HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Generic.19290791 (B) (Emsisoft), Trojan.Generic.19290791 (AdAware), Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR, GenericEmailWorm.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, EmailWorm
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 12e4023491001cc40a48838e974e5a75
SHA1: 4f973d51d7bcba9e7b3e9f827c05b9ebae9a9864
SHA256: 454a539933e0b46c098f36c98d6166a44c8704fdf6b2fa7c0c0a3c08df1e9d6a
SSDeep: 196608:7TsqXUc185OiGtjT9erfsa5tcuFNWfPil:fsqEcaOztn/otcuFYn0
Size: 6418432 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2016-10-12 17:13:25
Analyzed on: Windows7 SP1 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
EmailWorm | Worm can send e-mails. |
Process activity
The Trojan creates the following process(es):
GoogleUpdate.exe:2880
GoogleUpdate.exe:3900
%original file name%.exe:2268
54.0.2840.71_54.0.2840.59_chrome_updater.exe:268
setup.exe:2620
setup.exe:1276
setup.exe:1904
regsvr32.exe:2332
regsvr32.exe:2472
regsvr32.exe:2336
regsvr32.exe:2456
regsvr32.exe:2424
regsvr32.exe:2304
regsvr32.exe:2436
regsvr32.exe:2412
regsvr32.exe:2400
regsvr32.exe:2416
regsvr32.exe:2372
The Trojan injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process GoogleUpdate.exe:3900 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\Google\Update\Download\{4DC8B4CA-1BDA-483E-B5FA-D3C12E15B62D}\54.0.2840.71\54.0.2840.71_54.0.2840.59_chrome_updater.exe (16158 bytes)
%Program Files%\Google\Update\Install\{4BE97E2F-B4A3-41A5-8B1D-EB58A7D5FCB4}\54.0.2840.71_54.0.2840.59_chrome_updater.exe (16304 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{7450580E-9D4A-43A0-ACBD-336C9A6D6735}-54.0.2840.71_54.0.2840.59_chrome_updater.exe (0 bytes)
The process %original file name%.exe:2268 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Data\dm.dll (9053 bytes)
The process 54.0.2840.71_54.0.2840.59_chrome_updater.exe:268 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\Temp\CR_869F3.tmp\setup.exe (49 bytes)
C:\Windows\Temp\CR_869F3.tmp\SETUP_PATCH.PACKED.7Z (3 bytes)
C:\Windows\Temp\CR_869F3.tmp\CHROME_PATCH.PACKED.7Z (2 bytes)
The Trojan deletes the following file(s):
C:\Windows\Temp\CR_869F3.tmp\setup.exe (0 bytes)
C:\Windows\Temp\CR_869F3.tmp (0 bytes)
C:\Windows\Temp\CR_869F3.tmp\CHROME_PATCH.PACKED.7Z (0 bytes)
The process setup.exe:2620 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\Temp\Crashpad\settings.dat (84 bytes)
The process setup.exe:1276 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\chrome_100_percent.pak (1160 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\hr.pak (618 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\ta.pak (1539 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\VisualElements\smalllogocanary.png (15 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\th.pak (1294 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\chrome.VisualElementsManifest.xml (411 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\default_apps\gmail.crx (48 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\default_apps\youtube.crx (47 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\el.pak (1169 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\es-419.pak (651 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\tr.pak (645 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\hi.pak (1333 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\ru.pak (1029 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\da.pak (596 bytes)
C:\Windows\Temp\Crashpad\settings.dat (80 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\cs.pak (662 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\chrome.exe (1846 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\ko.pak (659 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\de.pak (570 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\id.pak (586 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\pl.pak (652 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\chrome.dll (41963 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\54.0.2840.71.manifest (254 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\sv.pak (597 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\WidevineCdm\manifest.json (954 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\chrome.7z (279369 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\es.pak (660 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\ms.pak (504 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\wow_helper.exe (160 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\nb.pak (588 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576 (4 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\en-GB.pak (539 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\chrome_child.dll (53736 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\ro.pak (666 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\it.pak (636 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\hu.pak (692 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\pt-PT.pak (645 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\nl.pak (629 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\vi.pak (741 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\natives_blob.bin (702 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\WidevineCdm\_platform_specific\win_x86\widevinecdm.dll (54 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\fil.pak (667 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\uk.pak (1023 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\sr.pak (995 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk (6 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\Installer\chrmstp.exe (24778 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\te.pak (1438 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\pt-BR.pak (636 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\icudtl.dat (59 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\chrome_patch.diff (52 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin (4 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\fake-bidi.pak (808 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\ar.pak (891 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\lt.pak (661 bytes)
%Program Files%\Google\Chrome\Application\SetupMetrics\8DCD.tmp (14 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\d3dcompiler_47.dll (52 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\ml.pak (1669 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\ca.pak (653 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\bg.pak (1077 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\gu.pak (1294 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\ja.pak (777 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\sl.pak (613 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\kn.pak (1488 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\zh-TW.pak (538 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\nacl64.exe (54 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\libegl.dll (187 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\fi.pak (612 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\resources.pak (2572 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\sk.pak (684 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\chrome_200_percent.pak (1742 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\bn.pak (1383 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\fr.pak (700 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\mr.pak (1317 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\fa.pak (930 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\Installer\setup.exe (24778 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\am.pak (905 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\VisualElements\smalllogo.png (15 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\WidevineCdm\_platform_specific\win_x86\widevinecdmadapter.dll (441 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\default_apps\docs.crx (12 bytes)
C:\Users\Public\Desktop\Google Chrome.lnk (6 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\sw.pak (555 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\VisualElements\logo.png (37 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\snapshot_blob.bin (1375 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\chrome_watcher.dll (963 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\default_apps\external_extensions.json (5 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\et.pak (576 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\VisualElements\logocanary.png (46 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\zh-CN.pak (537 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\libglesv2.dll (50 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\chrome_elf.dll (758 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Extensions\external_extensions.json (103 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\he.pak (760 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\nacl_irt_x86_32.nexe (52 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\default_apps\drive.crx (53 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\en-US.pak (539 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\lv.pak (667 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\nacl_irt_x86_64.nexe (53 bytes)
%Program Files%\Google\Chrome\Temp (4 bytes)
%Program Files%\Google\Chrome\Application\chrome.exe (21970 bytes)
The Trojan deletes the following file(s):
%Program Files%\Google\Chrome\Application\54.0.2840.59\Installer\chrome.7z (0 bytes)
%Program Files%\Google\Chrome\Temp\scoped_dir_1276_16561 (0 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576 (0 bytes)
%Program Files%\Google\Chrome\Temp\scoped_dir_1276_11993\chrome.exe (0 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\chrome_patch.diff (0 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin (0 bytes)
%Program Files%\Google\Chrome\Temp (0 bytes)
%Program Files%\Google\Chrome\Temp\scoped_dir_1276_16561\chrome.VisualElementsManifest.xml (0 bytes)
%Program Files%\Google\Chrome\Temp\scoped_dir_1276_11993 (0 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\chrome.exe (0 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\wow_helper.exe (0 bytes)
The process setup.exe:1904 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\Temp\CR_869F3.tmp\setup.exe (1 bytes)
C:\Windows\Temp\Crashpad\settings.dat (80 bytes)
C:\Windows\Temp\scoped_dir1904_31361\setup_patch.diff (6 bytes)
The Trojan deletes the following file(s):
C:\Windows\Temp\scoped_dir1904_31361\setup_patch.diff (0 bytes)
C:\Windows\Temp\scoped_dir1904_31361 (0 bytes)
The process regsvr32.exe:2332 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Data\dm.dll (823 bytes)
The process regsvr32.exe:2336 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Data\dm.dll (823 bytes)
The process regsvr32.exe:2456 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Data\dm.dll (823 bytes)
The process regsvr32.exe:2424 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Data\dm.dll (823 bytes)
The process regsvr32.exe:2304 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Data\dm.dll (823 bytes)
The process regsvr32.exe:2436 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Data\dm.dll (823 bytes)
The process regsvr32.exe:2412 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Data\dm.dll (823 bytes)
The process regsvr32.exe:2400 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Data\dm.dll (823 bytes)
The process regsvr32.exe:2416 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Data\dm.dll (823 bytes)
The process regsvr32.exe:2372 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Data\dm.dll (823 bytes)
Registry activity
The process GoogleUpdate.exe:2880 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Classes\Local Settings\MuiCache\30\52C64B7E\@%SystemRoot%\system32]
"dnsapi.dll,-103" = "Domain Name System (DNS) Server Trust"
[HKCU\Software\Classes\Local Settings\MuiCache\30\52C64B7E]
"LanguageList" = "en-US, en"
[HKCU\Software\Google\Update\proxy]
"source" = "IEWPAD"
[HKCU\Software\Classes\Local Settings\MuiCache\30\52C64B7E\@%SystemRoot%\system32]
"qagentrt.dll,-10" = "System Health Authentication"
"p2pcollab.dll,-8042" = "Peer to Peer Trust"
"fveui.dll,-844" = "BitLocker Data Recovery Agent"
"fveui.dll,-843" = "BitLocker Drive Encryption"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Google\Update]
"uid"
"old-uid"
The process GoogleUpdate.exe:3900 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}\CurrentState]
"StateValue" = "7"
"InstallProgressPercent" = "4294967295"
[HKLM\SOFTWARE\Google\Update\PersistedPings\{790CEE4C-A10D-431B-B8F9-9BE1B3FF9E95}]
"PersistedPingTime" = "131221104743348753"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}\CurrentState]
"DownloadTimeRemainingMs" = "4294967295"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"pv" = "54.0.2840.71"
"LastInstallerSuccessLaunchCmdLine" = "%Program Files%\Google\Chrome\Application\chrome.exe"
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\CurrentState]
"StateValue" = "16"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"UpdateTime" = "1477636900"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}\CurrentState]
"InstallTimeRemainingMs" = "4294967295"
[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\CurrentState]
"StateValue" = "16"
[HKLM\SOFTWARE\Google\Update\PersistedPings\{790CEE4C-A10D-431B-B8F9-9BE1B3FF9E95}]
"PersistedPingString" = "
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Google\Update\proxy]
"source" = "IEWPAD"
[HKLM\SOFTWARE\Google\Update]
"LastInstallerSuccessLaunchCmdLine" = "%Program Files%\Google\Chrome\Application\chrome.exe"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"LastCheckSuccess" = "1477636900"
"LastInstallerError" = "0"
[HKLM\SOFTWARE\Google\Update]
"LastInstallerResult" = "0"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}\CurrentState]
"DownloadProgressPercent" = "0"
[HKLM\SOFTWARE\Google\Update]
"LastInstallerError" = "0"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"LastInstallerResult" = "0"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Google\Update\PersistedPings\{790CEE4C-A10D-431B-B8F9-9BE1B3FF9E95}]
The Trojan deletes the following value(s) in system registry:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"LastInstallerResultUIString"
"UpdateAvailableCount"
[HKLM\SOFTWARE\Google\Update]
"old-uid"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"UpdateAvailableSince"
[HKLM\SOFTWARE\Google\Update]
"LastInstallerResultUIString"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"LastInstallerResult"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"LastInstallerExtraCode1"
"InstallerError"
[HKLM\SOFTWARE\Google\Update]
"LastInstallerError"
"uid"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"InstallerSuccessLaunchCmdLine"
"LastInstallerSuccessLaunchCmdLine"
"InstallerResult"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"LastInstallerError"
"iid"
[HKLM\SOFTWARE\Google\Update]
"LastInstallerSuccessLaunchCmdLine"
"LastInstallerExtraCode1"
"LastInstallerResult"
The process 54.0.2840.71_54.0.2840.59_chrome_updater.exe:268 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"ap" = "-statsdef_1-multi-chrome-full"
The process setup.exe:1276 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome]
"Publisher" = "Google Inc."
