Backdoor.Win32.Caphaw_QKKBAL_c7eaad2852

by malwarelabrobot on July 27th, 2016 in Malware Descriptions.

Trojan.Win32.Crypt.ekm (Kaspersky), Win32.HLLM.Reset.493 (DrWeb), Trojan-FIQV!BC6C713511C1 (McAfee), Win32:Malware-gen (Avast), Backdoor.Win32.Farfli.FD, Trojan-Downloader.Win32.Karagany.1.FD, Trojan.Win32.Alureon.FD, mzpefinder_pcap_file.YR, GenericInjector.YR, BackdoorCaphaw_QKKBAL.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan, Backdoor, Malware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: c7eaad28523b7779f03e73b9525a99ab
SHA1: a145f33f1327ccae9259a16585428b94e97a8a2a
SHA256: abc6b317823823e70e73bf6fccfbacd58cfb49dc7764acb0ef3c782334e6f95d
SSDeep: 3072:SBu5NoDxvM1GjiUfMvbhINwp5JvvoO5 kbF6lnc7uvP5OiBK oCP23zAc2WzKIQ7:SwoD1kG Uohr5JvAOZR6Nca35FBuNK57
Size: 218880 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2016-05-16 13:41:12
Analyzed on: WindowsXP SP3 32-bit


Summary:

Backdoor. Malware that enables a remote control of victim's machine.

Payload

No specific payload has been found.

Process activity

The Backdoor creates the following process(es):

AdbeRdr1012_en_US.exe:2908
verclsid.exe:3340
verclsid.exe:3280
verclsid.exe:3208
U78n983:2324
MsiExec.exe:2132
MsiExec.exe:3836
MsiExec.exe:432
setup.exe:3420
Adobe_Updater.exe:3104
%original file name%.exe:1676
csslisog.exe:1780
csslisog.exe:3908

The Backdoor injects its code into the following process(es):

vmacthlp.exe:892
svchost.exe:1980
svchost.exe:1512
Explorer.EXE:532
services.exe:724
lsass.exe:736
svchost.exe:904
svchost.exe:988
wmiprvse.exe:1068
svchost.exe:1084
svchost.exe:1128
svchost.exe:1180
spoolsv.exe:1424
jqs.exe:1640

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process AdbeRdr1012_en_US.exe:2908 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Application Data\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AA1000000001}\Data1.cab (895790 bytes)
%Documents and Settings%\All Users\Application Data\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AA1000000001}\Setup.ini (498 bytes)
%Documents and Settings%\All Users\Application Data\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AA1000000001}\AcroRead.msi (15021 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\25109\config.bin (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\25109\RDC.bin (114531 bytes)
%Documents and Settings%\All Users\Application Data\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AA1000000001}\setup.exe (9595 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AdobeSFX.log (6393 bytes)
%Documents and Settings%\All Users\Application Data\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AA1000000001}\AdbeRdrUpd1012.msp (115622 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\25109\installer.bin (286043 bytes)
%Documents and Settings%\All Users\Application Data\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AA1000000001}\ABCPY.INI (1 bytes)

The Backdoor deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\25109 (0 bytes)
%Documents and Settings%\All Users\Application Data\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AA1000000001}\15833.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\25109\config.bin (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\25109\RDC.bin (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\25109\22395.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\25109\installer.bin (0 bytes)

The process U78n983:2324 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\csslisog.exe (1281 bytes)

The process MsiExec.exe:3836 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\~1B.tmp (968 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{AC76BA86-7AD7-1033-7B44-A93000000001}\FixTransforms.exe (422180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{AC76BA86-7AD7-1033-7B44-AA1000000001}\FixTransforms.exe (422180 bytes)

The Backdoor deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\{AC76BA86-7AD7-1033-7B44-AA1000000001}\FixTransforms.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~1B.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{AC76BA86-7AD7-1033-7B44-AA1000000001} (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{AC76BA86-7AD7-1033-7B44-A93000000001} (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{AC76BA86-7AD7-1033-7B44-A93000000001}\FixTransforms.exe (0 bytes)
%System%\Elevation.tmp (0 bytes)

The process MsiExec.exe:432 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

C:\ (8 bytes)
%Documents and Settings%\%current user%\Favorites (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp (8 bytes)
%Program Files%\Common Files\System\ado\msadrh15.dll.new (114 bytes)
%Program Files%\Common Files\System\directdb.dll.new (1202 bytes)
%Program Files%\Common Files\System\Ole DB\msdaosp.dll (2854 bytes)
%System%\dllcache\msdaenum.dll.new (8 bytes)
%Program Files%\Common Files\System\Ole DB\msdaps.dll (4038 bytes)
%Program Files%\Internet Explorer\Connection Wizard (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Acrobat\9.0\Updater\updater.log (10010 bytes)
%Documents and Settings%\ALL USERS (4 bytes)
%Program Files%\Common Files\VMware\Drivers\scsi (4 bytes)
%System%\dllcache\msader15.dll.new (48 bytes)
%Program Files%\Common Files\VMware\Drivers\Virtual Printer\TPOG3\i386 (4 bytes)
%Documents and Settings%\All Users\Documents\My Music (4 bytes)
%Program Files%\Common Files\System\Ole DB\msdaora.dll (4646 bytes)
%System%\dllcache\dao360.dll (6722 bytes)
%Program Files%\Common Files\Microsoft Shared\Speech\sapi.dll (20934 bytes)
%Program Files%\Common Files\Java\JAVA UPDATE (4 bytes)
%Program Files%\Common Files\System\wab32.dll (11654 bytes)
%Program Files%\Internet Explorer\Connection Wizard\RCX16B.tmp (1429 bytes)
%System%\dllcache\msaddsr.dll (48 bytes)
%System%\dllcache\msdadc.dll (8 bytes)
%Program Files%\Common Files\Adobe\ARM\1.0 (4 bytes)
%Program Files%\Internet Explorer\Connection Wizard\inetwiz.exe (2566 bytes)
%Program Files%\Common Files\System\msadc\msdarem.dll (4214 bytes)
%Program Files%\Common Files\System\ado\msjro.dll (4056 bytes)
%Documents and Settings%\%current user% (4 bytes)
%WinDir%\Temp\Perflib_Perfdata_668.dat (4 bytes)
%Program Files%\Common Files\Adobe\Acrobat\ActiveX (4 bytes)
%Program Files%\Common Files\System (44 bytes)
%System%\dllcache\msdasc.dll.new (8 bytes)
%Program Files%\Common Files\System\Ole DB\msdaora.dll.new (2562 bytes)
%Program Files%\Common Files\System\msadc\msdfmap.dll (2638 bytes)
%Documents and Settings%\All Users\Start Menu\Programs (4 bytes)
%Program Files%\Common Files\System\msadc (16 bytes)
%Program Files%\Common Files\System\Ole DB\msdatl3.dll.new (1202 bytes)
%Program Files%\Common Files\MSSoap\Binaries\Resources\1033\mssoapr.dll (23 bytes)
%Documents and Settings%\%current user%\SendTo (4 bytes)
%Program Files%\Common Files\System\Ole DB\sqloledb.dll (10886 bytes)
%Program Files%\Common Files\System\ado\msado15.dll (10134 bytes)
%Program Files%\Internet Explorer (12 bytes)
%WinDir%\Prefetch\PERL.EXE-28C02382.pf (1202 bytes)
%Program Files%\Adobe\Reader 10.0\Reader\PLUG_INS3D (4 bytes)
%Program Files%\Common Files\Microsoft Shared\DW (4 bytes)
%System%\dllcache\msadcor.dll.new (32 bytes)
%Program Files%\Internet Explorer\Connection Wizard\trialoc.dll (2566 bytes)
%WinDir% (288 bytes)
%Program Files%\Adobe\Reader 10.0\Reader (300 bytes)
%Program Files%\Common Files\System\Ole DB\msdatl3.dll (2854 bytes)
C:\$Directory (4 bytes)
%System%\dllcache (13576 bytes)
%Program Files%\Internet Explorer\IEXPLORE.EXE (2854 bytes)
%Program Files%\Common Files\System\msadc\msadcs.dll (2854 bytes)
C:\PROGRAM FILES (4 bytes)
%Program Files%\Common Files\System\msadc\msadco.dll.new (1346 bytes)
%Program Files%\Common Files\System\Ole DB\oledb32.dll (5488 bytes)
%Program Files%\Common Files\Microsoft Shared\Speech\sapisvr.exe (2638 bytes)
%System%\config (100 bytes)
%Documents and Settings%\All Users\Start Menu (4 bytes)
%WinDir%\Installer\$PatchCache$\Managed (4 bytes)
%Program Files%\Internet Explorer\Connection Wizard\icwhelp.dll (3552 bytes)
%Program Files%\Common Files\VMware\Drivers\vmxnet3 (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data (8 bytes)
%Program Files%\Common Files\System\ado\msadomd.dll (5384 bytes)
%Program Files%\Common Files\System\msadc\msadds.dll (4952 bytes)
%Program Files%\Common Files\System\ado\msado15.dll.new (6722 bytes)
%Program Files%\Common Files\System\Ole DB\sqlxmlx.dll (4646 bytes)
%Program Files%\Common Files\MSSoap\Binaries\wisc10.dll (2566 bytes)
%Program Files%\Common Files\System\msadc\msdarem.dll.new (1202 bytes)
%System%\dllcache\fp4autl.dll (8370 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\mtjjyklc.log (4 bytes)
%System%\dllcache\msdaorar.dll (32 bytes)
%Program Files%\Internet Explorer\iedw.exe (2566 bytes)
%Program Files%\Common Files\MSSoap\Binaries\mssoap1.dll (6600 bytes)
%Program Files%\Internet Explorer\Connection Wizard\icwutil.dll (2854 bytes)
%System% (1840 bytes)
%System%\config\SysEvent.Evt (4000 bytes)
%Program Files%\COMMON FILES (12 bytes)
%Program Files%\Common Files\SpeechEngines\Microsoft\TTS\1033\spttseng.dll (25656 bytes)
%Program Files%\Internet Explorer\Connection Wizard\icwconn2.exe (4830 bytes)
%Program Files%\Common Files\Microsoft Shared (16 bytes)
%Documents and Settings%\%current user%\APPLICATION DATA (4 bytes)
%Program Files%\Common Files\Microsoft Shared\VGX\vgx.dll (15042 bytes)
%Program Files%\Common Files\System\ado\msadox.dll (4038 bytes)
%Program Files%\Common Files\System\Ole DB\msdaosp.dll.new (1202 bytes)
%Program Files%\Common Files\Microsoft Shared\OFFICE14\1033 (4 bytes)
%WinDir%\Prefetch (1152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~1B.tmp (676 bytes)
%Program Files%\Adobe\Reader 10.0\Reader\plug_ins (4 bytes)
%Program Files%\Common Files\System\ado (12 bytes)
%Program Files%\Common Files\System\msadc\msadco.dll (3608 bytes)
%Program Files%\Common Files\System\directdb.dll (2854 bytes)
%Program Files%\Common Files\System\msadc\msadcs.dll.new (106 bytes)
%Program Files%\Common Files\MSSoap\Binaries\wisc10.dll.new (56 bytes)
%Program Files%\Common Files\System\Ole DB\MSDAIPP.DLL (10886 bytes)
%Program Files%\Internet Explorer\Connection Wizard\icwconn1.exe (4646 bytes)
%Program Files%\Common Files\Microsoft Shared\OFFICE14 (4 bytes)
%Program Files%\Common Files\System\Ole DB\msdaps.dll.new (2562 bytes)
%Program Files%\Common Files\System\Ole DB\msdasql.dll (6918 bytes)
%Program Files%\Common Files\System\ado\msadox.dll.new (2562 bytes)
%Program Files%\Common Files\System\Ole DB (28 bytes)
%Program Files%\Common Files\SpeechEngines\Microsoft\spcommon.dll (4056 bytes)
%Program Files%\Common Files\System\msadc\msadce.dll (6726 bytes)
%WinDir%\Installer (96 bytes)
%Program Files%\Common Files\System\Ole DB\oledb32r.dll (65 bytes)
%Documents and Settings%\%current user%\Local Settings (12 bytes)
%WinDir%\inf (400 bytes)
%System%\dllcache\msdaer.dll.new (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\7fe17d887612.log (578 bytes)
%Program Files%\Common Files\System\ado\msador15.dll (2968 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Updater6\aumLib.log (1203 bytes)
%Program Files%\Common Files\System\msadc\msadcf.dll (2854 bytes)
%Program Files%\Common Files\System\msadc\msdaprst.dll.new (2562 bytes)
%Program Files%\Common Files\Microsoft Shared\Triedit\triedit.dll (1346 bytes)
%Program Files%\Adobe\Reader 10.0\Resource (4 bytes)
%Program Files%\Common Files\Microsoft Shared\MSInfo\msinfo32.exe (1440 bytes)
%System%\dllcache\mssoapr.dll (48 bytes)
%Program Files%\Common Files\System\msadc\msdaprst.dll (4038 bytes)
%Program Files%\Common Files\VMware\Drivers\VIDEO_XPDM (4 bytes)
%Program Files%\Common Files\VMware\Drivers\vmxnet (8 bytes)
%System%\dllcache\msdaprsr.dll.new (32 bytes)
%Program Files%\Internet Explorer\Connection Wizard\icwdl.dll (2566 bytes)
%Program Files%\Internet Explorer\HMMAPI.DLL (2566 bytes)
%System%\dllcache\msdasqlr.dll (32 bytes)
%Program Files%\Internet Explorer\Connection Wizard\isignup.exe (2566 bytes)
C:\Config.Msi (868 bytes)
%System%\dllcache\msdaremr.dll.new (32 bytes)
%Program Files%\Common Files\Microsoft Shared\Triedit\TRIEDIT.DLL (872 bytes)
%Program Files%\Common Files\System\Ole DB\RCX15F.tmp (3365 bytes)
%Program Files%\Common Files\System\ado\msadrh15.dll (2854 bytes)

The Backdoor deletes the following file(s):

%Documents and Settings%\All Users\Application Data\Adobe\Updater6\AdobeESDGlobalApps.xml (0 bytes)

The process Adobe_Updater.exe:3104 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Updater6\AdobeUpdaterPrefs.dat (1088 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Updater6\aum.log (2309 bytes)

The Backdoor deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Updater6\AdobeUpdaterPrefs.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Updater6\crl (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Updater6\Data (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\ESD (0 bytes)

The process %original file name%.exe:1676 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\csslisog.exe (1281 bytes)

The process csslisog.exe:1780 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Start Menu\Programs\Startup\swegbgid.exe (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kqmtqgym\swegbgid.exe (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jyabgndb.exe (1281 bytes)

Registry activity

The process AdbeRdr1012_en_US.exe:2908 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6C AD 33 32 65 81 C0 11 CF 1D 02 B9 FC 04 1B 9F"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

The process verclsid.exe:3340 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "31 AD 5B 8E 8F 08 8A 56 5A A2 C0 B8 24 98 2B 75"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

The process verclsid.exe:3280 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D8 2A 12 F0 89 EF 9E 10 56 9A D8 C4 AC F5 E8 70"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

The process verclsid.exe:3208 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8E 1E BA C0 23 75 76 DD FC E0 0D DC 37 44 18 53"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

The process U78n983:2324 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "23 43 A5 91 06 D5 EA EF 2F 5E B2 DB 95 CD 86 A2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

The process MsiExec.exe:2132 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CB 76 12 1E 4B C6 63 FF F7 7E 96 B4 C5 FC D9 9C"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

The process MsiExec.exe:3836 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B5 B8 C3 9C 30 C0 68 40 67 F0 BD 3E C5 75 7A CA"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKCU\Software\Netscape\Netscape Navigator\Viewers]
"TYPE37" = "application/vnd.adobe.xdp"
"TYPE36" = "application/vnd.rmf"
"TYPE35" = "application/vnd.adobe.xfdf"
"TYPE34" = "application/vnd.fdf"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

The Backdoor deletes the following registry key(s):

[HKLM\SOFTWARE\Adobe\Installer\{AC76BA86-7AD7-1033-7B44-A93000000001}]
[HKLM\SOFTWARE\Adobe\Installer]
[HKLM\SOFTWARE\Adobe\Installer\{AC76BA86-7AD7-1033-7B44-AA1000000001}]

The Backdoor deletes the following value(s) in system registry:

[HKCU\Software\Netscape\Netscape Navigator\Viewers]
"TYPE37"
"TYPE36"
"TYPE35"
"TYPE34"

The process MsiExec.exe:432 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Favorites" = "%Documents and Settings%\All Users\Favorites"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Adobe\Installer\{AC76BA86-7AD7-1033-7B44-AA1000000001}]
"SetupCacheExport" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"NetHood" = "%Documents and Settings%\%current user%\NetHood"

[HKLM\SOFTWARE\Adobe\Installer\{AC76BA86-7AD7-1033-7B44-A93000000001}]
"OriginalDatabase" = "%WinDir%\Installer\174e13.msi"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Fonts" = "%WinDir%\Fonts"
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKLM\SOFTWARE\Adobe\Installer\{AC76BA86-7AD7-1033-7B44-AA1000000001}]
"reader" = "%Program Files%\Adobe\Reader 10.0\Reader\"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Templates" = "%Documents and Settings%\%current user%\Templates"
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\SOFTWARE\Adobe\Installer\{AC76BA86-7AD7-1033-7B44-AA1000000001}]
"ProductName" = "Adobe Reader X (10.1.2)"

[HKLM\SOFTWARE\Adobe\Installer\{AC76BA86-7AD7-1033-7B44-A93000000001}]
"WindowsFolder" = "%WinDir%\"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
"PrintHood" = "%Documents and Settings%\%current user%\PrintHood"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Adobe\Installer\{AC76BA86-7AD7-1033-7B44-A93000000001}]
"ProductName" = "Adobe Reader 9.3.4"
"DeleteUpdateFolder" = "Yes"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Administrative Tools" = "%Documents and Settings%\All Users\Start Menu\Programs\Administrative Tools"
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"

[HKLM\SOFTWARE\Adobe\Installer\{AC76BA86-7AD7-1033-7B44-AA1000000001}]
"AllUsers" = "1"

[HKLM\SOFTWARE\Adobe\Installer\{AC76BA86-7AD7-1033-7B44-A93000000001}]
"DefragResetProgress" = "No"

[HKLM\SOFTWARE\Adobe\Installer\{AC76BA86-7AD7-1033-7B44-AA1000000001}]
"DefragResetProgress" = "No"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKLM\SOFTWARE\Adobe\Installer\{AC76BA86-7AD7-1033-7B44-AA1000000001}]
"OriginalDatabase" = "%Documents and Settings%\All Users\Application Data\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AA1000000001}\AcroRead.msi"

[HKLM\SOFTWARE\Adobe\Installer\{AC76BA86-7AD7-1033-7B44-A93000000001}]
"CACHE_DIR" = "%Program Files%\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A93000000001}\"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Favorites" = "%Documents and Settings%\%current user%\Favorites"
"Administrative Tools" = ""
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Adobe\Installer\{AC76BA86-7AD7-1033-7B44-AA1000000001}]
"CACHE_DIR" = "%Program Files%\Adobe\Reader 10.0\Setup Files\{AC76BA86-7AD7-1033-7B44-AA1000000001}\"
"DeleteUpdateFolder" = "Yes"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"SendTo" = "%Documents and Settings%\%current user%\SendTo"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Adobe\Installer\{AC76BA86-7AD7-1033-7B44-A93000000001}]
"SetupCacheExport" = ""

[HKLM\SOFTWARE\Adobe\Installer\{AC76BA86-7AD7-1033-7B44-AA1000000001}]
"ALLUSERS_APPDATA_ADOBE" = "%Documents and Settings%\All Users\Application Data\Adobe\"
"ReinstallMode" = "omus"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
"My Music" = "%Documents and Settings%\%current user%\My Documents\My Music"

[HKLM\SOFTWARE\Adobe\Installer\{AC76BA86-7AD7-1033-7B44-A93000000001}]
"plug_ins" = "%Program Files%\Adobe\Reader 9.0\Reader\plug_ins\"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F1 F8 D9 0B DA 36 40 B0 DB 1A 1B 2A C9 01 69 D3"

[HKLM\SOFTWARE\Adobe\Installer\{AC76BA86-7AD7-1033-7B44-AA1000000001}]
"ACTIVE_X" = "%Program Files%\Common Files\Adobe\Acrobat\ActiveX\"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKLM\SOFTWARE\Adobe\Installer\{AC76BA86-7AD7-1033-7B44-AA1000000001}]
"plug_ins" = "%Program Files%\Adobe\Reader 10.0\Reader\plug_ins\"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%Program Files%\Common Files\Adobe\Acrobat\ActiveX,"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCR\acrobat\shell\open\ddeexec\application]
"(Default)" = "AcroViewR10"

[HKLM\SOFTWARE\Adobe\Installer\{AC76BA86-7AD7-1033-7B44-A93000000001}]
"ReinstallMode" = "omus"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Recent" = "%Documents and Settings%\%current user%\Recent"

[HKLM\SOFTWARE\Adobe\Installer\{AC76BA86-7AD7-1033-7B44-AA1000000001}]
"WindowsFolder" = "%WinDir%\"

[HKLM\SOFTWARE\Adobe\Installer\{AC76BA86-7AD7-1033-7B44-A93000000001}]
"remove" = "ALL"

[HKLM\SOFTWARE\Adobe\Installer\{AC76BA86-7AD7-1033-7B44-AA1000000001}]
"DEFAULT_VERB" = "Read"
"ProductCode" = "{AC76BA86-7AD7-1033-7B44-AA1000000001}"

[HKLM\SOFTWARE\Adobe\Acrobat Reader\10.0\Installer\Optimization]
"DefragStatus" = "1"

[HKLM\SOFTWARE\Adobe\Installer\{AC76BA86-7AD7-1033-7B44-A93000000001}]
"AllUsers" = "1"

The Backdoor deletes the following value(s) in system registry:
The Backdoor disables automatic startup of the application by deleting the following autorun value:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Synchronizer"

The process setup.exe:3420 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BD 6E CF 7C BF A4 24 AC 72 89 DD D2 77 28 D9 AF"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

The process vmacthlp.exe:892 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%System%\config\systemprofile\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

The process Adobe_Updater.exe:3104 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8E 1A 23 F9 3C 7A EE 5A 70 7F 88 93 DA 69 D1 F8"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C]
"BaseClass" = "Drive"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached]
"{67EA19A0-CCEF-11D0-8024-00C04FD75D13} {00000000-0000-0000-C000-000000000046} 0x401" = "01 00 00 00 7C 6C 9C 7C 42 DC F5 45 59 E7 D1 01"
"{40DD6E20-7C17-11CE-A804-00AA003CA9F6} {00000000-0000-0000-C000-000000000046} 0x401" = "01 00 00 00 E6 6F DD 77 DC 89 44 46 59 E7 D1 01"
"{ECF03A33-103D-11D2-854D-006008059367} {00000000-0000-0000-C000-000000000046} 0x401" = "01 00 00 00 E6 6F DD 77 3C 64 1E 46 59 E7 D1 01"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
"BaseClass" = "Drive"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F]
"BaseClass" = "Drive"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Fonts" = "%WinDir%\Fonts"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\A]
"BaseClass" = "Drive"

The Backdoor deletes the following value(s) in system registry:
The Backdoor disables automatic startup of the application by deleting the following autorun value:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AdobeUpdater6"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeUpdater6"

The process %original file name%.exe:1676 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AC 17 13 A6 BE 43 69 61 B0 D9 D3 F8 ED 8A 25 44"

The process csslisog.exe:1780 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D7 B8 CB 89 5E 20 DB A9 70 1C 42 6F 64 9F EE A8"

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion]
"jfghdug_ooetvtgk" = "TRUE"

[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"

"FirewallOverride" = "1"
"UacDisableNotify" = "1"

Antivirus notifications are disabled:

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"

The following service is disabled:

[HKLM\System\CurrentControlSet\Services\wuauserv]
"Start" = "4"

A firewall is disabled:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"

To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"SweGbgid" = "%Documents and Settings%\%current user%\Local Settings\Application Data\kqmtqgym\swegbgid.exe"

The following service is disabled:

[HKLM\System\CurrentControlSet\Services\wscsvc]
"Start" = "4"

Firewall notifications are disabled:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = "1"

The Backdoor deletes the following value(s) in system registry:
The Backdoor disables automatic startup of the application by deleting the following autorun value:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"

The process csslisog.exe:3908 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8C 6F BA D6 9B 68 DC 11 CA D3 70 DE 08 65 4E 39"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

Dropped PE files

MD5 File path
020bc0a588b9685208985934b21af1a6 c:\Documents and Settings\All Users\Application Data\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AA1000000001}\setup.exe
a8fd47ec1de9369f835bd707bd5f4ddb c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\AdbeRdr1012_en_US.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

The Backdoor installs the following user-mode hooks in USER32.dll:

TranslateMessage

The Backdoor installs the following user-mode hooks in WS2_32.dll:

WSASendTo
WSARecvFrom
WSASend
recv
WSARecv
send
closesocket
recvfrom
sendto

The Backdoor installs the following user-mode hooks in ntdll.dll:

LdrLoadDll
NtResumeThread
NtQueryDirectoryFile

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
UPX0 4096 143360 0 0 d41d8cd98f00b204e9800998ecf8427e
UPX1 147456 208896 206336 5.45775 38dcd0b41f462be95215c047d40da3e4
.rsrc 356352 4096 2560 2.65153 7512018f609f84d73448748b8bcf00d5

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://e4937.d.akamaiedge.net/get/flashplayer/current/licensing/win/install_flash_player_11_plugin_32bit.exe
hxxp://a1953.d.akamai.net/pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe
hxxp://e6845.dscb1.akamaiedge.net/pca3.crl
hxxp://e6845.dscb1.akamaiedge.net/CSC3-2009-2.crl
hxxp://ardownload.adobe.com/pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe 212.30.134.183
hxxp://crl.verisign.com/pca3.crl 23.37.37.163
hxxp://csc3-2009-2-crl.verisign.com/CSC3-2009-2.crl 23.37.37.163
hxxp://fpdownload.macromedia.com/get/flashplayer/current/licensing/win/install_flash_player_11_plugin_32bit.exe 2.16.186.8
google.com 216.58.209.174
gugendolik.com 188.93.211.67


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected

Traffic

GET /CSC3-2009-2.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: csc3-2009-2-crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Server: Apache
ETag: "a734771f14845f861a60ddbe6518dcb1:1469523919"
Last-Modified: Tue, 26 Jul 2016 09:05:19 GMT
Date: Tue, 26 Jul 2016 16:17:49 GMT
Transfer-Encoding:  chunked
Connection: keep-alive
Connection: Transfer-Encoding
Content-Type: application/pkix-crl
00006000..0.. 0......0...*.H........0..1.0...U....US1.0...U....VeriSig
n, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at htt
ps://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class 3 Code Signin
g 2009-2 CA..160726090003Z..160809090003Z0...0!.....V..t..'.F(z....121
202220203Z0!.... .;...9.7.......090826054212Z0!...\.)../F..^p..s...100
722072726Z0!......P....A.x......100708154305Z0!.......O#.`n.5j.9...100
930040708Z0!..../..8~p...h......091006052837Z0!.....(../L....--aK..091
029040207Z0!...aW.....B.!.0..t..090909121104Z0!...g,..4(vv....mJ_..100
514054218Z0!.....V.....(..-..p..090826162211Z0!....O..,J.N.n...Ly..091
[email protected]!.........}..Dt...!..090
922192227Z0!.......2l....7i..?..101109030426Z0!.....p%...l,AogP....100
523060224Z0!...,.P.C......*.....100303082219Z0!...NRPL.............100
413090225Z0!....1w....d.&..8....091026111702Z0!......F....e........090
608081352Z0!.....6..d6.7..4.....100924123027Z0!....$..*...s..&s....100
219210742Z0!......Q_.G..|.......091009145530Z0!........>..O...=72..
100616160934Z0!....Xlm$|".su.......090619194406Z0!......J)..E......C..
100922142243Z0!...D......u.y.Iy{k..101026130323Z0!...El...)>..W..&l
t;K...101004225456Z0!...p..wy.i.zc...X...091117001921Z0!.....,{..^....
......091203194409Z0!....B....d...*[email protected]!.......m. .V..
...~..101111134216Z0!...2.R.i.{..........091029071123Z0!...`F..q2..O.:
......100602074221Z0!...a{.-...@...'.....100723194022Z0!........fW.y.,
s.....101011182226Z0!....Um..}.8)........100324085953Z0!....,u.box
<<< skipped >>>


GET /pca3.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Server: Apache
ETag: "6df834358a0bb5e934947d15c0372dc3:1466795723"
Last-Modified: Fri, 24 Jun 2016 19:15:23 GMT
Date: Tue, 26 Jul 2016 16:17:49 GMT
Content-Length: 933
Connection: keep-alive
Content-Type: application/pkix-crl
0...0...0...*.H........0_1.0...U....US1.0...U....VeriSign, Inc.1705..U
....Class 3 Public Primary Certification Authority..160623000000Z..160
930235959Z0..x0!...v....a_>..2......020924164823Z0!.....A.....{2..Y
.#..140129175709Z0!...,.|.|...<...j ...080605174907Z0!...`y..q.....
..fh...020923171400Z0!...?A....a.nF`.P....020923171548Z0!............R
.e.53..010207212458Z0!..!......Y...ISi....010706171411Z0!..$-..I{r....
u<._...080403172226Z0!..&.."?..y..51}..1..010706172118Z0!..4....2..
..{W......080605175030Z0!..B....c............070411175910Z0!..H.Py...N
....* [email protected]!..Y......w
`G........070411175657Z0!..Z`[email protected].*q..080403172017Z0!..l....I..
.Y..] .c..010706171749Z0"......T=deQ...1u.]...010207212247Z0".....p..1
..7<.....e..010207211822Z0...*.H...............DA.............Q>
...#........H#......;....._.....v.W..@.:k[.#..,...:...DI. ,g... ..].w.
b.d.....1.p.s...];Bs..E.9>...l}....5].HTTP/1.1 200 OK..Server: Apac
he..ETag: "6df834358a0bb5e934947d15c0372dc3:1466795723"..Last-Modified
: Fri, 24 Jun 2016 19:15:23 GMT..Date: Tue, 26 Jul 2016 16:17:49 GMT..
Content-Length: 933..Connection: keep-alive..Content-Type: application
/pkix-crl..0...0...0...*.H........0_1.0...U....US1.0...U....VeriSign, 
Inc.1705..U....Class 3 Public Primary Certification Authority..1606230
00000Z..160930235959Z0..x0!...v....a_>..2......020924164823Z0!.....
A.....{2..Y.#..140129175709Z0!...,.|.|...<...j ...080605174907Z0!..
.`y..q.......fh...020923171400Z0!...?A....a.nF`.P....020923171548Z
<<< skipped >>>


GET /get/flashplayer/current/licensing/win/install_flash_player_11_plugin_32bit.exe HTTP/1.1
Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: fpdownload.macromedia.com
Connection: keep-alive


HTTP/1.1 404 Not Found
Server: Apache
Content-Length: 276
Content-Type: text/html; charset=iso-8859-1
Date: Tue, 26 Jul 2016 16:16:59 GMT
Connection: keep-alive
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html>&
lt;head>.<title>404 Not Found</title>.</head><
body>.<h1>Not Found</h1>.<p>The requested URL /ge
t/flashplayer/current/licensing/win/install_flash_player_11_plugin_32b
it.exe was not found on this server.</p>.</body></html&
gt;...



HEAD /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1
Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive


HTTP/1.1 200 OK
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Length: 53784984
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:00 GMT
Connection: keep-alive
....


GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1


Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=0-1048575


HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:00 GMT
Content-Range: bytes 0-1048575/53784984
Content-Length: 1048576
Connection: keep-alive
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$...........L...L...
L...k...K...k...X...E.N.U...E.X.....E._.....R._.O.......O...L...\...E.
R.V...R.O.M...E.J.M...RichL...........................PE..L......O....
..................0......5............@..........................05...
..S.4.....................................Lz.......0..../...........4.
.............................................5..@....................y
[email protected]...@........................... ..`.rdata..
............................@[email protected]...@........$..................@.
...rsrc...../..0..../.................@..@............................
......................................................................
......................................................................
......................................................................
......................................................................
............................................U..Q.M..E...\2D..M........
..M...........].......U..Q.M..E....P.M........].......U..Q.M..E..@...]
................U..Q.M..M.......E....t..M.Q..*......E...].......U..Q.M
..E..M.........]..........U..Q.M..E.........].............U..Q.M..E...
......].............U..Q.M..E.P.M.Q.U.R.M........?.....]............U.
.Q.M..E.P.M..............]....U..Q.M..M.......E....t..M.Q.p....E...]..
........U..Q.M..E... 3D...].............U..Q.M..M.......E....t..M.Q.U)
......E...].......U..Q.M..E.P.M..m....E...].......U..Q.M..E.P.M..m
<<< skipped >>>

GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1


Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=1048576-2097151


HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:01 GMT
Content-Range: bytes 1048576-2097151/53784984
Content-Length: 1048576
Connection: keep-alive
.m..t..9......L.(.t..Z.u<Ma$}.#....t*.cX.;L.E.Et$..8v3...,HP.d..B..
..w?W...`rv$.e.$.w{...{....A..H5<=...9...*=..g.O...;-../.Ayy.P.\..E
............!..L.....0..Xs....:5...G.....i....'.Y../iw............&..c
..G.59J.bNd.~....<[email protected]..'6..!....hY....U..5..I 
.......J........$l.hT..$....[C...<.z3......=.)l..D..4.f..?.e.S.....
.L.C.........6....B..S.Q....c..-.p..Y.......P....n...k|..D.P!_.F. C=B.
 .e.....^Q.Vu.....X...jV...B.........Aq..?)...v.d5..w..;.sc.WCO.< .
."....d.#..l..V^.. ..D5......^.u....%.l...zn.q..vY. R..C.....N{D&.p...
[email protected][email protected]...*.v....R.-hL.#.2Q..@....]`.
q....7....e..._#3...0.....sL....^r...r9....Mn..n....8....W.z.....O...c
.\F.a.x..n.~......=~.G...yv....P...V...."9....BNu.C.m..2...yN....!0v..
b.WB8scr.D.)...m..u......T...y........P.g..ov.).xA..4p.j....L..u...H..
.....6..w...._TAO.D......|..s,..}[email protected]...:..Z...1...F..BK>..h.d
H.(6?....'....B.>.......Z....Q..Z..6.3.'|..5t.7.K..h...hR\Vd...4'..
...........i..pN.s...z..]...I.....r.Z^.\..=........P...Y..A H..G6TRL..
..Q.[.......S2y...p~G.*.j....4.06y....I..............5..x..........I^&
lt;.9n?..2............r.i..iMHWz...0...s....U..3.f.#C.!....h]bm..fV.z.
..Aj....D...v.?...M(....O..P.,._y.N.....!.S....9.....z1.n6...~.W...D..
8..Y.Eo.<W...;CP..}&n. ..X.Z..W..m'...>[email protected] ........bpr.
...)i.c.;....c...........w....Q...Q..U..:>6A.WB.q... ,*D.m.>..5.
}..e.t.G..m.x]n,D...6..|..\.......#O.....c..O.7N..2..8..n`...BMN`..z.o
U.....K-@.%..).K*.S...h.r.......t[.5D. ian..7.O<rh ...E........
<<< skipped >>>

GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1


Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=2097152-3145727


HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:01 GMT
Content-Range: bytes 2097152-3145727/53784984
Content-Length: 1048576
Connection: keep-alive
..r.....\h.Q.E..e.\..|..JP.........*..s...[..L.)0........CO..."....tG.
...Q.y9%...J.........y./...~.R[....o...i..@YJhi.(.~Z.).2#Z...(...:o...
..S9.p...C?j.../j...q.._.0.Ctb7}.MCR.....yI...'~%.......m...c.a.i.....
[email protected]...!..H.NVD)....s...........f...F
..&.....8G......L..0.H..58h....'I.X{.4#%q>...&.f..%............<
..NJ`..Xmi.....z~J\.Er.l.:BSV..%..lq......*l.........K......d....W..s.
6..<X...nyO s-....x...J......)..n..$.d).;.3h....0?.(0...7HlO. .8.-.
..{.C5.9....3j..8..c.[.o.....q4..Au...I^...$Q...U .g...WY.......c. ...
./..wh.k_. .P.............v.\[email protected]_F.X2...].K.tbx9.}[email protected].
EO.nt.X.V0 ....<g.%E.......^W.at.....6q.#..?s.X.....J'yY..-. .QX|..
U.u.....q....E.DY....:h..ck..V....|.....P.`.$..`l..Qf.70...`j..../..}.
ER.Y.....E......BV.=R`$...`s....cg.2.mI7_....e... ..P.....?..Of.B...3.
..2n.O..<..J\;RQ...B8..W........B._.........Ap......#....Nk...o..L!
.e?....Ky..$P;Ez...$.....\ .W..l.....U.D\.!W.?...t...vv...I[....t..<
;^p..AQ.1hL;.....y.K.'..D..Y4".K...#v.......Ho..~.G....M..?qh... . ..7
..?U....BG.1..@<U|t`5Y.w...ef..$......^.r...c&....g>...y....g..b
f...".b.....p..b.]......0....!x.e#oy>..{x.Z..._.s..C..~..9P.u.P.{'v
..y.Y-.....up5FRm..._../.Wg...%r..u`.t......x.W6...9>.e.Q.9.Z....m.
..LD.C..=.l|...."...[....... .7.e.X.z......D......J9@. f.....bL$.d*H..
..w.......H.DM....J@...@..&/..#...........4..T...*@....o[.A.{.M.E..
f..Z....2.|...7.hz..&.s....("F.k..G.K.../.qY.oAT....J.r.~'.b.@`......^
...X....../.2*..\qQ6. ..Q...O...........M..M..8?...,......S.....G.
<<< skipped >>>

GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1


Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=3145728-4194303


HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:02 GMT
Content-Range: bytes 3145728-4194303/53784984
Content-Length: 1048576
Connection: keep-alive
hfYN.i.G.U*..eK.yn.,~.ym:.H....a. ...B..hcb...U..........G......27..C.
kFNZ.. .'.Q.....:<-......*..{/..........WV.I?....i..SI...U6..6.P...
q..)!...gDV=D*/...M....mJ{......V...%....UL...Q....[X.1..JI.....6Pm...
...x...y.>)..(P..q.......D.M..t..Z..@RL=......,....?.9........L....
.<^.1.v...3f..g.|...............b%.X..y..m.L....,.....r.]....[.....
?....j.!5Y....EMj..8....y.....u.AX5m^..t.N..}..9.O....}...\L.&Z.:J.5..
(f@. ..l.x!.jO....=...yz.aE..|[email protected]?$Eb..n......... .
.)..x|b8.."....)....Q.o.......#.-&A..6..@..'[email protected]'(..K..[.
&.A.........Z.......W../.%..Fj .e}A6.....>.l.....8Pi..od.....%IC.:C
i.7b..v....h....!x....."...6. ,.ES.5.6g....].k..`.X...$^.L.......M.K..
....?.....;.*.0.5.B..a......;..=*.\O.M.CQ....$.z..e..c.H....% .G.S...`
H?...\t.F.(<..$M..,)$.............%2.[.....^o.1.8`.{w ".. .H.......
..F..\1..c..f....D.4._.."...u....~O..>m^.ml...`Xg....^.S.r.......`.
...c .....A.U8i}....MsA..f.:z... >d.{m)....Fe..M.{N.;Q..&..........
h.}?...e...&....WI..^......8.....:[email protected].^b....z
.]v...e.x..F&<../@..&.c[.....G[..ke.#2..;<.q..:..77..)~.....?...
.....Ye.Z..?.....a...*...bQdG..e...a....lz.6.%jR.k"C....hK`......D-r..
.h--...R..j..gt........2..ozh/0...k&XWPZ7...._....)o>|.BQB.......q.
...M.B_.U.>).......S<....iZ.....`J..."..nm..q......./....D...d..
.<=.\...@!=yeK._?5.U.......5..kS.e....y.P.:.&i....9.Mp. ..8%..|.lM.
..2.9.... ..)qqC...h..u....3..>7...a...L....2.yU3.c.;..c..j...`(kV.
.....1!Z..%......7....#.Q%.. .n.R.@OWN0$67.1...I....Ew&.....Xpd..8
<<< skipped >>>

GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1


Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=4194304-5242879


HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:02 GMT
Content-Range: bytes 4194304-5242879/53784984
Content-Length: 1048576
Connection: keep-alive
.......;[email protected]..*BlZe.....4...'&
4N...7....."@.Ib. ..u4.8. .z.....O....w...S...^..-;.<He.Iq.X.ZV....
Z.. .u7.6.E..$...s|V...f .t....@. .v..K..^..p&..y....M....h..i.....O.;
,_..g....g......R0....p...yD......E|j.#...x....80...>.... .......~.
..{....A...Pgi..P/~r7.......M.....k..[......6..."#.....3...J.0..... :.
.q......kMF... . 0.?.zI=....E.....%.a.$..|T.i.........(...<...l....
....U.>.t...s.?..^..\3.l..].......P... .a...:s.A&....]Jf.CdS$.@q. .
...].%[....'k.G ./....d.Q....>...."..p....NJ..n[.,.gG..6.oMU...U..y
[email protected]...|..@..'. -......lB...-KU.....;.1....7tI....s.1.......8..M#k..4
i.8m.3Y...u..6.[.......i....N.V!..)....s.-.,..(....7..y...h.-.'..o..n.
...`O..U.k2.r..w0..`.....f.v*..;..l..f.&...K$n........u.f..vp...j.$.hj
.4..A..D..q.s...rI.....YA. ....R.>.^Y..y.CH6&.^=.............,.0...
.H;[email protected]?I.~|p...I..3u..?.aMe.]aU.v...I.[......2...(....O..l.n...y...
.s_.c.}...eF.*...;... [Cl..!..1........}B.}.8!...g.j........8.  .]..`.
.K.* ..M.q.....?......r...e.G.V'a...3.....<.l.......} .....J.$...h.
@..ES...0Uo. ..(....x..*^XZR?A."...R_.D..H...q....2....6....*m........
.. ..]...Fr..]...`ê..S...EG.. .GCO......}.......k.mDx.}.....:.k...C.
|VMrz.o..[.. ..g;.b...........2.u.....qp...<..{.....x....H.....*...
.E.. .........p........8`.S`.w|p...z.......-.ta..rt..z_....X....&{.4..
..A71...!.Y6:[email protected].....<.g/....Y........
3..F.C........xm71.q.U.x.D.`r.?}.:#...:O.N..G....P..T...w..|9...G...I.
@O..~-..b.'..aa"...'........rR0...-e.c.j$....=.#..:...../.P&"..$?.
<<< skipped >>>

GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1


Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=5242880-6291455


HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:03 GMT
Content-Range: bytes 5242880-6291455/53784984
Content-Length: 1048576
Connection: keep-alive
..........q0C..}......t..@[email protected].^.fF=...X"
....s.xj......=E........I....... ....l.2.3TL..SO.|...$.r72BT...x.C.Y.=
._.$...........s..r..!%..6_wwrP(.A.;.h.D.e.2.....q.......T.....^.]..N.
......LMwY...Y.L...Y.E......Y6\j.-._^f......(2....f.\1._.V.l7.}.;....Y
...&...wj.....~.\[email protected]`t.........=..A......o...5....y...;a.:h.....J
F..q..x..b..:.E.x..5a'........#.?...1.3.:.x.......i.c..E./0f....m.6...
yf.I.........6..).). .5f....[.Ne...U..2.o.i...2......Q....1.Ip;.{.....
.....)K.....<.#.. t>.UR..K.so.m.vUN?YU6]..........8.1.....<..
.<;`..s.4.@L.. ..HQ^....V........... .Q...eY....q...\K...|.(.]...W.
{@.....b]..!8t..J\wG.;._}....)..Sp.bW....2.....{..<nk.U...& .z.=..-
.....IZ.I.....L.=.].. ....wG.J....Q.......=.Q....g][email protected].,.b
a....B.d.B..k.......7v.DY..s..R..9c..w C...(=h....p...JV3$...*.`..f..1
[email protected]..%"<$..._Kk*n..5.n...k....oN4...M3(S..J.......m9U..T".,`a...
.t#.K.&3&...}.M=....p..0..b...e.[ddo-s.".a.s;........Z....OK..8P..v7qC
*.Q1.>b......U$...LDU~m..*....t.....b.....p\..J..,".!.r...;....9j.Y
.>.Cu.-V....Rs.F.J..%..2..l...q`I......:Vy.*[email protected]
.4<k.{-...B.x....M..l.s`...,.L.....-...l....k....{.;..4.<:r.U...
..q.BM.]K.6.R.c,9&#.l..~.P}Y.lofI...{.....&.....2..|....b.>..4...q.
..F...2Uq6R..gta.*8.V....^.o.(i.&].n.)..L.#d.xJ...}.o(.......)f.1..Q..
._U......7.J...a.._k~;.H.%...yYCeNg.T..2....._..c.i{Q /.5..X......O.V.
......... .GGD.....V....n8sm.TBO.7x....{_..d...L...s_d....D...",zdp...
U......$#b.M...q.u.........d.bL..g..h7.^.......:G....m..u[.>.*.
<<< skipped >>>

GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1


Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=6291456-7340031


HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:03 GMT
Content-Range: bytes 6291456-7340031/53784984
Content-Length: 1048576
Connection: keep-alive
.R...K.......B......V)kN..KM.<..D.x7h....1.....SWP...%D...d....[.B.
Y.....0..x6L.H.....&F._.D.A.e..o.....gf.......`eK.o{d......L...8f..;ae
..kNY2....<.........l..M.R.*.q.[....z...Hh..a...6..Q...7kJ..l[.$.`.
8..WqA.3)C.c.Su[[email protected]....?.a.`.....[[email protected].....?..
..........N..X. ...iT.#........WW.`[email protected]|....H..........6..x.....U..
.y%............9Z.`r#...i.......}@..4.[f ..pN..e...:..U.......X%......
_F....y..)...^......m...z.|.z.Q......k......7..{.1;..S... (.r..zh.{W.|
..&T.P-..........J.$.t..i.F..._....A( .k.;.<$.u"..m6.Q..d.5E.C.....
.>.4.........x.......w...;...J.g.......}..\I.>h.-OT,..I^...K!=..
.Z.5.3..................A..P../...1...bV...p...U....gl>..R<tF..s
}.................t.xZr...z..l.h.....CyX ?.~...9.....X.F9...=..&.*....
......Jp.._?N......k,T;r...k.D..#....f.....T..*..r..v....."[email protected]....
.......l...Q..Y6<.-.Q=.4.B...2.=/.#[email protected]
v.....n.0...&-...._HmL......6..al...)}q.H.x.....O.?...Y.=.i.[..28.v...
]3..r...V..i.km.gK............%........q..I>.1/M...e.._....O.G...^.
......~.......B^..U....K.........u.o..O.......[.....fZ.F........f#..".
.b....=....=Ts...h8.i.....~=.Y2=....1....T.&.c5RNf.U.F..},cX.mE&.....~
..0.,5..`..! Kd....J._g4..1...vo...Bc.."[email protected].
..#....d..x.B......a.S.. .gcd`h.m....N.kc<?..p..9jJ9x0...,U=...8>
;...:V..}T.7:...3......I..M....R.p.H..<......{j=%#_...t.v...A/B.(..
6l.3.].`........:..d.....x.s...aU...Z.A......l.{.^...P_..`...D...)J...
..&...2... .q.)..^.u;...p....qP....["O..'.....,J..O..Z^..P...4b...
<<< skipped >>>

GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1


Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=7340032-8388607


HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:03 GMT
Content-Range: bytes 7340032-8388607/53784984
Content-Length: 1048576
Connection: keep-alive
*.,[email protected][email protected]..@..'.........gH/....?....A>\....yuZ.;N..g.
...?...LIVMmdu....B...<.o......^b...tQ...~.(l.oS......|Q.[.._N..N..
Fu..BTr....).A.X.({..i.....R.h......R.*.....mI..W.;='.<.pEO6..w..m.
.....Ic.......WM..3..`..\5^^..y...}..a...5U:.Uq..T{..q.......*o.d....i
....Ob.3.`....<........e."A]u.1.6...F.L...H.....YI..do.D...........
Gn.D.....jl........0(.}.*.{.\....i..:...S9$.C&. G.?m......o.q.0..P....
$.....o....7G...d.;.<.....Q...0'\...R..........C/.E3..s../.w/......
......LB.q?.b...|..f....Z...gT...(..s.{.kt6F.mxE A" 8.O..D>o......D
...S.i.l...AL.=. i;(M...A.I.w.....7mB....>%........z....OL/J.%Re.]/
.k.#.....f....BOqt.oLw...^"..oI..V...7..1.I..^q.W0g....x@.............
8.se...F.*...WO.%.55b29c.:l..`QX._<[email protected]$........)..'7
.f.Z#.4....*N..l.....*S.........x.0.$s....&j..R.y.....X...;....*.f....
Y6.].w..v@*u!....d0...M......{.Ou.2..P.(.;e..5....:....-\...C.uR... v.
.-[...-..u...{^..*..#/."..C(....%...^..O.......!.x.......o....g).a...N
3Ju....rk....}......<.d6.....~,.../.9...9..L.........~NA..J.4Y.j...
f...]...._......1...2... l.U.G.R...EmE.&?VW.o.<>.%.fu..XZ...h...
(.#,....X1...............{i.....b.......&J.M..bA......H..f.xv..LweZ..0
[...Y.....S.....Qh.....JW..<.....Nf4n..nb}Y.n....x.$:J..>=....d.
i......B.M"..X.~ZU.}sa.....a..{...t.v".......9..A..:P....1h.&./ .X.P..
...^(..H.L.2...z"......%. ..F..LV;.}..C.n.~.j.. sS.._).is...P..i....q.
.4.4......,.".......6....TYP.o..(pDeiHZ. O...4.!75~.t.......e...Y.....
@.....:]d.Q.@..........=.!...*.|.^.Qx.\)..N.........8)l>....X;.
<<< skipped >>>

GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1


Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=8388608-9437183


HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:04 GMT
Content-Range: bytes 8388608-9437183/53784984
Content-Length: 1048576
Connection: keep-alive
9.........o....u{.y.Wicr.....o....k...u.[.*Y.-~Tp z.....O....PS.I#p{_.
..1.NF*A..>..W\...s>.?&Z..X..w..w......S!f...g.ZK..e2vi.5.0.o...
....p{._P.?...m.. 73v.v."...5R.e..4..GJ80..R"..dKE..v$.....]3E..KsV1.&
gt;...C9.;r^.G[..W.b~?#......d.Jd."[email protected]...%..R8.c O(..h.....
.q..'Ij...../ .n,H....m.Y.l. .R...".p.y.Z..O..x.D....O=.hj.L$...;)9...
.......W..,h..v^....s2>;0...s.......I.^...._......_........l0.pZ.P.
l.........Ge....oA..&.=...../.N...8...V....z...a..:#.!.Y.G.........1..
.....9J....u8....A..c.65.VG..\..n..|..}>@z....X7`..:.....)..;._.kAw
......<6...#..A.$-j...y..........G..U.....7.a-...i:....Nw..Ft.....I
a.O.\../...b,eg.I]..qJ.s.y.\....Sz...................Gd...(.zh.er.2;.]
..h...G.d.x.2........7....l:7=..UUm...X.. u."..Q...tp"...Vq..C........
..P...2.T...>.C.`..wk.J.qi..tr.,..._'r....U....<B.S.`.ayn=n....Z
{....Fv^..$..nX^#$[......>j.k[M......c.. q.....X.....`b.T...$.$...5
.N.).U'.T."....c./YH..v.I..:&......A0DrF........7..-...>~4{'.RI!..G
.^....C.k.....z...I...yiC_.......>.{....b8...|...........fIIf.`.b.5
.I......?......Q..Z....t5!8v.$..n...6..F....\.m.......\'.Y.?..b...H...
..$.?J.......R....Df0s.......H."..<.k.....{.Ak..../.qj..&..../.F4y.
..o..Jl..}.o..|.f....n.]Y.......-....I*p./..O9...G.(L?{...|.....^.;;.C
..."...g..$.....L..1R.'2f.jKUF9..........k..&'E.D...QY%p........?.{s.Y
V.\].K.R'.................L...<....e,UU..k. *.oi...LH .0.a.LQ.;.3..
..........c..O0T...P...S&B.~&gM...R.w...Z....bc.3.T5WV.....{g.$.."..k=
.RFU`.T....&...T.a4..,....$.f......GZ.0..d.<9....}<\..;.b...
<<< skipped >>>

GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1


Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=9437184-10485759


HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:04 GMT
Content-Range: bytes 9437184-10485759/53784984
Content-Length: 1048576
Connection: keep-alive
$9=........d..dZ.A.....$..."h.....e....V..'.~..9...{R.L2;L..}.l.'.$...
'..3..5ak.......J........L.:u.....'..5T...h64=........Kd.\.~..[.....7.
:..%Y...A...Q.Q......m.....x....!.I.x....$...Y.V..^..U%........h.*... 
-..y.M../..a...N....Iky.........a1..7i...do3.T..n.{..f?..;..C[]..@$.D=
..\..N...E1...n} p../.......VE./.c....9e.J`.b..S.].%....!...}m.Xk.....
].z.....w#..v...5.ez6o-gm...5. ......@...."3....E8......6....&.F..dk;t
s..x.<.0>.3Y.x...7..`..7......w........(?..`.G.3..l[))R.k?W...g.
..O\....oo....?p.G.]..;B.0 ....o&....~.G.Ua%t..C........$..{3..G......
<2..V....z.5pG...#[email protected]!.,..&@.)...?.8..b...c..
.....]N......s....v...*.pQ=c!..Zx....V...x..}.T..J...[.........n..=...
VO..?;..BO..!`'.c......i(S....W. ..._%...".d._Y.:...w.seU..z....6...qy
..W"@l..........(`g$3...}.}C].......x....Mq..n.....c.Sq...[..1I...]E..
0...0tn.s.U.&.x.."R)L.h..x0......S.%.i...-k.r.5...._R.....-tH12a...Cs.
..cC...}=i.Qi..*...$z......L.QI.N.x.......&G2$....T....b.-C./Y..}.wS..
e.4.U...1..J......&.(..........X.....e8......e.K.X}q).U....j.,.gqJJ .)
|..I5...17...9...;.sW.#T.O..pu.\6....r.l,|......k.-`....d.............
S...H.:[email protected]..,N......O.....5u..<...vf......|.....i.D
.......1..2 >./u.Z.U...kM..{t.... ....z..j...{.:..e6.5.D;<...h.a
....I|;.gW.......^.(..w.O.s ...l2.....A.. .......k.........'K..P}...z.
........#f"..5a......f..&V.4[{.Z.39M..T...QLp.rI=..i.x.D......z.j4....
]...=T.m....... '.y.tE&k. .|..E.....T......)..R..PU{G....do.Xt..#..[$.
...-..f.... .HP.....bU5I.>XDML..pD.K.I..q..*E.L..$(!...$Lb.4-O.
<<< skipped >>>

GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1


Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=10485760-11534335


HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:05 GMT
Content-Range: bytes 10485760-11534335/53784984
Content-Length: 1048576
Connection: keep-alive
.Y[..&....h r....T.!..3$.}.51.z.R....."..G..L...S..M..o.W.59d..E..,5-.
d.`.D...h.xK..L.&Y..(...p..$.....)..DHT..7.hqv}&.........$c...^....O..
i#..q..,.*.v....)_.....G..Th........y..m....''._7....b%...u..)Z....=.D
.T..N..$)A..>..d..{....e....S....{.GF.`..rr.js..Uz..E..\M.....4...E
...g..z..`..&q..*...PP..vD";m."U...7..Z..*H..2,_.Ur.L..{BdW.19.%3}.7.]
.w.a..)...MI.lw.(.%.t.K.."....u.DR..e....m'.W....:6..n..;*#,^{... ....
."..lv.t>lC.8.. .Z....M.[.vK0.s...^5.2A.....f..m..:H.K..0K:....l...
Of....fo.." ...DE..%.Le.*......|.7.....N..1.."BV.|.M.LIv.z....o..-...]
W~6.d.s..|x..pv...:n(..X][email protected]@......l/..A..2....b..aX.D..
......nzG.I...;..q...='....OF...>...#.u*_.9.{...4.Hq/.......w..fx..
...<.0/&U..#Y..U.3.>f....~......<.c....^...}.....'....Y..G..e
.......f...i..k.s.3.Ff...2?....]...$..Co8,...F..p|;.u.....N?...#..J.9.
X..<....(.e.R..$.Bd.w../..........$Ff..B.#]..X....?.._M..)..'..N.$.
Z&...&.9.n.j...}o...F.8..Bw...b.,.Fqk.....W.4.Y.....u...8......D2....I
}.6c3Gx....~..b..t....k..3.;...0..z...<O...7X.....f......c.M&..f..n
.......O.W...~Vu....d.F.....={.F.:g!t......"39j...^tS(. .V..am..~h.n.q
.F..`..<b..R....3.x8.j.F(...;t!.V....<._f..uS.{.M.:...JQ...c...0
..(.V.SsW..>..\..........b:}:..B.........r..\...#....^U....*h/.e..n
h<...}}..H.l...........1.2...Br.=.....a./.U.>..:3;.d....83.G...V
...p..j....3..\.q....c.2...!.`!Z......M.p%.Q:.....\.tJ.fOj..{...N.g.=.
...Y......u.......O<....0.<()..0....n.(.....~I..P.&K.|M..w.0.|J.
...).....`....8hO.u].r...!...A..7.U....._2..!%.._%.....1".m.o...,.
<<< skipped >>>

GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1


Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=11534336-12582911


HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:05 GMT
Content-Range: bytes 11534336-12582911/53784984
Content-Length: 1048576
Connection: keep-alive
X.:.....[g<.{A...N......[.,.v.[s..PS._.a......^a.C^Z..2..Y....7....
........._.r...wnQ2...&.v......[i.?..(.Rt...\.0....[.%.lm.........1^..
o#[email protected].&D..........F4D.$...W..mb...F.5..Ht.e,.G,....
MoP&....g (.}..`.m.~%.u B...Q.....9"tl.......;..";n"..I$).Z.{..5..'RSX
W9.g....tj.y.4..!/.Y.l..z..>_X..... .l.>%}VM.....I.Z.0..1cjQ ..s
.l...?...H......./bRi......U..l./....._...Fl..^*B .w.U.E...  ...H..n'.
.v..m...\7..Cg1.._MP8...v.........9)...s(_..lm..47........H=6...]9/W.5
1..)M......-... ...w$..z...[..C.....x.:IJ3.....P.9.a.=G....!.dxl#..8'z
...K....o(...y.......}.W..G.. .6.]6&6...?.........~. .x... N..T.|....;
"..X!..8..7.G.\...t..a..X(.|........AZS.YE.{....<...E]Vm?.>....e
...'...S.......Z....GzZ.F%.m....s....r1...).a.-^.nLE.-\.......[Q......
.... p<e.J..>.r .wR...n..V....0.y ....o[...F...|. .\v..D.Ip.Kx.D
.....Lc..D S.E..W&../b..`C.[.......m..k? .~...Gt...P.F...RO.C^.....~..
.."....B...P.]......T..k9_...'R.....z...QA.".Y......n....7.5...2...-@.
.^1wW..,.9|.I..95f]........v..3..>^.. .$..=.X...........Y.]..}N....
..j..)M........BQ....P/..D..|;.g.T.E.q....h../....:.....P.w...uj:\....
...nT.W..-E. .QTV..(`dH.............g...).SvREc...6.......L..n.......(
...^>5..5...R...oD....l.i.#..........h..V0....Q!.W.)i.Xe.....].....
N...Z..f..H........\o=...6.(/}...C ...Z..6...).).1..=.[...#..{\.....x*
.0.{........1/.&..x.m.mn....dPz4z....jL.R.....7.0....].?.3sI.....z$...
.6IG.H........0.).I.x.EG.....l.u.7?.d*..).TN!Z}d_...)..b.....*b...6u.a
.......:.x..a..eGu..<...'......g.K....G.....l.%..G3.._......|F9
<<< skipped >>>

GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1


Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=12582912-13631487


HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:06 GMT
Content-Range: bytes 12582912-13631487/53784984
Content-Length: 1048576
Connection: keep-alive
HTTP/1.1 206 Partial Content..Server: Apache..Last-Modified: Tue, 03 J
an 2012 17:57:35 GMT..ETag: "334b198-4b5a36f1841c0"..Accept-Ranges: by
tes..Content-Type: application/octet-stream..Date: Tue, 26 Jul 2016 16
:17:06 GMT..Content-Range: bytes 12582912-13631487/53784984..Content-L
ength: 1048576..Connection: keep-alive..,.(@.s...1.Lk..J..vA..j.p....&
gt;....%....z\.. .~..g...n8.Y[.........U..,..u.J.........d.0.W..T(.v..
.P..q..C..?8..u.....x#tL.A..Q.."....09.....^..Z.n!..)-3.../...../..F%.
,..~.>V..:...Z ....O...E....Y..8.[.......C ..WXt.j.k.9...YUZQU.K-.F
....h.\...ZD'[email protected]..>}A\..'.RH`&W.~C...M.;.eG. ..W.#q.cl2z...M
.Hb.F...Z.?.......'...........`..N..=........H.p........f.#.&,.|4ng...
@..\u....R...........u.....'....>.....ay..0...U.7"Q.........X......
...=.*..Rm...I-..e!.]..wxy"..^...t..v..5....4.=.=-.Q&.p..3 .8.....)...
....Z#... 6.....ix...1.r/. ./....cC.V....G.{....p...;jZJ...]...l.....@
@.)./g......y.....b.f......v..>.,........0.|(..,..`..p...........O.
f,..bH.1.p..n...m.ID..m....F....y..o...CJ|.E..p..U....5....]..I..d..v.
..5.f....-...4......<.5.0. w.J.gL';.'-.L.. .}..0Z.I.o.IIu...bw..P..
.P....T...!.....Ej..8......B-.A..]wl.zV..]..^.C....e^.. ............k"
J Piw..^.S.u%7..W.......R....v.....R.4>._&^..q.sA F...'.}.S......t)
.;.GjX....D..v.../.[...}...5y.-s.....D.gQb....8.z.Z.....=.W...r..o.8..
..v......No..i>......#..fGZ....:......B...........#....Y...Z*...>
;,]. ...R[H..K.*...T.-...8..d..R&./..4.C.,.'... .:...T.V|.."..|P*.~p..
..lS....>...`..4X.hA2V....vw.&).u&.8]vD7.O..#.xMS...)'....Ds.k.
<<< skipped >>>

GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1


Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=13631488-14680063


HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:06 GMT
Content-Range: bytes 13631488-14680063/53784984
Content-Length: 1048576
Connection: keep-alive
!#\..C.m......."`<M........Fb....1..>.<...#...xo/>...S.C..
.HA..D....H;..A...n.;....7,......-..B>q .j...;a..y. _\..zF...C&7...
.........A...e..iY...83..6=.....N.m'v.~.r.a.....^O.k.v1...r..5..[.Br..
...I..M ..h.*.1.9..H.v..{....WN.#T.u../bUk-...B.`..2^.[Q....5..D.....Z
M.W..q..@...."..Tg$,..Y{0.PD].....~...>B........K.QY31W:b...b...W(.
.;..Y.`....?.qLg.`..$...h....A...4.B..j.Jc...[&..0.|....SpO~...... ...
|.m.5f.....v.p..o.T..UZ.....v........>=/.$..cG..XQ..\R.rt=>.....
<...d2.q$......f...O.Wh_..F..... .....|.......>.2..8.L....<6.
. H.|.... .b..0.e)i..2.....p...HQ...ik=.....].....~..&..K.$.X........y
P...8..Q..hW..f_.......0c-....Tiz_A.....5.$..W*.lW.....;.I.D*.nT...*Mj
.OZ..|.T ........D.n...".........cv.p..0...Y*..s.........~..t\e .."8 .
AW..M`kB.K.3?B._...^~...%...,..>B...O{...2_....=V..ay.4...,.7{..X..
.}/P.c.......4..^[email protected][vmz..L.........v.I.cMz}hk..f...qP..if.z)...1
2....T..i..V....Lo.e...bHP|.R.^.W.0.............@`5g.P.w.?].y........#
._..l..(/J..@..."......_.Xo...MX...4..O.e.:.xV..r.i..DT....B.....I.F.8
....u.<-.........z9.'...$..?s>!..Z3?......Vb,Y.) e.....x..2..*..
dA\. .P..f.........3aI....b..j....VBc.%...XAir,..;.4.m9....<...|.G.
..iu.....f..SI...ot.`.Wc..X8Q....=...$>`....CQ.wO.B.%./'P.....*,].I
w...[._zp.a.........6....!.F.V.K.rT.S%O...]...q..s".... ......KQ......
K{u).P.P..F..M.H.Y~N.v....$,?a......X... .....z\Q.G.`.........7C.-;..M
...i..0.VR..}~.C...k4......Qv.Pt ...\...k.{... ...!N.._....d..$.....7.
.... HJMf...'_UI.US......p..z<.j.*..v ..Z.....b.....5#.......m.
<<< skipped >>>

GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1


Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=14680064-15728639


HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:07 GMT
Content-Range: bytes 14680064-15728639/53784984
Content-Length: 1048576
Connection: keep-alive
..j........'.... v.....r....x=.......p..u].79...)/..&...7.eR.U..37.h_.
w.g.6a..}...J...r..=...(.kI...u..b<.9..~.A....T...A.g...Ux.........
..'...s...M.\....8.....6..`......&....3@;.j....U`.....|..X..wVM~V....d
yj...xm..a.Y.........^..<l..-.....~t.mdL......C&5.`wcI....q.BL.g.58
.......W.w....... z.bu.7D....a...T&..7./2.r...Ch..G..9O....y........@.
>e.C..2<.....*[email protected]...:]..=.N.%.. =....[.
..I......X9<....L:).M.wzE..8.#.........K.....1....81-:R.p.....>.
4'|.H..9T.... ..9....\..6.!..z... ..E...>."....f....H.}....&...|..a
......VF.l.*.i...a..l,C..b..b..=.."..O..3..|.........jh...9.I.V...;.{.
z.rR.h.$U..#.....T.....9"lb.?FT.m..].c.}.. .r..Ql...,Ub.Q...)'-4I....`
{./[email protected]/.#..B.k......J_....=...?...WB...=..W..... ._OP.gR.I ...H.f
0I.uI......=..VV.. .....G]..:s...h..?....V......&.V.@...._.......9.S.!
...Bb....XJ..b.K.%.}.e.......2.....k..*..:..._]<r....3.............
 [email protected]^..JCJW...X S.1......,Z.xR .FB..mn[.....%n...H
;~..y......b.1. .g..5.B.G~.db.c............*9 b..."5..}.v..f.........z
.g.E..`Z-...l3?..0...@V(.[/.....T.&s.i....#.....g.Aay...o.0...........
.2.r8.....-.H.Gu-~p...7.R7...&.....zw... .k........... |.0C.pFy.hE....
>.\...._......MC..e....O @rU]...nk.C.5.K.-...9.i.B......}.j]...gX..
...,.K..|...........KF.Eg..i ..}..9O 2..<....$.9..'FU.8wY.Sa]Q>.
.&...@\......mjN.5.uC..T...V*.a..}.).....}...?......z.).|.a.B...>..
......z..z}.....L.w.$.6.....Fe...x.c.... ..r..U.....q<...b..:..x...
........\w.....2Bnv..a../.W....!..m...|Id.,G9v~`.P.....D..WT..0i~.
<<< skipped >>>

GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1


Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=15728640-16777215


HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:07 GMT
Content-Range: bytes 15728640-16777215/53784984
Content-Length: 1048576
Connection: keep-alive
..&......Ps.6..P...L.:.0..9...X..8.......v.(Rs.qf....'..u.V.........??
.D._.....w.B....G..Y*..6(....I%...24...MZ.BH..{=.....|.#.......|......
.v.3.........j..%....K.....=.&.4.....w.. o...../...BlG......a3U.{..$..
.{......y.z}rt.0.U.s.k.z.Q..([email protected].......,~#;.xQ..^E.....
.V... ...S%p....x./TF.^S......7..E.`.X....qR.px..\k...H......vcN.BUL..
...B/.2.......Q!.D..>......cD...z0..5.L7......m..s7x1q.x...J..>N
}.m.T...]..]&......^......8..*..J...n|..e.W_...C!M.N...g%_.V....J.....
......C........a. ......)UN...........r...&....L.C..."l.NHM....g...}..
.Q.#.......Ka6\.....\4....qa.5.I.RN....v.BMU.DY..mq..Mkn.~.;.3X.....*-
...<..@ ..M0f\["v.6.. ._..U.%3.@P=....D~.A;d.......-8..H..F...../.H
..........q.V.j..g.uuC..r........VGX....K.t...d..-.NHF!fA#.[F>.e...
.'..0.]%..&.q!\.a.....pU..\B....h...^^,.&./sxoT..'Z...;...~...v.>..
`._O......;..!=."F....B.s).F.....j.)K.h*.Gu..rc..#...".W`pt..:......,.
sHqW&0g\&..,3....5..{....#.f,_;.t..~.)do).de......O...3...<2.3.25&.
.....V.57.%.}oE.\Z...,?...b.}J...:..7j6...n.x6,5......dgh}.9...b.Y....
..?.MI4.Rj.....=.Z.t.b|..o.~4......I......m...Z..=..W{..q"'$.....L6.9.
@..2...Z...y/......R.....b.T.....N}..P..T..z.e.$.B.."t}....e.ol.J.....
.#.^.xms'h"[email protected]..'.]..{...1!...w.A..K.V.^.......J2.o.0{...C
.P..3.[.......,."$......M.yr...tN.......%..;.t.-....._........'....58.
rR.Z..1.^.9E..../{h..W..t...i..`X2>.}..D./.>...u>!O ?4...(E..
...s8KlJX......d...k.ULE..V../....b.a..Jv.w<.^...sp#z..j.. 0.....B`
0xin....W....D..J]n..Q#..V....i%U.Y-..v....J...:.p(T..s.....`$`my.
<<< skipped >>>

GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1


Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=16777216-17825791


HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:08 GMT
Content-Range: bytes 16777216-17825791/53784984
Content-Length: 1048576
Connection: keep-alive
...=....}..r.\.l...bt.....'z:..`...-!Q....?.!.l1......`....n.s...~] ..
.......n/...&....i...>.h.(Jf...r@..~.......)...... ...U....V..*.I..
;0..$..RoE...*....Y",9.>KN.........V.....H:.."..9...Q.r...d.=.`....
.}v...0#...?..q...p`...o..k\..;.It./..w...7.............U/.....r).%...
.i.....v6...'....R6n>t..%...4x_W%..w.!..H....4..%.l.....v.o.....d.@
>...w.8..2....9Q..B...D.d.....03..Yq.l.. .....b.eA.....0...*%'.5..d
...[.s.,.2.......[..[[email protected]..".p..nH.........G.8...mJ.rCt..H....
......Cn......x]0...!.})a)Y"Y.G....NV}..U....../2gv.e..l...._........:
.W8..k.Df..F.&...N...A..O2...~ua..x...8._o..5..j.3.e...P.N#.G..;:H....
...e.....`.o[......1...S.;9........w..U....pF......9....H.0b..........
...,..6.Iy......l<7..6...1....z.r......g.HJ<lou.."....5P....5...
.......oh.a:....D..~....u[..y[..\........ ./mJ?X.1.o0......F.I~E...j..
[email protected][email protected].  ...h.QK.5..x=k&..-M.^@f..c[u(.(z.J
....y.@1V... s.lR....].....as].1...T........!v..x=y.O.g...;..H......Q.
./....ZQ....z.....K...#[email protected][...O#...|uu.K...g.`...j...
{U.J.P_..j......y\.V.....V!.&.Ui..#.{2' .R..GZ.....=....&M..=y..ka....
.s.P. ./..tZ.../.b `m....d.M.R.Qkw.hN...Q....$.Jl.&xO...6..].Q.)7...&l
t;?.9.X$H ..Hw.......~...-hal.........G!..K....n..1.j.....l...H.Bn.>
;...-......o...Nw.`......_Ox...,"..0VH.Z......=..7J(Y..F...T.0.......Z
4............*./t..z_.'H.......4 ....'e.e.....l..p..C,..fs ....~...lr 
>.u...@.*Dj.......Q.:..z.A....x....<}......v.D .6^eL.......S...;
............L.....[..br.r^.......]r.d;\A.&.&:.....-mE..A{...'L..j.
<<< skipped >>>

GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1


Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=17825792-18874367


HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:08 GMT
Content-Range: bytes 17825792-18874367/53784984
Content-Length: 1048576
Connection: keep-alive
...J.!0...~.C.F...{w.R.h..Fr.X o....qf.YK.............r._.....<..].
.mVT....Ug...p.}....I...5\.0.................o.......v.qZ., ........t-
..KH...- (.\.....n...2..#.?..... M ~3......8t.G.&.... ..g.....3....=".
...7..M....F.=$...7......ZEwG....\...5..7k/......v..........8...H...i.
0...F3.....9..f9'......\..W2......Z.j.).g............._4M........! ...
Tof.@`..r.....g........<...KW....Q...a......J..<.".7M....r}.....
.s,......jLO.f.(1.F....pK....a4...C......_<-3........z..u9gf..^..D.
..T..a;.n.va..4..:....xi.2x..!8a..)}*.....J<T.e.d..bG..y.. .;.>.
A.n.>.Co.i.U0.j.L1o.`.V.Z.=[..UB.u.9.........._6.....`.....q.......
0......y..@.$..'H......W.&..F.`.-y.X.......Z..(..w.U.9EI....(Q..W ...e
........ .(.~c...E.1......ho..3-..O4..9hI.&.9V..c....in..d..%.....#%.&
lt;...K.2~..r9.plp6Zt.N/*....=.?9..n........uq=[^........2...........D
. ..S.z .........Va......_.g;8..AFtj.;|....[.f.c..U..8u.kp..,..X..f...
.qu.s. h.....!>#..F.._....0..[3T..%.....G.j..a.../bz>hcV.....3w.
..&(...>r<U..........U.........2wG.sr...L0<.D...../5,..M... o
*..!..'..(...........F..Bx.~:cjU.......o5...6.A$.Z....PTr..*I.......6.
..9.s.....f..,.@..[....\.X.!.`.q!S.l.m...q6..3...........\.|}....%$.6.
...S........76.F.#.....M%...l.....I,.O..R.../.N.,[email protected]=.Z.0~ .'.}..
Q.U..h......s.z....o.@..=.oJ....n.!..A......=...% .0..>.v...C.p..uN
..b..@4..*N..*..aHFe.g`..b.....V.#,*.._.......h.......:..B.....Fa...f.
....t.cN..2m..........?..E...u...>L...0..[?.....\_.o..5v..f.......F
d.p..v>.p.Y.O$.t.8..s....!...uDt...9../.s.Tg..o....b%.@>..'|
<<< skipped >>>

GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1


Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=18874368-19922943


HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:09 GMT
Content-Range: bytes 18874368-19922943/53784984
Content-Length: 1048576
Connection: keep-alive
..FU.N.a..m......k...(7...q.B.(23R9...T.m.R.....Mw...(..N.g.v..r...u.7
..,....wa.kdu......7...C.e4.E..SK).OX.Y.E4f[......a......J.....xh...._
...{...s3...%.S....\-.O."...#.....50oU.....*...x..U..3..k.m..G!.P.".m)
.=gL...b...5...6.y:.wQ .........8W...u.=i.N.l....p......!..E.}.~.2./..
..ObYf.U.....uZ....%.(mn.g ki]O.V 4=.c.(Y.R}..*Q.a.U..[..J...].....`..
...>....f_..c...S.#Q..w...Z)f)s.H.*.u.....h....j..~.q..L..?X.....G.
j.....m.r.......HT.w...c....4.........'.Iz..l._`a.q.D6....=..I..J..wCP
x..T....9..k0.......:..P....);)&.$.c..Ub.su..1..."5.Q.....**#....9..#;
....._Ra(/.}..~q....[.F.....n).......#...&..bG.BM.<....."jn....g#..
......a....qY....;z.).P.....i....|......C..'...X........R(.../........
! ......o..C...?.ae.P.qH9.F.B.........*g..kg.aT.[|....>-..!..;..rMQ
..B2\.WT..H.2h.6.Ap..!...4..=..o.69....Zy.....0.~....R)o.........M8...
... `c..t!....w$..s0.WT......{...F@..}....2.....z~..(.ks...y}.a..X..Gp
.J/bzg$:.Vr?k.\g.<...u..6.......g....4.2hq...Iq.......[./....>I.
.Sh..d*...hi..o\.m=......c...|x(..,X...7.[..0....6z..b/........i..X...
.....,v.Q..(*>i..Q.4-aH.t7..N.ourO[@gwL.(]#...vz.0..k...6....dLo.|.
:/..".%.R...fR.........s..kB.;.KyGfF.....~ .b....q..>..o=.r2d....55
.Z.7...dx2..BE..M,...4.j..t.h...`.G<az#.?.6..m.6..;[email protected]
C.....Q!....;..B......T...Q..f...8...q........I.{.7...$'.w!....H......
.4.......-oI..,,.l........Z.....-}r.v.i....%.=...Y..........x?..W7jK.&
lt;..;ER...)..U...!...............}a..S.....sI...W..X...2...}.......H.
......L#.N3...)P.C3o.z.1.V....V.......L.;r.$..x...dya.........J.P.
<<< skipped >>>

GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1


Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=19922944-20971519


HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:09 GMT
Content-Range: bytes 19922944-20971519/53784984
Content-Length: 1048576
Connection: keep-alive
.......=../..)Hy...}{.LrPj......f}[email protected]^/l.G. *fh._..f...3&W..
:!.h..d..S./.g.8H..u......k}........6.\....... ..4..u.<..1...&q....
. p.l<i..J...Gt....v|.i.9p...%..6....5O.^0ac1...{.$.....n>...4c.
D...LM...Q.......].r*........x......O.};u.YQL}.K.....`...'=.]Tg..7?...
s.....k....{J..}.k..L.T/.R...;..`K..AVW...9.q{......#.*_.#.."..r.:f'tg
.A.[Ad.{...#.jO....!}g$...L.t..M..$$ku..w.(`....P...6...}.a..,[email protected].
[email protected] xm\,.....(,t.T.D{...~2..4.Yp4......3...8...Nt.?.......~..
...H.< <...J..o3....#.....s..v......6=I%\.....g/<?....j.)r.a.
-..P...H......`3.'.......^[email protected].._.eJ8.l.#.l.4.q.....
.GW.w o3..H...L\.l.....!......'.......m(.....YE8.~...Pa.$..X.R.!p...~{
>~*.F..J..l{p..`...iP..IY.T.....v.....W.P..f,s...o...........\r..D.
.t#I...b:fP|(^T.. xi....v..k..^.....5..t..=5.2.............,.N..W|2...
. bS......4..?.t.....v...2..74m..]....b...|u9.....v..}.R..K.Up#...Zys5
Lz.........GX>[email protected]>...??.1y..Lv..t&..L3..
.4o.....W..3..JPM...(r..H.;...O.....M.w!..iY.*...'..j.<O6g.d.zt.2..
..X..kV...e.E#.....7U.4......"....... R.....C.. P.!..{...[.KmO.0.jh...
...?d%.h..~T......T..2.=UO...\U...Jq.dS.<HY....J..X(...p..3......mP
..r.p<)..*.!.L4e...i.5..A.>...K...V.$?..;.S.C........v{.Q.]...a.
|.`N..[..$.Z9...(Af.t.$!...-(..8....L1.pf.WG.[9K.2.zz....n.L.$.....(Od
.!ah.....!v.....4.6.X...j...Z..P....qzH.....c{.?J=?..aInz"._k...>/#
..z.0....}....;.?..o......X...O.$03...............)..)wl.Ge.>.. Uq%
...V&..E8v8.V4".R...P.......{%V.........~5(]...u.j.19|..9.k...5.3?
<<< skipped >>>

GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1


Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=20971520-22020095


HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:10 GMT
Content-Range: bytes 20971520-22020095/53784984
Content-Length: 1048576
Connection: keep-alive
................k.c|r$(.....~....*....c.}^.%..&.q*...JY....i`......R.#
..0M.vlop....3Eia.~e6......M..-z8l......6....|.M1&.. [email protected]...
p>.....[....[.N..8..U.. 1..a..D.6 ..|.`s........-O.6.([email protected]`
:A.}.2.>j.0.6..f..ZiH. G.........Z..|.........T...,.["[email protected]
.W.*L..}.....k......... W...i....H.h.?.._\<..F..T3.w[.........\z...
..p.Vg].NF..q#k.i...........D..9F....~i..M.M=;([email protected].
.....p....\[email protected].......".s............S...R.'$..A.
.8..p........?).w4.Zs.5. %|>..7Xt....o......Y[.G.u:....).zx.;H;.o]-
.$G.f.p.....%a...!A......%j..S"..?A..[.....<...u.0.v..l.!x.*.U.eXk.
\.8......S.....6..c...i1_T.v..Xv...*.VPoS"....Z.....V....]|.@V.....!..
......$f.2.E..AL........4..Z..x]/w...S........|.4o...^.0q...........6.
..9K_C?..&C....Z.0oKu.....O......[......)..e..........xM.M\.&.tv...5).
q`.......i..rl<.....F.H{..5a..9..?.'[email protected].(E..q*....0a_.
3..hDjc.E.`.t.:%. K....?.......{....H.7v.1...d.N..z.z?*....QV....:.|O4
[email protected]\.k....{!..--...l.j
.6...rO...$.}p9.me*.K._...F..*d.!1.X...N.P...?..0..^....Gnk..'.^.. ...
u. >.......f.[ ........U\..r...f..0...=.<.....p.*.gt..p'|....C.C
..i..J..0.A...........XE_l.g...R.....w.-N.?..[.. ..K.b.....V9&...N.A..
..8BJpGJ8....8.#...........**.z........#Eu...X;.b-..o\B.(.s..F.;....q5
.g.SM..Qa.......l......t.R>|S...%.u]U...%..$O.a..ffN.....(.|.....jw
.n.P.....s.gq...Q-B'.,.x.Q..8...<..Nz.#... .. .*.*..K.....h...[..!C
.O.y.T...DC..B...nv.a;...C.o3a..F..E.9A%[email protected]... X{O.L..V...
<<< skipped >>>

GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1


Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=22020096-23068671


HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:10 GMT
Content-Range: bytes 22020096-23068671/53784984
Content-Length: 1048576
Connection: keep-alive
....HR0...(.........|x..Bm$ ....>..u...,i..]...W!...&.~P..j...<;
....]@q}#Z..9qaf'.@^=J. ...Q.*...^'......./{.W.2. ...K.....>....9t.
......U;.b. ..G...H.?hC..8k{..x......D.C.6..-.-E.E.P..b.P..Ce.......UE
.Q...i.......S%..P.M...S....;...Rf...K.e..~.<].... .8.......|)....-
.8.}0_.....N....R.....E...G.L.9.?.0..O........8g..%.x..t...qE.R....{&l
t;...i.L..b.@.}..E..e........j|...w..j.."j.V..-<....'!0w......3Md..
C..*}.e.....'.d.Fi.pQ...L..ne..|u..f.!...........`..d...bv........'H..
h..*-r.f.0F.....U.%...3......#.(......,.;G...]}..x....^.-"....>.0&.
..A$6.T9..&m..p....%."?^5c.P.g.a..?uS...1. .A.._....AX.....=..7..$C.GO
._.'`L.:.q...l.J....cZ.... .]..H....~.....@.{r..`w..9H....p5.W........
Z.N9..W...?U..kQ{...o..Hm....?.\8..F._IKG..1Y.wk...KkX..A..X-?}.V.?...
..mVV..~9..5C..at.<...a..G..B,~.}...nA..C.)&.z..Q:..J..D`.H........
..pr......|....z..N.`..b.pN1...W..Y...S..Ew..)....:[.m..T........7..&.
k...y}.Bd.8.....C...I.%....g..R.bcM..E\...!M=....(.?p..2.L..x......:..
..)l.P...a..=.....g../\....[o.......).."..e.uVgY.U.......2..t.#t..3.o_
.gsE.V...~..3Um#....7 -]..U..7.*....I..>..]./{?.n.....v&.P......=\~
...7QP.<...4......<_w....t.5.....;.....W,v..%..l.{i.>RMEu.E.:
XO......i.....w<.c..a.*Y.......G3.1...~.E.7B......f.>..dB...;...
{.e.X...d....2.....i......z}..}...GXY......?.Y.........Q.....b..:..C..
.rN.m............"-...v.x..Q.....n....;..P.A1......L...U..\.... i.^...
.H=8...A..K0v<A>.Y{.?.......(-.. ...0y..=?.........D...Yy...N...
....T...%..hR ./W.. ..U..M....K.L..to....S.A..s(..o..0w..E.|.*#.P.
<<< skipped >>>

GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1


Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=23068672-24117247


HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:11 GMT
Content-Range: bytes 23068672-24117247/53784984
Content-Length: 1048576
Connection: keep-alive
.......U......W...........#..\....C..@|....ExQ.{[email protected].`s..zg...
%...c..3............l..Th...#.Y...n-..}a....6m...eWb....T.. G.J...e..u
W....[.!.0..L.....h.y]..J=#0|(..v).......N....}8.....<..83.6n._S..S
i.....4?....xqw.........!....i...gj.D.^.M........E{...c...z......t....
.y..t.Wfk/._.f....l...J3E.U_.....<.........Q.M.U<Ho..v.....g....
1z8...........93R.6....|..)....w.c........(..C..'c(..?X.f....D.t..a...
.7P.......$.Q.....<C>.V.L<.Q...x...~<....r..L...4.IJm.qBH#
m......Ht.;..@.%...r#........Tq.R.x.RG.I?<)@O.p|...v..<3.TN.<
.*. ..B.*|8E....x.....3.V..S....G.{.....4p.,.O...V...m1.... .M..a...n.
..x....9..=(.. ..#s>X.....@*(?.x]S.....C..7:Y.T....wy..f..@.[...X=.
.YX...~.nhe h.g.....G_.^...x.kB...Qm0Ol.q........R:p3.."....l...ue..J.
AaY...`|a,@.....6..z....tyU^..9qe.).^.........n..Y..=K.{..Z..}...{.?./
4wk..C.L.6..v:V....uZ<^.]....%.............N'..WJ..%>..&.../N.{F
..d....q*....h.....*E..yzn.6.]1Y.....-X.x..a.zn.?M .........f...p.t..=
 ........E.....^.E...m.2.. p.&..........F.S.....EZ...g....1.._....._".
....~.....8o.\u......O.XK?.T/....i5t.....K...',.....x..^h.*&..Zb.....)
...I.1.....BhF.....Dc.$....4.@...&j$..E..q.:..Ri..*....]...LO.....I...
X#..o.~...&."<..gcR.H.%.J.......#..z.....M..a.......Z..XomP<R?k^
...-T.C.....=1.3dD.. kp.C?|4.>..@....)~p..s....Va.Y..b.Z3*.,.......
.>v...:....z.S..L..V..5T.2G.;Pq.p...............@........!.........
.".M.%1'.....'..E{....ah....&.\:..O.D.. ..2"5..B8<.<S|[...A&)...
.R..T.........)u/...4`a0"0....".K#B.......'.Yu8.....Z..8?.B...d..'
<<< skipped >>>

GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1


Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=24117248-25165823


HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:11 GMT
Content-Range: bytes 24117248-25165823/53784984
Content-Length: 1048576
Connection: keep-alive
#....E.]......C..e.>.:..b`!GhP.....i,........1.....M.@#5.;.C.}89..W
..O..Q...f..>......_....G..c`{.......U.*....I.&N.W.......S..J....0.
..........av5..P.........1#..t..J..!./.|Dh.ug..\m..?......H..bX..K...C
."...z....}.8A 3."...w.#.......dc.Z..q7J5..C.>...G...vH.l..e..n...$
.l..Q.k.%':.......E.F...We8.0..*V...bdU.e..K.JQI.......}/.^..J..S.y.M.
.i...U.9fC,%/.u......hMu..../...$.;.....p...5.0.7]...j..*.?.z..-...%..
...t.s.}C-B_.y.).rpF}..]9...a...HU...6...G/.K.....}....f..[O.*2IK.e...
6.. .R...*K.p.E.......]..~.Wp.w...V.s.1..f.k...`....I..^$...V.8..z...E
{[...K.W...E...p.....e*.......A......PU_.'7..2Fn....M..._..h...5r.H.`.
,.....Cmf8..MZ...{A:...).X......VG.....a....s>.$.4.a...^C....#.....
o.A..d..V...S. (..TZ..F.nz).v...G....).2Z.O.OO..V..%...&.F..y)A.3l.0  
.V.;..n>.v ....o..o.T.f.F2.....*.....~u.`..kw..:....'P?qv.U..-.!...
...9.....%$gH..9E(%.....Qo.....?.%..b .....$......*..M..eF.`[email protected] ...
....o@...,.H.......=.f....[.lq......G..@?..Q..................z"~=k.&l
t;...&.B...c.....N..C.8....F.@M&s7....7`.J*......!.K]j..Ze.j0..7..u4..
...~...hV....*3k...5V...Y..X.\E.6....9...(W..b.E ...p......]&V..V.....
....*..J}(.. %..D...0^qS...c....D.....X%..L*o...'..x...UW...C.U.": 4..
.i..:%....(..u..n...k.!...y........N.J...{.<W.2....B_U:0...(I.SYu.$
.........qK.7.k.....W...Sn...{...v.b....6 .WP.m..l.....H6".7>.'....
.....`]...$wbi'.H...$e...%.Z....M.58}.a......N..|z`p...o..R.......tJ..
8...=.1../...n....!..>[email protected].."Z...OY.......X.......K".c..3%z'.:.
..:;C..<n~..p..Z...c.L=2 #S..."C. \...us.s.p..ce$bY...M......5.
<<< skipped >>>

GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1


Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=25165824-26214399


HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:12 GMT
Content-Range: bytes 25165824-26214399/53784984
Content-Length: 1048576
Connection: keep-alive
X..M.[].:WC....`.4.l...KU..Q. .E...S......;.-.Fc.......:.....&.....Y..
b......~4J.`.=gN&...g..............Ytd. ........G....k....E..<....=
...>..N.\....mG....R/J........S...y&..;.o...|.K..L.bB... ...T.][M .
.0....t.cJ%>P..%.(....e_...9.x.... ......9....@...!.k_..%........K.
.t..:..^.<..2. .%......ft....;4..*:.....<.jW..Qou/4.R..jKky...Y.
,{..}.(z..3!......4.Az....r.1i..qI..~.....iv!I..M`..m.'.T.J.. .6..;...
m/.l...b..C....T"S..#M..L..!C.{...TA=.......x..........ml...&.].8....k
9...]r ....Ov....(...e.'.Wet-j.pG.m;..)....;[email protected]....
..J[ [email protected].....!s....y%mW.|..Q..{[email protected]
q[..0!.....!.BMe.....Wh...9...M.q..............6.8w..6...Er...@..!.t..
[email protected]_..v.."n.O.z.V.m.Y,......[.7rw......h.F. .....:5S.>
`..M...M|...u..\.S..,..v../S. ..FE[..h.R..A....RU...>..s......Y.s_.
(.j).!..x..|}&d..H.=.g...........\......t).b.K....E...hho..K*6..9*....
.'F..!e.....x.. ....6...)~...t.........'E.-.N.6....Ar.. ...y.4.. Z....
...r...`Z.-...K....8y<.@....[..k..e...0..EdB.Ip.Q..2....T.o.tx..j.k
.D....Z!p.P.....H.t...%f..1.H.At^....*Oc.".mS6....j....B..#{yM\....../
g...R...T...M.l.=/..(.<.Y...q...E.B.:u.=_{.`..w.....*$..e...K.;.N.,
Y....._...9q....":)x.p..........rb..M........O.~A.4.B....W...}.q......
.<......$.xV.1......F5:..E.{c.<....b;N.$.....d.Tm.....mL.......z
.r...F.....W.....w....N7..k.^[email protected].@%....U2sz....j&r.......1..>f.
L.x...q.....%.R:[email protected]....
..|[email protected]'.i......IN....h..9m.D..h...-....R.....].H...
<<< skipped >>>

GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1


Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=26214400-27262975


HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:12 GMT
Content-Range: bytes 26214400-27262975/53784984
Content-Length: 1048576
Connection: keep-alive
.5...a.p....d1..!.....&J...(..3e...t....@1aQ..%M..$C...U...8.=........
z}.Nj.^..(V....S..$.:...gr.....A..^X8..q....z..........\)U..).Q.;uW;.N
.x..c...NE1b.......8.i...3....._.Rc.I>.0L.8H....OO......B.Z......NC
.....%|[.2...t..L..\C.ub..F_.Lf. ...K..I.`'.o...q&)2....FJ(..;p.-J_0.l
..f.0j...g.,........[....'.n5../@.&W.%.B.:87.....9...o..~8..Dx....i.WH
M...$.[.....\.c6.u>..@y...`[email protected]\T7P..M...O5.M.....j'6
F.P...F.HUG.;.;[email protected]?J
..W.!......I.?"QCf...\.......Oz;fT..1._....!......2.I.O..~).g....g...q
o.....m.>@O]..#G\..G#........t..(J...m.:0.N}...`'..%B..s.>......
.K..P.v.).E>.k{[email protected]}; f..<;.[.....{-...K..uv..D}.S.aN'....l.`
.4z.j...i....Z..p....c.....L<<?O.v-]...d.Q.4..{-..".....u1......
...G..PS.d..{..M..S.....F...de.&<.w...T.}.....!u.j8.7...:....9`.9..
....n.A.w.84l..SO.L. ..A...*..;...`oY..?C"0...o.n#...DU...KY...u.^...3
.....j...X.....=....z.x....?..v.9.Q>._to0.#.P..k..[.,..?......M....
........&D..P.....2...?..r\........1.e..H......o2M.3...I/.|.rIq..].>
;...K..._.....N.. .n.....l...j.5NF.....K.s`..IGE....zb;o.>~.4`.Gxp.
f..0u..Js...|..v.....m,,[email protected]...........[H\...r....*...Z.W..=....
.U.."j. &...p.....BL.....F...4.R.&.m.{..c3qH.'.@O&.7..Q1.\L..m.E...Ju.
.Q.E...>....:.......F).0'_....2.....AeUQ..?....7....7..IW..........
....J...N1Gd.M....V^.KK#T.,.....M..{.Y.4.-..=y0.eq......Pb............
.GW....8&YU......s....i..G.#,j ......#o..UCN..5f!.....l/....?.._:!....
.Bn.X..\.d.......E.w.....#....*....M.E-.c...../=.U\.PV..U.D9....^q
<<< skipped >>>

GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1


Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=27262976-28311551


HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:13 GMT
Content-Range: bytes 27262976-28311551/53784984
Content-Length: 1048576
Connection: keep-alive
..zj.N"lpKKO}.~D....6..Cv..q...K.j.#a.DT.a9..f..q...*5.......}1.uK....
.$..\=...f..^K.^[email protected]....
!nmd.\....J.[.....AT.-.n.{..%..k....TE~..x> . _`...z.57....k..wH...
....~.%a.._MW..uD..P..!S..X..7..T......6..;.([.b..E..zB...r.h=.`....L.
..F..=.(F..0'.T ..7.94P.z!!U..T.. ....F..|....1..U..^....._zg...v.D...
......7...ZN.Tb......1R..1......o.N*$D..J.6...V..3......\.N....._T.s..
.P.;.....?.8.s|.....!..7J........".....V.V..r.t.z.|4....Z6.i.........[
.......#..=...6...W.}...6!(.|....I.h.q_.h.........S!..].;].x31.x.m....
7....>..(...,.....F.. ...O...7.T.i......t...._HYsa........9..m.....
HFb."Y.Q.... y.t..#..Z..|.$....O.P....NiG....'.........{h:{.v....F$.Y.
[email protected]_.g.8.<3J..b..V...V.6h(*4B.....js.z.GX ..$....,.
....)......=....2..0..Or._.'..A...3e=X>c!.....]...Qa....{...*V.{...
.\....H.0.P8@\0......d......d6[..9.q.52.5...ö\wI.D.,i_n..`....T(....
MfVCU.F.....J.I.j.Hk.=.C.d).. *.;M\..v.g B..H.....DB.'.C..{$..4.c.$..$
B.{i.............B....=.. NT\...6.t...{....ImF..B(Gg.......$E.5.o..gi.
.?U.l..y.....Yz.o*.7..z0i..qW...C...;..}..w./..6&f...yW..O.H(\...}..K.
..]..o..v/V|. ..\2...3}$~).V...Q..$JJ..@........ .....Gj.S^~..M..v...m
........=...A.>.OMM...j.....O.@........}.....Oz2........mL..j......
...... ..1$...g.u..j.B-*>..z#b.=.......^z@$..... @...K.....|..-%.[.
y8eZ...QIb.W....M..n^.......@/.'........-l..&(.i..@%q..2..........U$l.
._..ha....PyiQ.....y....Ec........U.[`....h...H.)...{ .3..Z(.spQ.KL.&g
t;.....}.}.FSS..Xes......1o.x.~b{q.............}.9ego*V...;;.`.G..
<<< skipped >>>

GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1


Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=28311552-29360127


HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:13 GMT
Content-Range: bytes 28311552-29360127/53784984
Content-Length: 1048576
Connection: keep-alive
.*........dE',._V&..O7.y......#YB..:.....gO.%|...........)-M..AQvU1-.f
.ma".|e...,...B.4.c...{...f.....7.V`MB..Z..<..c..C.f..W..........~T
.j)pb;...W....."w..:i..........G.[|.......K..qO.|`.N..;...H .$.{.'....
.K2...&..8..XF>e..dW.....x.....&.}......B..Q....T..r)Y0..jW..F.p...
.gp..D..z.q....e...*...I..8.p.....t.....g.k.?./p.Ew....|..U..Z...KD...
.....m....8......8.0.i.^Z.A.8...8..n.#?.o...aIQ.H......A.v...V..6@....
..2~>....#....O<Zl._.!B.......`.yT ...#p.O}[email protected]..%
Lq.Y"X.*.][email protected];
[email protected]......~zt.....G....0..p..E.Q....=j..6;m.s......V
.*.....I...l*7w$oH)u...H........c..N...........8.....PO>?A.k....cX.
...IEf.....p....h5df..w..nX....Xg!/p7T.g2.[.;..`[email protected]%
..!..)G.Y.u .~....W".0M...0O..*..0....cv..,=4D...(&..iNHa../W.*.......
.;F2>..F.B.v[.>.NV.0..:#.[`vD...XB..2..W...y..H.?....7...X.z....
..2i......=.I.8..E..........4..-.......S..{...[.a.........j....W.E.O..
c..1...K,7..Y...3.].x.....|s.A6......<zw<....G........i..KI`...'
PW~F2.m.o]..........=.RW..tw.F...7...o.C...%$o.'.w..$...&..-.'...:....
....&....V.....bM..#9.;.,8..'.t7c..HK..*G...:.P. D.pB2q..x...3...O.t.;
.{......Kii..<Tz...a.wr<Vg..}.k.PV..)... :....\.[....(.s.Vx.z...
.J.c..c.b..B..0.h..6H.R.|@.]#..g.[......../d.I,f...?.ff.r=..m...I...&l
t;.........M..e$..e..&P.nK...q,..s.H.Q.t..~Lx.t...........}.'#.73..t.)
.k.w.}...>.=.......... y...: 1Y..C...`..........d......>y./....!
.....0.rE.....gu...wx(Z&..E.........?...P.H.O,.r...g..x.Bcg.<a.
<<< skipped >>>

GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1


Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=29360128-30408703


HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:14 GMT
Content-Range: bytes 29360128-30408703/53784984
Content-Length: 1048576
Connection: keep-alive
Oz.g^:N....;=.U...:R...No.n..rl.~........}$J:....e.F.....=...&p... .~.
..m..C...x.x....C.y.~.~l. .........!,@.>...v......*:...Na(j~../...a
...~6F.]....N1..e.DbQ.....z!....u..nU....6.pv.#[email protected] I.S...
...7..5S..[%...J..9S..q....s......6.[...l.. ....o...=.s...5.5....L~.g.
\..{...`......'.Z.C%........^....e......}Z.W..2O...3..V_..;.?7.:......
g...[fL....n..7u.UPZ.......<..<U... ...T.jqz.h2$..<........*.
..|65...w.C.^..O<..D5..Q.f.lk.....'...y.....p?.3....{..r.9..V. ..Y.
..S..|(5....>........)..a.....=X..#z.....rp*.d^RJ...0_..`......W..$
\...M.6~.T.....!=*.r.t...5?._.0O....0r.@.$.........>>......W0.]'
.D'...^..7.....N.l.l.5.iY..G.l.#.W#..].l...w5..;3f.n..\1..$....q..T.%.
....]C3..C@..;e.R.....]C.z.......)I........C.=.[K........y/b..).N.;{s.
......D.....X...|......9q.X...H....6%|.a?..n...'e..#...."..|M6..r.....
..0A...c......SK.Je.IW...\....-.U13#.iP..\......8.L.,..:....'.~..h.NdW
....W..{V..].r..E...e....>.U....m..w.F.w... .vAB..........L........
B..##..=.......J.&|..V?..... ........ .w..~..E....-.....,=C.Z...A....W
(.f.?pUS:....Rev...Z...Y.....c.;.Mg,.h...........Q.U...mIez...!..&.cs.
..HK.....{b.e..}...........W=b.B..<7.aIK..P..[...b.v../...`S...@...
.3.t...u\c$.^.......s.:!.. [email protected] -.g&
lt;Y.d.4.N-..Y.y.A..H...w./.....~.....U.6./.....&..........r.x[\.u!.W.
O..I..Q.>[.2..2T...n.x...t.........U.*.Wx/J.J.........J.j|.....H...
.....6.>..L....:e!f............h.;yz.,)[..*...w....;.....U.M.M.....
....K3d.ey.(M.....':.n...Bs.Z.R.....y......22fp........4A(^....O..
<<< skipped >>>

GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1


Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=30408704-31457279


HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:14 GMT
Content-Range: bytes 30408704-31457279/53784984
Content-Length: 1048576
Connection: keep-alive
...:p.x.N....O..P...>.qTJ.D.. [RSd'w .....=GZ...Am.Y.0nv.|"...e.F.*
l......\b.Y.&..A.@3.... ...x.F....xv....A.G....'oI..dN..3V`..5Sq.N..X.
a..........V4y.rR~.-I.g...zG.][email protected]#T.^...T~....?....#...ax.|..b
.....\-.....A..R................9~..e.jhr........./.5.N..h>.2X....p
.....pfb.....s.u../..<......X..}s.\tvU.,uS.x.$`.nW..'.JP....!...<
;..9G..~~Pp.<.........4.{..J>)....Y..o.AuN..#...}.e...RnN tg\o..
18.w...H....F . .wr.d......x.m.TD....4. I.X>R..........U.......N.t.
STPF......&....*q.-6%.R....-...X.U.D.....!7C>...;...1..Y.....L9.M..
..c...~..."....M...zl..`R...9.....=...HP.2._o..wIw..M$.}..6........]..
......s|K.#F...........{X..N_..\i>.-...2.B.g..[R:g.....oX..W..t..0.
......}./$).B...P.d...L..s....3.#...:.<.k.8M..){.....:k./.'~!...'.S
W.'..,.iJ.f.....{.yHn=.n.7r.....P *z'..4s.,..-S. ......9......N..m4..l
Y`...KG...A0J,RDlk...{?u3.Vq.ck....Y".zL.)G.3..nQR..@4.../.$q...D.....
.3..!1[."..;..o.8....@.{.,......C.S.x. ..i...q...B............V.3....3
.. ...5S.B>.mVE...Z.......4.N...$..M..R..m3.W.!..<`.B......dl...
M.h.$....u.....C?{q.\..KWo....R....T..t....uu...u..!!Q....?..(N.pJ....
F....1.......34..;!p.f..y..... o...T.2 ....u...... ]f.O9.}..i....*...f
...5..v..E,..<r..t].HzL....K<j8......|.E.M..:O..-..sV..]........
.<j..b.._...6...y..{W.HT7.Mr..t.k..t%}.G.....xC`...P..]..p^.*..DlO.
@o,vP..=.<....cQ..$...6......_.Z.....]....q...j(..:. f<~B.d....m
.*Wn.z0..F...?d{.m:.6.&.c.....$..lY.j.7...O.5m.B.6Z.3...F..=.\.C;.rF..
..l.....\[email protected]|.................\..;XP..R....;.W.v(.wS&j9/8T.
<<< skipped >>>

GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1


Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=31457280-32505855


HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:15 GMT
Content-Range: bytes 31457280-32505855/53784984
Content-Length: 1048576
Connection: keep-alive
9....b..9..U4VA...bY..,.....x_.......8........=.......pf.."...n.w..G..
.....7N.\"..R. .7(.{./ Lv..2..y.N...(..9.....c.9......8...n.~.S..".:I.
.p......c...O_...|[email protected]..&b.>..ZO.[......MT.qa.5...P.0.^
0..v......7ii..nz............1M..f..\....P}E.f.8.mi... It.:.....h6....
6x.y..N....a-..M....S..#...K7.^........U.`%o...!...v..c..x/F.h.n.....:
z.i.3..?...`..#;<..v.N....2.....?.'..B ..[..5..{..T...!...UkC..p.`.
@..l..........V.#`tJ...Wk...b....yJ...rHC ...w..).e......`..xk/.z...dG
.D.yd.(.[..y\>...iUX.1.....N.F..*[email protected].",..;..$...CR... >Y
...lE......d...C.Q5..j......Z=d#.u.6...........,......L...J".i........
....2l.G7W.J..ao..*.t.!.'..{[email protected]].%..t..
c..:.a..d..,`l..|..{E.J...P.m?.....z.s1`[email protected]["..
.......c.YF..%...8...LP_.'/z..{q..}.=fC}ji.....Q(B...p*..['P..L....J./
.t.9...T.78.5.....0...g..6...h.B.....7`.t... V........d.|.............
...?. Ys.k.....#...qB.<.k...B...#M.1&j...)v..$...l,.^....Qc........
qj.r.............qTw.....2........s......k.,.....,.h.!u....(...W../hV.
.>..{.h....j......]..]|.k..NP.Q.......@[email protected].}.q....3ca.!.r.J
..W.y ...\EJE.1h6.$...v..a....&.C....6...T..K...^.4.....g..=:..|Tm.]..
....|%a.8.&....m...G.m/.d....M.<...R.........?..8.w........iQ:tx|..
(...\D-."...(.....g0#.$...r@^.`.:.......H.@....^.....w..}...d.P.3.nF..
..n;V^..lU!kH....D..UQ*...b....f^..&ff..QE.'..vd.....5%.m.m.^.trPC5qzT
...........5~...$k..w.J.....#.........F.n.......2.R.L&.jQK.ng{.:..6...
..V....\..q\......4.....:...X..D.}.A"s.......D..p.h...!>.%....o
<<< skipped >>>

GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1


Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=32505856-33554431


HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:15 GMT
Content-Range: bytes 32505856-33554431/53784984
Content-Length: 1048576
Connection: keep-alive
.g.f.....&b.x]t...L..F.Be....Z......FkS.B...a.....,$...x......aw..U.W.
..i~h....E....s....._...0..;x.-h$....s..OF....C....$.......1%...A..Pq.
......)T'..#.k.>...H..C.r...#...{.F.A.*.....;30& ...6........F-..9.
r.]....Z.S.qG..jOW....M,....V..!.. ....<.D..j..2Kt..V..0......Z.`U.
..m~Q....;._...^6'.g."..2=.h.3..)."..{..}..=.....F...=N...asF\#V....[.
YH.....yR.F.Z...KV..q.f...!....!....a......|...........4.b.%.....,P!.=
..b..LW.]...I?....=....r.)-..SOg....6.KTX...|E...Wr..g....Q"...m.....U
A..:.10.#p....-..L..F.h<d.....y....g.~O...hb...d.....>...2...R.X
.4......E".jc...k..~..... .&...U.d1.7|.....'......"`..x-.9mW..o.;.pj.t
.!.c.\.S.c.#...-....^...!..]_. 1#.'.y.A.|.%.[....|.J.c..Q..&....\~s6..
.z;.(.^;..$......BT...bh.:..x........Liw." $E.6..'? .n*...}.'..._#Z...
.hQ....cW.z...C]...@H...{5k.).c.P.A...*g........].I..ZB'..,....\..#^v.
.1.5J..8{.....#M.=..>....0.=,8..yV@:'SF.L...?t....L.........M.Ue..I
..!..c.}....i..1..;.g.r<1...........V5..U.?)@...31Q.Y....c..G..s...
dV!$.j......t..........U.y....Q......\.`.b..d.C~...PoaSs.|.....H `..q.
i.B...6...Z..V.{..r........<..F.....jH..."..G.........z1.v.....~~..
e. ...r~.y...3..?..;P>. ..l.Rtg....E.[.... -]#{.x..5..&...If..h..P.
....(....B...[..g.&-gE....x.4U... U).lT....G..,.{o....g.l0..lc...q.c%.
t)[.9D..4j.....G.....A0._?.E.M.*....lS.... LJf..e........"..0PzY.s.~..
.zQ5..R.#..:fN..[W..V:..W05..q.....|..l.?.M...0.=.I{Eo...)..6.>....
...$&H*fT.-DJ.R...I.3.q0...GZa...j#..W2...4.wYk..te..6#....2.y...J_.64
...i......Q.....i....4.Y[....q7..R.5.;..G1.....~..w..B......C.....
<<< skipped >>>

GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1


Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=33554432-34603007


HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:16 GMT
Content-Range: bytes 33554432-34603007/53784984
Content-Length: 1048576
Connection: keep-alive
.T..W..1.<.........D)...}>........X.....vW.C.V.P4g..cR...Jw...`.
$.X.oK..U...M.w5.t...5RK#e....&,u....wS.......w.B........d}e.H..U].s~.
.{d......T.z....8c....B..Z.kN#..o.. ......,......,s....CY.....J..E&.qy
........-.\.hc....oc.*.........G.c_.&.b!P.2..6G2.$..F[1.$Y..2L9..?.. .
..x..B.8..M..N.......B..6..M..$c.K..P ....iE.:...'9EN.....W. '..gj..).
.....6.6........*.B..k.....t*.......z...k.d.' y0.@.~u..yk6.<...`. #
..*M..a..qr...k.C.r.jI.....#.f..I..t..N^. .....0..oa......n.U.......b.
.XY..C.3.x$...`b.]M...dc .b[..X..'.,E.C....I\Y:.t.><..wyG.9.....
...l8..........._...5.hhR.K....J..q.....`..8Ml)]MY.u...Z7.#!..........
n..F...E.4/..H.#...#..0.a{.../E.icg.....)hiq/.[/.PW.F,.......O..as....
D/.^_....0c.\R.T q._0kr<q<A_... 0.P.u.e-."@.%i...p)B........]...
...}....K%....p...;.?..mHX....B.E|..y.../yW;.....8I.....z....p.@......
...(.7.'S.I... .7./.0....<..(...TK.6.h.A..$..?.Y.....s...%.%.~.E.Il
.[}.....y.O.03...W.......-.(r.=.G......S..Z.h..<.....o.....m.2.I.TX
.E..%..X..g.y.w......j... ..h#..lI.)6.Z.h.S.....0....sU.l...ME(...=/].
."...7.........U:....u...!.....Y........d.N...dP..D.mLP..\.o*.....}.Xb
..BV...F...bE..*..i.L^.0._Dn:......oY.%_!b..x....4!.Vl3.....^h.O..m.h"
...{.~m.....F.q...*.zL..1.B..5....]._v,y.B<;.\...'...e.FE...p..A.Fo
..Q.Dy.......e".;'./T....IA`.._&.b..v*G."_..rK..*q E.n<W.....0&.Dn.
.....E...n@..<...r...0q....=.......y]....\F..:..e.0..g...&.0......P
).....tXY.DHf..~...W.....\.s.M.....[c.VI/....phUF....X...B..........vq
.IL.,T>A...$w[.Bk.....<#...`.6..\.....=..(.jW...*.._c.S.....
<<< skipped >>>

GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1


Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=34603008-35651583


HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:16 GMT
Content-Range: bytes 34603008-35651583/53784984
Content-Length: 1048576
Connection: keep-alive
....T......<;...D...o.].y../.S...D.e.mw?..r..AI.9.3po.|T.n..;k...K|
..#..../.`.<...(..........K{[email protected]...(@.3
F..].4g..D..B.....e../6..e..Z.rN.......9...<.B.....(d...]$.:. H]...
.......*3...F..'..S.?.r......Us..iR..a5...>E.....7.&~.L8.k.g>.~.
...1.(....|.3"..G.y.E......nh.z...:..0..W!...3... .&....h.....7....S.I
.y&B/{X... <..y.j"Q..{...b1qSU....a.>P.(.=9l$,..v.......S.G./..X
.C.'3Lox..' .=..0..N;..l...K...E.Aq.d3}D../t..>...cY2Q7.K....a.k...
.Rb-..S. ..G...a..N....-=.%d...y..:...~[.7m7.Jn&..... uU.pZ*R.#..U".R,
.i.O ....."$T..F/.D.tF.<......;.Z......C...K..-.yJO....a1...7......
C.J.9g..G ..qT.4.E....g.3<.$.7..lt.f.0.K|.t... ^.I....5|..`&.......
x.M<.Z,K...h./.|.[4.o.k.....^.8..^^.............V_.. J..0.mG.EkM,${
..*..].D.O.Y..Y.u%|.h2..(`..G... .....P.]K...P...U.2O....^.cuY..f.Q...
.&.i..Bs.c.."|......6...;}...=...x.....X]..(.....L...Iy\.a..=7..r...k.
t[9.`.?7.4[...=..\..,.~L...!.>.2.*.1.E.....T..KnA...rC.Xf...a2..1S.
...y.El.....DVRl.R:.m`QjF:.1%..}Au. 4........0p.....e(..y...[.....7j..
.........7...2..I..R..<P..L..vH..F1.[..C...8w.e..3a.U?.D.....k]...S
pF.f.....x......I=.Naq......2./K...}.U....n].......L.M.#.o.V^G....Usf.
d\..!_.......N..b..U....m....}..eE..eq.%;..._.......4.V/.~.#...:.C."..
.j.........u..D.Vw...X...I...u. ...9...$=....-q...'^....I...$g...{e..j
.>.....f.d.|.........*.....|.H\.V....3._l-c...(Q.......bW.....&.:..
T......<....LH-.#9..\<...._k.c..|..._.&.......U.U<4.......{..
.....).._.....@]..M.....)".r..2.-$.X1....."..R0...qh....A..~.....~
<<< skipped >>>

GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1


Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=35651584-36700159


HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:18 GMT
Content-Range: bytes 35651584-36700159/53784984
Content-Length: 1048576
Connection: keep-alive
..-.n)...-...-$.jS.../.....E..-...b....f"zGH..Pz..X.}.N`.$iH.<...M~
.}..`.#.M..u.....{..d(5RZ;.~...$.........I.kH._.l.9..W.L.L9.2`M..Q...|
[email protected]%I..../.,.. .....8..v!.%...E.h;f.Mr.L;/.Zw.&.o
..V..P...7.=.....N..Bv..|.Q#W.~....:.?..^w.....a....k..;..~..U.....P.?
q*6\......*....Q.V.v.=.u.-`....]..W.F....<.bw ..Fp..oW%%......M7...
.....L...UM.5|[[email protected]<..&...3.;.pV........f.....3E.......V.
.X.........r.o..#/..v..H.. M..EBa.......g.oo.g.f...v.`.-....'SO.a .V..
..d.Q..5.G/.(..m.k..Dq..%........l....).Y.....:.`h.-..<!..,...R....
..*.....P.W.VT.... .....O..E.......JJ......U!.] .K.....<.n..N.n...;
[..y}[email protected].=v*2U..#..h9Ib6.....jL.JO...^..o...-83...
.9.W.........\..T'.L)..\};n.l.....R....E..G..PuFb. [email protected]....(..{d
...b.V;..C....*..'p.}.8...=F.:....y-...~LN.......z....)....c..U...h.N.
........y..q..cl........n....T{{[email protected].%o..@....=.3....'...,...q..F..)
.|.......q!..............c'...)wU...r.t...0....y.t.3v.h.. .P.wb)K...&l
t;..*Mx....".#...G.....;....=.x.3.-l....#r.._I.wb......f.....vs.x.....
_vi;e.Q.6....).J6....:Q.d.&.vu...........3.c.P....3.v../.X..*...X~..V.
.#....q[..N....].F......i..n..P@=..0......;."o.7Ou_.....f..P........c.
6..`.}.q.f....?Is......:...7.......3...y.....<{..7#\3-...[..a.....s
..N......v.E.j.p.O.....;H.........h...'O...h.\..N..o....s..<..x....
....`.......>.....B...F.v?....V#PLt./...|H..G...:.......\IO..6B....
 [email protected]|...../..s.....2Y...(........_..5..0Y..
.|n..v.z..........%XLv.4.......D..H..rd....0[.......0...v<.....
<<< skipped >>>

GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1


Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=36700160-37748735


HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:18 GMT
Content-Range: bytes 36700160-37748735/53784984
Content-Length: 1048576
Connection: keep-alive
.%{.=<._3x..>....vK.s.....Z.!......P...:.....Pq..;....z.Q,..../h
d?.Ba...B...^...I.Ie.....*.0..*.9........h.fjd..!....E..\ps....Y.... ~
.!=)p..T>..r..._...DX...M...~X.&......m...'Y...7.S?..........dl...\
.nH...x.N..E{........B...`......"R..:6D............=H.//?.B._F.#..T4..
eu...O..Bvm[||........H&.jeW.ZIMi ?.)y..*..nP;.sM.p....J..G..m....d..)
n8.9.... .z..@#.J=).W...R..c...-N.....EK....ZXS..7.0D..f.4.K..........
,{a..<s........_..[...j..2'.$......c....Y{.,'.....6....J%.<.v...
p....W.............4.!..&3.......o....E#..6&M...~...Y.m.u .C..~...futL
F...)Ds..A..g-.BJ.......W..yE.?M....z..b$.....Ft.....EY.H<........"
].t..".1..|#%..4..L_...@.=Y..p#...5...X...}.v._...........e........].-
s!...Cz4.fB4..h.E.n?M&...y.._..s..c.\...<...I...s.gG&.1n....=.....E
h._.........B.o...91>..;...{.Y].".z..A[..v.C...I....a.....c^.8^....
...k....h.h.E......=.oq.L..$b.u0T.-.D. .W.,.h...W...([email protected]%@.{..
......<.79...U.v.....N.._...A.y....X..../...M.9'/{<..GwY6.S....P
.2.......W...>......iM.........W.r.....m....s0....wN...}N.....X._..
./Nr..-..[. ....._..7..... .|....j.......v.Z...........:..lj..P2...$B.
.....27..7a.]q.'..(...wu.......N!2.4}...j...../B....>}:.9i..d......
..`..6...,..TR:.U.,_...M.{H.c.:.W.gM..-.k....}Z.....c.......%tp2......
.k....c.....<.`.`..x....d.....u...u....$..../C.j....^......3..(..}3
.B........g.6.{....&_.N.k.W.[[email protected].`...y..E5..........-...'?.P
R...w...~....r...`.!.c.....r..xL...fY.........._/.].)....z....e.}....M
%.......(...3.5.s.e=.x2..N%.\[email protected].{..3...\...).....L...
<<< skipped >>>

GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1


Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=37748736-38797311


HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:19 GMT
Content-Range: bytes 37748736-38797311/53784984
Content-Length: 1048576
Connection: keep-alive
.....yU.. ...:..u....Y...M/A..R.p7.x|F.f....7z9.......,..ui.,?...4....
.Y[F~...=$W.....t8.......y...7:...).i...%.....6...-.05.e....a..&b^....
D*]....I...jy...s.h.....%.Y.$._.v....F....2...... ...m.D.z.mX.NO..]../
./.zc..kp.].}@...Z......9..Q..B...y.....(.t?....G.....o........a.[3.%x
cG...5...C .>.p...\<..0.\........t......../......c..0......._.r.
.X.. ...q...$...,?a1..i.CWP......t.x...f...@j..)..k.b..#.WQ.*/.... ...
..97}.=.q.9.C.ooAc.|...?...B{.l..m....'w.P....?..."[...P... ..'.r....t
}[email protected]<(T.d........a....'Jy.zj.h...
.....sy8..$.,[email protected].=4.' (.>] H.:.;.Ug.g.G.....E@....=
k."X.R'.R.r..q....-.~...$...p.......E.......K4...#.8\.\........Q ..rK.
....Z@.........?.#K....$.u..W....N.6.'...=:....\[email protected]&,t..&
gt;lr%.F.K...........aa.I...L.;..15NK.....g.n'.Vs...~WS..wn.....Dq_y..
.E.'..".Y.'l.....{...s((... .4.!E.i=V7................e..T.Q..].V..V..
6......72......`....q....W.......r....{(...}I...E<?..*[email protected].
"B....|Y........#\.pK...V{d).A$..b ./M.?waq..u..$*CuC_Q..p........P,.@
.K....\op...&|......%...;...s.....*.;../[email protected]\......o....#Hib...*A.%.
.<9X{.0.K......f*...|.[...;....7.%,..{.ldyn...%vV.Bg.9.(...9O...Lt.
g..xO.....n.....Q...`|O....FR.>:IX.bV..zkZv'....`D.5.........b.....
._U.MM.x...6..._.k/..D<lC....!.~p..3.z..S.$3.....x..`W...WH.n....[]
"G....U..h..;.....p..?..z.?....5aU.HeJ.c.1T......C....p..z.3A.J.g..j..
......... ..........s$...U\..Sr.}........v(.P.g.a..)v....).g.9..v .hO.
..3]n..(.....'....I.:j&n.I..i...p.ew0._c.x..\..3E..O:.......KV~...
<<< skipped >>>

GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1


Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=38797312-39845887


HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:19 GMT
Content-Range: bytes 38797312-39845887/53784984
Content-Length: 1048576
Connection: keep-alive
.....jO..!...H.......R.....Id.>...D.[...d.l^...........X.!if..f.T..
....nr.../...IV........C..... [email protected].,.XC...%....
#.....fU....og.....4...w...6re...K.k..8.c;s.....T..C..|.;#<#G..2..9
.)...h.<..D. J.8................`..J..N....1Kp.....>Yhr.j.I.|..X
..b.`(.(..].... .;...5.g..LHu..3..-......7.....P...I.Qq..nBa....... ..
.....!@.(.K.P.k...'k....4.V.j..W..mx...E.i..~?..l.6..Mg^......dz{.E.H.
...8.I......`.....F..K......b.R...T.....V.X...}..7.=w.5Y.'...(2.R...R.
[email protected]...&.t..Y.[.G..._...>'..:...P..~^......7V=(.X....b..
C7.o/..=.L.P...]....j..F..|'.....:^.......V;p...E.}cZ6...B.o..E/....$.
..<...R..ro.Q.4.d...{O.....].a......~...8fP...i.P..B.7~1qN./1.s6..t
....`$....:[email protected]....... [email protected]$.r.C. R.'.....x\1...
...$.S..Z...>........Aj.&....J..I..4...[....:..v.....(...(.X.n..E.b
.0N..;...BDO.Dv...>4.t....$.].S..W..}..4........~..]./H. ..j{[email protected]
5.|.kx.........".>....]!P.k~..d...>.nK...h...Vw....%..65.sv.e...
...@..`|~.....-..f.!..b.u(. 3..9..J....v..-.a|.O............d.E. sJi..
...._U.[e.......x...~..$Gwa..K.x.l<s%.m...p..Z..........!C...[.....
..P..N......_..Y....u...E.5YA....?.H..[.2.........T...z....G.#...H>
K.#A_.r.5..sm:..fjP...s!h(.5ab..?.L....R.U....MF.Z..:h...X7~..........
MAd..RP\..8.6..........R.d.....i.X./.$Q.....u.....h...v|#7.'*sV....b. 
..#..7.?..!..'829.T...g.R...>....B.3..[...,C.X..s.sy.....h..I..t...
[email protected]....&....ng. ls.]J.........,x..d....X.C2V?.F. 2..d .7R.L. W ...2..
......J..Y.1..q.o.M..u.].u..a...A......Jn2m....*....v.w.E..U.=....
<<< skipped >>>

GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1


Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=39845888-40894463


HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:20 GMT
Content-Range: bytes 39845888-40894463/53784984
Content-Length: 1048576
Connection: keep-alive
O#*~...S......b..5?.(.=Ic>.G..&._..Ik{f...M...8...].G5....'o...3.d.
O..........k<.4.._..v.J.w......P0........ifZ1.{...1.f@.].6......A..
....id......_.......m.P2/........ ..[..3..F....5..XQ.D.P.4-...a.V..Q .
...2"p..x.......l...g.vf.H~4..:...Qf..LK.n...kd.>I|.~.U.....I......
[email protected]@...~.!....d.w..,...m.... ..9..x........^I..[9....
.]..J.....rq. x.Q....>.%..m1v.n.Sd.....$.Y.=l4bn...K.X&......P.....
......./2".D.....WB....%:/W..".F29.nF. ..aR..C;.2....VA......ug!.. ..6
.....7=k.]...0...I....29,.3..Cw.....[..G..(.......s$.......v..........
6.......r......}...^...~R-g.A.5}w.jl..>RG...UG..s..(.!o......z ..O2
...7..tr.9.q...-8...._r7.f^.B...).(..)...N...x.....]..L.x".*..B.U....P
....h|(...Q...5..]&^...IM..u.c.........8..."..~G...Q.n.JC..A.$H.u...Y.
N...^..T[.R...$\..x...D.g........L.|.:.4w.7..R.X......Y.....'.S#?ht.h.
.K.yn.......8{%.J{..,.Y?.....G.....B.a......f....r.....L.....e8.N..6..
........S..x.P.]...?.5..j....#.......UN.x..v....T(.r...eu.8.i..F..(.e.
LG.5Vp.......0.b3.zE9............n.H...|.........C|I..Cn..}...>....
..4...GW.......g.z\.[Q.uF\.O.(..v.Y.S........2Q...2........o...;.....A
...x.C.-...DQ=RF/P..(1(J`...?.l......B0.x.(........{,.n78...`BKyg.R.).
..k...^.......2..M]%@[email protected]^0.|.L..u5q<..t..
.;.K....".Y$..18.....4.........e..*....zy..H..)._ .0.R....]. ....n.._&
lt;q..K...0...!....V........Q.8!....S..H.S.Cc...C....H.D......m..=>
w.....p&.0...h6..p,.(|C..#E.?4........"...}.....=kjC7.......M.$.G33...
,..D..........v...&3......5*.)..W...8-K.\i...xb...~......h,.......
<<< skipped >>>

GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1


Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=40894464-41943039


HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:20 GMT
Content-Range: bytes 40894464-41943039/53784984
Content-Length: 1048576
Connection: keep-alive
....4..(d.J.Y{..L3.Y.ot..f.O..P{.c..QZNwp.r.Gc.>[email protected]@o.4.0Iu".
...3.B...l!...61.5N..@..~....>......L.%.0..m[W5.K5...]... g....{..a
..........`./6z.^..:[email protected]..:..Q|.._y:q................
Q=.i..&.....hC.w...u........0.....y.M...s"p....s.B5u)g..t5&5c...q...w.
....%..*.%..[..@....)R..y.)oci.g..QW....#E.....8.y.:...z..I.P...=..t..
..G{.a..5xD.&....= .I....Qi........G.....2.mA.Hq./.a...Pe.'..a.....k.i
..M.B.S...X..x.q..p %c~B......-......p.W......K.V..3`[email protected].....{{m
.d$Ak.|d........k.. .^Cp.."...0.&..7..bV..JV..^.......O...N....J..0O.e
[email protected]..:l.S..v^.....zK.i[..:G...5..E.(...e[[email protected].}...
....<am3E<I...6P..y.<.t.a..x*.j..9*../4..^.j.h..q.....n.'.U..
%.6E....6G!8'...O;m......3.....k?......O|..W..#..7........].w&:.(..0X.
.......i.'.....0...."p....}7....($.s..V..d.......&?A....Zj...^.}8...1.
7c....O..\)..dr..".R.`..LK..3...W8.b..h..!rC.lI./...f...29.1.....,o...
i..H.......o...t.YrN.../...?....Tc..7...Jh?...hQ.lu..H.........0.....Q
YF...:.G....... ....^.G...@.......&.|....p..Y>..C.P..F....z...9`(.t
......4..........9...(..V.......x.q;.2B...Ez....D.... ...O.....-.L.[q.
........ x..?..A.......;Cb..e...v0..../...0{......8.o.Bfq?..1B.Z..P...
.Rt.........(Y.............D.x....[....................=.. .`5...i....
.n.E.....*.j-l...2....z0l...7O........U3..KS.) .ys..9%..Wx.Z......... 
5.......6..... ...D...e..r.)......f....>..`.!B...AT.NWGf...T...c;p.
}.J......97....l.Pa*^w'!....-..s c.s...k.:.|/r*.......!6..4...2....^.O
wlz..7.r.....u..qS...A....{.$d.^...m)f.!o.5..j.fp..6...9m.J.61...M
<<< skipped >>>

GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1


Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=41943040-42991615


HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:20 GMT
Content-Range: bytes 41943040-42991615/53784984
Content-Length: 1048576
Connection: keep-alive
.......}..>.1.l.....l\..G.0?.=......!J*..b.5.4.-..L....J...J..hT..:
YC\%RfCI..p..A..md..f....6..[..^.Zor....s;o.p..s..N*a;..Z...C?.'.O....
 ...u `Dx O..Q...id.f'`._........U...5...]....u..w.3.._.M.....T.&..-ls
..S].m;....kB...|m.Y...hl-.....b..CF1...2..;.*Q......4E..q....Q1.f..#.
...k........@......|.W0...'...t.!.q.;...[N].....XQ.Z.G..Qio.|...[.1H..
.?O...nR....".v=yW)^.EZ...6...$.....;41o....z....W...x.>.".........
.r.=T..A>...%#GV.1....>j....rnI_.:C...T:..fh..)b...B...*.t.....j
... .~............e..MgRzHW.D#...m....8..xl..}!#.q.....@##...i.a.t.06^
.&-...*'v....YH.N.. 1.=F.M.....)..d...l%....uduspNj...........B/.If*2G
........=.....[.KV...s5._o.HyP..`..<-V.p.NI....{b...p.....L....0./.
..V......f.4ID../.;!...x(pV...f.....?zK.....hG...W.....g..[.8......F..
...J...Vn...#3...S.6V..A.OcY...N.)[email protected]".w.RZ...P.UU....~......v.
g.....Z...>$ .......q=.Y6]..Y...W.!...<LyF..~...YE..K~R...~F ...
./....c.f....Lyfz..i....,*.6.....h.~P...e.J....4.....[)......m.....`.~
..:...}>.H.q.-3..&Qh...Us.......5/..p..M8'..35|...E.V.\6=...;(....i
#xX..9H;R.0...pH...{.q.f....H.M.u).|.e.......a...#..svJ.u...K.....d..F
\..$W.`I.#...]1........@*.._t#.....z..r..7....\V5....{....<fF...4.'
o.... (...y.%i......(.g..9...W...UM4...q.#t.E...(.....H....qWOe..C.T..
C....%....9d..(....P..pz.........=HT=...4...J.}....R..J.r.Q..A. .b*...
....o.r......F.!6....`[email protected]..[.R.w.1^....I.%R..U
.\;7..8...w......D\.....>.l...e._.?.e...:..W.X.t.$a..cX...%....2G.{
..$.....m.._.I...{......{..I...r.*S...Y.4...}........nH....Rv.@..^
<<< skipped >>>

GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1


Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=42991616-44040191


HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:21 GMT
Content-Range: bytes 42991616-44040191/53784984
Content-Length: 1048576
Connection: keep-alive
xM.1#..`.Z...G...f:......N..X75...I....8..{....U..:..C3..vj.../.E.h...
[email protected]....`;@e}Q..Q..hQ|.N.......1Y.Y...@......$.i.Z...t...)....."..vQ
..c...B.~.. $.Q.}q:..6...%......>x.,V..U..u.x........M...z..uy.}.5.
....~.5..!.....0{7m...M.t...m.0&boHP,....b.b.....`.Ig.v4?..#.T..b.....
...'....M.....L.i.hV.q.. s...rw0.T.f`...6.....P.)....2..Pd. ..3.....:.
ty...WZ..x....?AiF?.;. ........e#.x|...z.o<....h..D.ZI...c........O
......o....w........>.QO.K....%#.....:*&.V...A<.k. ..#}.}....A..
.$D...q`............%.Y..e.vQ6.6R.w1...pH...f.`........?y...s.c(a.8...
....m...(_&..A_...|.I........Js..QT.6....~...Z...AA.|....K$...........
.....E.....`.as.........0....T....S`aZ.....W.h..yaN..w*..b3P.Z.xxq....
)O....}G.{,.d.*s$./.Dco#33...?n...J...Z}.*p.M.E..e...E4S`...m.{.......
...B.2...v.Z.......8......fB...pS.~?../ "..N.....\..u.X.....}....W...L
.....U.n........-l#.]l.j.._......?V...K.^..h$..j.f.}..<Y.3....t...B
."Q%,.w..;.X...6.....3;..hF.v{.Bm.jI..4r..8G.I.....%b..L..U.W.."..3.[.
.>-..J...7.>K.*.pF..'.t.... ...h..h>...`.H?(mf....{9..X}.... 
*...&V.....z...,........<.........g.hT2.[..;.G.9P.G.L.,wV.[..w.R~.^
.{.yC.N .BkA.{.OU.k....\....................IL.E.E.I.L..@Rh..>TM...
. .l%.>D.|..mO..M..<..=.z..&......$s..Y.......u.l..E...Z^.Q..w.G
. [email protected]..@.>9N..4.Yv...;D..j!N........"_......7...h
..jN..NhC.....,.a.E.Kdy<w1.m.......vM.y......g.y.T.X.....L.J.)...\4
L..YAQ.:k.........;..Z.G.$.K...[|...........42... .6..zZ..]....w......
.)..W7...j..:...w.*(P..s.s.d.r....b8Za..K....P..Q...X....>..7a*
<<< skipped >>>

GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1


Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=44040192-45088767


HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:22 GMT
Content-Range: bytes 44040192-45088767/53784984
Content-Length: 1048576
Connection: keep-alive
.BA..6..W.........#3.n.<p./.z..........Aw.?.PL..R.......vz...... DL
.%b..d..$....i.Q....N.L..su...v.3&"4...h ....~...'..P..C^.......[.c. l
6...f>d.tP.....(6cf.=..0V......1e..&......J.G.....K.....?.E.%.:rB..
530..X......_..za[.\V..vxV.......o_...q.(0SNsO&....b.Y.^]m6..Z.6....6.
.....(.* ....C..m..5...>.Z.\5B....X3-9.p.N...,...._j..4eE.....g./.x
...:a.Z1....c..s<..E~..(hJ}.S..H>~....{R.... Rw.4...r.6.K..$....
......1.MUE...^ ?..R.H...n.6...x.....d$2}Y..N.....e.j.y....#Z. ...9...
..~.....Jw..x.5Ko....).&iE.9J)...wJ...H.5.W.....4.....I.q_......d....1
 Qy.L0$L.3!FCS.... .Y..t ;.....^...Z%".,!..KdNQca.jK#^s.8....Gb. .._..
..ax...i....$.?.".ft.....E.e.)q...E..z..i.0.....5.6.D?.....%.$wQ.V.M..
...&..|.k]...^_ ./k.173......t..I..P......s.. ..../.u.....9.......,...
.......#[email protected]..=.Z^..O........{ ..9....p........ct%sV..1...
[email protected]...].j.2.L..|.<...4.I:t.....}L8..,..J.&WO........
`.o...I0.../........'&..n...KV.Y..J_M.}.U.B.}>g......~.=F.......?..
7N...y|...M.._.w......8GnD...9b.c.v .F..;.%?..C.F"<...0........Z.1.
i[..-....v}..B......<=...|..(...2....S. .U1. .....W,...o_5.Gs'<.
.2^:G..lp2....n ES.C.D.. <~.:.]..Vx.5/..2.M...spWMvo.s^.......L.u.\
(...Q=5\.t..!N~I..L.....z..._./.4Q....].s......].u... .H....r..=*...~.
&..E..H....Q.X..6..V.I.C....M..I.8 |5"...d.:. ...-N..':."....B..2N/7&g
t;."~....J..,............b....q....6p......w./.X.........Kt.3-..-..\n.
........$...>.v.Q. ......r.......5.hk.P8.yt..S....l..J..t...Z9.....
.d.o.}..../ B.>.a.' ..N....Q<.:R......_.b...".T.....=...0.,.
<<< skipped >>>

GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1


Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=45088768-46137343


HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:22 GMT
Content-Range: bytes 45088768-46137343/53784984
Content-Length: 1048576
Connection: keep-alive
d.:p..........S".B`..iS;...h ...w ).......UA..?..]r.L..\.Ml.ud.DL*..&B
....Qp.I.....:Pl.U..2..c..z8gf......C.3.......{..R..W.....pA..P..Vk.LX
......C...(R.l5..A...^..'y$.^....Tn...?s.H..^.m.1&....D5k.....f..D....
[email protected]..).{]].O.J..t..p..(*..-....). HX.G2S..NU.K........M...}.y..v...
..G\"\.z....C..:@4.......*..8..y.*....%..}..$....F..d3x.....,%zu...^.R
..\.?=.]..a..q.k....b..Q....p.v._S...Nh....4.....l....a'..-.mPE\X.V..u
..N..!u..~.#.{}....2~.Y O...*.R...?..:.l|Q.......g..x..\..ob..$&L...:U
a..3.......|Fp=3K.F.:.......Y,,.C..9xd|.S...Cdp..F.....z.|WQ`..7...^t.
........F.................5.............-..m8..M.YR.. . .;..y#o.f...|.
L.!..B..................V00.g..T..MHq!..I~..-..L.!.4...d.......&]..r..
.0*mN..[JR/...J.\... ..3.d..6..u....S....OYh..t` pYu...%..3...e.....JS
.....G?n.j...~9M...E.h...Z...n.......H..q%...!d..1...-.....1,..D.... .
..P...1...e.V.6........q&...~.r.[......s.e.........qr....mT}.Mn.....N!
9V.~2f.. R..I.z.........n;k.*\("#.7:.....8....'..kB.......--r......t.s
...Y.1..U.<...0.~!..h..nX.ED!.7_k[..4..... Hc.....7....p..k.<.A\
%D.(.q...^2.....;....6.>[email protected]..$6-..5.$...h...R......>.....%.2.%
...$..V...uG....Z;.k.Y\....:nG.Z....Mp.6..{.V...q.A..*...M.]:*:-^.n..E
l...j.mT.t.#..Y..>..........&.l.7........X1&.PS.#h....pq.....i.5@..
.4.nK.E.g{..Q.....YB*....5...CIp.....eD.LC...."....C6..>~m{...l....
.....2s.sH...9....c1.l......1.)....H.:....@iU.]s... .wp.s..[.\...eJ.Q\
.}[email protected]...@J.|im...F..Q&pE{|.La...$.t...W..Uq..X..
...8..|5.........P../=.....C}..B....I*....  ..wq.u..^&..H3n...z~..
<<< skipped >>>

GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1


Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=46137344-47185919


HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:23 GMT
Content-Range: bytes 46137344-47185919/53784984
Content-Length: 1048576
Connection: keep-alive
........c.. .F....vla...]}@.....W....x&0...>m....\.... ........B...
/..b@..#.02.F\.s...4.....O.!.....O...).5j.(]...6..ye.7...(X..J.j...l..
...x@4R..\1.,k:i9U.....]....7.}$.T.h.~....#...p....Jv.<6..."....y..
....,.=&?.....f!.5W}....(vgB.Z....g....b..-.c..D4d.K%.X..;...!...C.]..
...l..[ ....=-..e.J.....o...r9.k..%H.-.!.{....l.UT.VZ..=...pvG...^2..:
..X.j!m?..>.......U..25..'..3_..g.O.G......^s..C...............Vg..
.M.:.b... v.@.$UL.A.1.NT..3.z.i.OC.J.\.......s9{Q...;.......}..S...&..
.......L......|../m........h.A.0.l...;.........n..li.u...:.k.#Z..q...E
[email protected]..^....oH......>._.*|..koJ../[email protected]..&../..{2.
......G..2bK._..1c.H9P.w.KEt..._` i..Y0.Co...t]...!^t.h.{b,Vr.9&'iMEfZ
..4w\Y..H:.....d../.h.0q...t3..]...@W,k..=Y...V.....A.m..... O...M.P..
OB..K..........a.........\~..1.....c4Q...Yr....'.h.."nw....5RX.P.w&1..
..bdq.....M.TVK..2.K..&....2B...1...~.e...y[.T...._7:..~3".t...(......
..Z.GH.....3.......#W.e|;f.`..af....6Bo.ur2|.. ..5.o.;;.z.h....[....s.
.~......\X..N...v..;4......)G..-...Ik..V......4.Y~T.]IFE..J.m.Y...k...
.q.....I..f.q'.].]F.I.5....y.[..l-.?m.%.).........<]..V...?..T..L.7
.......e.V.U........p..'..oz..(..4...JK}.j........._.5h.[. E.!^.TfV.1f
......j.5`W.....` ..9.T...z9.........]...d^..$7L 8D5S...OCe.2.=H...N.a
x..}o..H*$.h......0L9N$Y.$......F....G..'t.i.c.;..h..(T....[xV....v/..
.A.#....E...V............TT...B.d\/.p.M0Va...'&.I.....t(...5......EI.b
|."...ib!w.....r.."......'.e.i..M..W.Q~.=.UF..&2...{t..0...&. 17....})
..*#."...c...K,w......F.(V.........F.#.d.E.p...j.Yw.KGs...dZ..A...
<<< skipped >>>

GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1


Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=47185920-48234495


HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:23 GMT
Content-Range: bytes 47185920-48234495/53784984
Content-Length: 1048576
Connection: keep-alive
......JV~.......x:.(..O0........Y.^.El..9l.f.......]...%....C.R......W
K......<...D-.>q|[email protected]'../O.....'D.....'M...?.V.2zo....d..w1..3
?.N....(d..fO<7.HZ.r..g.|.j.?.%.^..f.......9R.....OV..A..9....i....
.E.Y).C.B.3P.h..-.hj.Q..#....~.Dp}..Y......t.%t....=B.[....f..rC.V.B?.
JM...o....E..%...;.....z...z.J..Z..O.(...yLM...C...t...6..y;. ..~.....
Y.k.|..f"..Owy......>..n..Z.....#Q......=..&...3..9. 3...1C...G)..F
..#] ......i...Qn.B.1........._...}..Q!-...#(.j....,..H|X.i...".n...K.
......~...V..0r]JrR.\..C....4...C.o.p..v.....|nD..a]n.*i....lB....Hs0M
....l.l.r.D0.<..c.;dPxIB..`.^b.m.?F&....A.Ms..F.XE.......z..ux..`._
..F..2.z.l..VVh...T3oQ....H...w...;h.;[...r./.*....(....ZK8<.......
CKt...o..q.@@P....N9..Mz.1.':.kT(<.i.p....}.....1.yj.......c'/.....
&....G.......b.=..{...V.3......Fpo=.Y.gq................k..xT..=...ayu
..0m.[.K....K..N.z.....Z.[U#...C.H.....|.......K.i 6.Y.. [email protected]..
H..Z..j~.1.....0..6#......$uo...F........As.">*./.....1...N.4.a....
....&.mn.I.D.....y./.W....e.........Q!..yv..p2.Vp.g...n....a.z}Z`@.h.Z
B.:`2_....%A.0..]u.RD..>..8m..8.(.......a..../...\....c.N.L'.}a....
..S.I.a..#...O....~..$...._.....1.z.H.8'.......F...a...2... ......W.k.
h#.....9..c.(*....Kw/l ......n.'......s..8!c\..Z"UT(...^K9..G..\...M;.
*.Nh.V^a...._...z~.M)'o....a.aO.....>.r...X...$.....(.%.3..E./..^..
38......g...C..m...QL.....R......t.1.f.....;....4.^.... ...jK .F.B0...
..xM. ...3#........tE(...V- .......@..$....h.......7.SxO..#..=.;.....C
8...]...M...^[email protected]...<...m&... r[..%T...`9.e.kL.r*..t4........
<<< skipped >>>

GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1


Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=48234496-49283071


HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:24 GMT
Content-Range: bytes 48234496-49283071/53784984
Content-Length: 1048576
Connection: keep-alive
.&..H...... 8......1.'1q.T/p....j.].k.w.]...;.`....)....1.....O..V.../
..J.%..m..I.6..x&....it6..c .../\.8.....~/>7...z&c1.j........n..vc.
.(|.F..~.....$.;..F.5.(!.S9.U(....d.......HeD.$.,.....9 ..lhI/..i;?AB.
9.j0^\)w.#...J.[....f..P]..|..h:/....a.t...N.4....i.\.^*..aAV^FE......
o|v......;..1.y.*.le..\.....}{...c0.&>..(.=WB\D.,......H(j...Z..~..
..Q. Q_I.*V.!"A.[.i.|....^Z. ..(M..l..<.........3G....v....j^......
........ yA.re....N.C....R4@"{.....U.n....S...0.x.(k.o.}.PqEU.....W.H9
Z.\..Q.X. .n......l.........N..e2......A/|.0....!..V.7..........p.u.\.
. .35...VR...R...w'...H.89..K........T_...h....xur........8..$".....JL
..9..%O{P....B..&..~..H...M..g.`.....i.N..5..,...c...^B."....~ ].YD.M3
 .s...........!M..N..$I.e.Bn.L.x..,.?.....=..K.?I....F...6.........\$.
1Kn..`[email protected].... .3..6.n.....V...c.0.x.....W.[......'7....D..,
..^oz^...X.G<.p1.b.......Y.......Cy....43.5...4Y......._l....n\.'..
N..9...9c.2...lWX.c...l  .m.gT]..`..F....@./2...Eo.9....&m$A.r...s....
[email protected].|...4e..M..H4 .#o..y..uct.(...I..p....!..h..{.....H..N
.g8.....*.....J.^|.M.K.b.........r..#60...9....,.B.U.z.t.^&..../;T.q.z
..d>@.q.........a.._..<.5D...s.U .K.X..T..Z..PX.q!....F].b.vr.M.
.......T..Q...p.>..0.-..b.f.......y.8..b?.....:i7 ..L..'.w.Y.&3.-..
.eK...kR...#.gX4.*[d?)HA...y,.4.aS..Y..[.g.;n.H...f....6...=;j{....IM.
..W.i.JB.!g>...eW.....TQ<HD8..y.*......`..3....X.SuZ~_...$5.L9`.
..O..D...*.Yf...FD....Q..JK......!...(.W ..........,...:......l.x...=.
}.|....S#..O5F......N....p.. g......m...._&....#....a...=`.....D.4
<<< skipped >>>

GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1


Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=49283072-50331647


HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:24 GMT
Content-Range: bytes 49283072-50331647/53784984
Content-Length: 1048576
Connection: keep-alive
.....).~'...9j..y#(........i../..<....R...".:13..KS.. h-[".0..^.V..
2r....8...?.nl..c. 9..<ED)..-..2...7....u..f.V.......F..G..v.......
f).qlz$.;..."...7%.C.7......7H^*........kh].<.D}..|....Az....~.._z#
............lvP.-#...w#f...Np....[o. ..w&.c.X..0.....Z.....?z1s..~....
.H*2...}.........GE._....r.W....(L.c ....I...R..h............(........
.z.Wb..o...k.-LQi...~N....`yL... P.........u....!...... ..2.,..k.GN.:.
f.W.|Ul.K..k..2. ....[B..a..%.........C.nY.'%.>[email protected]`.Bd.)=.!...
d..=....#s0,..FG/...8.%..evf.b.li........M..i ......Y. .|v.....L.B.=..
.>o....7..:....wt.B..%...A....#.a....p......H.z*}..V...........l.U.
&.-....q.~H.?x..|.-.Q....h<=J...........e.M<z@=~\.J.......,s$..j
....-bz.....u25&..;Md.n.L.........q.......V .....h................v..'
.-vX.......as...:.k..I,I......1..)W.....'.P........j....%...o..|K....r
q kNI."...]....y7BO.2....59W.2%y8P.....T....2..G........,.....n.\.b...
/...X ...Tp...0.M.O..... ..}~..$.)..3C.i.O.x&\...W....1$H.&.........Q.
]=.X..)...Rp..^Z..}.&$ .B....p.4..K..w.d;..-.`..............'.^^.B.?.m
..[..I.......\?......./^.*..\f>....'-.......DXJ0_B..y&=?.....6~.m..
A..Kvb.&.?..k...&_u...'.....Q..&...3.xc,....Zn...........u..c.I....3..
..<..p.s..C.y...P....N..Go...-O..).x.......aql....k2.$.`.3;.... ..#
$.....vX..y..!..... ..._........h........i~.A..*.....H.A.y.n~J..k.r..\
 .G...#.Lv,.....!..o..c.-V.......v.jA".k)!..:`T.......zp.A.7.h.D.Am.r.
....C_..v@OW.../...8. p...?p.b.Q7(O79l.........I2l?........ra...85P...
si....y$..^..0:3(........E.n. .^.?D..m..9...Q.-^..l.L2..oC.`t.E...
<<< skipped >>>

GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1


Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=50331648-51380223


HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:25 GMT
Content-Range: bytes 50331648-51380223/53784984
Content-Length: 1048576
Connection: keep-alive
7..${w}........?...oc..2.c..|..)m`.2uC.R^Bn.&.U....../.A.4.....jne...4
B...2.i..}CB.8w.gnl.}..x.............pd..$L...X|@........m..Ag..k.....
.6...h......~..o...........S.....n.....a{]..<.....M......S.........
] ....i5]R..u.e.....F~."8...f..z. .&.)..=..7B..o.....x.h_.= . .f..fA.G
...L.=Kp..k..l...vM0Q.......>...4.?.....2.......p.<...a....a....
..F..K.(..........@.]z.....6./k_.";.<>.... .l^Y ......*K..w ....
'.a...{B.8....~.w..V#;...n!..46..Uy..7..&...H. ..%<......AG'..II...
.6x~.b.....{......{ ............z..k.kW.'L./0....c#..F..M.sKI..$..$(..
=O._].17...~)....Y...<9.t.y...8.........C.}.~...<./&...8.o(s.)Yo
....`..ct.w..Mg,3..N.........1..Ln...=...................".9.....M.r.F
..|..>._..n". ....?.n4Y4./}../.......;]m.EP/..T..`...{(..H.uu...e9;
.%.;..4.t..1...A...R....B.X_'.$.g....j.~.......6x........&,...6...b}..
.IlN.n^...!.........\..._..y0..n.....tP.i..|._.P.V..F..T.y.,...}k.....
*Jd.4\.s......d........"].2.n.....W.7.....m.o.b^.S....Wq0..0......'...
......>|.Pj.]...A.%c..2..!|..<~...k..lC5.u./.2.%]i..........p...
.k....)V......H.]2....J....Z/....X.FL..$...z4....../...g.Q..v.......Y.
.3.I....%)l.o..Zk,..=QUt..u.......`.../.J...:...Vv..0p..Q,bX9.j5......
..?....5.......j....Dfp.N.Z.{.....6_...(i.r............M..}u.....p.rS&
lt;[email protected]]..vvJ..d.>. &.L9....<..J.-.....^D....9wD..#.Y..".'
s.5..L...T&.`.....b.j.. '(4./.).........~.J.JQ.}O.y....O\..&r.....H...
s?l..W.m.......U/....*.m.a.i.6>.*......#.x.B*.|[email protected])..V.
...:5.......=..<=.L\.k..6....9.$...FZ..N....L0`sEb....,........
<<< skipped >>>

GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1


Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=51380224-52428799


HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:25 GMT
Content-Range: bytes 51380224-52428799/53784984
Content-Length: 1048576
Connection: keep-alive
m"...(....Vy........<c.........e..r}...H.A.5...I../.}D.`^;..I.d.t..
.K. ._{...,..M.......S.F .k.s..{QX....!?....>..i7..L.t..{vF=...k..P
.....M..d...........8S.E...Fyc..8..9.._.../..h6.U.]..q...pa........l..
.m\;....U.......O....2.~.J...S.B/..p2.5....rp.....Q..2...C...cYh..]Y.D
xy......8Jv.}....Wo?z*[email protected]......{.K....s..,R....%..t..89.m.{
.z.8.J.xl8.g$...\..=.I.?.....h..E.cqsH..?...*#.C...f....e.^g..p,,...ZF
.%!............%....=3?....l....Z..q..&7gwV.q4........N.....nP".Smu%./
....;.B........C..9P..__...D....P..R.....O..S\[email protected]...$
...n.......)....].=.-J...L >3...ep.w...;....U.3Z...%"...,h.m5.....I
#x.....S.B$.9....'.0O.`...<......~er.eNnrs.)..:c.......d"^SZ.{9...A
[email protected].......;...^....Lq.......P:........a...qFp'........J.
x..r7.._;....Hju....,...zC..jr.:|...&.........J.c.....%..E.|q...SD....
.HV....{yq-......[.........|f.z.S7.q.<K.....,.f......U....r...v...M
...........[...^*/E..T.9A....36.^zIU.O.D'..V..}@.~.m.3J:. .#...|*=%.1.
.&......\T.;...Z.$.{.\1...S.. )C.T.x.r.R.s..x.<W..x'(!L....R*..2._.
l..ar....m..~.....L... Qe:.KP...K..pQ...2....a..*>..i#.......63.tJ.
,.........v..q.rT&.h.UN...........V.k....C>.I.t..-..61.......mU...R
^7.80...y...x.P.$Ig.n9.8.;.... .~..,.. .k.i ....WU..'..au..*.....d.g..
.52....Q..LXV.,.*.......|.*.G.. .....$...K.=.<...z[......A....*....
.L...>g..>.#.#..N..F?....X.......=..g)p.....f.T. [email protected]
..'...R..l....kO...#2&%..bCa.y9.f......T............;7....=<R9Zp...
'[email protected].........`...n..3.....>.....N..$....7.s.|..d.YT.......@.
<<< skipped >>>

GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1


Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=52428800-53477375


HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:26 GMT
Content-Range: bytes 52428800-53477375/53784984
Content-Length: 1048576
Connection: keep-alive
....sn....". .[T.w.D.p.....T92B....G.RYy-...P.. r....o.p././K[8.g.[..C
.....u.f[..._Qs."d.Y.".*iVU......NRNUF.q...]..$*4, .qY!...L.....`.....
.rK.....f..@!.w.t.vG... ..C...g./..N.....\^.tAa.."..D..><4...Q..
8.D..VE. ......!7..\./6.....e...6.$o.U....e[....5n.....x..u..P..qj.x.Z
{.6.....Q..^4......EA....o.(.4.d..v.% ..C3.dA.,.W..n.}......y..[....Pn
h.........4.u........?.......*....$Z...\F...M..ZDVz...b7....s.........
.~`0T.L...."a.v..`.<.j5..m.x.x.2..nI..Sd..j%..:....n...0.I...Ht..&.
.....'..Y.x.Ah.h".Z..j."...3...!/y....u2:J.%.*W...E'.Y2..J...}. 4/;...
.....W._*X..j.R....T"..b5..^.....K\P..H.{.t..R......|..#...,S.wPJ...,.
(.OA..w..........=..!.d...mf..ah;...@.%...oD.e.z..pI.Ep.m-.`.>.A...
w%R..RY\..Id9....@..{.......P/`NQz.Hy.4.....%LF.e|X:.K.46......... ..j
..p....=.(d..1,.V..6.s]=...T....%.@...?I..dH..Nx... N....:.)=J../...K^
Gp...\...../l.tqu.....*>.....BW..Ta..9.Y......\s....9.....V.e@Y?.S.
......)....ii`.c_.. .*[email protected].;.v.`.O4...1...E..|^........4..?P...ft
..y.."a.....?.......:..n....L~...`-...........0.D...wK.I3S.[........MZ
Q0.[....~.[..UF-...&..E.@Y./......K..q.a..?.....'*....."...}QI.A....Y.
9....GrV|.G..e.>%...w...ib..}..v.....0..R.A....\.....4Z.(r.MG...N.\
$zU.......[,(.KS.T..;FQ.5.'.../...a.Y)..K....*[.x....wj.z..S.<.>
 ...q.i;[email protected].,!!.....n.x~o).....J"....\.
......E.....OH3..-R(ZSr....g\....k..=.....]_.>=..>...K...J.....S
... ....`..`[email protected]... 5..U..Q.f.gJ3&.B.Hd}....
.DSD:3[.{.U..._......2....4AN....B.y...lEGU,..*..n...'`9.....i..".
<<< skipped >>>

GET /pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe HTTP/1.1


Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Accept-Encoding: gzip, deflate
Host: ardownload.adobe.com
Connection: keep-alive
Range: bytes=53477376-53784983


HTTP/1.1 206 Partial Content
Server: Apache
Last-Modified: Tue, 03 Jan 2012 17:57:35 GMT
ETag: "334b198-4b5a36f1841c0"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Tue, 26 Jul 2016 16:17:26 GMT
Content-Range: bytes 53477376-53784983/53784984
Content-Length: 307608
Connection: keep-alive
i...h....."<6.W..~..-[..C....%9..(;.....C....]&"..6...=.)..dC......
....C...&.i....b..VX../$. shX....2...~.....B..b..Q..i....LUi...>6R.
v.ZSz...."...W..o.._. To.........Z.l.....l.-C.$k5eO.....c.|..s.)w%<
.6..g.C.....y....b..d..".C.............T:"..4.4...!...z h.Y g.....`\..
..>B0.............d.P..N...s....z.7.....D.K.yO.NF..>>....5...
..._..e.....p#..f...z.r<d.Em..n.....}O-......;G%)A..,..v..<.\.f.
....Ck%gN#.....{..J.....fd.h...*.....;..r.,%.k..'.._;.b...A.Eh.e..*$/ 
.......(.........G.^/...J.p..m...JN.QK.k.....i[DP.......(q..........t.
./.,...m..,..Tt.K..ueM.9..e./.tA.T....,.s..M....Q.c/...:.......E.g;...
.JVC7.1...~a.wK.p...aL..!.G...4.P.....Kw.....|....c.Fr....}.*.G...$'.W
....&j........0......\....GD:....x..:w..?.....f^5g....n*....VE.)a.^..h
...4..Ja.3(.dC.^.C...G..j.U..mY.z....BNN."/......o..X^4W.h...GZo*...iN
.ajN.0#....sb.......Kql...lG.'P.U.Z....x.8....hx...9{......G...i.z(.=.
MV...b[..<.'.....[.:.a.T.....@'......5..A..^.0u4=t.[.S...ef..%.f3..
.TP......"....~.G...r..bN....:S......u ..\....L.....6.@e.%cp.d...w.6.6
  I..//0...J....aB...,m..~..O.4=..~*4..}.x...W.6....hag{.w.~.D...s?...
L...y.^....q......F.o>.Dm~..G?F..[..Q......).#.&.E..`}.Xt.K...O;.{=
5;...^wp..A...w..6...Z..U7/...u..An...%....|.....:...,.:...G...`{jw?F.
G(.T)A...>......_.pz^w..^6G.b^q`.!........."...t.7J.........W./.Z3.
....c....#..........}....NpNi.v..y.E..zR..\N.tpJ}....e\...#.E....\..%.
&...a]/g/..$~..9....]i.:...!..P........,O..=..ZC............p..R.....%
....=..W.....$#>...:...7.V.E..L..w..U.X.....V/.....<[..Q..w_
<<< skipped >>>

The Backdoor connects to the servers at the folowing location(s):

svchost.exe_1980:

.text
`.data
.rsrc
ADVAPI32.dll
KERNEL32.dll
NTDLL.DLL
RPCRT4.dll
NETAPI32.dll
ole32.dll
ntdll.dll
RegCloseKey
RegOpenKeyExW
GetProcessHeap
NtOpenKey
svchost.pdb
\PIPE\
Software\Microsoft\Windows NT\CurrentVersion\Svchost
\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\
5.1.2600.5512 (xpsp.080413-2111)
svchost.exe
Windows
Operating System
5.1.2600.5512

svchost.exe_1980_rwx_002B0000_00001000:

|C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\csslisog.exe

svchost.exe_1980_rwx_15190000_0003D000:

