type: application/x-javascript
Content-Length: 2184
Last-Modified: Wed, 07 Aug 2013 11:37:26 GMT
Connection: keep-alive
ETag: "52023176-888"
Accept-Ranges: bytes
(the comments in the original are Spanish; they are translated here, identifiers are unchanged)

   // shows one layer and hides another
   function changeVisibility(capamostrar,capaocultar) {
     div = document.getElementById(capamostrar);
     div.style.display = "";
     div = document.getElementById(capaocultar);
     div.style.display = "none";
   }
   // function to show or hide the installation progress, split up per offer
   function mostrardiv() {
     div = document.getElementById('multipleProgress');
     div.style.display = "";
     div = document.getElementById('ocultar');
     div.style.display = "";
   }
   function cerrar() {
     div = document.getElementById('multipleProgress');
     div.style.display='none';
     div = document.getElementById('ocultar');
     div.style.display='none';
   }
   // function to show or hide the div listing the toolbars installed, in finish.html
   function show() {
     div = document.getElementById('alloffers');
     div.style.display = "";
     div = document.getElementById('ocultar');
     div.style.display = "";
   }
   function hide() {
     div = document.getElementById('alloffers');
     div.style.display='none';
     div = document.getElementById('ocultar');
     div.style.display='none';
   }
   // if the user does not accept the radio button, the Next button is not enabled
   function acceptDeclineDisablenext()
   {
     if(document.getElementById('Raccept').checked)
     {
       document.getElementById('Bnext').disabled = false;
       document.getElementById('Bnext').focus();
     }

<<< skipped >>>

GET //Styles/Templates/e9c1a9ca_Win_A_Banner_DeclineLink.zip HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Host: staticrr.cloudbox106.com
Accept-Encoding: gzip, deflate
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx
Date: Tue, 22 Jul 2014 21:06:32 GMT
Content-Type: application/zip
Content-Length: 344899
Last-Modified: Fri, 07 Mar 2014 11:17:00 GMT
Connection: keep-alive
ETag: "5319aaac-54343"
Accept-Ranges: bytes
[ZIP archive, binary data not shown; the first local file header in the dump is style.css.]

<<< skipped >>>

GET //Displays/Templates/756e2734_Win_A_Banner-NoLink-DeclineLink-Java.zip HTTP/1.1

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Host: staticrr.cloudbox106.com
Accept-Encoding: gzip, deflate


HTTP/1.1 200 OK
Server: nginx
Date: Tue, 22 Jul 2014 21:06:33 GMT
Content-Type: application/zip
Content-Length: 7745
Last-Modified: Thu, 06 Mar 2014 16:11:23 GMT
Connection: keep-alive
ETag: "53189e2b-1e41"
Accept-Ranges: bytes
[ZIP archive, binary data not shown; local file headers visible in the dump: close.html, finish.html, group.html, i.e. the page set that the File activity section shows unpacked to %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\exe\.]

<<< skipped >>>

GET //Docking/Docking.zip HTTP/1.1

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Host: staticrr.cloudbox106.com
Accept-Encoding: gzip, deflate


HTTP/1.1 200 OK
Server: nginx
Date: Tue, 22 Jul 2014 21:06:33 GMT
Content-Type: application/zip
Content-Length: 37048
Last-Modified: Tue, 26 Nov 2013 13:00:11 GMT
Connection: keep-alive
ETag: "52949b5b-90b8"
Accept-Ranges: bytes

<<< skipped >>>

GET /index.php/api/361/JFileManager/638/1026/English/WW.xml HTTP/1.1
Accept-Encoding: gzip, deflate,gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Host: api.v2.secdls.com
Connection: Close


HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Encoding: gzip
Content-Type: text/xml; charset=utf-8
Date: Tue, 22 Jul 2014 21:06:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Server: nginx
Set-Cookie: symfony=jeee4batlhtev1dhn6bhp42dt4; path=/
transfer-encoding: chunked
Connection: Close

<<< skipped >>>

GET /Loading/b111f3f2_loading_java-similar/images/safe.png HTTP/1.1
Accept: */*
Referer: hXXp://staticrr.safetydownload.net/Loading/b111f3f2_loading_java-similar/box.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: staticrr.safetydownload.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx
Date: Tue, 22 Jul 2014 21:06:20 GMT
Content-Type: image/png
Content-Length: 11629
Last-Modified: Wed, 28 May 2014 17:14:38 GMT
Connection: keep-alive
ETag: "5386197e-2d6d"
Accept-Ranges: bytes