[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"InstallerError" = "2"
[HKLM\SOFTWARE\Google\Update\Clients\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
"Name" = "Google Chrome"
[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
"IsInstalled" = "1"
"Localized Name" = "Google Chrome"
"Version" = "43,0,0,0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome]
"NoModify" = "1"
[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"InstallerResult" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome]
"DisplayIcon" = "%Program Files%\Google\Chrome\Application\chrome.exe,0"
[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"ap" = "-statsdef_1-multi-chrome-full"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"UninstallString" = "%Program Files%\Google\Chrome\Application\54.0.2840.71\Installer\setup.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome]
"InstallLocation" = "%Program Files%\Google\Chrome\Application"
"VersionMinor" = "71"
"VersionMajor" = "2840"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"UninstallArguments" = " --uninstall --multi-install --system-level"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome]
"Version" = "54.0.2840.71"
[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
"(Default)" = "Google Chrome"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome]
"UninstallString" = "%Program Files%\Google\Chrome\Application\54.0.2840.71\Installer\setup.exe --uninstall --multi-install --chrome --system-level"
[HKLM\SOFTWARE\Google\Update\Clients\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"Name" = "Google Chrome binaries"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"InstallerError" = "2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome]
"NoRepair" = "1"
[HKLM\SOFTWARE\Google\Update\Clients\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Commands\on-os-upgrade]
"CommandLine" = "%Program Files%\Google\Chrome\Application\54.0.2840.71\Installer\setup.exe --on-os-upgrade --multi-install --chrome --system-level --verbose-logging"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"InstallerResult" = "0"
[HKLM\SOFTWARE\Google\Update\Clients\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Commands\on-os-upgrade]
"AutoRunOnOSUpgrade" = "1"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"InstallerProgress" = "21"
[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
"StubPath" = "%Program Files%\Google\Chrome\Application\54.0.2840.71\Installer\chrmstp.exe --configure-user-settings --verbose-logging --system-level --multi-install --chrome"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome]
"DisplayName" = "Google Chrome"
[HKLM\SOFTWARE\Google\Update\Clients\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
"pv" = "54.0.2840.71"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"ap" = "-statsdef_1-multi-chrome"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome]
"DisplayVersion" = "54.0.2840.71"
[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"UninstallArguments" = " --uninstall --multi-install --chrome --system-level"
"UninstallString" = "%Program Files%\Google\Chrome\Application\54.0.2840.71\Installer\setup.exe"
[HKLM\SOFTWARE\Google\Update\Clients\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"pv" = "54.0.2840.71"
The process setup.exe:1904 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"InstallerProgress" = "10"
The process regsvr32.exe:2332 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\dm.dmsoft\CLSID]
"(Default)" = "{26037A0E-7CBD-4FFF-9C63-56F2D0770214}"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}]
"(Default)" = "dm.dmsoft"
[HKCR\dm.dmsoft]
"(Default)" = "dm.dmsoft"
[HKCR\dm.dmsoft\CurVer]
"(Default)" = "dm.dmsoft"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
"(Default)" = "c:\Data\dm.dll"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID]
"(Default)" = "dm.dmsoft"
The Trojan deletes the following registry key(s):
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}]
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID]
The process regsvr32.exe:2472 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\dm.dmsoft\CLSID]
"(Default)" = "{26037A0E-7CBD-4FFF-9C63-56F2D0770214}"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}]
"(Default)" = "dm.dmsoft"
[HKCR\dm.dmsoft]
"(Default)" = "dm.dmsoft"
[HKCR\dm.dmsoft\CurVer]
"(Default)" = "dm.dmsoft"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
"(Default)" = "c:\Data\dm.dll"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID]
"(Default)" = "dm.dmsoft"
The Trojan deletes the following registry key(s):
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}]
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID]
The process regsvr32.exe:2336 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\dm.dmsoft\CLSID]
"(Default)" = "{26037A0E-7CBD-4FFF-9C63-56F2D0770214}"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}]
"(Default)" = "dm.dmsoft"
[HKCR\dm.dmsoft]
"(Default)" = "dm.dmsoft"
[HKCR\dm.dmsoft\CurVer]
"(Default)" = "dm.dmsoft"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
"(Default)" = "c:\Data\dm.dll"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID]
"(Default)" = "dm.dmsoft"
The Trojan deletes the following registry key(s):
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}]
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID]
The process regsvr32.exe:2456 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\dm.dmsoft\CLSID]
"(Default)" = "{26037A0E-7CBD-4FFF-9C63-56F2D0770214}"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}]
"(Default)" = "dm.dmsoft"
[HKCR\dm.dmsoft]
"(Default)" = "dm.dmsoft"
[HKCR\dm.dmsoft\CurVer]
"(Default)" = "dm.dmsoft"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
"(Default)" = "c:\Data\dm.dll"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID]
"(Default)" = "dm.dmsoft"
The Trojan deletes the following registry key(s):
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}]
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID]
The process regsvr32.exe:2424 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\dm.dmsoft\CLSID]
"(Default)" = "{26037A0E-7CBD-4FFF-9C63-56F2D0770214}"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}]
"(Default)" = "dm.dmsoft"
[HKCR\dm.dmsoft]
"(Default)" = "dm.dmsoft"
[HKCR\dm.dmsoft\CurVer]
"(Default)" = "dm.dmsoft"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
"(Default)" = "c:\Data\dm.dll"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID]
"(Default)" = "dm.dmsoft"
The Trojan deletes the following registry key(s):
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}]
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID]
The process regsvr32.exe:2304 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\dm.dmsoft\CLSID]
"(Default)" = "{26037A0E-7CBD-4FFF-9C63-56F2D0770214}"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}]
"(Default)" = "dm.dmsoft"
[HKCR\dm.dmsoft]
"(Default)" = "dm.dmsoft"
[HKCR\dm.dmsoft\CurVer]
"(Default)" = "dm.dmsoft"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
"(Default)" = "c:\Data\dm.dll"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID]
"(Default)" = "dm.dmsoft"
The Trojan deletes the following registry key(s):
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}]
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID]
The process regsvr32.exe:2436 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\dm.dmsoft\CLSID]
"(Default)" = "{26037A0E-7CBD-4FFF-9C63-56F2D0770214}"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}]
"(Default)" = "dm.dmsoft"
[HKCR\dm.dmsoft]
"(Default)" = "dm.dmsoft"
[HKCR\dm.dmsoft\CurVer]
"(Default)" = "dm.dmsoft"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
"(Default)" = "c:\Data\dm.dll"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID]
"(Default)" = "dm.dmsoft"
The Trojan deletes the following registry key(s):
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}]
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID]
The process regsvr32.exe:2412 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\dm.dmsoft\CLSID]
"(Default)" = "{26037A0E-7CBD-4FFF-9C63-56F2D0770214}"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}]
"(Default)" = "dm.dmsoft"
[HKCR\dm.dmsoft]
"(Default)" = "dm.dmsoft"
[HKCR\dm.dmsoft\CurVer]
"(Default)" = "dm.dmsoft"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
"(Default)" = "c:\Data\dm.dll"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID]
"(Default)" = "dm.dmsoft"
The Trojan deletes the following registry key(s):
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}]
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID]
The process regsvr32.exe:2400 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\dm.dmsoft\CLSID]
"(Default)" = "{26037A0E-7CBD-4FFF-9C63-56F2D0770214}"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}]
"(Default)" = "dm.dmsoft"
[HKCR\dm.dmsoft]
"(Default)" = "dm.dmsoft"
[HKCR\dm.dmsoft\CurVer]
"(Default)" = "dm.dmsoft"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
"(Default)" = "c:\Data\dm.dll"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID]
"(Default)" = "dm.dmsoft"
The Trojan deletes the following registry key(s):
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}]
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID]
The process regsvr32.exe:2416 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\dm.dmsoft\CLSID]
"(Default)" = "{26037A0E-7CBD-4FFF-9C63-56F2D0770214}"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}]
"(Default)" = "dm.dmsoft"
[HKCR\dm.dmsoft]
"(Default)" = "dm.dmsoft"
[HKCR\dm.dmsoft\CurVer]
"(Default)" = "dm.dmsoft"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
"(Default)" = "c:\Data\dm.dll"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID]
"(Default)" = "dm.dmsoft"
The Trojan deletes the following registry key(s):
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}]
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID]
The process regsvr32.exe:2372 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib]
"(Default)" = "{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}"
[HKCR\dm.dmsoft\CLSID]
"(Default)" = "{26037A0E-7CBD-4FFF-9C63-56F2D0770214}"
[HKCR\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\HELPDIR]
"(Default)" = "c:\Data\"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}]
"(Default)" = "dm.dmsoft"
[HKCR\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\dm.dmsoft]
"(Default)" = "dm.dmsoft"
[HKCR\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}]
"(Default)" = "Idmsoft"
[HKCR\dm.dmsoft\CurVer]
"(Default)" = "dm.dmsoft"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
"(Default)" = "c:\Data\dm.dll"
[HKCR\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\0\win32]
"(Default)" = "c:\Data\dm.dll"
[HKCR\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0]
"(Default)" = "Dm"
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID]
"(Default)" = "dm.dmsoft"
[HKCR\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib]
"Version" = "1.0"
Dropped PE files
MD5 | File path |
---|---|
c578b6820bda5689940560147c6e5ffc | c:\Data\dm.dll |
503a8048c5558c4bedb95f5d408280e7 | c:\Program Files\Google\Chrome\Application\54.0.2840.71\Installer\chrmstp.exe |
503a8048c5558c4bedb95f5d408280e7 | c:\Program Files\Google\Chrome\Application\54.0.2840.71\Installer\setup.exe |
6f4c70c96fedc4e0a79c49d75fb31819 | c:\Program Files\Google\Chrome\Application\54.0.2840.71\WidevineCdm\_platform_specific\win_x86\widevinecdm.dll |
01d6c4d58f79447c38992c6615548cff | c:\Program Files\Google\Chrome\Application\54.0.2840.71\WidevineCdm\_platform_specific\win_x86\widevinecdmadapter.dll |
00c36ae47c7e16937834705dda03ef7e | c:\Program Files\Google\Chrome\Application\54.0.2840.71\chrome.dll |
6848d69d5550119ed5e5df9b334b6537 | c:\Program Files\Google\Chrome\Application\54.0.2840.71\chrome_child.dll |
c4b3022907fb6c0748df860dde1e9ee9 | c:\Program Files\Google\Chrome\Application\54.0.2840.71\chrome_elf.dll |
3d341f7ee28b0bdf8b8cdca3b0ed97c0 | c:\Program Files\Google\Chrome\Application\54.0.2840.71\chrome_watcher.dll |