`.rsrc
.text
`.rdata
@.data
.reloc
Gh.logWj
h.logPj
ConnectNamedPipe
CreateNamedPipeA
DisconnectNamedPipe
PeekNamedPipe
SetNamedPipeHandleState
WaitNamedPipeA
kernel32.dll
ExitWindowsEx
user32.dll
RegCloseKey
RegDeleteKeyA
RegEnumKeyExA
RegOpenKeyExA
RegQueryInfoKeyA
advapi32.dll
modules.dll
GetWindowsDirectoryA
{X-X-X-X-XX}
ntdll.dll
shlwapi.dll
SHDeleteKeyA
SOFTWARE\Microsoft\Windows\CurrentVersion
shell32.dll
%CommonProgramFiles%
\/*.*
\\.\pipe\
VWRQRh.exe
h.exe
ws2_32.dll
RegCreateKeyExA
ShellExecuteA
gdi32.dll
ole32.dll
rmnsoft.dll
google.com:80
bing.com:80
yahoo.com:80
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Defender
Software\Microsoft\Windows\CurrentVersion\Policies
Software\Microsoft\Windows\CurrentVersion\Policies\Associations
Software\Microsoft\Windows\CurrentVersion\policies\system
\ SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
"ntdll.dll
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows\CurrentVersion\Run
HTTP/*.*
/HTTPMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Referer: %s
Content-Type: multipart/form-data; boundary=%s
Content-Length: %d
Content-Disposition: form-data; name="%s"
--%s--
%s /%s HTTP/1.1
Host: %s
User-Agent: %s
%sAccept-Language: %s
HTTP/1.x 301 Moved Permanently
Server: Apache/2.2.14
gdiplus.dll
GdiplusShutdown
\\.\131D2408D44C4f47AC647AB96987D4D5
\Google\Chrome\User Data\Default\Cookies
\Google\Chrome\User Data\Default\Extension Cookies
%APPDATA%\Apple Computer\Safari\Cookies\Cookies.plist
%APPDATA%\Mozilla\Firefox\
%WinDir%\Application Data\Mozilla\Firefox\
profiles.ini
Profile%d
\cookies.txt
\cookies.sqlite
%APPDATA%\Opera\
\profile\cookies4.dat
\cookies4.dat
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Opera.exe
FireFox Cookies\Profile %d\cookies.txt
FireFox Cookies\Profile %d\cookies.sqlite
Chrome\Cookies
Chrome\Extension Cookies
Opera\Profile %d\cookies4.dat
Safari\Cookies.plist
1etexec
complete.dat
<"<(<.<4<:<@<
SRQVWh.exe
h.exeVj
h.exeh$~
tvh.exe
PSSSSSSh
More information: hXXp://VVV.ibsensoftware.com/
Advapi32.dll
RegDeleteKeyExA
com.%s.sdb
%s\cmd.%s.bat
start "" "%s"
"%%windir%%\%s\iscsicli.exe"
/q "%s"
\system32\sdbinst.exe"
SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\{f48a0c57-7c48-461c-9957-ab255ddc986e}\
SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\iscsicli.exe\
\AppPatch\Custom\{f48a0c57-7c48-461c-9957-ab255ddc986e}.sdb
/q /u "%s"
SOFTWARE\Microsoft\Windows NT\CurrentVersion\
SOFTWARE\Microsoft\Updates\Windows XP\SP4
SOFTWARE\Microsoft\Updates\Windows XP\SP3
SOFTWARE\Microsoft\Updates\Windows XP\SP10
SOFTWARE\Microsoft\Updates\Windows XP\SP0
SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages
:Zone.Identifier:$DATA
:Zone.Identifier
svchost.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes " /v svchost.exe /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes " /v consent.exe /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes " /v rundll32.exe /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes " /v spoolsv.exe /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes " /v explorer.exe /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes " /v rgjdu.exe /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes " /v afwqs.exe /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions " /v *.tmp /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions " /v *.dll /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions " /v *.exe /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes " /v svchost.exe /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes " /v consent.exe /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes " /v rundll32.exe /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes " /v spoolsv.exe /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes " /v explorer.exe /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes " /v rgjdu.exe /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes " /v afwqs.exe /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Extensions " /v *.tmp /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Extensions " /v *.dll /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Extensions " /v *.exe /t REG_DWORD /d 0
spoolsv.exe
..\p.exe
CheckBypassed ok
loader.exe
_CheckBypassed@0
|GetWindowsDirectoryA
\/{X-X-X-X-XX}
|ZwDelayExecution
%ProgramFiles%\Internet Explorer\iexplore.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE
http\shell\open\command
chrome.exe
opera.exe
cmd.exe
/C ""%s"" %s
/C ""%s""
user32.DLL
p.exe
Rapport
1onsent.exe
&.bAp
%Program Files%\Internet Explorer\iexplore.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\csslisog.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\p.exe
GetProcessHeap
RegEnumKeyA
RegOpenKeyA
ShellExecuteExA
SetWindowsHookExA
UnhookWindowsHook
EnumWindows
.rdata
.rsrc
PF8-.XU
O3$dS7"%U9
KERNEL32.DLL
multipart/*boundary={*}application/x-www-form-urlencodedname="{*}"{*}hXXps://hXXp://
2.1.0.3
iscsicli.exe
RedirectEXE
%temp%\..\..\LocalLow\cmd.%username%.bat
emsseces.exe

svchost.exe_1980_rwx_20010000_00001000:

.text
`.rdata
@.data
.reloc

svchost.exe_1512:

.text
`.data
.rsrc
ADVAPI32.dll
KERNEL32.dll
NTDLL.DLL
RPCRT4.dll
NETAPI32.dll
ole32.dll
ntdll.dll
RegCloseKey
RegOpenKeyExW
GetProcessHeap
NtOpenKey
svchost.pdb
\PIPE\
Software\Microsoft\Windows NT\CurrentVersion\Svchost
\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\
5.1.2600.5512 (xpsp.080413-2111)
svchost.exe
Windows
Operating System
5.1.2600.5512

svchost.exe_1512_rwx_002B0000_00001000:

|C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\csslisog.exe

svchost.exe_1512_rwx_15190000_0003D000:

`.rsrc
.text
`.rdata
@.data
.reloc
Gh.logWj
h.logPj
ConnectNamedPipe
CreateNamedPipeA
DisconnectNamedPipe
PeekNamedPipe
SetNamedPipeHandleState
WaitNamedPipeA
kernel32.dll
ExitWindowsEx
user32.dll
RegCloseKey
RegDeleteKeyA
RegEnumKeyExA
RegOpenKeyExA
RegQueryInfoKeyA
advapi32.dll
modules.dll
GetWindowsDirectoryA
{X-X-X-X-XX}
ntdll.dll
shlwapi.dll
SHDeleteKeyA
SOFTWARE\Microsoft\Windows\CurrentVersion
shell32.dll
%CommonProgramFiles%
\/*.*
\\.\pipe\
VWRQRh.exe
h.exe
ws2_32.dll
RegCreateKeyExA
ShellExecuteA
gdi32.dll
ole32.dll
rmnsoft.dll
google.com:80
bing.com:80
yahoo.com:80
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Defender
Software\Microsoft\Windows\CurrentVersion\Policies
Software\Microsoft\Windows\CurrentVersion\Policies\Associations
Software\Microsoft\Windows\CurrentVersion\policies\system
\ SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
"ntdll.dll
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows\CurrentVersion\Run
HTTP/*.*
/HTTPMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Referer: %s
Content-Type: multipart/form-data; boundary=%s
Content-Length: %d
Content-Disposition: form-data; name="%s"
--%s--
%s /%s HTTP/1.1
Host: %s
User-Agent: %s
%sAccept-Language: %s
HTTP/1.x 301 Moved Permanently
Server: Apache/2.2.14
gdiplus.dll
GdiplusShutdown
\\.\131D2408D44C4f47AC647AB96987D4D5
\Google\Chrome\User Data\Default\Cookies
\Google\Chrome\User Data\Default\Extension Cookies
%APPDATA%\Apple Computer\Safari\Cookies\Cookies.plist
%APPDATA%\Mozilla\Firefox\
%WinDir%\Application Data\Mozilla\Firefox\
profiles.ini
Profile%d
\cookies.txt
\cookies.sqlite
%APPDATA%\Opera\
\profile\cookies4.dat
\cookies4.dat
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Opera.exe
FireFox Cookies\Profile %d\cookies.txt
FireFox Cookies\Profile %d\cookies.sqlite
Chrome\Cookies
Chrome\Extension Cookies
Opera\Profile %d\cookies4.dat
Safari\Cookies.plist
1etexec
complete.dat
<"<(<.<4<:<@<
SRQVWh.exe
h.exeVj
h.exeh$~
tvh.exe
PSSSSSSh
More information: hXXp://VVV.ibsensoftware.com/
Advapi32.dll
RegDeleteKeyExA
com.%s.sdb
%s\cmd.%s.bat
start "" "%s"
"%%windir%%\%s\iscsicli.exe"
/q "%s"
\system32\sdbinst.exe"
SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\{f48a0c57-7c48-461c-9957-ab255ddc986e}\
SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\iscsicli.exe\
\AppPatch\Custom\{f48a0c57-7c48-461c-9957-ab255ddc986e}.sdb
/q /u "%s"
SOFTWARE\Microsoft\Windows NT\CurrentVersion\
SOFTWARE\Microsoft\Updates\Windows XP\SP4
SOFTWARE\Microsoft\Updates\Windows XP\SP3
SOFTWARE\Microsoft\Updates\Windows XP\SP10
SOFTWARE\Microsoft\Updates\Windows XP\SP0
SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages
:Zone.Identifier:$DATA
:Zone.Identifier
svchost.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes " /v svchost.exe /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes " /v consent.exe /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes " /v rundll32.exe /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes " /v spoolsv.exe /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes " /v explorer.exe /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes " /v rgjdu.exe /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes " /v afwqs.exe /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions " /v *.tmp /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions " /v *.dll /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions " /v *.exe /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes " /v svchost.exe /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes " /v consent.exe /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes " /v rundll32.exe /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes " /v spoolsv.exe /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes " /v explorer.exe /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes " /v rgjdu.exe /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes " /v afwqs.exe /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Extensions " /v *.tmp /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Extensions " /v *.dll /t REG_DWORD /d 0
REG ADD "HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Extensions " /v *.exe /t REG_DWORD /d 0
spoolsv.exe
..\p.exe
CheckBypassed ok
loader.exe
_CheckBypassed@0
|GetWindowsDirectoryA
\/{X-X-X-X-XX}
|ZwDelayExecution
%ProgramFiles%\Internet Explorer\iexplore.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE
http\shell\open\command
chrome.exe
opera.exe
cmd.exe
/C ""%s"" %s
/C ""%s""
user32.DLL
p.exe
Rapport
1onsent.exe
&.bAp
%Program Files%\Internet Explorer\iexplore.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\csslisog.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\p.exe
GetProcessHeap
RegEnumKeyA
RegOpenKeyA
ShellExecuteExA
SetWindowsHookExA
UnhookWindowsHook
EnumWindows
.rdata
.rsrc
PF8-.XU
O3$dS7"%U9
KERNEL32.DLL
multipart/*boundary={*}application/x-www-form-urlencodedname="{*}"{*}hXXps://hXXp://
2.1.0.3
iscsicli.exe
RedirectEXE
%temp%\..\..\LocalLow\cmd.%username%.bat
emsseces.exe

svchost.exe_1512_rwx_20010000_00001000:

.text
`.rdata
@.data
.reloc

svchost.exe_1512_rwx_20021000_0000D000:

Gh.logWj
h.logPj
h.exe
{X-X-X-X-XX}
\ SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
"ntdll.dll
kernel32.dll
shlwapi.dll
SHDeleteKeyA
SOFTWARE\Microsoft\Windows\CurrentVersion
shell32.dll
%CommonProgramFiles%
\/*.*
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows\CurrentVersion\Run
advapi32.dll
\AVG\AVG2013\avgui.exe
\AVAST Software\Avast\AvastUI.exe
\ESET\ESET NOD32 Antivirus\egui.exe
*.exe
\Bitdefender\Bitdefender 2013\seccenter.exe
\uiStub.exe
%Documents and Settings%\%current user%\Local Settings\Application Data\wyxhmtka.log
GetWindowsDirectoryA
RegCloseKey
RegCreateKeyExA
RegDeleteKeyA
RegEnumKeyExA
RegOpenKeyExA
RegQueryInfoKeyA
ShellExecuteA
ExitWindowsEx
.text
.rdata
@.data
.reloc
{X-4
Windows\CurrentVersion\Un
api.SHD:
eKeyA
XM%S_O;

svchost.exe_1512_rwx_20031000_00011000:

Gh.logWj
h.logPj
{X-X-X-X-XX}
ntdll.dll
kernel32.dll
shlwapi.dll
SHDeleteKeyA
SOFTWARE\Microsoft\Windows\CurrentVersion
shell32.dll
%CommonProgramFiles%
\/*.*
advapi32.dll
wshell32.dll
\Google\Chrome\User Data\Default\Cookies
\Google\Chrome\User Data\Default\Extension Cookies
%APPDATA%\Apple Computer\Safari\Cookies\Cookies.plist
%APPDATA%\Mozilla\Firefox\
%WinDir%\Application Data\Mozilla\Firefox\
profiles.ini
Profile%d
\cookies.txt
\cookies.sqlite
%APPDATA%\Opera\
\profile\cookies4.dat
\cookies4.dat
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Opera.exe
FireFox Cookies\Profile %d\cookies.txt
FireFox Cookies\Profile %d\cookies.sqlite
Chrome\Cookies
Chrome\Extension Cookies
Opera\Profile %d\cookies4.dat
Safari\Cookies.plist
GetWindowsDirectoryA
RegQueryInfoKeyA
RegOpenKeyExA
RegEnumKeyExA
RegDeleteKeyA
RegCloseKey
ExitWindowsEx
.text
`.rdata
@.data
.reloc
{X-
eKeyA
s^.exe

svchost.exe_1512_rwx_20051000_00011000:

0WSSh
h.log
%USERPROFILE%
Kernel32.dll
%s %s %s: %s:%d
GetWindowsDirectoryA
GetProcessHeap
PeekNamedPipe
.text
`.rdata
@.data
.idata
.reloc
ernel32.dllS.
ls.EnW
m.div

svchost.exe_1512_rwx_20071000_000A0000:

i<%u-
.iniu>
.exeuZH
=.datuLh
Q=.bpsuLh
.xmluIh
t%SVP
.iniu
.prfu1
h.log
Q.Rjv
H.Qjv
#$%&'()* ,--
-4-4--567
s%j.Zf
j%Xf;
>%u[f
FtpControl
32bit FTP
LeapFtp
SoftFx FTP
ClassicFTP
WebSitePublisher
FtpExplorer
Core ftp
Coffee cup ftp
FFFtp
TurboFtp
SmartFtp
BulletproofFTP
FtpCommander
Cute FTP
WS FTP
Windows/Total commander
PTF://
Password
password
FtpIniName
\Ipswitch\WS_FTP Home\Sites
\Ipswitch\WS_FTP\Sites
\%.d.0
Quick.dat
port
sitemanager.xml
Port
Software\Microsoft\Windows\CurrentVersion\Uninstall
History.dat
Favorites.dat
\Frigate3\FtpSite.XML
\sites.xml
\FTPRush\RushSite.xml
SET PASS
NODE: TYPE = FTP
\BitKinex\bitkinex.ds
_Password
FtpUserName
FtpServer
FtpDirectory
FtpDescription
_FtpPassword
SELECT ServerName, Url, ServerUser, ServerPass, RemoteDir FROM "TServers"
SharedSettings.ccs
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
sites.dat
LeapFTP
HostPassword
\32BitFtp.ini
PassWord
%USERPROFILE%
Kernel32.dll
sql_trace
sqlite_version
sqlite_rename_trigger
sqlite_rename_table
RowKey
SQLite format 3
CREATE TABLE sqlite_master(
sql text
CREATE TEMP TABLE sqlite_temp_master(
ABORTABLEFTEMPORARYADDATABASELECTHENDEFAULTRANSACTIONATURALTERAISEACHECKEYAFTEREFERENCESCAPELSEXCEPTRIGGEREGEXPLAINITIALLYANALYZEXCLUSIVEXISTSTATEMENTANDEFERRABLEATTACHAVINGLOBEFOREIGNOREINDEXAUTOINCREMENTBEGINNERENAMEBETWEENOTNULLIKEBYCASCADEFERREDELETECASECASTCOLLATECOLUMNCOMMITCONFLICTCONSTRAINTERSECTCREATECROSSCURRENT_DATECURRENT_TIMESTAMPLANDESCDETACHDISTINCTDROPRAGMATCHFAILIMITFROMFULLGROUPDATEIFIMMEDIATEINSERTINSTEADINTOFFSETISNULLJOINORDEREPLACEOUTERESTRICTPRIMARYQUERYRIGHTROLLBACKROWHENUNIONUNIQUEUSINGVACUUMVALUESVIEWHEREVIRTUAL
f){-.gBsu1Z2^
3.3.14
Ad-d-d d:d:d
d:d:d
d-d-d
M@d
2147483647
%s\etilqs_
Outstanding page count goes from %d to %d during this analysis
Pointer map page %d is referenced
Page %d is never used
Unable to malloc %d bytes
Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d)
Failed to read ptrmap key=%d
freelist leaf count too big on page %d
failed to get page %d
%d of %d pages missing from overflow list starting at %d
2nd reference to page %d
invalid page number %d
Fragmented space is %d byte reported as %d on page %d
Multiple uses for byte %d of page %d
Corruption detected in cell %d on page %d
On page %d at right child:
On tree page %d cell %d:
initPage() returns error code %d
unable to get the page. error code=%d
Page %d:
%s(%d)
keyinfo(%d
%s-mjX
Aunable to use function %s in the requested context
Unsupported module operation: xNext
Unsupported module operation: xColumn
Unsupported module operation: xRowid
SELECT name, rootpage, sql FROM '%q'.%s WHERE %s
sqlite_master
sqlite_temp_master
transaction - SQL statements in progress
variable number must be between ?1 and ?%d
not authorized to use function: %s
ambiguous column name: %s
no such column: %s
%.*s%Q%s
UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
UPDATE %Q.sqlite_sequence set name = %Q WHERE name = %Q
sqlite_sequence
UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name, %d 18,10) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
table %s may not be altered
sqlite_
there is already another table or index with this name: %s
%s OR name=%Q
UPDATE %Q.%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d,length(sql)) WHERE type = 'table' AND name = %Q
Cannot add a PRIMARY KEY column
DELETE FROM %Q.sqlite_stat1 WHERE tbl=%Q
CREATE TABLE %Q.sqlite_stat1(tbl,idx,stat)
sqlite_stat1
SELECT idx, stat FROM %Q.sqlite_stat1
sqlite_detach
sqlite_attach
unable to open database: %s
database %s is already in use
too many attached databases - max %d
database %s is locked
cannot detach database %s
no such database: %s
%s %T cannot reference objects in database %s
access to %s.%s is prohibited
access to %s.%s.%s is prohibited
illegal return value (%d) from the authorization function - should be SQLITE_OK, SQLITE_IGNORE, or SQLITE_DENY
no such table: %s
no such table: %s.%s
object name reserved for internal use: %s
there is already an index named %s
duplicate column name: %s
default value of column [%s] is not constant
AUTOINCREMENT is only allowed on an INTEGER PRIMARY KEY
table "%s" has more than one primary key
CREATE TABLE %Q.sqlite_sequence(name,seq)
UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#0, sql=%Q WHERE rowid=#1
CREATE %s %.*s
view %s is circularly defined
DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'
DELETE FROM %s.sqlite_sequence WHERE name=%Q
use DROP VIEW to delete view %s
use DROP TABLE to delete table %s
table %s may not be dropped
UPDATE %Q.%s SET rootpage=%d WHERE #0 AND rootpage=#0
unknown column "%s" in foreign key definition
number of columns in foreign key does not match the number of columns in the referenced table
foreign key on %s should reference only one column of table %T
INSERT INTO %Q.%s VALUES('index',%Q,%Q,#0,%Q);
CREATE%s INDEX %.*s
table %s has no column named %s
sqlite_autoindex_
index %s already exists
there is already a table named %s
virtual tables may not be indexed
views may not be indexed
table %s may not be indexed
indexed columns are not unique
DELETE FROM %Q.%s WHERE name=%Q
index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped
no such index: %S
unable to identify the object to be reindexed
no such collation sequence: %s
cannot modify %s because it is a view
table %s may not be modified
table %S has no column named %s
%d values for %d columns
table %S has %d columns but %d values were supplied
PRIMARY KEY must be unique
error during initialization: %s
no entry point [%s] in shared library [%s]
unable to open shared library [%s]
sqlite3_extension_init
automatic extension loading failed: %s
unsupported encoding: %s
*** in database %s ***
foreign_key_list
SELECT name, rootpage, sql FROM '%q'.%s
unsupported file format
database schema is locked: %s
RIGHT and FULL OUTER JOINs are not currently supported
unknown or unsupported join type: %T%s%T%s%T
%z:%d
column%d
%s.%s
sqlite_subquery_%p_
cannot join using column %s - column not present in both tables
cannot have both ON and USING clauses in the same join
a NATURAL join may not have an ON or USING clause
%s BY column number %d out of range - should be between 1 and %d
SELECTs to the left and right of %s do not have the same number of result columns
LIMIT clause should come after %s not before
ORDER BY clause should come after %s not before
ORDER BY term number %d does not match any result column
ORDER BY position %d should be between 1 and %d
sqlite3_get_table() called with two or more incompatible queries
cannot create INSTEAD OF trigger on table: %S
cannot create %s trigger on view: %S
no such trigger: %S
INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM ' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM ' || quote(name) || ';'FROM sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21,100000000) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'
SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14,100000000) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'
SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14,100000000) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND rootpage>0
PRAGMA vacuum_db.synchronous=OFF
UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#1
no such module: %s
vtable constructor did not declare schema: %s
vtable constructor failed: %s
%z VIRTUAL TABLE INDEX %d:%s
%z USING PRIMARY KEY
%z WITH INDEX %s
%z AS %s
TABLE %s
B}Tat most %d tables in a join
incomplete SQL statement
kernel lacks large file support
SQL logic error or missing database
Invalid parameter passed to C runtime function.
SOFTWARE\Far2\SavedDialogHistory\FTPHost
SOFTWARE\Far2\Plugins\FTP\Hosts
\wcx_PTF.ini
Software\Ghisler\Windows Commander
CSMFTPItem
\sm.dat
Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar
\GlobalSCAPE\CuteFTP
\GlobalSCAPE\CuteFTP Pro
\GlobalSCAPE\CuteFTP Home
\GlobalSCAPE\CuteFTP Lite
\Quick.dat
\Sites.dat
<schema> <document name="FileZilla3"> <collection name="Servers"> <collection name="Server" type="mixed"> <text name="Host"/> <text name="Port"/> <text name="Protocol"/> <text name="Type"/> <text name="User"/> <text name="Pass"/> <text name="Logontype"/> <text name="TimezoneOffset"/> <text name="PasvMode"/> <text name="MaximumMultipleConnections"/> <text name="EncodingType"/> <text name="BypassProxy"/> <text name="Name"/> <text name="Comments"/> <text name="LocalDir"/> <text name="RemoteDir"/> <text name="SyncBrowsing"/> </collection> </collection> </document></schema>
<schema> <document name="FileZilla3"> <collection name="RecentServers"> <collection name="Server" type="mixed"> <text name="Host"/> <text name="Port"/> <text name="Protocol"/> <text name="Type"/> <text name="User"/> <text name="Pass"/> <text name="Logontype"/> <text name="TimezoneOffset"/> <text name="PasvMode"/> <text name="MaximumMultipleConnections"/> <text name="EncodingType"/> <text name="BypassProxy"/> </collection> </collection> </document></schema>
\FileZilla\sitemanager.xml
\FileZilla\recentservers.xml
\ftplist.txt
FTP Commander Pro
FTP Navigator
FTP Commander
FTP Commander Deluxe
Software\BFTP
\BulletProof Software\BulletProof FTP Client 2009
\BulletProof Software\BulletProof FTP Client
<schema> <document name="FavoriteItem"> <text name="Version"/> <text name="Name"/> <text name="Id"/> <text name="Protocol"/> <text name="Host"/> <text name="Port"/> <text name="User"/> <text name="Password"/> <text name="Path"/> <text name="Description"/> <collection name="Settings"> </collection> <collection name="Statistics"> </collection> </document></schema>
\SmartFTP\Client 2.0\Favorites
\SmartFTP
\TurboFTP
\addrbk.dat
Software\TurboFTP
Software\Sota\FFFTP
DefaultPassword
Software\Sota\FFFTP\Options
Software\FTPWare\COREFTP\Sites
<schema> <document name="FTPx10"> <text name="Name"/> <text name="Host"/> <text name="Login"/> <text name="Password"/> <text name="LocalPath"/> <text name="RemotePath"/> <text name="Description"/> <text name="Anonymous"/> <text name="Cache"/> <text name="Default"/> <text name="PasvMode"/> <text name="Retries"/> <text name="RetryDelay"/> <text name="Port"/> </document></schema>
</FTPx10>
<FTPx10>
\FTP Explorer\profiles.xml
<schema> <document name="Ftp"> <collection name="Item"> <attribute name="Name"/> <attribute name="Host"/> <attribute name="Home"/> <attribute name="User"/> <attribute name="Pass"/> <attribute name="Port"/> <attribute name="UserProxy"/> <attribute name="Passive"/> <attribute name="SecureType"/> <attribute name="UploadType"/> <attribute name="CodePage"/> <attribute name="SingleConnect"/> <attribute name="RequestPassword"/> </collection> </document></schema>
<schema> <document name="SITES"> <collection name="GROUP"> <attribute name="NAME"/> <collection name="SITE"> <attribute name="NAME"/> <collection name="CONNECT"> <attribute name="RETRYCOUNT"/> <attribute name="DELAY"/> <attribute name="FTPTIMEOUT"/> </collection> <text name="HOST"/> <text name="USER"/> <text name="PASS"/> <text name="RPATH"/> </collection> </collection> </document></schema>
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UltraFXP
<schema> <document name="SITES"> <collection name="GROUP"> <collection name="GROUP"> <attribute name="NAME"/> <collection name="SITE"> <attribute name="NAME"/> <attribute name="UID"/> <text name="HOST"/> <text name="SHORT"/> <text name="USER"/> <text name="PASS"/> <text name="RPATH"/> </collection> </collection> </collection> </document></schema>
Software\Cryer\WebSitePublisher
Software\NCH Software\ClassicFTP\FTPAccounts
Software\SoftX.org\FTPClient\Sites
Software\FTPClient\Sites
<schema><document name="ftpsites"> <collection name="site"> <attribute name="cfgflags"/> <attribute name="flags"/> <attribute name="flags2"/> <attribute name="indexmax"/> <attribute name="name"/> <attribute name="siteflags"/> <attribute name="type"/> <collection name="host"> <attribute name="comment"/> <attribute name="host"/> <attribute name="pass"/> <attribute name="port"/> <attribute name="user"/> </collection> <text name="dir"/> </collection></document></schema>
\GPSoftware\Directory Opus\ConfigFiles\PTF.oxc
Software\Dev Zero G\FTP Uploader\FTP Uploader
Software\South River Technologies\WebDrive\Connections
<schema> <document name="FTP"> <collection name="Site"> <attribute name="Type"/> <attribute name="Name"/> <attribute name="UID"/> <text name="Address"/> <text name="User"/> <text name="Pass"/> <text name="Drive"/> <text name="Port"/> <text name="ConnectAtRun"/> <text name="Anonymous"/> <text name="Passive"/> <text name="ConnectAtBoot"/> <text name="Encoding"/> <text name="SSL"/> <text name="WriteFtpLogs"/> <text name="FtpLogsPath"/> <text name="SessionsLimit"/> <text name="SessionsLimitNumber"/> <text name="FTPListA"/> <text name="ProxyType"/> <text name="ProxyAddress"/> <text name="ProxyPort"/> <text name="ProxyUser"/> <text name="ProxyPass"/> </collection> </document></schema>
klfhuw%$#%fgjlvf
</FTP>
<FTP>
\NetDrive\NDSites.ini
zcÁ
GetWindowsDirectoryA
GetProcessHeap
PeekNamedPipe
RegEnumKeyExA
RegOpenKeyA
RegCloseKey
.flat
.text
`.rdata
@.data
.idata
.asmdata
@.reloc
TPFk/dPipeG
;-keXE
 .ho"

svchost.exe_1512_rwx_20121000_0005D000:

t#WSSh
BrowserRealKeyStream
BrowserRealKeyPress
BrowserKeyPress
GetDocumentUrl
LoadUrl
ikey
!<>=*/&| -
0123456789
--%s--
Content-Disposition: form-data; name="%s"
Content-Disposition: form-data; name="%s"; filename="%s"
Content-Transfer-Encoding: %s
Content-Type: multipart/form-data, boundary=%s
Content-Type: application/x-www-form-urlencoded
Range: bytes=%d-
Range: bytes=%d-%d
https
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
%s%s%s
00000409
%CommonProgramFiles%
GetExeDirectory
GetExeFullPath
GetExeName
SetDownloadUrl
UrlEncode
DeleteUrlCache
SetUrlCookie
GetUrlCookie
KERNEL32.DLL
mscoree.dll
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
operator
kernel32.dll
GetProcessWindowStation
USER32.DLL
.?AVCMyWebBrowser@@
.?AVCSdkWebBrowser@@
IEScope%d
iexplore%d
zcÁ
%System%\svchost.exe
GetWindowsDirectoryA
GetCPInfo
GetProcessHeap
GetConsoleOutputCP
PeekNamedPipe
ShellExecuteA
UrlMkSetSessionOption
UrlMkGetSessionOption
SetWindowsHookExA
UnhookWindowsHookEx
LoadKeyboardLayoutA
VkKeyScanExA
keybd_event
DeleteUrlCacheEntry
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
HttpSendRequestA
HttpEndRequestA
GetUrlCacheEntryInfoA
InternetCrackUrlA
FindCloseUrlCache
HttpOpenRequestA
HttpAddRequestHeadersA
HttpSendRequestExA
xquuuuuRLMLMLMLMLMLM
.text
`.rdata
@.data
.rsrc
@.reloc

svchost.exe_1512_rwx_20181000_00036000:

Gh.logWj
h.logPj
tcPR
h.exe
user32.dll
kernel32.dll
|GetWindowsDirectoryA
{X-X-X-X-XX}
ntdll.dll
shlwapi.dll
SHDeleteKeyA
SOFTWARE\Microsoft\Windows\CurrentVersion
shell32.dll
?456789:;<=
!"#$%&'()* ,-./0123
ws2_32.dll
HTTP/*.*
/HTTPMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Referer: %s
Content-Type: multipart/form-data; boundary=%s
Content-Length: %d
Content-Disposition: form-data; name="%s"
--%s--
%s /%s HTTP/1.1
Host: %s
User-Agent: %s
%sAccept-Language: %s
HTTP/1.x 301 Moved Permanently
Server: Apache/2.2.14
advapi32.dll
%CommonProgramFiles%
\/*.*
winlogon.exe
csrss.exe
smss.exe
keyworddestination<
USER PASS
PORT
RapportGP.dll
csshiftjis
cswindows31j
iso_646.irv:1991
windows-1250
windows-1251
windows-1252
windows-1253
windows-1254
windows-1255
windows-1256
windows-1257
windows-1258
windows-874
hostuser-agentoptionsgetheadpostputdeletetraceacceptaccept-charsetaccept-encodingaccept-languageauthorizationexpectfromhostif-modified-sinceif-matchif-none-matchif-rangeif-unmodifiedsincemax-forwardsproxy-authorizationrangerefererteuser-agent100101200201202203204205206300301302303304305306307400401402403404405406407408409410411412413414415416417500501502503504505accept-rangesageetaglocationproxy-authenticatepublicretry-afterservervarywarningwww-authenticateallowcontent-basecontent-encodingcache-controlconnectiondatetrailertransfer-encodingupgradeviawarningcontent-languagecontent-lengthcontent-locationcontent-md5content-rangecontent-typeetagexpireslast-modifiedset-cookieMondayTuesdayWednesdayThursdayFridaySaturdaySundayJanFebMarAprMayJunJulAugSepOctNovDecchunkedtext/htmlimage/pngimage/jpgimage/gifapplication/xmlapplication/xhtmltext/plainpublicmax-agecharset=iso-8859-1utf-8gzipdeflateHTTP/1.1statusversionurl
HTTP/1.1
\\.\pipe\
gdiplus.dll
GdiplusShutdown
PTF://%s:%s@%s:%d/
pop3://%s:%s@%s:%d/
dnsapi.dll
wininet.dll
HttpOpenRequestA
HttpOpenRequestW
InternetOpenUrlA
InternetOpenUrlW
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
DeleteUrlCacheEntryW
HttpQueryInfoA
HttpQueryInfoW
GetUrlCacheEntryInfoW
HttpAddRequestHeadersA
HttpAddRequestHeadersW
urlmon.dll
UrlMkGetSessionOption
nss3.dll
PR_OpenTCPSocket
nspr4.dll
hXXps://hXXp://TE
%Documents and Settings%\%current user%\Local Settings\Application Data\iwmikkry.log
%Documents and Settings%\%current user%\Local Settings\Application Data\ahigjltn.log
%Documents and Settings%\%current user%\Local Settings\Application Data\taywrdpm.log
%Documents and Settings%\%current user%\Local Settings\Application Data\vssqectp.log
%Documents and Settings%\%current user%\Local Settings\Application Data\klsckhjr.log
{49A21781-C39D-B603-C11E-00485360D01E}
{49A21782-C39D-B603-C11E-00485360D01E}
{49A21783-C39D-B603-C11E-00485360D01E}
PeekNamedPipe
SetNamedPipeHandleState
WaitNamedPipeA
DisconnectNamedPipe
CreateNamedPipeA
ConnectNamedPipe
RegCloseKey
RegDeleteKeyA
RegEnumKeyExA
RegOpenKeyExA
RegQueryInfoKeyA
ExitWindowsEx
GetKeyboardState
.text
`.rdata
@.data
.reloc
|75001234
PR_xTCPSh
wsock32.dll
multipart/*boundary={*}application/x-www-form-urlencodedname="{*}"{*}hXXps://hXXp://
keywords
alluniqcontrolexplicitASCIIUTF8UNICODE{keyword}
set_url
WebFilters
WebDataFilters
WebFakes
|0123456789
gzipdeflateContent-Type: application/x-www-form-urlencoded
Tdomain=google.ru&cookies=enabled&reason=1&auth=false
Cookie: User-Agent-Session: Basic login: Basic password:

svchost.exe_1512_rwx_201C1000_0003F000:

\$0#\$83
\$4#\$,3
PSSh0G
G%F;0r
Single block msg
AES-CTR-128 (%s):
AES-CFB128-= (%s):
AES-CBC-= (%s):
passed
AES-ECB-= (%s):
ARC4 test #%d:
?456789:;<=
!"#$%&'()* ,-./0123
Unexpected error, return code = X
failed at %d
CAMELLIA-CTR-128 (%s):
CAMELLIA-CBC-= (%s):
CAMELLIA-ECB-= (%s):
-----BEGIN CERTIFICATE-----
gZUwgZIwDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUtFrkpbPe0lL2udWmlQ/rPrzH
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
JczSfpRWLlbPznZg8OQh/VgCMA58N5DjOzTIK7sJJ5r 94ZBTCpgAMbF588f0NTR
-----END RSA PRIVATE KEY-----
lZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsupk9w
pgVb5xOXhbUjktnUJAbVCSWJdQfdphqPPwkZvq1lLGTrlZvc/kFeF6babFtpzAK6
%s(d): %s
%s(d): %s() returned %d (0x%x)
%s(d): x:
%s(d): dumping '%s' (%d bytes)
%s(d):
%s(d): value of '%s' (%lu bits) is:
crt->rsa.E
crt->rsa.N
%s(d): %s #%d:
DES%c-CBC-= (%s):
DES%c-ECB-= (%s):
HMAC-MD5 test #%d:
MD5 test #%d:
RSA key validation:
HMAC-SHA-1 test #%d:
SHA-1 test #%d:
HMAC-SHA-%d test #%d:
SHA-%d test #%d:
p.il :
client hello, server name extension: %s
client hello, compress alg.: %d
client hello, compress len.: %d
client hello, add ciphersuite: -
client hello, got %d ciphersuites
client hello, session id len.: %d
client hello, max version: [%d:%d]
server hello, compress alg.: %d
server hello, chosen ciphersuite: %d
%s session has been resumed
ssl_derive_keys
server hello, session id len.: %d
server hello, chosen version: [%d:%d]
<= parse server key exchange
bad server key exchange message
<= skip parse server key exchange
=> parse server key exchange
<= parse certificate request
got %s certificate request
bad certificate request message
=> parse certificate request
<= write client key exchange
=> write client key exchange
<= skip write certificate verify
<= write certificate verify
got no private key
=> write certificate verify
invalid state %d
client state: %d
client hello v3, max. version: [%d:%d]
client hello v3, handshake len.: %d
client hello v3, handshake type: %d
client hello v3, protocol ver: [%d:%d]
client hello v3, message len.: %d
client hello v3, message type: %d
ciph_len: %d, sess_len: %d, chal_len: %d
client hello v2, max. version: [%d:%d]
client hello v2, message len.: %d
client hello v2, message type: %d
<= write certificate request
<= skip write certificate request
=> write certificate request
<= write server key exchange
<= skip write server key exchange
=> write server key exchange
<= parse client key exchange
bad client key exchange message
=> parse client key exchange
<= parse certificate verify
bad certificate verify message
<= skip parse certificate verify
=> parse certificate verify
server state: %d
before encrypt: msglen = %d, including %d bytes of IV and %d bytes of padding
before encrypt: msglen = %d, including %d bytes of padding
bad padding byte: should be x, but is x
bad padding length: is %d, should be no more than %d
msglen (%d) %% ivlen (%d) != 0
in_msglen (%d) < minlen (%d)
in_left: %d, nb_want: %d
message length: %d, out_left: %d
output record: msgtype = %d, version = [%d:%d], msglen = %d
got an alert message, type: [%d:%d]
input record: msgtype = %d, version = [%d:%d], msglen = %d
handshake message: msglen = %d, type = %d, hslen = %d
<= write certificate
certificate too large, %d > %d
own certificate
got no certificate to send
<= skip write certificate
=> write certificate
<= parse certificate
x509_verify_cert
x509parse_crt
peer certificate
malloc(%d bytes) failed
bad certificate message
TLSv1 client has no certificate
SSLv3 client has no certificate
<= skip parse certificate
=> parse certificate
<= derive keys
keylen: %d, minlen: %d, ivlen: %d, maclen: %d
ciphersuite %s is not available
key block
ciphersuite = %s
key expansion
=> derive keys
1.0.0
PolarSSL 1.0.0
M-----
------
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
-----BEGIN PUBLIC KEY-----
-----END PUBLIC KEY-----
0xX=
X%s
%sRSA key size : %d bits
%ssigned using : RSA 
%sexpires on : d-d-d d:d:d
%sissued on : d-d-d d:d:d
%ssubject name :
%sissuer name :
%sserial number :
%scert. version : %d
TLS Web Client Authentication
TLS Web Server Authentication
%d.%d
revocation date: d-d-d d:d:d
%sserial number:
%sRevoked certificates:
%snext update : d-d-d d:d:d
%sthis update : d-d-d d:d:d
%sCRL version : %d
X.509 private key load:
X.509 certificate load:
XTEA test #%d:
Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX
System32\Macromed\Flash\mms.cfg
%SystemRoot%\
/get/flashplayer/current/licensing/win/install_flash_player_11_active_x_32bit.exe
/get/flashplayer/current/licensing/win/install_flash_player_11_plugin_32bit.exe
fpdownload.macromedia.com
\install_flash_player_11_plugin_32bit.exe
\install_flash_player_11_active_x_32bit.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ardownload.adobe.com
/pub/adobe/reader/win/10.x/10.1.2/en_US/AdbeRdr1012_en_US.exe
\AdbeRdr1012_en_US.exe
\Common Files\Java\Java Update\jucheck.exe
https
hXXp://VVV.oracle.com/technetwork/java/javase/downloads/jre-6u31-download-1501637.html
download.oracle.com
/otn-pub/java/jdk/6u31-b05/jre-6u31-windows-i586.exe
\jre-6u31-windows-i586-s.exe
%s=%s
Range: bytes=%d-%d
Cookie:%s
Cache-Control: %s
Connection: %s
Content-Length: %d
Host: %s
Accept-Encoding: %s
Content-Type: %s
User-Agent: %s
Accept-Language: %s
Referer: %s
Accept: %s
%s %s HTTP/1.1
Test Using Larger Than Block-Size Key - Hash Key First
Test Using Larger Than Block-Size Key and Larger Than One Block-Size Data
This is a test using a larger than block-size key and a larger than block-size data. The key needs to be hashed before being used by the HMAC algorithm.
gpw_e24=http://VVV.oracle.com/technetwork/java/javase/downloads/jre-6u31-download-1501637.html
s_sq=[[B]];
%s=%s;
GetProcessHeap
CreateIoCompletionPort
RegEnumKeyExA
RegOpenKeyA
RegCreateKeyExA
RegCloseKey
.text
`.rdata
@.data
.idata
.reloc

svchost.exe_1512_rwx_20211000_00357000:

L$.UQf
D$.UP
t%UWUj
%S"$ a
ADVAPI32.DLL
mscoree.dll
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
kernel32.dll
operator
GetProcessWindowStation
USER32.DLL
KERNEL32.DLL
.rsrc
.reloc
 -/*=<>()[]{}:,|&~#`;\
export
import
pmovsxdq%S
0123456789
$*)"-( .& !,'/%#4:92=80>6;1<7?53
- $!#/%) *.'&(",=;413?590:>7682<
{X-X-X-X-XX}
user32.dll
=%System%\svchost.exe
GetProcessHeap
GetWindowsDirectoryW
GetConsoleOutputCP
GetCPInfo
.text
`.rdata
@.data
%WinDir%

Explorer.EXE_532_rwx_20590000_00037000:

Gh.logWj
h.logPj
tcPR
h.exe
user32.dll
kernel32.dll
|GetWindowsDirectoryA
{X-X-X-X-XX}
ntdll.dll
shlwapi.dll
SHDeleteKeyA
SOFTWARE\Microsoft\Windows\CurrentVersion
shell32.dll
?456789:;<=
!"#$%&'()* ,-./0123
ws2_32.dll
HTTP/*.*
/HTTPMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Referer: %s
Content-Type: multipart/form-data; boundary=%s
Content-Length: %d
Content-Disposition: form-data; name="%s"
--%s--
%s /%s HTTP/1.1
Host: %s
User-Agent: %s
%sAccept-Language: %s
HTTP/1.x 301 Moved Permanently
Server: Apache/2.2.14
advapi32.dll
%CommonProgramFiles%
\/*.*
winlogon.exe
csrss.exe
smss.exe
keyworddestination<
USER PASS
PORT
RapportGP.dll
csshiftjis
cswindows31j
iso_646.irv:1991
windows-1250
windows-1251
windows-1252
windows-1253
windows-1254
windows-1255
windows-1256
windows-1257
windows-1258
windows-874
hostuser-agentoptionsgetheadpostputdeletetraceacceptaccept-charsetaccept-encodingaccept-languageauthorizationexpectfromhostif-modified-sinceif-matchif-none-matchif-rangeif-unmodifiedsincemax-forwardsproxy-authorizationrangerefererteuser-agent100101200201202203204205206300301302303304305306307400401402403404405406407408409410411412413414415416417500501502503504505accept-rangesageetaglocationproxy-authenticatepublicretry-afterservervarywarningwww-authenticateallowcontent-basecontent-encodingcache-controlconnectiondatetrailertransfer-encodingupgradeviawarningcontent-languagecontent-lengthcontent-locationcontent-md5content-rangecontent-typeetagexpireslast-modifiedset-cookieMondayTuesdayWednesdayThursdayFridaySaturdaySundayJanFebMarAprMayJunJulAugSepOctNovDecchunkedtext/htmlimage/pngimage/jpgimage/gifapplication/xmlapplication/xhtmltext/plainpublicmax-agecharset=iso-8859-1utf-8gzipdeflateHTTP/1.1statusversionurl
HTTP/1.1
\\.\pipe\
gdiplus.dll
GdiplusShutdown
PTF://%s:%s@%s:%d/
pop3://%s:%s@%s:%d/
dnsapi.dll
wininet.dll
HttpOpenRequestA
HttpOpenRequestW
InternetOpenUrlA
InternetOpenUrlW
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
QZ .QZ hSZ B^Z ']Z
DeleteUrlCacheEntryW
HttpQueryInfoA
HttpQueryInfoW
GetUrlCacheEntryInfoW
HttpAddRequestHeadersA
HttpAddRequestHeadersW
wurlmon.dll
UrlMkGetSessionOption
nss3.dll
PR_OpenTCPSocket
nspr4.dll
hXXps://hXXp://TE
{49A21781-C39D-B603-C11E-00485360D01E}
%Documents and Settings%\%current user%\Local Settings\Application Data\iwmikkry.log
{49A21783-C39D-B603-C11E-00485360D01E}
{49A21782-C39D-B603-C11E-00485360D01E}
PeekNamedPipe
SetNamedPipeHandleState
WaitNamedPipeA
DisconnectNamedPipe
CreateNamedPipeA
ConnectNamedPipe
RegCloseKey
RegDeleteKeyA
RegEnumKeyExA
RegOpenKeyExA
RegQueryInfoKeyA
ExitWindowsEx
GetKeyboardState
.text
`.rdata
@.data
.reloc
|75001234
PR_xTCPSh
wsock32.dll
multipart/*boundary={*}application/x-www-form-urlencodedname="{*}"{*}hXXps://hXXp://
keywords
alluniqcontrolexplicitASCIIUTF8UNICODE{keyword}
set_url
WebFilters
WebDataFilters
WebFakes
|0123456789
gzipdeflateContent-Type: application/x-www-form-urlencoded
Tdomain=google.ru&cookies=enabled&reason=1&auth=false
Cookie: User-Agent-Session: Basic login: Basic password:

services.exe_724_rwx_20210000_00037000:

Gh.logWj
h.logPj
tcPR
h.exe
user32.dll
kernel32.dll
|GetWindowsDirectoryA
{X-X-X-X-XX}
ntdll.dll
shlwapi.dll
SHDeleteKeyA
SOFTWARE\Microsoft\Windows\CurrentVersion
shell32.dll
?456789:;<=
!"#$%&'()* ,-./0123
ws2_32.dll
HTTP/*.*
/HTTPMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Referer: %s
Content-Type: multipart/form-data; boundary=%s
Content-Length: %d
Content-Disposition: form-data; name="%s"
--%s--
%s /%s HTTP/1.1
Host: %s
User-Agent: %s
%sAccept-Language: %s
HTTP/1.x 301 Moved Permanently
Server: Apache/2.2.14
advapi32.dll
%CommonProgramFiles%
\/*.*
winlogon.exe
csrss.exe
smss.exe
keyworddestination<
USER PASS
PORT
RapportGP.dll
csshiftjis
cswindows31j
iso_646.irv:1991
windows-1250
windows-1251
windows-1252
windows-1253
windows-1254
windows-1255
windows-1256
windows-1257
windows-1258
windows-874
hostuser-agentoptionsgetheadpostputdeletetraceacceptaccept-charsetaccept-encodingaccept-languageauthorizationexpectfromhostif-modified-sinceif-matchif-none-matchif-rangeif-unmodifiedsincemax-forwardsproxy-authorizationrangerefererteuser-agent100101200201202203204205206300301302303304305306307400401402403404405406407408409410411412413414415416417500501502503504505accept-rangesageetaglocationproxy-authenticatepublicretry-afterservervarywarningwww-authenticateallowcontent-basecontent-encodingcache-controlconnectiondatetrailertransfer-encodingupgradeviawarningcontent-languagecontent-lengthcontent-locationcontent-md5content-rangecontent-typeetagexpireslast-modifiedset-cookieMondayTuesdayWednesdayThursdayFridaySaturdaySundayJanFebMarAprMayJunJulAugSepOctNovDecchunkedtext/htmlimage/pngimage/jpgimage/gifapplication/xmlapplication/xhtmltext/plainpublicmax-agecharset=iso-8859-1utf-8gzipdeflateHTTP/1.1statusversionurl
HTTP/1.1
\\.\pipe\
gdiplus.dll
GdiplusShutdown
PTF://%s:%s@%s:%d/
pop3://%s:%s@%s:%d/
dnsapi.dll
wininet.dll
HttpOpenRequestA
HttpOpenRequestW
InternetOpenUrlA
InternetOpenUrlW
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
DeleteUrlCacheEntryW
HttpQueryInfoA
HttpQueryInfoW
GetUrlCacheEntryInfoW
HttpAddRequestHeadersA
HttpAddRequestHeadersW
urlmon.dll
UrlMkGetSessionOption
nss3.dll
PR_OpenTCPSocket
nspr4.dll
hXXps://hXXp://TE
{49A21781-C39D-B603-C11E-00485360D01E}
%Documents and Settings%\LocalService\Local Settings\Application Data\iwmikkry.log
{49A21783-C39D-B603-C11E-00485360D01E}
{49A21782-C39D-B603-C11E-00485360D01E}
PeekNamedPipe
SetNamedPipeHandleState
WaitNamedPipeA
DisconnectNamedPipe
CreateNamedPipeA
ConnectNamedPipe
RegCloseKey
RegDeleteKeyA
RegEnumKeyExA
RegOpenKeyExA
RegQueryInfoKeyA
ExitWindowsEx
GetKeyboardState
.text
`.rdata
@.data
.reloc
|75001234
PR_xTCPSh
wsock32.dll
multipart/*boundary={*}application/x-www-form-urlencodedname="{*}"{*}hXXps://hXXp://
keywords
alluniqcontrolexplicitASCIIUTF8UNICODE{keyword}
set_url
WebFilters
WebDataFilters
WebFakes
|0123456789
gzipdeflateContent-Type: application/x-www-form-urlencoded
Tdomain=google.ru&cookies=enabled&reason=1&auth=false
Cookie: User-Agent-Session: Basic login: Basic password:

lsass.exe_736_rwx_20590000_00037000:

Gh.logWj
h.logPj
tcPR
h.exe
user32.dll
kernel32.dll
|GetWindowsDirectoryA
{X-X-X-X-XX}
ntdll.dll
shlwapi.dll
SHDeleteKeyA
SOFTWARE\Microsoft\Windows\CurrentVersion
shell32.dll
?456789:;<=
!"#$%&'()* ,-./0123
ws2_32.dll
HTTP/*.*
/HTTPMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Referer: %s
Content-Type: multipart/form-data; boundary=%s
Content-Length: %d
Content-Disposition: form-data; name="%s"
--%s--
%s /%s HTTP/1.1
Host: %s
User-Agent: %s
%sAccept-Language: %s
HTTP/1.x 301 Moved Permanently
Server: Apache/2.2.14
advapi32.dll
%CommonProgramFiles%
\/*.*
winlogon.exe
csrss.exe
smss.exe
keyworddestination<
USER PASS
PORT
RapportGP.dll
csshiftjis
cswindows31j
iso_646.irv:1991
windows-1250
windows-1251
windows-1252
windows-1253
windows-1254
windows-1255
windows-1256
windows-1257
windows-1258
windows-874
hostuser-agentoptionsgetheadpostputdeletetraceacceptaccept-charsetaccept-encodingaccept-languageauthorizationexpectfromhostif-modified-sinceif-matchif-none-matchif-rangeif-unmodifiedsincemax-forwardsproxy-authorizationrangerefererteuser-agent100101200201202203204205206300301302303304305306307400401402403404405406407408409410411412413414415416417500501502503504505accept-rangesageetaglocationproxy-authenticatepublicretry-afterservervarywarningwww-authenticateallowcontent-basecontent-encodingcache-controlconnectiondatetrailertransfer-encodingupgradeviawarningcontent-languagecontent-lengthcontent-locationcontent-md5content-rangecontent-typeetagexpireslast-modifiedset-cookieMondayTuesdayWednesdayThursdayFridaySaturdaySundayJanFebMarAprMayJunJulAugSepOctNovDecchunkedtext/htmlimage/pngimage/jpgimage/gifapplication/xmlapplication/xhtmltext/plainpublicmax-agecharset=iso-8859-1utf-8gzipdeflateHTTP/1.1statusversionurl
HTTP/1.1
\\.\pipe\
gdiplus.dll
GdiplusShutdown
PTF://%s:%s@%s:%d/
pop3://%s:%s@%s:%d/
dnsapi.dll
wininet.dll
HttpOpenRequestA
HttpOpenRequestW
InternetOpenUrlA
InternetOpenUrlW
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
QZ .QZ hSZ B^Z ']Z
DeleteUrlCacheEntryW
HttpQueryInfoA
HttpQueryInfoW
GetUrlCacheEntryInfoW
HttpAddRequestHeadersA
HttpAddRequestHeadersW
urlmon.dll
UrlMkGetSessionOption
nss3.dll
PR_OpenTCPSocket
nspr4.dll
hXXps://hXXp://TE
{49A21781-C39D-B603-C11E-00485360D01E}
%System%\config\systemprofile\Local Settings\Application Data\iwmikkry.log
{49A21783-C39D-B603-C11E-00485360D01E}
{49A21782-C39D-B603-C11E-00485360D01E}
PeekNamedPipe
SetNamedPipeHandleState
WaitNamedPipeA
DisconnectNamedPipe
CreateNamedPipeA
ConnectNamedPipe
RegCloseKey
RegDeleteKeyA
RegEnumKeyExA
RegOpenKeyExA
RegQueryInfoKeyA
ExitWindowsEx
GetKeyboardState
.text
`.rdata
@.data
.reloc
|75001234
PR_xTCPSh
wsock32.dll
multipart/*boundary={*}application/x-www-form-urlencodedname="{*}"{*}hXXps://hXXp://
keywords
alluniqcontrolexplicitASCIIUTF8UNICODE{keyword}
set_url
WebFilters
WebDataFilters
WebFakes
|0123456789
gzipdeflateContent-Type: application/x-www-form-urlencoded
Tdomain=google.ru&cookies=enabled&reason=1&auth=false
Cookie: User-Agent-Session: Basic login: Basic password:

svchost.exe_904_rwx_20590000_00037000:

Gh.logWj
h.logPj
tcPR
h.exe
user32.dll
kernel32.dll
|GetWindowsDirectoryA
{X-X-X-X-XX}
ntdll.dll
shlwapi.dll
SHDeleteKeyA
SOFTWARE\Microsoft\Windows\CurrentVersion
shell32.dll
?456789:;<=
!"#$%&'()* ,-./0123
ws2_32.dll
HTTP/*.*
/HTTPMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Referer: %s
Content-Type: multipart/form-data; boundary=%s
Content-Length: %d
Content-Disposition: form-data; name="%s"
--%s--
%s /%s HTTP/1.1
Host: %s
User-Agent: %s
%sAccept-Language: %s
HTTP/1.x 301 Moved Permanently
Server: Apache/2.2.14
advapi32.dll
%CommonProgramFiles%
\/*.*
winlogon.exe
csrss.exe
smss.exe
keyworddestination<
USER PASS
PORT
RapportGP.dll
csshiftjis
cswindows31j
iso_646.irv:1991
windows-1250
windows-1251
windows-1252
windows-1253
windows-1254
windows-1255
windows-1256
windows-1257
windows-1258
windows-874
hostuser-agentoptionsgetheadpostputdeletetraceacceptaccept-charsetaccept-encodingaccept-languageauthorizationexpectfromhostif-modified-sinceif-matchif-none-matchif-rangeif-unmodifiedsincemax-forwardsproxy-authorizationrangerefererteuser-agent100101200201202203204205206300301302303304305306307400401402403404405406407408409410411412413414415416417500501502503504505accept-rangesageetaglocationproxy-authenticatepublicretry-afterservervarywarningwww-authenticateallowcontent-basecontent-encodingcache-controlconnectiondatetrailertransfer-encodingupgradeviawarningcontent-languagecontent-lengthcontent-locationcontent-md5content-rangecontent-typeetagexpireslast-modifiedset-cookieMondayTuesdayWednesdayThursdayFridaySaturdaySundayJanFebMarAprMayJunJulAugSepOctNovDecchunkedtext/htmlimage/pngimage/jpgimage/gifapplication/xmlapplication/xhtmltext/plainpublicmax-agecharset=iso-8859-1utf-8gzipdeflateHTTP/1.1statusversionurl
HTTP/1.1
\\.\pipe\
gdiplus.dll
GdiplusShutdown
PTF://%s:%s@%s:%d/
pop3://%s:%s@%s:%d/
dnsapi.dll
wininet.dll
HttpOpenRequestA
HttpOpenRequestW
InternetOpenUrlA
InternetOpenUrlW
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
QZ .QZ hSZ B^Z ']Z
DeleteUrlCacheEntryW
HttpQueryInfoA
HttpQueryInfoW
GetUrlCacheEntryInfoW
HttpAddRequestHeadersA
HttpAddRequestHeadersW
urlmon.dll
UrlMkGetSessionOption
nss3.dll
PR_OpenTCPSocket
nspr4.dll
hXXps://hXXp://TE
{49A21781-C39D-B603-C11E-00485360D01E}
%System%\config\systemprofile\Local Settings\Application Data\iwmikkry.log
{49A21783-C39D-B603-C11E-00485360D01E}
{49A21782-C39D-B603-C11E-00485360D01E}
PeekNamedPipe
SetNamedPipeHandleState
WaitNamedPipeA
DisconnectNamedPipe
CreateNamedPipeA
ConnectNamedPipe
RegCloseKey
RegDeleteKeyA
RegEnumKeyExA
RegOpenKeyExA
RegQueryInfoKeyA
ExitWindowsEx
GetKeyboardState
.text
`.rdata
@.data
.reloc
|75001234
PR_xTCPSh
wsock32.dll
multipart/*boundary={*}application/x-www-form-urlencodedname="{*}"{*}hXXps://hXXp://
keywords
alluniqcontrolexplicitASCIIUTF8UNICODE{keyword}
set_url
WebFilters
WebDataFilters
WebFakes
|0123456789
gzipdeflateContent-Type: application/x-www-form-urlencoded
Tdomain=google.ru&cookies=enabled&reason=1&auth=false
Cookie: User-Agent-Session: Basic login: Basic password:

svchost.exe_988_rwx_20590000_00037000:

Gh.logWj
h.logPj
tcPR
h.exe
user32.dll
kernel32.dll
|GetWindowsDirectoryA
{X-X-X-X-XX}
ntdll.dll
shlwapi.dll
SHDeleteKeyA
SOFTWARE\Microsoft\Windows\CurrentVersion
shell32.dll
?456789:;<=
!"#$%&'()* ,-./0123
ws2_32.dll
HTTP/*.*
/HTTPMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Referer: %s
Content-Type: multipart/form-data; boundary=%s
Content-Length: %d
Content-Disposition: form-data; name="%s"
--%s--
%s /%s HTTP/1.1
Host: %s
User-Agent: %s
%sAccept-Language: %s
HTTP/1.x 301 Moved Permanently
Server: Apache/2.2.14
advapi32.dll
%CommonProgramFiles%
\/*.*
winlogon.exe
csrss.exe
smss.exe
keyworddestination<
USER PASS
PORT
RapportGP.dll
csshiftjis
cswindows31j
iso_646.irv:1991
windows-1250
windows-1251
windows-1252
windows-1253
windows-1254
windows-1255
windows-1256
windows-1257
windows-1258
windows-874
hostuser-agentoptionsgetheadpostputdeletetraceacceptaccept-charsetaccept-encodingaccept-languageauthorizationexpectfromhostif-modified-sinceif-matchif-none-matchif-rangeif-unmodifiedsincemax-forwardsproxy-authorizationrangerefererteuser-agent100101200201202203204205206300301302303304305306307400401402403404405406407408409410411412413414415416417500501502503504505accept-rangesageetaglocationproxy-authenticatepublicretry-afterservervarywarningwww-authenticateallowcontent-basecontent-encodingcache-controlconnectiondatetrailertransfer-encodingupgradeviawarningcontent-languagecontent-lengthcontent-locationcontent-md5content-rangecontent-typeetagexpireslast-modifiedset-cookieMondayTuesdayWednesdayThursdayFridaySaturdaySundayJanFebMarAprMayJunJulAugSepOctNovDecchunkedtext/htmlimage/pngimage/jpgimage/gifapplication/xmlapplication/xhtmltext/plainpublicmax-agecharset=iso-8859-1utf-8gzipdeflateHTTP/1.1statusversionurl
HTTP/1.1
\\.\pipe\
gdiplus.dll
GdiplusShutdown
PTF://%s:%s@%s:%d/
pop3://%s:%s@%s:%d/
dnsapi.dll
wininet.dll
HttpOpenRequestA
HttpOpenRequestW
InternetOpenUrlA
InternetOpenUrlW
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
QZ .QZ hSZ B^Z ']Z
DeleteUrlCacheEntryW
HttpQueryInfoA
HttpQueryInfoW
GetUrlCacheEntryInfoW
HttpAddRequestHeadersA
HttpAddRequestHeadersW
urlmon.dll
UrlMkGetSessionOption
nss3.dll
PR_OpenTCPSocket
nspr4.dll
hXXps://hXXp://TE
{49A21781-C39D-B603-C11E-00485360D01E}
%Documents and Settings%\NetworkService\Local Settings\Application Data\iwmikkry.log
{49A21783-C39D-B603-C11E-00485360D01E}
{49A21782-C39D-B603-C11E-00485360D01E}
PeekNamedPipe
SetNamedPipeHandleState
WaitNamedPipeA
DisconnectNamedPipe
CreateNamedPipeA
ConnectNamedPipe
RegCloseKey
RegDeleteKeyA
RegEnumKeyExA
RegOpenKeyExA
RegQueryInfoKeyA
ExitWindowsEx
GetKeyboardState
.text
`.rdata
@.data
.reloc
|75001234
PR_xTCPSh
wsock32.dll
multipart/*boundary={*}application/x-www-form-urlencodedname="{*}"{*}hXXps://hXXp://
keywords
alluniqcontrolexplicitASCIIUTF8UNICODE{keyword}
set_url
WebFilters
WebDataFilters
WebFakes
|0123456789
gzipdeflateContent-Type: application/x-www-form-urlencoded
Tdomain=google.ru&cookies=enabled&reason=1&auth=false
Cookie: User-Agent-Session: Basic login: Basic password:

wmiprvse.exe_1068_rwx_20590000_00037000:

Gh.logWj
h.logPj
tcPR
h.exe
user32.dll
kernel32.dll
|GetWindowsDirectoryA
{X-X-X-X-XX}
ntdll.dll
shlwapi.dll
SHDeleteKeyA
SOFTWARE\Microsoft\Windows\CurrentVersion
shell32.dll
?456789:;<=
!"#$%&'()* ,-./0123
ws2_32.dll
HTTP/*.*
/HTTPMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Referer: %s
Content-Type: multipart/form-data; boundary=%s
Content-Length: %d
Content-Disposition: form-data; name="%s"
--%s--
%s /%s HTTP/1.1
Host: %s
User-Agent: %s
%sAccept-Language: %s
HTTP/1.x 301 Moved Permanently
Server: Apache/2.2.14
advapi32.dll
%CommonProgramFiles%
\/*.*
winlogon.exe
csrss.exe
smss.exe
keyworddestination<
USER PASS
PORT
RapportGP.dll
csshiftjis
cswindows31j
iso_646.irv:1991
windows-1250
windows-1251
windows-1252
windows-1253
windows-1254
windows-1255
windows-1256
windows-1257
windows-1258
windows-874
hostuser-agentoptionsgetheadpostputdeletetraceacceptaccept-charsetaccept-encodingaccept-languageauthorizationexpectfromhostif-modified-sinceif-matchif-none-matchif-rangeif-unmodifiedsincemax-forwardsproxy-authorizationrangerefererteuser-agent100101200201202203204205206300301302303304305306307400401402403404405406407408409410411412413414415416417500501502503504505accept-rangesageetaglocationproxy-authenticatepublicretry-afterservervarywarningwww-authenticateallowcontent-basecontent-encodingcache-controlconnectiondatetrailertransfer-encodingupgradeviawarningcontent-languagecontent-lengthcontent-locationcontent-md5content-rangecontent-typeetagexpireslast-modifiedset-cookieMondayTuesdayWednesdayThursdayFridaySaturdaySundayJanFebMarAprMayJunJulAugSepOctNovDecchunkedtext/htmlimage/pngimage/jpgimage/gifapplication/xmlapplication/xhtmltext/plainpublicmax-agecharset=iso-8859-1utf-8gzipdeflateHTTP/1.1statusversionurl
HTTP/1.1
\\.\pipe\
gdiplus.dll
GdiplusShutdown
PTF://%s:%s@%s:%d/
pop3://%s:%s@%s:%d/
dnsapi.dll
wininet.dll
HttpOpenRequestA
HttpOpenRequestW
InternetOpenUrlA
InternetOpenUrlW
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
QZ .QZ hSZ B^Z ']Z
DeleteUrlCacheEntryW
HttpQueryInfoA
HttpQueryInfoW
GetUrlCacheEntryInfoW
HttpAddRequestHeadersA
HttpAddRequestHeadersW
urlmon.dll
UrlMkGetSessionOption
nss3.dll
PR_OpenTCPSocket
nspr4.dll
hXXps://hXXp://TE
{49A21781-C39D-B603-C11E-00485360D01E}
%System%\config\systemprofile\Local Settings\Application Data\iwmikkry.log
{49A21783-C39D-B603-C11E-00485360D01E}
{49A21782-C39D-B603-C11E-00485360D01E}
PeekNamedPipe
SetNamedPipeHandleState
WaitNamedPipeA
DisconnectNamedPipe
CreateNamedPipeA
ConnectNamedPipe
RegCloseKey
RegDeleteKeyA
RegEnumKeyExA
RegOpenKeyExA
RegQueryInfoKeyA
ExitWindowsEx
GetKeyboardState
.text
`.rdata
@.data
.reloc
|75001234
PR_xTCPSh
wsock32.dll
multipart/*boundary={*}application/x-www-form-urlencodedname="{*}"{*}hXXps://hXXp://
keywords
alluniqcontrolexplicitASCIIUTF8UNICODE{keyword}
set_url
WebFilters
WebDataFilters
WebFakes
|0123456789
gzipdeflateContent-Type: application/x-www-form-urlencoded
Tdomain=google.ru&cookies=enabled&reason=1&auth=false
Cookie: User-Agent-Session: Basic login: Basic password:

svchost.exe_1084_rwx_20590000_00037000:

Gh.logWj
h.logPj
tcPR
h.exe
user32.dll
kernel32.dll
|GetWindowsDirectoryA
{X-X-X-X-XX}
ntdll.dll
shlwapi.dll
SHDeleteKeyA
SOFTWARE\Microsoft\Windows\CurrentVersion
shell32.dll
?456789:;<=
!"#$%&'()* ,-./0123
ws2_32.dll
HTTP/*.*
/HTTPMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Referer: %s
Content-Type: multipart/form-data; boundary=%s
Content-Length: %d
Content-Disposition: form-data; name="%s"
--%s--
%s /%s HTTP/1.1
Host: %s
User-Agent: %s
%sAccept-Language: %s
HTTP/1.x 301 Moved Permanently
Server: Apache/2.2.14
advapi32.dll
%CommonProgramFiles%
\/*.*
winlogon.exe
csrss.exe
smss.exe
keyworddestination<
USER PASS
PORT
RapportGP.dll
csshiftjis
cswindows31j
iso_646.irv:1991
windows-1250
windows-1251
windows-1252
windows-1253
windows-1254
windows-1255
windows-1256
windows-1257
windows-1258
windows-874
hostuser-agentoptionsgetheadpostputdeletetraceacceptaccept-charsetaccept-encodingaccept-languageauthorizationexpectfromhostif-modified-sinceif-matchif-none-matchif-rangeif-unmodifiedsincemax-forwardsproxy-authorizationrangerefererteuser-agent100101200201202203204205206300301302303304305306307400401402403404405406407408409410411412413414415416417500501502503504505accept-rangesageetaglocationproxy-authenticatepublicretry-afterservervarywarningwww-authenticateallowcontent-basecontent-encodingcache-controlconnectiondatetrailertransfer-encodingupgradeviawarningcontent-languagecontent-lengthcontent-locationcontent-md5content-rangecontent-typeetagexpireslast-modifiedset-cookieMondayTuesdayWednesdayThursdayFridaySaturdaySundayJanFebMarAprMayJunJulAugSepOctNovDecchunkedtext/htmlimage/pngimage/jpgimage/gifapplication/xmlapplication/xhtmltext/plainpublicmax-agecharset=iso-8859-1utf-8gzipdeflateHTTP/1.1statusversionurl
HTTP/1.1
\\.\pipe\
gdiplus.dll
GdiplusShutdown
PTF://%s:%s@%s:%d/
pop3://%s:%s@%s:%d/
dnsapi.dll
wininet.dll
HttpOpenRequestA
HttpOpenRequestW
InternetOpenUrlA
InternetOpenUrlW
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
QZ .QZ hSZ B^Z ']Z
DeleteUrlCacheEntryW
HttpQueryInfoA
HttpQueryInfoW
GetUrlCacheEntryInfoW
HttpAddRequestHeadersA
HttpAddRequestHeadersW
wurlmon.dll
UrlMkGetSessionOption
nss3.dll
PR_OpenTCPSocket
nspr4.dll
hXXps://hXXp://TE
{49A21781-C39D-B603-C11E-00485360D01E}
%Documents and Settings%\NetworkService\Local Settings\Application Data\iwmikkry.log
{49A21783-C39D-B603-C11E-00485360D01E}
{49A21782-C39D-B603-C11E-00485360D01E}
PeekNamedPipe
SetNamedPipeHandleState
WaitNamedPipeA
DisconnectNamedPipe
CreateNamedPipeA
ConnectNamedPipe
RegCloseKey
RegDeleteKeyA
RegEnumKeyExA
RegOpenKeyExA
RegQueryInfoKeyA
ExitWindowsEx
GetKeyboardState
.text
`.rdata
@.data
.reloc
|75001234
PR_xTCPSh
wsock32.dll
multipart/*boundary={*}application/x-www-form-urlencodedname="{*}"{*}hXXps://hXXp://
keywords
alluniqcontrolexplicitASCIIUTF8UNICODE{keyword}
set_url
WebFilters
WebDataFilters
WebFakes
|0123456789
gzipdeflateContent-Type: application/x-www-form-urlencoded
Tdomain=google.ru&cookies=enabled&reason=1&auth=false
Cookie: User-Agent-Session: Basic login: Basic password:

svchost.exe_1128_rwx_20590000_00037000:

Gh.logWj
h.logPj
tcPR
h.exe
user32.dll
kernel32.dll
|GetWindowsDirectoryA
{X-X-X-X-XX}
ntdll.dll
shlwapi.dll
SHDeleteKeyA
SOFTWARE\Microsoft\Windows\CurrentVersion
shell32.dll
?456789:;<=
!"#$%&'()* ,-./0123
ws2_32.dll
HTTP/*.*
/HTTPMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Referer: %s
Content-Type: multipart/form-data; boundary=%s
Content-Length: %d
Content-Disposition: form-data; name="%s"
--%s--
%s /%s HTTP/1.1
Host: %s
User-Agent: %s
%sAccept-Language: %s
HTTP/1.x 301 Moved Permanently
Server: Apache/2.2.14
advapi32.dll
%CommonProgramFiles%
\/*.*
winlogon.exe
csrss.exe
smss.exe
keyworddestination<
USER PASS
PORT
RapportGP.dll
csshiftjis
cswindows31j
iso_646.irv:1991
windows-1250
windows-1251
windows-1252
windows-1253
windows-1254
windows-1255
windows-1256
windows-1257
windows-1258
windows-874
hostuser-agentoptionsgetheadpostputdeletetraceacceptaccept-charsetaccept-encodingaccept-languageauthorizationexpectfromhostif-modified-sinceif-matchif-none-matchif-rangeif-unmodifiedsincemax-forwardsproxy-authorizationrangerefererteuser-agent100101200201202203204205206300301302303304305306307400401402403404405406407408409410411412413414415416417500501502503504505accept-rangesageetaglocationproxy-authenticatepublicretry-afterservervarywarningwww-authenticateallowcontent-basecontent-encodingcache-controlconnectiondatetrailertransfer-encodingupgradeviawarningcontent-languagecontent-lengthcontent-locationcontent-md5content-rangecontent-typeetagexpireslast-modifiedset-cookieMondayTuesdayWednesdayThursdayFridaySaturdaySundayJanFebMarAprMayJunJulAugSepOctNovDecchunkedtext/htmlimage/pngimage/jpgimage/gifapplication/xmlapplication/xhtmltext/plainpublicmax-agecharset=iso-8859-1utf-8gzipdeflateHTTP/1.1statusversionurl
HTTP/1.1
\\.\pipe\
gdiplus.dll
GdiplusShutdown
PTF://%s:%s@%s:%d/
pop3://%s:%s@%s:%d/
dnsapi.dll
wininet.dll
HttpOpenRequestA
HttpOpenRequestW
InternetOpenUrlA
InternetOpenUrlW
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
QZ .QZ hSZ B^Z ']Z
DeleteUrlCacheEntryW
HttpQueryInfoA
HttpQueryInfoW
GetUrlCacheEntryInfoW
HttpAddRequestHeadersA
HttpAddRequestHeadersW
urlmon.dll
UrlMkGetSessionOption
nss3.dll
PR_OpenTCPSocket
nspr4.dll
hXXps://hXXp://TE
{49A21781-C39D-B603-C11E-00485360D01E}
%Documents and Settings%\NetworkService\Local Settings\Application Data\iwmikkry.log
{49A21783-C39D-B603-C11E-00485360D01E}
{49A21782-C39D-B603-C11E-00485360D01E}
PeekNamedPipe
SetNamedPipeHandleState
WaitNamedPipeA
DisconnectNamedPipe
CreateNamedPipeA
ConnectNamedPipe
RegCloseKey
RegDeleteKeyA
RegEnumKeyExA
RegOpenKeyExA
RegQueryInfoKeyA
ExitWindowsEx
GetKeyboardState
.text
`.rdata
@.data
.reloc
|75001234
PR_xTCPSh
wsock32.dll
multipart/*boundary={*}application/x-www-form-urlencodedname="{*}"{*}hXXps://hXXp://
keywords
alluniqcontrolexplicitASCIIUTF8UNICODE{keyword}
set_url
WebFilters
WebDataFilters
WebFakes
|0123456789
gzipdeflateContent-Type: application/x-www-form-urlencoded
Tdomain=google.ru&cookies=enabled&reason=1&auth=false
Cookie: User-Agent-Session: Basic login: Basic password:

svchost.exe_1180_rwx_20590000_00037000:

Gh.logWj
h.logPj
tcPR
h.exe
user32.dll
kernel32.dll
|GetWindowsDirectoryA
{X-X-X-X-XX}
ntdll.dll
shlwapi.dll
SHDeleteKeyA
SOFTWARE\Microsoft\Windows\CurrentVersion
shell32.dll
?456789:;<=
!"#$%&'()* ,-./0123
ws2_32.dll
HTTP/*.*
/HTTPMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Referer: %s
Content-Type: multipart/form-data; boundary=%s
Content-Length: %d
Content-Disposition: form-data; name="%s"
--%s--
%s /%s HTTP/1.1
Host: %s
User-Agent: %s
%sAccept-Language: %s
HTTP/1.x 301 Moved Permanently
Server: Apache/2.2.14
advapi32.dll
%CommonProgramFiles%
\/*.*
winlogon.exe
csrss.exe
smss.exe
keyworddestination<
USER PASS
PORT
RapportGP.dll
csshiftjis
cswindows31j
iso_646.irv:1991
windows-1250
windows-1251
windows-1252
windows-1253
windows-1254
windows-1255
windows-1256
windows-1257
windows-1258
windows-874
hostuser-agentoptionsgetheadpostputdeletetraceacceptaccept-charsetaccept-encodingaccept-languageauthorizationexpectfromhostif-modified-sinceif-matchif-none-matchif-rangeif-unmodifiedsincemax-forwardsproxy-authorizationrangerefererteuser-agent100101200201202203204205206300301302303304305306307400401402403404405406407408409410411412413414415416417500501502503504505accept-rangesageetaglocationproxy-authenticatepublicretry-afterservervarywarningwww-authenticateallowcontent-basecontent-encodingcache-controlconnectiondatetrailertransfer-encodingupgradeviawarningcontent-languagecontent-lengthcontent-locationcontent-md5content-rangecontent-typeetagexpireslast-modifiedset-cookieMondayTuesdayWednesdayThursdayFridaySaturdaySundayJanFebMarAprMayJunJulAugSepOctNovDecchunkedtext/htmlimage/pngimage/jpgimage/gifapplication/xmlapplication/xhtmltext/plainpublicmax-agecharset=iso-8859-1utf-8gzipdeflateHTTP/1.1statusversionurl
HTTP/1.1
\\.\pipe\
gdiplus.dll
GdiplusShutdown
PTF://%s:%s@%s:%d/
pop3://%s:%s@%s:%d/
dnsapi.dll
wininet.dll
HttpOpenRequestA
HttpOpenRequestW
InternetOpenUrlA
InternetOpenUrlW
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
QZ .QZ hSZ B^Z ']Z
DeleteUrlCacheEntryW
HttpQueryInfoA
HttpQueryInfoW
GetUrlCacheEntryInfoW
HttpAddRequestHeadersA
HttpAddRequestHeadersW
wurlmon.dll
UrlMkGetSessionOption
nss3.dll
PR_OpenTCPSocket
nspr4.dll
hXXps://hXXp://TE
{49A21781-C39D-B603-C11E-00485360D01E}
%Documents and Settings%\LocalService\Local Settings\Application Data\iwmikkry.log
{49A21783-C39D-B603-C11E-00485360D01E}
{49A21782-C39D-B603-C11E-00485360D01E}
PeekNamedPipe
SetNamedPipeHandleState
WaitNamedPipeA
DisconnectNamedPipe
CreateNamedPipeA
ConnectNamedPipe
RegCloseKey
RegDeleteKeyA
RegEnumKeyExA
RegOpenKeyExA
RegQueryInfoKeyA
ExitWindowsEx
GetKeyboardState
.text
`.rdata
@.data
.reloc
|75001234
PR_xTCPSh
wsock32.dll
multipart/*boundary={*}application/x-www-form-urlencodedname="{*}"{*}hXXps://hXXp://
keywords
alluniqcontrolexplicitASCIIUTF8UNICODE{keyword}
set_url
WebFilters
WebDataFilters
WebFakes
|0123456789
gzipdeflateContent-Type: application/x-www-form-urlencoded
Tdomain=google.ru&cookies=enabled&reason=1&auth=false
Cookie: User-Agent-Session: Basic login: Basic password:

spoolsv.exe_1424_rwx_20590000_00037000:

Gh.logWj
h.logPj
tcPR
h.exe
user32.dll
kernel32.dll
|GetWindowsDirectoryA
{X-X-X-X-XX}
ntdll.dll
shlwapi.dll
SHDeleteKeyA
SOFTWARE\Microsoft\Windows\CurrentVersion
shell32.dll
?456789:;<=
!"#$%&'()* ,-./0123
ws2_32.dll
HTTP/*.*
/HTTPMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Referer: %s
Content-Type: multipart/form-data; boundary=%s
Content-Length: %d
Content-Disposition: form-data; name="%s"
--%s--
%s /%s HTTP/1.1
Host: %s
User-Agent: %s
%sAccept-Language: %s
HTTP/1.x 301 Moved Permanently
Server: Apache/2.2.14
advapi32.dll
%CommonProgramFiles%
\/*.*
winlogon.exe
csrss.exe
smss.exe
keyworddestination<
USER PASS
PORT
RapportGP.dll
csshiftjis
cswindows31j
iso_646.irv:1991
windows-1250
windows-1251
windows-1252
windows-1253
windows-1254
windows-1255
windows-1256
windows-1257
windows-1258
windows-874
hostuser-agentoptionsgetheadpostputdeletetraceacceptaccept-charsetaccept-encodingaccept-languageauthorizationexpectfromhostif-modified-sinceif-matchif-none-matchif-rangeif-unmodifiedsincemax-forwardsproxy-authorizationrangerefererteuser-agent100101200201202203204205206300301302303304305306307400401402403404405406407408409410411412413414415416417500501502503504505accept-rangesageetaglocationproxy-authenticatepublicretry-afterservervarywarningwww-authenticateallowcontent-basecontent-encodingcache-controlconnectiondatetrailertransfer-encodingupgradeviawarningcontent-languagecontent-lengthcontent-locationcontent-md5content-rangecontent-typeetagexpireslast-modifiedset-cookieMondayTuesdayWednesdayThursdayFridaySaturdaySundayJanFebMarAprMayJunJulAugSepOctNovDecchunkedtext/htmlimage/pngimage/jpgimage/gifapplication/xmlapplication/xhtmltext/plainpublicmax-agecharset=iso-8859-1utf-8gzipdeflateHTTP/1.1statusversionurl
HTTP/1.1
\\.\pipe\
gdiplus.dll
GdiplusShutdown
PTF://%s:%s@%s:%d/
pop3://%s:%s@%s:%d/
dnsapi.dll
wininet.dll
HttpOpenRequestA
HttpOpenRequestW
InternetOpenUrlA
InternetOpenUrlW
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
QZ .QZ hSZ B^Z ']Z
DeleteUrlCacheEntryW
HttpQueryInfoA
HttpQueryInfoW
GetUrlCacheEntryInfoW
HttpAddRequestHeadersA
HttpAddRequestHeadersW
urlmon.dll
UrlMkGetSessionOption
nss3.dll
PR_OpenTCPSocket
nspr4.dll
hXXps://hXXp://TE
{49A21781-C39D-B603-C11E-00485360D01E}
%Documents and Settings%\LocalService\Local Settings\Application Data\iwmikkry.log
{49A21783-C39D-B603-C11E-00485360D01E}
{49A21782-C39D-B603-C11E-00485360D01E}
PeekNamedPipe
SetNamedPipeHandleState
WaitNamedPipeA
DisconnectNamedPipe
CreateNamedPipeA
ConnectNamedPipe
RegCloseKey
RegDeleteKeyA
RegEnumKeyExA
RegOpenKeyExA
RegQueryInfoKeyA
ExitWindowsEx
GetKeyboardState
.text
`.rdata
@.data
.reloc
|75001234
PR_xTCPSh
wsock32.dll
multipart/*boundary={*}application/x-www-form-urlencodedname="{*}"{*}hXXps://hXXp://
keywords
alluniqcontrolexplicitASCIIUTF8UNICODE{keyword}
set_url
WebFilters
WebDataFilters
WebFakes
|0123456789
gzipdeflateContent-Type: application/x-www-form-urlencoded
Tdomain=google.ru&cookies=enabled&reason=1&auth=false
Cookie: User-Agent-Session: Basic login: Basic password:

jqs.exe_1640_rwx_20590000_00037000:

Gh.logWj
h.logPj
tcPR
h.exe
user32.dll
kernel32.dll
|GetWindowsDirectoryA
{X-X-X-X-XX}
ntdll.dll
shlwapi.dll
SHDeleteKeyA
SOFTWARE\Microsoft\Windows\CurrentVersion
shell32.dll
?456789:;<=
!"#$%&'()* ,-./0123
ws2_32.dll
HTTP/*.*
/HTTPMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Referer: %s
Content-Type: multipart/form-data; boundary=%s
Content-Length: %d
Content-Disposition: form-data; name="%s"
--%s--
%s /%s HTTP/1.1
Host: %s
User-Agent: %s
%sAccept-Language: %s
HTTP/1.x 301 Moved Permanently
Server: Apache/2.2.14
advapi32.dll
%CommonProgramFiles%
\/*.*
winlogon.exe
csrss.exe
smss.exe
keyworddestination<
USER PASS
PORT
RapportGP.dll
csshiftjis
cswindows31j
iso_646.irv:1991
windows-1250
windows-1251
windows-1252
windows-1253
windows-1254
windows-1255
windows-1256
windows-1257
windows-1258
windows-874
hostuser-agentoptionsgetheadpostputdeletetraceacceptaccept-charsetaccept-encodingaccept-languageauthorizationexpectfromhostif-modified-sinceif-matchif-none-matchif-rangeif-unmodifiedsincemax-forwardsproxy-authorizationrangerefererteuser-agent100101200201202203204205206300301302303304305306307400401402403404405406407408409410411412413414415416417500501502503504505accept-rangesageetaglocationproxy-authenticatepublicretry-afterservervarywarningwww-authenticateallowcontent-basecontent-encodingcache-controlconnectiondatetrailertransfer-encodingupgradeviawarningcontent-languagecontent-lengthcontent-locationcontent-md5content-rangecontent-typeetagexpireslast-modifiedset-cookieMondayTuesdayWednesdayThursdayFridaySaturdaySundayJanFebMarAprMayJunJulAugSepOctNovDecchunkedtext/htmlimage/pngimage/jpgimage/gifapplication/xmlapplication/xhtmltext/plainpublicmax-agecharset=iso-8859-1utf-8gzipdeflateHTTP/1.1statusversionurl
HTTP/1.1
\\.\pipe\
gdiplus.dll
GdiplusShutdown
PTF://%s:%s@%s:%d/
pop3://%s:%s@%s:%d/
dnsapi.dll
wininet.dll
HttpOpenRequestA
HttpOpenRequestW
InternetOpenUrlA
InternetOpenUrlW
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
QZ .QZ hSZ B^Z ']Z
DeleteUrlCacheEntryW
HttpQueryInfoA
HttpQueryInfoW
GetUrlCacheEntryInfoW
HttpAddRequestHeadersA
HttpAddRequestHeadersW
urlmon.dll
UrlMkGetSessionOption
nss3.dll
PR_OpenTCPSocket
nspr4.dll
hXXps://hXXp://TE
{49A21781-C39D-B603-C11E-00485360D01E}
%Documents and Settings%\LocalService\Local Settings\Application Data\iwmikkry.log
{49A21783-C39D-B603-C11E-00485360D01E}
{49A21782-C39D-B603-C11E-00485360D01E}
PeekNamedPipe
SetNamedPipeHandleState
WaitNamedPipeA
DisconnectNamedPipe
CreateNamedPipeA
ConnectNamedPipe
RegCloseKey
RegDeleteKeyA
RegEnumKeyExA
RegOpenKeyExA
RegQueryInfoKeyA
ExitWindowsEx
GetKeyboardState
.text
`.rdata
@.data
.reloc
|75001234
PR_xTCPSh
wsock32.dll
multipart/*boundary={*}application/x-www-form-urlencodedname="{*}"{*}hXXps://hXXp://
keywords
alluniqcontrolexplicitASCIIUTF8UNICODE{keyword}
set_url
WebFilters
WebDataFilters
WebFakes
|0123456789
gzipdeflateContent-Type: application/x-www-form-urlencoded
Tdomain=google.ru&cookies=enabled&reason=1&auth=false
Cookie: User-Agent-Session: Basic login: Basic password:


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    AdbeRdr1012_en_US.exe:2908
    verclsid.exe:3340
    verclsid.exe:3280
    verclsid.exe:3208
    U78n983:2324
    MsiExec.exe:2132
    MsiExec.exe:3836
    MsiExec.exe:432
    setup.exe:3420
    Adobe_Updater.exe:3104
    %original file name%.exe:1676
    csslisog.exe:1780
    csslisog.exe:3908

  3. Delete the original Backdoor file.
  4. Delete or disinfect the following files created/modified by the Backdoor:

    %Documents and Settings%\All Users\Application Data\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AA1000000001}\Data1.cab (895790 bytes)
    %Documents and Settings%\All Users\Application Data\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AA1000000001}\Setup.ini (498 bytes)
    %Documents and Settings%\All Users\Application Data\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AA1000000001}\AcroRead.msi (15021 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\25109\config.bin (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\25109\RDC.bin (114531 bytes)
    %Documents and Settings%\All Users\Application Data\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AA1000000001}\setup.exe (9595 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AdobeSFX.log (6393 bytes)
    %Documents and Settings%\All Users\Application Data\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AA1000000001}\AdbeRdrUpd1012.msp (115622 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\25109\installer.bin (286043 bytes)
    %Documents and Settings%\All Users\Application Data\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AA1000000001}\ABCPY.INI (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\csslisog.exe (1281 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\~1B.tmp (968 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{AC76BA86-7AD7-1033-7B44-A93000000001}\FixTransforms.exe (422180 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{AC76BA86-7AD7-1033-7B44-AA1000000001}\FixTransforms.exe (422180 bytes)
    %Documents and Settings%\%current user%\Favorites (4 bytes)
    %Program Files%\Common Files\System\ado\msadrh15.dll.new (114 bytes)
    %Program Files%\Common Files\System\directdb.dll.new (1202 bytes)
    %Program Files%\Common Files\System\Ole DB\msdaosp.dll (2854 bytes)
    %System%\dllcache\msdaenum.dll.new (8 bytes)
    %Program Files%\Common Files\System\Ole DB\msdaps.dll (4038 bytes)
    %Program Files%\Internet Explorer\Connection Wizard (12 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Acrobat\9.0\Updater\updater.log (10010 bytes)
    %Documents and Settings%\ALL USERS (4 bytes)
    %Program Files%\Common Files\VMware\Drivers\scsi (4 bytes)
    %System%\dllcache\msader15.dll.new (48 bytes)
    %Program Files%\Common Files\VMware\Drivers\Virtual Printer\TPOG3\i386 (4 bytes)
    %Documents and Settings%\All Users\Documents\My Music (4 bytes)
    %Program Files%\Common Files\System\Ole DB\msdaora.dll (4646 bytes)
    %System%\dllcache\dao360.dll (6722 bytes)
    %Program Files%\Common Files\Microsoft Shared\Speech\sapi.dll (20934 bytes)
    %Program Files%\Common Files\Java\JAVA UPDATE (4 bytes)
    %Program Files%\Common Files\System\wab32.dll (11654 bytes)
    %Program Files%\Internet Explorer\Connection Wizard\RCX16B.tmp (1429 bytes)
    %System%\dllcache\msaddsr.dll (48 bytes)
    %System%\dllcache\msdadc.dll (8 bytes)
    %Program Files%\Common Files\Adobe\ARM\1.0 (4 bytes)
    %Program Files%\Internet Explorer\Connection Wizard\inetwiz.exe (2566 bytes)
    %Program Files%\Common Files\System\msadc\msdarem.dll (4214 bytes)
    %Program Files%\Common Files\System\ado\msjro.dll (4056 bytes)
    %WinDir%\Temp\Perflib_Perfdata_668.dat (4 bytes)
    %Program Files%\Common Files\Adobe\Acrobat\ActiveX (4 bytes)
    %System%\dllcache\msdasc.dll.new (8 bytes)
    %Program Files%\Common Files\System\Ole DB\msdaora.dll.new (2562 bytes)
    %Program Files%\Common Files\System\msadc\msdfmap.dll (2638 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs (4 bytes)
    %Program Files%\Common Files\System\Ole DB\msdatl3.dll.new (1202 bytes)
    %Program Files%\Common Files\MSSoap\Binaries\Resources\1033\mssoapr.dll (23 bytes)
    %Documents and Settings%\%current user%\SendTo (4 bytes)
    %Program Files%\Common Files\System\Ole DB\sqloledb.dll (10886 bytes)
    %Program Files%\Common Files\System\ado\msado15.dll (10134 bytes)
    %WinDir%\Prefetch\PERL.EXE-28C02382.pf (1202 bytes)
    %Program Files%\Adobe\Reader 10.0\Reader\PLUG_INS3D (4 bytes)
    %Program Files%\Common Files\Microsoft Shared\DW (4 bytes)
    %System%\dllcache\msadcor.dll.new (32 bytes)
    %Program Files%\Internet Explorer\Connection Wizard\trialoc.dll (2566 bytes)
    C:\$Directory (4 bytes)
    %Program Files%\Internet Explorer\IEXPLORE.EXE (2854 bytes)
    %Program Files%\Common Files\System\msadc\msadcs.dll (2854 bytes)
    C:\PROGRAM FILES (4 bytes)
    %Program Files%\Common Files\System\msadc\msadco.dll.new (1346 bytes)
    %Program Files%\Common Files\System\Ole DB\oledb32.dll (5488 bytes)
    %Program Files%\Common Files\Microsoft Shared\Speech\sapisvr.exe (2638 bytes)
    %System%\config (100 bytes)
    %WinDir%\Installer\$PatchCache$\Managed (4 bytes)
    %Program Files%\Internet Explorer\Connection Wizard\icwhelp.dll (3552 bytes)
    %Program Files%\Common Files\VMware\Drivers\vmxnet3 (4 bytes)
    %Program Files%\Common Files\System\ado\msadomd.dll (5384 bytes)
    %Program Files%\Common Files\System\msadc\msadds.dll (4952 bytes)
    %Program Files%\Common Files\System\ado\msado15.dll.new (6722 bytes)
    %Program Files%\Common Files\System\Ole DB\sqlxmlx.dll (4646 bytes)
    %Program Files%\Common Files\MSSoap\Binaries\wisc10.dll (2566 bytes)
    %Program Files%\Common Files\System\msadc\msdarem.dll.new (1202 bytes)
    %System%\dllcache\fp4autl.dll (8370 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\mtjjyklc.log (4 bytes)
    %System%\dllcache\msdaorar.dll (32 bytes)
    %Program Files%\Internet Explorer\iedw.exe (2566 bytes)
    %Program Files%\Common Files\MSSoap\Binaries\mssoap1.dll (6600 bytes)
    %Program Files%\Internet Explorer\Connection Wizard\icwutil.dll (2854 bytes)
    %System%\config\SysEvent.Evt (4000 bytes)
    %Program Files%\COMMON FILES (12 bytes)
    %Program Files%\Common Files\SpeechEngines\Microsoft\TTS\1033\spttseng.dll (25656 bytes)
    %Program Files%\Internet Explorer\Connection Wizard\icwconn2.exe (4830 bytes)
    %Documents and Settings%\%current user%\APPLICATION DATA (4 bytes)
    %Program Files%\Common Files\Microsoft Shared\VGX\vgx.dll (15042 bytes)
    %Program Files%\Common Files\System\ado\msadox.dll (4038 bytes)
    %Program Files%\Common Files\System\Ole DB\msdaosp.dll.new (1202 bytes)
    %Program Files%\Common Files\Microsoft Shared\OFFICE14\1033 (4 bytes)
    %Program Files%\Adobe\Reader 10.0\Reader\plug_ins (4 bytes)
    %Program Files%\Common Files\System\msadc\msadcs.dll.new (106 bytes)
    %Program Files%\Common Files\MSSoap\Binaries\wisc10.dll.new (56 bytes)
    %Program Files%\Common Files\System\Ole DB\MSDAIPP.DLL (10886 bytes)
    %Program Files%\Internet Explorer\Connection Wizard\icwconn1.exe (4646 bytes)
    %Program Files%\Common Files\System\Ole DB\msdaps.dll.new (2562 bytes)
    %Program Files%\Common Files\System\Ole DB\msdasql.dll (6918 bytes)
    %Program Files%\Common Files\System\ado\msadox.dll.new (2562 bytes)
    %Program Files%\Common Files\SpeechEngines\Microsoft\spcommon.dll (4056 bytes)
    %Program Files%\Common Files\System\msadc\msadce.dll (6726 bytes)
    %Program Files%\Common Files\System\Ole DB\oledb32r.dll (65 bytes)
    %WinDir%\inf (400 bytes)
    %System%\dllcache\msdaer.dll.new (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\7fe17d887612.log (578 bytes)
    %Program Files%\Common Files\System\ado\msador15.dll (2968 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Updater6\aumLib.log (1203 bytes)
    %Program Files%\Common Files\System\msadc\msadcf.dll (2854 bytes)
    %Program Files%\Common Files\System\msadc\msdaprst.dll.new (2562 bytes)
    %Program Files%\Common Files\Microsoft Shared\Triedit\triedit.dll (1346 bytes)
    %Program Files%\Adobe\Reader 10.0\Resource (4 bytes)
    %Program Files%\Common Files\Microsoft Shared\MSInfo\msinfo32.exe (1440 bytes)
    %System%\dllcache\mssoapr.dll (48 bytes)
    %Program Files%\Common Files\VMware\Drivers\VIDEO_XPDM (4 bytes)
    %System%\dllcache\msdaprsr.dll.new (32 bytes)
    %Program Files%\Internet Explorer\Connection Wizard\icwdl.dll (2566 bytes)
    %Program Files%\Internet Explorer\HMMAPI.DLL (2566 bytes)
    %System%\dllcache\msdasqlr.dll (32 bytes)
    %Program Files%\Internet Explorer\Connection Wizard\isignup.exe (2566 bytes)
    C:\Config.Msi (868 bytes)
    %System%\dllcache\msdaremr.dll.new (32 bytes)
    %Program Files%\Common Files\Microsoft Shared\Triedit\TRIEDIT.DLL (872 bytes)
    %Program Files%\Common Files\System\Ole DB\RCX15F.tmp (3365 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Updater6\AdobeUpdaterPrefs.dat (1088 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Updater6\aum.log (2309 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Startup\swegbgid.exe (1281 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\kqmtqgym\swegbgid.exe (1281 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jyabgndb.exe (1281 bytes)

  5. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "SweGbgid" = "%Documents and Settings%\%current user%\Local Settings\Application Data\kqmtqgym\swegbgid.exe"

  6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  7. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2026 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now