Gen.Variant.Kazy.423280_f626ea0823
UDS:DangerousObject.Multi.Generic (Kaspersky), Gen:Variant.Kazy.423280 (B) (Emsisoft), Gen:Variant.Kazy.423280 (AdAware), mzpefinder_pcap_file.YR, SearchProtectToolbar.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Malware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: f626ea0823df77d84c95b5002fbbabe5
SHA1: 939a154ab1c5e2dd75c1fa245e28660620ed66d1
SHA256: 1b69546bf9bf2175372af9ab5b0a987dc6bcd709d2c4d8c519f0085d319537bf
SSDeep: 384:ZtfgYHcxbRqyHtRV1GWkJDAZubr99YRuzD1blESrUhxEMO:zg7lQyHDKRESrUhxE3
Size: 16896 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: no certificate found
Created at: 2014-08-05 00:35:54
Analyzed on: WindowsXP SP3 32-bit
Summary:
Malware. Malware, short for malicious software, is any software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems.
Payload
No specific payload has been found.
Process activity
The Malware creates the following process(es):
nsq12.exe:2780
cltmngui.exe:2936
nsm16.exe:3528
CltMngSvc.exe:2852
CltMngSvc.exe:2840
cltmng.exe:2924
nsj4.exe:1052
nsj4.exe:588
nsqC.tmp:2596
nwi1xfrt.h3a.exe:1968
The Malware injects its code into the following process(es):
%original file name%.exe:1392
Mutexes
The following mutexes were created/opened:
ZonesLockedCacheCounterMutex
ZonesCacheCounterMutex
ZonesCounterMutex
RasPbFile
ShimCacheMutex
File activity
The process nsq12.exe:2780 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsl14.tmp\inetc.dll (30 bytes)
The Malware deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsl14.tmp\a.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl14.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb13.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl14.tmp\inetc.dll (0 bytes)
The process cltmngui.exe:2936 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Application Data\SearchProtect\UI\rep\UIRepository.dat (1057 bytes)
The process nsm16.exe:3528 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsr18.tmp\inetc.dll (30 bytes)
The Malware deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsh17.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr18.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr18.tmp\a.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr18.tmp\inetc.dll (0 bytes)
The process CltMngSvc.exe:2852 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
%Program Files%\SearchProtect\Main\rep\SystemRepository.dat (9 bytes)
The process cltmng.exe:2924 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Application Data\SearchProtect\SearchProtect\rep\UserSettings.dat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\SearchProtect\SearchProtect\rep\UserRepository.dat (1751 bytes)
The Malware deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Application Data\SearchProtect\SearchProtect\STG\Init_15.tmp (0 bytes)
The process nsj4.exe:1052 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsy7.tmp (11152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy8.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy8.tmp\StubUtils.dll (9320 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsqC.txt (71 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy8.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsqC.tmp (434424 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\SPSetup[1].exe (434424 bytes)
The Malware deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsy8.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy8.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inet.txt2_M167B4029-C0F6-4111-93DA-0055D3CC0504_{341A4053-076E-4F2B-818E-EE372394AF53} (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy8.tmp\StubUtils.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsqC.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy8.tmp\System.dll (0 bytes)
The process nsj4.exe:588 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB.tmp\StubUtils.dll (9320 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsqA.tmp (11152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdD.txt (79 bytes)
The Malware deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsdD.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB.tmp\StubUtils.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inet.txt2_M167B4029-C0F6-4111-93DA-0055D3CC0504_{BC263492-E070-4AA7-B715-E0E9A2E4DEDC} (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa9.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB.tmp (0 bytes)
The process %original file name%.exe:1392 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nwi1xfrt.h3a.exe (18340 bytes)
The process nsqC.tmp:2596 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
%Program Files%\SearchProtect\UI\dialogs\Images\close-win-def.png (1 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\checkbox_checked.png (360 bytes)
%Program Files%\SearchProtect\UI\dialogs\settings\settings.js (11 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\bgUninstall.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\15.tmp (1 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\v.png (1 bytes)
%Program Files%\SearchProtect\SearchProtect\bin\SPVC64.dll (103387 bytes)
%Program Files%\SearchProtect\SearchProtect\bin\SPVC32.dll (287458 bytes)
%Program Files%\SearchProtect\EULA.txt (784 bytes)
%Program Files%\SearchProtect\UI\dialogs\protectionDS\protectionDS.html (2 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\Apply-onclick.png (2 bytes)
%Program Files%\SearchProtect\Main\bin\uninstall.exe (33747 bytes)
%Program Files%\SearchProtect\UI\dialogs\protectionDS\protectionDS.css (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\SearchProtect\SearchProtect\rep\UserRepository.dat (478 bytes)
%Program Files%\SearchProtect\UI\dialogs\uninstall\uninstall.css (5 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\menu-selected.png (3 bytes)
%Program Files%\SearchProtect\UI\dialogs\settings\defaults.js (1 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\radio-button2.png (886 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\btnSilver.png (1 bytes)
%Program Files%\SearchProtect\UI\dialogs\libs\main.js (10 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\checkbox.png (378 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\btnClose.png (933 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsuF.tmp (691196 bytes)
%Program Files%\SearchProtect\UI\dialogs\libs\json2.min.js (2 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\bgSettings.png (12 bytes)
%Program Files%\SearchProtect\SearchProtect\bin\SPTool64.exe (50351 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\hez-def.png (1 bytes)
%Program Files%\SearchProtect\UI\dialogs\libs\defaults.js (983 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\hez.png (256 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\close-win-over-click.png (1 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\radio-button.png (859 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\bg.png (784 bytes)
%Program Files%\SearchProtect\UI\dialogs\uninstall\defaults.js (1 bytes)
%Program Files%\SearchProtect\UI\bin\cltmngui.exe (100378 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\gray-bg.png (2 bytes)
%Program Files%\SearchProtect\UI\dialogs\style.css (7 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\bgSettingsDS.png (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu10.tmp\SPtool.dll (81046 bytes)
%Program Files%\SearchProtect\Main\bin\CltMngSvc.exe (97773 bytes)
%Program Files%\SearchProtect\SearchProtect\bin\cltmng.exe (170836 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\bg-uninstall.png (11 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\info-icon.png (424 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\browsers32.sdb (1 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\button-bg.png (1 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\icon-win.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq12.exe (5520 bytes)
%Program Files%\SearchProtect\UI\dialogs\uninstall\uninstall.js (5 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\radio-button-def.png (1 bytes)
%Program Files%\SearchProtect\UI\dialogs\libs\SPDialogAPI.js (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm16.exe (5520 bytes)
%Program Files%\SearchProtect\UI\dialogs\settings.html (8 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\bgNotif.png (9 bytes)
%Program Files%\SearchProtect\UI\dialogs\protection\protection.html (2 bytes)
%Program Files%\SearchProtect\UI\dialogs\settings\settings.html (12 bytes)
%Program Files%\SearchProtect\UI\dialogs\protection\defaults.js (1 bytes)
%Program Files%\SearchProtect\UI\dialogs\uninstall\uninstall.html (5 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\Settings-icon.png (1 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\bg-with-logo.png (1552 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\radio-button-selected.png (1 bytes)
%Program Files%\SearchProtect\UI\dialogs\protectionDS\protectionDS.js (7 bytes)
%Program Files%\SearchProtect\UI\dialogs\protection\protection.js (7 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\menu-rollover.png (1 bytes)
%Program Files%\SearchProtect\Main\rep\SystemRepository.dat (2225 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\text-field.png (1 bytes)
%Program Files%\SearchProtect\UI\dialogs\protection\protection.css (4 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\checkbox_def.png (274 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu10.tmp\inetc.dll (784 bytes)
%Program Files%\SearchProtect\UI\dialogs\libs\dialogUtils.js (1 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\btnBlue.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\ct3326582[1] (763 bytes)
%Program Files%\SearchProtect\Main\bin\SPTool.dll (81732 bytes)
%Program Files%\SearchProtect\UI\dialogs\libs\jquery.1.7.1.min.js (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv11.tmp (763 bytes)
%Program Files%\SearchProtect\SearchProtect\bin\SPVC32Loader.dll (6584 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\Apply-default.png (2 bytes)
%Program Files%\SearchProtect\UI\dialogs\settings\settings.css (8 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\Apply-Rollover.png (2 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\hez-selected.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu10.tmp\System.dll (11 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\x.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Program Files%\SearchProtect\UI\dialogs\protectionDS\defaults.js (1 bytes)
%Program Files%\SearchProtect\SearchProtect\bin\SPVC64Loader.dll (8560 bytes)
The Malware deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsu10.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu10.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu10.tmp\SPtool.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu10.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoE.tmp (0 bytes)
The process nwi1xfrt.h3a.exe:1968 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsr3.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\downloadstub[1] (52 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc2.tmp (7189 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj4.exe (11736 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp (52 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr3.tmp\MiniStubUtils.dll (7192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\spstub[1].exe (11736 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr3.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
The Malware deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsr3.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj4.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inet.txt1_M167B4029-C0F6-4111-93DA-0055D3CC0504 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr3.tmp\MiniStubUtils.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr3.tmp\inetc.dll (0 bytes)
Registry activity
The process nsq12.exe:2780 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsfB.tmp\, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsl14.tmp\,"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1F 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BE 88 B0 69 D8 12 04 2E DF D8 7B 27 C2 EA 7B 36"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Malware modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Malware modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Malware modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Malware deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process cltmngui.exe:2936 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 21 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B0 2B 76 BB 6B 07 1F 0F CA E3 11 8D DA 6E B4 71"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Malware modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Malware modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Malware modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Malware deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process nsm16.exe:3528 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsfB.tmp\, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsl14.tmp\, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsy8.tmp\, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsr18.tmp\,"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 22 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3F C9 A7 04 A3 86 5B 2E FA B5 DD A9 E6 95 4C 7D"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Malware modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Malware modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Malware modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Malware deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process CltMngSvc.exe:2852 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\LocalService\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\SearchProtect]
"TS" = "0"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 03 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\LocalService\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1F 1C 2E FD AB 70 4F 2D 82 50 13 13 4B 06 2B A4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\LocalService\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Malware modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
Proxy settings are disabled:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Malware modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Malware modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The Malware deletes the following value(s) in system registry:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoConfigURL"
"ProxyServer"
The process CltMngSvc.exe:2840 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2A D9 15 49 28 FB BC FA AE 6E 58 2E 6E B4 01 A9"