02e034cd47aa9a633f6aaef348dbbba0 | c:\Program Files\Google\Chrome\Application\54.0.2840.71\d3dcompiler_47.dll |
98a53cfa1945b99656db4332d89c9328 | c:\Program Files\Google\Chrome\Application\54.0.2840.71\libegl.dll |
d1df316e69e13e0911ed19c80e8500c8 | c:\Program Files\Google\Chrome\Application\54.0.2840.71\libglesv2.dll |
a99fb676e5eb1393bb241fde05843127 | c:\Program Files\Google\Chrome\Application\54.0.2840.71\nacl64.exe |
ab3d3d17ad0174384c0088d397388558 | c:\Program Files\Google\Update\Download\{4DC8B4CA-1BDA-483E-B5FA-D3C12E15B62D}\54.0.2840.71\54.0.2840.71_54.0.2840.59_chrome_updater.exe |
ab3d3d17ad0174384c0088d397388558 | c:\Program Files\Google\Update\Install\{4BE97E2F-B4A3-41A5-8B1D-EB58A7D5FCB4}\54.0.2840.71_54.0.2840.59_chrome_updater.exe |
503a8048c5558c4bedb95f5d408280e7 | c:\Windows\Temp\CR_869F3.tmp\setup.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
GoogleUpdate.exe:2880
GoogleUpdate.exe:3900
%original file name%.exe:2268
54.0.2840.71_54.0.2840.59_chrome_updater.exe:268
setup.exe:2620
setup.exe:1276
setup.exe:1904
regsvr32.exe:2332
regsvr32.exe:2472
regsvr32.exe:2336
regsvr32.exe:2456
regsvr32.exe:2424
regsvr32.exe:2304
regsvr32.exe:2436
regsvr32.exe:2412
regsvr32.exe:2400
regsvr32.exe:2416
regsvr32.exe:2372
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Program Files%\Google\Update\Download\{4DC8B4CA-1BDA-483E-B5FA-D3C12E15B62D}\54.0.2840.71\54.0.2840.71_54.0.2840.59_chrome_updater.exe (16158 bytes)
%Program Files%\Google\Update\Install\{4BE97E2F-B4A3-41A5-8B1D-EB58A7D5FCB4}\54.0.2840.71_54.0.2840.59_chrome_updater.exe (16304 bytes)
C:\Data\dm.dll (9053 bytes)
C:\Windows\Temp\CR_869F3.tmp\setup.exe (49 bytes)
C:\Windows\Temp\CR_869F3.tmp\SETUP_PATCH.PACKED.7Z (3 bytes)
C:\Windows\Temp\CR_869F3.tmp\CHROME_PATCH.PACKED.7Z (2 bytes)
C:\Windows\Temp\Crashpad\settings.dat (84 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\chrome_100_percent.pak (1160 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\hr.pak (618 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\ta.pak (1539 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\VisualElements\smalllogocanary.png (15 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\th.pak (1294 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\chrome.VisualElementsManifest.xml (411 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\default_apps\gmail.crx (48 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\default_apps\youtube.crx (47 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\el.pak (1169 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\es-419.pak (651 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\tr.pak (645 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\hi.pak (1333 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\ru.pak (1029 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\da.pak (596 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\cs.pak (662 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\chrome.exe (1846 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\ko.pak (659 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\de.pak (570 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\id.pak (586 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\pl.pak (652 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\chrome.dll (41963 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\54.0.2840.71.manifest (254 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\sv.pak (597 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\WidevineCdm\manifest.json (954 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\chrome.7z (279369 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\es.pak (660 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\ms.pak (504 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\wow_helper.exe (160 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\nb.pak (588 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\en-GB.pak (539 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\chrome_child.dll (53736 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\ro.pak (666 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\it.pak (636 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\hu.pak (692 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\pt-PT.pak (645 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\nl.pak (629 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\vi.pak (741 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\natives_blob.bin (702 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\WidevineCdm\_platform_specific\win_x86\widevinecdm.dll (54 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\fil.pak (667 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\uk.pak (1023 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\sr.pak (995 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk (6 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\Installer\chrmstp.exe (24778 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\te.pak (1438 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\pt-BR.pak (636 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\icudtl.dat (59 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\chrome_patch.diff (52 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\fake-bidi.pak (808 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\ar.pak (891 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\lt.pak (661 bytes)
%Program Files%\Google\Chrome\Application\SetupMetrics\8DCD.tmp (14 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\d3dcompiler_47.dll (52 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\ml.pak (1669 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\ca.pak (653 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\bg.pak (1077 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\gu.pak (1294 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\ja.pak (777 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\sl.pak (613 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\kn.pak (1488 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\zh-TW.pak (538 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\nacl64.exe (54 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\libegl.dll (187 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\fi.pak (612 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\resources.pak (2572 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\sk.pak (684 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\chrome_200_percent.pak (1742 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\bn.pak (1383 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\fr.pak (700 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\mr.pak (1317 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\fa.pak (930 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\Installer\setup.exe (24778 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\am.pak (905 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\VisualElements\smalllogo.png (15 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\WidevineCdm\_platform_specific\win_x86\widevinecdmadapter.dll (441 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\default_apps\docs.crx (12 bytes)
C:\Users\Public\Desktop\Google Chrome.lnk (6 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\sw.pak (555 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\VisualElements\logo.png (37 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\snapshot_blob.bin (1375 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\chrome_watcher.dll (963 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\default_apps\external_extensions.json (5 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\et.pak (576 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\VisualElements\logocanary.png (46 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\zh-CN.pak (537 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\libglesv2.dll (50 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\chrome_elf.dll (758 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Extensions\external_extensions.json (103 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\he.pak (760 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\nacl_irt_x86_32.nexe (52 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\default_apps\drive.crx (53 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\en-US.pak (539 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\lv.pak (667 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\nacl_irt_x86_64.nexe (53 bytes)
%Program Files%\Google\Chrome\Application\chrome.exe (21970 bytes)
C:\Windows\Temp\scoped_dir1904_31361\setup_patch.diff (6 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 1089674 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rdata | 1097728 | 5081452 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.data | 6180864 | 464330 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.vmp0 | 6647808 | 2231493 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.vmp1 | 8880128 | 6405936 | 6406144 | 5.54417 | d62ea37305934ff2d63a28fd97608e15 |
.rsrc | 15286272 | 5744 | 8192 | 2.96243 | f49c050333f381c65fff839236013a8f |
Network Activity
URLs
URL | IP |
---|---|
hxxp://redirector.gvt1.com/edgedl/release2/9liqmqrgqfa7ez02glv729167mt3kbx8m7ksxfuuazw7up69ddgu8ol2axd13ipv75z76n27nysxd400sfjvpanesqdmeqaa7ho/54.0.2840.71_54.0.2840.59_chrome_updater.exe | |
hxxp://r2.sn-2puapox-ig3l.gvt1.com/edgedl/release2/9liqmqrgqfa7ez02glv729167mt3kbx8m7ksxfuuazw7up69ddgu8ol2axd13ipv75z76n27nysxd400sfjvpanesqdmeqaa7ho/54.0.2840.71_54.0.2840.59_chrome_updater.exe?cms_redirect=yes&expire=1477651236&ip=194.242.96.218&ipbits=0&mm=28&mn=sn-2puapox-ig3l&ms=nvh&mt=1477636818&mv=m&pl=23&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=092925340ED87695D41054DED9F890C1204DB90A.7D8A8B629F13F3050C3324F862564D62A4FAFD59&key=cms1 | |
hxxp://r2---sn-2puapox-ig3l.gvt1.com/edgedl/release2/9liqmqrgqfa7ez02glv729167mt3kbx8m7ksxfuuazw7up69ddgu8ol2axd13ipv75z76n27nysxd400sfjvpanesqdmeqaa7ho/54.0.2840.71_54.0.2840.59_chrome_updater.exe?cms_redirect=yes&expire=1477651236&ip=194.242.96.218&ipbits=0&mm=28&mn=sn-2puapox-ig3l&ms=nvh&mt=1477636818&mv=m&pl=23&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=092925340ED87695D41054DED9F890C1204DB90A.7D8A8B629F13F3050C3324F862564D62A4FAFD59&key=cms1 | |
comroute.baibaoyun.com | 120.27.136.132 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
HEAD /edgedl/release2/9liqmqrgqfa7ez02glv729167mt3kbx8m7ksxfuuazw7up69ddgu8ol2axd13ipv75z76n27nysxd400sfjvpanesqdmeqaa7ho/54.0.2840.71_54.0.2840.59_chrome_updater.exe?cms_redirect=yes&expire=1477651236&ip=194.242.96.218&ipbits=0&mm=28&mn=sn-2puapox-ig3l&ms=nvh&mt=1477636818&mv=m&pl=23&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=092925340ED87695D41054DED9F890C1204DB90A.7D8A8B629F13F3050C3324F862564D62A4FAFD59&key=cms1 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
X-GoogleUpdate-Interactivity: bg
Host: r2---sn-2puapox-ig3l.gvt1.com
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 2377080
Content-Type: application/octet-stream
Etag: "1013e5"
Server: downloads
Vary: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
Date: Thu, 27 Oct 2016 07:27:47 GMT
Alt-Svc: quic=":443"; ma=2592000; v="36,35,34"
Last-Modified: Thu, 20 Oct 2016 09:56:47 GMT
Connection: keep-alive
GET /edgedl/release2/9liqmqrgqfa7ez02glv729167mt3kbx8m7ksxfuuazw7up69ddgu8ol2axd13ipv75z76n27nysxd400sfjvpanesqdmeqaa7ho/54.0.2840.71_54.0.2840.59_chrome_updater.exe?cms_redirect=yes&expire=1477651236&ip=194.242.96.218&ipbits=0&mm=28&mn=sn-2puapox-ig3l&ms=nvh&mt=1477636818&mv=m&pl=23&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=092925340ED87695D41054DED9F890C1204DB90A.7D8A8B629F13F3050C3324F862564D62A4FAFD59&key=cms1 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Thu, 20 Oct 2016 09:56:47 GMT
Range: bytes=0-8695
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
X-GoogleUpdate-Interactivity: bg
Host: r2---sn-2puapox-ig3l.gvt1.com
HTTP/1.1 206 Partial Content
Accept-Ranges: bytes
Content-Length: 8696
Content-Type: application/octet-stream
Etag: "1013e5"