<<< skipped >>>

GET /Loading/b111f3f2_loading_java-similar/images/loading.gif HTTP/1.1

Accept: */*
Referer: hXXp://staticrr.safetydownload.net/Loading/b111f3f2_loading_java-similar/box.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: staticrr.safetydownload.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx
Date: Tue, 22 Jul 2014 21:06:20 GMT
Content-Type: image/gif
Content-Length: 2932
Last-Modified: Wed, 28 May 2014 17:14:38 GMT
Connection: keep-alive
ETag: "5386197e-b74"
Accept-Ranges: bytes

<<< skipped >>>

GET /index.php/apiLoading/1026.html HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: api.v2.secdls.com
Connection: Keep-Alive


HTTP/1.1 301 Moved Permanently
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Date: Tue, 22 Jul 2014 21:06:19 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Location: hXXp://staticrr.safetydownload.net/Loading/b111f3f2_loading_java-similar/box.html
Pragma: no-cache
Server: nginx
Set-Cookie: symfony=tb41pntr6gqv6c72q4c50obcr5; path=/
Content-Length: 304
Connection: keep-alive
<html><head><meta http-equiv="refresh" content="0;url=hXXp://staticrr.safetydownload.net/Loading/b111f3f2_loading_java-similar/box.html"/></head></html><html><head><meta http-equiv="refresh" content="0;url=hXXp://staticrr.safetydownload.net/Loading/b111f3f2_loading_java-similar/box.html"/></head></html>

<<< skipped >>>

The Malware connects to the servers at the following location(s):

%original file name%.exe_1876:

.text
`.rsrc
.reloc
vSSSh
FTPjK
FtPj;
C.PjRV
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
operator
ADVAPI32.DLL
GetProcessWindowStation
USER32.DLL
portuguese-brazilian
KERNEL32.dll
RegOpenKeyExW
ADVAPI32.dll
OLEAUT32.dll
mscoree.dll
GetProcessHeap
GetCPInfo
@.reloc
X l.dlT
v2.0.50727
TheHostV.dll
System.Reflection
.cctor
kernel32.dll
System.Threading
.ctor
System.IO
System.Collections.Generic
orderCmd
isChromeInstalled
OperatingSystem
Firefox
Chrome
System.Xml
System.Collections
urllist
get_Urls
System.Globalization
Urls
System.Windows.Forms
WebBrowser
mappurl
System.ComponentModel
System.Collections.Specialized
System.Windows.Forms.Layout
System.Text.RegularExpressions
WebClient
System.Net
IWebProxy
System.Text
System.Drawing
RemoteProcess.Controls
webBrowser1
get_Url
set_Url
user32.dll
ISupportInitialize
instalarEXE
System.Diagnostics
WebRequest
HttpWebRequest
WebResponse
WebHeaderCollection
HttpStatusCode
HttpWebResponse
displayUrl
appUrl
appUrlNotNormalized
silentreport
reporturl
policyUrl
uninstallurl
ADWurl
AddUninstallUrls
IsValidUrl
RegistryKey
Microsoft.Win32
System.Security.Principal
checkkey
get_Checkkey
set_Checkkey
Checkkey
RegKey
NoRegKey
RemotoProces.Properties
System.Configuration
KERNEL32.DLL
lpKeyName
dictionaryurl
appurl
ProcessWindowStyle
FindExecutableA
FindExecutable
shell32.dll
urlConfig
templateUrl
dockungUrl
GratitudeUrl
AbortedUrl
SilentAbortUrl
domainurl
WebmasterId
System.Management
WindowsIdentity
WindowsPrincipal
WindowsBuiltInRole
CreateSubKey
EnumerateSubKeys
WOW64_32Key
WOW64_64Key
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
RegOpenKeyEx
Advapi32.dll
hKey
lpSubKey
RegCloseKey
advapi32.dll
GetRegKey64
inKeyName
GetRegKey32
in32or64key
StaticRegkey
Getkey
RegistryKeys
ScreenOperations
HijoInstalado
HttpRequestHeader
urlLoading
xmlUrl
trackUrl
staticUrl
keyword
get_UrlLoading
set_UrlLoading
get_XmlUrl
set_XmlUrl
get_TrackUrl
set_TrackUrl
get_StaticUrl
set_StaticUrl
get_Keyword
set_Keyword
UrlLoading
XmlUrl
TrackUrl
StaticUrl
Keyword
ExtendedWebClient
GetWebRequest
user32.DLL
wMsg
WebBrowserDocumentCompletedEventArgs
wbMain_PreviewKeyDown
PreviewKeyDownEventArgs
Keys
FormWindowState
WebBrowserReadyState
System.Net.Configuration
Microsoft.mshtml
Trackingurls
graphiteUrl
lastXmlurl
uninstallurls
checkurls
get_GraphiteUrl
set_GraphiteUrl
get_LastXmlurl
set_LastXmlurl
keystring
generateUrl
openUrl
sendByUDP
port
webtrack
System.Security.Cryptography
System.Net.Sockets
GraphiteUrl
LastXmlurl
urlXML
urlStatic
urlTracker
DownloadUrl
_downloadUrls
urls
System.IO.Compression
InvalidOperationException
apiurl
get_Apiurl
set_Apiurl
Apiurl
<PrivateImplementationDetails>{B5A74BFD-C62B-4AB3-8413-5D0E6C4D2AFC}
System.Resources
System.Runtime.CompilerServices
System.Runtime.InteropServices
System.CodeDom.Compiler
RemoteProcess.Contact.resources
RemoteProcess.Controls.Banner.resources
RemoteProcess.Controls.Form1.resources
RemoteProcess.Debug.resources
RemoteProcess.MainForm.resources
Join
set_UseShellExecute
get_DefaultWebProxy
OpenSubKey
GetSubKeyNames
set_WindowStyle
WebException
set_WindowState
set_WebBrowserShortcutsEnabled
WebBrowserDocumentCompletedEventHandler
PreviewKeyDownEventHandler
add_PreviewKeyDown
set_IsInputKey
get_KeyCode
get_WindowState
get_ExecutablePath
set_TransparencyKey
set_AllowWebBrowserDrop
set_IsWebBrowserContextMenuEnabled
set_Key
get_Key
ConfuserEx v0.1.0-21-g8d974cf
7.7.6.7
KMicrosoft.VisualStudio.Editors.SettingsDesigner.SettingsSingleFileGenerator
11.0.0.0
...LXXX
4!%s)
w.AOd(
r].oz~
-v..vw// !
8~<310.*&-
8~<310.  -
8~<310. .-
?=<3213-
'$&$ .,,-#
(CS`)?Nj(>Lp(>LuŸx
<requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel>
%sy5|l
rv2.0.50727
v4.0.30319
RemoteProcess.Program
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\dfsD.tmp
c:\%original file name%.exe