The process cltmng.exe:2924 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 20 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0D 92 F0 A4 55 D6 DA 58 3A 66 20 00 63 A9 52 B4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Malware modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Malware modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Malware modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Malware deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process nsj4.exe:1052 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsfB.tmp\, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsl14.tmp\, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsy8.tmp\,"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1C 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "75 96 20 19 C0 CD E2 7F 47 2D B9 01 6B DE 98 BB"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Malware modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Malware modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Malware modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Malware deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process nsj4.exe:588 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsfB.tmp\,"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "62 CF 54 A0 F9 2B 0D 83 08 A6 6E E1 CE AC 4A A7"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Malware modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Malware modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Malware modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Malware deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process %original file name%.exe:1392 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DC A0 2E 94 F8 1E EC 9D 8A 2D DB 1A 19 86 67 7C"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Temp]
"nwi1xfrt.h3a.exe" = "Search Protect"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Malware modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Malware modifies IE settings for security zones to map all URLs to the Intranet Zone:
"IntranetName" = "1"
The Malware modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process nsqC.tmp:2596 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsfB.tmp\,"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\SearchProtect]
"SPID" = "SPF8B1E6B3-90B2-4DFC-8D8B-2A44AAB80E5A"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs" = "C:\PROGRA~1\SearchProtect\SearchProtect\bin\SPVC32Loader.dll"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchProtect]
"Publisher" = "Client Connect LTD"
[HKLM\SOFTWARE\SearchProtect]
"Environment" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchProtect]
"UninstallString" = "C:\PROGRA~1\SearchProtect\Main\bin\uninstall.exe /S"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchProtect]
"DisplayVersion" = "2.16.20.192"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\SearchProtect]
"InstallDir" = "C:\PROGRA~1\SearchProtect"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchProtect]
"DisplayIcon" = "C:\PROGRA~1\SearchProtect\SearchProtect\bin\cltmng.exe"
"DisplayName" = "Search Protect"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "01 14 8D 8F 24 40 A2 67 32 75 FA 40 F7 CE 3C 88"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Malware modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Malware modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Malware modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Malware deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The Malware disables automatic startup of the application by deleting the following autorun value:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpUninstallCleanUp"
The process nwi1xfrt.h3a.exe:1968 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsfB.tmp\, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsl14.tmp\, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsy8.tmp\, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsr18.tmp\, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsr3.tmp\,"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D8 AF 0A C3 F5 35 C1 C8 AF 99 94 A2 DE 57 D4 58"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Malware modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Malware modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Malware modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Malware deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
| MD5 | File path |
|---|---|
| 02c162fd7706e887624dfcc410979355 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsm16.exe |
| 02c162fd7706e887624dfcc410979355 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsq12.exe |
| 81c1d94ffd2c170a86c4c0c7b183e9ef | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsqC.tmp |
| 0b813086a3400aafa1639d08823fbd46 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nwi1xfrt.h3a.exe |
| a90faa6449a4beca4466564510991bb1 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\spstub[1].exe |
| 81c1d94ffd2c170a86c4c0c7b183e9ef | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\SPSetup[1].exe |
| 49010923a074f8c93b0cbc10600187cd | c:\Program Files\SearchProtect\Main\bin\CltMngSvc.exe |
| 41ea3a902bcc76650664b8a10e4a1722 | c:\Program Files\SearchProtect\Main\bin\SPTool.dll |
| 75323751eb811da0bd13430d8cb81d83 | c:\Program Files\SearchProtect\Main\bin\uninstall.exe |
| fe7292c8fc7d1a0314a26e253af2254d | c:\Program Files\SearchProtect\SearchProtect\bin\SPTool64.exe |
| 95d43017acf77911d801bbda1125d428 | c:\Program Files\SearchProtect\SearchProtect\bin\SPVC32.dll |
| f303bf7e33c8e5ed667d751501981c63 | c:\Program Files\SearchProtect\SearchProtect\bin\SPVC32Loader.dll |
| 6c365122d30012d9316cd1dee0c005d4 | c:\Program Files\SearchProtect\SearchProtect\bin\SPVC64.dll |
| 9d0e94e14d5808cd42cf28b076f19fb1 | c:\Program Files\SearchProtect\SearchProtect\bin\SPVC64Loader.dll |
| 2875ed5399cd95ad378b35097311fb1e | c:\Program Files\SearchProtect\SearchProtect\bin\cltmng.exe |
| fcd5525df15e9f59707ae0cbe0d636c2 | c:\Program Files\SearchProtect\UI\bin\cltmngui.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name:
Product Name: RegistryReader32_64
Product Version: 1.0.0.0
Legal Copyright: Copyright (c) 2014
Legal Trademarks:
Original Filename: 37_3834e6081a.exe
Internal Name: 37_3834e6081a.exe
File Version: 1.0.0.0
File Description: RegistryReader32_64
Comments:
Language: English (United Kingdom)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 8192 | 13892 | 14336 | 3.5587 | 6736519f3b730b3482156d2bb98c0b9d |
| .rsrc | 24576 | 1400 | 1536 | 2.80562 | fdd2ec17b48dc57f10426d6774541e81 |
| .reloc | 32768 | 12 | 512 | 0.056519 | 465f944cce555ad1612ddb16788bec74 |
URLs
| URL | IP |
|---|---|
| hxxp://e9287.g.akamaiedge.net/sp-downloader.exe | |
| hxxp://jazz-1846647836.us-east-1.elb.amazonaws.com/ | |
| hxxp://e9287.g.akamaiedge.net/stub/spstub.exe | |
| hxxp://sp-download.va.spccint.com/download/CarrierId/ct3326582/CarrierVersion/DEFAULT/CarrierType/ctid/Brand/SP | |
| hxxp://e9287.g.akamaiedge.net/Installer/2.16.20.192/SPSetup.exe | |
| hxxp://spms-download.va.spccint.com/download/CarrierId/ct3326582/CarrierVersion/DEFAULT/CarrierType/ctid/Brand/SP | |
| hxxp://e3937.g.akamaiedge.net/spinstallersettings/2.16.20.192/test/ABTEST_SETTINGS_ID/carrierId/ct3326582 | |
| hxxp://sp-ip2location.va.spccint.com/ip/?client=sp | |
| hxxp://a1015.g1.akamai.net/UP/settings/?ctid=CT3326582&UM=&c=UA&DUM=2 | |
| hxxp://stats.getprivate.net/index.php/api/offer-status | |
| hxxp://sp-storage.spccinta.com/stub/spstub.exe | |
| hxxp://sp-storage.spccinta.com/sp-downloader.exe | |
| hxxp://orbtr-installer.databssint.com/ | |
| hxxp://sp-settings.spccint.com/spinstallersettings/2.16.20.192/test/ABTEST_SETTINGS_ID/carrierId/ct3326582 | |
| hxxp://sp-storage.spccinta.com/Installer/2.16.20.192/SPSetup.exe | |
| hxxp://c.api.seccint.com/UP/settings/?ctid=CT3326582&UM=&c=UA&DUM=2 | |
| hxxp://sp-download.spccint.com/download/CarrierId/ct3326582/CarrierVersion/DEFAULT/CarrierType/ctid/Brand/SP | |
| hxxp://sp-ip2location.spccint.com/ip/?client=sp | |
| hxxp://spms-download.spccint.com/download/CarrierId/ct3326582/CarrierVersion/DEFAULT/CarrierType/ctid/Brand/SP | |
| hxxp://sp-alive-msg.databssint.com/ | |
| hxxp://sp-usage.databssint.com/ | |
| hxxp://sp-installer.databssint.com/ | |
| servicemap.spccint.com | |
| c-sp-download.spccint.com | |
| sp-autoupdate.spccint.com | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers
Traffic
GET /download/CarrierId/ct3326582/CarrierVersion/DEFAULT/CarrierType/ctid/Brand/SP HTTP/1.1
Accept: application/sp-download-v2
User-Agent: NSIS_Inetc (Mozilla)
Host: spms-download.spccint.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Length: 79
Content-Type: application/json; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Sun, 17 Aug 2014 17:57:35 GMT
"http:\/\/spms-storage.spccint.com\/Installer\/0.0.0.0\/OrbiterInstaller.exe 1"
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: orbtr-installer.databssint.com
Content-Length: 695
Connection: Keep-Alive
Cache-Control: no-cache
{"event_type":"orbtr_Stub_Init", "installation_session_id":"M167B4029-C0F6-4111-93DA-0055D3CC0504", "environment":"", "command_line":"-carrier_type=ctid -carrier_id=ct3326582 -platform=all -startpage=true -defaultsearch=true -sessionid=M167B4029-C0F6-4111-93DA-0055D3CC0504 -downloadlength=2391 -EXT_ISID=false -orbiter", "download_length": "2391", "carrier_ID": "ct3326582", "carrier_type": "ctid", "carrier_version": "DEFAULT", "brand": "ORBTR", "EXT_ISID":"false","machine_ID":"9EKT4KIHYP05AIWKCMQN9NQXBR0OGZGUDWSPEVZXPXWQ6S2TD6LRCPJLMTQCFHUBKY67AOEAOT3MNTQYLME8MG","installer_version":"2.4.3.0", "OS_name":"Microsoft Windows XP Professional Service Pack 3 (build 2600)", "OS_version":"5.1"}
HTTP/1.1 202 Accepted
Date: Sun, 17 Aug 2014 17:59:05 GMT
P3P: CP="NOI ADM DEV COM NAV OUR STP"
Server: Apache-Coyote/1.1
Content-Length: 0
Connection: keep-alive
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: orbtr-installer.databssint.com
Content-Length: 895
Connection: Keep-Alive
Cache-Control: no-cache
{"event_type":"orbtr_Stub_DownloadComplete", "installation_session_id":"M167B4029-C0F6-4111-93DA-0055D3CC0504", "environment":"", "command_line":"-carrier_type=ctid -carrier_id=ct3326582 -platform=all -startpage=true -defaultsearch=true -sessionid=M167B4029-C0F6-4111-93DA-0055D3CC0504 -downloadlength=2391 -EXT_ISID=false -orbiter", "download_length": "2391", "carrier_ID": "ct3326582", "carrier_type": "ctid", "carrier_version": "DEFAULT", "brand": "ORBTR", "EXT_ISID":"false","machine_ID":"9EKT4KIHYP05AIWKCMQN9NQXBR0OGZGUDWSPEVZXPXWQ6S2TD6LRCPJLMTQCFHUBKY67AOEAOT3MNTQYLME8MG","installer_version":"2.4.3.0","result":"success","reason":"50" , "log":"10#", "OS_name":"Microsoft Windows XP Professional Service Pack 3 (build 2600)", "OS_version":"5.1", "Installer_download_time_sec":"1", "Installer_url":"hXXp://spms-storage.spccint.com/Installer/0.0.0.0/OrbiterInstaller.exe", "ExtraData":""}
HTTP/1.1 202 Accepted
Date: Sun, 17 Aug 2014 17:59:06 GMT
P3P: CP="NOI ADM DEV COM NAV OUR STP"
Server: Apache-Coyote/1.1
Content-Length: 0
Connection: keep-alive
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: orbtr-installer.databssint.com
Content-Length: 791
Connection: Keep-Alive
Cache-Control: no-cache
{"event_type":"orbtr_Stub_Complete", "installation_session_id":"M167B4029-C0F6-4111-93DA-0055D3CC0504", "environment":"", "command_line":"-carrier_type=ctid -carrier_id=ct3326582 -platform=all -startpage=true -defaultsearch=true -sessionid=M167B4029-C0F6-4111-93DA-0055D3CC0504 -downloadlength=2391 -EXT_ISID=false -orbiter", "download_length": "2391", "carrier_ID": "ct3326582", "carrier_type": "ctid", "carrier_version": "DEFAULT", "brand": "ORBTR", "EXT_ISID":"false","machine_ID":"9EKT4KIHYP05AIWKCMQN9NQXBR0OGZGUDWSPEVZXPXWQ6S2TD6LRCPJLMTQCFHUBKY67AOEAOT3MNTQYLME8MG","installer_version":"2.4.3.0","result":"success","reason":"50" , "log":"10#16#", "OS_name":"Microsoft Windows XP Professional Service Pack 3 (build 2600)", "OS_version":"5.1", "Installer_time_sec":"1", "ExtraData":""}
HTTP/1.1 202 Accepted
Date: Sun, 17 Aug 2014 17:59:07 GMT
P3P: CP="NOI ADM DEV COM NAV OUR STP"
Server: Apache-Coyote/1.1
Content-Length: 0
Connection: keep-alive
GET /stub/spstub.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: sp-storage.spccinta.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Last-Modified: Sun, 17 Aug 2014 20:51:56 GMT
Accept-Ranges: bytes
ETag: "8089503af264c1568a46208aea546eff"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 177352
Date: Sun, 17 Aug 2014 17:59:01 GMT
Connection: keep-alive
<<< skipped >>>
GET /ip/?client=sp HTTP/1.1
User-Agent: SearchProtect;2.16.20.192;Microsoft Windows XP;SPF8B1E6B3-90B2-4DFC-8D8B-2A44AAB80E5A
Accept: */*
Host: sp-ip2location.spccint.com
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 181
Content-Type: application/json; charset=text/plain
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Sun, 17 Aug 2014 17:59:39 GMT
{"Location":{"City":"KHARKIV","Country":"UKRAINE","CountryCode":"UA","IP":"193.138.244.231","Latitude":49.98081,"Longitude":36.25272,"Region":"KHARKIVS'KA OBLAST'"},"Language":"uk"}
GET /UP/settings/?ctid=CT3326582&UM=&c=UA&DUM=2 HTTP/1.1
User-Agent: SearchProtect;2.16.20.192;Microsoft Windows XP;SPF8B1E6B3-90B2-4DFC-8D8B-2A44AAB80E5A
Accept: */*
Host: c.api.seccint.com
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 3.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 4229
Cache-Control: private, max-age=3600
Expires: Sun, 17 Aug 2014 18:59:40 GMT
Date: Sun, 17 Aug 2014 17:59:40 GMT
Connection: keep-alive
{"GeneralId":null,"Ctid":"CT3326582","ProviderId":2,"ProviderName":"Bing","UserIP":"193.138.244.231","UserLanguage":"ru","ToolbarLanguage":"en","EntityLanguage":"en","CountryShortCode":"UA","IsUserRTL":false,"IsToolbarRTL":false,"IsEntityRTL":false,"ShowClientDialog":true,"HomePageUrl":"hXXp://VVV.trovi.com/?gd=&ctid=CT3326582&octid=EB_ORIGINAL_CTID&ISID=ISID_ID&SearchSource=55&CUI=SB_CUI&UM=6&UP=UP_ID","IsCustomizedHomepage":false,"HomePageButtonUrl":"hXXp://VVV.trovi.com/?gd=&ctid=CT3326582&octid=EB_ORIGINAL_CTID&ISID=ISID_ID&SearchSource=55&CUI=SB_CUI&UM=6&UP=UP_ID&SAT=HPB","UM":"","SearchDomain":"VVV.trovi.com","ToolbarSearchBox":{"History":{"IsEnabled":true,"Position":1,"MaxAmount":5,"Label":{"Text":"History"}},"Verticals":[{"Name":"SearchImages","SearchUrl":"hXXp://VVV.trovi.com/?gd=&ctid=CT3326582&octid=EB_ORIGINAL_CTID&ISID=ISID_ID&SearchSource=67&SearchType=SearchImages&CUI=SB_CUI&UM=6&UP=UP_ID&q=UCM_SEARCH_TERM","EmptySearchUrl":"hXXp://VVV.trovi.com/?gd=&ctid=CT3326582&octid=EB_ORIGINAL_CTID&ISID=ISID_ID&SearchSource=67&SearchType=SearchImages&CUI=SB_CUI&UM=6&UP=UP_ID"}],"EmptySearchUrl":"hXXp://VVV.trovi.com/?gd=&ctid=CT3326582&octid=EB_ORIGINAL_CTID&ISID=ISID_ID&SearchSource=67&CUI=SB_CUI&UM=6&UP=UP_ID","SearchUrl":"hXXp://VVV.trovi.com/Results.aspx?gd=&ctid=CT3326582&octid=EB_ORIGINAL_CTID&ISID=ISID_ID&SearchSource=67&CUI=SB_CUI&UM=6&UP=UP_ID&q=UCM_SEARCH_TERM","Suggest":{"SearchResultsUrl":"hXXp://VVV.trovi.com/Results.aspx?gd=&ctid=CT3326582&octid=EB_ORIGINAL_CTID&ISID=ISID_ID&SearchSource=67&Su<<< skipped >>>
GET /sp-downloader.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/20100101 Firefox/25.0
Host: sp-storage.spccinta.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Last-Modified: Sun, 17 Aug 2014 20:40:02 GMT
Accept-Ranges: bytes
ETag: "32b94cf0ed04298eaab31147eadd7760"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 145928
Date: Sun, 17 Aug 2014 17:58:57 GMT
Connection: keep-alive
<<< skipped >>>
POST /index.php/api/offer-status HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: stats.getprivate.net
Content-Length: 93
Expect: 100-continue
Connection: Close
HTTP/1.1 100 Continue
....
offer_id=37&offer_status=1&uuid=e7ce410a-9ebd-6dcd-a5c5-0ca79de2da61&screen_number=-1&src=upd
HTTP/1.1 200 OK
Server: nginx
Content-Type: application/json
Connection: close
X-Powered-By: PHP/5.4.4-14 deb7u8
Cache-Control: no-cache
Date: Sun, 17 Aug 2014 17:59:58 GMT
X-Frame-Options: SAMEORIGIN
Set-Cookie: laravel_session=eyJpdiI6InNSK3g1OTBpNDluY0hRK1VsK0ZDYnhDQURYTDMrSmdjVDFna2JodG11dnM9IiwidmFsdWUiOiJlZmtUcHZlVTdHUmhaRFwvdjlEU01qRDlIVUVFbWl4TDcxOUFlelU5QlFEUmRoT3pheXdrYmoxcFhKYWp1eThcL2JiSXFkcHQwblU0VmxJVkNDcUR4XC9jZz09IiwibWFjIjoiZjllZDViNmY4MDI5OTkyNTQ4ZWE1ZmEyNzNmMmI0NDY3NTJkYmJiYmI1NzM3MjI1ODI0NTFmZmZiMDNkOGJjOCJ9; expires=Sun, 17-Aug-2014 19:59:58 GMT; path=/; httponly