Server: downloads
Vary: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
Date: Thu, 27 Oct 2016 07:27:47 GMT
Alt-Svc: quic=":443"; ma=2592000; v="36,35,34"
Last-Modified: Thu, 20 Oct 2016 09:56:47 GMT
Content-Range: bytes 0-8695/2377080
Connection: keep-alive
<<< skipped >>>
GET /edgedl/release2/9liqmqrgqfa7ez02glv729167mt3kbx8m7ksxfuuazw7up69ddgu8ol2axd13ipv75z76n27nysxd400sfjvpanesqdmeqaa7ho/54.0.2840.71_54.0.2840.59_chrome_updater.exe?cms_redirect=yes&expire=1477651236&ip=194.242.96.218&ipbits=0&mm=28&mn=sn-2puapox-ig3l&ms=nvh&mt=1477636818&mv=m&pl=23&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=092925340ED87695D41054DED9F890C1204DB90A.7D8A8B629F13F3050C3324F862564D62A4FAFD59&key=cms1 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Thu, 20 Oct 2016 09:56:47 GMT
Range: bytes=8696-23281
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
X-GoogleUpdate-Interactivity: bg
Host: r2---sn-2puapox-ig3l.gvt1.com
HTTP/1.1 206 Partial Content
Accept-Ranges: bytes
Content-Length: 14586
Content-Type: application/octet-stream
Etag: "1013e5"
Server: downloads
Vary: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
Date: Thu, 27 Oct 2016 07:27:47 GMT
Alt-Svc: quic=":443"; ma=2592000; v="36,35,34"
Last-Modified: Thu, 20 Oct 2016 09:56:47 GMT
Content-Range: bytes 8696-23281/2377080
Connection: keep-alive
<<< skipped >>>
GET /edgedl/release2/9liqmqrgqfa7ez02glv729167mt3kbx8m7ksxfuuazw7up69ddgu8ol2axd13ipv75z76n27nysxd400sfjvpanesqdmeqaa7ho/54.0.2840.71_54.0.2840.59_chrome_updater.exe?cms_redirect=yes&expire=1477651236&ip=194.242.96.218&ipbits=0&mm=28&mn=sn-2puapox-ig3l&ms=nvh&mt=1477636818&mv=m&pl=23&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=092925340ED87695D41054DED9F890C1204DB90A.7D8A8B629F13F3050C3324F862564D62A4FAFD59&key=cms1 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Thu, 20 Oct 2016 09:56:47 GMT
Range: bytes=23282-38116
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
X-GoogleUpdate-Interactivity: bg
Host: r2---sn-2puapox-ig3l.gvt1.com
HTTP/1.1 206 Partial Content
Accept-Ranges: bytes
Content-Length: 14835
Content-Type: application/octet-stream
Etag: "1013e5"
Server: downloads
Vary: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
Date: Thu, 27 Oct 2016 07:27:47 GMT
Alt-Svc: quic=":443"; ma=2592000; v="36,35,34"
Last-Modified: Thu, 20 Oct 2016 09:56:47 GMT
Content-Range: bytes 23282-38116/2377080
Connection: keep-alive
<<< skipped >>>
GET /edgedl/release2/9liqmqrgqfa7ez02glv729167mt3kbx8m7ksxfuuazw7up69ddgu8ol2axd13ipv75z76n27nysxd400sfjvpanesqdmeqaa7ho/54.0.2840.71_54.0.2840.59_chrome_updater.exe?cms_redirect=yes&expire=1477651236&ip=194.242.96.218&ipbits=0&mm=28&mn=sn-2puapox-ig3l&ms=nvh&mt=1477636818&mv=m&pl=23&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=092925340ED87695D41054DED9F890C1204DB90A.7D8A8B629F13F3050C3324F862564D62A4FAFD59&key=cms1 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Thu, 20 Oct 2016 09:56:47 GMT
Range: bytes=38117-58971
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
X-GoogleUpdate-Interactivity: bg
Host: r2---sn-2puapox-ig3l.gvt1.com
HTTP/1.1 206 Partial Content
Accept-Ranges: bytes
Content-Length: 20855
Content-Type: application/octet-stream
Etag: "1013e5"
Server: downloads
Vary: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
Date: Thu, 27 Oct 2016 07:27:47 GMT
Alt-Svc: quic=":443"; ma=2592000; v="36,35,34"
Last-Modified: Thu, 20 Oct 2016 09:56:47 GMT
Content-Range: bytes 38117-58971/2377080
Connection: keep-alive
<<< skipped >>>
GET /edgedl/release2/9liqmqrgqfa7ez02glv729167mt3kbx8m7ksxfuuazw7up69ddgu8ol2axd13ipv75z76n27nysxd400sfjvpanesqdmeqaa7ho/54.0.2840.71_54.0.2840.59_chrome_updater.exe?cms_redirect=yes&expire=1477651236&ip=194.242.96.218&ipbits=0&mm=28&mn=sn-2puapox-ig3l&ms=nvh&mt=1477636818&mv=m&pl=23&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=092925340ED87695D41054DED9F890C1204DB90A.7D8A8B629F13F3050C3324F862564D62A4FAFD59&key=cms1 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Thu, 20 Oct 2016 09:56:47 GMT
Range: bytes=58972-79579
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
X-GoogleUpdate-Interactivity: bg
Host: r2---sn-2puapox-ig3l.gvt1.com
HTTP/1.1 206 Partial Content
Accept-Ranges: bytes
Content-Length: 20608
Content-Type: application/octet-stream
Etag: "1013e5"
Server: downloads
Vary: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
Date: Thu, 27 Oct 2016 07:27:47 GMT
Alt-Svc: quic=":443"; ma=2592000; v="36,35,34"
Last-Modified: Thu, 20 Oct 2016 09:56:47 GMT
Content-Range: bytes 58972-79579/2377080
Connection: keep-alive
<<< skipped >>>
GET /edgedl/release2/9liqmqrgqfa7ez02glv729167mt3kbx8m7ksxfuuazw7up69ddgu8ol2axd13ipv75z76n27nysxd400sfjvpanesqdmeqaa7ho/54.0.2840.71_54.0.2840.59_chrome_updater.exe?cms_redirect=yes&expire=1477651236&ip=194.242.96.218&ipbits=0&mm=28&mn=sn-2puapox-ig3l&ms=nvh&mt=1477636818&mv=m&pl=23&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=092925340ED87695D41054DED9F890C1204DB90A.7D8A8B629F13F3050C3324F862564D62A4FAFD59&key=cms1 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Thu, 20 Oct 2016 09:56:47 GMT
Range: bytes=79580-123287
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
X-GoogleUpdate-Interactivity: bg
Host: r2---sn-2puapox-ig3l.gvt1.com
HTTP/1.1 206 Partial Content
Accept-Ranges: bytes
Content-Length: 43708
Content-Type: application/octet-stream
Etag: "1013e5"
Server: downloads
Vary: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
Date: Thu, 27 Oct 2016 07:27:47 GMT
Alt-Svc: quic=":443"; ma=2592000; v="36,35,34"
Last-Modified: Thu, 20 Oct 2016 09:56:47 GMT
Content-Range: bytes 79580-123287/2377080
Connection: keep-alive
<<< skipped >>>
GET /edgedl/release2/9liqmqrgqfa7ez02glv729167mt3kbx8m7ksxfuuazw7up69ddgu8ol2axd13ipv75z76n27nysxd400sfjvpanesqdmeqaa7ho/54.0.2840.71_54.0.2840.59_chrome_updater.exe?cms_redirect=yes&expire=1477651236&ip=194.242.96.218&ipbits=0&mm=28&mn=sn-2puapox-ig3l&ms=nvh&mt=1477636818&mv=m&pl=23&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=092925340ED87695D41054DED9F890C1204DB90A.7D8A8B629F13F3050C3324F862564D62A4FAFD59&key=cms1 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Thu, 20 Oct 2016 09:56:47 GMT
Range: bytes=123288-213184
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
X-GoogleUpdate-Interactivity: bg
Host: r2---sn-2puapox-ig3l.gvt1.com
HTTP/1.1 206 Partial Content
Accept-Ranges: bytes
Content-Length: 89897
Content-Type: application/octet-stream
Etag: "1013e5"
Server: downloads
Vary: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
Date: Thu, 27 Oct 2016 07:27:47 GMT
Alt-Svc: quic=":443"; ma=2592000; v="36,35,34"
Last-Modified: Thu, 20 Oct 2016 09:56:47 GMT
Content-Range: bytes 123288-213184/2377080
Connection: keep-alive
<<< skipped >>>
GET /edgedl/release2/9liqmqrgqfa7ez02glv729167mt3kbx8m7ksxfuuazw7up69ddgu8ol2axd13ipv75z76n27nysxd400sfjvpanesqdmeqaa7ho/54.0.2840.71_54.0.2840.59_chrome_updater.exe?cms_redirect=yes&expire=1477651236&ip=194.242.96.218&ipbits=0&mm=28&mn=sn-2puapox-ig3l&ms=nvh&mt=1477636818&mv=m&pl=23&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=092925340ED87695D41054DED9F890C1204DB90A.7D8A8B629F13F3050C3324F862564D62A4FAFD59&key=cms1 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Thu, 20 Oct 2016 09:56:47 GMT
Range: bytes=213185-395299
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
X-GoogleUpdate-Interactivity: bg
Host: r2---sn-2puapox-ig3l.gvt1.com
HTTP/1.1 206 Partial Content
Accept-Ranges: bytes
Content-Length: 182115
Content-Type: application/octet-stream
Etag: "1013e5"
Server: downloads
Vary: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
Date: Thu, 27 Oct 2016 07:27:47 GMT
Alt-Svc: quic=":443"; ma=2592000; v="36,35,34"
Last-Modified: Thu, 20 Oct 2016 09:56:47 GMT
Content-Range: bytes 213185-395299/2377080
Connection: keep-alive
<<< skipped >>>
GET /edgedl/release2/9liqmqrgqfa7ez02glv729167mt3kbx8m7ksxfuuazw7up69ddgu8ol2axd13ipv75z76n27nysxd400sfjvpanesqdmeqaa7ho/54.0.2840.71_54.0.2840.59_chrome_updater.exe?cms_redirect=yes&expire=1477651236&ip=194.242.96.218&ipbits=0&mm=28&mn=sn-2puapox-ig3l&ms=nvh&mt=1477636818&mv=m&pl=23&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=092925340ED87695D41054DED9F890C1204DB90A.7D8A8B629F13F3050C3324F862564D62A4FAFD59&key=cms1 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Thu, 20 Oct 2016 09:56:47 GMT
Range: bytes=395300-761360
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
X-GoogleUpdate-Interactivity: bg
Host: r2---sn-2puapox-ig3l.gvt1.com
HTTP/1.1 206 Partial Content
Accept-Ranges: bytes
Content-Length: 366061
Content-Type: application/octet-stream
Etag: "1013e5"
Server: downloads
Vary: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
Date: Thu, 27 Oct 2016 07:27:47 GMT
Alt-Svc: quic=":443"; ma=2592000; v="36,35,34"
Last-Modified: Thu, 20 Oct 2016 09:56:47 GMT
Content-Range: bytes 395300-761360/2377080
Connection: keep-alive
<<< skipped >>>
GET /edgedl/release2/9liqmqrgqfa7ez02glv729167mt3kbx8m7ksxfuuazw7up69ddgu8ol2axd13ipv75z76n27nysxd400sfjvpanesqdmeqaa7ho/54.0.2840.71_54.0.2840.59_chrome_updater.exe?cms_redirect=yes&expire=1477651236&ip=194.242.96.218&ipbits=0&mm=28&mn=sn-2puapox-ig3l&ms=nvh&mt=1477636818&mv=m&pl=23&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=092925340ED87695D41054DED9F890C1204DB90A.7D8A8B629F13F3050C3324F862564D62A4FAFD59&key=cms1 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Thu, 20 Oct 2016 09:56:47 GMT
Range: bytes=761361-1493569
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
X-GoogleUpdate-Interactivity: bg
Host: r2---sn-2puapox-ig3l.gvt1.com
HTTP/1.1 206 Partial Content
Accept-Ranges: bytes
Content-Length: 732209
Content-Type: application/octet-stream
Etag: "1013e5"
Server: downloads
Vary: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
Date: Thu, 27 Oct 2016 07:27:47 GMT
Alt-Svc: quic=":443"; ma=2592000; v="36,35,34"
Last-Modified: Thu, 20 Oct 2016 09:56:47 GMT
Content-Range: bytes 761361-1493569/2377080
Connection: keep-alive
<<< skipped >>>
GET /edgedl/release2/9liqmqrgqfa7ez02glv729167mt3kbx8m7ksxfuuazw7up69ddgu8ol2axd13ipv75z76n27nysxd400sfjvpanesqdmeqaa7ho/54.0.2840.71_54.0.2840.59_chrome_updater.exe?cms_redirect=yes&expire=1477651236&ip=194.242.96.218&ipbits=0&mm=28&mn=sn-2puapox-ig3l&ms=nvh&mt=1477636818&mv=m&pl=23&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=092925340ED87695D41054DED9F890C1204DB90A.7D8A8B629F13F3050C3324F862564D62A4FAFD59&key=cms1 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Thu, 20 Oct 2016 09:56:47 GMT
Range: bytes=1493570-2377079
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
X-GoogleUpdate-Interactivity: bg
Host: r2---sn-2puapox-ig3l.gvt1.com
HTTP/1.1 206 Partial Content
Accept-Ranges: bytes
Content-Length: 883510
Content-Type: application/octet-stream
Etag: "1013e5"
Server: downloads
Vary: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
Date: Thu, 27 Oct 2016 07:27:47 GMT
Alt-Svc: quic=":443"; ma=2592000; v="36,35,34"
Last-Modified: Thu, 20 Oct 2016 09:56:47 GMT
Content-Range: bytes 1493570-2377079/2377080
Connection: keep-alive
<<< skipped >>>
HEAD /edgedl/release2/9liqmqrgqfa7ez02glv729167mt3kbx8m7ksxfuuazw7up69ddgu8ol2axd13ipv75z76n27nysxd400sfjvpanesqdmeqaa7ho/54.0.2840.71_54.0.2840.59_chrome_updater.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
X-GoogleUpdate-Interactivity: bg
Host: redirector.gvt1.com
HTTP/1.1 302 Found
Date: Fri, 28 Oct 2016 06:40:36 GMT
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-cache, must-revalidate
Location: hXXp://r2---sn-2puapox-ig3l.gvt1.com/edgedl/release2/9liqmqrgqfa7ez02glv729167mt3kbx8m7ksxfuuazw7up69ddgu8ol2axd13ipv75z76n27nysxd400sfjvpanesqdmeqaa7ho/54.0.2840.71_54.0.2840.59_chrome_updater.exe?cms_redirect=yes&expire=1477651236&ip=194.242.96.218&ipbits=0&mm=28&mn=sn-2puapox-ig3l&ms=nvh&mt=1477636818&mv=m&pl=23&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=092925340ED87695D41054DED9F890C1204DB90A.7D8A8B629F13F3050C3324F862564D62A4FAFD59&key=cms1
Content-Type: text/html; charset=UTF-8
Server: ClientMapServer
Content-Length: 734
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
<<< skipped >>>
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_2268:
Visual C CRT: Not enough memory to complete call to strerror.
