ThreatExpert Report: W32.Rontokbro@mm, Virus.Win32.Virut.ce, W32/Virut.n.gen, W32/Scribble-B..

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 4 October 2010, 05:13:03
Processing time: 17 min 34 sec
Submitted sample:

File MD5: 0x40EF6F51908EC700A8824E738E4C9120
File SHA-1: 0x1B0824081EB0172D92B36CC176039AB5CCAF3466
Filesize: 122,880 bytes
Alias:

W32.Rontokbro@mm [Symantec]
Virus.Win32.Virut.ce [Kaspersky Lab]
W32/Virut.n.gen [McAfee]
W32/Scribble-B [Sophos]
Worm:Win32/Brontok.E@mm [Microsoft]
Email-Worm.Win32.Brontok [Ikarus]
Win32/Virut.F [AhnLab]

Summary of the findings:

What's been found	Severity Level
Capability to send out email message(s) with the built-in SMTP client engine.
Hosts file modification that may block access to the security web sites.
Produces outbound traffic.
Downloads/requests other files from Internet.
Modifies some system settings that may have negative impact on overall system security state.
Creates a startup registry entry.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! Characteristics of the following security risks were identified in the system:

Security Risk	Description
Spyware.Alexa	This is a toolbar installed on your Internet Explorer without warning that if you use it, you will be sending information to MSN and Alexa. If you don't use the toolbar, it is harmless. The general recommendation is to remove it.
Email-Worm.Brontok.Q	Email.Worm.Brontok.Q is an email worm that propagates by sending itself to email contacts harvested from an infected machine. This worm employs several anti-removal tactics that will cause a system reboot when triggered.
Trojan-PWS.QQPass	Trojan.PWSteal.QQPass is a trojan that will steal usernames and passwords and then send to an attacker.
Trojan-PWS.Lineage	Trojan.PWSteal.Lineage is a group of password stealing Trojans that attempt to steal passwords associated with the game called "Lineage" or "Lineage II", and send it to the creator of the Trojan.

Attention! The following threat categories were identified:

Threat Category	Description
	A malicious backdoor trojan that runs in the background and allows remote access to the compromised system
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment
	A virus capable to modify other files by infecting, prepending, or overwriting them them with its own body
	A network-aware worm that attempts to replicate across the existing network(s)
	A keylogger program that can capture all user keystrokes (including confidential details such username, password, credit card number, etc.)