"OK"
GET /spinstallersettings/2.16.20.192/test/ABTEST_SETTINGS_ID/carrierId/ct3326582 HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: sp-settings.spccint.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: application/json; charset=text/plain
Last-Modified: Thu, 07 Aug 2014 07:47:35 GMT
ETag: "7ace2b0a2d45a9208d14608e8a3fea78"
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 763
Cache-Control: private, max-age=900
Expires: Sun, 17 Aug 2014 18:14:30 GMT
Date: Sun, 17 Aug 2014 17:59:30 GMT
Connection: keep-alive
{"InstallerSettings":{"CHExtension_Id":null,"CHExtension_LandingPage":null,"CHExtension_Name":null,"DEFAULT_CMD":"-carrier_type=CTID -carrier_id=CT3331172 -Platform=all -startpage=true -defaultsearch=true -install_time_revert=true","DUM":"2","InstallSPPDriver":null,"IsAUAllowednoTB":"true","LOST_USERS":"false","PING":"false","SERVICE_LOST_USERS":null,"TbExternalAssetsEnable":"true","UNINSTALL_PING":"false"},"AbTestSettings":{"Experiment":"","Variant":"","TestParameter":""},"CarrierSettings":{"CHExtensionMode":"false","v_env":"true","v_env_10":"true","v_env_12":"false"},"signature":"PPJUtVBuf3mq4bSjHfCsPw0GVGgp99IghgIBJ9ghQyHjTCEGgcsEffb099GrCK7NwFnh16V1V6GO1QUTahcxWN9Saw2WlvY KWSHhWpPzWwBcHSyChLzrmENQcLwfqx00VEJYOFQfuJlUaRc7cOOrUha8SZCLWiPBJ6S2ajhIuA="}
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: sp-installer.databssint.com
Content-Length: 1080
Connection: Keep-Alive
Cache-Control: no-cache
{"event_type":"install_completed","SP_ID":"SPF8B1E6B3-90B2-4DFC-8D8B-2A44AAB80E5A","SP_version":"2.16.20.192","OS_name":"Microsoft Windows XP Professional Service Pack 3 (build 2600)","OS_version":"5.1","browser":"InternetExplorer","browser_version":"6.0.2900.5512","carrier_type":"ctid","carrier_ID":"CT3326582","carrier_version":"","carrier_userid":"","carrier_UM":"","machine_ID":"9EKT4KIHYP05AIWKCMQN9NQXBR0OGZGUDWSPEVZXPXWQ6S2TD6LRCPJLMTQCFHUBKY67AOEAOT3MNTQYLME8MG","hp_takeover":"true","other_takeover":"true","environment":"","sequence_timestamp":"1408298355903","profile_number":"1","user_number":"1", "installation_session_id":"M167B4029-C0F6-4111-93DA-0055D3CC0504", "download_length": 24359, "install_type": "install", "result": "success", "reason": "0","v_env_tests":{"10_ProcessesExists":"0","10_ModuleInjected":"0","10_FakeSPServiceParent":"0","12_ProcessesExists":"0","12_StatusKeyExists":"0"},"v_env_codes":{"10":"0","12":"0"},"channel_id": "", "brand": "SP" , "previous_brand":"", "brand_install_type":"cleanmachine","extra_info":"","Experiment":"","Variant":""}
HTTP/1.1 202 Accepted
Date: Sun, 17 Aug 2014 17:59:44 GMT
P3P: CP="NOI ADM DEV COM NAV OUR STP"
Server: Apache-Coyote/1.1
Content-Length: 0
Connection: keep-alive
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: sp-installer.databssint.com
Content-Length: 969
Connection: Keep-Alive
Cache-Control: no-cache
{"event_type":"install_start","SP_ID":"SPF8B1E6B3-90B2-4DFC-8D8B-2A44AAB80E5A","SP_version":"2.16.20.192","OS_name":"Microsoft Windows XP Professional Service Pack 3 (build 2600)","OS_version":"5.1","browser":"InternetExplorer","browser_version":"6.0.2900.5512","carrier_type":"ctid","carrier_ID":"CT3326582","carrier_version":"","carrier_userid":"","carrier_UM":"","machine_ID":"9EKT4KIHYP05AIWKCMQN9NQXBR0OGZGUDWSPEVZXPXWQ6S2TD6LRCPJLMTQCFHUBKY67AOEAOT3MNTQYLME8MG","hp_takeover":"true","other_takeover":"true","environment":"","sequence_timestamp":"1408298345543","profile_number":"1","user_number":"1", "installation_session_id":"M167B4029-C0F6-4111-93DA-0055D3CC0504", "download_length": 24359, "install_type": "install", "result": "SP_RESULT", "reason": "SP_FAIL_REASON","v_env_tests":"V_ENV_TESTS_ALIAS","v_env_codes":"V_ENV_CODES_ALIAS","channel_id": "", "brand": "SP" , "previous_brand":"", "brand_install_type":"","extra_info":"","Experiment":"","Variant":""}
HTTP/1.1 202 Accepted
Date: Sun, 17 Aug 2014 17:59:34 GMT
P3P: CP="NOI ADM DEV COM NAV OUR STP"
Server: Apache-Coyote/1.1
Content-Length: 0
Connection: keep-alive
GET /download/CarrierId/ct3326582/CarrierVersion/DEFAULT/CarrierType/ctid/Brand/SP HTTP/1.1
Accept: application/sp-download-v2
User-Agent: NSIS_Inetc (Mozilla)
Host: sp-download.spccint.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: application/json; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Sun, 17 Aug 2014 17:59:04 GMT
Content-Length: 71
"http:\/\/sp-storage.spccinta.com\/Installer\/2.16.20.192\/SPSetup.exe"
POST / HTTP/1.0
Content-Type: application/json
Accept: */*
Host: sp-usage.databssint.com
Content-Length: 417
Connection: Keep-Alive
Pragma: no-cache
{"SP_ID":"SPF8B1E6B3-90B2-4DFC-8D8B-2A44AAB80E5A","Experiment":"","Variant":"","oslocale":"","environment":"","OS_version":"5.1","OS_name":"Microsoft Windows XP","machine_ID":"9EKT4KIHYP05AIWKCMQN9NQXBR0OGZGUDWSPEVZXPXWQ6S2TD6LRCPJLMTQCFHUBKY67AOEAOT3MNTQYLME8MG","sequence_timestamp":"1408298348449","SP_version":"2.16.20.192","brand":"SP","action_type":"driver_first_enabled","result":"success","failure_reason":""}
HTTP/1.1 202 Accepted
Access-Control-Allow-Methods: GET,POST,HEAD,OPTIONS,PUT
Access-Control-Allow-Origin: *
Date: Sun, 17 Aug 2014 17:59:36 GMT
P3P: CP="NOI ADM DEV COM NAV OUR STP"
Server: Apache-Coyote/1.1
Content-Length: 0
Connection: keep-alive
POST / HTTP/1.1
Content-Type: application/json
Accept: */*
User-Agent: SearchProtect;2.16.20.192;Microsoft Windows XP;SPF8B1E6B3-90B2-4DFC-8D8B-2A44AAB80E5A
Host: sp-alive-msg.databssint.com
Content-Length: 461
Connection: Keep-Alive
Cache-Control: no-cache
{"SP_ID":"SPF8B1E6B3-90B2-4DFC-8D8B-2A44AAB80E5A","SP_version":"2.16.20.192","OS_name":"Microsoft Windows XP","OS_version":"5.1","install_date":"20140817","environment":"","machine_ID":"9EKT4KIHYP05AIWKCMQN9NQXBR0OGZGUDWSPEVZXPXWQ6S2TD6LRCPJLMTQCFHUBKY67AOEAOT3MNTQYLME8MG","Experiment":"","Variant":"","driver_enabled":"false","action_type":"alive","type":"","brand":"SP","carrier_ID":"ct3326582","browser":"InternetExplorer","browser_version":"6.0.2900.5512"}
HTTP/1.1 202 Accepted
Date: Sun, 17 Aug 2014 17:59:39 GMT
P3P: CP="NOI ADM DEV COM NAV OUR STP"
Server: Apache-Coyote/1.1
Content-Length: 0
Connection: keep-alive
GET /Installer/2.16.20.192/SPSetup.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: sp-storage.spccinta.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Last-Modified: Sun, 17 Aug 2014 20:53:28 GMT
Accept-Ranges: bytes
ETag: "30fa0875de550a8d5c8d3bc251a75073"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 6837632
Date: Sun, 17 Aug 2014 17:59:05 GMT
Connection: keep-alive
<<< skipped >>>
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: sp-installer.databssint.com
Content-Length: 677
Connection: Keep-Alive
Cache-Control: no-cache
{"event_type":"Stub_Init", "installation_session_id":"M167B4029-C0F6-4111-93DA-0055D3CC0504", "environment":"", "command_line":"-carrier_type=ctid -carrier_id=ct3326582 -platform=all -startpage=true -defaultsearch=true -sessionid=M167B4029-C0F6-4111-93DA-0055D3CC0504 -downloadlength=2391 -EXT_ISID=false", "download_length": "2391", "carrier_ID": "ct3326582", "carrier_type": "ctid", "carrier_version": "DEFAULT", "brand": "SP", "EXT_ISID":"false","machine_ID":"9EKT4KIHYP05AIWKCMQN9NQXBR0OGZGUDWSPEVZXPXWQ6S2TD6LRCPJLMTQCFHUBKY67AOEAOT3MNTQYLME8MG","installer_version":"2.4.3.0", "OS_name":"Microsoft Windows XP Professional Service Pack 3 (build 2600)", "OS_version":"5.1"}
HTTP/1.1 202 Accepted
Date: Sun, 17 Aug 2014 17:59:03 GMT
P3P: CP="NOI ADM DEV COM NAV OUR STP"
Server: Apache-Coyote/1.1
Content-Length: 0
Connection: keep-alive
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: sp-installer.databssint.com
Content-Length: 875
Connection: Keep-Alive
Cache-Control: no-cache
{"event_type":"Stub_DownloadComplete", "installation_session_id":"M167B4029-C0F6-4111-93DA-0055D3CC0504", "environment":"", "command_line":"-carrier_type=ctid -carrier_id=ct3326582 -platform=all -startpage=true -defaultsearch=true -sessionid=M167B4029-C0F6-4111-93DA-0055D3CC0504 -downloadlength=2391 -EXT_ISID=false", "download_length": "2391", "carrier_ID": "ct3326582", "carrier_type": "ctid", "carrier_version": "DEFAULT", "brand": "SP", "EXT_ISID":"false","machine_ID":"9EKT4KIHYP05AIWKCMQN9NQXBR0OGZGUDWSPEVZXPXWQ6S2TD6LRCPJLMTQCFHUBKY67AOEAOT3MNTQYLME8MG","installer_version":"2.4.3.0","result":"success","reason":"0" , "log":"10#6-0#", "OS_name":"Microsoft Windows XP Professional Service Pack 3 (build 2600)", "OS_version":"5.1", "Installer_download_time_sec":"25", "Installer_url":"hXXp://sp-storage.spccinta.com/Installer/2.16.20.192/SPSetup.exe", "ExtraData":""}
HTTP/1.1 202 Accepted
Date: Sun, 17 Aug 2014 17:59:28 GMT
P3P: CP="NOI ADM DEV COM NAV OUR STP"
Server: Apache-Coyote/1.1
Content-Length: 0
Connection: keep-alive
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: sp-installer.databssint.com
Content-Length: 782
Connection: Keep-Alive
Cache-Control: no-cache
{"event_type":"Stub_Complete", "installation_session_id":"M167B4029-C0F6-4111-93DA-0055D3CC0504", "environment":"", "command_line":"-carrier_type=ctid -carrier_id=ct3326582 -platform=all -startpage=true -defaultsearch=true -sessionid=M167B4029-C0F6-4111-93DA-0055D3CC0504 -downloadlength=2391 -EXT_ISID=false", "download_length": "2391", "carrier_ID": "ct3326582", "carrier_type": "ctid", "carrier_version": "DEFAULT", "brand": "SP", "EXT_ISID":"false","machine_ID":"9EKT4KIHYP05AIWKCMQN9NQXBR0OGZGUDWSPEVZXPXWQ6S2TD6LRCPJLMTQCFHUBKY67AOEAOT3MNTQYLME8MG","installer_version":"2.4.3.0","result":"success","reason":"0" , "log":"10#6-0#8#9-0-0#", "OS_name":"Microsoft Windows XP Professional Service Pack 3 (build 2600)", "OS_version":"5.1", "Installer_time_sec":"16", "ExtraData":""}
HTTP/1.1 202 Accepted
Date: Sun, 17 Aug 2014 17:59:44 GMT
P3P: CP="NOI ADM DEV COM NAV OUR STP"
Server: Apache-Coyote/1.1
Content-Length: 0
Connection: keep-alive
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: sp-installer.databssint.com
Content-Length: 417
Connection: Keep-Alive
Cache-Control: no-cache
{"event_type":"MiniStub_Init", "installation_session_id":"M167B4029-C0F6-4111-93DA-0055D3CC0504","environment":"", "command_line":"-carrier_type=ctid -carrier_id=ct3326582 -platform=all -startpage=true -defaultsearch=true", "EXT_ISID":"false", "carrier_ID":"ct3326582", "machine_ID":"9EKT4KIHYP05AIWKCMQN9NQXBR0OGZGUDWSPEVZXPXWQ6S2TD6LRCPJLMTQCFHUBKY67AOEAOT3MNTQYLME8MG", "installer_version":"1.1.2.4", "origin":""}
HTTP/1.1 202 Accepted
Date: Sun, 17 Aug 2014 17:58:59 GMT
P3P: CP="NOI ADM DEV COM NAV OUR STP"
Server: Apache-Coyote/1.1
Content-Length: 0
Connection: keep-alive
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: sp-installer.databssint.com
Content-Length: 457
Connection: Keep-Alive
Cache-Control: no-cache
{"event_type":"MiniStub_Complete", "installation_session_id":"M167B4029-C0F6-4111-93DA-0055D3CC0504","environment":"", "command_line":"-carrier_type=ctid -carrier_id=ct3326582 -platform=all -startpage=true -defaultsearch=true", "EXT_ISID":"false", "carrier_ID":"ct3326582", "machine_ID":"9EKT4KIHYP05AIWKCMQN9NQXBR0OGZGUDWSPEVZXPXWQ6S2TD6LRCPJLMTQCFHUBKY67AOEAOT3MNTQYLME8MG", "installer_version":"1.1.2.4", "origin":"", "result":"success", "reason": "0" }
HTTP/1.1 202 Accepted
Date: Sun, 17 Aug 2014 17:59:44 GMT
P3P: CP="NOI ADM DEV COM NAV OUR STP"
Server: Apache-Coyote/1.1
Content-Length: 0
Connection: keep-alive
The Malware connects to the servers at the following location(s):
.text
`.rdata
@.data
.rsrc
@.reloc
.EKSWU
\$$;\$0|
DlSHA512 block transform for x86, CRYPTOGAMS by <appro@openssl.org>
Camellia for x86 by <appro@openssl.org>
AES for Intel AES-NI, CRYPTOGAMS by <appro@openssl.org>
6-9'6-9'
$6.:$6.:
*?#1*?#1
>8$4,8$4,
AES for x86, CRYPTOGAMS by <appro@openssl.org>
RC4 for x86, CRYPTOGAMS by <appro@openssl.org>
Montgomery Multiplication for x86, CRYPTOGAMS by <appro@openssl.org>
SHA1 block transform for x86, CRYPTOGAMS by <appro@openssl.org>
SHA256 block transform for x86, CRYPTOGAMS by <appro@openssl.org>
GHASH for x86, CRYPTOGAMS by <appro@openssl.org>
GF(2^m) Multiplication for x86, CRYPTOGAMS by <appro@openssl.org>
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
0123456789-
%b %d %H : %M : %S %Y
%m / %d / %y
%I : %M : %S %p
%d / %m / %y
boost thread: trying joining itself
Local\{C15730E2-145C-4c5e-B005-3BC753F42475}-once-flag
Visual C++ CRT: Not enough memory to complete call to strerror.
Operation not permitted
Inappropriate I/O control operation
Broken pipe
operator
GetProcessWindowStation
kernel32.dll
left-curly-bracket
right-curly-bracket
RSA part of OpenSSL 1.0.1e 11 Feb 2013
SHA-512 part of OpenSSL 1.0.1e 11 Feb 2013
ssl_sess_cert
ssl_cert
evp_pkey
x509_pkey
%s(%d): OpenSSL internal error, assertion failed: %s
passed a null parameter
DSO support routines
x509 certificate routines
?456789:;<=
!"#$%&'()* ,-./0123
Big Number part of OpenSSL 1.0.1e 11 Feb 2013
pubkey
PEM part of OpenSSL 1.0.1e 11 Feb 2013
enc_key
key_enc_algor
cert
d.encrypted
d.digest
d.signed_and_enveloped
d.enveloped
d.sign
d.data
d.other
NETSCAPE_CERT_SEQUENCE
certs
X509_PUBKEY
public_key
.\crypto\asn1\x_pubkey.c
DSA part of OpenSSL 1.0.1e 11 Feb 2013
priv_key
pub_key
.\crypto\ec\ec_key.c
EC_PRIVATEKEY
publicKey
privateKey
value.implicitlyCA
value.parameters
value.named_curve
p.char_two
p.prime
p.ppBasis
p.tpBasis
p.onBasis
p.other
Any Extended Key Usage
anyExtendedKeyUsage
supportedAlgorithms
crossCertificatePair
certificateRevocationList
cACertificate
userCertificate
userPassword
supportedApplicationContext
Microsoft Local Key set
LocalKeySet
id-Gost28147-89-None-KeyMeshing
id-Gost28147-89-CryptoPro-KeyMeshing
password based MAC
id-PasswordBasedMAC
X509v3 Certificate Issuer
certificateIssuer
certicom-arc
Proxy Certificate Information
proxyCertInfo
Microsoft Smartcardlogin
msSmartcardLogin
joint-iso-itu-t
JOINT-ISO-ITU-T
set-rootKeyThumb
setAttr-Cert
setCext-cCertRequired
setCext-certType
setct-CertResTBE
setct-CertReqTBEX
setct-CertReqTBE
setct-AcqCardCodeMsgTBE
setct-CertInqReqTBS
setct-CertResData
setct-CertReqTBS
setct-CertReqData
setct-PCertResTBS
setct-PCertReqData
setct-AcqCardCodeMsg
certificate extensions
set-certExt
set-msgExt
id-ecPublicKey
id-cmc-confirmCertAcceptance
id-cmc-getCert
id-regInfo-certReq
id-regCtrl-protocolEncrKey
id-regCtrl-oldCertID
id-it-revPassphrase
id-it-keyPairParamRep
id-it-keyPairParamReq
id-it-unsupportedOIDs
id-it-caKeyUpdateInfo
id-it-encKeyPairTypes
id-it-signKeyPairTypes
id-it-caProtEncCert
id-mod-attribute-cert
id-mod-qualified-cert-93
id-mod-qualified-cert-88
id-smime-aa-ets-certCRLTimestamp
id-smime-aa-ets-certValues
id-smime-aa-ets-CertificateRefs
id-smime-aa-ets-otherSigCert
id-smime-aa-smimeEncryptCerts
id-smime-aa-signingCertificate
id-smime-aa-encrypKeyPref
id-smime-aa-msgSigDigest
id-smime-ct-publishCert
id-smime-mod-msg-v3
sdsiCertificate
x509Certificate
localKeyID
certBag
pkcs8ShroudedKeyBag
keyBag
pbeWithSHA1And2-KeyTripleDES-CBC
pbeWithSHA1And3-KeyTripleDES-CBC
TLS Web Client Authentication
TLS Web Server Authentication
X509v3 Extended Key Usage
extendedKeyUsage
X509v3 Authority Key Identifier
authorityKeyIdentifier
X509v3 Certificate Policies
certificatePolicies
X509v3 Private Key Usage Period
privateKeyUsagePeriod
X509v3 Key Usage
keyUsage
X509v3 Subject Key Identifier
subjectKeyIdentifier
Netscape Certificate Sequence
nsCertSequence
Netscape CA Policy Url
nsCaPolicyUrl
Netscape Renewal Url
nsRenewalUrl
Netscape CA Revocation Url
nsCaRevocationUrl
Netscape Revocation Url
nsRevocationUrl
Netscape Base Url
nsBaseUrl
Netscape Cert Type
nsCertType
Netscape Certificate Extension
nsCertExt
extendedCertificateAttributes
challengePassword
dhKeyAgreement
%'%1%=%C%K%O%s%
.%.-.3.7.9.?.W.[.o.y.