Broken pipe
Broken pipe
Inappropriate I/O control operation
Inappropriate I/O control operation
Operation not permitted
Operation not permitted
portuguese-brazilian
portuguese-brazilian
operator
operator
GetProcessWindowStation
GetProcessWindowStation
CryptoMaterial: this object does not support precomputation
CryptoMaterial: this object does not support precomputation
GeneratableCryptoMaterial: this object does not support key/parameter generation
GeneratableCryptoMaterial: this object does not support key/parameter generation
: this object doesn't support resynchronization
: this object doesn't support resynchronization
StreamTransformation: this object doesn't support random access
StreamTransformation: this object doesn't support random access
(3-!0,1'8"5.*2$
(3-!0,1'8"5.*2$
120.26.81.103
120.26.81.103
//./%s
//./%s
XXXXXX
XXXXXX
%s|%s
%s|%s
Empty key
Empty key
[32m>>Connect select ret %d
[32m>>Connect select ret %d
..\t_baibaoyun\protocol\network\TSocket.cpp
..\t_baibaoyun\protocol\network\TSocket.cpp
[34m[%s %s %d]
[34m[%s %s %d]
[32m>>Connect field errno :%d err: %s
[32m>>Connect field errno :%d err: %s
[32m>>ret:%d,error:%d,len:%d,err:%s
[32m>>ret:%d,error:%d,len:%d,err:%s
num_key
num_key
hXXp://apicom.baibaoyun.com/cloudapi/GeneralExec?arg=
hXXp://apicom.baibaoyun.com/cloudapi/GeneralExec?arg=
[32m>>close g_sockClient %d
[32m>>close g_sockClient %d
..\t_baibaoyun\protocol\TLogin.cpp
..\t_baibaoyun\protocol\TLogin.cpp
TLogin::clearInfo
TLogin::clearInfo
ProcessPushMsg ret : %d
ProcessPushMsg ret : %d
[32m>>ProcessPushMsg is in
[32m>>ProcessPushMsg is in
TLogin::ProcessPushMsg
TLogin::ProcessPushMsg
TLogin::SimpleLogin
TLogin::SimpleLogin
%s TSocket::Connect err %d
%s TSocket::Connect err %d
TLogin::SimpleLogOut
TLogin::SimpleLogOut
TLogin::PushConnect
TLogin::PushConnect
%d.%d.%d.%d
%d.%d.%d.%d
KeySize
KeySize
: this object does't support a special last block
: this object does't support a special last block
NullRNG: NullRNG should only be passed to functions that don't need to generate random bytes
NullRNG: NullRNG should only be passed to functions that don't need to generate random bytes
: this object doesn't support multiple channels
: this object doesn't support multiple channels
is not a valid key length
is not a valid key length
InvertibleRSAFunction: computational error during private key operation
InvertibleRSAFunction: computational error during private key operation
for this key
for this key
: this key is too short to encrypt any messages
: this key is too short to encrypt any messages
for this public key
for this public key
EffectiveKeyLength
EffectiveKeyLength
RC2: effective key length parameter exceeds maximum
RC2: effective key length parameter exceeds maximum
?#%X.y
?#%X.y
E:\4.0\bbyPlugin\Release\t_baibaoyun_win32.pdb
E:\4.0\bbyPlugin\Release\t_baibaoyun_win32.pdb
KERNEL32.dll
KERNEL32.dll
IPHLPAPI.DLL
IPHLPAPI.DLL
InternetOpenUrlA
InternetOpenUrlA
WININET.dll
WININET.dll
GetCPInfo
GetCPInfo
GetProcessHeap
GetProcessHeap
t_baibaoyun_win32.dll
t_baibaoyun_win32.dll
generatersakey
generatersakey
generatersakeyW
generatersakeyW
login
login
loginW
loginW
msgcallback_login
msgcallback_login
msgcallback_loginW
msgcallback_loginW
msgcallback_loginex
msgcallback_loginex
msgcallback_loginexW
msgcallback_loginexW
msgcallback_push
msgcallback_push
msgcallback_pushW
msgcallback_pushW
.?AVPublicKeyAlgorithm@CryptoPP@@
.?AVPublicKeyAlgorithm@CryptoPP@@
.?AVPrivateKeyAlgorithm@CryptoPP@@
.?AVPrivateKeyAlgorithm@CryptoPP@@
.?AVPrivateKey@CryptoPP@@
.?AVPrivateKey@CryptoPP@@
.?AV?$ASN1CryptoMaterial@VPrivateKey@CryptoPP@@@CryptoPP@@
.?AV?$ASN1CryptoMaterial@VPrivateKey@CryptoPP@@@CryptoPP@@
.?AVPKCS8PrivateKey@CryptoPP@@
.?AVPKCS8PrivateKey@CryptoPP@@
.?AVPublicKey@CryptoPP@@
.?AVPublicKey@CryptoPP@@
.?AV?$ASN1CryptoMaterial@VPublicKey@CryptoPP@@@CryptoPP@@
.?AV?$ASN1CryptoMaterial@VPublicKey@CryptoPP@@@CryptoPP@@
.?AVX509PublicKey@CryptoPP@@
.?AVX509PublicKey@CryptoPP@@
.?AVHexEncoder@CryptoPP@@
.?AVHexEncoder@CryptoPP@@
.PAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@
.PAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@
.?AV?$SimpleKeyingInterfaceImpl@V?$TwoBases@VBlockCipher@CryptoPP@@URC6_Info@2@@CryptoPP@@V12@@CryptoPP@@
.?AV?$SimpleKeyingInterfaceImpl@V?$TwoBases@VBlockCipher@CryptoPP@@URC6_Info@2@@CryptoPP@@V12@@CryptoPP@@
.?AV?$AlgorithmImpl@V?$SimpleKeyingInterfaceImpl@V?$TwoBases@VBlockCipher@CryptoPP@@URC6_Info@2@@CryptoPP@@V12@@CryptoPP@@V12@@CryptoPP@@
.?AV?$AlgorithmImpl@V?$SimpleKeyingInterfaceImpl@V?$TwoBases@VBlockCipher@CryptoPP@@URC6_Info@2@@CryptoPP@@V12@@CryptoPP@@V12@@CryptoPP@@
.?AV?$VariableKeyLength@$0BA@$0A@$0PP@$00$03$0A@@CryptoPP@@
.?AV?$VariableKeyLength@$0BA@$0A@$0PP@$00$03$0A@@CryptoPP@@
.?AV?$SimpleKeyingInterfaceImpl@V?$TwoBases@VBlockCipher@CryptoPP@@URC5_Info@2@@CryptoPP@@V12@@CryptoPP@@
.?AV?$SimpleKeyingInterfaceImpl@V?$TwoBases@VBlockCipher@CryptoPP@@URC5_Info@2@@CryptoPP@@V12@@CryptoPP@@
.?AV?$AlgorithmImpl@V?$SimpleKeyingInterfaceImpl@V?$TwoBases@VBlockCipher@CryptoPP@@URC5_Info@2@@CryptoPP@@V12@@CryptoPP@@V12@@CryptoPP@@
.?AV?$AlgorithmImpl@V?$SimpleKeyingInterfaceImpl@V?$TwoBases@VBlockCipher@CryptoPP@@URC5_Info@2@@CryptoPP@@V12@@CryptoPP@@V12@@CryptoPP@@
.?AV?$VariableKeyLength@$0BA@$00$0IA@$00$03$0A@@CryptoPP@@
.?AV?$VariableKeyLength@$0BA@$00$0IA@$00$03$0A@@CryptoPP@@
.?AV?$SimpleKeyingInterfaceImpl@V?$TwoBases@VBlockCipher@CryptoPP@@URC2_Info@2@@CryptoPP@@V12@@CryptoPP@@
.?AV?$SimpleKeyingInterfaceImpl@V?$TwoBases@VBlockCipher@CryptoPP@@URC2_Info@2@@CryptoPP@@V12@@CryptoPP@@
.?AV?$AlgorithmImpl@V?$SimpleKeyingInterfaceImpl@V?$TwoBases@VBlockCipher@CryptoPP@@URC2_Info@2@@CryptoPP@@V12@@CryptoPP@@V12@@CryptoPP@@
.?AV?$AlgorithmImpl@V?$SimpleKeyingInterfaceImpl@V?$TwoBases@VBlockCipher@CryptoPP@@URC2_Info@2@@CryptoPP@@V12@@CryptoPP@@V12@@CryptoPP@@
.?AV?$FixedKeyLength@$0BI@$03$0A@@CryptoPP@@
.?AV?$FixedKeyLength@$0BI@$03$0A@@CryptoPP@@
.?AV?$SimpleKeyingInterfaceImpl@V?$TwoBases@VBlockCipher@CryptoPP@@UDES_EDE3_Info@2@@CryptoPP@@V12@@CryptoPP@@
.?AV?$SimpleKeyingInterfaceImpl@V?$TwoBases@VBlockCipher@CryptoPP@@UDES_EDE3_Info@2@@CryptoPP@@V12@@CryptoPP@@
.?AV?$AlgorithmImpl@V?$SimpleKeyingInterfaceImpl@V?$TwoBases@VBlockCipher@CryptoPP@@UDES_EDE3_Info@2@@CryptoPP@@V12@@CryptoPP@@V12@@CryptoPP@@
.?AV?$AlgorithmImpl@V?$SimpleKeyingInterfaceImpl@V?$TwoBases@VBlockCipher@CryptoPP@@UDES_EDE3_Info@2@@CryptoPP@@V12@@CryptoPP@@V12@@CryptoPP@@
.?AV?$VariableKeyLength@$0BA@$03$0DI@$00$03$0A@@CryptoPP@@
.?AV?$VariableKeyLength@$0BA@$03$0DI@$00$03$0A@@CryptoPP@@
.?AV?$SimpleKeyingInterfaceImpl@V?$TwoBases@VBlockCipher@CryptoPP@@UBlowfish_Info@2@@CryptoPP@@V12@@CryptoPP@@
.?AV?$SimpleKeyingInterfaceImpl@V?$TwoBases@VBlockCipher@CryptoPP@@UBlowfish_Info@2@@CryptoPP@@V12@@CryptoPP@@
.?AV?$AlgorithmImpl@V?$SimpleKeyingInterfaceImpl@V?$TwoBases@VBlockCipher@CryptoPP@@UBlowfish_Info@2@@CryptoPP@@V12@@CryptoPP@@V12@@CryptoPP@@
.?AV?$AlgorithmImpl@V?$SimpleKeyingInterfaceImpl@V?$TwoBases@VBlockCipher@CryptoPP@@UBlowfish_Info@2@@CryptoPP@@V12@@CryptoPP@@V12@@CryptoPP@@
.?AV?$VariableKeyLength@$0BA@$0BA@$0CA@$07$03$0A@@CryptoPP@@
.?AV?$VariableKeyLength@$0BA@$0BA@$0CA@$07$03$0A@@CryptoPP@@
.?AV?$SimpleKeyingInterfaceImpl@V?$TwoBases@VBlockCipher@CryptoPP@@URijndael_Info@2@@CryptoPP@@V12@@CryptoPP@@
.?AV?$SimpleKeyingInterfaceImpl@V?$TwoBases@VBlockCipher@CryptoPP@@URijndael_Info@2@@CryptoPP@@V12@@CryptoPP@@
.?AV?$AlgorithmImpl@V?$SimpleKeyingInterfaceImpl@V?$TwoBases@VBlockCipher@CryptoPP@@URijndael_Info@2@@CryptoPP@@V12@@CryptoPP@@V12@@CryptoPP@@
.?AV?$AlgorithmImpl@V?$SimpleKeyingInterfaceImpl@V?$TwoBases@VBlockCipher@CryptoPP@@URijndael_Info@2@@CryptoPP@@V12@@CryptoPP@@V12@@CryptoPP@@
.?AV?$FixedKeyLength@$0BA@$03$0A@@CryptoPP@@
.?AV?$FixedKeyLength@$0BA@$03$0A@@CryptoPP@@
.?AV?$SimpleKeyingInterfaceImpl@V?$TwoBases@VBlockCipher@CryptoPP@@UTEA_Info@2@@CryptoPP@@V12@@CryptoPP@@
.?AV?$SimpleKeyingInterfaceImpl@V?$TwoBases@VBlockCipher@CryptoPP@@UTEA_Info@2@@CryptoPP@@V12@@CryptoPP@@
.?AV?$AlgorithmImpl@V?$SimpleKeyingInterfaceImpl@V?$TwoBases@VBlockCipher@CryptoPP@@UTEA_Info@2@@CryptoPP@@V12@@CryptoPP@@V12@@CryptoPP@@
.?AV?$AlgorithmImpl@V?$SimpleKeyingInterfaceImpl@V?$TwoBases@VBlockCipher@CryptoPP@@UTEA_Info@2@@CryptoPP@@V12@@CryptoPP@@V12@@CryptoPP@@
.?AVSimpleKeyingInterface@CryptoPP@@
.?AVSimpleKeyingInterface@CryptoPP@@
comroute.baibaoyun.com
comroute.baibaoyun.com
.?AUNoChannelSupport@BufferedTransformation@CryptoPP@@
.?AUNoChannelSupport@BufferedTransformation@CryptoPP@@
.?AVInvalidKeyLength@CryptoPP@@
.?AVInvalidKeyLength@CryptoPP@@
.PAVRSAFunction@CryptoPP@@
.PAVRSAFunction@CryptoPP@@
.PAVInvertibleRSAFunction@CryptoPP@@
.PAVInvertibleRSAFunction@CryptoPP@@
.PBVPrimeSelector@CryptoPP@@
.PBVPrimeSelector@CryptoPP@@
.PB_W
.PB_W
.PAV?$basic_istream@DU?$char_traits@D@std@@@std@@
.PAV?$basic_istream@DU?$char_traits@D@std@@@std@@
.PAV?$basic_ostream@DU?$char_traits@D@std@@@std@@
.PAV?$basic_ostream@DU?$char_traits@D@std@@@std@@
45
45
00x0
00x0
9&939&:6:
9&939&:6:
2%2*2/242>2
2%2*2/242>2
5_5K5X5a5
5_5K5X5a5
8Â8K8X8a8
8Â8K8X8a8
6$6)6.646;6
6$6)6.646;6
6o7U7y7
6o7U7y7
0!1)11282
0!1)11282
6$71757?7
6$71757?7
6$6(6.6:6
6$6(6.6:6
= =$=(=,=
= =$=(=,=
5$5*505?5
5$5*505?5
6!6(6-6;6
6!6(6-6;6
2 2$2(2,20242
2 2$2(2,20242
1.0.0.0
1.0.0.0
CCmdTarget
CCmdTarget
CNotSupportedException
CNotSupportedException
commctrl_DragListMsg
commctrl_DragListMsg
COMCTL32.DLL
COMCTL32.DLL
__MSVCRT_HEAP_SELECT
__MSVCRT_HEAP_SELECT
user32.dll
user32.dll
SetViewportOrgEx
SetViewportOrgEx
OffsetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
SetViewportExtEx
ScaleViewportExtEx
ScaleViewportExtEx
RegCreateKeyExA
RegCreateKeyExA
RegOpenKeyExA
RegOpenKeyExA
SetWindowsHookExA
SetWindowsHookExA
GetKeyState
GetKeyState
UnhookWindowsHookEx
UnhookWindowsHookEx
!Win32 .DLL.