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%UserProfile%\aaaaaaaa~.exe %System%\aaaaaaaa~.exe	48,640 bytes	MD5: 0xAFD0915C1AAD721CAEE982A8A8B6E289 SHA-1: 0x205E3149FEAE3D494CE390859A4A080DE04E5AB8	Trojan Horse [Symantec] Backdoor.Win32.Protector.fd [Kaspersky Lab] Mal/Generic-L [Sophos] Trojan:Win32/Meredrop [Microsoft] Win-Trojan/Seint.48640.D [AhnLab]
2	%AppData%\FlexibleSoft\drvwincrt34\msftcore.dat	769 bytes	MD5: 0xB961B75968F415EE9CAD9A316E3DAE61 SHA-1: 0xC954A0A6C38F6C47ABAA2CE70908CA91D69A68A3	(not available)
3	%AppData%\FlexibleSoft\drvwincrt34\msftcore.dll	108,032 bytes	MD5: 0xC687F1CDD86B27663E31F7961C34C0F3 SHA-1: 0x98191C7766D39C7E582C124F7E71333C2D76B82E	(not available)
4	%AppData%\FlexibleSoft\drvwincrt34\msftdm.exe %AppData%\FlexibleSoft\drvwincrt34\msftdm32.exe	2,560 bytes	MD5: 0x93C19DF7781E8C2DAE5CB8DFAB60860B SHA-1: 0xF7642B2F2DCF1DB31B1B0082F5AF2CC760EBDD3D	(not available)
5	%AppData%\FlexibleSoft\drvwincrt34\msfteml.dll	90,112 bytes	MD5: 0xC92746EDEBAC8DC73D9DE7A5F529899F SHA-1: 0x759B1ADF07CF934662C1990B4A630D264DD736B1	Backdoor.Win32.Agent.baew [Kaspersky Lab]
6	%AppData%\FlexibleSoft\drvwincrt34\msftldr.dll	59,392 bytes	MD5: 0xC9F471E3BCC053823B1C1EB1777AE940 SHA-1: 0x398A127907B8868E2F3B0C2E0AF3C35AFA0D5AD0	(not available)
7	%AppData%\FlexibleSoft\drvwincrt34\msftmod.dat %Windir%\Temp\msftmod.dat	24 bytes	MD5: 0xE21F42C8E892BCB102B45FD92AE946F2 SHA-1: 0x018C9F80A4F603C12E0F7014FA8C77116434BA09	(not available)
8	%AppData%\FlexibleSoft\drvwincrt34\msftstp.exe	51,200 bytes	MD5: 0xC593561A05351B81D250C1B17A126356 SHA-1: 0xB161F495F06B8961A5767FF2FDCE9AA03D850E26	W32.Virut.CF [Symantec] Virus.Win32.Virut.ce [Kaspersky Lab] W32/Virut.n.gen [McAfee] Virus:Win32/Virut.BN [Microsoft] Virus.Win32.Virut [Ikarus] Win32/Virut.F [AhnLab]
9	%AppData%\FlexibleSoft\drvwincrt34\msfttcp.dll	37,888 bytes	MD5: 0x50A7C9F8A486C6CFBEEB95E8C9BCAD09 SHA-1: 0x9B1DA7B49BC99B1236F98B9F8BAFBFDD5A877F74	Trojan.Win32.Swizzor.xpc [Kaspersky Lab]
10	%AppData%\hotfix.exe %Windir%\Temp\nr4a3plml.exe	774,144 bytes	MD5: 0x7DA8316B8E407E2EFB2B079D5599B460 SHA-1: 0x0117E4E670AC5B84970B3A2DC8AB299ADC1492BB	W32.Virut.CF [Symantec] Virus.Win32.Virut.ce [Kaspersky Lab] W32/Virut.n.gen [McAfee] W32/Scribble-B [Sophos] Virus:Win32/Virut.BN [Microsoft] Virus.Win32.Virut [Ikarus] Win32/Virut.F [AhnLab]
11	%AppData%\srsf.bat	113 bytes	MD5: 0x4177610491D22631C0742BCC52B20699 SHA-1: 0xA78F88FA615F7502BF4F00AD44AEB28752C5BF73	(not available)
12	%AppData%\wiaservg.log	4 bytes	MD5: 0x7DCB4CE54F66026CC29F1323A21DEF0A SHA-1: 0x6E1187B216CF246961F8B320B31DD7A22915A77C	(not available)
13	%AppData%\Bron.tok.A12.em.bin	12,407 bytes	MD5: 0xC8FBD60C05C75CE591FB1B7DF4E28652 SHA-1: 0xFCF74622C265BF2FEF964E9F7234DE4A07646C45	(not available)
14	%AppData%\csrss.exe %AppData%\inetinfo.exe %AppData%\lsass.exe %AppData%\services.exe %AppData%\smss.exe %AppData%\winlogon.exe %Programs%\Startup\Empty.pif %Templates%\Brengkolang.com %Windir%\eksplorasi.exe %Windir%\ShellNew\sempalong.exe [file and pathname of the sample #1] %System%\%UserName%'s Setting.scr	122,880 bytes	MD5: 0x40EF6F51908EC700A8824E738E4C9120 SHA-1: 0x1B0824081EB0172D92B36CC176039AB5CCAF3466	W32.Rontokbro@mm [Symantec] Virus.Win32.Virut.ce [Kaspersky Lab] W32/Virut.n.gen [McAfee] W32/Scribble-B [Sophos] Worm:Win32/Brontok.E@mm [Microsoft] Email-Worm.Win32.Brontok [Ikarus] Win32/Virut.F [AhnLab]
15	%AppData%\ListHost12.txt	12,407 bytes	MD5: 0x7BD78E0790F3EA1F7CE1AFE3F8353996 SHA-1: 0x2C05EF2909C1923E75D189C323A5129EA332DB4D	(not available)
16	%AppData%\Update.12.Bron.Tok.bin	12,407 bytes	MD5: 0x058413FE844DA929D366A24018B2C0DA SHA-1: 0xA197A1CEE54E7739ADABF914B57E5F026A6395B7	(not available)
17	%Temp%\pauel2.exe	58,368 bytes	MD5: 0x2DA433B555E147E7E94F8B3B520DC1B7 SHA-1: 0xE45776C52A53A56AC534BA67B737CEE8FDF7DF76	W32.Virut.CF [Symantec] Virus.Win32.Virut.ce [Kaspersky Lab] W32/Virut.n.gen [McAfee] W32/Scribble-B [Sophos] Virus:Win32/Virut.BN [Microsoft] Virus.Win32.Virut [Ikarus] Win32/Virut.F [AhnLab]
18	%Temp%\ydut.exe	58,368 bytes	MD5: 0x6CA90566D50089139507BB4162552C1B SHA-1: 0x307519DF9CCCB31C06C3099846BF898F86952859	W32.Virut.CF [Symantec] Virus.Win32.Virut.ce [Kaspersky Lab] W32/Virut.n.gen [McAfee] W32/Scribble-B [Sophos] Virus:Win32/Virut.BN [Microsoft] Virus.Win32.Virut [Ikarus] Win32/Virut.F [AhnLab]
19	%UserProfile%\oashdihasidhasuidhiasdhiashdiuasdhasd	1 bytes	MD5: 0x55A54008AD1BA589AA210D2629C1DF41 SHA-1: 0xBF8B4530D8D246DD74AC53A13471BBA17941DFF7	(not available)
20	%Programs%\Startup\WinUpdate.lnk	986 bytes	MD5: 0x468FCABC91572D2C9F7FE892CD34DB15 SHA-1: 0x4032CC12C5520EBB78CC8E4DFEE70794E05B876B	(not available)
21	%UserProfile%\wuaucldt.exe	32,512 bytes	MD5: 0x8A08A0E8C2827D6EEF0B01819E0F3249 SHA-1: 0x2F4822BF2479FDE7FD89675144843EBC4648E44B	TrojanDownloader:Win32/Cutwail.BA [Microsoft]
22	%ProgramFiles%\Internet Explorer\rasadhlp.dll %ProgramFiles%\Outlook Express\rasadhlp.dll	51,712 bytes	MD5: 0x7931354A5BDA8E461DE7CB52EF88651E SHA-1: 0x3B63AC875C839F6E850FCBECEE3260D6E07A1D22	Trojan.Gen [Symantec] Backdoor.Win32.Delf.woe [Kaspersky Lab] Mal/PWS-AT [Sophos] Trojan-Downloader.Win32.Delf [Ikarus]
23	%Windir%\41nej7q5n3a0bm5zifkzx65y.ini %Windir%\Temp\jfmwmcyhi.htm %Windir%\Temp\VRT2.tmp	0 bytes	MD5: 0xD41D8CD98F00B204E9800998ECF8427E SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709	(not available)
24	%FontsDir%\mlog	5,671 bytes	MD5: 0x2B87286E4890370FE244A97BCF6617A6 SHA-1: 0xF5A5A979846618282039D1375EB8F26C73AC0FEE	(not available)
25	%FontsDir%\services.exe	77,824 bytes	MD5: 0xB898A4F61F81EA09AD16430D7085215D SHA-1: 0x0409889A90BE9047CC8B458124F6714543EE04A3	W32.Virut.CF [Symantec] Virus.Win32.Virut.ce [Kaspersky Lab] W32/Virut.n.gen [McAfee] W32/Scribble-B [Sophos] Virus:Win32/Virut.BN [Microsoft] Trojan-Spy.Win32.VB [Ikarus] Win32/Virut.F [AhnLab]
26	%Windir%\inf\vvt.pnf	24 bytes	MD5: 0xCA1215AE60918ECD7E9DD4D7E3387515 SHA-1: 0x60F773C743D7AB607D447B6C4FD91884C0D05745	(not available)
27	%Windir%\svc2.exe	262,144 bytes	MD5: 0xA58E3C5679FA5C51181F75D1E598F4A7 SHA-1: 0x1EFF512EEAB3B4BCC00829AA063EC6C01FC1CB19	W32.Virut.CF [Symantec] Virus.Win32.Virut.ce [Kaspersky Lab] W32/Virut.n.gen [McAfee] W32/Scribble-B [Sophos] Virus:Win32/Virut.BN [Microsoft] Backdoor.Win32.SubSeven.21.Muie.A [Ikarus] Win32/Virut.F [AhnLab]
28	%Windir%\svc3.exe %Windir%\Temp\kdzvwvyo.exe	262,144 bytes	MD5: 0x1C14DE582DBE3D19EC6780BD255BA343 SHA-1: 0xDA64CF2C86165C0ECED149A019DEA68386BDC386	W32.Virut.CF [Symantec] Virus.Win32.Virut.ce [Kaspersky Lab] W32/Virut.n.gen [McAfee] W32/Scribble-B [Sophos] Virus:Win32/Virut.BN [Microsoft] Backdoor.Win32.SubSeven.21.Muie.A [Ikarus] Win32/Virut.F [AhnLab]
29	%System%\3pebj5.log	2,942 bytes	MD5: 0x722CBCE96CABFE5D12D83D4EC4F1E7F7 SHA-1: 0x71E1971B33284DBE7E578D0461F1B1CFB38A473A	(not available)
30	%System%\comsats.sys	9 bytes	MD5: 0x391D075614145D8C2666413E95F2FDF5 SHA-1: 0x73CA848F30E43A22784C9CBD6EACEE017BE47275	(not available)
31	%System%\Install.txt	252 bytes	MD5: 0xF0FE0AAD6C95B309A43C4168C7947DD2 SHA-1: 0xFFFA0C89E3B5C795EA86A33836EC8AC40957837A	(not available)
32	%System%\msmrxgok.dll	36,865 bytes	MD5: 0xC3F7B7B23BE509F7F60EB1A036D82EEC SHA-1: 0x4CD359D9BB9C3807B318ADB7E2E4C977BB089A8F	Infostealer.Wowcraft [Symantec] Trojan-GameThief.Win32.OnLineGames.xegt [Kaspersky Lab] PWS-OnLineGames.il [McAfee] Mal/Behav-170 [Sophos] PWS:Win32/Frethog.MK [Microsoft]
33	%System%\nwcwks.dll	8,192 bytes	MD5: 0x6ECF985CB1A3F2D7F5525D55BCF4BB8B SHA-1: 0x240FF5600F273DA2475AA18003FCDA4E352FEA13	Generic.dx!txg [McAfee]
34	%System%\o2lazn.log	2,158 bytes	MD5: 0xC41B245505D7647EF2DC8C915445B3F1 SHA-1: 0x8EDBED5C222236F5AD52D2610982BEF25CF48537	(not available)
35	%System%\service.sys	40 bytes	MD5: 0xD02F7C795382C52220DEB7961FD042CD SHA-1: 0x16A452C7F9067808F98BD2D7019F76C65C3E1B6B	(not available)
36	%System%\szetyj67v.exe	155,648 bytes	MD5: 0x32C02D03AB6787BB418323CC90E8B88C SHA-1: 0x7F3904DF3CB9AD7CEE57FD6F0A67CA5127E492F4	W32.Virut.CF [Symantec] Virus.Win32.Virut.ce [Kaspersky Lab] W32/Virut.n.gen [McAfee] W32/Scribble-B [Sophos] Virus:Win32/Virut.BN [Microsoft] Virus.Win32.Delf [Ikarus] Win32/Virut.F [AhnLab]
37	%System%\szetyj67v.txt	2,987 bytes	MD5: 0x354988E633B0BE954A1D0B1C31DB1F3B SHA-1: 0x467421AED4BE80078522A39537D733F7663CD1A4	(not available)
38	%System%\szetyj67vx.exe %Windir%\Temp\c80mstsvl.exe	172,032 bytes	MD5: 0x9758375EB288CA07B0DA7705F8DEBC4C SHA-1: 0xF6613DD6637579BE94A61B124E6CDC83A8DF2A7F	W32.Virut.CF [Symantec] Virus.Win32.Virut.ce [Kaspersky Lab] W32/Virut.n.gen [McAfee] Virus:Win32/Virut.BN [Microsoft] Trojan-Downloader.Win32.VB.aqm [Ikarus] Win32/Virut.F [AhnLab]
39	%System%\updata.exe	38,400 bytes	MD5: 0xD12CDB83417719383B2E45CA86B9CBFF SHA-1: 0x39C63FC479EC03D28CD203C7A2A00880515658C8	W32.Virut.CF [Symantec] Virus.Win32.Virut.ce [Kaspersky Lab] W32/Virut.n.gen [McAfee] W32/Scribble-B [Sophos] Virus:Win32/Virut.BN [Microsoft] Trojan.Crypt [Ikarus] Win32/Virut.F [AhnLab]
40	%System%\userini.exe	49,152 bytes	MD5: 0xDF13B7627AFA324C6BB1513ABBD20F3A SHA-1: 0x90008525F9ABB499BBA4DE2500A2DCE98620D14A	(not available)
41	%System%\wuaucldt.exe	52,480 bytes	MD5: 0x4294F0AC69D52D3A37484305E3214428 SHA-1: 0x8E1218F30DFD191953C3C0A28E4C17E5DFA278BD	Virus.Win32.Virut.ce [Kaspersky Lab] W32/Virut.n.gen [McAfee] TrojanDownloader:Win32/Cutwail.BA [Microsoft] Virus.Win32.Virut [Ikarus] Win32/Virut.F [AhnLab]
42	%Windir%\Tasks\At1.job	406 bytes	MD5: 0x4CB006E425CCE8D04E83FEDDE1E8A12D SHA-1: 0xBE6FB88B158F88A3D0AE45B2E22ABF6F402D5E4A	(not available)
43	%Windir%\Temp\mjbpicmth.exe	232,960 bytes	MD5: 0xDA51ED5E2398322CECCD2F29736468AA SHA-1: 0x6428F6AE56890C9C2BD9596D48092DF9DC3279BD	W32.Virut.CF [Symantec] Virus.Win32.Virut.ce [Kaspersky Lab] W32/Virut.n.gen [McAfee] W32/Scribble-B [Sophos] Virus:Win32/Virut.BN [Microsoft] Virus.Win32.Virut [Ikarus] Win32/Virut.F [AhnLab]
44	%Windir%\Temp\msftcore.dat	670 bytes	MD5: 0x5C71ADAD2F870C6F84F24182104F755D SHA-1: 0xFE8E165AB86C1D2238812C22203A553B83F1456F	(not available)
45	%Windir%\Temp\msftcore.dll	54,512 bytes	MD5: 0xDD2A1DC1131D324D0E83EDA1A8EC7CBF SHA-1: 0x69044F7CF8A57035E66B5277167A75B49C996376	(not available)
46	%Windir%\Temp\msftdm.exe	22,528 bytes	MD5: 0x3E79DB5B4E15F50F7AE73148E112333B SHA-1: 0x28DFD0D1F00D736F46A5D53930573535B49E724C	W32.Virut.CF [Symantec] Virus.Win32.Virut.ce [Kaspersky Lab] W32/Virut.n.gen [McAfee] Virus:Win32/Virut.BN [Microsoft] Virus.Win32.Virut [Ikarus] Win32/Virut.F [AhnLab]
47	%Windir%\Temp\msftdm32.exe	22,528 bytes	MD5: 0xD1587B3C2CEDA04DF4D3798F0982E0E8 SHA-1: 0xEB68CE4F0639EB20FD6785C0A88D3FDA9F760C70	W32.Virut.CF [Symantec] Virus.Win32.Virut.ce [Kaspersky Lab] W32/Virut.n.gen [McAfee] Virus:Win32/Virut.BN [Microsoft] Virus.Win32.Virut [Ikarus] Win32/Virut.F [AhnLab]
48	%Windir%\Temp\msfteml.dll	46,844 bytes	MD5: 0xA62F7AB6D1E4E52E4FDD0CBA8001AA9F SHA-1: 0x8D59643DC102F4BD4FF21086DCC3B2FB2FC52EB3	Backdoor.Win32.Agent.baew [Kaspersky Lab]
49	%Windir%\Temp\msftldr.dll	29,900 bytes	MD5: 0xA88B2A785D05FDDE97E91B2943D0EDED SHA-1: 0xCB604BDFF4E964BE46BEE95DA626CBA2546095C6	(not available)
50	%Windir%\Temp\msftstp.exe	15,461 bytes	MD5: 0x46440FB9A29664E78F204594C8B3E9D2 SHA-1: 0x0B29AA54E35C92CF846B00C9739CBB4A263704CF	(not available)
51	%Windir%\Temp\msfttcp.dll	19,017 bytes	MD5: 0xD81681BF5C88BD5944FE74AFD0271B02 SHA-1: 0x96DBC371C9001FDEB891A1910409F335E1349454	Trojan.Win32.Swizzor.xpc [Kaspersky Lab]
52	%Windir%\Temp\mttsvbgl6.exe	57,556 bytes	MD5: 0x833BAF730AEA53A2C81817927252C426 SHA-1: 0x79E835B30364B34C105F5FC8C8ADEF315CDFE8E7	W32.Virut.CF [Symantec] Virus.Win32.Virut.ce [Kaspersky Lab] W32/Virut.n.gen [McAfee] Virus:Win32/Virut.BN [Microsoft] Virus.Win32.Virut [Ikarus] Win32/Virut.F [AhnLab]
53	%Windir%\Temp\ot6c4qnnm.exe	262,144 bytes	MD5: 0x65D4639CD603401749E4DB9C354F8D22 SHA-1: 0x70A1F7C9D8F5619E5AF08A38B37B120B9C440B7E	W32.Virut.CF [Symantec] Virus.Win32.Virut.ce [Kaspersky Lab] W32/Virut.n.gen [McAfee] W32/Scribble-B [Sophos] Virus:Win32/Virut.BN [Microsoft] Backdoor.Win32.SubSeven.21.Muie.A [Ikarus] Win32/Virut.F [AhnLab]
54	%Windir%\Temp\pauel2.exe	58,368 bytes	MD5: 0xFD6DFAD64C852D0A91715F1500122005 SHA-1: 0x79C06384290CE276DB878E9F440A070BE4672321	W32.Virut.CF [Symantec] Virus.Win32.Virut.ce [Kaspersky Lab] W32/Virut.n.gen [McAfee] W32/Scribble-B [Sophos] Virus:Win32/Virut.BN [Microsoft] Virus.Win32.Virut [Ikarus] Win32/Virut.F [AhnLab]
55	%Windir%\Temp\ydut.exe	58,368 bytes	MD5: 0x19A2F9CD40847F4A1D26FD75F3AED183 SHA-1: 0x7C11F675C7DF4FB3F3CEAFDE8DC35AC6A95B8EAF	W32.Virut.CF [Symantec] Virus.Win32.Virut.ce [Kaspersky Lab] W32/Virut.n.gen [McAfee] W32/Scribble-B [Sophos] Virus:Win32/Virut.BN [Microsoft] Virus.Win32.Virut [Ikarus] Win32/Virut.F [AhnLab]