C%C'C3C7C9COCWCiC
RAND part of OpenSSL 1.0.1e 11 Feb 2013
You need to read the OpenSSL FAQ, hXXp://VVV.openssl.org/support/faq.html
lhash part of OpenSSL 1.0.1e 11 Feb 2013
Stack part of OpenSSL 1.0.1e 11 Feb 2013
Diffie-Hellman part of OpenSSL 1.0.1e 11 Feb 2013
value.single
value.set
EVP part of OpenSSL 1.0.1e 11 Feb 2013
name.relativename
name.fullname
certificateHold
Certificate Hold
cessationOfOperation
Cessation Of Operation
keyCompromise
Key Compromise
%*s%s:
%*sOnly Attribute Certificates
%*sOnly CA Certificates
%*sOnly User Certificates
ASN.1 part of OpenSSL 1.0.1e 11 Feb 2013
d.registeredID
d.iPAddress
d.uniformResourceIdentifier
d.ediPartyName
d.directoryName
d.dNSName
d.rfc822Name
d.otherName
AUTHORITY_KEYID
keyid
cert_info
PKCS8_PRIV_KEY_INFO
pkey
pkeyalg
EC part of OpenSSL 1.0.1e 11 Feb 2013
USER32.DLL
NETAPI32.DLL
KERNEL32.DLL
ADVAPI32.DLL
.\crypto\dh\dh_key.c
%s: (%d bit)
Public-Key
Private-Key
recommended-private-length: %d bits
public-key:
private-key:
PKCS#3 DH Public-Key
PKCS#3 DH Private-Key
Public-Key: (%d bit)
Private-Key: (%d bit)
SHA1 part of OpenSSL 1.0.1e 11 Feb 2013
SHA-256 part of OpenSSL 1.0.1e 11 Feb 2013
RIPE-MD160 part of OpenSSL 1.0.1e 11 Feb 2013
SHA part of OpenSSL 1.0.1e 11 Feb 2013
MD5 part of OpenSSL 1.0.1e 11 Feb 2013
MD4 part of OpenSSL 1.0.1e 11 Feb 2013
AES part of OpenSSL 1.0.1e 11 Feb 2013
CAST part of OpenSSL 1.0.1e 11 Feb 2013
Blowfish part of OpenSSL 1.0.1e 11 Feb 2013
:RC2 part of OpenSSL 1.0.1e 11 Feb 2013
IDEA part of OpenSSL 1.0.1e 11 Feb 2013
libdes part of OpenSSL 1.0.1e 11 Feb 2013
DES part of OpenSSL 1.0.1e 11 Feb 2013
\X
ddddddZ
ddddddZ
%d.%d.%d.%d
<unsupported>
IP Address:%d.%d.%d.%d
URI:%s
DNS:%s
email:%s
EdiPartyName:<unsupported>
X400Name:<unsupported>
othername:<unsupported>
%d.%d.%d.%d/%d.%d.%d.%d
X509_CERT_PAIR
X509_CERT_AUX
X.509 part of OpenSSL 1.0.1e 11 Feb 2013
x%s
%s - d:d:d%.*s %d%s
keylen <= sizeof key
EVP_CIPHER_key_length(cipher) <= (int)sizeof(md_tmp)
ECDSA part of OpenSSL 1.0.1e 11 Feb 2013
Basis Type: %s
Field Type: %s
ASN1 OID: %s
%s %s%lu (%s0x%lx)
'() ,-./:=?
Verifying - %s
%*sPolicy Text: %s
%*scrlUrl:
EXTENDED_KEY_USAGE
%*sZone: %s, User:
.\crypto\x509v3\v3_akey.c
d.usernotice
d.cpsuri
CERTIFICATEPOLICIES
%*sExplicit Text: %s
%*sNumber%s:
%*sOrganization: %s
%*sCPS: %s
PKEY_USAGE_PERIOD
keyCertSign
Certificate Sign
keyAgreement
Key Agreement
keyEncipherment
Key Encipherment
.\crypto\x509v3\v3_skey.c
CONF part of OpenSSL 1.0.1e 11 Feb 2013
PROXY_CERT_INFO_EXTENSION
hexkey
rsa_keygen_pubexp
rsa_keygen_bits
keylength
keyfunc
len>=0 && len<=(int)sizeof(ctx->key)
j <= (int)sizeof(ctx->key)
.\crypto\pkcs12\p12_key.c
d.receiptList
d.allOrFirstTier
d.compressedData
d.authenticatedData
d.encryptedData
d.digestedData
d.envelopedData
d.signedData
d.ori
d.pwri
d.kekri
d.kari
d.ktri
CMS_PasswordRecipientInfo
keyDerivationAlgorithm
keyIdentifier
CMS_KeyAgreeRecipientInfo
recipientEncryptedKeys
CMS_OriginatorIdentifierOrKey
d.originatorKey
CMS_OriginatorPublicKey
CMS_RecipientEncryptedKey
CMS_KeyAgreeRecipientIdentifier
d.rKeyId
CMS_RecipientKeyIdentifier
CMS_OtherKeyAttribute
keyAttr
keyAttrId
CMS_KeyTransRecipientInfo
encryptedKey
keyEncryptionAlgorithm
certificates
d.crl
d.subjectKeyIdentifier
d.issuerAndSerialNumber
CMS_CertificateChoices
d.v2AttrCert
d.v1AttrCert
d.extendedCertificate
d.certificate
CMS_OtherCertificateFormat
otherCert
otherCertFormat
crlUrl
certStatus
certId
OCSP_CERTSTATUS
value.unknown
value.revoked
value.good
value.byKey
value.byName
reqCert
OCSP_CERTID
issuerKeyHash
CONF_def part of OpenSSL 1.0.1e 11 Feb 2013
[[%s]]
[%s] %s=%s
ECDH part of OpenSSL 1.0.1e 11 Feb 2013
value.bag
value.safes
value.shkeybag
value.keybag
value.sdsicert
value.x509cert
value.other
%s.dll
C:\Build\117\Search Protector\SP-2.16.20-Production\Sources\3rdParty\Boost\boost_1_55_0\boost/exception/detail/exception_ptr.hpp
KEYWORDS
KEYWORD
CREATE TABLE ItemTable (key TEXT UNIQUE ON CONFLICT REPLACE, value TEXT NOT NULL ON CONFLICT FAIL);
insert into ItemTable (key, value) VALUES ('%s', '%s');
C:\Build\117\Search Protector\SP-2.16.20-Production\Sources\3rdParty\google\gtest\gtest-1.6.0\include\gtest/internal/gtest-port.h
\StringFileInfo\xx\%s
Module %d
%d/%d/%d d:d:d
(more frames truncated from call stack report)
File Size: %-10d File Time: %s
Checksum: 0xx Time Stamp: 0xx
Image Base: 0xx Image Size: 0xx
FileDesc: %s
Product: %s
Company: %s
ProdVer: %d.%d.%d.%d
FileVer: %d.%d.%d.%d
Windows Vista
Windows Server 2008
Windows 8
Windows Server 2012
Windows 7
Windows Server 2008 R2
Windows 9
Web Edition
Windows Server 9
Windows XP
(build %d)
Windows 2000
Error occurred at %s.
This sample does not support this version of Windows.
%d processor(s), type %d.
Operating system: Could not Determine
Operating system: %s
%d MBytes paging file.
%d MBytes physical memory free.
%d%% memory in use.
%d MBytes user address space free.
Windows Storage Server 2003
Windows Server 2003 R2
Web Server Edition
%d MBytes user address space.
Windows Server 2003
Windows XP Professional x64 Edition
a Float Denormal Operand
Windows Home Server
a Float Invalid Operation
%d MBytes paging file free.
%d MBytes physical memory.
0xx:
EDI: 0xx ESI: 0xx EAX: 0xx
%s\CRASH_REPORT_%s.txt
EFlags: 0xx ESP: 0xx SegSs: 0xx
EIP: 0xx EBP: 0xx SegCs: 0xx
EBX: 0xx ECX: 0xx EDX: 0xx
%s caused %s (0xx)
in module %s at x:x.
%s location x caused an access violation.
%s\CRASH_DUMP_%s.dmp
===== [end of %s] =====
Error creating dump file, err=%d
Exception code is 0xX
Crash dump file: %s
Crash report file :%s
P%d_T%d_Dld_ld_ld_Tld_ld_ld
code: %x
code: %x, addr: %x, module: %s
00:00:00.
NtQueryKey
%s 0x%I64x %s [file:%s(%u)]
PTF://
hXXps://
hXXp://
[%u, 0xx] %s
wininet.dll
https
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
request HttpSendRequestA failed...
Content-Length: %u
response failed...last error %d
1.1.3
gen_codes: max_code %d
code %d bits %d->%d
bl code -
opt %lu(%lu) stat %lu(%lu) stored %lu lit %u dist %u
last_lit %u, last_dist %u, in %ld, out ~%ld(%ld%%)
SQLite format 3
REINDEXEDESCAPEACHECKEYBEFOREIGNOREGEXPLAINSTEADDATABASELECTABLEFTHENDEFERRABLELSEXCEPTRANSACTIONATURALTERAISEXCLUSIVEXISTSAVEPOINTERSECTRIGGEREFERENCESCONSTRAINTOFFSETEMPORARYUNIQUERYATTACHAVINGROUPDATEBEGINNERELEASEBETWEENOTNULLIKECASCADELETECASECOLLATECREATECURRENT_DATEDETACHIMMEDIATEJOINSERTMATCHPLANALYZEPRAGMABORTVALUESVIRTUALIMITWHENWHERENAMEAFTEREPLACEANDEFAULTAUTOINCREMENTCASTCOLUMNCOMMITCONFLICTCROSSCURRENT_TIMESTAMPRIMARYDEFERREDISTINCTDROPFAILFROMFULLGLOBYIFISNULLORDERESTRICTOUTERIGHTROLLBACKROWUNIONUSINGVACUUMVIEWINITIALLY_\
CREATE TABLE sqlite_master(
sql text
3.7.16
CREATE TEMP TABLE sqlite_temp_master(
boost::too_few_args: format-string referred to more arguments than were passed
boost::too_many_args: format-string referred to less arguments than were passed
Content-Disposition: form-data; name="%s"
Content-Disposition: form-data; name="%s"; filename="%s"
SQLITE_
d-d-d d:d:d
d:d:d
d-d-d
failed to allocate %u bytes of memory
failed memory resize %u to %u bytes
922337203685477580
API call with %s database connection pointer
RowKey
GetProcessHeap
os_win.c:%d: (%d) %s(%s) - %s
delayed %dms for lock/sharing conflict
OsError 0x%x (%u)
%s-shm
%s\etilqs_
%s\%s
cannot limit WAL size: %s
Recovered %d frames from WAL file %s
invalid page number %d
2nd reference to page %d
%d of %d pages missing from overflow list starting at %d
failed to get page %d
Failed to read ptrmap key=%d
Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d)
unable to get the page. error code=%d
btreeInitPage() returns error code %d
freelist leaf count too big on page %d
Page %d:
On page %d at right child:
On tree page %d cell %d:
Fragmentation of %d bytes reported as %d on page %d
Corruption detected in cell %d on page %d
Multiple uses for byte %d of page %d
Pointer map page %d is referenced
Outstanding page count goes from %d to %d during this analysis
Page %d is never used
unknown database %s
keyinfo(%d
%s(%d)
MJ collide: %s
-mjX9X
%s-mjXXXXXX9XXz
MJ delete: %s
foreign key constraint failed
unable to use function %s in the requested context
bind on a busy prepared statement: [%s]
zeroblob(%d)
cannot open savepoint - SQL statements in progress
no such savepoint: %s
abort at %d in [%s]: %s
constraint failed at %d in [%s]
cannot release savepoint - SQL statements in progress
cannot commit transaction - SQL statements in progress
sqlite_temp_master
sqlite_master
SELECT name, rootpage, sql FROM '%q'.%s WHERE %s ORDER BY rowid
statement aborts at %d: [%s] %s
cannot change %s wal mode from within a transaction
database table is locked: %s
cannot open value of type %s
no such column: "%s"
foreign key
cannot open virtual table: %s
cannot open view: %s
indexed
cannot open %s column for writing
%s: %s.%s.%s
misuse of aliased aggregate %s
not authorized to use function: %s
%s: %s.%s
%s: %s
%r %s BY term out of range - should be between 1 and %d
too many terms in %s BY clause
too many SQL variables
too many columns in %s
Expression tree is too large (maximum depth %d)
variable number must be between ?1 and ?%d
EXECUTE %s%s SUBQUERY %d
misuse of aggregate: %s()
%.*s"%w"%s
%s%.*s"%w"
sqlite_rename_parent
sqlite_rename_table
sqlite_rename_trigger
sqlite_
%s OR name=%Q
type='trigger' AND (%s)
view %s may not be altered
UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
table %s may not be altered
there is already another table or index with this name: %s
UPDATE "%w".sqlite_sequence set name = %Q WHERE name = %Q
UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d 18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
sqlite_sequence
Cannot add a PRIMARY KEY column
UPDATE "%w".%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d) WHERE type = 'table' AND name = %Q
CREATE TABLE %Q.%s(%s)
sqlite_altertab_%s
sqlite_stat1
DELETE FROM %Q.%s WHERE %s=%Q
SELECT tbl,idx,stat FROM %Q.sqlite_stat1
invalid name: "%s"
database %s is already in use
too many attached databases - max %d
no such database: %s
cannot detach database %s
unable to open database: %s
sqlite_detach
sqlite_attach
database %s is locked
access to %s.%s.%s is prohibited
access to %s.%s is prohibited
%s %T cannot reference objects in database %s
object name reserved for internal use: %s
duplicate column name: %s
default value of column [%s] is not constant
there is already an index named %s
too many columns on %s
AUTOINCREMENT is only allowed on an INTEGER PRIMARY KEY
table "%s" has more than one primary key
UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d
CREATE TABLE %Q.sqlite_sequence(name,seq)
CREATE %s %.*s
view %s is circularly defined
UPDATE %Q.%s SET rootpage=%d WHERE #%d AND rootpage=#%d
DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'
sqlite_stat
sqlite_stat%d
DELETE FROM %Q.sqlite_sequence WHERE name=%Q
use DROP VIEW to delete view %s
foreign key on %s should reference only one column of table %T
table %s may not be dropped
use DROP TABLE to delete table %s
indexed columns are not unique
number of columns in foreign key does not match the number of columns in the referenced table
unknown column "%s" in foreign key definition
views may not be indexed
virtual tables may not be indexed
table %s may not be indexed
sqlite_autoindex_%s_%d
table %s has no column named %s
there is already a table named %s
index %s already exists
CREATE%s INDEX %.*s
no such index: %S
index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped
INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
a JOIN clause is required before %s
DELETE FROM %Q.%s WHERE name=%Q AND type='index'
no such collation sequence: %s
table %s may not be modified
unable to identify the object to be reindexed
cannot modify %s because it is a view
sqlite_source_id
sqlite_log
sqlite_version
sqlite_compileoption_used
sqlite_compileoption_get
foreign key mismatch - "%w" referencing "%w"
table %S has no column named %s
table %S has %d columns but %d values were supplied
%d values for %d columns
PRIMARY KEY must be unique
%s.%s may not be NULL
constraint %s failed
no entry point [%s] in shared library [%s]
error during initialization: %s
sqlite3_extension_init
unable to open shared library [%s]
automatic extension loading failed: %s
foreign_keys
foreign_key_list
foreign_key_check
*** in database %s ***
unsupported encoding: %s
malformed database schema (%s)
%s - %s
SELECT name, rootpage, sql FROM '%q'.%s ORDER BY rowid
database schema is locked: %s
unsupported file format
a NATURAL join may not have an ON or USING clause
cannot have both ON and USING clauses in the same join
unknown or unsupported join type: %T %T%s%T
RIGHT and FULL OUTER JOINs are not currently supported
cannot join using column %s - column not present in both tables
USE TEMP B-TREE FOR %s
%s:%d
ORDER BY clause should come after %s not before
COMPOUND SUBQUERIES %d AND %d %s(%s)
%s.%s
SELECTs to the left and right of %s do not have the same number of result columns
no such index: %s
LIMIT clause should come after %s not before
%s.%s.%s
no such table: %s
sqlite_subquery_%p_
too many references to "%s": max 65535
SCAN TABLE %s %s%s(~%d rows)
sqlite3_get_table() called with two or more incompatible queries
cannot create INSTEAD OF trigger on table: %S
INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')
cannot create %s trigger on view: %S
-- TRIGGER %s
no such column: %s
no such trigger: %S
cannot VACUUM - SQL statements in progress
PRAGMA vacuum_db.synchronous=OFF
SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND rootpage>0
SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'
INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)
SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
vtable constructor failed: %s
vtable constructor did not declare schema: %s
UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%d
no such module: %s
table %s: xBestIndex returned an invalid plan
%s AS %s
%s SUBQUERY %d
%s TABLE %s
%s USING INTEGER PRIMARY KEY
%s (rowid=?)
%s USING %s%sINDEX%s%s%s
%s (rowid<?)
%s VIRTUAL TABLE INDEX %d:%s
%s (rowid>? AND rowid<?)