!Win32 .DLL.
.MPRESS1
.MPRESS1
.MPRESS2>
.MPRESS2>
>%Crc{
>%Crc{
f7.ST
f7.ST
Ah&`%xw
Ah&`%xw
-Qwg}W
-Qwg}W
.Rg^5
.Rg^5
ra(%X
ra(%X
-RL}tAWq
-RL}tAWq
3r.DU
3r.DU
!A
!A
#.jK$
#.jK$
.If//
.If//
i5v.dU`
i5v.dU`
wfd%C
wfd%C
.seH9
.seH9
H7\Ûy
H7\Ûy
%dWA4
%dWA4
.WmO.
.WmO.
Q.HX)
Q.HX)
ÜU2
ÜU2
.ubwO%
.ubwO%
?.MK9
?.MK9
d.DHb
d.DHb
.jtv,
.jtv,
Jnx&%D
Jnx&%D
%d{u2
%d{u2
msgcallback_autologinW
msgcallback_autologinW
msgcallback_autologin
msgcallback_autologin
shell32.dll
shell32.dll
program internal error number is %d.
program internal error number is %d.
:"%s"
:"%s"
:"%s".
:"%s".
.?AVCCmdTarget@@
.?AVCCmdTarget@@
.PAVCException@@
.PAVCException@@
.?AVCCmdUI@@
.?AVCCmdUI@@
.PAVCObject@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.?AVCNotSupportedException@@
.?AVCTestCmdUI@@
.?AVCTestCmdUI@@
.exe "
.exe "
repass
repass
UserChangePass
UserChangePass
dm.dmsoft
dm.dmsoft
SetKeypadDelay
SetKeypadDelay
SetShowErrorMsg
SetShowErrorMsg
SetWindowState
SetWindowState
,(!73!73!73!73!73!73!73!73!73 @;
,(!73!73!73!73!73!73!73!73!73 @;
.comment {color:green}
.comment {color:green}
.jS.T
.jS.T
SiX^@=65.eB
SiX^@=65.eB
;.APi
;.APi
A%x*>l
A%x*>l
@%S&)
@%S&)
;%DuH
;%DuH
LSc
LSc
A$(d%cn
A$(d%cn
8.jPs
8.jPs
.jJX[
.jJX[
*e.NaJ
*e.NaJ
pY-|þ
pY-|þ
.YrVUp\
.YrVUp\
diTXtXML:com.adobe.xmp
diTXtXML:com.adobe.xmp
" id="W5M0MpCehiHzreSzNTczkc9d"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?>
~.agAV
~.agAV
.nn-!*
.nn-!*
.tkyt
.tkyt
G:\^(
G:\^(
.RhcD
.RhcD
o.vH|
o.vH|
?h(%do
?h(%do
=7%f__
=7%f__
SOCrt
SOCrt
htu%d
htu%d
=VR^.uzL
=VR^.uzL
%fPa4
%fPa4
" id="W5M0MpCehiHzreSzNTczkc9d"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?>
!.RNi
!.RNi
%x_Xj
%x_Xj
GO#.Dx
GO#.Dx
Z>%0S_
Z>%0S_
Mm.gS
Mm.gS
(j.AKt
(j.AKt
`8.zNx:
`8.zNx:
%cK8R
%cK8R
@9u[%ul
@9u[%ul
.hr''y
.hr''y
_h@A%s
_h@A%s
.yqh(t
.yqh(t
E%X[-
E%X[-
\`!%C[8
\`!%C[8
!%D&&
!%D&&
TW%U8
TW%U8
.mN`SH
.mN`SH
.VX1P5
.VX1P5
i4
i4
X(U%Ui
X(U%Ui
.xQCO
.xQCO
usSh:Zq
usSh:Zq
D-o.OF
D-o.OF
eN%6u
eN%6u
.LI[P
.LI[P
123456789
123456789
00003333
00003333
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
inflate 1.1.3 Copyright 1995-1998 Mark Adler
1.2.18
1.2.18
F%*.*f
F%*.*f
Afx:%x:%x:%x:%x:%x
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
Afx:%x:%x
MSWHEEL_ROLLMSG
MSWHEEL_ROLLMSG
_Wb.eM3
_Wb.eM3
iphlpapi.dll
iphlpapi.dll
SHLWAPI.dll
SHLWAPI.dll
MPR.dll
MPR.dll
WSOCK32.dll
WSOCK32.dll
.PAVCNotSupportedException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.prn)|*.prn|
(*.*)|*.*||
(*.*)|*.*||
Shell32.dll
Shell32.dll
Mpr.dll
Mpr.dll
Advapi32.dll
Advapi32.dll
User32.dll
User32.dll
Gdi32.dll
Gdi32.dll
Kernel32.dll
Kernel32.dll
(&07-034/)7 '
(&07-034/)7 '
?? / %d]
?? / %d]
%d / %d]
%d / %d]
: %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.txt)|*.txt|
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|PNG
(*.JPG)|*.JPG|PNG
(*.PNG)|*.PNG|BMP
(*.PNG)|*.PNG|BMP
(*.BMP)|*.BMP|GIF
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
(*.CUR)|*.CUR|
%s:%d
%s:%d
1.6.9
1.6.9
unsupported zlib version
unsupported zlib version
png_read_image: unsupported transformation
png_read_image: unsupported transformation
out.prn
out.prn
%d.%d
%d.%d
%d / %d
%d / %d
%d/%d
%d/%d
Bogus message code %d
Bogus message code %d
libpng error: %s
libpng error: %s
libpng warning: %s
libpng warning: %s
1.1.3
1.1.3
bad keyword
bad keyword
libpng does not support gamma background rgb_to_gray
libpng does not support gamma background rgb_to_gray
Palette is NULL in indexed image
Palette is NULL in indexed image
(%d-%d):
(%d-%d):
%ld%c
%ld%c
msscript.ocx
msscript.ocx
Y%dY%dX%dX%dHeight%dHeight%dWidth%dWidth%dRECT(%d, %d)-(%d, %d)RECT(%d, %d)-(%d, %d)Styles0xXStyles0xXControl ID%dControl ID%dHandle0xXHandle0xX%s |
%s |
burlywood
burlywood
\winhlp32.exe
\winhlp32.exe
VVV.dywt.com.cn
VVV.dywt.com.cn
index.dat
index.dat
desktop.ini
desktop.ini
\StringFileInfo\%s\Comments
\StringFileInfo\%s\Comments
\StringFileInfo\%s\ProductVersion
\StringFileInfo\%s\ProductVersion
\StringFileInfo\%s\ProductName
\StringFileInfo\%s\ProductName
\StringFileInfo\%s\OriginalFilename
\StringFileInfo\%s\OriginalFilename
\StringFileInfo\%s\LegalTrademarks
\StringFileInfo\%s\LegalTrademarks
\StringFileInfo\%s\LegalCopyright
\StringFileInfo\%s\LegalCopyright
\StringFileInfo\%s\InternalName
\StringFileInfo\%s\InternalName
\StringFileInfo\%s\FileDescription
\StringFileInfo\%s\FileDescription
\StringFileInfo\%s\CompanyName
\StringFileInfo\%s\CompanyName
\StringFileInfo\%s\FileVersion
\StringFileInfo\%s\FileVersion
000%x
000%x
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.0
HTTP/1.0
%s
%s
Reply-To: %s
Reply-To: %s
From: %s
From: %s
To: %s
To: %s
Subject: %s
Subject: %s
Date: %s
Date: %s
Cc: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
%a, %d %b %Y %H:%M:%S
SMTP
SMTP
;3 #>6.&
;3 #>6.&
'2, / 0&7!4-)1#
'2, / 0&7!4-)1#
(*.avi)|*.avi
(*.avi)|*.avi
WPFT532.CNV
WPFT532.CNV
WPFT632.CNV
WPFT632.CNV
EXCEL32.CNV
EXCEL32.CNV
write32.wpc
write32.wpc
Windows Write
Windows Write
mswrd632.wpc
mswrd632.wpc
Word for Windows 6.0
Word for Windows 6.0
wword5.cnv
wword5.cnv
Word for Windows 5.0
Word for Windows 5.0
mswrd832.cnv
mswrd832.cnv
mswrd632.cnv
mswrd632.cnv
Word 6.0/95 for Windows & Macintosh
Word 6.0/95 for Windows & Macintosh
html32.cnv
html32.cnv
.PAVCResourceException@@
.PAVCResourceException@@
.PAVCUserException@@
.PAVCUserException@@
.PAVCArchiveException@@
.PAVCArchiveException@@
c:\%original file name%.exe
c:\%original file name%.exe
.gWSdtb
.gWSdtb
w=kAv.SCvs
w=kAv.SCvs
Please contact the application's support team for more information.
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- CRT not initialized
- floating point support not loaded
- floating point support not loaded
USER32.DLL
USER32.DLL
sice.sys
sice.sys
siwvid.sys
siwvid.sys
ntice.sys
ntice.sys
iceext.sys
iceext.sys
syser.sys
syser.sys
sbiedll.dll
sbiedll.dll
3%d-%d-%d
3%d-%d-%d
winhttp.dll
winhttp.dll
activation.php?code=
activation.php?code=
deactivation.php?hash=
deactivation.php?hash=
xaK%f.
xaK%f.