%original file name%.exe_1876_rwx_00401000_000B8000:

vSSSh
FTPjK
FtPj;
C.PjRV
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
operator
ADVAPI32.DLL
GetProcessWindowStation
USER32.DLL
portuguese-brazilian
KERNEL32.dll
RegOpenKeyExW
ADVAPI32.dll
OLEAUT32.dll
mscoree.dll
GetProcessHeap
GetCPInfo
.text
`.rsrc
@.reloc
X l.dlT
v2.0.50727
TheHostV.dll
System.Reflection
.cctor
kernel32.dll
System.Threading
.ctor
System.IO
System.Collections.Generic
orderCmd
isChromeInstalled
OperatingSystem
Firefox
Chrome
System.Xml
System.Collections
urllist
get_Urls
System.Globalization
Urls
System.Windows.Forms
WebBrowser
mappurl
System.ComponentModel
System.Collections.Specialized
System.Windows.Forms.Layout
System.Text.RegularExpressions
WebClient
System.Net
IWebProxy
System.Text
System.Drawing
RemoteProcess.Controls
webBrowser1
get_Url
set_Url
user32.dll
ISupportInitialize
instalarEXE
System.Diagnostics
WebRequest
HttpWebRequest
WebResponse
WebHeaderCollection
HttpStatusCode
HttpWebResponse
displayUrl
appUrl
appUrlNotNormalized
silentreport
reporturl
policyUrl
uninstallurl
ADWurl
AddUninstallUrls
IsValidUrl
RegistryKey
Microsoft.Win32
System.Security.Principal
checkkey
get_Checkkey
set_Checkkey
Checkkey
RegKey
NoRegKey
RemotoProces.Properties
System.Configuration
KERNEL32.DLL
lpKeyName
dictionaryurl
appurl
ProcessWindowStyle
FindExecutableA
FindExecutable
shell32.dll
urlConfig
templateUrl
dockungUrl
GratitudeUrl
AbortedUrl
SilentAbortUrl
domainurl
WebmasterId
System.Management
WindowsIdentity
WindowsPrincipal
WindowsBuiltInRole
CreateSubKey
EnumerateSubKeys
WOW64_32Key
WOW64_64Key
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
RegOpenKeyEx
Advapi32.dll
hKey
lpSubKey
RegCloseKey
advapi32.dll
GetRegKey64
inKeyName
GetRegKey32
in32or64key
StaticRegkey
Getkey
RegistryKeys
ScreenOperations
HijoInstalado
HttpRequestHeader
urlLoading
xmlUrl
trackUrl
staticUrl
keyword
get_UrlLoading
set_UrlLoading
get_XmlUrl
set_XmlUrl
get_TrackUrl
set_TrackUrl
get_StaticUrl
set_StaticUrl
get_Keyword
set_Keyword
UrlLoading
XmlUrl
TrackUrl
StaticUrl
Keyword
ExtendedWebClient
GetWebRequest
user32.DLL
wMsg
WebBrowserDocumentCompletedEventArgs
wbMain_PreviewKeyDown
PreviewKeyDownEventArgs
Keys
FormWindowState
WebBrowserReadyState
System.Net.Configuration
Microsoft.mshtml
Trackingurls
graphiteUrl
lastXmlurl
uninstallurls
checkurls
get_GraphiteUrl
set_GraphiteUrl
get_LastXmlurl
set_LastXmlurl
keystring
generateUrl
openUrl
sendByUDP
port
webtrack
System.Security.Cryptography
System.Net.Sockets
GraphiteUrl
LastXmlurl
urlXML
urlStatic
urlTracker
DownloadUrl
_downloadUrls
urls
System.IO.Compression
InvalidOperationException
apiurl
get_Apiurl
set_Apiurl
Apiurl
<PrivateImplementationDetails>{B5A74BFD-C62B-4AB3-8413-5D0E6C4D2AFC}
System.Resources
System.Runtime.CompilerServices
System.Runtime.InteropServices
System.CodeDom.Compiler
RemoteProcess.Contact.resources
RemoteProcess.Controls.Banner.resources
RemoteProcess.Controls.Form1.resources
RemoteProcess.Debug.resources
RemoteProcess.MainForm.resources
Join
set_UseShellExecute
get_DefaultWebProxy
OpenSubKey
GetSubKeyNames
set_WindowStyle
WebException
set_WindowState
set_WebBrowserShortcutsEnabled
WebBrowserDocumentCompletedEventHandler
PreviewKeyDownEventHandler
add_PreviewKeyDown
set_IsInputKey
get_KeyCode
get_WindowState
get_ExecutablePath
set_TransparencyKey
set_AllowWebBrowserDrop
set_IsWebBrowserContextMenuEnabled
set_Key
get_Key
ConfuserEx v0.1.0-21-g8d974cf
7.7.6.7
KMicrosoft.VisualStudio.Editors.SettingsDesigner.SettingsSingleFileGenerator
11.0.0.0
...LXXX
rv2.0.50727
v4.0.30319
RemoteProcess.Program
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\dfsD.tmp
c:\%original file name%.exe

%original file name%.exe_1876_rwx_004CF000_00002000:

(CS`)?Nj(>Lp(>LuŸx
<requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel>
kernel32.dll
ADVAPI32.dll
RegOpenKeyExW
OLEAUT32.dll
mscoree.dll
%sy5|l

%original file name%.exe_1876_rwx_00AA2000_00009000:

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\dfsD.tmp

%original file name%.exe_1876_rwx_02EDB000_00001000:

v2.0.50727

%original file name%.exe_1876_rwx_02F15000_00001000:

ntdll.dll

%original file name%.exe_1876_rwx_032B0000_00010000:

l.dlf


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
  2. Delete the original Malware file.
  3. Delete or disinfect the following files created/modified by the Malware:

    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\style.css (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\butpause.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\bg_app[1].png (3072 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\position4A.css (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\position3C.css (638 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\screen-vafmusic.png (1552 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\show.png (235 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\screen-zipper.png (9 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\config.dmc (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\screen-geaudioconverter.png (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\position3A.css (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\position3D.css (539 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\exe\options.html (965 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\screen-printpdf.png (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\exe\instalando.html (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\boton.jpg (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\screen-vafplayer.png (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\position2A.css (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\base.css (265 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\dfsD.tmp (1789 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\screen-gevideoconverter.png (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\position1A.css (421 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\less.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\safe[1].png (1521 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\loading[1].css (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\box[1].htm (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\progress.png (4 bytes)
    %System%\wbem\Logs\wbemprox.log (228 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\check-close.png (243 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\loading[1].gif (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\exe\close.html (384 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\box[1].html (959 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\temp\templateDisplays.dfe (196 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\bg_app.png (1856 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\exe\finish.html (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\screen-olivebrowser.png (13 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\jquery.min.js (3312 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\bullet.gif (58 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\temp\Dockings.dfe (5572 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin.dmc (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\progress_small.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\doma[1].js (73 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\logo-win.jpg (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\check.png (398 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\exe\box.html (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\position2B.css (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\check.jpg (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\more.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\butplay.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\screen-miul.png (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\percentage-bg.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\cross.jpg (9 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\hide.png (160 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\position3B.css (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\secure[1].jpg (776 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\temp\templateStyle.dfe (45012 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\bullet-short.gif (54 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\position2C.css (578 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\exe\group.html (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\boton_xl.jpg (12 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\progress_small_bg.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\screen-ifish.png (1552 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\exe\welcome.html (151 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.