%s (rowid>?)
cannot use index: %s
%s (~%lld rows)
at most %d tables in a join
the INDEXED BY clause is not allowed on UPDATE or DELETE statements within triggers
the NOT INDEXED clause is not allowed on UPDATE or DELETE statements within triggers
SQL logic error or missing database
unknown operation
large file support is disabled
unknown database: %s
no such %s mode: %s
%s mode not allowed: %s
database corruption at line %d of [%.10s]
no such vfs: %s
misuse at line %d of [%.10s]
cannot open file at line %d of [%.10s]
C:\Build\117\Search Protector\SP-2.16.20-Production\Sources\SearchProtector\Dev\2.16.20\Output\Release_32\CltMngSvc.pdb
WTSAPI32.dll
USERENV.dll
KERNEL32.dll
USER32.dll
ReportEventW
ADVAPI32.dll
SHELL32.dll
ole32.dll
OLEAUT32.dll
I_RpcBindingInqTransportType
RPCRT4.dll
PSAPI.DLL
VERSION.dll
HttpOpenRequestA
HttpAddRequestHeadersA
HttpSendRequestW
HttpSendRequestA
HttpSendRequestExW
HttpEndRequestW
HttpQueryInfoA
WININET.dll
CryptMsgClose
CertGetNameStringW
CertFreeCertificateContext
CertFindCertificateInStore
CertCloseStore
CryptMsgGetParam
CRYPT32.dll
dbghelp.dll
GetCPInfo
RegCloseKey
RegOpenKeyExW
RegDeleteKeyW
RegEnumKeyExW
RegCreateKeyExW
RegNotifyChangeKeyValue
ReportEventA
C:\PROGRA~1\SearchProtect\
ws.api = ws.api || {};ws.api.FunctionsEnum = {SET_KEY: 1,
GET_KEY: 2,
REMOVE_KEY: 3,
ws.api.StatusEnum = {SP_RESULT_KEY_DOES_NOT_EXIST: -2,
ws.api.RESULT_TIMOUET = 3000;
ws.api.storage = ws.api.storage || {};ws.api.storage.setKey =
function (pluginId, key, value, callback, options) {if (typeof (pluginId) !== 'string' || pluginId === "" || typeof (key) !== 'string' || key === "" || typeof (callback) !== 'function') {callback(ws.api.StatusEnum.SP_RESULT_INVALID_PARAMS);
// Construct an object which will be passed to the VC holding all the parameters
data.funcId = ws.api.FunctionsEnum.SET_KEY;
data.pluginId = pluginId;
data.key = key;
data.value = value;
data.options = options; // Currently not used - this is for future use, if we will want to add more parameters we will
var resultObj = JSON.parse(result);
callback(resultObj.status);
callback(ws.api.StatusEnum.SP_RESULT_SP_UNRESPONSIVE);
}, ws.api.RESULT_TIMOUET);
ws.internal.SendStringToVC(JSON.stringify(data), myCallback);
ws.api.storage.getKey =
function (pluginId, key, callback, options) {data.funcId = ws.api.FunctionsEnum.GET_KEY;
var value = resultObj.value;
if (resultObj.status != ws.api.StatusEnum.SP_RESULT_SUCCESS) {callback(resultObj.status, value);
callback(ws.api.StatusEnum.SP_RESULT_SP_UNRESPONSIVE, "");
ws.api.storage.removeKey =
data.funcId = ws.api.FunctionsEnum.REMOVE_KEY;
ws.api.system = ws.api.system || {};ws.api.system.remove =
data.funcId = ws.api.FunctionsEnum.REMOVE;
data.shouldCallUninstaller = shouldCallUninstaller;
ws.internal = ws.internal || {};if (ws.internal.injectedSP_PLUGIN_ID_SP_TASK_ID === undefined) {ws.internal.injectedSP_PLUGIN_ID_SP_TASK_ID = true;
<requestedExecutionLevel level='asInvoker' uiAccess='false' />
hmscoree.dll
Vkernel32.dll
combase.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
portuguese-brazilian
8.0.0.0-11.999.999.999
33.0.0.0-36.999.999.999
16.0.0.0-31.999.999.999
Failed to execute installer :
SPSetup.exe
%s (Error: %d)
{{{SP#Conduit::SearchProtector::Service::ServiceBase::ReportEventW#SP}}}*.dmp
WindowsSessionManagerThread
J16.0.0.0-31.999.999.999
2.16.20.192
UserRepository.dat
SystemRepository.dat
UIRepository.dat
36.0.0.0
32.0.0.0
Failed to set Url
;chrome-extension_
_0.localstorage
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
HKEY_CURRENT_CONFIG
HKEY_PERFORMANCE_NLSTEXT
HKEY_PERFORMANCE_TEXT
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_USER_LOCAL_SETTINGS
Yuser32.dll
ieframe.dll
Windows Server 2008
Windows Vista
Windows Server 2012
Windows 8
Windows Server 2008 R2
Windows 7
Windows 8.1
%x %x[%s] %I64x %x %x
SELECT * FROM __InstanceDeletionEvent WITHIN %1% WHERE TargetInstance ISA 'Win32_Process' And TargetInstance.Name = '%2%'
SELECT * FROM __InstanceCreationEvent WITHIN %1% WHERE TargetInstance ISA 'Win32_Process' And TargetInstance.Name = '%2%'
ntdll.dll
%s%s%s
Correct password required
{{{SP#Conduit::SearchProtector::Utils::WMIAgentJob::Join#SP}}}{{{$720}}}888816666554443
6666554443
!6666554443
O16.0.0.0-31.999.999.999
HIDispatch error #%d
IWindowsSessionManagerException
01234567
JRpcTransportException
N8.0.0.0-11.999.999.999
Kernel32.dll
C:\PROGRA~1\SearchProtect\Main\bin\CltMngSvc.exe
cltmng.exe_2924:
.text
`.rdata
@.data
.rsrc
@.reloc
DlSHA512 block transform for x86, CRYPTOGAMS by <[email protected]>
Camellia for x86 by <[email protected]>
AES for Intel AES-NI, CRYPTOGAMS by <[email protected]>
AES for x86, CRYPTOGAMS by <[email protected]>
RC4 for x86, CRYPTOGAMS by <[email protected]>
Montgomery Multiplication for x86, CRYPTOGAMS by <[email protected]>
SHA1 block transform for x86, CRYPTOGAMS by <[email protected]>
SHA256 block transform for x86, CRYPTOGAMS by <[email protected]>
GHASH for x86, CRYPTOGAMS by <[email protected]>
GF(2^m) Multiplication for x86, CRYPTOGAMS by <[email protected]>
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
0123456789-
%b %d %H : %M : %S %Y
%m / %d / %y
%I : %M : %S %p
%d / %m / %y
kernel32.dll
boost::filesystem::directory_iterator::operator
The repeat operator "*" cannot start a regular expression.
The repeat operator "?" cannot start a regular expression.
The repeat operator "+" cannot start a regular expression.
Found a closing repetition operator } with no corresponding {.
Can't terminate a sub-expression with an alternation operator |.
The \c and \C escape sequences are not supported by POSIX basic regular expressions: try the Perl syntax instead.
A regular expression can start with the alternation operator |.
Invalid alternation operators within (?...) block.
More than one alternation operator | was encountered inside a conditional expression.
Alternation operators are not allowed inside a DEFINE block.
A repetition operator cannot be applied to a zero-width assertion.
left-curly-bracket
right-curly-bracket
0123456789
Unmatched quantified repeat operator { or \{.
Invalid preceding regular expression prior to repetition operator.
boost thread: trying joining itself
Local\{C15730E2-145C-4c5e-B005-3BC753F42475}-once-flag
Visual C++ CRT: Not enough memory to complete call to strerror.
Operation not permitted
Inappropriate I/O control operation
Broken pipe
operator
GetProcessWindowStation
CERTIFICATE REQUEST
NEW CERTIFICATE REQUEST
CERTIFICATE
PUBLIC KEY
RSA part of OpenSSL 1.0.1e 11 Feb 2013
SHA-512 part of OpenSSL 1.0.1e 11 Feb 2013
ssl_sess_cert
ssl_cert
evp_pkey
x509_pkey
%s(%d): OpenSSL internal error, assertion failed: %s
passed a null parameter
DSO support routines
x509 certificate routines
error:lX:%s:%s:%s
?456789:;<=
!"#$%&'()* ,-./0123
Big Number part of OpenSSL 1.0.1e 11 Feb 2013
pubkey
PEM part of OpenSSL 1.0.1e 11 Feb 2013
phrase is too short, needs to be at least %d chars
Enter PEM pass phrase:
TRUSTED CERTIFICATE
X509 CERTIFICATE
PRIVATE KEY
ENCRYPTED PRIVATE KEY
ANY PRIVATE KEY
enc_key
key_enc_algor
cert
d.encrypted
d.digest
d.signed_and_enveloped
d.enveloped
d.sign
d.data
d.other
NETSCAPE_CERT_SEQUENCE
certs
X509_PUBKEY
public_key
.\crypto\asn1\x_pubkey.c
DSA part of OpenSSL 1.0.1e 11 Feb 2013
priv_key
pub_key
.\crypto\ec\ec_key.c
EC_PRIVATEKEY
publicKey
privateKey
value.implicitlyCA
value.parameters
value.named_curve
p.char_two
p.prime
p.ppBasis
p.tpBasis
p.onBasis
p.other
Any Extended Key Usage
anyExtendedKeyUsage
supportedAlgorithms
crossCertificatePair
certificateRevocationList
cACertificate
userCertificate
userPassword
supportedApplicationContext
Microsoft Local Key set
LocalKeySet
id-Gost28147-89-None-KeyMeshing
id-Gost28147-89-CryptoPro-KeyMeshing
password based MAC
id-PasswordBasedMAC
X509v3 Certificate Issuer
certificateIssuer
certicom-arc
Proxy Certificate Information
proxyCertInfo
Microsoft Smartcardlogin
msSmartcardLogin
joint-iso-itu-t
JOINT-ISO-ITU-T
set-rootKeyThumb
setAttr-Cert
setCext-cCertRequired
setCext-certType
setct-CertResTBE
setct-CertReqTBEX
setct-CertReqTBE
setct-AcqCardCodeMsgTBE
setct-CertInqReqTBS
setct-CertResData
setct-CertReqTBS
setct-CertReqData
setct-PCertResTBS
setct-PCertReqData
setct-AcqCardCodeMsg
certificate extensions
set-certExt
set-msgExt
id-ecPublicKey
id-cmc-confirmCertAcceptance
id-cmc-getCert
id-regInfo-certReq
id-regCtrl-protocolEncrKey
id-regCtrl-oldCertID
id-it-revPassphrase
id-it-keyPairParamRep
id-it-keyPairParamReq
id-it-unsupportedOIDs
id-it-caKeyUpdateInfo
id-it-encKeyPairTypes
id-it-signKeyPairTypes
id-it-caProtEncCert
id-mod-attribute-cert
id-mod-qualified-cert-93
id-mod-qualified-cert-88
id-smime-aa-ets-certCRLTimestamp
id-smime-aa-ets-certValues
id-smime-aa-ets-CertificateRefs
id-smime-aa-ets-otherSigCert
id-smime-aa-smimeEncryptCerts
id-smime-aa-signingCertificate
id-smime-aa-encrypKeyPref
id-smime-aa-msgSigDigest
id-smime-ct-publishCert
id-smime-mod-msg-v3
sdsiCertificate
x509Certificate
localKeyID
certBag
pkcs8ShroudedKeyBag
keyBag
pbeWithSHA1And2-KeyTripleDES-CBC
pbeWithSHA1And3-KeyTripleDES-CBC
TLS Web Client Authentication
TLS Web Server Authentication
X509v3 Extended Key Usage
extendedKeyUsage
X509v3 Authority Key Identifier
authorityKeyIdentifier
X509v3 Certificate Policies
certificatePolicies
X509v3 Private Key Usage Period
privateKeyUsagePeriod
X509v3 Key Usage
keyUsage
X509v3 Subject Key Identifier
subjectKeyIdentifier
Netscape Certificate Sequence
nsCertSequence
Netscape CA Policy Url
nsCaPolicyUrl
Netscape Renewal Url
nsRenewalUrl
Netscape CA Revocation Url
nsCaRevocationUrl
Netscape Revocation Url
nsRevocationUrl
Netscape Base Url
nsBaseUrl
Netscape Cert Type
nsCertType
Netscape Certificate Extension
nsCertExt
extendedCertificateAttributes
challengePassword
dhKeyAgreement
RAND part of OpenSSL 1.0.1e 11 Feb 2013
You need to read the OpenSSL FAQ, hXXp://VVV.openssl.org/support/faq.html
lhash part of OpenSSL 1.0.1e 11 Feb 2013
Stack part of OpenSSL 1.0.1e 11 Feb 2013
Diffie-Hellman part of OpenSSL 1.0.1e 11 Feb 2013
value.single
value.set
.\crypto\evp\evp_key.c
nkey <= EVP_MAX_KEY_LENGTH
EVP part of OpenSSL 1.0.1e 11 Feb 2013
name.relativename
name.fullname
certificateHold
Certificate Hold
cessationOfOperation
Cessation Of Operation
keyCompromise
Key Compromise
%*s%s:
%*sOnly Attribute Certificates
%*sOnly CA Certificates
%*sOnly User Certificates
ASN.1 part of OpenSSL 1.0.1e 11 Feb 2013
d.registeredID
d.iPAddress
d.uniformResourceIdentifier
d.ediPartyName
d.directoryName
d.dNSName
d.rfc822Name
d.otherName
AUTHORITY_KEYID
keyid
cert_info
PKCS8_PRIV_KEY_INFO
pkey
pkeyalg
EC part of OpenSSL 1.0.1e 11 Feb 2013
USER32.DLL
NETAPI32.DLL
KERNEL32.DLL
ADVAPI32.DLL
.\crypto\dh\dh_key.c
%s: (%d bit)
Public-Key
Private-Key
recommended-private-length: %d bits
public-key:
private-key:
PKCS#3 DH Public-Key
PKCS#3 DH Private-Key
Public-Key: (%d bit)
Private-Key: (%d bit)
SHA1 part of OpenSSL 1.0.1e 11 Feb 2013
SHA-256 part of OpenSSL 1.0.1e 11 Feb 2013
RIPE-MD160 part of OpenSSL 1.0.1e 11 Feb 2013
SHA part of OpenSSL 1.0.1e 11 Feb 2013
MD5 part of OpenSSL 1.0.1e 11 Feb 2013
MD4 part of OpenSSL 1.0.1e 11 Feb 2013
AES part of OpenSSL 1.0.1e 11 Feb 2013
CAST part of OpenSSL 1.0.1e 11 Feb 2013
Blowfish part of OpenSSL 1.0.1e 11 Feb 2013
:RC2 part of OpenSSL 1.0.1e 11 Feb 2013
IDEA part of OpenSSL 1.0.1e 11 Feb 2013
libdes part of OpenSSL 1.0.1e 11 Feb 2013
DES part of OpenSSL 1.0.1e 11 Feb 2013
\X
ddddddZ
ddddddZ
%d.%d.%d.%d
<unsupported>
IP Address:%d.%d.%d.%d
URI:%s
DNS:%s
email:%s
EdiPartyName:<unsupported>
X400Name:<unsupported>
othername:<unsupported>
%d.%d.%d.%d/%d.%d.%d.%d
X509_CERT_PAIR
X509_CERT_AUX
X.509 part of OpenSSL 1.0.1e 11 Feb 2013
x%s
%s - d:d:d%.*s %d%s
keylen <= sizeof key
EVP_CIPHER_key_length(cipher) <= (int)sizeof(md_tmp)
ECDSA part of OpenSSL 1.0.1e 11 Feb 2013
Basis Type: %s
Field Type: %s
ASN1 OID: %s
%s %s%lu (%s0x%lx)
'() ,-./:=?
%lu:%s:%s:%d:%s
Verifying - %s
%*sPolicy Text: %s
%*scrlUrl:
EXTENDED_KEY_USAGE
%*sZone: %s, User:
.\crypto\x509v3\v3_akey.c
d.usernotice
d.cpsuri
CERTIFICATEPOLICIES
%*sExplicit Text: %s
%*sNumber%s:
%*sOrganization: %s
%*sCPS: %s
PKEY_USAGE_PERIOD
keyCertSign
Certificate Sign
keyAgreement
Key Agreement
keyEncipherment
Key Encipherment
.\crypto\x509v3\v3_skey.c
CONF part of OpenSSL 1.0.1e 11 Feb 2013
PROXY_CERT_INFO_EXTENSION
hexkey
rsa_keygen_pubexp
rsa_keygen_bits
keylength
keyfunc
len>=0 && len<=(int)sizeof(ctx->key)
j <= (int)sizeof(ctx->key)
.\crypto\pkcs12\p12_key.c
d.receiptList
d.allOrFirstTier
d.compressedData
d.authenticatedData
d.encryptedData
d.digestedData
d.envelopedData
d.signedData
d.ori
d.pwri
d.kekri
d.kari
d.ktri
CMS_PasswordRecipientInfo
keyDerivationAlgorithm
keyIdentifier
CMS_KeyAgreeRecipientInfo
recipientEncryptedKeys
CMS_OriginatorIdentifierOrKey
d.originatorKey
CMS_OriginatorPublicKey
CMS_RecipientEncryptedKey
CMS_KeyAgreeRecipientIdentifier
d.rKeyId
CMS_RecipientKeyIdentifier
CMS_OtherKeyAttribute
keyAttr
keyAttrId
CMS_KeyTransRecipientInfo
encryptedKey
keyEncryptionAlgorithm
certificates
d.crl
d.subjectKeyIdentifier
d.issuerAndSerialNumber
CMS_CertificateChoices
d.v2AttrCert
d.v1AttrCert
d.extendedCertificate
d.certificate
CMS_OtherCertificateFormat
otherCert
otherCertFormat
crlUrl
certStatus
certId
OCSP_CERTSTATUS
value.unknown
value.revoked
value.good
value.byKey
value.byName
reqCert
OCSP_CERTID
issuerKeyHash
CONF_def part of OpenSSL 1.0.1e 11 Feb 2013
[[%s]]
[%s] %s=%s
ECDH part of OpenSSL 1.0.1e 11 Feb 2013
value.bag
value.safes
value.shkeybag
value.keybag
value.sdsicert
value.x509cert
value.other
%s.dll
C:\Build\117\Search Protector\SP-2.16.20-Production\Sources\3rdParty\Boost\boost_1_55_0\boost/exception/detail/exception_ptr.hpp
insert into ItemTable (key, value) VALUES ('%s', '%s');CREATE TABLE ItemTable (key TEXT UNIQUE ON CONFLICT REPLACE, value TEXT NOT NULL ON CONFLICT FAIL);
KEYWORDS
KEYWORD
(more frames truncated from call stack report)
\StringFileInfo\xx\%s
%d/%d/%d d:d:d
Module %d
Checksum: 0xx Time Stamp: 0xx
Image Base: 0xx Image Size: 0xx
File Size: %-10d File Time: %s
Product: %s
Company: %s
FileVer: %d.%d.%d.%d
FileDesc: %s
ProdVer: %d.%d.%d.%d
Windows Vista
Windows 7
Windows 8
Windows Server 2008
Windows 9
Windows Server 2008 R2
Web Edition
Windows XP
Windows Server 2012
Windows Server 9
Windows 2000
(build %d)
Error occurred at %s.
This sample does not support this version of Windows.
Operating system: Could not Determine
Operating system: %s
%d%% memory in use.
%d processor(s), type %d.
%d MBytes physical memory free.
%d MBytes paging file.
%d MBytes paging file free.
%d MBytes user address space free.
%d MBytes user address space.
Windows Server 2003 R2
Web Server Edition
a Float Denormal Operand
Windows Home Server
Windows Storage Server 2003
Windows Server 2003
Windows XP Professional x64 Edition
a Float Invalid Operation
0xx:
%s\CRASH_REPORT_%s.txt
%d MBytes physical memory.
EBX: 0xx ECX: 0xx EDX: 0xx
EDI: 0xx ESI: 0xx EAX: 0xx
EFlags: 0xx ESP: 0xx SegSs: 0xx
EIP: 0xx EBP: 0xx SegCs: 0xx
%s caused %s (0xx)
in module %s at x:x.
%s location x caused an access violation.
===== [end of %s] =====
Exception code is 0xX
Crash dump file: %s
Crash report file :%s
%s\CRASH_DUMP_%s.dmp
Error creating dump file, err=%d
P%d_T%d_Dld_ld_ld_Tld_ld_ld
code: %x, addr: %x, module: %s
code: %x
C:\Build\117\Search Protector\SP-2.16.20-Production\Sources\3rdParty\google\gtest\gtest-1.6.0\include\gtest/internal/gtest-port.h
NtQueryKey
%s 0x%I64x %s [file:%s(%u)]
PTF://
hXXp://
hXXps://
wininet.dll
[%u, 0xx] %s
https
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
request HttpSendRequestA failed...
Content-Length: %u
response failed...last error %d
spx.params
spx.assets
SQLite format 3
REINDEXEDESCAPEACHECKEYBEFOREIGNOREGEXPLAINSTEADDATABASELECTABLEFTHENDEFERRABLELSEXCEPTRANSACTIONATURALTERAISEXCLUSIVEXISTSAVEPOINTERSECTRIGGEREFERENCESCONSTRAINTOFFSETEMPORARYUNIQUERYATTACHAVINGROUPDATEBEGINNERELEASEBETWEENOTNULLIKECASCADELETECASECOLLATECREATECURRENT_DATEDETACHIMMEDIATEJOINSERTMATCHPLANALYZEPRAGMABORTVALUESVIRTUALIMITWHENWHERENAMEAFTEREPLACEANDEFAULTAUTOINCREMENTCASTCOLUMNCOMMITCONFLICTCROSSCURRENT_TIMESTAMPRIMARYDEFERREDISTINCTDROPFAILFROMFULLGLOBYIFISNULLORDERESTRICTOUTERIGHTROLLBACKROWUNIONUSINGVACUUMVIEWINITIALLY
CREATE TABLE sqlite_master(
sql text
3.7.16
CREATE TEMP TABLE sqlite_temp_master(
00:00:00.
1.1.3
gen_codes: max_code %d
code %d bits %d->%d
bl code -
last_lit %u, last_dist %u, in %ld, out ~%ld(%ld%%)
opt %lu(%lu) stat %lu(%lu) stored %lu lit %u dist %u
boost::too_many_args: format-string referred to less arguments than were passed
boost::too_few_args: format-string referred to more arguments than were passed
Union operator has to be applied to node sets
Content-Disposition: form-data; name="%s"; filename="%s"
Content-Disposition: form-data; name="%s"
Conduit::SearchProtector::Utils::Singleton<class Conduit::SearchProtector::SPM::Services::LoginManager>::GetInstance
invalid map<K, T> key
%s[%d]: %s
SQLITE_ERROR
SQLITE_OK
SQLITE_PERM
SQLITE_INTERNAL
SQLITE_BUSY
SQLITE_ABORT
SQLITE_NOMEM
SQLITE_LOCKED
SQLITE_INTERRUPT
SQLITE_READONLY
SQLITE_CORRUPT
SQLITE_IOERR
SQLITE_FULL
SQLITE_NOTFOUND
SQLITE_PROTOCOL
SQLITE_CANTOPEN
SQLITE_SCHEMA
SQLITE_EMPTY
SQLITE_CONSTRAINT
SQLITE_TOOBIG
SQLITE_MISUSE
SQLITE_MISMATCH
SQLITE_AUTH
SQLITE_NOLFS
SQLITE_RANGE
SQLITE_FORMAT
SQLITE_DONE
SQLITE_ROW
CPPSQLITE_ERROR
SQLITE_
d-d-d d:d:d
d-d-d
d:d:d
failed memory resize %u to %u bytes
failed to allocate %u bytes of memory
922337203685477580
API call with %s database connection pointer
RowKey
GetProcessHeap
os_win.c:%d: (%d) %s(%s) - %s
OsError 0x%x (%u)
delayed %dms for lock/sharing conflict
%s-shm
%s\etilqs_
%s\%s
cannot limit WAL size: %s
Recovered %d frames from WAL file %s
invalid page number %d
Failed to read ptrmap key=%d
2nd reference to page %d
%d of %d pages missing from overflow list starting at %d
Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d)
freelist leaf count too big on page %d
failed to get page %d
unable to get the page. error code=%d
Page %d:
On tree page %d cell %d:
btreeInitPage() returns error code %d
On page %d at right child:
Corruption detected in cell %d on page %d
Fragmentation of %d bytes reported as %d on page %d
Multiple uses for byte %d of page %d
Pointer map page %d is referenced
Page %d is never used
Outstanding page count goes from %d to %d during this analysis
unknown database %s
keyinfo(%d
%s(%d)
%s-mjXXXXXX9XXz
MJ collide: %s
MJ delete: %s
foreign key constraint failed
-mjX9X
unable to use function %s in the requested context
bind on a busy prepared statement: [%s]
zeroblob(%d)
abort at %d in [%s]: %s
cannot open savepoint - SQL statements in progress
constraint failed at %d in [%s]
cannot release savepoint - SQL statements in progress
no such savepoint: %s
cannot commit transaction - SQL statements in progress
sqlite_temp_master
SELECT name, rootpage, sql FROM '%q'.%s WHERE %s ORDER BY rowid
sqlite_master
cannot change %s wal mode from within a transaction
statement aborts at %d: [%s] %s
database table is locked: %s
cannot open value of type %s
cannot open virtual table: %s
no such column: "%s"
cannot open view: %s
indexed
foreign key
cannot open %s column for writing
misuse of aliased aggregate %s
%s: %s.%s
%s: %s.%s.%s
not authorized to use function: %s
%s: %s
%r %s BY term out of range - should be between 1 and %d
too many terms in %s BY clause
Expression tree is too large (maximum depth %d)
too many SQL variables
variable number must be between ?1 and ?%d
too many columns in %s
EXECUTE %s%s SUBQUERY %d
misuse of aggregate: %s()
%.*s"%w"%s
sqlite_rename_table
%s%.*s"%w"
sqlite_rename_parent
sqlite_rename_trigger
%s OR name=%Q
type='trigger' AND (%s)
table %s may not be altered
sqlite_
view %s may not be altered
there is already another table or index with this name: %s
UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d 18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
UPDATE "%w".sqlite_sequence set name = %Q WHERE name = %Q
sqlite_sequence
Cannot add a PRIMARY KEY column
UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
UPDATE "%w".%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d) WHERE type = 'table' AND name = %Q
sqlite_altertab_%s
sqlite_stat1
DELETE FROM %Q.%s WHERE %s=%Q
CREATE TABLE %Q.%s(%s)
SELECT tbl,idx,stat FROM %Q.sqlite_stat1
too many attached databases - max %d
invalid name: "%s"
database %s is already in use
no such database: %s
unable to open database: %s
cannot detach database %s
sqlite_detach
database %s is locked
%s %T cannot reference objects in database %s
sqlite_attach
access to %s.%s.%s is prohibited
access to %s.%s is prohibited
object name reserved for internal use: %s
there is already an index named %s
duplicate column name: %s
too many columns on %s
table "%s" has more than one primary key
default value of column [%s] is not constant
AUTOINCREMENT is only allowed on an INTEGER PRIMARY KEY
UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d
CREATE %s %.*s
CREATE TABLE %Q.sqlite_sequence(name,seq)
view %s is circularly defined
sqlite_stat%d
UPDATE %Q.%s SET rootpage=%d WHERE #%d AND rootpage=#%d
DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'
DELETE FROM %Q.sqlite_sequence WHERE name=%Q
table %s may not be dropped
sqlite_stat
use DROP VIEW to delete view %s
use DROP TABLE to delete table %s
number of columns in foreign key does not match the number of columns in the referenced table
foreign key on %s should reference only one column of table %T
indexed columns are not unique
unknown column "%s" in foreign key definition
views may not be indexed
table %s may not be indexed
there is already a table named %s
virtual tables may not be indexed
sqlite_autoindex_%s_%d
index %s already exists
table %s has no column named %s
INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);CREATE%s INDEX %.*s
no such index: %S
DELETE FROM %Q.%s WHERE name=%Q AND type='index'
index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped
a JOIN clause is required before %s
no such collation sequence: %s
unable to identify the object to be reindexed
cannot modify %s because it is a view
table %s may not be modified
sqlite_source_id
sqlite_version
sqlite_compileoption_used
sqlite_log
sqlite_compileoption_get
foreign key mismatch - "%w" referencing "%w"
table %S has %d columns but %d values were supplied
table %S has no column named %s
%d values for %d columns
%s.%s may not be NULL
PRIMARY KEY must be unique
constraint %s failed
sqlite3_extension_init
no entry point [%s] in shared library [%s]
unable to open shared library [%s]
automatic extension loading failed: %s
error during initialization: %s
foreign_keys
foreign_key_list
foreign_key_check
*** in database %s ***
unsupported encoding: %s
malformed database schema (%s)
%s - %s
SELECT name, rootpage, sql FROM '%q'.%s ORDER BY rowid
unsupported file format
database schema is locked: %s
unknown or unsupported join type: %T %T%s%T
a NATURAL join may not have an ON or USING clause
RIGHT and FULL OUTER JOINs are not currently supported
cannot join using column %s - column not present in both tables
cannot have both ON and USING clauses in the same join
USE TEMP B-TREE FOR %s
COMPOUND SUBQUERIES %d AND %d %s(%s)
%s:%d
%s.%s
LIMIT clause should come after %s not before
ORDER BY clause should come after %s not before
SELECTs to the left and right of %s do not have the same number of result columns
sqlite_subquery_%p_
no such index: %s
%s.%s.%s
too many references to "%s": max 65535
no such table: %s
SCAN TABLE %s %s%s(~%d rows)
sqlite3_get_table() called with two or more incompatible queries
cannot create INSTEAD OF trigger on table: %S
cannot create %s trigger on view: %S
INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')-- TRIGGER %s
no such trigger: %S
no such column: %s
cannot VACUUM - SQL statements in progress
PRAGMA vacuum_db.synchronous=OFF
SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND rootpage>0
SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'
SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'
SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%d
vtable constructor failed: %s
vtable constructor did not declare schema: %s
no such module: %s
table %s: xBestIndex returned an invalid plan
%s SUBQUERY %d
%s AS %s
%s TABLE %s
%s USING INTEGER PRIMARY KEY
%s USING %s%sINDEX%s%s%s
%s (rowid>? AND rowid<?)
%s (rowid=?)
%s (rowid<?)
%s (rowid>?)
%s (~%lld rows)
%s VIRTUAL TABLE INDEX %d:%s
cannot use index: %s
at most %d tables in a join
the INDEXED BY clause is not allowed on UPDATE or DELETE statements within triggers
the NOT INDEXED clause is not allowed on UPDATE or DELETE statements within triggers
SQL logic error or missing database
unknown operation
large file support is disabled
unknown database: %s
no such %s mode: %s
no such vfs: %s
%s mode not allowed: %s
misuse at line %d of [%.10s]
database corruption at line %d of [%.10s]
cannot open file at line %d of [%.10s]
C:\Build\117\Search Protector\SP-2.16.20-Production\Sources\SearchProtector\Dev\2.16.20\Output\Release_32\cltmng.pdb
KERNEL32.dll
MsgWaitForMultipleObjects
USER32.dll
VERSION.dll
PSAPI.DLL
InternetCrackUrlW
HttpOpenRequestA
HttpAddRequestHeadersA
HttpSendRequestW
HttpSendRequestA
HttpSendRequestExW
HttpEndRequestW
HttpQueryInfoA
WININET.dll
dbghelp.dll
CryptMsgClose
CertGetNameStringW
CertFreeCertificateContext
CertFindCertificateInStore
CertCloseStore
CryptMsgGetParam
CRYPT32.dll
UrlUnescapeW
SHLWAPI.dll
CreateIoCompletionPort
GetCPInfo
RegCloseKey
RegOpenKeyExW
RegDeleteKeyW
RegEnumKeyExW
RegCreateKeyExW
RegQueryInfoKeyW
RegNotifyChangeKeyValue
ADVAPI32.dll
ShellExecuteExW
SHELL32.dll
ole32.dll
OLEAUT32.dll
ReportEventA
I_RpcBindingInqTransportType
RPCRT4.dll
%Documents and Settings%\%current user%\Local Settings\Application Data\SearchProtect\SearchProtect
ws.api = ws.api || {};ws.api.FunctionsEnum = {SET_KEY: 1,
GET_KEY: 2,
REMOVE_KEY: 3,
ws.api.StatusEnum = {SP_RESULT_KEY_DOES_NOT_EXIST: -2,
ws.api.RESULT_TIMOUET = 3000;
ws.api.storage = ws.api.storage || {};ws.api.storage.setKey =
function (pluginId, key, value, callback, options) {if (typeof (pluginId) !== 'string' || pluginId === "" || typeof (key) !== 'string' || key === "" || typeof (callback) !== 'function') {callback(ws.api.StatusEnum.SP_RESULT_INVALID_PARAMS);
// Construct an object which will be passed to the VC holding all the parameters
data.funcId = ws.api.FunctionsEnum.SET_KEY;
data.pluginId = pluginId;
data.key = key;
data.value = value;
data.options = options; // Currently not used - this is for future use, if we will want to add more parameters we will
var resultObj = JSON.parse(result);
callback(resultObj.status);
callback(ws.api.StatusEnum.SP_RESULT_SP_UNRESPONSIVE);
}, ws.api.RESULT_TIMOUET);
ws.internal.SendStringToVC(JSON.stringify(data), myCallback);
ws.api.storage.getKey =
function (pluginId, key, callback, options) {data.funcId = ws.api.FunctionsEnum.GET_KEY;
var value = resultObj.value;
if (resultObj.status != ws.api.StatusEnum.SP_RESULT_SUCCESS) {callback(resultObj.status, value);
callback(ws.api.StatusEnum.SP_RESULT_SP_UNRESPONSIVE, "");
ws.api.storage.removeKey =
data.funcId = ws.api.FunctionsEnum.REMOVE_KEY;
ws.api.system = ws.api.system || {};ws.api.system.remove =
data.funcId = ws.api.FunctionsEnum.REMOVE;
data.shouldCallUninstaller = shouldCallUninstaller;
ws.internal = ws.internal || {};if (ws.internal.injectedSP_PLUGIN_ID_SP_TASK_ID === undefined) {ws.internal.injectedSP_PLUGIN_ID_SP_TASK_ID = true;
<requestedExecutionLevel level='asInvoker' uiAccess='false' />
mmscoree.dll
nkernel32.dll
combase.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
portuguese-brazilian
8.0.0.0-11.999.999.999
33.0.0.0-36.999.999.999
16.0.0.0-31.999.999.999
2.16.20.192
UserRepository.dat
SystemRepository.dat
UIRepository.dat
chrome-extension_
_0.localstorage
36.0.0.0
32.0.0.0
Failed to set Url
user32.dll
ieframe.dll
Windows Vista
Windows 7
Windows Server 2008
Windows 8
Windows Server 2008 R2
Windows 8.1
Windows Server 2012
%x %x[%s] %I64x %x %x
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_PERFORMANCE_TEXT
HKEY_PERFORMANCE_DATA
HKEY_CURRENT_CONFIG
HKEY_PERFORMANCE_NLSTEXT
HKEY_DYN_DATA
HKEY_CURRENT_USER_LOCAL_SETTINGS
ntdll.dll
Conduit::SearchProtector::SPM::SPMAssetsManager::MapAssets
Conduit::SearchProtector::SPM::SPMAssetsManager::ExecuteAssetChangeAttemptDecision
SPSetup.exe
Conduit::SearchProtector::SPM::Services::LoginManager::CheckForCompetitors
Conduit::SearchProtector::SPM::Services::LoginManager::RequestService
Conduit::SearchProtector::SPM::Services::LoginManager::RequestServiceByBrowser
Conduit::SearchProtector::SPM::Services::LoginManager::HttpAsyncCallBack
hXXp://VVV.mozilla.org/keymaster/gatekeeper/there.is.only.xul
Plugin Id: %s, Plugin Name: %s, Plugin version: %s
chrome.exe
%s\script_%d.dat
888816666554443
6666554443
!6666554443
Conduit::SearchProtector::Utils::WMIAgentJob::Join
SELECT * FROM __InstanceCreationEvent WITHIN %1% WHERE TargetInstance ISA 'Win32_Process' And TargetInstance.Name = '%2%'
SELECT * FROM __InstanceDeletionEvent WITHIN %1% WHERE TargetInstance ISA 'Win32_Process' And TargetInstance.Name = '%2%'
%s%s%s
Correct password required
IDispatch error #%d
\%s\%s.exe
01234567
Conduit::SearchProtector::Application::Services::ServiceManager::HttpAsyncCallBack
UserSettings.dat
Conduit::SearchProtector::Application::Services::ServiceHandler::HttpAsyncCallBack
e33.0.0.0-36.999.999.999
Conduit::SearchProtector::Application::Services::TimerBasedServiceHandler::HttpAsyncCallBack
iRpcTransportException
C:\PROGRA~1\SearchProtect\SearchProtect\bin\cltmng.exe
cltmngui.exe_2936:
.text
`.rdata
@.data
.rsrc
@.reloc
DlSHA512 block transform for x86, CRYPTOGAMS by <[email protected]>
Camellia for x86 by <[email protected]>
AES for Intel AES-NI, CRYPTOGAMS by <[email protected]>
AES for x86, CRYPTOGAMS by <[email protected]>
RC4 for x86, CRYPTOGAMS by <[email protected]>
Montgomery Multiplication for x86, CRYPTOGAMS by <[email protected]>
SHA1 block transform for x86, CRYPTOGAMS by <[email protected]>
SHA256 block transform for x86, CRYPTOGAMS by <[email protected]>
GHASH for x86, CRYPTOGAMS by <[email protected]>
GF(2^m) Multiplication for x86, CRYPTOGAMS by <[email protected]>
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
0123456789-
%b %d %H : %M : %S %Y
%m / %d / %y
%I : %M : %S %p
%d / %m / %y
kernel32.dll
left-curly-bracket
right-curly-bracket
boost thread: trying joining itself
Local\{C15730E2-145C-4c5e-B005-3BC753F42475}-once-flag
Visual C CRT: Not enough memory to complete call to strerror.
Operation not permitted
Inappropriate I/O control operation
Broken pipe
GetProcessWindowStation
operator
CERTIFICATE REQUEST
NEW CERTIFICATE REQUEST
CERTIFICATE
PUBLIC KEY
RSA part of OpenSSL 1.0.1e 11 Feb 2013
SHA-512 part of OpenSSL 1.0.1e 11 Feb 2013
ssl_sess_cert
ssl_cert
evp_pkey
x509_pkey
%s(%d): OpenSSL internal error, assertion failed: %s
passed a null parameter
DSO support routines
x509 certificate routines
error:lX:%s:%s:%s
Big Number part of OpenSSL 1.0.1e 11 Feb 2013
pubkey
PEM part of OpenSSL 1.0.1e 11 Feb 2013
phrase is too short, needs to be at least %d chars
Enter PEM pass phrase:
TRUSTED CERTIFICATE
X509 CERTIFICATE
PRIVATE KEY
ENCRYPTED PRIVATE KEY
ANY PRIVATE KEY
enc_key
key_enc_algor
cert
d.encrypted
d.digest
d.signed_and_enveloped
d.enveloped
d.sign
d.data
d.other
NETSCAPE_CERT_SEQUENCE
certs
X509_PUBKEY
public_key
.\crypto\asn1\x_pubkey.c
DSA part of OpenSSL 1.0.1e 11 Feb 2013
priv_key
pub_key
.\crypto\ec\ec_key.c
EC_PRIVATEKEY
publicKey
privateKey
value.implicitlyCA
value.parameters
value.named_curve
p.char_two
p.prime
p.ppBasis
p.tpBasis
p.onBasis
p.other
Any Extended Key Usage
anyExtendedKeyUsage
supportedAlgorithms
crossCertificatePair
certificateRevocationList
cACertificate
userCertificate
userPassword
supportedApplicationContext
Microsoft Local Key set
LocalKeySet
id-Gost28147-89-None-KeyMeshing
id-Gost28147-89-CryptoPro-KeyMeshing
password based MAC
id-PasswordBasedMAC
X509v3 Certificate Issuer
certificateIssuer
certicom-arc
Proxy Certificate Information
proxyCertInfo
Microsoft Smartcardlogin
msSmartcardLogin
joint-iso-itu-t
JOINT-ISO-ITU-T
set-rootKeyThumb
setAttr-Cert
setCext-cCertRequired
setCext-certType
setct-CertResTBE
setct-CertReqTBEX
setct-CertReqTBE
setct-AcqCardCodeMsgTBE
setct-CertInqReqTBS
setct-CertResData
setct-CertReqTBS
setct-CertReqData
setct-PCertResTBS
setct-PCertReqData
setct-AcqCardCodeMsg
certificate extensions
set-certExt
set-msgExt
id-ecPublicKey
id-cmc-confirmCertAcceptance
id-cmc-getCert
id-regInfo-certReq
id-regCtrl-protocolEncrKey
id-regCtrl-oldCertID
id-it-revPassphrase
id-it-keyPairParamRep
id-it-keyPairParamReq
id-it-unsupportedOIDs
id-it-caKeyUpdateInfo
id-it-encKeyPairTypes
id-it-signKeyPairTypes
id-it-caProtEncCert
id-mod-attribute-cert
id-mod-qualified-cert-93
id-mod-qualified-cert-88
id-smime-aa-ets-certCRLTimestamp
id-smime-aa-ets-certValues
id-smime-aa-ets-CertificateRefs
id-smime-aa-ets-otherSigCert
id-smime-aa-smimeEncryptCerts
id-smime-aa-signingCertificate
id-smime-aa-encrypKeyPref
id-smime-aa-msgSigDigest
id-smime-ct-publishCert
id-smime-mod-msg-v3
sdsiCertificate
x509Certificate
localKeyID
certBag
pkcs8ShroudedKeyBag
keyBag
pbeWithSHA1And2-KeyTripleDES-CBC
pbeWithSHA1And3-KeyTripleDES-CBC
TLS Web Client Authentication
TLS Web Server Authentication
X509v3 Extended Key Usage
extendedKeyUsage
X509v3 Authority Key Identifier
authorityKeyIdentifier
X509v3 Certificate Policies
certificatePolicies
X509v3 Private Key Usage Period
privateKeyUsagePeriod
X509v3 Key Usage
keyUsage
X509v3 Subject Key Identifier
subjectKeyIdentifier
Netscape Certificate Sequence
nsCertSequence
Netscape CA Policy Url
nsCaPolicyUrl
Netscape Renewal Url
nsRenewalUrl
Netscape CA Revocation Url
nsCaRevocationUrl
Netscape Revocation Url
nsRevocationUrl
Netscape Base Url
nsBaseUrl
Netscape Cert Type
nsCertType
Netscape Certificate Extension
nsCertExt
extendedCertificateAttributes
challengePassword
dhKeyAgreement
RAND part of OpenSSL 1.0.1e 11 Feb 2013
You need to read the OpenSSL FAQ, hXXp://VVV.openssl.org/support/faq.html
lhash part of OpenSSL 1.0.1e 11 Feb 2013
Stack part of OpenSSL 1.0.1e 11 Feb 2013
Diffie-Hellman part of OpenSSL 1.0.1e 11 Feb 2013
value.single
value.set
.\crypto\evp\evp_key.c
nkey <= EVP_MAX_KEY_LENGTH
EVP part of OpenSSL 1.0.1e 11 Feb 2013
name.relativename
name.fullname
certificateHold
Certificate Hold
cessationOfOperation
Cessation Of Operation
keyCompromise
Key Compromise
%*s%s:
%*sOnly Attribute Certificates
%*sOnly CA Certificates
%*sOnly User Certificates
ASN.1 part of OpenSSL 1.0.1e 11 Feb 2013
d.registeredID
d.iPAddress
d.uniformResourceIdentifier
d.ediPartyName
d.directoryName
d.dNSName
d.rfc822Name
d.otherName
AUTHORITY_KEYID
keyid
cert_info
PKCS8_PRIV_KEY_INFO
pkey
pkeyalg
EC part of OpenSSL 1.0.1e 11 Feb 2013
USER32.DLL
NETAPI32.DLL
KERNEL32.DLL
ADVAPI32.DLL
.\crypto\dh\dh_key.c
%s: (%d bit)
Public-Key
Private-Key
recommended-private-length: %d bits
public-key:
private-key:
PKCS#3 DH Public-Key
PKCS#3 DH Private-Key
Public-Key: (%d bit)
Private-Key: (%d bit)
SHA1 part of OpenSSL 1.0.1e 11 Feb 2013
SHA-256 part of OpenSSL 1.0.1e 11 Feb 2013
RIPE-MD160 part of OpenSSL 1.0.1e 11 Feb 2013
SHA part of OpenSSL 1.0.1e 11 Feb 2013
MD5 part of OpenSSL 1.0.1e 11 Feb 2013
MD4 part of OpenSSL 1.0.1e 11 Feb 2013
AES part of OpenSSL 1.0.1e 11 Feb 2013
CAST part of OpenSSL 1.0.1e 11 Feb 2013
Blowfish part of OpenSSL 1.0.1e 11 Feb 2013
RC2 part of OpenSSL 1.0.1e 11 Feb 2013
IDEA part of OpenSSL 1.0.1e 11 Feb 2013
libdes part of OpenSSL 1.0.1e 11 Feb 2013
DES part of OpenSSL 1.0.1e 11 Feb 2013
%d.%d.%d.%d
<unsupported>
IP Address:%d.%d.%d.%d
URI:%s
DNS:%s
email:%s
EdiPartyName:<unsupported>
X400Name:<unsupported>
othername:<unsupported>
%d.%d.%d.%d/%d.%d.%d.%d
X509_CERT_PAIR
X509_CERT_AUX
X.509 part of OpenSSL 1.0.1e 11 Feb 2013
x%s
%s - d:d:d%.*s %d%s
keylen <= sizeof key
EVP_CIPHER_key_length(cipher) <= (int)sizeof(md_tmp)
ECDSA part of OpenSSL 1.0.1e 11 Feb 2013
Basis Type: %s
Field Type: %s
ASN1 OID: %s
%s %s%lu (%s0x%lx)
'() ,-./:=?
%lu:%s:%s:%d:%s
Verifying - %s
%*sPolicy Text: %s
%*scrlUrl:
EXTENDED_KEY_USAGE
%*sZone: %s, User:
.\crypto\x509v3\v3_akey.c
d.usernotice
d.cpsuri
CERTIFICATEPOLICIES
%*sExplicit Text: %s
%*sNumber%s:
%*sOrganization: %s
%*sCPS: %s
PKEY_USAGE_PERIOD
keyCertSign
Certificate Sign
keyAgreement
Key Agreement
keyEncipherment
Key Encipherment
.\crypto\x509v3\v3_skey.c
CONF part of OpenSSL 1.0.1e 11 Feb 2013
PROXY_CERT_INFO_EXTENSION
hexkey
rsa_keygen_pubexp
rsa_keygen_bits
keylength
keyfunc
len>=0 && len<=(int)sizeof(ctx->key)
j <= (int)sizeof(ctx->key)
.\crypto\pkcs12\p12_key.c
d.receiptList
d.allOrFirstTier
d.compressedData
d.authenticatedData
d.encryptedData
d.digestedData
d.envelopedData
d.signedData
d.ori
d.pwri
d.kekri
d.kari
d.ktri
CMS_PasswordRecipientInfo
keyDerivationAlgorithm
keyIdentifier
CMS_KeyAgreeRecipientInfo
recipientEncryptedKeys
CMS_OriginatorIdentifierOrKey
d.originatorKey
CMS_OriginatorPublicKey
CMS_RecipientEncryptedKey
CMS_KeyAgreeRecipientIdentifier
d.rKeyId
CMS_RecipientKeyIdentifier
CMS_OtherKeyAttribute
keyAttr
keyAttrId
CMS_KeyTransRecipientInfo
encryptedKey
keyEncryptionAlgorithm
certificates
d.crl
d.subjectKeyIdentifier
d.issuerAndSerialNumber
CMS_CertificateChoices
d.v2AttrCert
d.v1AttrCert
d.extendedCertificate
d.certificate
CMS_OtherCertificateFormat
otherCert
otherCertFormat
crlUrl
certStatus
certId
OCSP_CERTSTATUS
value.unknown
value.revoked
value.good
value.byKey
value.byName
reqCert
OCSP_CERTID
issuerKeyHash
CONF_def part of OpenSSL 1.0.1e 11 Feb 2013
[[%s]]
[%s] %s=%s
ECDH part of OpenSSL 1.0.1e 11 Feb 2013
value.bag
value.safes
value.shkeybag
value.keybag
value.sdsicert
value.x509cert
value.other
%s.dll
RegOpenKeyTransactedW
RegCreateKeyTransactedW
RegDeleteKeyTransactedW
RegDeleteKeyExW
C:\Build\117\Search Protector\SP-2.16.20-Production\Sources\3rdParty\Boost\boost_1_55_0\boost/exception/detail/exception_ptr.hpp
\StringFileInfo\xx\%s
(more frames truncated from call stack report)
%d/%d/%d d:d:d
Module %d
Image Base: 0xx Image Size: 0xx
Checksum: 0xx Time Stamp: 0xx
File Size: %-10d File Time: %s
Company: %s
Product: %s
FileDesc: %s
FileVer: %d.%d.%d.%d
ProdVer: %d.%d.%d.%d
Windows Vista
Windows Server 2008
Windows 7
Windows Server 2008 R2
Windows 8
Windows 9
Windows Server 2012
Web Edition
Windows Server 9
Windows XP
Windows 2000
(build %d)
This sample does not support this version of Windows.
Error occurred at %s.
Operating system: %s
Operating system: Could not Determine
%d processor(s), type %d.
%d%% memory in use.
%d MBytes physical memory free.
%d MBytes paging file.
%d MBytes paging file free.
%d MBytes user address space.
%d MBytes user address space free.
Web Server Edition
Windows Server 2003 R2
Windows Storage Server 2003
Windows Home Server
Windows XP Professional x64 Edition
Windows Server 2003
a Float Denormal Operand
a Float Invalid Operation
%d MBytes physical memory.
0xx:
EDI: 0xx ESI: 0xx EAX: 0xx
EBX: 0xx ECX: 0xx EDX: 0xx
EIP: 0xx EBP: 0xx SegCs: 0xx
EFlags: 0xx ESP: 0xx SegSs: 0xx
%s\CRASH_REPORT_%s.txt
%s caused %s (0xx)
in module %s at x:x.
%s location x caused an access violation.
===== [end of %s] =====
%s\CRASH_DUMP_%s.dmp
Error creating dump file, err=%d
Exception code is 0xX
Crash dump file: %s
Crash report file :%s
P%d_T%d_Dld_ld_ld_Tld_ld_ld
code: %x
code: %x, addr: %x, module: %s
C:\Build\117\Search Protector\SP-2.16.20-Production\Sources\3rdParty\google\gtest\gtest-1.6.0\include\gtest/internal/gtest-port.h
%s 0x%I64x %s [file:%s(%u)]
CREATE TABLE ItemTable (key TEXT UNIQUE ON CONFLICT REPLACE, value TEXT NOT NULL ON CONFLICT FAIL);
insert into ItemTable (key, value) VALUES ('%s', '%s');
KEYWORDS
KEYWORD
00:00:00.
NtQueryKey
1.1.3
gen_codes: max_code %d
code %d bits %d->%d
bl code -
last_lit %u, last_dist %u, in %ld, out ~%ld(%ld%%)
opt %lu(%lu) stat %lu(%lu) stored %lu lit %u dist %u
hXXps://
hXXp://
wininet.dll
PTF://
[%u, 0xx] %s
https
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
request HttpSendRequestA failed...
Content-Length: %u
response failed...last error %d
SQLite format 3
REINDEXEDESCAPEACHECKEYBEFOREIGNOREGEXPLAINSTEADDATABASELECTABLEFTHENDEFERRABLELSEXCEPTRANSACTIONATURALTERAISEXCLUSIVEXISTSAVEPOINTERSECTRIGGEREFERENCESCONSTRAINTOFFSETEMPORARYUNIQUERYATTACHAVINGROUPDATEBEGINNERELEASEBETWEENOTNULLIKECASCADELETECASECOLLATECREATECURRENT_DATEDETACHIMMEDIATEJOINSERTMATCHPLANALYZEPRAGMABORTVALUESVIRTUALIMITWHENWHERENAMEAFTEREPLACEANDEFAULTAUTOINCREMENTCASTCOLUMNCOMMITCONFLICTCROSSCURRENT_TIMESTAMPRIMARYDEFERREDISTINCTDROPFAILFROMFULLGLOBYIFISNULLORDERESTRICTOUTERIGHTROLLBACKROWUNIONUSINGVACUUMVIEWINITIALLY
CREATE TABLE sqlite_master(
sql text
3.7.16
CREATE TEMP TABLE sqlite_temp_master(
Content-Disposition: form-data; name="%s"
Content-Disposition: form-data; name="%s"; filename="%s"
SQLITE_
d-d-d d:d:d
d-d-d
d:d:d
failed memory resize %u to %u bytes
failed to allocate %u bytes of memory
API call with %s database connection pointer
922337203685477580
RowKey
os_win.c:%d: (%d) %s(%s) - %s
OsError 0x%x (%u)
GetProcessHeap
delayed %dms for lock/sharing conflict
%s-shm
%s\etilqs_
%s\%s
cannot limit WAL size: %s
Recovered %d frames from WAL file %s
invalid page number %d
%d of %d pages missing from overflow list starting at %d
Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d)
Failed to read ptrmap key=%d
2nd reference to page %d
unable to get the page. error code=%d
Page %d:
freelist leaf count too big on page %d
failed to get page %d
On tree page %d cell %d:
btreeInitPage() returns error code %d
On page %d at right child:
Fragmentation of %d bytes reported as %d on page %d
Multiple uses for byte %d of page %d
Corruption detected in cell %d on page %d
Pointer map page %d is referenced
Page %d is never used
unknown database %s
Outstanding page count goes from %d to %d during this analysis
keyinfo(%d
%s(%d)
MJ collide: %s
MJ delete: %s
%s-mjXXXXXX9XXz
foreign key constraint failed
-mjX9X
bind on a busy prepared statement: [%s]
unable to use function %s in the requested context
zeroblob(%d)
cannot open savepoint - SQL statements in progress
constraint failed at %d in [%s]
abort at %d in [%s]: %s
cannot commit transaction - SQL statements in progress
cannot release savepoint - SQL statements in progress
no such savepoint: %s
sqlite_temp_master
SELECT name, rootpage, sql FROM '%q'.%s WHERE %s ORDER BY rowid
sqlite_master
statement aborts at %d: [%s] %s
database table is locked: %s
cannot change %s wal mode from within a transaction
cannot open value of type %s
no such column: "%s"
cannot open view: %s
cannot open virtual table: %s
cannot open %s column for writing
indexed
foreign key
misuse of aliased aggregate %s
not authorized to use function: %s
%s: %s
%s: %s.%s
%s: %s.%s.%s
%r %s BY term out of range - should be between 1 and %d
too many terms in %s BY clause
too many SQL variables
variable number must be between ?1 and ?%d
Expression tree is too large (maximum depth %d)
too many columns in %s
EXECUTE %s%s SUBQUERY %d
%.*s"%w"%s
misuse of aggregate: %s()
sqlite_rename_parent
sqlite_rename_trigger
sqlite_rename_table
%s%.*s"%w"
type='trigger' AND (%s)
%s OR name=%Q
view %s may not be altered
there is already another table or index with this name: %s
table %s may not be altered
sqlite_
UPDATE "%w".sqlite_sequence set name = %Q WHERE name = %Q
sqlite_sequence
UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d 18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Cannot add a PRIMARY KEY column
UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
UPDATE "%w".%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d) WHERE type = 'table' AND name = %Q
sqlite_stat1
sqlite_altertab_%s
DELETE FROM %Q.%s WHERE %s=%Q
CREATE TABLE %Q.%s(%s)
SELECT tbl,idx,stat FROM %Q.sqlite_stat1
database %s is already in use
too many attached databases - max %d
invalid name: "%s"
no such database: %s
unable to open database: %s
sqlite_detach
database %s is locked
cannot detach database %s
access to %s.%s.%s is prohibited
%s %T cannot reference objects in database %s
sqlite_attach
access to %s.%s is prohibited
object name reserved for internal use: %s
duplicate column name: %s
too many columns on %s
there is already an index named %s
AUTOINCREMENT is only allowed on an INTEGER PRIMARY KEY
table "%s" has more than one primary key
default value of column [%s] is not constant
UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d
CREATE %s %.*s
view %s is circularly defined
CREATE TABLE %Q.sqlite_sequence(name,seq)
DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'
DELETE FROM %Q.sqlite_sequence WHERE name=%Q
sqlite_stat%d
UPDATE %Q.%s SET rootpage=%d WHERE #%d AND rootpage=#%d
use DROP VIEW to delete view %s
use DROP TABLE to delete table %s
table %s may not be dropped
sqlite_stat
indexed columns are not unique
unknown column "%s" in foreign key definition
number of columns in foreign key does not match the number of columns in the referenced table
foreign key on %s should reference only one column of table %T
views may not be indexed
table %s may not be indexed
sqlite_autoindex_%s_%d
index %s already exists
there is already a table named %s
virtual tables may not be indexed
table %s has no column named %s
no such index: %S
INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
CREATE%s INDEX %.*s
DELETE FROM %Q.%s WHERE name=%Q AND type='index'
index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped
a JOIN clause is required before %s
no such collation sequence: %s
unable to identify the object to be reindexed
cannot modify %s because it is a view
table %s may not be modified
sqlite_source_id
sqlite_version
sqlite_compileoption_get
sqlite_compileoption_used
sqlite_log
foreign key mismatch - "%w" referencing "%w"
table %S has no column named %s
%d values for %d columns
table %S has %d columns but %d values were supplied
PRIMARY KEY must be unique
constraint %s failed
%s.%s may not be NULL
no entry point [%s] in shared library [%s]
unable to open shared library [%s]
sqlite3_extension_init
automatic extension loading failed: %s
error during initialization: %s
foreign_keys
foreign_key_list
foreign_key_check
*** in database %s ***
unsupported encoding: %s
malformed database schema (%s)
SELECT name, rootpage, sql FROM '%q'.%s ORDER BY rowid
unsupported file format
%s - %s
database schema is locked: %s
a NATURAL join may not have an ON or USING clause
RIGHT and FULL OUTER JOINs are not currently supported
unknown or unsupported join type: %T %T%s%T
cannot join using column %s - column not present in both tables
cannot have both ON and USING clauses in the same join
USE TEMP B-TREE FOR %s
%s:%d
%s.%s
COMPOUND SUBQUERIES %d AND %d %s(%s)
SELECTs to the left and right of %s do not have the same number of result columns
LIMIT clause should come after %s not before
ORDER BY clause should come after %s not before
%s.%s.%s
too many references to "%s": max 65535
sqlite_subquery_%p_
no such index: %s
no such table: %s
SCAN TABLE %s %s%s(~%d rows)
sqlite3_get_table() called with two or more incompatible queries
cannot create INSTEAD OF trigger on table: %S
cannot create %s trigger on view: %S
-- TRIGGER %s
no such trigger: %S
INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')
no such column: %s
PRAGMA vacuum_db.synchronous=OFF
cannot VACUUM - SQL statements in progress
SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'
SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'
SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND rootpage>0
INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
vtable constructor failed: %s
UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%d
no such module: %s
vtable constructor did not declare schema: %s
table %s: xBestIndex returned an invalid plan
%s AS %s
%s TABLE %s
%s SUBQUERY %d
%s USING INTEGER PRIMARY KEY
%s USING %s%sINDEX%s%s%s
%s (rowid<?)
%s (rowid>?)
%s (rowid>? AND rowid<?)
%s (rowid=?)
cannot use index: %s
at most %d tables in a join
%s (~%lld rows)
%s VIRTUAL TABLE INDEX %d:%s
the NOT INDEXED clause is not allowed on UPDATE or DELETE statements within triggers
the INDEXED BY clause is not allowed on UPDATE or DELETE statements within triggers
SQL logic error or missing database
unknown operation
large file support is disabled
unknown database: %s
no such %s mode: %s
no such vfs: %s
%s mode not allowed: %s
cannot open file at line %d of [%.10s]
misuse at line %d of [%.10s]
database corruption at line %d of [%.10s]
C:\Build\117\Search Protector\SP-2.16.20-Production\Sources\SearchProtector\Dev\2.16.20\Output\Release_32\cltmngui.pdb
KERNEL32.dll
USER32.dll
RegCreateKeyExW
RegQueryInfoKeyW
RegDeleteKeyW
RegOpenKeyExW
RegEnumKeyExW
RegCloseKey
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
PSAPI.DLL
VERSION.dll
dbghelp.dll
GetCPInfo
GDI32.dll
SHELL32.dll
HttpOpenRequestA
HttpAddRequestHeadersA
HttpSendRequestW
HttpSendRequestA
HttpSendRequestExW
HttpEndRequestW
HttpQueryInfoA
WININET.dll
RegisterHotKey
ReportEventA
I_RpcBindingInqTransportType
RPCRT4.dll
%Documents and Settings%\%current user%\Local Settings\Application Data\SearchProtect\UI
<requestedExecutionLevel level='asInvoker' uiAccess='false' />
mscoree.dll
kernel32.dll
combase.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
portuguese-brazilian
8.0.0.0-11.999.999.999
33.0.0.0-36.999.999.999
16.0.0.0-31.999.999.999
Advapi32.dll
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
UserRepository.dat
SystemRepository.dat
UIRepository.dat
%x %x[%s] %I64x %x %x
user32.dll
ieframe.dll
Windows Vista
Windows 7
Windows Server 2008
Windows 8
Windows Server 2008 R2
Windows 8.1
Windows Server 2012
HKEY_PERFORMANCE_NLSTEXT
HKEY_PERFORMANCE_TEXT
HKEY_CURRENT_USER_LOCAL_SETTINGS
2.16.20.192
_0.localstorage
chrome-extension_
36.0.0.0
32.0.0.0
Failed to set Url
SELECT * FROM __InstanceCreationEvent WITHIN %1% WHERE TargetInstance ISA 'Win32_Process' And TargetInstance.Name = '%2%'
SELECT * FROM __InstanceDeletionEvent WITHIN %1% WHERE TargetInstance ISA 'Win32_Process' And TargetInstance.Name = '%2%'
ntdll.dll
%s%s%s
Correct password required
Conduit::SearchProtector::Utils::WMIAgentJob::Join
888816666554443
6666554443
!6666554443
01234567
UserSettings.dat
Conduit::SearchProtector::Application::Services::ServiceManager::HttpAsyncCallBack
Conduit::SearchProtector::Application::Services::TimerBasedServiceHandler::HttpAsyncCallBack
Conduit::SearchProtector::Application::Services::ServiceHandler::HttpAsyncCallBack
M2.16.20.192
XRpcTransportException
C:\PROGRA~1\SearchProtect\UI\bin\cltmngui.exe
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
nsq12.exe:2780
cltmngui.exe:2936
nsm16.exe:3528
CltMngSvc.exe:2852
CltMngSvc.exe:2840
cltmng.exe:2924
nsj4.exe:1052
nsj4.exe:588
nsqC.tmp:2596
nwi1xfrt.h3a.exe:1968
- Delete the original Malware file.
- Delete or disinfect the following files created/modified by the Malware:
%Documents and Settings%\%current user%\Local Settings\Temp\nsl14.tmp\inetc.dll (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\SearchProtect\UI\rep\UIRepository.dat (1057 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr18.tmp\inetc.dll (30 bytes)
%Program Files%\SearchProtect\Main\rep\SystemRepository.dat (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\SearchProtect\SearchProtect\rep\UserSettings.dat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\SearchProtect\SearchProtect\rep\UserRepository.dat (1751 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy7.tmp (11152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy8.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy8.tmp\StubUtils.dll (9320 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsqC.txt (71 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy8.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsqC.tmp (434424 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\SPSetup[1].exe (434424 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB.tmp\StubUtils.dll (9320 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsqA.tmp (11152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdD.txt (79 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nwi1xfrt.h3a.exe (18340 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\close-win-def.png (1 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\checkbox_checked.png (360 bytes)
%Program Files%\SearchProtect\UI\dialogs\settings\settings.js (11 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\bgUninstall.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\15.tmp (1 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\v.png (1 bytes)
%Program Files%\SearchProtect\SearchProtect\bin\SPVC64.dll (103387 bytes)
%Program Files%\SearchProtect\SearchProtect\bin\SPVC32.dll (287458 bytes)
%Program Files%\SearchProtect\EULA.txt (784 bytes)
%Program Files%\SearchProtect\UI\dialogs\protectionDS\protectionDS.html (2 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\Apply-onclick.png (2 bytes)
%Program Files%\SearchProtect\Main\bin\uninstall.exe (33747 bytes)
%Program Files%\SearchProtect\UI\dialogs\protectionDS\protectionDS.css (4 bytes)
%Program Files%\SearchProtect\UI\dialogs\uninstall\uninstall.css (5 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\menu-selected.png (3 bytes)
%Program Files%\SearchProtect\UI\dialogs\settings\defaults.js (1 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\radio-button2.png (886 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\btnSilver.png (1 bytes)
%Program Files%\SearchProtect\UI\dialogs\libs\main.js (10 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\checkbox.png (378 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\btnClose.png (933 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsuF.tmp (691196 bytes)
%Program Files%\SearchProtect\UI\dialogs\libs\json2.min.js (2 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\bgSettings.png (12 bytes)
%Program Files%\SearchProtect\SearchProtect\bin\SPTool64.exe (50351 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\hez-def.png (1 bytes)
%Program Files%\SearchProtect\UI\dialogs\libs\defaults.js (983 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\hez.png (256 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\close-win-over-click.png (1 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\radio-button.png (859 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\bg.png (784 bytes)
%Program Files%\SearchProtect\UI\dialogs\uninstall\defaults.js (1 bytes)
%Program Files%\SearchProtect\UI\bin\cltmngui.exe (100378 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\gray-bg.png (2 bytes)
%Program Files%\SearchProtect\UI\dialogs\style.css (7 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\bgSettingsDS.png (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu10.tmp\SPtool.dll (81046 bytes)
%Program Files%\SearchProtect\Main\bin\CltMngSvc.exe (97773 bytes)
%Program Files%\SearchProtect\SearchProtect\bin\cltmng.exe (170836 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\bg-uninstall.png (11 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\info-icon.png (424 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\browsers32.sdb (1 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\button-bg.png (1 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\icon-win.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq12.exe (5520 bytes)
%Program Files%\SearchProtect\UI\dialogs\uninstall\uninstall.js (5 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\radio-button-def.png (1 bytes)
%Program Files%\SearchProtect\UI\dialogs\libs\SPDialogAPI.js (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm16.exe (5520 bytes)
%Program Files%\SearchProtect\UI\dialogs\settings.html (8 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\bgNotif.png (9 bytes)
%Program Files%\SearchProtect\UI\dialogs\protection\protection.html (2 bytes)
%Program Files%\SearchProtect\UI\dialogs\settings\settings.html (12 bytes)
%Program Files%\SearchProtect\UI\dialogs\protection\defaults.js (1 bytes)
%Program Files%\SearchProtect\UI\dialogs\uninstall\uninstall.html (5 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\Settings-icon.png (1 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\bg-with-logo.png (1552 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\radio-button-selected.png (1 bytes)
%Program Files%\SearchProtect\UI\dialogs\protectionDS\protectionDS.js (7 bytes)
%Program Files%\SearchProtect\UI\dialogs\protection\protection.js (7 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\menu-rollover.png (1 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\text-field.png (1 bytes)
%Program Files%\SearchProtect\UI\dialogs\protection\protection.css (4 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\checkbox_def.png (274 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu10.tmp\inetc.dll (784 bytes)
%Program Files%\SearchProtect\UI\dialogs\libs\dialogUtils.js (1 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\btnBlue.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\ct3326582[1] (763 bytes)
%Program Files%\SearchProtect\Main\bin\SPTool.dll (81732 bytes)
%Program Files%\SearchProtect\UI\dialogs\libs\jquery.1.7.1.min.js (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv11.tmp (763 bytes)
%Program Files%\SearchProtect\SearchProtect\bin\SPVC32Loader.dll (6584 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\Apply-default.png (2 bytes)
%Program Files%\SearchProtect\UI\dialogs\settings\settings.css (8 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\Apply-Rollover.png (2 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\hez-selected.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu10.tmp\System.dll (11 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\x.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Program Files%\SearchProtect\UI\dialogs\protectionDS\defaults.js (1 bytes)
%Program Files%\SearchProtect\SearchProtect\bin\SPVC64Loader.dll (8560 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr3.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\downloadstub[1] (52 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc2.tmp (7189 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj4.exe (11736 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp (52 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr3.tmp\MiniStubUtils.dll (7192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\spstub[1].exe (11736 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr3.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.