0r\%u
0r\%u
y}8Url
y}8Url
1.Xr}0
1.Xr}0
.YS:`
.YS:`
.sM )
.sM )
K.HrW
K.HrW
/("T.di8T
/("T.di8T
.Npnr
.Npnr
*.xgd-
*.xgd-
=f%SKf
=f%SKf
.Ta/.\
.Ta/.\
o{%CUi
o{%CUi
.cF2sQ2
.cF2sQ2
WÄe
WÄe
.bo%q
.bo%q
_.hL*)
_.hL*)
.ySfN
.ySfN
%Xcj|
%Xcj|
)\.YH
)\.YH
}.zsj
}.zsj
bA.vuW)RZ
bA.vuW)RZ
eb.ge
eb.ge
F.VmH
F.VmH
Gc.RKJ
Gc.RKJ
.ocx?=!
.ocx?=!
.Yu_9
.Yu_9
k#%Dw
k#%Dw
.vzFb
.vzFb
Ãfu
Ãfu
.oqs$
.oqs$
/.tFt
/.tFt
.KL }
.KL }
.hT!~
.hT!~
/R.QQ
/R.QQ
T"r"sQLC
T"r"sQLC
.Iq%?
.Iq%?
%6scA
%6scA
!M%CV
!M%CV
5%oZ%D"85
5%oZ%D"85
P%SDQ
P%SDQ
e.QM`P
e.QM`P
.WJr}G
.WJr}G
yZA1:&%f
yZA1:&%f
MExE
MExE
a%xbO
a%xbO
1"g%u1
1"g%u1
Su\B2e.Mz
Su\B2e.Mz
}s[#.zm
}s[#.zm
4TÛe
4TÛe
à Ue.ed
à Ue.ed
ZExEY
ZExEY
.Xk1{
.Xk1{
q.WH#4s
q.WH#4s
f%C]f
f%C]f
}.yht
}.yht
UDpI
UDpI
[.rX*$57`
[.rX*$57`
%Xh*bZ
%Xh*bZ
t'MZ5.MY
t'MZ5.MY
$.cf;
$.cf;
V.hY|
V.hY|
%F T
%F T
uTU%X
uTU%X
fR%C-
fR%C-
Fq.rI
Fq.rI
%1xHv}
%1xHv}
l.zFJ
l.zFJ
K.iHAL
K.iHAL
=.Kw
=.Kw
[.Ip6
[.Ip6
.wa4s
.wa4s
e%D%p
e%D%p
.mg2j
.mg2j
%S6r]Z
%S6r]Z
w@u%d
w@u%d
R.ZQ#
R.ZQ#
aH.mbR
aH.mbR
f#.fa
f#.fa
Sshn@y
Sshn@y
u%Sye
u%Sye
4.Fyo
4.Fyo
f%f f
f%f f
0s.Ds8
0s.Ds8
*.odB
*.odB
.ao !
.ao !
0O1S%
0O1S%
K4UDp
K4UDp
\pVv%D
\pVv%D
l:\gB
l:\gB
vq6Q%x'5Qi
vq6Q%x'5Qi
%snWY
%snWY
8.Ã
8.Ã
7.Je2
7.Je2
gZf%xN
gZf%xN
vJh
.EOz/6
.Ns};6
.fy_#
b?.Xf;
e.HA6
0|pT%s)R
Pk.tTP
%f*1YCT
W.kiG
.eQO|
[7X:5%X
c:\Zj
%XRmkDC
OG>.vG
Pj{=;.qA%U4zsZt&.zd%fs13fMPM.Og@]-nC}SHfTP.eX.V%\%Dt.iFOm.wGerW#y}%uLrv?F%X)*.*!;.9 l/Jg%F%cz`7U.HT0U;m%dkE%Sph'].PY.V'muc.Wu.fC*S!Jw;q.nYV.oS4.YzZRmoQ{%C-.rcR$0@.FPk.fx(x}.jN~45%fo#r=e>%F%sS}ZW#d.fc>-%U@k]B.xPtUd[.fOd.DE.|%US:OIS2%FQC.pk]FFI%UB0,_r0#.aaw5.db.~%sSN"g
vJh
.EOz/6
.Ns};6
.fy_#
b?.Xf;
e.HA6
0|pT%s)R
Pk.tTP
%f*1YCT
W.kiG
.eQO|
[7X:5%X
c:\Zj
%XRmkDC
OG>.vG
Pj{=;.qA%U4zsZt&.zd%fs13fMPM.Og@]-nC}SHfTP.eX.V%\%Dt.iFOm.wGerW#y}%uLrv?F%X)*.*!;.9 l/Jg%F%cz`7U.HT0U;m%dkE%Sph'].PY.V'muc.Wu.fC*S!Jw;q.nYV.oS4.YzZRmoQ{%C-.rcR$0@.FPk.fx(x}.jN~45%fo#r=e>%F%sS}ZW#d.fc>-%U@k]B.xPtUd[.fOd.DE.|%US:OIS2%FQC.pk]FFI%UB0,_r0#.aaw5.db.~%sSN"g
=.LyJ
=.LyJ
HO.aP
HO.aP
_.fW{
_.fW{
%U(x;
%U(x;
u 9.VN
u 9.VN
%u8Nr
%u8Nr
%XoLH
%XoLH
A{%Dy
A{%Dy
;%f~.bc
;%f~.bc
W.xN_
W.xN_
2;q%C
2;q%C
Z.ag(
Z.ag(
,H.bD
,H.bD
Y.cWXM&A!3
Y.cWXM&A!3
jk.eI
jk.eI
V.UzK
V.UzK
o%sA4
o%sA4
0}#:su.tG1
0}#:su.tG1
4VE%CK
4VE%CK
w;)vË
w;)vË
CrtJ^
CrtJ^
~.NiU
~.NiU
\s.Oz
\s.Oz
.CVo(
.CVo(
.bG77
.bG77
g^4.oz
g^4.oz
%U[=o
%U[=o
46f
46f
. Fl%C
. Fl%C
*Rs%S
*Rs%S
~.drL`FGJ
~.drL`FGJ
i.Zp:
i.Zp:
1s.%f%
1s.%f%
Oyy.sHv
Oyy.sHv
wHh&).Pcm
wHh&).Pcm
X}B%F
X}B%F
5.Klf
5.Klf
58%xK
58%xK
b.GTVE^\
b.GTVE^\
GvW0%7s
GvW0%7s
3.Lz*
3.Lz*
r/.LM
r/.LM
DTw:%S
DTw:%S
.SJQi
.SJQi
.eVvc
.eVvc
.Fg.y
.Fg.y
HrM.Jx
HrM.Jx
T..Hv
T..Hv
.yz]S
.yz]S
hhK%x
hhK%x
=5'.gn
=5'.gn
.GHg|B
.GHg|B
=UuRl;B
=UuRl;B
&%Dv`
&%Dv`
,V%x`
,V%x`
;z`%U
;z`%U
.Qz. nn
.Qz. nn
Zz%F\j
Zz%F\j
X.HPk)
X.HPk)
iQ.fS
iQ.fS
Z%C\@-
Z%C\@-
u7<.vb>
u7<.vb>
RQ%fJU
RQ%fJU
6.lT,R2
6.lT,R2
;.nnD
;.nnD
^T.us
^T.us
H-M
H-M
Bdy%f%
Bdy%f%
%F `[
%F `[
f.Scm
f.Scm
1O$#.FJ(
1O$#.FJ(
.qGUV
.qGUV
GmHOy.ui
GmHOy.ui
[Hm%sc
[Hm%sc
;.ci,
;.ci,
.qid`'
.qid`'
1.WKJL
1.WKJL
ZI#.enB*
ZI#.enB*
t=%fN
t=%fN
Z9{I%F
Z9{I%F
.vry=!\B
.vry=!\B
.vr@:
.vr@:
wEBT9oO
wEBT9oO
.xkH_/
.xkH_/
l^.Ba
l^.Ba
urLb?
urLb?
L6.inXh
L6.inXh
kUdp
kUdp
Ufr].sW
Ufr].sW
%fyEmfb^
%fyEmfb^
@sp~%c
@sp~%c
%cw#
%cw#
@H,.Ki
@H,.Ki
v4,H.nsT=
v4,H.nsT=
YN.wc
YN.wc
key4,
key4,
]2ÿ4
]2ÿ4
MSg."
MSg."
%X~$_C
%X~$_C
rmSG*9
rmSG*9
N/G^w%Cn
N/G^w%Cn
N.eq=
N.eq=
S%xmT@
S%xmT@
(|y.JRqMS
(|y.JRqMS
.nW:CI
.nW:CI
.Hl[}
.Hl[}
'.Oz3
'.Oz3
L%x(H
L%x(H
}`xG".sE
}`xG".sE
.xWH&r
.xWH&r
D%D:u
D%D:u
w).OD
w).OD
n)f%D
n)f%D
N\.Nz
N\.Nz
STr%US]X&
STr%US]X&
h%uIEO
h%uIEO
Vn.cMro"
Vn.cMro"
Meb
Meb
PLme.fD
PLme.fD
{r.aPo
{r.aPo
U-%dTT
U-%dTT
.vh|R8
.vh|R8
.FV!]
.FV!]
Mo .Wk
Mo .Wk
"lH@.aX
"lH@.aX
c
c
b.LAs
b.LAs
r#.eO0d
r#.eO0d
òf/w
òf/w
9.Qw_1
9.Qw_1
x%S?n
x%S?n
Oy.kOb
Oy.kOb
9.Bq[
9.Bq[
w .aj
w .aj
.LNewz5R
.LNewz5R
dfTpH
dfTpH
.yNct
.yNct
?0SQl
?0SQl
^%dH]
^%dH]
.AJgM
.AJgM
{QU&%C
{QU&%C
P.pL.A
P.pL.A
HLb.BR
HLb.BR
G.
G.
.pPVL
.pPVL
0n%sFx3N0
0n%sFx3N0
R
R
4.FW|
4.FW|
%S5H2
%S5H2
TJ.Cn@
TJ.Cn@
0_%Um&
0_%Um&
Ru.vF
Ru.vF
,g%u |aY
,g%u |aY
E3BSqLW
E3BSqLW
%xsJ9w
%xsJ9w
.REuN
.REuN
AVIFIL32.dll
AVIFIL32.dll
=~9M%S
=~9M%S
p.Tc~
p.Tc~
AiU5%uR
AiU5%uR
%s~dU
%s~dU
v.Wr?tR
v.Wr?tR
OM%U@l7
OM%U@l7
hmÖ
hmÖ
;5%sFSZ
;5%sFSZ
.Ju2$uL
.Ju2$uL
.MDQL
.MDQL
LC.AS
LC.AS
vA.fa9~ge
vA.fa9~ge
bkEY@
bkEY@
ZMn%U
ZMn%U
.JG;C
.JG;C
b.xON
b.xON
FiÌ
FiÌ
I%.Hc
I%.Hc
pv%7ucC[IV
pv%7ucC[IV
.ûZ
.ûZ
u.vs'
u.vs'
.WMHk
.WMHk
@%UeB
@%UeB
.DvOt';mA[
.DvOt';mA[
c%f~y
c%f~y
C.wfA5
C.wfA5
XJS9{.mC=
XJS9{.mC=
ZCü
ZCü
6%Xi6
6%Xi6
urly
urly
.SYh`p
.SYh`p
%dMQR/s
%dMQR/s
.WfG`
.WfG`
x.rTO
x.rTO
.yIOo
.yIOo
y#.eR
y#.eR
xi.iE
xi.iE
%6s6"M
%6s6"M
-7}?^
-7}?^
""%s
""%s
.Iep0
.Iep0
?.Lj
?.Lj
i.QlL
i.QlL
%A-9g}
%A-9g}
Fa-L}
Fa-L}
tqp.yze
tqp.yze
%FnyK_&2
%FnyK_&2
z#%DR
z#%DR
.sI|u
.sI|u
.kse/
.kse/
!Q.jG
!Q.jG
R.WYc
R.WYc
pB.nCf5
pB.nCf5
kT8,`ps%f
kT8,`ps%f
..wYv
..wYv
o#.%f
o#.%f
Ekv-T
Ekv-T
h2EW%Dm
h2EW%Dm
SC.NJ
SC.NJ
,}.lM
,}.lM
z.Yrn
z.Yrn
8].yR
8].yR
6.jZ{
6.jZ{
qkP*-b}
qkP*-b}
=%U%3w
=%U%3w
E.YB~|
E.YB~|
Q.eW4
Q.eW4
|.HJ,H4
|.HJ,H4
OkD%s
OkD%s
KG%s3
KG%s3
m.QZ
m.QZ
u99.wF
u99.wF
.BS'A
.BS'A
%C'0'n
%C'0'n
%sBqW
%sBqW
%fgG'
%fgG'
CØa
CØa
:.vN8
:.vN8
/L.cY)
/L.cY)
`.kaZ
`.kaZ
p\6%U_
p\6%U_
.loMX
.loMX
C_].HzX
C_].HzX
J.JB=?KC
J.JB=?KC
w<.qzn>
w<.qzn>
.OJNNG
.OJNNG
33}
33}
_o,.gQ_w!