Notes:

%UserProfile% is a variable that specifies the current user's profile folder. By default, this is C:\Documents and Settings\[UserName] (Windows NT/2000/XP).
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
%AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.
%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
%Programs% is a variable that refers to the file system directory that contains the user's program groups. A typical path is C:\Documents and Settings\[UserName]\Start Menu\Programs.
%Templates% is a variable that refers to the file system directory that serves as a common repository for document templates. A typical path is C:\Documents and Settings\[UserName]\Templates.
%UserName% is a variable that refers to the current user name.
%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.
%FontsDir% is a variable that refers to a virtual folder containing fonts. A typical path is C:\Windows\Fonts.

The following Alternate Data Stream was created in the system:

#	ADS name(s)	ADS Size	ADS Hash
1	%Windir%\explorer.exe:userini.exe	49,152 bytes	MD5: 0xDF13B7627AFA324C6BB1513ABBD20F3A SHA-1: 0x90008525F9ABB499BBA4DE2500A2DCE98620D14A

The following directories were created:

%AppData%\FlexibleSoft\drvwincrt34
%AppData%\Bron.tok-12-4
%AppData%\Ok-SendMail-Bron-tok
%Windir%\ShellNew

Memory Modifications

There was a new process created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	274,432 bytes

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDORSYS
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tbsolute
HKEY_LOCAL_MACHINE\SOFTWARE\Alexa Internet
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NWCWORKSTATION
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NWCWORKSTATION\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NWCWorkstation
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NWCWorkstation\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NWCWorkstation\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_NWCWORKSTATION
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_NWCWORKSTATION\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NWCWorkstation
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NWCWorkstation\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NWCWorkstation\Security
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\New Windows
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\New Windows\Allow
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
HKEY_USERS\.DEFAULT\Software\Microsoft\IEAK
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Connection Wizard
HKEY_USERS\.DEFAULT\Software\MSoftware
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]

Use FormSuggest = "yes"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDORSYS]

CheckedValue = 0x00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]

xfo23b = "%Windir%\TEMP\pauel2.exe"
e5u1 = "%Windir%\TEMP\ydut.exe"
apps = "%FontsDir%\services.exe"
userini = "%System%\userini.exe"

so that pauel2.exe runs every time Windows starts

so that ydut.exe runs every time Windows starts

so that services.exe runs every time Windows starts

so that userini.exe runs every time Windows starts

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

Bron-Spizaetus = ""%Windir%\ShellNew\sempalong.exe""
aaaaaaaa~ = "%System%\aaaaaaaa~.exe"
wdvcnx = "RUNDLL32.EXE %System%\msmrxgok.dll,w"
szetyj67v = "%System%\szetyj67v.exe"
szetyj67vx = "%System%\szetyj67vx.exe"
userini = "%System%\userini.exe"
wuaucldt = "%System%\wuaucldt.exe"
Regedit32 = "%System%\regedit.exe"

so that sempalong.exe runs every time Windows starts

so that aaaaaaaa~.exe runs every time Windows starts

so that msmrxgok.dll runs every time Windows starts

so that szetyj67v.exe runs every time Windows starts

so that szetyj67vx.exe runs every time Windows starts

so that userini.exe runs every time Windows starts

so that wuaucldt.exe runs every time Windows starts

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tbsolute]

values = 2A 3D F7 67 64 67 67 67 63 67 67 67 98 98 67 67 DF 67 67 67 67 67 67 67 27 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 66 67 67 69 78 DD 69 67 D3 6E AA 46 DF 66 2B AA 46 33 0F 0E 14 47 1

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NWCWORKSTATION\0000]

Service = "NWCWorkstation"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "Client Service for NetWare"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NWCWORKSTATION]

NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NWCWorkstation\Security]

Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NWCWorkstation\Parameters]

ServiceDll = "%System%\nwcwks.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NWCWorkstation]

Type = 0x00000020
Start = 0x00000002
ErrorControl = 0x00000001
ImagePath = "%System%\svchost.exe -k netsvcs"
DisplayName = "Client Service for NetWare"
ObjectName = "LocalSystem"
Description = "Provides access to file and print resources on NetWare networks."

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_NWCWORKSTATION\0000]

Service = "NWCWorkstation"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "Client Service for NetWare"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_NWCWORKSTATION]

NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NWCWorkstation\Security]

Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NWCWorkstation\Parameters]

ServiceDll = "%System%\nwcwks.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NWCWorkstation]

Type = 0x00000020
Start = 0x00000002
ErrorControl = 0x00000001
ImagePath = "%System%\svchost.exe -k netsvcs"
DisplayName = "Client Service for NetWare"
ObjectName = "LocalSystem"
Description = "Provides access to file and print resources on NetWare networks."

[HKEY_USERS\.DEFAULT\Software\Microsoft]

OSVersion = "20630647"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main]

DisableScriptDebuggerIE = "yes"
Error Dlg Displayed On Every Error = "no"
Play_Animations = "no"
Play_Background_Sounds = "no"
Display Inline Videos = "no"
FullScreen = "no"
Use FormSuggest = "yes"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\New Windows]

PopupMgr = "no"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar]

Locked = 0x00000001

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer]

UpdateHost = 00 50 5B BC 3B CE

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState]

Settings = 0C 00 02 00 0A 01 F8 75 60 00 00 00
FullPath = 0x00000000

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]

ProxyEnable = 0x00000000
WarnOnZoneCrossing = 0x00000000
WarnOnPostRedirect = 0x00000000
WarnonBadCertRecving = 0x00000000
WarnOnHTTPSToHTTPRedirect = 0x00000000
WarnOnPost = 0x00000000

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

aaaaaaaa~ = "%UserProfile%\aaaaaaaa~.exe"
NetLog2 = "%Windir%\svc2.exe"
NetLog3 = "%Windir%\svc3.exe"
wuaucldt = "%UserProfile%\wuaucldt.exe"

so that aaaaaaaa~.exe runs every time Windows starts

so that svc2.exe runs every time Windows starts

so that svc3.exe runs every time Windows starts

so that wuaucldt.exe runs every time Windows starts

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Windows]

win = "%FontsDir%\services.exe"
init = "%FontsDir%\services.exe"

so that services.exe runs every time Windows starts

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]

Shell = "%AppData%\hotfix.exe"

so that hotfix.exe runs every time Windows starts

[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Connection Wizard]

ShellNext = "http://flassesshop.com/default.pk?tsearch=retirement&search_button.x=14&search_button.y=5"
Completed = 01 00 00 00

[HKEY_USERS\.DEFAULT\Software\MSoftware]

Hidden = 01 00 00 00
InstallPath = "%UserProfile%\APPLIC~1\FLEXIB~1\DRVWIN~1"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International]

W2KLpk = 0x00000000

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]

Use FormSuggest = "yes"
DisableScriptDebuggerIE = "yes"
Error Dlg Displayed On Every Error = "no"
Play_Animations = "no"
Play_Background_Sounds = "no"
Display Inline Videos = "no"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]

WarnOnZoneCrossing = 0x00000000
WarnOnPostRedirect = 0x00000000
WarnonBadCertRecving = 0x00000000
WarnOnHTTPSToHTTPRedirect = 0x00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]

NoFolderOptions = 0x00000001

to remove the Folder Options item from all Windows Explorer menus and from Control Panel

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]

userini = "%System%\userini.exe"

so that userini.exe runs every time Windows starts

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]

DisableRegistryTools = 0x00000001
DisableCMD = 0x00000000

to disable the Windows registry editors (Regedt32.exe and Regedit.exe)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

Tok-Cirrhatus = ""%AppData%\smss.exe""
userini = "%System%\userini.exe"

so that smss.exe runs every time Windows starts

so that userini.exe runs every time Windows starts

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]

win = "%FontsDir%\services.exe"
init = "%FontsDir%\services.exe"

so that services.exe runs every time Windows starts

Other details

Analysis of the file resources indicate the following possible countries of origin:

	Russian Federation
	China

The HOSTS file was updated with the following URL-to-IP mappings:

Yahoo! GeoCities: Get a web site with easy-to-use site building tools.
h1 { line-height:30px;height:30px; padding-left:15px; font-weight:bold;font-size:1.6em;color:#1f296a;}
#signin_text { background-color:#E2EBFF; }
.services li { margin-left:1.0em; padding-left:0.5em; background:url("http://l.yimg.com/a/lib/smbiz/i/geo_bullet_3x3_1.gif") no-repeat 0 0.5em; margin-bottom:0.5em;margin-left:1.5em;margin-right:0.5em;width:6em}
.services li {float:left; width:17em; font-size:116%;margin-top:0.8em}
.services {  font-size:116%; padding-bottom:20px }
.learnmore a {color:#2882DE;font-size:16px}
.image_web  {float:right; margin:15px 0 0 15px}
#side_bar {padding:0 20px 20px;}
#footer {text-align:center;margin-top:20px;margin-bottom:20px}
p {margin:20px;font-size:1em;}
h2 {margin:20px 0 0 20px;color:#1F296;font-weight:bold;font-size:1.25em;color:#1f296a;}
h3 {margin:20px;color:#1F296;font-weight:bold;font-size:1.15em;color:#1f296a;}
#webhostingup {padding:2em 0 1em;margin:0}
#webhostingup li {margin-top:2.0em;background:url("http://l.yimg.com/a/lib/smbiz/i/geo_bullet_3x3_1.gif") no-repeat 0  0.5em;margin-left:0 ;padding-left:15px}
#boxyahoourls {padding-bottom:20px;}
li.rule {border-top:solid 1px #DBE1E6;}
div#headerblock div{font-family:arial;}
#ygma{position:relative;z-index:99999;}
#ygma #ygma-search input{width:200px;}
#ygma #ygma-search{width:400px;}
New User? Sign UpSign In
Help
Get Yahoo! Toolbar
if(window.yzq_d==null)window.yzq_d=new Object();
window.yzq_d['0Qw4Atj8a20-']='&U=13hn349r9%2fN%3d0Qw4Atj8a20-%2fC%3d650008.13445975.13532322.12832737%2fD%3dHPRM2%2fB%3d5706923%2fV%3d1';
Yahoo!MailMy Yahoo!NewsFinanceSportsWeb Search
window.yzq_d['zgw4Atj8a20-']='&U=13gmetml2%2fN%3dzgw4Atj8a20-%2fC%3d650008.13654021.13693393.13153902%2fD%3dHEAD%2fB%3d5836006%2fV%3d1';
Sorry, the GeoCities web site you were trying to reach is no longer available.
GeoCities has closed, but there's a lot more to explore on Yahoo!
Visit one of these popular Yahoo! sites:
Yahoo! Mail
Web Hosting
News
Games
Sports
Movies
Finance
Maps
The GeoCities site you were looking for may have been preserved in the Internet Archive's Wayback Machine. To find out, visit Archive.org and enter the site's web address in the field provided.
Copyright © 2009 Yahoo! Inc. All rights reserved.
Privacy Policy -
Copyright Policy -
Guidelines</a
> -
Terms of Service
-

There were registered attempts to establish connection with the remote hosts. The connection details are:

Remote Host	Port Number
122.224.6.48	10167
122.224.6.48	255
173.192.153.178	80
222.186.13.51	80
64.208.241.48	80
64.208.241.65	80
68.142.213.151	80
68.180.221.254	80
69.64.147.243	80
69.64.154.211	80
72.30.190.105	80
74.125.45.102	80
222.170.127.203	85
222.170.127.203	88

The data identified by the following URLs was then requested from the remote web server:

http://exe2.perfectexe.com:255/list.php?c=81995D8A60D602AECF283A12B2F79140CF5673489CBE52FB4F7AEDB88238EBD2ECD2213C0572412F85FCC2581F5A3E1CEF15A0576F16D18BEB84&v=2&t=0.6480371
http://bb.iwillhavebigdick.com/kp.exe
http://sb.perfectexe.com/kv.exe?t=0.9873163
http://sb.perfectexe.com/cool.gif?t=0.7733271
http://sb.perfectexe.com/cs.gif?t=0.2081415
http://sb.perfectexe.com/sy3.gif?t=0.57008
http://sy2.perfectexe.com:85/state.php?action=install&m=
http://sy2.perfectexe.com:85/svc.php?ver=5.2.3790.3990&p=&a=&m=&ua=Mozilla/4.0%20(compatible;%20MSIE%206.0;%20Win32)&alex=
http://sy2.perfectexe.com:85/svc.php?ver=5.2.3790.3990&aid=MEM35701&v=1&p=174.133.89.72&a=US&m=&ua=Mozilla/4.0%20(compatible;%20MSIE%206.0;%20Win32)&alex=
http://sy2.perfectexe.com:85/svc.php?ver=5.2.3790.3990&aid=MEM35701&c=1&p=174.133.89.72&a=US&m=&ua=Mozilla/4.0%20(compatible;%20MSIE%206.0;%20Win32)&alex=
http://2b.perfectexe.com:88/banner.gif?t=0.9974481
http://us.js2.yimg.com/us.js.yimg.com/lib/smb/js/hosting/cp/js_source/whv2_001.js
http://i.nuseek.com/images/misc/blank.gif
http://i.nuseek.com/Images/Shared/relLinkBkg.gif
http://i.nuseek.com/images/Themes/T101/bullets/0004.gif
http://i.nuseek.com/images/Themes/T101/buttons/0004.gif
http://i.nuseek.com/Images/Shared/prev.gif
http://i.nuseek.com/Images/Shared/next.gif
http://www.solivitasales.com/?OVRAW=retirement&OVKEY=retirement&OVMTC=standard&OVADID=13617949521&OVKWID=307688529021&OVCAMPGID=535247521&OVADGRPID=1395822909&OVNDID=ND2
http://www.solivitasales.com/sitebuilder/images/yellowHousesRoofsPeople-759x89-762x89.jpg
http://www.solivitasales.com/clipart/images/sidebars/tanBarHouseShadowSoldSign.gif
http://www.solivitasales.com/clipart/images/sidebars/bigTanBarVertical.gif
http://www.solivitasales.com/sitebuilder/images/DSCF1253-213x128.jpg
http://www.solivitasales.com/sitebuilder/images/4340-231x118.jpg
http://www.solivitasales.com/sitebuilder/images/4341-234x120.jpg
http://www.solivitasales.com/sitebuilder/images/4342-222x113.jpg
http://www.solivitasales.com/sitebuilder/images/newnav-0-active-96187.png
http://www.solivitasales.com/sitebuilder/images/newnav-1-inactive-64859.png
http://www.solivitasales.com/sitebuilder/images/newnav-2-inactive-42109.png
http://www.solivitasales.com/sitebuilder/images/newnav-4-inactive-42328.png
http://www.solivitasales.com/sitebuilder/images/newnav-5-inactive-42421.png
http://www.solivitasales.com/sitebuilder/images/newnav-3-inactive-42218.png
http://www.solivitasales.com/sitebuilder/images/newnav-6-inactive-42515.png
http://www.solivitasales.com/sitebuilder/images/newnav-7-inactive-42625.png
http://www.solivitasales.com/sitebuilder/images/newnav-8-inactive-42734.png
http://www.solivitasales.com/sitebuilder/images/newnav-9-inactive-42843.png
http://www.solivitasales.com/sitebuilder/images/bus_card_village_solivita_copy5-788x499.jpg
http://www.solivitasales.com/images/map.jpg
http://visit.webhosting.yahoo.com/visit.gif?&r=&b=Microsoft%20Internet%20Explorer%204.0%20%28compatible%3B%20MSIE%206.0%3B%20Windows%20NT%205.1%3B%20SV1%3B%20.NET%20CLR%202.0.50727%29&s=640x480&o=Win32&c=32&j=true&v=1.2
http://flassesshop.com/default.pk?tsearch=retirement&search_button.x=14&search_button.y=5
http://flassesshop.com/flassesshop.com.js
http://flassesshop.com/c701556f-e4bb-4448-b2c1-606c82070556.ippi?g=c701556f-e4bb-4448-b2c1-606c82070556
http://search.dmtracker.com/tags/vs.js
http://search.dmtracker.com/images/zig.gif?Log=1&v=JT01.02&lt=0&t=books%20fiction%20sell%20children's%20textbooks%20at%20flassesshop.com&r=&l=en-us&ss=640*480&sc=32&jv=15&ct=lan&hp=n&vid=0.598558117961214
http://www.google-analytics.com/ga.js
http://ad.ghura.pl/rus.php
http://kdert.com/wmp/set.txt?t=0.4427606
http://kdert.com/kb3.txt
http://kdert.com/wmp/bqq2.txt
http://kdert.com/wmp/dmq4.txt
http://kdert.com/wmp/cdq3.txt
http://kdert.com/wmp/adq1.txt
http://kdddaber.com/sv/test.exe?t=0.6453974
http://streq.cn/in.cgi?ka2
http://bestkind.ru/list.php?c=BFA7B16642F4C8643BDCC4ECB2F7BE6FC45D2219ECCE4EE798AD603545FF4C75C4FAA7BA4F38CFA196EF5AC0F2B7F0D256ACF90EBFC6CE9F3145&v=2&t=0.7434198
http://www.geocities.com/sbllma5/IN12VLMLWHOX.txt
http://www.geocities.com/sbllma5/Host12.txt

Outbound traffic (potentially malicious)

There was an outbound traffic produced on port 10167:

There was an outbound traffic produced on port 80:

00000000 | 0100 0000 79C7 F01B 15C8 FC31 9520 3F19 | ....y......1. ?.
00000010 | 6F39 F5B7 7139 65D9 10AA F097 63F7 FC3C | o9..q9e.....c..<
00000020 | 0340 9215 C8FC 3196 203F 196D 39F6 B77D | .@....1. ?.m9..}
00000030 | 3953 D80C A764 B779 39F0 B715 C8FC 3194 | 9S...d.y9.....1.
00000040 | 203F 196D 39F8 B77D 3963 D20A AC59 D817 |  ?.m9..}9c...Y..
00000050 | 3963 0589 5415 C8FC 3197 203F 196D 39F7 | 9c..T...1. ?.m9.
00000060 | B77D 3966 D217 9D5F C579 3BF0 B779 15C8 | .}9f..._.y;..y..
00000070 | FC31 9620 3F19 6B39 F8B7 7B39 5CD3 0BAD | .1. ?.k9..{9\...
00000080 | 69C7 1C39 F1B7 15C8 FC31 9720 3F19 6D39 | i..9.....1. ?.m9
00000090 | F7B7 7D39 5CD3 0BAF 55C5 799D F0B7 7915 | ..}9\...U.y...y.
000000A0 | C8FC 31A6 203F 1960 39F7 B76A 3967 DE17 | ..1. ?.`9..j9g..
000000B0 | AF55 C579 3EF0 B779 3AF0 B779 61FA B779 | .U.y>..y:..ya..y
000000C0 | 3BF0 B779 39F1 B617 DFF0 3786 203F 19   | ;..y9.....7. ?.
00000000 | 4745 5420 2F63 7373 2F64 6273 746F 7265 | GET /css/dbstore
00000010 | 2E63 7373 3F64 6566 3D41 6B61 6D61 6925 | .css?def=Akamai%
00000020 | 3361 486F 7374 696E 6755 524C 2533 6468 | 3aHostingURL%3dh
00000030 | 7474 7025 3361 2532 6625 3266 692E 6E75 | ttp%3a%2f%2fi.nu
00000040 | 7365 656B 2E63 6F6D 2537 6350 6172 6B69 | seek.com%7cParki
00000050 | 6E67 2533 6153 6B69 6E50 6174 6825 3364 | ng%3aSkinPath%3d
00000060 | 2537 6342 6479 5374 796C 2533 6150 6167 | %7cBdyStyl%3aPag
00000070 | 6542 6163 6B67 726F 756E 6443 6F6C 6F72 | eBackgroundColor
00000080 | 2533 6425 3233 6666 6625 3763 4264 7953 | %3d%23fff%7cBdyS
00000090 | 7479 6C25 3361 466F 6E74 2533 6461 7269 | tyl%3aFont%3dari
000000A0 | 616C 2537 6342 6479 5374 796C 2533 6146 | al%7cBdyStyl%3aF
000000B0 | 6F6E 7453 697A 6525 3364 3132 2537 6342 | ontSize%3d12%7cB
000000C0 | 6479 5374 796C 2533 6146 6F6E 7443 6F6C | dyStyl%3aFontCol
000000D0 | 6F72 2533 6425 3233 3065 3566 6438 2537 | or%3d%230e5fd8%7
000000E0 | 6342 6479 5374 796C 2533 6150 7269 6D61 | cBdyStyl%3aPrima
000000F0 | 7279 436F 6C6F 7225 3364 2532 3331 3632 | ryColor%3d%23162
00000100 | 6434 3825 3763 4264 7953 7479 6C25 3361 | d48%7cBdyStyl%3a
00000110 | 5072 696D 6172 7943 6F6C 6F72 436F 6D70 | PrimaryColorComp
00000120 | 6C65 6D65 6E74 2533 6425 3233 6666 6625 | lement%3d%23fff%
00000130 | 3763 4264 7953 7479 6C25 3361 5365 636F | 7cBdyStyl%3aSeco
00000140 | 6E64 6172 7943 6F6C 6F72 2533 6425 3233 | ndaryColor%3d%23
00000150 | 3563 3639 3836 2537 6342 6479 5374 796C | 5c6986%7cBdyStyl
00000160 | 2533 6153 6563 6F6E 6461 7279 436F 6C6F | %3aSecondaryColo
00000170 | 7243 6F6D 706C 656D 656E 7425 3364 2532 | rComplement%3d%2
00000180 | 3363 6564 3264 6125 3763 4264 7953 7479 | 3ced2da%7cBdySty
00000190 | 6C25 3361 5465 7274 6961 7279 436F 6C6F | l%3aTertiaryColo
000001A0 | 7225 3364 2532 3366 3366 3366 3325 3763 | r%3d%23f3f3f3%7c
000001B0 | 4264 7953 7479 6C25 3361 5465 7274 6961 | BdyStyl%3aTertia
000001C0 | 7279 436F 6C6F 7243 6F6D 706C 656D 656E | ryColorComplemen
000001D0 | 7425 3364 2532 3334 6236 6162 3025 3763 | t%3d%234b6ab0%7c
000001E0 | 5067 4864 7225 3361 466F 6E74 5369 7A65 | PgHdr%3aFontSize
000001F0 | 2533 6431 3825 3763 5067 4864 7225 3361 | %3d18%7cPgHdr%3a
00000200 | 466F 6E74 2533 6456 6572 6461 6E61 2537 | Font%3dVerdana%7
00000210 | 6352 656C 4C69 6E6B 2533 6146 6F6E 7425 | cRelLink%3aFont%
00000220 | 3364 6172 6961 6C25 3763 5265 6C4C 696E | 3darial%7cRelLin
00000230 | 6B25 3361 466F 6E74 5369 7A65 2533 6431 | k%3aFontSize%3d1
00000240 | 3425 3763 5265 6C4C 696E 6B25 3361 466F | 4%7cRelLink%3aFo
00000250 | 6E74 436F 6C6F 7225 3364 2532 3334 6236 | ntColor%3d%234b6
00000260 | 6162 3025 3763 5265 6C4C 696E 6B25 3361 | ab0%7cRelLink%3a
00000270 | 486F 7665 7246 6F6E 7443 6F6C 6F72 2533 | HoverFontColor%3
00000280 | 6425 3233 3866 3162 3162 2537 6352 656C | d%238f1b1b%7cRel
00000290 | 4C69 6E6B 2533 6142 6163 6B67 726F 756E | Link%3aBackgroun
000002A0 | 6443 6F6C 6F72 2533 6425 3233 6636 6636 | dColor%3d%23f6f6
000002B0 | 6636 2537 6352 656C 4C69 6E6B 2533 6148 | f6%7cRelLink%3aH
000002C0 | 6F76 6572 4261 636B 6772 6F75 6E64 436F | overBackgroundCo
000002D0 | 6C6F 7225 3364 2532 3366 6666 2537 6352 | lor%3d%23fff%7cR
000002E0 | 656C 4C69 6E6B 2533 6144 6976 6964 6572 | elLink%3aDivider
000002F0 | 436F 6C6F 7225 3364 2532 3362 6563 3863 | Color%3d%23bec8c
00000300 | 6625 3763 5265 6C4C 696E 6B25 3361 496D | f%7cRelLink%3aIm
00000310 | 6167 6550 6174 6825 3364 2532 6669 6D61 | agePath%3d%2fima
00000320 | 6765 7325 3266 5468 656D 6573 2532 6654 | ges%2fThemes%2fT
00000330 | 3130 3125 3266 6275 6C6C 6574 7325 3266 | 101%2fbullets%2f
00000340 | 3030 3034 2E67 6966 2537 6352 656C 4C69 | 0004.gif%7cRelLi
00000350 | 6E6B 2533 6149 6D61 6765 5769 6474 6825 | nk%3aImageWidth%
00000360 | 3364 3130 2537 6352 656C 4C69 6E6B 2533 | 3d10%7cRelLink%3
00000370 | 6149 6D61 6765 4865 6967 6874 2533 6431 | aImageHeight%3d1
00000380 | 3025 3763 426F 7474 6F6D 4E61 7625 3361 | 0%7cBottomNav%3a
00000390 | 496D 6167 6550 6174 6825 3364 2532 6669 | ImagePath%3d%2fi
000003A0 | 6D61 6765 7325 3266 5468 656D 6573 2532 | mages%2fThemes%2
000003B0 | 6654 3130 3125 3266 6275 6C6C 6574 735F | fT101%2fbullets_
000003C0 | 3978 3925 3266 3030 3034 2E67 6966 2537 | 9x9%2f0004.gif%7
000003D0 | 6352 6573 756C 7425 3361 496D 6167 6550 | cResult%3aImageP
000003E0 | 6174 6825 3364 2532 6669 6D61 6765 7325 | ath%3d%2fimages%
000003F0 | 3266 5468 656D 6573 2532 6654 3130 3125 | 2fThemes%2fT101%
00000400 | 3266 6275 6C6C 6574 7325 3266 3030 3034 | 2fbullets%2f0004
00000410 | 2E67 6966 2537 6352 6573 756C 7425 3361 | .gif%7cResult%3a
00000420 | 4865 6164 6572 466F 6E74 2533 6461 7269 | HeaderFont%3dari
00000430 | 616C 2537 6352 6573 756C 7425 3361 4865 | al%7cResult%3aHe
00000440 | 6164 6572 466F 6E74 5369 7A65 2533 6431 | aderFontSize%3d1
00000450 | 3225 3763 5265 7375 6C74 2533 6148 6561 | 2%7cResult%3aHea
00000460 | 6465 7246 6F6E 7443 6F6C 6F72 2533 6425 | derFontColor%3d%
00000470 | 3233 3030 3025 3763 5265 7375 6C74 2533 | 23000%7cResult%3
00000480 | 6154 6974 6C65 466F 6E74 2533 6461 7269 | aTitleFont%3dari
00000490 | 616C 2537 6352 6573 756C 7425 3361 5469 | al%7cResult%3aTi
000004A0 | 746C 6546 6F6E 7453 697A 6525 3364 3136 | tleFontSize%3d16
000004B0 | 2537 6352 6573 756C 7425 3361 5469 746C | %7cResult%3aTitl
000004C0 | 6546 6F6E 7443 6F6C 6F72 2533 6425 3233 | eFontColor%3d%23
000004D0 | 3030 6325 3763 5265 7375 6C74 2533 6141 | 00c%7cResult%3aA
000004E0 | 6273 7472 6163 7446 6F6E 7425 3364 6172 | bstractFont%3dar
000004F0 | 6961 6C25 3763 5265 7375 6C74 2533 6141 | ial%7cResult%3aA
00000500 | 6273 7472 6163 7446 6F6E 7453 697A 6525 | bstractFontSize%
00000510 | 3364 3132 2537 6352 6573 756C 7425 3361 | 3d12%7cResult%3a
00000520 | 4162 7374 7261 6374 466F 6E74 436F 6C6F | AbstractFontColo
00000530 | 7225 3364 2532 3330 3030 2537 6352 6573 | r%3d%23000%7cRes
00000540 | 756C 7425 3361 5552 4C46 6F6E 7425 3364 | ult%3aURLFont%3d
00000550 | 6172 6961 6C25 3763 5265 7375 6C74 2533 | arial%7cResult%3
00000560 | 6155 524C 466F 6E74 5369 7A65 2533 6431 | aURLFontSize%3d1
00000570 | 3225 3763 5265 7375 6C74 2533 6155 524C | 2%7cResult%3aURL
00000580 | 466F 6E74 436F 6C6F 7225 3364 2532 3330 | FontColor%3d%230
00000590 | 3038 3030 3025 3763 5265 7375 6C74 2533 | 08000%7cResult%3
000005A0 | 6153 6964 6562 6172 426F 7264 6572 436F | aSidebarBorderCo
000005B0 | 6C6F 7225 3364 2532 3363 6363 2537 6353 | lor%3d%23ccc%7cS
000005C0 | 7263 6842 6F78 2533 6149 6D61 6765 5061 | rchBox%3aImagePa
000005D0 | 7468 2533 6425 3266 696D 6167 6573 2532 | th%3d%2fimages%2
000005E0 | 6654 6865 6D65 7325 3266 5431 3031 2532 | fThemes%2fT101%2
000005F0 | 6662 7574 746F 6E73 2532 6630 3030 342E | fbuttons%2f0004.
00000600 | 6769 6625 3763 5372 6368 426F 7825 3361 | gif%7cSrchBox%3a
00000610 | 496D 6167 6557 6964 7468 2533 6436 3025 | ImageWidth%3d60%
00000620 | 3763 5372 6368 426F 7825 3361 496D 6167 | 7cSrchBox%3aImag
00000630 | 6548 6569 6768 7425 3364 3232 2537 6353 | eHeight%3d22%7cS
00000640 | 7263 6842 6F78 2533 6141 6C69 676E 2533 | rchBox%3aAlign%3
00000650 | 6472 6967 6874 2537 6353 6561 7263 684C | dright%7cSearchL
00000660 | 696E 6B47 726F 7570 2533 6148 6F76 6572 | inkGroup%3aHover
00000670 | 4C69 6E6B 436F 6C6F 7225 3364 2532 3366 | LinkColor%3d%23f
00000680 | 6639 2537 6355 7372 4375 7374 2533 6146 | f9%7cUsrCust%3aF
00000690 | 6F6E 7454 7970 6525 3364 7665 7264 616E | ontType%3dverdan
000006A0 | 6125 3763 5573 7243 7573 7425 3361 466F | a%7cUsrCust%3aFo
000006B0 | 6E74 5369 7A65 2533 6431 3125 3763 5573 | ntSize%3d11%7cUs
000006C0 | 7243 7573 7425 3361 466F 6E74 436F 6C6F | rCust%3aFontColo
000006D0 | 7225 3364 2532 3336 3636 2537 6355 7372 | r%3d%23666%7cUsr
000006E0 | 4375 7374 2533 614C 696E 6B43 6F6C 6F72 | Cust%3aLinkColor
000006F0 | 2533 6425 3233 3065 3566 6438 2663 7373 | %3d%230e5fd8&css
00000700 | 6964 3D31 3136 2048 5454 502F 312E 300D | id=116 HTTP/1.0.
00000710 | 0A41 6363 6570 743A 202A 2F2A 0D0A 5265 | .Accept: */*..Re
00000720 | 6665 7265 723A 2068 7474 703A 2F2F 666C | ferer: http://fl
00000730 | 6173 7365 7373 686F 702E 636F 6D2F 6465 | assesshop.com/de
00000740 | 6661 756C 742E 706B 3F74 7365 6172 6368 | fault.pk?tsearch
00000750 | 3D72 6574 6972 656D 656E 7426 7365 6172 | =retirement&sear
00000760 | 6368 5F62 7574 746F 6E2E 783D 3134 2673 | ch_button.x=14&s
00000770 | 6561 7263 685F 6275 7474 6F6E 2E79 3D35 | earch_button.y=5
00000780 | 0D0A 5573 6572 2D41 6765 6E74 3A20 4D6F | ..User-Agent: Mo
00000790 | 7A69 6C6C 612F 342E 3020 2863 6F6D 7061 | zilla/4.0 (compa
000007A0 | 7469 626C 653B 204D 5349 4520 362E 303B | tible; MSIE 6.0;
000007B0 | 2057 696E 646F 7773 204E 5420 352E 313B |  Windows NT 5.1;
000007C0 | 2053 5631 3B20 2E4E 4554 2043 4C52 2032 |  SV1; .NET CLR 2
000007D0 | 2E30 2E35 3037 3237 290D 0A48 6F73 743A | .0.50727)..Host:
000007E0 | 2066 6C61 7373 6573 7368 6F70 2E63 6F6D |  flassesshop.com
000007F0 | 0D0A 436F 6E6E 6563 7469 6F6E 3A20 4B65 | ..Connection: Ke
00000800 | 6570 2D41 6C69 7665 0D0A 436F 6F6B 6965 | ep-Alive..Cookie
00000810 | 3A20 5365 7373 696F 6E49 443D 3662 6335 | : SessionID=6bc5
00000820 | 3065 3662 2D32 3665 382D 3461 3233 2D39 | 0e6b-26e8-4a23-9
00000830 | 3465 302D 3036 6664 3132 3761 6665 3761 | 4e0-06fd127afe7a
00000840 | 3B20 5669 7369 746F 7249 443D 3838 3863 | ; VisitorID=888c
00000850 | 3834 3461 2D31 3636 322D 3464 3661 2D62 | 844a-1662-4d6a-b
00000860 | 3465 362D 6639 3637 6366 3639 3539 3233 | 4e6-f967cf695923
00000870 | 2645 7870 3D31 302F 342F 3230 3133 2033 | &Exp=10/4/2013 3
00000880 | 3A31 343A 3236 2041 4D3B 2079 6168 6F6F | :14:26 AM; yahoo
00000890 | 546F 6B65 6E3D 7173 3D30 366F 454E 7961 | Token=qs=06oENya
000008A0 | 345A 4731 5953 3676 4F4C 4A77 704C 6946 | 4ZG1YS6vOLJwpLiF
000008B0 | 646A 4739 385F 4536 4B36 4232 3876 6E57 | djG98_E6K6B28vnW
000008C0 | 5556 6550 5F54 6259 506F 524D 7441 6D44 | UVeP_TbYPoRMtAmD
000008D0 | 354D 5961 2D76 6C4F 7756 4734 4866 3242 | 5MYa-vlOwVG4Hf2B
000008E0 | 5742 785F 7A77 6532 3276 3570 656A 6B66 | WBx_zwe22v5pejkf
000008F0 | 2D4D 3075 4547 3659 7139 396E 6D47 3864 | -M0uEG6Yq99nmG8d
00000900 | 4F79 3964 396F 596F 5241 6431 326E 7857 | Oy9d9oYoRAd12nxW
00000910 | 3078 4F51 6452 7143 4873 7050 614B 6236 | 0xOQdRqCHspPaKb6
00000920 | 4361 6831 4B34 3873 6A7A 3648 7731 7830 | Cah1K48sjz6Hw1x0
00000930 | 6C41 6156 4551 6744 6348 3975 7975 6C67 | lAaVEQgDcH9uyulg
00000940 | 2D48 5071 7645 4D47 474F 4E39 7267 4845 | -HPqvEMGGON9rgHE
00000950 | 5730 3862 6467 2E2C 5954 307A 0D0A 0D0A | W08bdg.,YT0z....
00000960 | 4745 5420 2F66 6F72 7761 7264 3330 322E | GET /forward302.
00000970 | 6173 7078 3F6E 6570 633D 6557 7044 5065 | aspx?nepc=eWpDPe
00000980 | 446B 436E 3725 3266 5041 576A 4A44 4848 | DkCn7%2fPAWjJDHH
00000990 | 6936 704B 444E 5041 3334 7438 7648 576C | i6pKDNPA34t8vHWl
000009A0 | 6D68 7849 7925 3262 5A77 3664 334A 4B48 | mhxIy%2bZw6d3JKH
000009B0 | 2532 6276 626F 684B 4D55 5669 4C56 7743 | %2bvbohKMUViLVwC
000009C0 | 4B4A 3277 4B4F 6D4D 636C 4A69 5A36 3046 | KJ2wKOmMclJiZ60F
000009D0 | 4161 764D 4561 4C43 7A55 4733 3452 4F32 | AavMEaLCzUG34RO2
000009E0 | 3373 5A65 3125 3262 596E 3070 6125 3266 | 3sZe1%2bYn0pa%2f
000009F0 | 3875 497A 3877 6C65 5836 715A 3562 7657 | 8uIz8wleX6qZ5bvW
00000A00 | 6243 6E57 4D68 4E59 6371 6939 5A75 3255 | bCnWMhNYcqi9Zu2U
00000A10 | 4E45 7525 3262 3170 314F 4F7A 6766 786D | NEu%2b1p1OOzgfxm
00000A20 | 6231 6C69 7859 7136 6430 4353 6E63 446E | b1lixYq6d0CSncDn
00000A30 | 654B 6846 4738 5930 754C 4E53 6835 2532 | eKhFG8Y0uLNSh5%2
00000A40 | 6655 704D 5066 4F70 6655 786F 4F41 3772 | fUpMPfOpfUxoOA7r
00000A50 | 4965 6372 4879 4546 484B 7570 6448 4153 | IecrHyEFHKupdHAS
00000A60 | 3170 5937 584E 6748 5174 3169 4F46 6348 | 1pY7XNgHQt1iOFcH
00000A70 | 4343 7077 3978 4251 4B51 3645 314F 4E35 | CCpw9xBQKQ6E1ON5
00000A80 | 4559 3447 5654 2532 6651 5038 6254 5942 | EY4GVT%2fQP8bTYB
00000A90 | 5137 4733 654B 4A63 4148 5730 6465 3941 | Q7G3eKJcAHW0de9A
00000AA0 | 6268 4A4D 664A 3356 4748 4459 426D 686C | bhJMfJ3VGHDYBmhl
00000AB0 | 7533 3633 4C7A 796D 3050 6662 7263 6C69 | u363Lzym0Pfbrcli
00000AC0 | 5965 4D56 526C 7943 4B33 2532 6278 4A66 | YeMVRlyCK3%2bxJf
00000AD0 | 4548 7049 5934 3247 6446 4E50 5958 4E36 | EHpIY42GdFNPYXN6
00000AE0 | 6F45 7A36 2532 664F 6C66 614C 315A 3867 | oEz6%2fOlfaL1Z8g
00000AF0 | 366E 4F56 5354 657A 5941 415A 514B 5964 | 6nOVSTezYAAZQKYd
00000B00 | 4F47 7575 4F51 5536 704D 6371 6563 4346 | OGuuOQU6pMcqecCF
00000B10 | 7466 524E 6A32 4A7A 4276 3563 3671 5555 | tfRNj2JzBv5c6qUU
00000B20 | 5367 6748 444A 7569 5866 3379 324A 6255 | SggHDJuiXf3y2JbU
00000B30 | 5933 4272 764E 4930 6A4E 5A72 4D51 6D62 | Y3BrvNI0jNZrMQmb
00000B40 | 4F65 3457 4635 4766 5733 4D73 6E42 2532 | Oe4WF5GfW3MsnB%2
00000B50 | 664A 3471 7533 4E6C 3578 7045 6970 436C | fJ4qu3Nl5xpEipCl
00000B60 | 557A 7673 7A65 5A79 5065 3379 7356 6645 | UzvszeZyPe3ysVfE
00000B70 | 6441 4A43 544E 4D77 6F6E 7177 7734 5879 | dAJCTNMwonqww4Xy
00000B80 | 5361 674B 3541 6331 2532 627A 5267 6854 | SagK5Ac1%2bzRghT
00000B90 | 3137 6544 794F 316D 5870 706A 7873 3577 | 17eDyO1mXppjxs5w
00000BA0 | 596E 7252 324F 4F69 6E5A 624C 5268 7649 | YnrR2OOinZbLRhvI
00000BB0 | 6652 6659 3638 364B 3151 5430 6970 4131 | fRfY686K1QT0ipA1
00000BC0 | 5847 346F 5861 7347 3976 5845 6675 3847 | XG4oXasG9vXEfu8G
00000BD0 | 5864 7370 384E 3466 7033 4E38 5955 4975 | Xdsp8N4fp3N8YUIu
00000BE0 | 6D6C 4465 5547 766C 4776 7225 3266 3931 | mlDeUGvlGvr%2f91
00000BF0 | 6457 536E 3665 4178 4E31 4E71 515A 5767 | dWSn6eAxN1NqQZWg
00000C00 | 4571 7A6F 7354 6F25 3266 6875 3075 6650 | EqzosTo%2fhu0ufP
00000C10 | 4B57 334F 6679 4265 4875 656C 5655 3825 | KW3OfyBeHuelVU8%
00000C20 | 3266 3069 326E 6950 4C31 786A 4430 6663 | 2f0i2niPL1xjD0fc
00000C30 | 3579 4A38 4D37 6E33 5566 5938 7848 6F35 | 5yJ8M7n3UfY8xHo5
00000C40 | 7254 6F43 3047 3725 3262 7438 566A 4A6F | rToC0G7%2bt8VjJo
00000C50 | 4968 5335 4B71 526E 464E 5076 6266 576C | IhS5KqRnFNPvbfWl
00000C60 | 4138 7042 3267 636D 5234 4838 7173 7325 | A8pB2gcmR4H8qss%
00000C70 | 3266 476F 4253 4A54 4664 4B73 6762 4C67 | 2fGoBSJTFdKsgbLg
00000C80 | 6A66 6934 4463 3661 4D50 2532 6225 3262 | jfi4Dc6aMP%2b%2b
00000C90 | 5569 367A 4353 7745 596C 5056 6E33 4B68 | Ui6zCSwEYlPVn3Kh
00000CA0 | 4770 396A 584B 7967 7A45 576E 574A 7138 | Gp9jXKygzEWnWJq8
00000CB0 | 3565 6F75 3668 424C 4E42 467A 7476 7964 | 5eou6hBLNBFztvyd
00000CC0 | 6334 4469 6679 7A32 3058 506A 545A 485A | c4Difyz20XPjTZHZ
00000CD0 | 697A 3134 716F 5956 454C 5877 557A 6F51 | iz14qoYVELXwUzoQ
00000CE0 | 706F 3364 3647 6271 734A 3173 4657 7758 | po3d6GbqsJ1sFWwX
00000CF0 | 5367 6F7A 6A79 2532 666E 6151 627A 5271 | Sgozjy%2fnaQbzRq
00000D00 | 306B 534C 6362 4E6F 7036 3263 6C6D 6659 | 0kSLcbNop62clmfY
00000D10 | 4435 6A6A 6951 6E58 7434 5475 4C41 3479 | D5jjiQnXt4TuLA4y
00000D20 | 616D 346C 3341 774C 5447 4E45 6E70 4858 | am4l3AwLTGNEnpHX
00000D30 | 336B 7177 6F76 6177 6E25 3266 3475 3872 | 3kqwovawn%2f4u8r
00000D40 | 5A47 4766 5648 3368 4E4E 6E45 6532 4C41 | ZGGfVH3hNNnEe2LA
00000D50 | 436E 6C64 646C 5A6B 4B66 6958 6825 3262 | CnlddlZkKfiXh%2b
00000D60 | 496E 3361 7050 5939 6A6A 3654 6F4D 6968 | In3apPY9jj6ToMih
00000D70 | 636B 536B 6134 3475 2532 6649 4767 3667 | ckSka44u%2fIGg6g
00000D80 | 5A59 5579 586D 584F 5378 6530 6A52 6C57 | ZYUyXmXOSxe0jRlW
00000D90 | 4975 7077 6466 4348 5554 434D 5258 4461 | IupwdfCHUTCMRXDa
00000DA0 | 3158 3664 7043 4150 7437 5076 4268 4245 | 1X6dpCAPt7PvBhBE
00000DB0 | 4F6F 5376 6D42 315A 444B 4F25 3262 6876 | OoSvmB1ZDKO%2bhv
00000DC0 | 384E 5852 5951 776C 6574 7176 6752 734B | 8NXRYQwletqvgRsK
00000DD0 | 6F77 4577 7541 3742 5025 3266 4E62 494F | owEwuA7BP%2fNbIO
00000DE0 | 4725 3262 5644 714A 745A 3350 6730 564C | G%2bVDqJtZ3Pg0VL
00000DF0 | 5543 5A37 6A71 5574 574D 6350 4747 3559 | UCZ7jqUtWMcPGG5Y
00000E00 | 4B61 5965 6A76 5458 6579 5546 6374 706B | KaYejvTXeyUFctpk
00000E10 | 4332 6D34 496D 4B4C 6D53 6953 4372 4B76 | C2m4ImKLmSiSCrKv
00000E20 | 4B61 4843 6B75 6430 4762 384E 5655 474A | KaHCkud0Gb8NVUGJ
00000E30 | 7A69 6461 6A4B 556E 3559 4A6A 304F 5A59 | zidajKUn5YJj0OZY
00000E40 | 2532 6275 7064 704C 6F36 6F4E 6656 4F51 | %2bupdpLo6oNfVOQ
00000E50 | 3148 7264 6131 7359 674C 3967 4C6E 4D75 | 1Hrda1sYgL9gLnMu
00000E60 | 615A 4B52 4E54 766F 5967 6E50 676F 5033 | aZKRNTvoYgnPgoP3
00000E70 | 5266 3550 6546 7031 7973 3674 4174 6F66 | Rf5PeFp1ys6tAtof
00000E80 | 7A66 674E 547A 6943 5A25 3266 5A51 4A6D | zfgNTziCZ%2fZQJm
00000E90 | 3952 3058 5074 5953 774E 716D 4E34 3541 | 9R0XPtYSwNqmN45A
00000EA0 | 697A 4B66 3731 305A 5674 7642 4944 5456 | izKf710ZVtvBIDTV
00000EB0 | 454A 3769 5A74 4E69 7038 6A25 3266 6C50 | EJ7iZtNip8j%2flP
00000EC0 | 5643 7445 704E 5347 565A 746D 6E72 596F | VCtEpNSGVZtmnrYo
00000ED0 | 2532 6638 7376 697A 3736 3178 6C66 2532 | %2f8sviz761xlf%2
00000EE0 | 6669 3451 2532 6667 4833 3242 6F6F 6B64 | fi4Q%2fgH32Bookd
00000EF0 | 5166 7A50 674E 596E 7534 4A58 6A39 6C44 | QfzPgNYnu4JXj9lD
00000F00 | 3555 746D 4F73 694F 494A 6E62 336B 5241 | 5UtmOsiOIJnb3kRA
00000F10 | 4830 6D6C 686F 6341 4465 4261 5978 6E6F | H0mlhocADeBaYxno
00000F20 | 684C 425A 6D48 2532 624B 4A53 7357 6F41 | hLBZmH%2bKJSsWoA
00000F30 | 5652 7442 2532 6659 567A 4734 4B62 5736 | VRtB%2fYVzG4KbW6
00000F40 | 6170 7144 2532 627A 6747 7954 7A67 5959 | apqD%2bzgGyTzgYY
00000F50 | 7167 7971 2532 6252 4179 5573 3545 5841 | qgyq%2bRAyUs5EXA
00000F60 | 5025 3266 4674 3678 7A66 6566 7451 6F25 | P%2fFt6xzfeftQo%
00000F70 | 3364 2048 5454 502F 312E 300D 0A41 6363 | 3d HTTP/1.0..Acc
00000F80 | 6570 743A 2069 6D61 6765 2F67 6966 2C20 | ept: image/gif,
00000F90 | 696D 6167 652F 782D 7862 6974 6D61 702C | image/x-xbitmap,
00000FA0 | 2069 6D61 6765 2F6A 7065 672C 2069 6D61 |  image/jpeg, ima
00000FB0 | 6765 2F70 6A70 6567 2C20 6170 706C 6963 | ge/pjpeg, applic
00000FC0 | 6174 696F 6E2F 782D 7368 6F63 6B77 6176 | ation/x-shockwav
00000FD0 | 652D 666C 6173 682C 202A 2F2A 0D0A 5573 | e-flash, */*..Us
00000FE0 | 6572 2D41 6765 6E74 3A20 4D6F 7A69 6C6C | er-Agent: Mozill
00000FF0 | 612F 342E 3020 2863 6F6D 7061 7469 626C | a/4.0 (compatibl

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.