_o,.gQ_w!
.TkX2
.TkX2
'*[.aQ
'*[.aQ
,h]q%c
,h]q%c
z3%Xt
z3%Xt
|:&%d
|:&%d
EG.vzf
EG.vzf
-fd}/
-fd}/
,/%fyf
,/%fyf
DAÜ
DAÜ
v).zY#
v).zY#
8U.uy
8U.uy
id%s{=
id%s{=
d}%F>c&
d}%F>c&
&f.pA
&f.pA
n%st|
n%st|
~.bgQ
~.bgQ
rO.Naz
rO.Naz
%u?XF"
%u?XF"
X`.zP
X`.zP
5Y2.wD
5Y2.wD
=.Qfo
=.Qfo
9-.AoD7\
9-.AoD7\
]%.SR
]%.SR
z;S:.sR*
z;S:.sR*
(E.Qi&sBqF
(E.Qi&sBqF
.aAeB
.aAeB
d..sp
d..sp
"|.wh
"|.wh
.Wehe
.Wehe
W.gp_
W.gp_
~.SO#gLZyz
~.SO#gLZyz
'A.qO
'A.qO
.tQJ:
.tQJ:
Qcc0.Ds?
Qcc0.Ds?
%xOtw
%xOtw
Ã’BC
Ã’BC
.Co7\
.Co7\
Z.Vl>e
Z.Vl>e
-8}[*
-8}[*
B2%xE:
B2%xE:
5%u!Ob
5%u!Ob
v %fk
v %fk
@%xTo7IM
@%xTo7IM
.BVy}
.BVy}
.WZhM
.WZhM
tx9.txM
tx9.txM
L.ol4
L.ol4
4Jb.wI
4Jb.wI
Pm.wE
Pm.wE
Q^Js%C
Q^Js%C
o.hsMah`
o.hsMah`
JF*6.qo
JF*6.qo
cP`Ù
cP`Ù
Keyv
Keyv
m.ufw
m.ufw
.kA"e
.kA"e
.egj2
.egj2
.QkQ y6
.QkQ y6
cFTP
cFTP
Z:\6!
Z:\6!
cS.jE
cS.jE
.iFi]
.iFi]
%u
%u
)#%U=
)#%U=
!G.etF
!G.etF
wcrT
wcrT
n.fWF
n.fWF
.iie=
.iie=
0il&?.nW
0il&?.nW
.dl-O
.dl-O
J.GI$
J.GI$
.Iv*4
.Iv*4
9S
9S
.-rmXw}d
.-rmXw}d
%uX~#p{h
%uX~#p{h
.pJdl_
.pJdl_
Ê?"y
Ê?"y
&.rZD
&.rZD
.sk~e
.sk~e
~X.XO
~X.XO
.mtu"
.mtu"
a&i%cy
a&i%cy
*L%SD
*L%SD
j/{.JcV
j/{.JcV
uDP\>
uDP\>
dD|.dpQ
dD|.dpQ
.Zc{~
.Zc{~
Bq%X{4
Bq%X{4
yP.lxzA
yP.lxzA
Jw.mD
Jw.mD
kf)%s
kf)%s
%fLuF
%fLuF
{-Û
{-Û
m0.vBO
m0.vBO
7V.Sf,-
7V.Sf,-
zexe
zexe
.md@8ae
.md@8ae
.Gw )
.Gw )
.cc/O
.cc/O
!>] ]\]:
!>] ]\]:
\}%xb
\}%xb
9p%ulh
9p%ulh
%DGBWF
%DGBWF
^WO%X
^WO%X
.hA[N
.hA[N
[%XKj
[%XKj
{%S|I
{%S|I
.TG0n
.TG0n
jmsg
jmsg
'2.yu
'2.yu
.Lz7hP
.Lz7hP
-%f{L
-%f{L
.EB'T]
.EB'T]
p.OEN
p.OEN
%SL/qc)te
%SL/qc)te
d0%X1
d0%X1
5xK%c
5xK%c
!.bt6M$
!.bt6M$
0 %uP
0 %uP
%d:I2q
%d:I2q
o'%Se
o'%Se
.uf\m
.uf\m
.YBL8
.YBL8
-N}#_
-N}#_
Niru.fVL6
Niru.fVL6
.qoKXXLa R>
.qoKXXLa R>
C%fSo
C%fSo
_G.my
_G.my
q!`W]niq}-f}/
q!`W]niq}-f}/
S.fG
S.fG
NT.WO
NT.WO
|Rag
|Rag
%@/)}]25
%@/)}]25
8%x)>
8%x)>
:.yi:
:.yi:
4b.Uy
4b.Uy
m.PHg=
m.PHg=
%uUQis
%uUQis
gOT.gx
gOT.gx
/.mdeOB$6
/.mdeOB$6
w@n@/.cG2
w@n@/.cG2
}O.tg
}O.tg
.lB(o|
.lB(o|
N.aI4'
N.aI4'
%Dp 9
%Dp 9
1CRt3\
1CRt3\
A|4URl
A|4URl
HTUDP
HTUDP
W.iiJ
W.iiJ
.NXoj
.NXoj
>9I%X
>9I%X
Lss.gh
Lss.gh
dß|
dß|
%s4xe
%s4xe
.pnP4
.pnP4
iDq1b.jM
iDq1b.jM
).GRBsQJ .
).GRBsQJ .
4.Cj==
4.Cj==
%XPof
%XPof
`T.cl
`T.cl
.mGsn
.mGsn
Z.lrC*86W
Z.lrC*86W
p`.TB
p`.TB
{.McZ3
{.McZ3
EX.oC
EX.oC
C^.QN
C^.QN
.VkKJ[=?
.VkKJ[=?
il.Dr
il.Dr
N.cOE
N.cOE
L4ZS%F
L4ZS%F
-L.dUeb
-L.dUeb
9.Ww0
9.Ww0
k.Uf-S
k.Uf-S
&X.jj
&X.jj
FQ.PJ'>l
FQ.PJ'>l
.gGK~
.gGK~
%FY3$
%FY3$
9d%4uW
9d%4uW
Z>a.bgL
Z>a.bgL
.FKG0
.FKG0
Zc.CK
Zc.CK
.UJ%k
.UJ%k
K\.QP`
K\.QP`
.Hp~e
.Hp~e
[%.jE
[%.jE
L.Zo`K
L.Zo`K
.vXbR}k
.vXbR}k
%sOT8]
%sOT8]
=.ejg
=.ejg
C3x(%Dg
C3x(%Dg
%XKSc
%XKSc
$GL.Tw4
$GL.Tw4
G.rY4d
G.rY4d
uRLoW
uRLoW
Fzlgo%U
Fzlgo%U
.WIfX
.WIfX
c]B%C
c]B%C
h(.EI
h(.EI
m>.WDU
m>.WDU
h.did|
h.did|
On%1X
On%1X
.pqvU
.pqvU
2y.Am
2y.Am
.z.FY
.z.FY
z_.SaS
z_.SaS
t].eX}
t].eX}
.qT},i
.qT},i
}BL.Ebu
}BL.Ebu
v*;.LS
v*;.LS
V$
V$
SsHK@
SsHK@
Kr\.RW
Kr\.RW
%S^I&
%S^I&
A7_T.nf
A7_T.nf
sV<.ex>
sV<.ex>
.^.Mm
.^.Mm
S.Ua'm'
S.Ua'm'
U.It
U.It
InternetCanonicalizeUrlA
InternetCanonicalizeUrlA
o .yR
o .yR
LhXXp://pki-crl.symauth.com/ca_219679623e6b4fa507d638cbeba72ecb/LatestCRL.crl07
LhXXp://pki-crl.symauth.com/ca_219679623e6b4fa507d638cbeba72ecb/LatestCRL.crl07
hXXp://pki-ocsp.symauth.com0
hXXp://pki-ocsp.symauth.com0
ehXXp://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsEngineersIncIEEERootCA.crl0
ehXXp://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsEngineersIncIEEERootCA.crl0
h.lUh
h.lUh
RWTSAPI32.dll
RWTSAPI32.dll
5%FR*
5%FR*
.ZTD@w1
.ZTD@w1
MSVFW32.dll
MSVFW32.dll
Udpo
Udpo
xH`
xH`
7.bD $l
7.bD $l
.LwvE=
.LwvE=
qzq%u
qzq%u
RKERNEL32.dll
RKERNEL32.dll
RGDI32.dll
RGDI32.dll
RASAPI32.dll
RASAPI32.dll
3.uQ)m
3.uQ)m
n.tFtX
n.tFtX
Dh==e.Ht
Dh==e.Ht
3, 1233, 0, 0
3, 1233, 0, 0
mscoree.dll
mscoree.dll
nKERNEL32.DLL
nKERNEL32.DLL
WUSER32.DLL
WUSER32.DLL
%s_tmp
%s_tmp
errcode : %d,
errcode : %d,
1.0.0.2
1.0.0.2
Error at hooking API "%S"
Error at hooking API "%S"
Dumping first %d bytes:
Dumping first %d bytes:
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Cannot %s server %s
Cannot %s server %s
Error: 0x%X
Error: 0x%X
The procedure entry point %s could not be located in the module %s
The procedure entry point %s could not be located in the module %s
Cannot load file %s
Cannot load file %s
Error: %d
Error: %d
WMIADAP.EXE_1812:
?Report@CEventLog@@QAEHGKVCInsertionString@@000000000@Z
WMIADAP.pdb
WMIADAP.pdb
5m6z6
5m6z6
%s_x
%s_x
%s_x_
%s_x_
Global\WMI_SysEvent_Semaphore_%d
Global\WMI_SysEvent_Semaphore_%d
WinMSGWMIADAP
WinMSGWMIADAP
\\.\root\cimv2
\\.\root\cimv2
WMIADAP Msg window
WMIADAP Msg window
\\.\root\wmi
\\.\root\wmi
PSAPI.DLL
PSAPI.DLL
x=%s
x=%s
Describes all the counters supported via WMI Hi-Performance providers
Describes all the counters supported via WMI Hi-Performance providers
_new.ini
_new.ini
xx %s%s.ini
xx %s%s.ini
xx %s
xx %s
\\.\ROOT\cimv2:__ClassProviderRegistration.provider="\\\\.\\root\\cimv2:__Win32Provider.Name=\"WmiPerfClass\""
\\.\ROOT\cimv2:__ClassProviderRegistration.provider="\\\\.\\root\\cimv2:__Win32Provider.Name=\"WmiPerfClass\""
WmiApRes.dll
WmiApRes.dll
%s\%s
%s\%s
6.1.7600.16385 (win7_rtm.090713-1255)
6.1.7600.16385 (win7_rtm.090713-1255)
wmicookr.dll
wmicookr.dll
Windows
Windows
Operating System
Operating System
6.1.7600.16385
6.1.7600.16385
SearchProtocolHost.exe_2528:
SearchFilterHost.exe_2176: