MD5: 29137846a59db652c7b568a93622ae54
SHA1: fa8a41edaad84e1f364afb46eff0374c9fe093a6
SHA256: 26cc3bfe33096fc9456f134ac070cbe711485fa218b7a0e96f6a4f8b314b1761
SSDeep: 24576:LuJtbD0h3elu52V cGqnTUxcV6hAMbgkkBrmTiMAeL4iv8t:CJtbnucV crkAMbb6mTiMQt
Size: 1171958 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2014-05-11 23:03:36
Analyzed on: WindowsXP SP3 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

net.exe:916
sc.exe:280
sc.exe:1996
net1.exe:1620
%original file name%.exe:1676
ytd.exe:972
regsvr32.exe:304
DC%original file name%.exe:484
setup.exe:1964
find.exe:804

The Trojan injects its code into the following process(es):

YTDownloader.exe:1272

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1676 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nse3.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse3.tmp\NK.lky (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse3.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse3.tmp\DC%original file name%.exe (365555 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse3.tmp\781F2EA07B0657F6 (33633 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse2.tmp (37398 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse3.tmp\D1989.dll (14 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nse3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse3.tmp\NK.lky (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse3.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse3.tmp\DC%original file name%.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse3.tmp\781F2EA07B0657F6 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse3.tmp\D1989.dll (0 bytes)

The process ytd.exe:972 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\setup.exe (2385467 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\D1958.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\NK.lky (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss5.tmp (229287 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\setup1.exe (214141 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\setup.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\setup1.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\NK.lky (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\D1958.dll (0 bytes)

The process DC%original file name%.exe:484 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Install_10067\ytd.exe (84575 bytes)

The process setup.exe:1964 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsr8.tmp\nsExec.dll (6 bytes)
%Program Files%\YTDownloader\libeay32.dll (28908 bytes)
%WinDir%\Tasks\YTDownloader.job (942 bytes)
%Program Files%\YTDownloader\rtmpdump.exe (13874 bytes)
%Program Files%\YTDownloader\YTDownloader.exe (43494 bytes)
%Program Files%\YTDownloader\DownloadAPI.dll (48908 bytes)
%Program Files%\YTDownloader\Unelevate.exe (2384 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr8.tmp\System.dll (11 bytes)
%Program Files%\YTDownloader\YTD-icon-128x128.png (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr8.tmp\nsProcess.dll (4 bytes)
%Program Files%\YTDownloader\Updater.exe (17795 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr8.tmp\nsA.tmp (6 bytes)
%Program Files%\YTDownloader\download_ani.gif (9 bytes)
%Program Files%\YTDownloader\DownloadHelper.exe (10780 bytes)
%WinDir%\Tasks\SMupdate1.job (1158 bytes)
%Program Files%\YTDownloader\AniGIF.ocx (5702 bytes)
%Documents and Settings%\%current user%\Desktop\YTDownloader.lnk (1 bytes)
%Program Files%\YTDownloader\ssleay32.dll (3053 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr8.tmp\AccDownload.dll (10030 bytes)
%Program Files%\YTDownloader\convert_aniBW.gif (7 bytes)
%Program Files%\YTDownloader\sbmntr.sys (1188 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\YTDownloader\YTDownloader.lnk (1 bytes)
%Program Files%\Common Files\System\SysMenu.dll (18130 bytes)
%Program Files%\YTDownloader\YTDUninstall.exe (20217 bytes)
%Program Files%\YTDownloader\Download_completed.ico (1 bytes)
%Program Files%\YTDownloader\convert_ani.gif (762 bytes)
%Program Files%\YTDownloader\converter.exe (61968 bytes)
%WinDir%\Tasks\YTDownloaderUpd.job (912 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsr8.tmp\nsExec.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr8.tmp\nsProcess.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr8.tmp\nsA.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr9.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr8.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr8.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr8.tmp\AccDownload.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm7.tmp (0 bytes)

Registry activity

The process net.exe:916 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0A 03 6F E7 22 0A 68 BC C9 E3 97 1C 9C 73 B5 7F"

The process sc.exe:280 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "ED 5A 36 CA F7 8E 74 59 B1 07 B6 9E 1E 25 28 76"

The process sc.exe:1996 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A0 86 43 3A A3 D1 FD 55 37 C1 19 0F 65 90 5E 7B"

The process net1.exe:1620 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "49 6E F8 25 08 FF E7 AD 23 73 EE 38 17 6F 31 85"

The process %original file name%.exe:1676 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "03 15 8A A9 02 C2 55 B4 F1 10 CD E0 9D 5B 7E 7A"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process ytd.exe:972 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "88 AB A7 0B 1F C3 8D A4 40 ED 70 4B 74 4D 14 E2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process regsvr32.exe:304 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "53 14 69 11 A8 D4 72 24 F4 88 C6 DC AC A6 81 2C"

[HKCR\CLSID\{020B1D4B-5738-4C77-9E19-4F173DD9B486}]
"(Default)" = "SysMenuExt Class"

[HKCR\AppID\SysMenu.DLL]
"AppID" = "{D813D5BB-EBC7-45F9-B8A4-36A305168069}"

[HKCU\Software\Classes\*\ShellEx\ContextMenuHandlers\SysMenuExt]
"(Default)" = "{020B1D4B-5738-4C77-9E19-4F173DD9B486}"

[HKCR\CLSID\{020B1D4B-5738-4C77-9E19-4F173DD9B486}\InprocServer32]
"ThreadingModel" = "Apartment"
"(Default)" = "%Program Files%\Common Files\System\SysMenu.dll"

[HKCR\*\shellex\ContextMenuHandlers\SysMenuExt]
"(Default)" = "{020B1D4B-5738-4C77-9E19-4F173DD9B486}"

[HKCR\AppID\{D813D5BB-EBC7-45F9-B8A4-36A305168069}]
"(Default)" = "SysMenu"

The process DC%original file name%.exe:484 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MaxConnectionsPerServer" = "2"
"MaxConnectionsPer1_0Server" = "2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "46 D6 2E 9D 88 91 9B 64 46 10 EE C9 C4 59 18 04"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process setup.exe:1964 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCR\TypeLib\{82351433-9094-11D1-A24B-00A0C932C7DF}\1.5]
"(Default)" = "Animation GIF Control"

[HKLM\SOFTWARE\YTDownloader\Video Converter]
"ExeLocation" = "%Program Files%\YTDownloader\Converter.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCR\AniGIFPpg.AniGIFPpg]
"(Default)" = "AniGIFPpg Class"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsr8.tmp\AccDownload.dll,"

[HKCR\Interface\{82351440-9094-11D1-A24B-00A0C932C7DF}]
"(Default)" = "IAniGIF"

[HKCR\CLSID\{61AB12E1-A5FF-11D1-B2E9-444553540000}\InprocServer32]
"(Default)" = "%Program Files%\YTDownloader\AniGIF.ocx"

[HKCR\AniGIFCtrl.AniGIF\CurVer]
"(Default)" = "AniGIFCtrl.AniGIF"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations]
"intl" = "http://www.fileextensionpro.com/redir.aspx?s=defytd1&LangID=x&Ext=%s"

[HKLM\SOFTWARE\YTDownloader]
"ExeLocation" = "%Program Files%\YTDownloader\YTDownloader.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\YTDownloader]
"UninstallString" = "%Program Files%\YTDownloader\YTDUninstall.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCR\CLSID\{82351441-9094-11D1-A24B-00A0C932C7DF}\InprocServer32]
"(Default)" = "%Program Files%\YTDownloader\AniGIF.ocx"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCR\CLSID\{82351441-9094-11D1-A24B-00A0C932C7DF}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations]
"Application" = "http://www.fileextensionpro.com/redir.aspx?s=defytd1&LangID=x&Ext=%s"

[HKCR\CLSID\{82351441-9094-11D1-A24B-00A0C932C7DF}]
"(Default)" = "Animation GIF Control"

[HKLM\SOFTWARE\YTDownloader\Video Converter]
"FFUseConverter" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\YTDownloader]
"Publisher" = "YTDownloader"

[HKCR\CLSID\{82351441-9094-11D1-A24B-00A0C932C7DF}\ToolboxBitmap32]
"(Default)" = "%Program Files%\YTDownloader\AniGIF.ocx, 1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCR\AniGIFPpg2.AniGIFPpg2.1]
"(Default)" = "AniGIFPpg2 Class"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\YTDownloader]
"Aff" = "defytd1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCR\AniGIFCtrl.AniGIF]
"(Default)" = "Animation GIF Control"

[HKCR\AniGIFPpg.AniGIFPpg.1]
"(Default)" = "AniGIFPpg Class"

[HKCR\Interface\{82351440-9094-11D1-A24B-00A0C932C7DF}\TypeLib]
"Version" = "1.5"
"(Default)" = "{82351433-9094-11D1-A24B-00A0C932C7DF}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\YTDownloader]
"Aff" = "defytd1"

[HKCR\AniGIFPpg.AniGIFPpg.1\CLSID]
"(Default)" = "{6DC82D15-92F2-11D1-A255-00A0C932C7DF}"

[HKCR\TypeLib\{82351433-9094-11D1-A24B-00A0C932C7DF}\1.5\0\win32]
"(Default)" = "%Program Files%\YTDownloader\AniGIF.ocx"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1E 9E A1 B1 F0 02 DE 38 26 3E 88 E0 AD E4 F1 2A"

[HKCR\Interface\{5252AC41-94BB-11D1-B2E7-444553540000}\TypeLib]
"(Default)" = "{82351433-9094-11D1-A24B-00A0C932C7DF}"

[HKLM\SOFTWARE\YTDownloader]
"Version" = "1.0.3.9"

[HKLM\SOFTWARE\YTDownloader\Video Converter]
"Install" = "%Program Files%\YTDownloader\"

[HKCR\AniGIFPpg2.AniGIFPpg2.1\CLSID]
"(Default)" = "{61AB12E1-A5FF-11D1-B2E9-444553540000}"

[HKCR\CLSID\{82351441-9094-11D1-A24B-00A0C932C7DF}\Verb\0]
"(Default)" = "&Properties,0,2"

[HKCR\Interface\{5252AC41-94BB-11D1-B2E7-444553540000}\TypeLib]
"Version" = "1.5"

[HKCR\CLSID\{82351441-9094-11D1-A24B-00A0C932C7DF}\MiscStatus]
"(Default)" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCR\Interface\{82351440-9094-11D1-A24B-00A0C932C7DF}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\AniGIFPpg.AniGIFPpg\CurVer]
"(Default)" = "AniGIFPpg.AniGIFPpg.1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations]
"XMLLookup" = "http://www.fileextensionpro.com/redir.aspx?s=defytd1&LangID=x&Ext=%s&"

[HKCR\TypeLib\{82351433-9094-11D1-A24B-00A0C932C7DF}\1.5\FLAGS]
"(Default)" = "2"

[HKCU\Software\YTDownloader]
"Version" = "1.0.3.9"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\YTDownloader]
"DisplayIcon" = "%Program Files%\YTDownloader\YTDownloader.exe"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"net.exe" = "Net Command"

[HKCR\AniGIFPpg2.AniGIFPpg2\CurVer]
"(Default)" = "AniGIFPpg2.AniGIFPpg2.1"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCR\CLSID\{82351441-9094-11D1-A24B-00A0C932C7DF}\TypeLib]
"(Default)" = "{82351433-9094-11D1-A24B-00A0C932C7DF}"

[HKCR\CLSID\{82351441-9094-11D1-A24B-00A0C932C7DF}\MiscStatus\1]
"(Default)" = "131473"

[HKCR\CLSID\{6DC82D15-92F2-11D1-A255-00A0C932C7DF}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\AniGIFPpg2.AniGIFPpg2]
"(Default)" = "AniGIFPpg2 Class"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCR\AniGIFCtrl.AniGIF\CLSID]
"(Default)" = "{82351441-9094-11D1-A24B-00A0C932C7DF}"

[HKCR\CLSID\{61AB12E1-A5FF-11D1-B2E9-444553540000}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Interface\{5252AC41-94BB-11D1-B2E7-444553540000}]
"(Default)" = "IAniGIFEvents"

[HKCR\Interface\{5252AC41-94BB-11D1-B2E7-444553540000}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\YTDownloader]
"DisplayName" = "YTDownloader"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCR\Interface\{82351440-9094-11D1-A24B-00A0C932C7DF}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{5252AC41-94BB-11D1-B2E7-444553540000}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCR\CLSID\{82351441-9094-11D1-A24B-00A0C932C7DF}\ProgID]
"(Default)" = "AniGIFCtrl.AniGIF"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCR\CLSID\{61AB12E1-A5FF-11D1-B2E9-444553540000}]
"(Default)" = "AniGIFPpg2 Class"

[HKCR\CLSID\{82351441-9094-11D1-A24B-00A0C932C7DF}\Version]
"(Default)" = "1.5"

[HKCR\CLSID\{82351441-9094-11D1-A24B-00A0C932C7DF}\Verb]
"(Default)" = ""

[HKCR\CLSID\{6DC82D15-92F2-11D1-A255-00A0C932C7DF}]
"(Default)" = "AniGIFPpg Class"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKCR\CLSID\{6DC82D15-92F2-11D1-A255-00A0C932C7DF}\InprocServer32]
"(Default)" = "%Program Files%\YTDownloader\AniGIF.ocx"

[HKCR\AniGIFCtrl.AniGIF\Insertable]
"(Default)" = ""

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"sc.exe" = "A tool to aid in developing services for WindowsNT"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\YTDownloader.exe]
"(Default)" = "%Program Files%\YTDownloader\YTDownloader.exe"

[HKCR\TypeLib\{82351433-9094-11D1-A24B-00A0C932C7DF}\1.5\HELPDIR]
"(Default)" = "%Program Files%\YTDownloader\"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"YTDownloader" = "%Program Files%\YTDownloader\YTDownloader.exe /boot"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YTDownloader" = "%Program Files%\YTDownloader\YTDownloader.exe /boot"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan deletes the following registry key(s):

[HKCR\CLSID\{82351441-9094-11D1-A24B-00A0C932C7DF}\Programmable]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
"MaxConnectionsPerServer"
"MaxConnectionsPer1_0Server"

The process YTDownloader.exe:1272 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\YTDownloader]
"UserId" = "{3A616D21-EE35-453F-B6DF-28AE30518C83}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1F 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "38 94 AD 00 A2 B2 22 97 C6 40 A7 86 5F 23 56 C8"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\YTDownloader]
"UserId" = "{3A616D21-EE35-453F-B6DF-28AE30518C83}"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process find.exe:804 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "00 FE 84 B0 88 22 AC 4E 7B A9 7E 30 54 02 DC C7"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name:
Product Version: 1.6.6697.308
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.6.6697.308
File Description:
Comments:
Language: English (United States)

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 1
0899f44ff3075456dde36ec53406b055

URLs

URL	IP
hxxp://d1cfk8e4o0c4u2.cloudfront.net/p.ashx?e=WL9usJOVMsMN1MB2JYZLYh2TgJGND6I1FOuh80Io0Y5XGmhmyGgv7tSDdIjv1GLxDyP8Uhm xN1D7 NBD6lt6/XGnodDMUnnxMxekHFSjz1gKkdlz1lRocVwJfcRD1hSQlC/zd7KOiMM2aYa6DxQ3JzxkjoOk 336drvT37EAEMzfaxy UcmgVeD6 h702lVnRSXiQoYHeeDYt44hxYDSrr7ONig86K71bKQFrMIrp LG8h0VDqQlRTSo whs6P83N7iu97gHnm69Z1cpY9ZfWQzM8iYn5gpD 4fcPjtTaMpqaEcw/N/GnEHwQiN IAIiaROhATmdCaSi0H1Fb/qmXEJOJ/v4dEIxiJSIxFfQwloOhUPDkG8iXVLGT11UXZSft6HdhHlMpZFtoh93IRGrMTQfYT78rW6o JhFVUwrL/KKMB ON7 S1TM8xmV4vn51tQUcd/Mb9Q9 jgxQV81SjU9ECJIYR gVBQ6tZIG/N4jqSSo1MlOlksgSmpM3ZI6	54.192.55.15
hxxp://d1cfk8e4o0c4u2.cloudfront.net/p.ashx?e=WL9usJOVMsMN1MB2JYZLYh2TgJGND6I1FOuh80Io0Y5XGmhmyGgv7tSDdIjv1GLxDyP8Uhm xN1D7 NBD6lt6/XGnodDMUnnxMxekHFSjz1gKkdlz1lRoVq4dUk9GnPsFAL52sIXt4U0qLzPw Pacn85/VVOVEM HReSOat uWftQNAasvl72Nd5jLtADn9g6qP9S531UPX/YHo5o9T6zS7iGdXF1I0rCsbt2RZNO3R0vfc4gGyylsTQfYT78rW6o JhFVUwrL/KKMB ON7 S1TM8xmV4vn51tQUcd/Mb9Q9 jgxQV81SjU9ECJIYR gVBQ6tZIG/N4jqSSo1MlOlksgSmpM3ZI6	54.192.55.15
hxxp://d1cfk8e4o0c4u2.cloudfront.net/t.ashx?e=WL9usJOVMsOEyHZoFFyrCNjAsLtQTvGI0/O0FfY/6t0oHZkq4q5PhSAvELRpepitC/ dZmzuxuj5lDnhnN785ikWnBSPkhjgLhu0b45kiT/jJX2BNWr5ZmwkqgaQEwGAs IILilpWF0klpIg/vGiFhQGw7w7bWmjz7d9KaLD84/d0InrHGn4CaR2deZjme0S	54.192.55.15
hxxp://d1cfk8e4o0c4u2.cloudfront.net/p.ashx?e=PcwT4QFtuPCzqpRpksQuKeidgQbJTNnNsAPUfDdnCMQ2fVsQFDtppEzdxKtV2DR5sjXc/AJnTaE/Hea5XI1RYL2I0JMbheXth/3HwzB5AGtYtrOl7BfDWA5Mtw6p9U5dKYX3Ti/i3YNxO48S9k5zx42nGtSBySjjX6ABQ4xl C6XAmRABUbmSYRA5W RLpwIoLj8WN7CI8UMxa2WeHrKRyBZCO2afqnMa6x3zkCgV6b4CcSts4/UjKHuMXIWCZm3VEJM29bKPct9pTKWYJ31dA==	54.192.55.15
hxxp://d1cfk8e4o0c4u2.cloudfront.net/p.ashx?e=PcwT4QFtuPCzqpRpksQuKeidgQbJTNnNsAPUfDdnCMQ2fVsQFDtppEzdxKtV2DR5sjXc/AJnTaE/Hea5XI1RYL2I0JMbheXth/3HwzB5AGtYtrOl7BfDWAeEuJy eF9fKYX3Ti/i3YOG9SIsJmG3UfDVXG8fnVsUkXiRAgddMCaMVoLWI3pNMYIaukc1i7BW6ysA rfm9WUSNqHBj4SO4yYSb1GEoROqZmAps8BVSXglgiOLNNBjEgBuh29JERPL	54.192.55.15
hxxp://d1cfk8e4o0c4u2.cloudfront.net/p.ashx?e=PcwT4QFtuPCzqpRpksQuKeidgQbJTNnNsAPUfDdnCMQ2fVsQFDtppEzdxKtV2DR5sjXc/AJnTaE/Hea5XI1RYL2I0JMbheXth/3HwzB5AGtYtrOl7BfDWJKvgNPDm5dkjgb6v7cXpPth71QQSR2eRlO8xmMRVWZOb7j5JAyiJ5DwvGnwcuiCjBHn3WtPO7Tk9NtefOTH4Uq4Bo4Z/9PuTtLZlh1VxYn0pbQ3Mz1HZ3rid52NAP26nQXge6CT6xQU	54.192.55.15
hxxp://d1cfk8e4o0c4u2.cloudfront.net/p.ashx?e=PcwT4QFtuPCzqpRpksQuKeidgQbJTNnNsAPUfDdnCMQ2fVsQFDtppEzdxKtV2DR5sjXc/AJnTaE/Hea5XI1RYL2I0JMbheXth/3HwzB5AGtYtrOl7BfDWFDwWd9hvLDxFAL52sIXt4XVoJPRVPVAkz3ZLnbsoZ9zX6ABQ4xl C6XAmRABUbmSYRA5W RLpwIoLj8WN7CI8UMxa2WeHrKRyBZCO2afqnMa6x3zkCgV6b4CcSts4/UjKHuMXIWCZm3VEJM29bKPct9pTKWYJ31dA==	54.192.55.15
hxxp://d1cfk8e4o0c4u2.cloudfront.net/p.ashx?e=PcwT4QFtuPCzqpRpksQuKeidgQbJTNnNsAPUfDdnCMQ2fVsQFDtppEzdxKtV2DR5sjXc/AJnTaE/Hea5XI1RYL2I0JMbheXth/3HwzB5AGtYtrOl7BfDWPa HuGTRyAEFAL52sIXt4Ua8Zp/ 13YC175vqqyfEnMnylXnslTRg848241y0s0/3gUxyF5wkLuxNB9hPvytbqj4mEVVTCsv8oowH443v5LVMzzGZXi fnW1BRx38xv1D36ODFBXzVKNT0QIkhhH6BUFDq1kgb83iOpJKjUyU6WSyBKakzdkjo=	54.192.55.15
hxxp://d1cfk8e4o0c4u2.cloudfront.net/p.ashx?e=PcwT4QFtuPCzqpRpksQuKeidgQbJTNnNsAPUfDdnCMQ2fVsQFDtppEzdxKtV2DR5sjXc/AJnTaE/Hea5XI1RYL2I0JMbheXth/3HwzB5AGtYtrOl7BfDWDz0zfD6NQ4eEwAaRG2pHiUPesst1ukiDgCtEn0QpjuXhJ1Bh5YeUQcklpIg/vGiFhQGw7w7bWmjz7d9KaLD84/d0InrHGn4CSSNrM4iVH1Iqd0uUswfQiRimgyLFyRmMmfDOy0tQ16fypu vyWEkjo3i5zcr4m1yJ5wZ1mD1iMg	54.192.55.15
hxxp://d1cfk8e4o0c4u2.cloudfront.net/p.ashx?e=PcwT4QFtuPCzqpRpksQuKeidgQbJTNnNsAPUfDdnCMQ2fVsQFDtppEzdxKtV2DR5sjXc/AJnTaE/Hea5XI1RYL2I0JMbheXth/3HwzB5AGtYtrOl7BfDWLqfIekNLhs5jgb6v7cXpPu93RkgrfPIdK/1bjUefs49JU1ySiay1sqdymVuPyjsZySWkiD 8aIWFAbDvDttaaPPt30posPzj93QiescafgJJI2sziJUfUip3S5SzB9CJGKaDIsXJGYyZ8M7LS1DXp/Km76/JYSSOjeLnNyvibXInnBnWYPWIyA=	54.192.55.15
hxxp://d1cfk8e4o0c4u2.cloudfront.net/p.ashx?e=PcwT4QFtuPCzqpRpksQuKeidgQbJTNnNsAPUfDdnCMQ2fVsQFDtppEzdxKtV2DR5sjXc/AJnTaE/Hea5XI1RYL2I0JMbheXth/3HwzB5AGtYtrOl7BfDWL9PKObAHk8Ms IILilpWF0oVqJUL9ojcMbrniShQ3GQLdA rHOtLvrw1VxvH51bFJF4kQIHXTAmjFaC1iN6TTGCGrpHNYuwVusrAPq35vVlEjahwY EjuMmEm9RhKETqmZgKbPAVUl4JYIjizTQYxIAbodvSRETyw==	54.192.55.15
hxxp://d1cfk8e4o0c4u2.cloudfront.net/p.ashx?e=PcwT4QFtuPCzqpRpksQuKeidgQbJTNnNsAPUfDdnCMQ2fVsQFDtppEzdxKtV2DR5sjXc/AJnTaE/Hea5XI1RYL2I0JMbheXth/3HwzB5AGtYtrOl7BfDWJR0WuEl7dbF0kOkPP/ lcpu8eAfWsOK5ZLOhm7KiO348MKRqZY TBH6dnj3H5nABo2ac9bD3MadSN58qZygCScEpVXMQzDInewhsAaqZyLDXfoxKwRpIg6jJ3KIwx8xNdj785qz30kYhcDgB1bEKuAsiJf2LuD1gnttEnNPrarXHkYMF1sFL98=	54.192.55.15
hxxp://d1cfk8e4o0c4u2.cloudfront.net/p.ashx?e=PcwT4QFtuPCzqpRpksQuKeidgQbJTNnNsAPUfDdnCMQ2fVsQFDtppEzdxKtV2DR5sjXc/AJnTaE/Hea5XI1RYL2I0JMbheXth/3HwzB5AGtYtrOl7BfDWI5PPWYBcW8Gs IILilpWF3nW9YwSk5gj28Va7JmIs/Bl13yhrpfYAMeIGfrzyWRyvy2gKbXyPPDXUoXAX2Uiz3W6sPFKrniCyxamEHwe AYLkxhdnC/RJrb4ZR 6izXtqnDUZD3eCjLyi7SKmc/IBy20dyWy qRxW8Z0xfsfWTqGyNtTx8B1oEVrVKlXJV57rQrS1fRu2prTG2sGEv8qBE=	54.192.55.15
hxxp://d1cfk8e4o0c4u2.cloudfront.net/p.ashx?e=WL9usJOVMsOEyHZoFFyrCNjAsLtQTvGI0/O0FfY/6t0oHZkq4q5PhSAvELRpepitC/ dZmzuxuj5lDnhnN785ikWnBSPkhjgLhu0b45kiT/XpciovEgse2DHUe356ADpreizXIw2lEXuAG0Hn6RhSl2loKLeLycAJJaSIP7xohYUBsO8O21po8 3fSmiw/OP3dCJ6xxp AmkdnXmY5ntEg==	54.192.55.15
hxxp://d1cfk8e4o0c4u2.cloudfront.net/p.ashx?e=WL9usJOVMsOEyHZoFFyrCNjAsLtQTvGI0/O0FfY/6t0oHZkq4q5PhSAvELRpepitC/ dZmzuxuj5lDnhnN785ikWnBSPkhjgLhu0b45kiT/XpciovEgse2DHUe356ADpreizXIw2lEUbPLm xNo0/Q2TwyUgITHw7M71aw1jTiwe4rptvpzkE7rdPSRwCrZGCcpIYc/YSz6Xbw9QoO9/zrRzhGRDOD7fjZpz1sPcxp1I3nypnKAJJwSlVcxDMMid7CGwBqpnIsMss0xdmNFlbg==	54.192.55.15
hxxp://d1cfk8e4o0c4u2.cloudfront.net/p.ashx?e=FmLXHIo2Uvb 62MRiZt5RXg9MZRqwSFLgDEcVfgp pZUqoyU5wu/FHgrNFMzt4cHVNjr MdHCgg5Mx0Q7JMpqLcOUM6NG7Lid/XCztdoPbKOm5eZ4cw1FBPrMwLm 2sRKYX3Ti/i3YNEqhMhLlqU 0COCGFuwZcChv/PiC3eG4oUVviRAos4otKOgpxEcX4mdulfay3 QHnrjkyflkSfc/1L97NjziqdG7jbLAgNmCU14 zZD gIMscnzZ8H2BKW	54.192.55.15
hxxp://d1cfk8e4o0c4u2.cloudfront.net/p.ashx?e=WL9usJOVMsOEyHZoFFyrCNjAsLtQTvGI0/O0FfY/6t0oHZkq4q5PhSAvELRpepitC/ dZmzuxuj5lDnhnN785ikWnBSPkhjgLhu0b45kiT/XpciovEgse2DHUe356ADpxRFQWZg5auASij6iR4hMLDZiH7tUU1aoxNB9hPvytbqj4mEVVTCsv8oowH443v5LVMzzGZXi fl6ZL2NeMWCfA==	54.192.55.15
hxxp://d1cfk8e4o0c4u2.cloudfront.net/p.ashx?e=M5cPy8d51cPYwLC7UE7xiNPztBX2P rdKB2ZKuKuT4UgLxC0aXqYrQv/nWZs7sbo ZQ54Zze/OYpFpwUj5IY4C4btG OZIk/mETyJyixTFVdn5IXPnT9 7PiCC4paVhdP91D/3KSFUVTvMZjEVVmTm 4 SQMoieQ8Lxp8HLogowR591rTzu05A==	54.192.55.15
hxxp://d1cfk8e4o0c4u2.cloudfront.net/p.ashx?e=2v0SNuZrMFyRcITdAqjv5v7rYxGJm3lFeD0xlGrBIUuAMRxV Cn6lg49NnWHhDotWxA4H76t7h snEMebxE8BC1VAldyGGh24u3oGHN86wMFedaS6HkvNpR90anDedSCpjurIyC9QLCNmnPWw9zGnUjefKmcoAknBKVVzEMwyJ3sIbAGqmciwyyzTF2Y0WVu	54.192.55.15
hxxp://d1cfk8e4o0c4u2.cloudfront.net/p.ashx?e=WL9usJOVMsOEyHZoFFyrCNjAsLtQTvGI0/O0FfY/6t0oHZkq4q5PhSAvELRpepitC/ dZmzuxuj5lDnhnN785ikWnBSPkhjgLhu0b45kiT8FwTBnjqtB6SJSQWKLfKoAjgb6v7cXpPth71QQSR2eRlO8xmMRVWZOb7j5JAyiJ5DwvGnwcuiCjBHn3WtPO7Tk	54.192.55.15
hxxp://d1cfk8e4o0c4u2.cloudfront.net/p.ashx?e=PcwT4QFtuPCzqpRpksQuKeidgQbJTNnNsAPUfDdnCMQ2fVsQFDtppEzdxKtV2DR5sjXc/AJnTaE/Hea5XI1RYL2I0JMbheXth/3HwzB5AGtYtrOl7BfDWKnmGGYVS7/B0JQd5HxgIXfmCWsTLnvD bTtF4P/Nzf4R5ehg170ggfw1VxvH51bFJF4kQIHXTAmjFaC1iN6TTGCGrpHNYuwVusrAPq35vVlEjahwY EjuMmEm9RhKETqmZgKbPAVUl4JYIjizTQYxIAbodvSRETyw==	54.192.55.15
hxxp://d1cfk8e4o0c4u2.cloudfront.net/p.ashx?e=2fVCHF6kf8jCiOnT8Um5ouidgQbJTNnNalcj1RnQPrw2fVsQFDtppEzdxKtV2DR5sjXc/AJnTaE/Hea5XI1RYL2I0JMbheXth/3HwzB5AGvVAezdf3aKUde3upwN8WEnBPEhRyyBD7DBycn/ z ABHdpazB264dVxNB9hPvytbqj4mEVVTCsv8oowH443v5LVMzzGZXi fnW1BRx38xv1D36ODFBXzVKNT0QIkhhH6BUFDq1kgb83iOpJKjUyU6WSyBKakzdkjo=	54.192.55.15
hxxp://s3-website-us-east-1.amazonaws.com/YTDownloaderFull.exe
hxxp://d1cfk8e4o0c4u2.cloudfront.net/p.ashx?e=4mC0vXGWFtoTEvwWndeMvNjAsLtQTvGIob8W7g4JmP0oHZkq4q5Phf DN4zpiDr184gNp9AlyFVbEDgfvq3uH6ycQx5vETwELVUCV3IYaHamORnDBzp0fjy wf5ge9G297Kvy9WMpSiz4gguKWlYXQ6ISG4/EOlW0UhyRqcS69JoTYruzFX zwb91USjiT0qLkxhdnC/RJrb4ZR 6izXtqnDUZD3eCjLyi7SKmc/IBy20dyWy qRxW8Z0xfsfWTqGyNtTx8B1oEVrVKlXJV57rQrS1fRu2prTG2sGEv8qBE=	54.192.55.15
hxxp://www.ytdownloader.com/app/ping.ashx?action=S_INSTALL&usid=1844237615-1960408961-1801674531&aff=defytd1&rnd=32437&v=1.0.3.9&url=&title=&pingtext=Files& protocol=&size=0&ref=&browser=	107.20.238.80
hxxp://d1cfk8e4o0c4u2.cloudfront.net/p.ashx?e=043Mckb8Lnhw7iCtSAyu//7rYxGJm3lFYZ2TXrGrLo6AMRxV Cn6llSqjJTnC78UeCs0UzO3hwdU2Ov4x0cKCDkzHRDskymotw5Qzo0bsuIuv3tl1Z4b4YXOg23g5 yPOzV4mKJhjCiOBvq/txek 2w3QD/hoj2EiE838kKFf1z4yRv0gpvvoa/1bjUefs49JU1ySiay1sqdymVuPyjsZ40oQa07NiSGCj VsqVAdN2URddPycjeHI2ac9bD3MadSN58qZygCScEpVXMQzDInewhsAaqZyLDXfoxKwRpIg6jJ3KIwx8xNdj785qz30kYhcDgB1bEKuAsiJf2LuD1gnttEnNPrarXHkYMF1sFL98=	54.192.55.15
hxxp://d1cfk8e4o0c4u2.cloudfront.net/p.ashx?e=043Mckb8Lnhw7iCtSAyu//7rYxGJm3lFYZ2TXrGrLo6AMRxV Cn6llSqjJTnC78UeCs0UzO3hwdU2Ov4x0cKCDkzHRDskymotw5Qzo0bsuIuv3tl1Z4b4fqozZtQ7Aql1cNdkeqH5v1GGDRZSzPReVlB8MlHWpnp8r3LyJmzPQXE0H2E /K1uqPiYRVVMKy/yijAfjje/ktUzPMZleL5 dbUFHHfzG/UPfo4MUFfNUo1PRAiSGEfoFQUOrWSBvzeI6kkqNTJTpZLIEpqTN2SOg==	54.192.55.15
hxxp://d1cfk8e4o0c4u2.cloudfront.net/p.ashx?e=/TVH52TeC6TYwLC7UE7xiNadB5qlqbxjKB2ZKuKuT4X/gzeM6Yg69fOIDafQJchVWxA4H76t7h snEMebxE8BC1VAldyGGh2tOflmY5yJPUUylR/HjWbOd2e5PDAg/ZO0JQd5HxgIXe7dwEpH50ejEUygQwn ymuY13dldRPNj7w1VxvH51bFJF4kQIHXTAmjFaC1iN6TTGCGrpHNYuwVusrAPq35vVlEjahwY EjuMmEm9RhKETqmZgKbPAVUl4JYIjizTQYxIAbodvSRETyw==	54.192.55.15
hxxp://rep.ytdownloader.com/app/ping.ashx?action=install&userid=&usid=1844237615-1960408961-1801674531&aff=defytd1&v=1.0.3.9&url=&title=&pingtext=MzI0MzcA&protocol=&size=0&ref=&browser=	54.197.238.106
hxxp://rep.ytdownloader.com/app/ping.ashx?action=start&userid={3A616D21-EE35-453F-B6DF-28AE30518C83}&usid=1844237615-1960408961-1801674531&aff=defytd1&v=1.0.3.9&url=&title=&pingtext=TWljcm9zb2Z0IFdpbmRvd3MgWFAgUHJvZmVzc2lvbmFsIFNlcnZpY2UgUGFjayAzIChidWlsZCAyNjAwKQA=&protocol=&size=0&ref=&browser=	54.197.238.106
hxxp://rep.ytdownloader.com/app/ping.ashx?action=start&userid={3A616D21-EE35-453F-B6DF-28AE30518C83}&usid=1844237615-1960408961-1801674531&aff=defytd1&v=1.0.3.9&url=&title=&pingtext=IGNvbnZlcnRlcjogMy4zLjEuMzsgZHJpdmVyOiBDOlxQcm9ncmFtIEZpbGVzXFlURG93bmxvYWRlclxzYm1udHIuc3lzIDEuMC4wLjI7IGhlbHBlcjogMS4wLjEuNTsgc2VydmljZTogMS4wLjEuNTsA&protocol=&size=0&ref=&browser=	54.197.238.106
hxxp://ytdownloader.s3-website-us-east-1.amazonaws.com/YTDownloaderFull.exe	176.32.98.241
hxxp://d1vw44q53d84jx.cloudfront.net/t.ashx?e=WL9usJOVMsOEyHZoFFyrCNjAsLtQTvGI0/O0FfY/6t0oHZkq4q5PhSAvELRpepitC/ dZmzuxuj5lDnhnN785ikWnBSPkhjgLhu0b45kiT/jJX2BNWr5ZmwkqgaQEwGAs IILilpWF0klpIg/vGiFhQGw7w7bWmjz7d9KaLD84/d0InrHGn4CaR2deZjme0S	54.230.52.98

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET TROJAN Possible Win32/Gapz MSIE 9 on Windows NT 5
ET POLICY Executable served from Amazon S3

Traffic

GET /p.ashx?e=WL9usJOVMsMN1MB2JYZLYh2TgJGND6I1FOuh80Io0Y5XGmhmyGgv7tSDdIjv1GLxDyP8Uhm xN1D7 NBD6lt6/XGnodDMUnnxMxekHFSjz1gKkdlz1lRoVq4dUk9GnPsFAL52sIXt4U0qLzPw Pacn85/VVOVEM HReSOat uWftQNAasvl72Nd5jLtADn9g6qP9S531UPX/YHo5o9T6zS7iGdXF1I0rCsbt2RZNO3R0vfc4gGyylsTQfYT78rW6o JhFVUwrL/KKMB ON7 S1TM8xmV4vn51tQUcd/Mb9Q9 jgxQV81SjU9ECJIYR gVBQ6tZIG/N4jqSSo1MlOlksgSmpM3ZI6 HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1; SBUA)

Host: d1cfk8e4o0c4u2.cloudfront.net

HTTP/1.1 200 OK

Content-Type: text/plain

Content-Length: 0

Connection: keep-alive

Cache-Control: private,no-cache, no-store

Server: Microsoft-IIS/8.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Wed, 24 Sep 2014 19:44:40 GMT

X-Cache: Miss from cloudfront

Via: 1.1 a0aaf1abd7d78f63e60d1993fb2566d9.cloudfront.net (CloudFront)

X-Amz-Cf-Id: qYQlE47KDcp6jnEBzSIk-fdtsmd7QSjlYpYU_iP0Hxpp2PCpQeh5EQ==
....


GET /p.ashx?e=PcwT4QFtuPCzqpRpksQuKeidgQbJTNnNsAPUfDdnCMQ2fVsQFDtppEzdxKtV2DR5sjXc/AJnTaE/Hea5XI1RYL2I0JMbheXth/3HwzB5AGtYtrOl7BfDWAeEuJy eF9fKYX3Ti/i3YOG9SIsJmG3UfDVXG8fnVsUkXiRAgddMCaMVoLWI3pNMYIaukc1i7BW6ysA rfm9WUSNqHBj4SO4yYSb1GEoROqZmAps8BVSXglgiOLNNBjEgBuh29JERPL HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1; SBUA)

Host: d1cfk8e4o0c4u2.cloudfront.net

HTTP/1.1 200 OK

Content-Type: text/plain

Content-Length: 0

Connection: keep-alive

Cache-Control: private,no-cache, no-store

Server: Microsoft-IIS/7.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Wed, 24 Sep 2014 19:44:50 GMT

X-Cache: Miss from cloudfront

Via: 1.1 a0aaf1abd7d78f63e60d1993fb2566d9.cloudfront.net (CloudFront)

X-Amz-Cf-Id: u1ZC65RqoLSCRLBa8WJWOruRkpcNSLDUvx83U9eEIqqGGcf-CbS4aA==
....


GET /p.ashx?e=PcwT4QFtuPCzqpRpksQuKeidgQbJTNnNsAPUfDdnCMQ2fVsQFDtppEzdxKtV2DR5sjXc/AJnTaE/Hea5XI1RYL2I0JMbheXth/3HwzB5AGtYtrOl7BfDWFDwWd9hvLDxFAL52sIXt4XVoJPRVPVAkz3ZLnbsoZ9zX6ABQ4xl C6XAmRABUbmSYRA5W RLpwIoLj8WN7CI8UMxa2WeHrKRyBZCO2afqnMa6x3zkCgV6b4CcSts4/UjKHuMXIWCZm3VEJM29bKPct9pTKWYJ31dA== HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1; SBUA)

Host: d1cfk8e4o0c4u2.cloudfront.net

HTTP/1.1 200 OK

Content-Type: text/plain

Content-Length: 0

Connection: keep-alive

Cache-Control: private,no-cache, no-store

Server: Microsoft-IIS/7.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Wed, 24 Sep 2014 19:44:50 GMT

X-Cache: Miss from cloudfront

Via: 1.1 a0aaf1abd7d78f63e60d1993fb2566d9.cloudfront.net (CloudFront)

X-Amz-Cf-Id: EBG184fGRbKf7LS7A5Qwydmrtz6a0IYmdtNuO_1FXVAXcO4W9d-T7Q==
....


GET /p.ashx?e=PcwT4QFtuPCzqpRpksQuKeidgQbJTNnNsAPUfDdnCMQ2fVsQFDtppEzdxKtV2DR5sjXc/AJnTaE/Hea5XI1RYL2I0JMbheXth/3HwzB5AGtYtrOl7BfDWDz0zfD6NQ4eEwAaRG2pHiUPesst1ukiDgCtEn0QpjuXhJ1Bh5YeUQcklpIg/vGiFhQGw7w7bWmjz7d9KaLD84/d0InrHGn4CSSNrM4iVH1Iqd0uUswfQiRimgyLFyRmMmfDOy0tQ16fypu vyWEkjo3i5zcr4m1yJ5wZ1mD1iMg HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1; SBUA)

Host: d1cfk8e4o0c4u2.cloudfront.net

HTTP/1.1 200 OK

Content-Type: text/plain

Content-Length: 0

Connection: keep-alive

Cache-Control: private,no-cache, no-store

Server: Microsoft-IIS/8.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Wed, 24 Sep 2014 19:44:40 GMT

X-Cache: Miss from cloudfront

Via: 1.1 a0aaf1abd7d78f63e60d1993fb2566d9.cloudfront.net (CloudFront)

X-Amz-Cf-Id: yCXA-JcnpHtlFH_Da5qCw3upqJNukdJpZUnmsn7wO5X1nOc8pYeNKA==
....


GET /p.ashx?e=PcwT4QFtuPCzqpRpksQuKeidgQbJTNnNsAPUfDdnCMQ2fVsQFDtppEzdxKtV2DR5sjXc/AJnTaE/Hea5XI1RYL2I0JMbheXth/3HwzB5AGtYtrOl7BfDWL9PKObAHk8Ms IILilpWF0oVqJUL9ojcMbrniShQ3GQLdA rHOtLvrw1VxvH51bFJF4kQIHXTAmjFaC1iN6TTGCGrpHNYuwVusrAPq35vVlEjahwY EjuMmEm9RhKETqmZgKbPAVUl4JYIjizTQYxIAbodvSRETyw== HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1; SBUA)

Host: d1cfk8e4o0c4u2.cloudfront.net

HTTP/1.1 200 OK

Content-Type: text/plain

Content-Length: 0

Connection: keep-alive

Cache-Control: private,no-cache, no-store

Server: Microsoft-IIS/8.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Wed, 24 Sep 2014 19:44:41 GMT

X-Cache: Miss from cloudfront

Via: 1.1 a0aaf1abd7d78f63e60d1993fb2566d9.cloudfront.net (CloudFront)

X-Amz-Cf-Id: 2pdDqjn6hJ0-nqVzzB1uW1ky8V4dQcQ3-oNN3tQvTISm876QaCIBCA==
....


GET /p.ashx?e=PcwT4QFtuPCzqpRpksQuKeidgQbJTNnNsAPUfDdnCMQ2fVsQFDtppEzdxKtV2DR5sjXc/AJnTaE/Hea5XI1RYL2I0JMbheXth/3HwzB5AGtYtrOl7BfDWJR0WuEl7dbF0kOkPP/ lcpu8eAfWsOK5ZLOhm7KiO348MKRqZY TBH6dnj3H5nABo2ac9bD3MadSN58qZygCScEpVXMQzDInewhsAaqZyLDXfoxKwRpIg6jJ3KIwx8xNdj785qz30kYhcDgB1bEKuAsiJf2LuD1gnttEnNPrarXHkYMF1sFL98= HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1; SBUA)

Host: d1cfk8e4o0c4u2.cloudfront.net

HTTP/1.1 200 OK

Content-Type: text/plain

Content-Length: 0

Connection: keep-alive

Cache-Control: private,no-cache, no-store

Server: Microsoft-IIS/7.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Wed, 24 Sep 2014 19:44:50 GMT

X-Cache: Miss from cloudfront

Via: 1.1 a0aaf1abd7d78f63e60d1993fb2566d9.cloudfront.net (CloudFront)

X-Amz-Cf-Id: QmerIka5im25rRrGAs3X76FqiNKau5mIaW-5gG-EeP9CF474zoTycQ==
....


GET /p.ashx?e=WL9usJOVMsOEyHZoFFyrCNjAsLtQTvGI0/O0FfY/6t0oHZkq4q5PhSAvELRpepitC/ dZmzuxuj5lDnhnN785ikWnBSPkhjgLhu0b45kiT/XpciovEgse2DHUe356ADpreizXIw2lEXuAG0Hn6RhSl2loKLeLycAJJaSIP7xohYUBsO8O21po8 3fSmiw/OP3dCJ6xxp AmkdnXmY5ntEg== HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1; SBUA)

Host: d1cfk8e4o0c4u2.cloudfront.net

HTTP/1.1 200 OK

Content-Type: text/plain

Content-Length: 0

Connection: keep-alive

Cache-Control: private,no-cache, no-store

Server: Microsoft-IIS/8.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Wed, 24 Sep 2014 19:44:41 GMT

X-Cache: Miss from cloudfront

Via: 1.1 a0aaf1abd7d78f63e60d1993fb2566d9.cloudfront.net (CloudFront)

X-Amz-Cf-Id: rR4nD3xkZuDyTVdT_njq-2ddHESr1woEULTgy_4QR87mkWHzYgvmzg==
....


GET /p.ashx?e=FmLXHIo2Uvb 62MRiZt5RXg9MZRqwSFLgDEcVfgp pZUqoyU5wu/FHgrNFMzt4cHVNjr MdHCgg5Mx0Q7JMpqLcOUM6NG7Lid/XCztdoPbKOm5eZ4cw1FBPrMwLm 2sRKYX3Ti/i3YNEqhMhLlqU 0COCGFuwZcChv/PiC3eG4oUVviRAos4otKOgpxEcX4mdulfay3 QHnrjkyflkSfc/1L97NjziqdG7jbLAgNmCU14 zZD gIMscnzZ8H2BKW HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1; SBUA)

Host: d1cfk8e4o0c4u2.cloudfront.net

HTTP/1.1 200 OK

Content-Type: text/plain

Content-Length: 0

Connection: keep-alive

Cache-Control: private,no-cache, no-store

Server: Microsoft-IIS/8.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Wed, 24 Sep 2014 19:44:41 GMT

X-Cache: Miss from cloudfront

Via: 1.1 a0aaf1abd7d78f63e60d1993fb2566d9.cloudfront.net (CloudFront)

X-Amz-Cf-Id: fIT6k1g131tU6eK3EXadyUb-u5rvUf6UKYPW6XAW3PNrwcZNDO3MFg==
....


GET /p.ashx?e=M5cPy8d51cPYwLC7UE7xiNPztBX2P rdKB2ZKuKuT4UgLxC0aXqYrQv/nWZs7sbo ZQ54Zze/OYpFpwUj5IY4C4btG OZIk/mETyJyixTFVdn5IXPnT9 7PiCC4paVhdP91D/3KSFUVTvMZjEVVmTm 4 SQMoieQ8Lxp8HLogowR591rTzu05A== HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1; SBUA)

Host: d1cfk8e4o0c4u2.cloudfront.net

HTTP/1.1 200 OK

Content-Type: text/plain

Content-Length: 0

Connection: keep-alive

Cache-Control: private,no-cache, no-store

Server: Microsoft-IIS/8.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Wed, 24 Sep 2014 19:44:41 GMT

X-Cache: Miss from cloudfront

Via: 1.1 a0aaf1abd7d78f63e60d1993fb2566d9.cloudfront.net (CloudFront)

X-Amz-Cf-Id: nmFRs7dNa7GbPWpfC0mMqpePDZrtzh0DalO4kcf7xa7SaMadxsr3jA==
....


GET /p.ashx?e=WL9usJOVMsOEyHZoFFyrCNjAsLtQTvGI0/O0FfY/6t0oHZkq4q5PhSAvELRpepitC/ dZmzuxuj5lDnhnN785ikWnBSPkhjgLhu0b45kiT8FwTBnjqtB6SJSQWKLfKoAjgb6v7cXpPth71QQSR2eRlO8xmMRVWZOb7j5JAyiJ5DwvGnwcuiCjBHn3WtPO7Tk HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1; SBUA)

Host: d1cfk8e4o0c4u2.cloudfront.net

HTTP/1.1 200 OK

Content-Type: text/plain

Content-Length: 0

Connection: keep-alive

Cache-Control: private,no-cache, no-store

Server: Microsoft-IIS/8.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Wed, 24 Sep 2014 19:44:41 GMT

X-Cache: Miss from cloudfront

Via: 1.1 a0aaf1abd7d78f63e60d1993fb2566d9.cloudfront.net (CloudFront)

X-Amz-Cf-Id: x0ZRlFhl85jdumn4njSZziaLqbYppIwmmnmr66OHSdgoHB1FgMxpIg==
....


GET /p.ashx?e=2fVCHF6kf8jCiOnT8Um5ouidgQbJTNnNalcj1RnQPrw2fVsQFDtppEzdxKtV2DR5sjXc/AJnTaE/Hea5XI1RYL2I0JMbheXth/3HwzB5AGvVAezdf3aKUde3upwN8WEnBPEhRyyBD7DBycn/ z ABHdpazB264dVxNB9hPvytbqj4mEVVTCsv8oowH443v5LVMzzGZXi fnW1BRx38xv1D36ODFBXzVKNT0QIkhhH6BUFDq1kgb83iOpJKjUyU6WSyBKakzdkjo= HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1; SBUA)

Host: d1cfk8e4o0c4u2.cloudfront.net

HTTP/1.1 200 OK

Content-Type: text/plain

Content-Length: 0

Connection: keep-alive

Cache-Control: private,no-cache, no-store

Server: Microsoft-IIS/8.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Wed, 24 Sep 2014 19:44:43 GMT

X-Cache: Miss from cloudfront

Via: 1.1 a0aaf1abd7d78f63e60d1993fb2566d9.cloudfront.net (CloudFront)

X-Amz-Cf-Id: xINEV_zxC2WQb8suy27Xj5xjQVNa9TX2lNPtnnjRVnS7gY7gzv4jaQ==
HTTP/1.1 200 OK..Content-Type: text/plain..Content-Length: 0..Connecti
on: keep-alive..Cache-Control: private,no-cache, no-store..Server: Mic
rosoft-IIS/8.5..X-AspNet-Version: 4.0.30319..X-Powered-By: ASP.NET..Da
te: Wed, 24 Sep 2014 19:44:43 GMT..X-Cache: Miss from cloudfront..Via:
 1.1 a0aaf1abd7d78f63e60d1993fb2566d9.cloudfront.net (CloudFront)..X-A
mz-Cf-Id: xINEV_zxC2WQb8suy27Xj5xjQVNa9TX2lNPtnnjRVnS7gY7gzv4jaQ==..font>....


GET /p.ashx?e=043Mckb8Lnhw7iCtSAyu//7rYxGJm3lFYZ2TXrGrLo6AMRxV Cn6llSqjJTnC78UeCs0UzO3hwdU2Ov4x0cKCDkzHRDskymotw5Qzo0bsuIuv3tl1Z4b4YXOg23g5 yPOzV4mKJhjCiOBvq/txek 2w3QD/hoj2EiE838kKFf1z4yRv0gpvvoa/1bjUefs49JU1ySiay1sqdymVuPyjsZ40oQa07NiSGCj VsqVAdN2URddPycjeHI2ac9bD3MadSN58qZygCScEpVXMQzDInewhsAaqZyLDXfoxKwRpIg6jJ3KIwx8xNdj785qz30kYhcDgB1bEKuAsiJf2LuD1gnttEnNPrarXHkYMF1sFL98= HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1; SBUA)

Host: d1cfk8e4o0c4u2.cloudfront.net

HTTP/1.1 200 OK

Content-Type: text/plain

Content-Length: 0

Connection: keep-alive

Cache-Control: private,no-cache, no-store

Server: Microsoft-IIS/8.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Wed, 24 Sep 2014 19:45:33 GMT

X-Cache: Miss from cloudfront

Via: 1.1 a0aaf1abd7d78f63e60d1993fb2566d9.cloudfront.net (CloudFront)

X-Amz-Cf-Id: 6kGNT6UiIC0fGMkZcl7aA8xwUZJYHAokVIkTewXyOkA_cBmlK8Ox8Q==
....


GET /p.ashx?e=/TVH52TeC6TYwLC7UE7xiNadB5qlqbxjKB2ZKuKuT4X/gzeM6Yg69fOIDafQJchVWxA4H76t7h snEMebxE8BC1VAldyGGh2tOflmY5yJPUUylR/HjWbOd2e5PDAg/ZO0JQd5HxgIXe7dwEpH50ejEUygQwn ymuY13dldRPNj7w1VxvH51bFJF4kQIHXTAmjFaC1iN6TTGCGrpHNYuwVusrAPq35vVlEjahwY EjuMmEm9RhKETqmZgKbPAVUl4JYIjizTQYxIAbodvSRETyw== HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1; SBUA)

Host: d1cfk8e4o0c4u2.cloudfront.net

HTTP/1.1 200 OK

Content-Type: text/plain

Content-Length: 0

Connection: keep-alive

Cache-Control: private,no-cache, no-store

Server: Microsoft-IIS/7.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Wed, 24 Sep 2014 19:45:41 GMT

X-Cache: Miss from cloudfront

Via: 1.1 a0aaf1abd7d78f63e60d1993fb2566d9.cloudfront.net (CloudFront)

X-Amz-Cf-Id: yZZpOBCtkeixuXCqiR7ZBIR_G5HPcH99VPt74Lm5YlrlGeq5KDcI5w==

GET /app/ping.ashx?action=install&userid=&usid=1844237615-1960408961-1801674531&aff=defytd1&v=1.0.3.9&url=&title=&pingtext=MzI0MzcA&protocol=&size=0&ref=&browser= HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; SBUA)

Host: rep.ytdownloader.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Cache-Control: private

Content-Length: 0

Server: Microsoft-IIS/7.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Wed, 24 Sep 2014 19:45:48 GMT
....

GET /app/ping.ashx?action=S_INSTALL&usid=1844237615-1960408961-1801674531&aff=defytd1&rnd=32437&v=1.0.3.9&url=&title=&pingtext=Files& protocol=&size=0&ref=&browser= HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; SBUA)

Host: VVV.ytdownloader.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Cache-Control: private

Content-Length: 0

Server: Microsoft-IIS/7.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Wed, 24 Sep 2014 19:45:40 GMT
HTTP/1.1 200 OK..Cache-Control: private..Content-Length: 0..Server: Mi
crosoft-IIS/7.5..X-AspNet-Version: 4.0.30319..X-Powered-By: ASP.NET..D
ate: Wed, 24 Sep 2014 19:45:40 GMT..

GET /YTDownloaderFull.exe HTTP/1.1

Range: bytes=250000-499999

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; SBUA)

Host: ytdownloader.s3-website-us-east-1.amazonaws.com

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

x-amz-id-2: 0DC318Hj 3PSGMj0RJAL7cas0wqCLmLkPaWbLXbAnbPXn7bmsYQ9wEoydjcJO7qo

x-amz-request-id: 9490EEB3FBB0EDDC

Date: Wed, 24 Sep 2014 19:44:53 GMT

Last-Modified: Mon, 25 Aug 2014 16:47:23 GMT

ETag: "ae8756a8ca44cf937b238ec0dabf51c6"

Content-Range: bytes 250000-499999/6873072

Content-Type: application/octet-stream

Content-Length: 250000

Server: AmazonS3
.7G.....5.....T.e.s..<|.s.....2...N.....\....'....dK/.'.....U}....N
...L...UP.!.I..8..?;pO....>..<.....&hU.."jS........;.h......./..
.^;p.M..=. .... V7...U..._f...\6....)..uQ..{.L.V..:..5...;...h....%t1#
..........S$.....q,..5...@.>.T)1[>....s...O...-.c......M.w.^.]$.
.....H..]..x.i.*\.1.^k>e.F.1..3.V.. .\3|.!...<.....c..kux.2.j&..
R...G....a..ZQ...[....#m..... Et..*.l....r....;.1*.hBg.....C,c...It4z.
N$.&].;......MX8.........h.....{.z.....qTI..k.i .F9..f/.....t.|e./...B
|.w.......Z<[email protected]#_..]..q.........V.|.o^.1.O3....Vy..e..~...
?y.Fnrhl....m.w(._C..]K....7.......}O^2a..!S.A....\>FR.k.X)..#.BI..
Z#.z.R..Y%.|.a1.Fo....s..xH%.(.cP..$)..D..K`...T.p..........\.rw.3.\..
7..'!......k......->.\.....;!-..F..o.....Je..f.l.h........pF:@.N..X
A....g....].W..bK.....W.nb.G!\.....N.u.V..9....&....#~_.....u.W.......
...7L2.W.......'P...{1>..mF.f1.%,[email protected]%...m.y:K.../^..........
^=.....!!..9....6..P......-\.....,f.H=.......o...s..[kA"....J..K....?\
.E}X3.2..N......#.......`.0.ZO..}.=f..PM..|...w.'9i....R....y..g..j..H
.){...... ....~....rp.D....s...(.w)A..G8.......Gui$ ;..G.~ ..M#!.?T[..
J..]..i.hB....L...k......v .5f...Pob,G.Fd\#O.H`'_..nw.{..F...|%...KC..
G.-$6.7..i.}y....[..me......n.6.....{G...F.{........#. ...,....<.C.
.r.@..[[email protected].|....,.3..).r-76=...2.......s........~.V....7.
.J.\.Jzg..Z.vJ......MB..}Q.xL..nvwq....s9.......0o`.H....Q...?..h.:...
..}.l~....?.B>j..u.3.p.a..,..`......'....ox....ESxD...Hv6M.8G..d..U
F...b...v..L...n.6.h.Q..[R..Z7Y....8 I..a..5.~......].9.....?.AbXt
<<< skipped >>>

GET /YTDownloaderFull.exe HTTP/1.1

Range: bytes=750000-999999

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; SBUA)

Host: ytdownloader.s3-website-us-east-1.amazonaws.com

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

x-amz-id-2: bmA1EaECsgfDzWJLNJm7E9F33p2oFfSSUccuq/oUAdr0BOSx6qcPt6Qsq0DJ2lfm

x-amz-request-id: 229D09ABB7DB126B

Date: Wed, 24 Sep 2014 19:44:56 GMT

Last-Modified: Mon, 25 Aug 2014 16:47:23 GMT

ETag: "ae8756a8ca44cf937b238ec0dabf51c6"

Content-Range: bytes 750000-999999/6873072

Content-Type: application/octet-stream

Content-Length: 250000

Server: AmazonS3
-.!=..?5..*X.E..>|....F1Yy.o.{...0.Ux.`..M...eW...5...tA%.....)V..k
.-....9...Vq..Z.....xVD..N......D..(......pw....wW..j.q....J......J.%.
.d.C%X.&.=.w..jW..x.v......D~J...C.5..|0..e...........s%.77...Y..&fd;B
T...c..i.;......e.....,=..u\\.%3}.%.G..ya1HB'..;...;....a....Q{...HP.Q
.%R...q...........!.....G......0-....~.)<.\m^....N:Q...w|..PS.t_.{.
[email protected].}V..1....<.I."...../[email protected]
.$%.....Fg......UB.../!..|{e......y..I.....^..h{m.P..{......jZ.p.|.4..
........Vy.............U.D.N.ku...Z....^.O.%...[.B@.=.J...F.........d.
g.........v(...0.2...2.f{....u-.0...^$..$o.d....)g..kx]....!..taE..).q
.(......>j..(....p....2.EtL$......v.|.5V..<..z..;.....f(#.nCJaV.
.n-.Y..W\S3...%h.z. .....Y..~..l.....Y. ..<O....-.........~.\......
....-.3.....4y %[email protected]............#..!<|...g.q@.].e(..k..$..Y
.....6S...o..)!.R...........O..P3.%[...s..|.6)G.A............9hCy.L...
.....6..lS...Z.._2.p..xt.}.......%..Sh..x.G.f._..#TZ.....R...5o.......
.."....].M.&...pHE..?..I.y....l.x....3M...[....2.......Nc...N.6.P..&..
...3...A......z.e.'...1v.e.. .=@\@..n......h..[.n][email protected].&.s.....
.<....."..)c..5....%.9.......2....3..v..$c<sW..*.......0.]#g....
[email protected].`;.N3S..Vo.4H.`.v...G..YJ...f....5.G6.[}
.3/......z....d......&.......l...C.C..[.....g=...8.|..k.1Vv.[.Y..c....
G.*...0.f.... .4K..J.o../n*...%...$.9-(g..e..H.7a.#.$.^.....y:-F.GduW.
.....>.*K9.......d..v...l..:_&A.....I)..q.3 e....<..p..w.y.....-
s....Vp8.^.A..&k.).N5d.........7..<.#....I.1...4...........b4V.
<<< skipped >>>

GET /YTDownloaderFull.exe HTTP/1.1

Range: bytes=1250000-1499999

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; SBUA)

Host: ytdownloader.s3-website-us-east-1.amazonaws.com

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

x-amz-id-2: VVr2b6Rg5aH0r6ytORVutIGb5aizK6OKXFxAtHRsLOPJykApltUMHllRW0YWaTBA

x-amz-request-id: ADF671E5A51E69A3

Date: Wed, 24 Sep 2014 19:45:00 GMT

Last-Modified: Mon, 25 Aug 2014 16:47:23 GMT

ETag: "ae8756a8ca44cf937b238ec0dabf51c6"

Content-Range: bytes 1250000-1499999/6873072

Content-Type: application/octet-stream

Content-Length: 250000

Server: AmazonS3
[email protected]....}?.6..<a/..9{#y.$.qv.'.#...T.... }..Au..}...p.:..m.......
$w.,r.D6.......`Ux...........%e...R2...(t$..g..U.v..(.u-d.....-......o
 .........J..B.r...z.J....].g`....N.Vc...${[email protected].%.....
.oj...Z...T>*.P..XM........vm..O..`...-.i.......D......5..[N...r...
..j..../^...?..Y.....{...h(.......7.7..g.....E9..X.:.....*.o.,.A.0^..%
>.^.........u.....x.D.O.........;Z..3.*$..%.BY.sY....6..~C.6.$!.R..
..,.?......I.: ..OK"<i..M.I...21..WQ.qu.....).>hNc..W. o#8...K.Z
..3.T.z4.V....q..:..M....U..X]N.....v....u..TZVCE.h....m8...%..c...=..
/t*..m...F..**...r.`f.yLU._$.......i...4.L6b.Ov....8.w..Q.......=!y..Y
`.Uj{09..knM.(..:1B=/...M#.".r{.=..G.IEX..":Y.u.csP......,c.@,.O......
x.G.y.*i]%c......C1,.F.3j}.............L.]. ..u.ZN/.v.`V.bp........j.*
T,.\fZS.>.y...V..=...._.D..g.......f...z.....^.*0...;.A...pxD. ..X.
& .....C.._ ...B............&.Q.....8......]..e....a..Da..`.i.$.......
...{.<.LYW.g..o....t..L......-*l.......IPJ.............g8q.e...>
q......N6|t....:.}...H?.`K.......`[email protected].;.5.^|...[O.j. ..m.....
..S..'._..B...).[.S.Z~._4.s?>...x....n..!P..T&Z[...n......S.K!..p."
ynx..".s>.a.4k\....d0..#[email protected]..........)8......#T.....N}e...3.
.\...}.......1>@[email protected]. ....j/\.!t..[&..8.....
K/.i.m8......Ra.xa.~..aLx...$$$.....:y.84........ ..f.s....)..v.M. ...
r...j2.Zh...Z..P..l.._.....Bo.mV...sx.t....>j.y..7a.....-.#.......Z
.4Y...V....,...3Ho............A~..@)......E9...}.."<.2YB.R.-.~.j..Z
....K..}N&].[.....d.A..e6.,...o..)]..b/..4.......B.....Fv9....*...
<<< skipped >>>

GET /YTDownloaderFull.exe HTTP/1.1

Range: bytes=1750000-1999999

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; SBUA)

Host: ytdownloader.s3-website-us-east-1.amazonaws.com

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

x-amz-id-2: 1VI993Y7o6acjJ59cP6Z0V97O9lboJhL29ZTePQoCteznrG4cmMfb83r5kmcEFuj

x-amz-request-id: B647F340A5FF8126

Date: Wed, 24 Sep 2014 19:45:03 GMT

Last-Modified: Mon, 25 Aug 2014 16:47:23 GMT

ETag: "ae8756a8ca44cf937b238ec0dabf51c6"

Content-Range: bytes 1750000-1999999/6873072

Content-Type: application/octet-stream

Content-Length: 250000

Server: AmazonS3
...n.QJ6.......~q.....^..p&e....U..2_-q!.......0g$'/.......=.6.4.|$..8
)!...,P.$..W.g.y..Rw|......Z....?........G.E.=........W'..0.....JU..|.
.4.N#...e...Q..|*.*@.........h......i..l.[m....V..s%O.~S..@...........
5G.a..0.n...pKE$........V4...Am..k;.^.....Ch..R.N...~.n1....]._#..~.d.
F....oy..j0[..f.F...u&.......I...!.......f.[D...]... #.............7.?
...L.c..#..].G67%.Y.r!...[.l8..w...(...f%!...o......?..m,[email protected]..(O
f5.\.oer0(.'.E...x...UJ......i...H..U...>.b?..aTH..}w*.|......s.!T.
.x....-.({......b..X..>U..#.#...SjE.v.kz<..H.`...[...z...z.pYZ..
...K..[......d..$.T|.?PrM.&.^....6. ^..&.t<R..].%...8.E..r..ZJ..sF.
...>.Z...F?B.......0#...@....}.&....v.pM..u.x).A. ......&..A..G'.].
......Y...ek.gL.....'.6.Y. . mFw.k...W.^._0..}G'.8. .I...Pm....;.:....
..?.Q.:.Dn..?.....!t$_.;d...t...i#....A.7cE..{L..9\...x..F.s.m.......K
U...%~7.....<.U{T.....i'#&QF3..[j.....'.q..]........3...8...O..M.E.
...<.....S....6.....gzf...}.af..p.../[email protected]&g
t;[email protected]..~........kHN.-.-..."x..../ ...AH.v......yY~.Xl..d..
V........~xQ.Z4......d...]m..!....s..Uzo....$f..hG.%,C>..\..{8D....
RB9.`.sWXb.......7..V~.r~..D..x.2..H.W..*.~......6\.}N...........%....
...SLj6.........kLO.|.P.3...c...=...S.D..(;.......Y3.S..yrP.........J.
j.....[..m.=....8.L..V#M...(..O...!.}..".{...I.....j&{).7.z.K..G...%;.
..<*..Dc.r'.]...i.|.h2Lu`$....w...\..E%\.L 6P.k...6..kn,mpRA`...*\.
n..5.....v...f..#w4...&......N{..[.........\p.R K......;D...7.@:.[{.G.
....n.0....X.!C&.......e....s.^..(O.x..f...{...J......~[..7B.7..0]
<<< skipped >>>

GET /YTDownloaderFull.exe HTTP/1.1

Range: bytes=2250000-2499999

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; SBUA)

Host: ytdownloader.s3-website-us-east-1.amazonaws.com

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

x-amz-id-2: ZX8jhG8DZHyUPXUzWbffd7ywyTZ/tlZvy/m/Nw9Wk4cQx0iUwNPVTGUYkQi7bn28

x-amz-request-id: 7FA3712D6A6EA3FC

Date: Wed, 24 Sep 2014 19:45:07 GMT

Last-Modified: Mon, 25 Aug 2014 16:47:23 GMT

ETag: "ae8756a8ca44cf937b238ec0dabf51c6"

Content-Range: bytes 2250000-2499999/6873072

Content-Type: application/octet-stream

Content-Length: 250000

Server: AmazonS3
kG...aP.3.Vee...L...)[email protected].<&...#...._.m.|/V..L.......A;y.0.v:
BL...vk......(.!......c.....U...QC...}....;.~Qn....5w.h5..>U.b..mz.
P...KR. 1At.#..........r...r.,:.......k.,.z._..]<.B]...x...qr....}=
.....l..m ...]N...\.........J.4..e......L...).....I.._..6.,...........
p.j.W.K....>.X..8..DSN.\#.?.:....O.E.b.....8......H|....C..*?.../ .
W..Ba.x.>`).^..}e...N.2.../.....|....B.....iqD.......v...6....5....
......)..P..p4......\b.l6`P..~3..x.K......}m...Q...o..T.H.9.$.w..r.G..
....I.8.K....MC..{.....0 ..^u...x\..P.M..!..x;..v.c..`.}.S...6..WD....
c..r..m.<......4g...;....m6..@N.........}...76..d.L..C..5F.?......*
w.[.......p.h....B.K.."7.Hs..1..>*...m........'?u.......a4.:>r.&
lt;.....*......(.........z....9j.^...Bv..............0.3..x....8..Nc\4
....mF..w...(.|,y#.]h..tp*{..W^..L.R...m.V...$..V.i..4..p.5.W..i.g...4
b......rf`.?.i...e.vho[..XS..M.3..65M.o...Wr...~B.e...l..xr....Z2 .,7T
x....5....E...&.^.L:.$.C...].K.R.8...}.$2..!..p....".|^.?2.....<.mX
.4V...(jZ.w.c.OGt;{.....D..P...X:.oF.n..6....8.Y%.Y......t.Lv.q....u.B
.q.X............Dh.E.@KXh..,..{.I..4....../.....R.5.../.....[...7.zms.
......u..........\A=.4.u....G.<.b.J..:%.....p.x....K.}...l2se.h...&
.....y<|..D>SX.T...}..'..B....s..E.TSz.5..C...)3.(._....J..-...F
NM...F)vb..\......P.%...{[email protected]...%..3...#.;2...(.]....
....I..........88[....W......ld...K....w...C.1.sI7...@\J..."...j!/..bb
;..H[....OS...>c..~.6>...~.[..'Gvo.eW.........6.pU....~t...IP.^Z
.W.6A..?.....}...n......5.R..[.F...t9......./.LRo...,..D....?.....
<<< skipped >>>

GET /YTDownloaderFull.exe HTTP/1.1

Range: bytes=2750000-2999999

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; SBUA)

Host: ytdownloader.s3-website-us-east-1.amazonaws.com

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

x-amz-id-2: 94Iw6Rb3AJg3sT XnmoML21apQH2hHcSU6pnk8ndXHyD yEDcof236ptVtSWCcr7

x-amz-request-id: 15D4B6D9BF7DCFA4

Date: Wed, 24 Sep 2014 19:45:10 GMT

Last-Modified: Mon, 25 Aug 2014 16:47:23 GMT

ETag: "ae8756a8ca44cf937b238ec0dabf51c6"

Content-Range: bytes 2750000-2999999/6873072

Content-Type: application/octet-stream

Content-Length: 250000

Server: AmazonS3
j2..O..{......k.D.X-...s;w.J.a...=...<.. ..t/.s/....3.(...:>h
._i..^._n......y.....^...E#....:.........~6)E...J.4..g.u..~w%..}..}=s8
[.|s......E.%.....,...W...!T|Q...|d..#TP,.]`y..i....... k...D....X,.g.
D....Dk.k..vM....@q....^.W..\..{L&.^...Fw.]m.......x...^5.Xw...4.B....
8......7eUfM.).*Fn...[.M;A)0c...I,L.f7.@a.....*.....i...|.."-.....`..a
..../.........r..C..V..Ws3.....<..OO..B|oT....f....!."...i..?.k.f..
&...&..'x../\...W.......f0.....h....,._a..tG.I..eV.....g..1b.1.?..Q,R.
..a..c..y..c{$.......P.Tej.D.._F.k..!.....Y.T.... _.'.........[.[...I.
...eBf....z.K...D...6.X....=*..f..n.S.b....)..b.......j.lAJ.......{...
.I.?.`.A.w.-....c>..x...F....D^..j.[.....W}.ZpU.....$/......{dTtk..
<;.k.@.....^.4z.W....j.......w..W.i%..oC.....^..;.,..YX....mJ......
..Cy.... .8..J..K...Pp9..Mit...O_X.s......R..?KH.$.....V[..#)4.R...r..
.....[8?.`c../I>y...c.............'.Bs..s?]].W}.*....\....m1C`V.I6.
.k.xe`.{$C.......)7..W.......K.;2...}[email protected]\..0......4.... L.
....mE....,..FH.m..{1qK....e1...~.e.F Y.e.f.>HdKE....D.p...^.(.V...
{..... 37{....a5.W.....*..^)...&.k...i/.......q...n...r./...f-.]!J1}.o
~.6...w...w;,....X.:.....t-..N..<..Hh.......b....,i'[email protected]\.
..Pv.bM..1...wP.....k.{d..qG.%'..0}>...n.u..}F.9#!*..U!..I..|pN..*.
tm\H...\.....eG..g..t5..Q......A..g/;.n.!e....5.N..4\......R...8..&._.
.].e...]@}..r..X..D.I.)[email protected]....]..8..0...Y.'@..&......3..q..l
..9.4[."i..G...1.\hXv..x...p......B...TWV[.{H..4../*..Ke.~.......f.k5.
....`.eG9q.Jc.|~:.....(....*...9-.<.u...4>.A(.....<......
<<< skipped >>>

GET /YTDownloaderFull.exe HTTP/1.1

Range: bytes=3250000-3499999

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; SBUA)

Host: ytdownloader.s3-website-us-east-1.amazonaws.com

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

x-amz-id-2: kibxx4V/rca/ze5SlWFhnfWlKwF0yi4r5Bfw7mV9EMKOmBqZr9Egjylj36dMafpG

x-amz-request-id: 49C778CE8DA2E7FF

Date: Wed, 24 Sep 2014 19:45:13 GMT

Last-Modified: Mon, 25 Aug 2014 16:47:23 GMT

ETag: "ae8756a8ca44cf937b238ec0dabf51c6"

Content-Range: bytes 3250000-3499999/6873072

Content-Type: application/octet-stream

Content-Length: 250000

Server: AmazonS3
..q......c..*[email protected]........;...
?.P2^.[...YW......x......#&B9...A......V....8*>..0U....AFB...@.....
.>.u)i.).MS...[N...W...6PS...4...W.'[email protected]. ?....L..-
...ZW.....&.. .j..YA_V%&..%O*H......0m..5.i.#........<..Nk(@..0....
..8D{.../.....UV.C...w..%.1R......t..zI..^w..H.9&.b....]pXZT.M:.x...`}
.sA...........q.~.{.....RVg..~...`J..\B..*.W..;.CkER.[c..&..... ......
.S.$..X ...Y.1.B....2C.Z.$...m..M...r..'[email protected][email protected].{
H.n...B8j..R.%..s...*D....p".^.$.'.8..c......S..e...Di..Y.W.7\.....2..
...D.zA... Q.|....e...u 3.......{....)...o.e.....9.LA...c.x...#.._jY..
.........x... .<......m.E..7t&;[email protected]\.,'..~.....C}.#G.....0G
..i.}b.....=.$....#=..E..=9........dY..#%...UC...Q.....G.V..(..eDS u..
t.^J..IR.e.y...$..c0o)......:..z.g.V.~.G...w.!o...Wsc.f....wj...z..6..
wV...L.|.y....'...?;..Lm.'&........o.=...8F.....x,2..\..&k..]..k]o ...
g.<G91.i.p...%.T.., ..$........bIy....t.V.5.....e..s.......F..w\...
^.}q7..)...=q.`...._nmT*M.P.R....x..d..*1..J.U...R2EI}....*:..t..-a..z
| .a.&pz.`.(.. Zl.S."....9.F......M;.x..<dLE.. gU.r.[!.Oj.0..._....
k~U.1.6.K .G.~....y.h?.....9..q....R.....H....XIO.E.C8u..|Z..o.8...qD.
.A[..v.._...v....\]...w..uW...(&....Eo......(1..tr.b!..C0......^..L*..
<.Uc..z.K......e.......!(..L.....:..~....`..]......K...f)<e..}.&
lt;..I.....G.5.......\.9A.|.8...........6n.u. K>%"......c....iQ....
.L...%.hX....,[..t.A..Fl..?ba..O...;...1......-.M.B,.......q.6.....n..
....b&C.?...3UL.w`p....#,.k..{#T.K>...|<.\..mo.G..........Z:
<<< skipped >>>

GET /YTDownloaderFull.exe HTTP/1.1

Range: bytes=3500000-3749999

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; SBUA)

Host: ytdownloader.s3-website-us-east-1.amazonaws.com

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

x-amz-id-2: mimlbgaJ3HzIaeLOzMECAk3D7pVd35NclBUqKqBYy9B4BxhOjxxZ9WgmOO1A0JdV

x-amz-request-id: 36B6E28CD770AA11

Date: Wed, 24 Sep 2014 19:45:16 GMT

Last-Modified: Mon, 25 Aug 2014 16:47:23 GMT

ETag: "ae8756a8ca44cf937b238ec0dabf51c6"

Content-Range: bytes 3500000-3749999/6873072

Content-Type: application/octet-stream

Content-Length: 250000

Server: AmazonS3
@(...jq../........v.S...a....!9...{[email protected]..<A;E....SrC...`..ae..
..yjT........lB..?.OE....<k.&.<.?.Ei..5..K...j....:...mP.-G.t.{X
j.....:....S....7M.J/.........",..&.JHL........CT..2E...p..d..A...U.X.
j...V...>.......[.. .....}7...h7..qk*..D...qQ........D....~'.d.T6.Y
...V.....[l....3.8:n..%].@|.kRQ...i.4.e$.T..........`@............c..Q
d@.|....'e.,..>)6...Ul...l.k[.W.W.q........i...Q.....6(..qD..Et.v .
.j..)........r..".....(.%U.......).'[email protected].`ek...:DP...p.....=).
.#/...._...R|(@..._5..]..P..1....H......Z...;N,6M..PV.h.....5|'..9..[.
.N7fAy..<u.882}G...\.}k..{..... ...{......!.6..xj..h..g^...x35}..73
*q....y.....9.v.]x..O\..<L6.!.Q.#.N..\.!..%.N2.:!.a.....gC....t~.u.
2l.......;Y".;.....*...*....eb...S~?.i.zV....V...U.>y...[.-9..`.N..
./.V.....r.?..-.........h....8"....2...3..|).P.^[.....Z....[ke.{......
.t......%.N...7C.%..1...-.....\g.5Q......DU0.............[..p..N...'..
.L.F....w.,....`.....0..@...).f.?1MR... &...C%2S "N....6.O......b.qd..
...&!.&...1V."n$..i......lC"y..P@[email protected]<o ...._6..I3.B.....tI..e.
..3.\..vNk:.Ny.-[.......Cb.....C.9q.W.Bh...k\Y..ZB.0.(.PM..>..V9l..
[email protected]....,.{/.......vh........
..._;2.."...t....$.F.q...Y...[e C.8..}........X.....^...._A.kY#%......
A...y[..............4.J^..7^...'....~Z.A. (.....9,...F.......d:...e..t
[email protected]*D.*....x.....YQ....#.*6.uAa.....: I.1/:G..3DJr.ov
......4..{..../.9...-..4~x^x....I..!!7.......U."....U..e.6m..x.".)..k.
.V.....Bz..vR..au^..J....*".#<l.......".$......".(.*.2;.?.J....
<<< skipped >>>

GET /YTDownloaderFull.exe HTTP/1.1

Range: bytes=4000000-4249999

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; SBUA)

Host: ytdownloader.s3-website-us-east-1.amazonaws.com

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

x-amz-id-2: soOAqQWpN3oRKEw2QyMDm7feBKl0kL2Nb4axs1gSUuZCW4Vj/a1qcP56U9PuecgS

x-amz-request-id: 8F445357748974B0

Date: Wed, 24 Sep 2014 19:45:18 GMT

Last-Modified: Mon, 25 Aug 2014 16:47:23 GMT

ETag: "ae8756a8ca44cf937b238ec0dabf51c6"

Content-Range: bytes 4000000-4249999/6873072

Content-Type: application/octet-stream

Content-Length: 250000

Server: AmazonS3
 ...7....<Y!..N.@_..u.)v..........M.b*../....J[. A>z........n..\
.....B8<..s..j*.HR.=....<...........X.....K.P...m_0.j.W.& ..>
....'.a.Y..0>...E6..Q..R:..B....L....z.:m..:.].H(...U..\~.H..7d....
35...\k.gFYG..p...zC."....}.v$..Et.).0.D.G........{X..p..&........@]..
..'.............w8`......^...S.x.l...\...h..y.g.............i......V..
<rA... 8/.9...A....c.....u..m9;.....e..]5..cV...O...4...z...s...u.B
. .._...W.O...M^H.....V".f[[email protected]... (R..7.[L......U.=`Aq3L.A...
...F^....Y.Hm.a.`..%.M.O...Q.B.].H..V..m...A..q.C<...]..(Z.Ek#.....
..P]P.C.WI.m.N....................c2Z.M.a."#../.h.G.CU.....]{......cl.
..z88.?...l.~.;I..x.A.3...tr...r..1T..l..^....#..z>...g............
H.E.a"...R..z....bC......0. XC.......{.(..^..... .......U-..4.....QXH6
.........y....4}.T.......i.....5i}..o.....C..nm}._..T...CJ .......-]..
Q..TNK.w.......k..`.......,.e.{.r....7.C....4.c(b.9...`-...Q..6.~.....
.o.b3..<O..u..Zn&.G.TFdrX.J..8vZHU.~... W...........#d...f......l..
..........C.][email protected].....^.h...{$;|...%.M*}g|.v...Q..^.D
M...[....8(i8.v...p2.9..G....j..P#s|..B.V.Ju..v.K...W.Ou?Ni.......d.|$
.. .{......].s..z..z.....}..j......`w...W.X~?.x...K.?k..!GK...f-....Y.
..9.Q....m'[email protected]...|.w.7.8nv.%....=.1 ..q......R.NO0...?.'...FuE.O
I.../A.....?.;....4..40.w]....|A.s..o...!Krv =......"a.%..[.N2...(...x
. .....:`........K...as...... .n.F....D..c.A.7.x.....Ft..-y.....)3r.;.
,.U.l.qD:.......t].....=....V.8FT./..x...p.O..a.}......^....!M@).n....
.".v7A...KH. Qsx....(t.}.....Y.... .`b..Y.;.[..^....v...... @f....
<<< skipped >>>

GET /YTDownloaderFull.exe HTTP/1.1

Range: bytes=4500000-4749999

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; SBUA)

Host: ytdownloader.s3-website-us-east-1.amazonaws.com

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

x-amz-id-2: LMcioPPzVAoAXGqkN OZJ7FCm8YHIbTOgG1FeZ6jPpVLIHDaZpWBLTmd9c5 1XrU

x-amz-request-id: 51ED76B0FA3809D7

Date: Wed, 24 Sep 2014 19:45:21 GMT

Last-Modified: Mon, 25 Aug 2014 16:47:23 GMT

ETag: "ae8756a8ca44cf937b238ec0dabf51c6"

Content-Range: bytes 4500000-4749999/6873072

Content-Type: application/octet-stream

Content-Length: 250000

Server: AmazonS3
p.h....&..]|.... vI...@>.2....R<}q......9mG..,i..e..`. .y..6Q.?.
.......'......=E./.{..T6..hnP. ......S.....O.....4.u......~..k.|......
...*.....u&.._...i..7:I..<.cw.?[.q....1.g.pD..k.m..........X....../
....Z..3..U....(..M.....\!.E.=..$W...6*......0.&.N.T".E..n.. k.9w.. J.
Rcy..V.k...K.".5..TV.....]../#N1...l.|.P......;...{.....D.e..DxV..i.f.
2.j.]#.%.Q\...TM.xwy9.H=.(o..........vL..E.....!.(..#.DdU.!....o...R_.
T\'k.<.G..../C.{......  D=.V......(l.y..S.....$..AJq........G.>.
...e..^,.V..W.M...uf]Q....)...6..*..T....\.........Hk..X.]..U..F.."..B
mvey.vY...........R..?O.....b...>A..Tt.......c.Q.~.......cUY.P,....
*.&.Z...|.q.r!,l..L...... .A...... U.Vi..qT.....cU..|`%J..P_.z..l.s<
;..c.(q....$?-.5V.....c........z#HGU..6...5h..F.......^..7...k.......V
...zs.|1K.(N..Y.....,.7...YpD._...i......c..5R.E.O..u.d3.ob.~.8.'2./..
.}.A....Y...K...N......KF)...V0.#..w....{.H..^..&:1.q./..{...:..&.....
..(Hz...T.....C??...._71......N.1..A|8... .u...ruVg.......,........Y..
....`e..c.....sKl.......lB#...x..A....8."P...k....8k...S6.>w.....eZ
.\.'..5.......Q.c.X..S.*.&,...].M...k..F.a4&n.....X..q....}FQ....F..5.
..8...I.Hw....ym....U.U..g..7.&...%..#........g...g.G....\7W8zZh'..t=.
.....s.......i..~.:........F....Y..<q..,.1...J.."M...vEV....Dl...%.
*'f...q...-...kDCm.a..]64........Y...~x.x....&5...a=.q.Jv6.?.Q3.....h.
..F.\.Rd O....v5.?S..;?&.-..G..N......_.#...... H..[..7..Hq..X..g...V.
yR...."......bp.U>...F~C..Ol.R...".........5......ZR..T..lN.z.r..66
B..n.^.p.}..2...P&3. ....".}[email protected]...........\B.n9q
<<< skipped >>>

GET /YTDownloaderFull.exe HTTP/1.1

Range: bytes=5000000-5249999

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; SBUA)

Host: ytdownloader.s3-website-us-east-1.amazonaws.com

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

x-amz-id-2: fpUH9FcSCdlMd6yTNZ1EJSGTxNY4qjKwDPSZpHXl70mgPsu1r XwhxveGwsJJ9hb

x-amz-request-id: BA43065B7F81D3C3

Date: Wed, 24 Sep 2014 19:45:24 GMT

Last-Modified: Mon, 25 Aug 2014 16:47:23 GMT

ETag: "ae8756a8ca44cf937b238ec0dabf51c6"

Content-Range: bytes 5000000-5249999/6873072

Content-Type: application/octet-stream

Content-Length: 250000

Server: AmazonS3
.L;. .5.......H,.....yV..j.......>...:..^.Z...YBs...,u{7.G...(...'.
.\-...........*...22U.&L!.V|.|.r.$ G/9.=.Z....1)7...w._...M..x6QjZ.k..
A..g... .0bo.........CZ.2..a......9..B..2..Q...a.`...k 4.y..~.<.../
,.M.v...*...E.....Pp..5.L.)...K....UwcB....L.Fj.}])?i..0.sIm.0...*J..!
...Rl.;....../.,.~..{V.E=......].y........%.<.........{...un.....0.
...4#.=4.....2......QM..h........r..}a.-... ..XE.fe.i2.d..0 .....5O...
S...r...~B...9..4\....^.C.....m.S.a..-S.c{p.v,......7....lt.}..vx..z.!
.z).L.h..X.Q.M.9/......Fro...X.@........{....."$.....T_4t.q.....7,.[.]
.i7d.Gw./....t......\.O..&d.[...yLE..|pf...m=d.I....m.iz6s.@..."@&u..u
..y"...V.tZ.. ..W.y...y.=.7.2....'7I6...F!oiO.k0Cg.9................8.
.Ou....ZT.I.#..j.C b.lQ.B...6.9V.~...8d<....>x.-.I....8<.....
. 8... s...E...$8E..v..u7u.m..k;7..).K....j.%.......6....(.nM...K`....
...)a.....}<..3.2;.c`....T....%j.F3.85...ReRR..;...]......2L?......
"..0...p...J~........Eu.o..,0(........*.}.9....sZ.v.. .0?..T.O ....x..
W......t.D.S.`Z....#]$&..5.p.{.).EFc...q.}p.....P.i....Q7m.C]#....4!,T
PN..N.Y.=...S....6....f...T.....W9..h..e.....JJ9.2,..tj....~...8..[i..
...&.tn.k./....U..U\\...'....>..kP.c.w..s......^b.rR....q.i.7.....m
..m.^wdz.....ww...0.`.=.0.....).Z?..n.eW..2<j..5.X.p!......Z.].Pv..
..{$_j>.Y.z.....l.m.Z....P...I.k9....]3.c3I.N.X..(...C...8..q.).9..
C..5..32.|..[........AM....pT~.-..9....m.P.j..._.:..j...9..u"'.O.Z.G..
`Z...I.`..y...h0.e%[email protected]/.. .h|..1xz..I.........SM.G-....vFL..x....
....0...1....%...-e3.x6..@{.....z...Z5.M.1.....).3..A..t#..v..}.f.
<<< skipped >>>

GET /YTDownloaderFull.exe HTTP/1.1

Range: bytes=5500000-5749999

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; SBUA)

Host: ytdownloader.s3-website-us-east-1.amazonaws.com

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

x-amz-id-2: X7LWnGdntIyb2742wm3XuhISVcqN CCeIBuUoYC/OQeOsiEyCQcqypKPJ4NEYAKQ

x-amz-request-id: B2B7771B53EC13A3

Date: Wed, 24 Sep 2014 19:45:27 GMT

Last-Modified: Mon, 25 Aug 2014 16:47:23 GMT

ETag: "ae8756a8ca44cf937b238ec0dabf51c6"

Content-Range: bytes 5500000-5749999/6873072

Content-Type: application/octet-stream

Content-Length: 250000

Server: AmazonS3
O....q.......@<......*.Y.'.....`..t....qA. ...1.#qC..SL.....;..kH.(
~....F.%...iJw."@K...]m...K.....a.....;.......>......?....]...<.
z.,..Z8..Xi.,f..4Z..S..)=......k.U.).....d..p..5.J. ...Bp..H..[..4iY.&
gt;R.V...D. ..L...(u........$'.g!..uAH..M"....j.}....=..3^...>DX%e.
....!......E}.I:{..R...6.........].(m.....>..M....].U....{........V
.....<e....!4.........B>[email protected]...^[email protected].\%..(.
.hM.f..%&..3...JE.-x\T.6...&..Tc_...R.^.#I..VU.a"t..PU,..O...!.0l..{..
....$c..{'Q..%.*.v.&..[Jq8(...L&.......!!....8;...#iBh._.F>.."....~
........n.Sg0.'d....oT.~yg.. ..U{-V:x|.kfCI.......Vw8WS.......O5%o&1..
[email protected]..|.Vl..C....U...%.L.........U.7....Z...E..C..w8..%.\X./...H..N.
@........PQ........&..B...s........C...*.}...%O\...`>6LM...!....!..
Wb.Wrs....w..y ...N..A."f..b..vqo..J......]..TH..A.aq.....I..H.{II ?..
...ZVEH.u.h.i.p~.4..n..K6.\..0..({...U)SR!L6......tm.,.g....,.?H.-..8.
.....5#...c...qK..$U.Jf.O.....CKX...z.e...0D7?..Y.l....u..l......Z.H..
.u..Jp...X..F....'[email protected]_.#o...s.X.....s.^...8.. I..{....2.`..a.
p..P...19....([email protected]_*..~.....\.K.V..T...Z.f...L.H.*...H*..o...0."
.:.H........(.D...o......V1../U...i......oZ9.'.y..W.$-...*b.....X.....
...z......O...h..!2.s......5.xP....".@..,(.f.yP...q.9..R].7.g}.......U
.I2!Dt....4...!...^..PB..^.......=.J.X..0h.0^:..b.....M...! ..f.D|...d
... [email protected]"....h#..]F ..W........[.n...hXqS...9..
..I=(.....T.c........dY<_.f'F.yQ..M.tw..j...D<..;|........[.....
`..e......,.r..Ew...l. X.K.m..7...........A...TM....zG`y....M...*l
<<< skipped >>>

GET /YTDownloaderFull.exe HTTP/1.1

Range: bytes=6000000-6249999

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; SBUA)

Host: ytdownloader.s3-website-us-east-1.amazonaws.com

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

x-amz-id-2: ZM2BEdQDugCBwJpWDJFiQUeAxV8JXrykeoEWKST4yQDi8YlBQ7EGvU1/UgDeux5P

x-amz-request-id: 4C4D87B9967373DA

Date: Wed, 24 Sep 2014 19:45:31 GMT

Last-Modified: Mon, 25 Aug 2014 16:47:23 GMT

ETag: "ae8756a8ca44cf937b238ec0dabf51c6"

Content-Range: bytes 6000000-6249999/6873072

Content-Type: application/octet-stream

Content-Length: 250000

Server: AmazonS3
.*..u..Y..._......!........F..(..........%.g...B..d...].'.......O.P...
9....m.....Q...]...$[...Y. ...g.KiO.....N8.h.......'...A............3.
....)b. .G.7Q.R.pX...L...|......L.1...^....L...o..e.O?>B`....E..s..
._...C..\....")...ge.u.^.WT;}....I....0.e0n.D..f:......IU....b^...3Yr.
g.Ud..Y.oc.......7.L...'"^. .......Kug..".9R.;.-.U~.P..([email protected]&
lt;)..v..f...n.>..F...F..XM.s..X..Q..&..w..-...2p....YU'>.......
..F#|..1...M;.MH.......`y.....h.4g..7...Rf.<p.k(......'@8.....1....
..6.^.>8`.yD...}.Y....y.M=d.W=sx....Ap.h`>.k.......".3..<|...
.c]c..2.._...c.9.O.K............aN....Z..Q....R....eU.. .z.....'..NF.F
.Y..I37.v<.Y8S.......]J.1..d?.....c.Q.'....fMy..]...!.9..'.S.b$.7..
..9.L...<......G..A.t.Y....S._.%.c..........V0.o... .Yt.].p."QzDG.I
.7..~....|.{..-W.F}F.k.d/...'o.o(R%O$j...7.X.w....Ix.p......I...'...&.
.J.'..h...;..6.05=..W...?..a7.R........8bt.S.S....01.qJ7..G...3$.....[
......L$.8...._I....V .!..]..<Tx.kj......{......j..%%....t.}....Gv.
..2`......S.fW...(.D......K...i..z....t..........].."7..[2P."...9K3...
p<..a. ....].{n.....Z.bU.............Td}........{.Rl.~..v.........B
....4.......Bq.........eB...x-.|.}.....b!e.g..?.. ..y..pt5%.QC....8?..
.c..m..ID....E.7.i.e......]..u.D.........{...x.L.'..y[q$.>I ..q.n..
.T.......u`~0.ZCl.N.#.<..K..n...KS.1..r..ju}.....[$`WI.f.V..SCd.f..
t.:. ...Oc[...l....O....%7..RW6...w2r......m"ceF...j....mV8..........B
 .y...t.D....#...e.....&..#..!..l>...6i$..1..q.!....\.T...:...G.Y..
4).... ..A.X.V..4.....,r.........T....W...r_.m.css7?.xb.<..,..r
<<< skipped >>>

GET /YTDownloaderFull.exe HTTP/1.1

Range: bytes=6500000-6749999

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; SBUA)

Host: ytdownloader.s3-website-us-east-1.amazonaws.com

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

x-amz-id-2: sWf4rrrtXNmrPh fhN8yzbQvOp801sWjVfHtOS1eoakT2pcF2CxMgfcFk9IE0 vK

x-amz-request-id: 6FD016BE0753BF39

Date: Wed, 24 Sep 2014 19:45:34 GMT

Last-Modified: Mon, 25 Aug 2014 16:47:23 GMT

ETag: "ae8756a8ca44cf937b238ec0dabf51c6"

Content-Range: bytes 6500000-6749999/6873072

Content-Type: application/octet-stream

Content-Length: 250000

Server: AmazonS3
Z..o...d..{.{[email protected]:.....b..".....V....v....p.....;..?.'../g.....
o...\..W c.7.'..-s.......Y.....y.vmnA?...(..<......d.....7wJo.$W..k
..i....D...1....`.Q.t..... ...{.z........a.J.:.\K...%HlN~.Y'...~.^Hx..
.)..'[email protected]...$.e.kt0~.=..M.(.S/Y....M..!.(..x.%....]Y.'..
[email protected].........."..u .U..V./V.9.t....{w..#6 .....z.T.j..].;.
 .{a....I.\....-/....3.,7...3.G.n.S..^Mds.Obx\|...Nd.. ...O.|..V...p..
1.;[email protected]..'dD..x...;....^......po..mR..][email protected]..\>.
..j......J. .}.?m...:..M..~kz..31.^....t.76.....U.t..gPk..x%c_y:^<9
..."B..:v...~.).d=.w...>.#...2.;..|..f..._.............@...` ?l.$.]
X?dm.k..).\iQ....)..k.L.....?...@,uK6.#.X.Z%-E......Ie..rd..38.y.m..I.
.]n.b.*...e....o...B..._s....z.7\'.^...W...D....aW2.N........6DtQz.fR.
..7)=].S*i...{2d`.fO;..Qn....k..yl.P..j.m.>.l....B..z.h..@."`5.....
XA.f...T...I.....O.A.....TH..vH.....Y.../.gq.3.K>.J..N8o...L...B&x.
......CK.<.. .......K...XX...$0..<.IOrKh..k..wqi..B._..8..<q.
......w.F.X.}....&...];.....uS....D:..5.{...8...p.....3.]...F.7.....S.
..9.G....#.T.V..."....G.t..6...rK.A]....s.......'.q....L.....N.......,
....-.Z@e.]W.0.m.Z%..L...&1..Zkk...].c/...#.c........H..`ZM...........
.qn.-=]......Z.....G?.JR=*....a..3b3.....8....n..W."..`.tlG.e0....k..0
u6C$E.xF.f....Snz.*[email protected].%v....a...`I.W...".....$....P..{....|.7/
........B..XT..d...G..H..G...g).>...R....XFr..V..g{|.->..r{.....
..: ........n:....<7iq/.9...D{..=.a}..B.%.K.!......6:.Z"8...AqW.~..
).9n...'j.Q.....c..._..V..!{.....i..N,f?M.....b..I.cV...........J.
<<< skipped >>>

GET /app/ping.ashx?action=start&userid={3A616D21-EE35-453F-B6DF-28AE30518C83}&usid=1844237615-1960408961-1801674531&aff=defytd1&v=1.0.3.9&url=&title=&pingtext=TWljcm9zb2Z0IFdpbmRvd3MgWFAgUHJvZmVzc2lvbmFsIFNlcnZpY2UgUGFjayAzIChidWlsZCAyNjAwKQA=&protocol=&size=0&ref=&browser= HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; SBUA)

Host: rep.ytdownloader.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Cache-Control: private

Content-Length: 0

Server: Microsoft-IIS/7.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Wed, 24 Sep 2014 19:45:48 GMT

GET /YTDownloaderFull.exe HTTP/1.1

Range: bytes=0-249999

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; SBUA)

Host: ytdownloader.s3-website-us-east-1.amazonaws.com

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

x-amz-id-2: LaIh1aAq8xj7LE orXLx79aEgeY8LH0/bQlXq/AeWAr5S/fYTHj8NRSlUgrMOLn6

x-amz-request-id: B34CBBB8D69376BB

Date: Wed, 24 Sep 2014 19:44:53 GMT

Last-Modified: Mon, 25 Aug 2014 16:47:23 GMT

ETag: "ae8756a8ca44cf937b238ec0dabf51c6"

Content-Range: bytes 0-249999/6873072

Content-Type: application/octet-stream

Content-Length: 250000

Server: AmazonS3
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......1p.:u..iu..i
u..i...iw..iu..i...i...id..i!2.i...i...it..iRichu..i........PE..L.....
oS.................\...........2.......p....@.........................
........?.h......................................s....................
..p.h..............................................................p..
.............................text....[.......\.................. ..`.r
data.......p.......`..............@[email protected]..........
[email protected][email protected]
..............@..@....................................................
......................................................................
......................................................................
......................................................................
......................................................................
............................................U....\.}..t .}.F.E.u..H...
[email protected]@..e...E..E.P.u....r@
..}[email protected]... M.......M....3.....FQ.....NU..M.....
.....VT..U.....FP..E...............E.P.M...Tp@[email protected]
....E..9}[email protected].}.j.W.E......E.......@[email protected]..
[email protected]<[email protected] [email protected]...\r@._
^3.[.....L$...7B...Si.....VW.T.....tO.q.3.;5.7B.sB..i......D.......t.G
.....t...O..t .....u...3....3...F.....;5.7B.r._^[...U..QQ.U.SV..i.
<<< skipped >>>

GET /YTDownloaderFull.exe HTTP/1.1

Range: bytes=500000-749999

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; SBUA)

Host: ytdownloader.s3-website-us-east-1.amazonaws.com

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

x-amz-id-2: N3K8Xwu5n4hELqgw2QQLjVFP qyCMydE1syc9re5NwBsx Xt4qf95m0ueyD2EmjV

x-amz-request-id: 4BCA7493D2BFA014

Date: Wed, 24 Sep 2014 19:44:55 GMT

Last-Modified: Mon, 25 Aug 2014 16:47:23 GMT

ETag: "ae8756a8ca44cf937b238ec0dabf51c6"

Content-Range: bytes 500000-749999/6873072

Content-Type: application/octet-stream

Content-Length: 250000

Server: AmazonS3
...Gy.}..A...<7S.G..:h...sP..../...P-.........".'.T.....-.......d..
......s..d.5$`..{..^p..u..K. .4(I#..9...S6.....BC.O..o....W..!....I..j
.@...&....E/@.z....f.s... ..........G.2..f....U6.................N.R..
.0-..%.P7.._.aN#....E...f.P..z.....g..07\t....tY(c=..y.....nj....U/u.V
...2y7...F...^.Rc....[m-DY....R& m........(..)..n=.....X..`..N.0^6...j
.w3{.|s.X..(.o.1....L.7l{..S./...;u.?#>.].....:....&....u.3..R.<
.......9...0G.^.Z.1.4#7g*8{....tID%|..}.*C./t<...kX..t.....?\7.&x .
.f..z....).Os..zh.t....0u aS.,........\.....N].p[A=.m..o.T7...Y......D
....N....A.,...t.3<........W.\:.f...6Z............H..m8Du..H.. ....
^ 2A.-i....l.._3x.e....a.?...W.r.^...X...nR.U.e....U...4.....N..:...:.
..O....[.P..G...'.....)..9ji...n.0P.. ....f....Nj..\.`O...T..s5.E.t...
..,-..U}........5......z.......9&Br.H..I.q..E.).9&E..7.....'K...Y....v
..jV... ....?.=!.sGi...i....3..T.:=%R.J.S. [email protected]
._..... ..UN<....n...m.J.r.9.{....*.....f.*..../C........tu.......Z
..........53.A....<.zr...B....o3...K.ON2....XA...........S2V.E^.b..
.8{.?.vQ.....4.A..gh...hd .....!iEA\T.H..7=h.......S.&....1.s..H......
.X.\R...^[email protected]_>!..d..........n~K..<..9H.X?\......!..4n.~..
..... ..s.E...N.N......H.c>V... k........Y.}. UT5UlfYW....u........
....|)9..wwXw.q]....[....0b.3_Lj.L~I...I..'.f.......lik.N.K.........3.
a@.~m..a..1.:..Aq4.."R........M...I......g..s!...~^..v.N.\...5t|.....i
........%..0...)./u.i.2...Vu..\~..$T.bH......F.x...Za].......t.;u..e..
...Pb...'...s.|v....W"VV........1..U......:.4..?....P.N.]qS7\Jjdp.
<<< skipped >>>

GET /YTDownloaderFull.exe HTTP/1.1

Range: bytes=1000000-1249999

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; SBUA)

Host: ytdownloader.s3-website-us-east-1.amazonaws.com

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

x-amz-id-2: 0Xt4iWKlhWAV2Rb7Q0cuEmxdd3ZPr2xpqe/eP5Yye5coDvA3B1wPLM2F1etuTGyW

x-amz-request-id: 75677C61D074861B

Date: Wed, 24 Sep 2014 19:44:58 GMT

Last-Modified: Mon, 25 Aug 2014 16:47:23 GMT

ETag: "ae8756a8ca44cf937b238ec0dabf51c6"

Content-Range: bytes 1000000-1249999/6873072

Content-Type: application/octet-stream

Content-Length: 250000

Server: AmazonS3
]...2I..m.%..!...8..k.l-. ..4......T4U<"J....Ry....).....\.......?.
.BC...&....p..2(...c...EyP..W........*-$..x..Z".h..4FZZ...GU.......6.e
.[..4g.smC.\2E....h....OG. ....g.}...Vm...mg1..{b.$"[email protected].....&g
t;....9.....{....|.,.5.m..w..t......?..q^C].. ....,L;.......U...>\.
.l~`.|[email protected]^.....I."X.9.....4g...L23;..M.)G
^;..K......&..O../F.n`Ig..=.d..V?....bgC".92 ....4q._e.9..X..K.....4:u
..h.>...=.6..}.>.oJq..v...N....Ni r>D.."4>.w[..Q]B Zf^}..?
*[email protected]. .1.An.D..ym]..R9p.....b.;~..."wo..VY..,...!Y.....
(..:.|."....^...f..hxu...~.<9.S9..Y.*..8.I/...y!..\.D....e=..8%...i
.5iJ.%')V.W...2=,.........O...\h...N'>y..).....!.my5.V....I{.| z.5.
.f...a#....h......j....y.s..,.....)........a....v. ].#E..Ktz(.jGr.....
..xH.....h%....E.:..........O.S.V..%$...?.\..Y..c......NFB..L...r.RW..
.l.}.F.\.5pN..T.'H.-.(.............9....D.j...^.....BF)..03"...&[.....
$=.<..k...DY!....SS..M....&..{....@............ k..B..pk.$.OMdQ.~..
B..G|H...v..lU.Y.q>.?v.'.w....p..........}P..D..a....vO..........].
"...i.....P..VG..4..`..........8.y......(n.@[email protected]...
..v.6.LD.......W..{.w...x..!>..[.y...2..Tr.WvRm......*...i.&19.....
..=.7*H[..e..F'.C.E].)k.....l..u....)!p.....e...:\.I.......i.'.A7.y...
EH...L..3r..9.TP&0.C$....dj.s.....,V.e...8i.....l.....).M..g...2......
.>...f. O..?bJ..N.....X.I.g..Cz..W9ey..}7{.....E....M.W.]baBO`C4U;S
7.D>0B..tK([email protected]......%.Ev.G1.q;.:.%{
I..P....|...yg.G.......#..:[email protected]*.C.n.p:.L^.v.o.
<<< skipped >>>

GET /YTDownloaderFull.exe HTTP/1.1

Range: bytes=1500000-1749999

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; SBUA)

Host: ytdownloader.s3-website-us-east-1.amazonaws.com

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

x-amz-id-2: z9Kp7F/4y coXIo5DH8aOrusgMJBGegKhvKFgrIQvdlokK5pdtuMPlwue/inF 0f

x-amz-request-id: 10B3D1686CDE14EE

Date: Wed, 24 Sep 2014 19:45:03 GMT

Last-Modified: Mon, 25 Aug 2014 16:47:23 GMT

ETag: "ae8756a8ca44cf937b238ec0dabf51c6"

Content-Range: bytes 1500000-1749999/6873072

Content-Type: application/octet-stream

Content-Length: 250000

Server: AmazonS3
.1..M_..<...$A.Y.&s..h..5..xq.b..F......Pg.._.C.;...]_.........R...
...G...Z./..{/J}.l>.c.[1_........]...;|.[..:.....BV.L.pQ..?>....
....E.~.l.2......U.....E.`hN......{..b.4..^.....\I8.............%Y....
....8...6.f.0hX..}d..5[.p...vg.D5.W`58y"#....{.r?...x\@.J0...!C....J.}
xJ..N~@.<.n.DX......8.....s..GF....F.......<..........Ygi......I
W..Op......s.@...?....?..5.>u..d........aj.!=%.tY`Dv..3..[..7.<.
...P.......F.j...e...............~Mnm.W.........NMo;..X.HoHk.ZNR..}.{P
.;.2....{b...!/FO..].......<A{.c..X.<...w.q8......e.(..4v.......
I.W......k....../.Oc.9..Z%(.....n."F..k..Air.]o$4~@.......}.......T3..
J'y...W.3.......J...]z.\Q.2.......1..p...S..x4.F.....F.!...z....VG.A~.
.7..Ojy.)..K.n..[7..=...wT.....u'.J.../C.F,..U...(.8..1.U@...?~~t..h..
..#..#.....R.......'...nV.$....pc...sp.H....2$8....2.r3.$NNF........T&
lt;#>.`....c......0....*r,W...<i...g/......g......|...1.1P......
.:. .G.(H...~2v.Y..=.a..OUFC.d|.X.T.=....e .Np*.?..l8re.b...{....0.m_i
k[...R.k..5.N......\............U..bq...#..#.Kw...mZ.w.u.c...S9j.R.z..
n....HH%.........U.........t .<j...u.......B.7...X..kO#..s.<.H.*
Vp.........UMv,./GX.....'..{.>.K/..'R...ux.....Mk..$.....0o:..y.;..
..U....m\(.r.-.4...1...2GA..k..../5U.`xIz..9..>.C.......I.`c%....z.
I.&."wa..N..r..O.../F...'..R..Etd.'.....,9fW..,6.R-......q1.sE.B!..E&l
t;..t...Ug. ...<...:"FMA.....5...I...`...'..i......2&cPS.......}.w.
.*..1...X.h..?..6...G...9.F..%....`~.75~.....cU..v|..T..8.w..m,.....MA
....4>...2..?..f.-...Z.....!?.a{...8.%.~r`...v...W...=...jr!u..
<<< skipped >>>

GET /YTDownloaderFull.exe HTTP/1.1

Range: bytes=2000000-2249999

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; SBUA)

Host: ytdownloader.s3-website-us-east-1.amazonaws.com

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

x-amz-id-2: ubbWb9Bv18A81ZE9vA7wl2pbdWzz/6DalizNccV3eMkyLmJR9qniV8MtJ4E9DzXt

x-amz-request-id: DB123EDDA56778E7

Date: Wed, 24 Sep 2014 19:45:07 GMT

Last-Modified: Mon, 25 Aug 2014 16:47:23 GMT

ETag: "ae8756a8ca44cf937b238ec0dabf51c6"

Content-Range: bytes 2000000-2249999/6873072

Content-Type: application/octet-stream

Content-Length: 250000

Server: AmazonS3
O.k..3GN....Z/N.b.pu_Q.([email protected].(...]..C0z.p.*e..[._..h...a.d
.j..E..$.&.a...Y. ..=O.Y....D.m...I. `#er.B|[email protected] .%w...bu..
#.YC.}:F.$#...68...`..c1 ......*...G.... X.]t...LLc..mI).RV. .!)......
...%P..D.Z>m..r.%[email protected]*.,..#....oo9:.......@....|...
.......j.......t5I.q..f......_.f.....^...MYm.L....8.q4Xphm..OE....aV!.
Y.....D&.e.w.I..........^L...H..O..X1......A.....&.R.Hxe.....gj....k.z
......3.~..J.? .'..L........pKX.!.c.._...-..5.g_...^....(...X....}r...
l.....^=.._..g{.`..de......Q..D.............M........q..._..g0...R#S97
v.!2JK.b........#......IF.....*l.}......Zh...#.4Km....q..p.DR...p...X6
....kL... ..J.Ep.]. ....\K#}..$.w..f\.0...A.....)E %[email protected]..&
.E=.y*@m).....U^.g.....h........i..W.....X.'g..n..c.......=.<.....L
..[A....l.....$.o....=X..<......R.V.6...Uk.. .....)l..Qd.v^Q..j..']
...`.u.)..5..T..8...j....x...|J...F......[..Dz ...z...m.NK.s..0.t.....
.;..P...k..a.a...........-...#...!..?..p.......m..:Jx}k..]...N{..in4..
. .C1..(...w'.=(&.].....=........8.J....#.....s..o.'4<,...}.kL^.e?/
..V"....7./#.e..\U.k........ ..D5&.....=.g..i.=.w.._S..@...;Y........L
mFA*[email protected]..).2....T....].P.k....J;p.R^.W... ..9...uL.S\..D....c...
..y........E.....2.....y...>/.g....X..........o....d|...H.No.]a/...
......`3..=...eL!.!'...|j..x....b..D._7..|..P"". ....i....L..h.$......
#P.pA..%....... m../...O.....s.W,vf.M....nG7%..K.}.w.&...o....x:....).
.......R.u5...n.Qe.A6..M.h......l.{p.m>....M..K.fc../..f......_....
./....nN..}.}....p.z#.~..*...AI.`..Y..w..."[email protected]....|..~K
<<< skipped >>>

GET /YTDownloaderFull.exe HTTP/1.1

Range: bytes=2500000-2749999

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; SBUA)

Host: ytdownloader.s3-website-us-east-1.amazonaws.com

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

x-amz-id-2: LilHz2J1YTmHQbSxSkpjzZVj3EKNLcnDyIIV7hdd3ygP2iZ7egvwkZOcyJ2o2b5f

x-amz-request-id: 2DF28BBBD8175076

Date: Wed, 24 Sep 2014 19:45:09 GMT

Last-Modified: Mon, 25 Aug 2014 16:47:23 GMT

ETag: "ae8756a8ca44cf937b238ec0dabf51c6"

Content-Range: bytes 2500000-2749999/6873072

Content-Type: application/octet-stream

Content-Length: 250000

Server: AmazonS3
..*.........$....4.k..$..5.......v....GK.U.$s....x..A.s..~..02]....6..
:..,..G".,....2nQ..b...n...WkUe~..<".....b.m....b....M...4...F.-d{.
.f}?...T.s.L..jF.2.e..C..=.f....U\. ...A.:..T.\..WZ/.../t...!_..<.^
./.1..z|H.m..$.*....g.$.Yp...K..7.n...".S-......B..!0.No..e.;.O._x...a
..B..I?3..N*K.._.."qZh./...... ...'4.GM....n...SJ..4..m.3.V.3.*.y?%!.N
N...........\f.).hw...!.k.h....o.'..0.7.v....{.&.zW...Y......G0 .6.y.L
...)s&4....I.?^pjt{...l...:[email protected].<..0.|.}]a"......3z..]......4
......6....UC.[.m..Hg,x...u....,w?q.z.q.:.4..X....qf.0Z...~...3.......
.N...2.p...ZV..=......P.V.H'|[email protected].!.....e..a.>...jK1...n..B.
.s.i..].ki..t..(.I....3..e."g ....`:J.anmU.....5..G......47S...y..e.n.
[jm...Sc....2.....Q....31......"..L......"[email protected].\d,....s...M[..$..
..t.....$0....... /._.......*.N~.h.g......H...r..I....s........:.._!..
.9.S.7...n..q..KG.Y........U.^.*...1......>q..Ir'.`....8...,=Ol....
j[B#x..qV.X9....2....?...h..kA..;5Q.c....H2.q..P{.82UX......3......:..
......1.W.,gf|.-C.v.l_.R}..s9O.Z..t...$..... ....Z7..n........H.(.....
..H...i..3l..S........p!D&..<.?=..N.......A.z....`.|.s.w...KBS.c.g.
.j..D.[.\.u....t.mkI..HC-.`@vX>>..*M0..4F..e$..h.....wj.$y.>.
... I....&}..f=SG...t([email protected]&..s
.4..wX:.................._)vz*'..2..[A...^>..U.._r.Y3.L.,...#O9.ax[
..[...w\.v.^g.....PN.....)...........la.e."..t.f......xG....(~..V..Z F
KX.......rE...... ..wZ.[... ?^...,.>[email protected]....|.$.8.BLTqg
x..q.N||_.P...%.."I;."...z...z6. f.@.'WS._(...C.,u....6.y.SP......
<<< skipped >>>

GET /YTDownloaderFull.exe HTTP/1.1

Range: bytes=3000000-3249999

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; SBUA)

Host: ytdownloader.s3-website-us-east-1.amazonaws.com

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

x-amz-id-2: fKZPaD67uoHYtDjvpDPXl2O0LNsar16zsbVo5eRth/d LC2IO 2AGV 3YuSHpx14

x-amz-request-id: 0D5D96E23DB3DDD9

Date: Wed, 24 Sep 2014 19:45:13 GMT

Last-Modified: Mon, 25 Aug 2014 16:47:23 GMT

ETag: "ae8756a8ca44cf937b238ec0dabf51c6"

Content-Range: bytes 3000000-3249999/6873072

Content-Type: application/octet-stream

Content-Length: 250000

Server: AmazonS3
.........k4..Y.zC........&.R...,...P.P....qa....sC.?... ......v..C....
.....z...M..)\%...,...Z...../..._A#.N.....t...S.$0|...<.D...{...y..
y*..=C.=..q.rlK.U}j.....5......I.......eq5.oM0.y....[.H.....ga...P`...
W.c.#...e\h.3.L./[email protected]?P .FH.B.y.F...*R/...6..M..............em5.a
....e...;a....R .....&....F...E...q.'.Z.._..yX...CQ.F..gD.TN^......e..
..K...n.w......B.q...{...d.f...N............TX....qQAf..........o.y.{.
L..f9.F..C.W.;....L...".~Y?...........Vgr._"2=...|..v.h...@K(...[.d1.m
....A..B.B.pJd.X.2......F}.fk..`....#M.W......Xp...-..^........w#/....
...B...3......o.....).5P....`;.&....;oG..\...;..|p.k...S..[V.h....NY.k
.t............".a..*.......&.(.-......Q.............W.G.;.....3.PK...@
...|...n..h......\<.)..nQ{@.....|...GVFL...%.|7.....r...V..v...h...
..;l.......ve....MC..X...rA..6V./.p..v,.Q..:Y..U...........!......mTZC
..../[email protected]\<U.....&Q.R
6.\.....{.G.Qy.j0.ak.C..\...}j.;.%'.F.qQ...#M _z....G.....:d.{^F....Q.
 .W.....N.....%p..n..lq.Z..3.r..[t1vwv....]W._...z.....v..m..=.1....e.
,"...'.}8...W...b...Z-t.~...G#(5...S..?..[|.:U...v.]....WC.g..5*...9.I
.TY.3#.#.........S.P...<......C~..>...(.X?>'..v...8.{=....n..
,..M.\o.V..J.EL...-.R.....q....~....cy.T.$.3#.D.W.co....-e_...'.r./.c.
.D_.U.....d.#(.`....1x6..Y.8y...........X...t..[.........L.`.N.=?.o..g
.....L*.d.....S.......Y.....{$...2....Dt*... *.....)&...~..xn..}c.....
.D{..fn.....<|.gOB9k.w.%.......^..".7.....3. ........\.........'...
.......!.qN....#..<M....0..gE.c...5.A#...f...UI.3...j....R<x
<<< skipped >>>

GET /YTDownloaderFull.exe HTTP/1.1

Range: bytes=3750000-3999999

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; SBUA)

Host: ytdownloader.s3-website-us-east-1.amazonaws.com

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

x-amz-id-2: BG3KzLqBnlThRWiYHKJ7Is5YHEK1z/O1TZ2xrvvy92rrTacfSn1KOqgWCMG/m2z1

x-amz-request-id: DF0EAFC02C14361F

Date: Wed, 24 Sep 2014 19:45:16 GMT

Last-Modified: Mon, 25 Aug 2014 16:47:23 GMT

ETag: "ae8756a8ca44cf937b238ec0dabf51c6"

Content-Range: bytes 3750000-3999999/6873072

Content-Type: application/octet-stream

Content-Length: 250000

Server: AmazonS3
...x..../.P....w...vi..E,... I...IB2.X..C....l.....].r%!Sk.V........r1
.0...M.g.w.R.D.#>[email protected]. ..........C..<..
....!....P ..J]$...8>..[..'.8!...~.....wzH.X.4L..\...\.pR.c.......e
..(.PU...... .T..M....\k.......S..}.y/.m...q...3c.....l.!..-yS..W.R..S
....]..6./6.....l..;..s:..En..f.c........h.[I...z.5;[email protected]?...m.
..3....,.jY^.Y.....%.....?..."]..."..P.........M.....W.?.9.....f..N.u.
[email protected]...@aX..<..tw....1k.;.....n0...xO..O..b.(.......
|. .....{.3[.....;....$c..L......p...Og....\J...(W.......'......-.K{..
[email protected].!l..OI'<...m......i........Y.S..=P.w.K_.7qo...sp...8.n
......F/O...V..PO.. .a.D..8.x.Q.&......}udu...p...l.....-.....h.L....4
..)x....IG.....6....Rf..q.m..T....7.j_..,....z........e_.zec.S~.8.n...
-N........q...'...9.......A*.%..tv.D....5{.,...5e.n*...R.0...n...^....
...C..X........#=u...=.K..D.IA..9..0....\$R.P.t... F.T....}j._.t..WM.t
zd.....mc.....>...0"..r;.^Z..[...,....4E.^d.......q...:[email protected]..
..9[@[email protected]........}.6..#g....A&.|....*.B.... ..p.Ky.......A8.R _50&
gt;..*..2C...]K..Y.W.Zy........=.'J (....#beY).9...YlU.6._.=.]...q.l..
....G.a...S....v..5..u-.5.....&.. .....y..rJ..T y&...>.;...\pI7....
YO.....y.*..`N......[3M.Y....U\.......F$.<.]..t..UV.... .q......y.,
..yH....I..d{Ja.].=.^[email protected].}>...F9.$...=<.
[P...g#)O....v/..)@.."............~..g..g~......;Y.......[..7x..q..A..
.&r....a.*nG#.q9.w....n...}9....?F...,...=.....%..@(=.>......C*V.nl
..X.........).lE...C.u.o.!$...Z_..Q.....,...t/.E..W...%..ZR.#.....
<<< skipped >>>

GET /YTDownloaderFull.exe HTTP/1.1

Range: bytes=4250000-4499999

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; SBUA)

Host: ytdownloader.s3-website-us-east-1.amazonaws.com

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

x-amz-id-2: RTWTF Dg8tZEX3GWWhBuYCQr0yr3GYiLzaHF22 1Fs7RxfebfPXiGdhj8CpwDsgG

x-amz-request-id: D90BD33A87EAC3B7

Date: Wed, 24 Sep 2014 19:45:18 GMT

Last-Modified: Mon, 25 Aug 2014 16:47:23 GMT

ETag: "ae8756a8ca44cf937b238ec0dabf51c6"

Content-Range: bytes 4250000-4499999/6873072

Content-Type: application/octet-stream

Content-Length: 250000

Server: AmazonS3
j[q..8..&.i.[N...........I.S..,$Z......f:[email protected]~..`..&|.....v..
kXQ....KN z....".^w...E.v=.t.#.jb.''.C...3..E..Y..8..I3...[...J;g .<
;...B{.l..ij.O..........K...~.......Z..|...!.`.$.0.r..)Uno0......l..2.
$!s.fm-..U...6./.{w}.Wf...d...;r..!.......US..{[..V.....P=...x.Z..4...
..K.......".z\>.K.&7..5(...b..t..&...SI..Lt.Lj..1:-NA.e*D...Mu.....
.j'.V..4.pE.n.........g..C...I7..[..x1u>v.........G..hLD}.o2.....d.
....)I.......0K..;3y...)....s.5....H..vf'[email protected].).XWW..
q..w...2h.9..N.px.~..Y.Do;w..bJ.)VB..>..D.).......m20..A..i..[,.{.b
q.......XH.Z*..Eb...p..@;..2y..\..1...M.}.T.1........c.y.kq..........n
.=..'s.......s.9.$^.p.J....Y.t\..;r...n.c.w....8.c..^............5A...
.9R....9........Mz..P.y2..}[email protected]....`.S`.....ds....@..#l....`j...
......h=5.....{.R.q..Hw.=..m......)$..;..s..0..a.9.=Z.....h}jh.j...b..
.'t7...2.y2.R-.E.y.5..hO.}.>5.*...i....Ub.3/.U..|.b. \M....Cs.\\.[.
.....1.W..Q .X^R.@...\N...,^....3....2.E..&..L..@...||\g.. .S....`l...
...A.c{.r..itl.WP|3.X...0.Pf)g..F.].k...7..."...|J......m[..$^..=...r.
.-C........g............j.X.ciQb...b..s...K......_.,n.......7...K.7..&
v/[email protected]....]#...... ..}..L.G...v........K .TL..w._
l{.a!..$.....h.T..x...W...g.*.$..5....sm.........lw"(=...WT..G....fNfB
.F.m~...W.}6C...~...m...LS.,...0....S.?...i.Q...*[.E...#...z..6C..S.*.
...\.:...5...k0$..../^.....;.M..L.#D0.D........V...7...........=....k.
.q3..".Yh2..=....P..k...`\...T.(..I.8.V...).<..c<.z..&>....._
......$<...d..j.L..q.,|oMO........F.-Y...\....M...9....Y.!7....
<<< skipped >>>

GET /YTDownloaderFull.exe HTTP/1.1

Range: bytes=4750000-4999999

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; SBUA)

Host: ytdownloader.s3-website-us-east-1.amazonaws.com

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

x-amz-id-2: 8E4p7I eJiYUofqHm hTni4SXPqkufLfbneq6pjqqVwz5buP2F70ZFzjeq989KVC

x-amz-request-id: ED0372CD31FB78E9

Date: Wed, 24 Sep 2014 19:45:22 GMT

Last-Modified: Mon, 25 Aug 2014 16:47:23 GMT

ETag: "ae8756a8ca44cf937b238ec0dabf51c6"

Content-Range: bytes 4750000-4999999/6873072

Content-Type: application/octet-stream

Content-Length: 250000

Server: AmazonS3
h.k1;....Y)-Hz.B..nm...4.2}...B7k\M..{.....M.V.. -.......3..%g........
.*....?.^I.]:'.U.0......g.Y.`...........t......o.`..}I.G ....Q1...f...
S&.....4..A.[:...IvX.3...^..9>.Avz.#.v...........\[[email protected]......^
.d:..?.....V.j.......;0O5}{.t6...._.V....N.U...(?K......ka.....I~..V.K
.....}.v...H.N...^.U.Q.Y..!.co..w.....m.L>.Q.`...|9..;*...>.....
.h...C|.......w.:......l.N..M..7=.K..\...*...|..n...7;!C..2Pc..oY[..jr
(.....l....f,....v.....)...%.....~*...|.tZ.l....fs...^..b...8..CM0.IO.
......f..............kx.i.y.?..o.s.`.......>....L7.@. ._.Z(l.......
v...H.A.m.......=....3uV....8........DH.{n-k).g7.).H.6GEt........)..["
....l.........Z.;j...N.r.P`F....!C...Q.-...#].........4.- z....q......
......x.M..3pA..cX#.Icc._..S.3.......f..%j..V..0,... N..J..}.v_.S..qE.
.....T.l......5....e.....6S.P .;..7.<#HYW..\.....e..;.*.G.2J.Y.y.Ug
...f.V..'.l,V.... .O..K......~.K.C.......Q]...A...q..;8/O..C...T...@._
..#`...N.5.......#..}.;Z9...t)@5. ..N.B.7>...,h.k..`.a6.z.....Z...z
.iP.7TT_.F*..Tu..s ../.... .:.p..I.|...al.J.....O.$..3...:.3rW.o......
.........|.Mh.i.:.T........A.B..X.Uk>.K.d..Yi.<.t...G .#6%...KQ.
y.....v.C.t....o .E.D.OeG..{...#...GQ.....8{..X...E ....v......../.ig:
......;..%^...L....?....&.......j.:.t.K..y......j.%.v...6.DrP_...u....
[email protected]".G>T.'..K....|...b..Z..j..R.T3...4..b..h.6ft. 
Ns3..F..0....._......X......>.h...:..p.........`..k..LB.:h..w..W9.J
~?.,.p'o..9..V..v.....-.H..En..(0N.....R.He..lVe...\......G.SB..bH..9g
.y..........M....&D..^.O_..Cv./r...f.vau.o.....?...1..y.cj.......p
<<< skipped >>>

GET /YTDownloaderFull.exe HTTP/1.1

Range: bytes=5250000-5499999

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; SBUA)

Host: ytdownloader.s3-website-us-east-1.amazonaws.com

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

x-amz-id-2: di0nbS6QSmzOFBWmV/FtICzwGCE59c3prspF18jmjaX/jb4Zgt91sPrW eOEvnxb

x-amz-request-id: 5E0DBBC2A4962D31

Date: Wed, 24 Sep 2014 19:45:25 GMT

Last-Modified: Mon, 25 Aug 2014 16:47:23 GMT

ETag: "ae8756a8ca44cf937b238ec0dabf51c6"

Content-Range: bytes 5250000-5499999/6873072

Content-Type: application/octet-stream

Content-Length: 250000

Server: AmazonS3
y.<..87.u...8..r....{D..i......p$.D...z/.^.~S...D2..p=H..a.....<
..Y.~#/%..> ..%.l.2#\..S'o=.d...#....a.u0..>8.?..).L..,.>1]X/
....J.&.p.....~.3...g........v..=c....R.....L8>./.....G.0h....a...l
...w..Ga..mL{L..W...B...N....0w.!..A...=...">S...O.Tz....s....|..~0
h..o..!..z..K........ ML..P..|..s|......*..............j.`{1.....rX...
>..|7..V.H..C.....6.........\Nc7%"..%.s'.P=p.. ..C.0.Y..U..N....#`w
2....]t6..R.....tA..3...Y.e.#..|.CB..{...,-%...w%.. ..<......Xf..!.
kcq%f.N/.>M.....w#.....~.p.]..k.?m..VU0......%v[.?..o.6!.n6/...q.Q.
FK. A.H........lHE.v#..j&...V....z....3.-...9.^.....~R....Hg...>0s.
...........y.........wK.....XM2\B.k..K.'.Xt.^n.G....-`<.Z....M/W"q2
...a.Db....%.....nx."..#6f@......(..aKX...3.............([email protected]
h t.R.x..pm....h^.S..G...<......Y'..:..M%........4.~....w2A..7....&
gt;..i...nk..R.T/..%.`..r..yu...Z8m..HLFA.Zs..f....V.......=eXX{|M.".N
....TJ..i......3I9./9....YY...#.Nr9...U]4.>...@......$....5........
.......j...q.oR_..>..h...J./f..r...\(p..O.&!)..<Y. G".........zR
g....k.[D....p.Y.GC ...>..2xd:...=NG.....Q&.<.....%y..v&...*.e6.
....31.#..z.....)a......8d.c(Pt.<.^.7ro..l.....SWE.P.f.^..w..D.D..F
.!XBa...|..]3T....1_...C...T...L.|.M...<...n....-z....%!...-^p.....
~.E-..Z.~.].9>......Ua.z...z%[email protected]{...M..L....s...JI..K7l.
..M...6.e#"...M. ...}5!.....i..L.".........co|.!...M..u......]?..w2.(N
l.R. ..A...h...|Q{...`.....bT....[...7..u...V.(.vz.~...{.=.A|....x.*'k
iG...".<.........to...../B....o\.....y...k'.B.K.U.*.iX#.kf.....
<<< skipped >>>

GET /YTDownloaderFull.exe HTTP/1.1

Range: bytes=5750000-5999999

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; SBUA)

Host: ytdownloader.s3-website-us-east-1.amazonaws.com

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

x-amz-id-2: OJrmEjHgU4jc OaQgBqwfbVUKiWSfX8uBS7pbuvYPt Tw6dTgWKD5rNN/6RDh3n/

x-amz-request-id: 0261173A4158F046

Date: Wed, 24 Sep 2014 19:45:29 GMT

Last-Modified: Mon, 25 Aug 2014 16:47:23 GMT

ETag: "ae8756a8ca44cf937b238ec0dabf51c6"

Content-Range: bytes 5750000-5999999/6873072

Content-Type: application/octet-stream

Content-Length: 250000

Server: AmazonS3
.....s}..r.....j.....{D.....=hk.6#..q..l.N....g2 .D._..~.;.Z>u]8..{
...8..@.;.....V3.r..|..x.....mQ....9 .~.~.z.] .y,..<......%|~Mb.o..
......B.......{...B..% &C...........7.l...c.~.g..ko..,.C..I..<%!=..
...}..N...../M.. 8M......'...r.F4....E/..E...^....w.!].w....r.v.y:^...
...$.4.%..%[email protected].#.?Nm[.;....z...AZ.
...I..<4.F-xH....|...%...s ...2....K.d#Mg.A.$i.....-...Hb.b..6}.1.o
..3-v....W,.u.y.-tg.-=.o.B.4.."7..mI.....z-..~F4(..y..q.^y......h)....
..V.FP.@[..u...... .eT.......z..c.......{j`...`r..Q.Y....i.........J*.
M....)..,...5..L.0=.|.........j.....9~...}yN..`G..9.......%...u..(.$..
 )^.n.........H4...*..[....]...De}.. .3b...9G..v.E<o...L..=...,.B.H
.........uH.P%e..D.R..1...j......7.X..5..O=.H..8.AG?..b...6$Y...6?....
..(..Q1..<..B........5..N.......#.:...h.6./..>.....8..6wT.7..j.T
.p..7v..G......a......A....e2.S....:r.[........g-...^..^.l..6..o..J...
 ...D.3.9..l...'.....j.....B...s.$.t1.........G...o..Zh.q"...."Jk.....
....2.'..M/ev..V"...h..G...UH.a...7aU.{/@[..'X.21>..!(p1*.*6..G.z.#
.g....Sz~.'...D.@........[lh..c?PdP9...2....,.....;.l...'}....~...GcF.
c.j..o-O....]..(.h.*........iR.......i.8e.Z,...onV.9....U .."...H9.1..
.|..JG/W.4....UZ(_ .."[email protected].?`....*..Z..|.
.#w..b.2......p...i.q..#.1.m]=......6..u....m'tWc........H.\&R...!....
b.W....5v..k..n...0.?.6!....%..C...G}....g..6.d1>.."....5Hve.,....&
lt;......v.d.......f;........p...33..ccuiV....].=...Q;...X;\a. ...{...
...k.`........q._......[...f......S?$t..`.U....U"4c..u.6e..[.c...!
<<< skipped >>>

GET /YTDownloaderFull.exe HTTP/1.1

Range: bytes=6250000-6499999

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; SBUA)

Host: ytdownloader.s3-website-us-east-1.amazonaws.com

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

x-amz-id-2: hIbLKfMjU/Ubd5mlUtiKSVnA42bbVcylvOSurQROx/jmi2v6JuP/pIO6uLYQcbo9

x-amz-request-id: 01DF0C5AED7F0D45

Date: Wed, 24 Sep 2014 19:45:33 GMT

Last-Modified: Mon, 25 Aug 2014 16:47:23 GMT

ETag: "ae8756a8ca44cf937b238ec0dabf51c6"

Content-Range: bytes 6250000-6499999/6873072

Content-Type: application/octet-stream

Content-Length: 250000

Server: AmazonS3
.j.....,.....?}.1d}.-.Ez7.,!.w...r..HP$../........../.!..z.*..U....O]:
..t.F.iI.a..{!uVci(.4V.s.. [.c.3}V..#...0........).je..O..i...v....<
;.0..E..}......:.(...]..@:.}...I...@.._......;#.d.(y.q..S.Q........!..
.uCBI"....o......c.]l7L..'es9....RG.T.t. .;.N..q.\SN..%.....Q........O
V...../....!..J.F.^[email protected].._.....vr..j..Eb. .....4.Y... .,.
...W.{.!.M..0......./Yg./.>b..i.7..q......c..Sq8.R..ME..}...AR.....
.i..h.7....i5..J..3d....bn..d...yS|...A......XJ..9M'.O'_...<Wi.JZ
"...N.(........2..?tX....E(.a...`...?....f..k.C...d3..k#.......s5.....
[....t...Y...G.......?...M~P._.... O6.UB.....bY.*\..(...M....G.?{l.A..
....m.N.|&...*.f..H'.........|....0...F.............([email protected]...%..
..q.....`.......s...0Ab}.KW..|0..o.cOy..g...].R83.@../..W..&W].9...u{.
qc..r..........8......,[email protected]..."kx)...s6..2.{
i.............:rw.p....g.G.....aNW6.$e.0.... ..8...cg......y......i&&g
t;..."..CRv]c.;[email protected]{DR?aV 15./.)Y]4...2.u...K.X.$
.G..`..%.."...lp.C.G.../06...1..;........~w.d.G4)..M.nM. rm..5...9...y
[email protected].....\..v.....h..4..E....[s4.Lm.Sh_.#..-.....E.R.
.....ee..$....e.....!..]......h }:....> ....iY.......(...[....T.;p}
.;1f.`,-.N2..eT....A.&.d.S.....0.o...W..3.K.c...........D.8R...V....q.
6.....r:..,C.nfSbx.y.lO.)...H...6a.....{.P%y .......,?...ak9.K*xTZ....
......X:......}.._..l.{..i.....S[@....7X..5".j.#....,..n.?n.:.|..t.R].
...M..P......_...c....sL.VfU....\..S....\......p....._...8>(.g...^.
.02."Yk ....?....\..D)...F..k...y..".......S...e....r.)..<.9...
<<< skipped >>>

GET /YTDownloaderFull.exe HTTP/1.1

Range: bytes=6750000-6873071

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; SBUA)

Host: ytdownloader.s3-website-us-east-1.amazonaws.com

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

x-amz-id-2: clMogHu6md8W5Sz3XYqYag9ftd7A3h0DYIPbz/dX/ufeTJWOyp8A/Ccku4UHsKsx

x-amz-request-id: 8D0C01643176EA98

Date: Wed, 24 Sep 2014 19:45:35 GMT

Last-Modified: Mon, 25 Aug 2014 16:47:23 GMT

ETag: "ae8756a8ca44cf937b238ec0dabf51c6"

Content-Range: bytes 6750000-6873071/6873072

Content-Type: application/octet-stream

Content-Length: 123072

Server: AmazonS3
.S.....1...-.....1......a...:g....I$...'........w..ieJ?.!<..j.q....
>Z?YZ.....-.\..&c5....R....J:........=.d=.us%..(...!\..D....xsW.t..
D...v...@...|...j.$..y*m.N.b|)...../..<..$a.. ...O......F7....*e.|3
Qs.$.rw..%GUm.....c....^pb..v........Y.n/...T'|.wf.....oN.1.S...tGd}.(
[email protected].`G.J.Mp.{..<....`.:..D...|.....h..../
....F.6.. ..i.....a.2j.V......A>...=."...k...37..O"~9*.....>-19.
C.;..}........J.@....".-..V..O...|!.NC..7d.U.~%.8..N.s.e.=]....!0p~...
...'eT.(..}.7T.7)M.d.O)[...OA...#........|.......k.....A.;.XD...1...gi
!.V.A/.g.. Ywx...il..s..mW.h...'%..bQ..........hpc..g......q7..3......
.....nQ..Y.I..$.&....n.D.q.....T.g....S.1...}Sd.'.~....0..*.....-.]...
g/|...\H...@>d..^..8w? }..Aw.....V..yV%Wd..(.u...0.5A....KB....m.`.
...V.......Z.^..B.....9....%........Ea......$.G.:5.... .....Y..@?.T..3
.dll.7`.......).Y..../..&..B{...9)...wQ.......u._X....@.....{.|.G...3)
-...Q........SxN.M.nQ..........X..C.; ..0k.IS{...mZ.F.U.a.K.....3.!d..
f......a.G.Y...../.......uOv.5.....,.0.1-eJ..9A:3.?.u..R# .e...3.A....
.fW8...H.~...~`X[...?...0DKGWt......S....r..........O.....H..1..YI..Ii
9..T5.NY.-...).Vc..;r...?d..-!....;"4/...^h.I.. ...*#..U/6...N.,.b..N.
...:N...i..0.r1.s..?3[..uE..q...jl.P.f 0Gc....n..o.!.l.J~...'.8......k
._B=..cp.]..._....c\;W..#.Agh._]...?$8..H=<P|.|U...6.O......;.I...&
._y...H.4...x.]...,{#..,.u..n|......r..5..F...%.....-.\.;..O...Pc3....
...G.W.X.6fP...,>PK....q......\......Oa.........h.[.g.\M_JvI.>..
....'..>y..V/J....Q^NV.iw.{...W...IC...S76<[email protected]. ..D
<<< skipped >>>

GET /p.ashx?e=WL9usJOVMsMN1MB2JYZLYh2TgJGND6I1FOuh80Io0Y5XGmhmyGgv7tSDdIjv1GLxDyP8Uhm xN1D7 NBD6lt6/XGnodDMUnnxMxekHFSjz1gKkdlz1lRocVwJfcRD1hSQlC/zd7KOiMM2aYa6DxQ3JzxkjoOk 336drvT37EAEMzfaxy UcmgVeD6 h702lVnRSXiQoYHeeDYt44hxYDSrr7ONig86K71bKQFrMIrp LG8h0VDqQlRTSo whs6P83N7iu97gHnm69Z1cpY9ZfWQzM8iYn5gpD 4fcPjtTaMpqaEcw/N/GnEHwQiN IAIiaROhATmdCaSi0H1Fb/qmXEJOJ/v4dEIxiJSIxFfQwloOhUPDkG8iXVLGT11UXZSft6HdhHlMpZFtoh93IRGrMTQfYT78rW6o JhFVUwrL/KKMB ON7 S1TM8xmV4vn51tQUcd/Mb9Q9 jgxQV81SjU9ECJIYR gVBQ6tZIG/N4jqSSo1MlOlksgSmpM3ZI6 HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1; SBUA)

Host: d1cfk8e4o0c4u2.cloudfront.net

HTTP/1.1 200 OK

Content-Type: text/plain

Content-Length: 0

Connection: keep-alive

Cache-Control: private,no-cache, no-store

Server: Microsoft-IIS/8.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Wed, 24 Sep 2014 19:44:40 GMT

X-Cache: Miss from cloudfront

Via: 1.1 5e710c2328f7a654bdb9327f17330ed9.cloudfront.net (CloudFront)

X-Amz-Cf-Id: P6l4rLRAxCys586r4qcX-kLliVyhozugGAjJnyBHJnrnkqHNsmaCeg==
....


GET /p.ashx?e=PcwT4QFtuPCzqpRpksQuKeidgQbJTNnNsAPUfDdnCMQ2fVsQFDtppEzdxKtV2DR5sjXc/AJnTaE/Hea5XI1RYL2I0JMbheXth/3HwzB5AGtYtrOl7BfDWA5Mtw6p9U5dKYX3Ti/i3YNxO48S9k5zx42nGtSBySjjX6ABQ4xl C6XAmRABUbmSYRA5W RLpwIoLj8WN7CI8UMxa2WeHrKRyBZCO2afqnMa6x3zkCgV6b4CcSts4/UjKHuMXIWCZm3VEJM29bKPct9pTKWYJ31dA== HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1; SBUA)

Host: d1cfk8e4o0c4u2.cloudfront.net

HTTP/1.1 200 OK

Content-Type: text/plain

Content-Length: 0

Connection: keep-alive

Cache-Control: private,no-cache, no-store

Server: Microsoft-IIS/8.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Wed, 24 Sep 2014 19:44:40 GMT

X-Cache: Miss from cloudfront

Via: 1.1 5e710c2328f7a654bdb9327f17330ed9.cloudfront.net (CloudFront)

X-Amz-Cf-Id: lNrshCAYnLJzTYb7I_G5SHUIPLsEXGU9LD1uIHxSI9zQUtdM9teq1g==
....


GET /p.ashx?e=PcwT4QFtuPCzqpRpksQuKeidgQbJTNnNsAPUfDdnCMQ2fVsQFDtppEzdxKtV2DR5sjXc/AJnTaE/Hea5XI1RYL2I0JMbheXth/3HwzB5AGtYtrOl7BfDWJKvgNPDm5dkjgb6v7cXpPth71QQSR2eRlO8xmMRVWZOb7j5JAyiJ5DwvGnwcuiCjBHn3WtPO7Tk9NtefOTH4Uq4Bo4Z/9PuTtLZlh1VxYn0pbQ3Mz1HZ3rid52NAP26nQXge6CT6xQU HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1; SBUA)

Host: d1cfk8e4o0c4u2.cloudfront.net

HTTP/1.1 200 OK

Content-Type: text/plain

Content-Length: 0

Connection: keep-alive

Cache-Control: private,no-cache, no-store

Server: Microsoft-IIS/8.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Wed, 24 Sep 2014 19:44:40 GMT

X-Cache: Miss from cloudfront

Via: 1.1 5e710c2328f7a654bdb9327f17330ed9.cloudfront.net (CloudFront)

X-Amz-Cf-Id: iS3Fo2pl4IbwSiA4bGc4CzLbTVhqVU2ofncbYXVmsRQYhLMparkSDA==
....


GET /p.ashx?e=PcwT4QFtuPCzqpRpksQuKeidgQbJTNnNsAPUfDdnCMQ2fVsQFDtppEzdxKtV2DR5sjXc/AJnTaE/Hea5XI1RYL2I0JMbheXth/3HwzB5AGtYtrOl7BfDWPa HuGTRyAEFAL52sIXt4Ua8Zp/ 13YC175vqqyfEnMnylXnslTRg848241y0s0/3gUxyF5wkLuxNB9hPvytbqj4mEVVTCsv8oowH443v5LVMzzGZXi fnW1BRx38xv1D36ODFBXzVKNT0QIkhhH6BUFDq1kgb83iOpJKjUyU6WSyBKakzdkjo= HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1; SBUA)

Host: d1cfk8e4o0c4u2.cloudfront.net

HTTP/1.1 200 OK

Content-Type: text/plain

Content-Length: 0

Connection: keep-alive

Cache-Control: private,no-cache, no-store

Server: Microsoft-IIS/7.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Wed, 24 Sep 2014 19:44:50 GMT

X-Cache: Miss from cloudfront

Via: 1.1 5e710c2328f7a654bdb9327f17330ed9.cloudfront.net (CloudFront)

X-Amz-Cf-Id: XJpZoGIYvFFt7IF6eFx7l7_8GU3qOndscE4Ju71yYJJFasXMhuOqng==
....


GET /p.ashx?e=PcwT4QFtuPCzqpRpksQuKeidgQbJTNnNsAPUfDdnCMQ2fVsQFDtppEzdxKtV2DR5sjXc/AJnTaE/Hea5XI1RYL2I0JMbheXth/3HwzB5AGtYtrOl7BfDWLqfIekNLhs5jgb6v7cXpPu93RkgrfPIdK/1bjUefs49JU1ySiay1sqdymVuPyjsZySWkiD 8aIWFAbDvDttaaPPt30posPzj93QiescafgJJI2sziJUfUip3S5SzB9CJGKaDIsXJGYyZ8M7LS1DXp/Km76/JYSSOjeLnNyvibXInnBnWYPWIyA= HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1; SBUA)

Host: d1cfk8e4o0c4u2.cloudfront.net

HTTP/1.1 200 OK

Content-Type: text/plain

Content-Length: 0

Connection: keep-alive

Cache-Control: private,no-cache, no-store

Server: Microsoft-IIS/7.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Wed, 24 Sep 2014 19:44:50 GMT

X-Cache: Miss from cloudfront

Via: 1.1 5e710c2328f7a654bdb9327f17330ed9.cloudfront.net (CloudFront)

X-Amz-Cf-Id: Lfug-OzDQPXaDuUOBIFKY4hQcx3j6H6SLQ0IiFehHiB4x3NDn6PbSg==
....


GET /p.ashx?e=PcwT4QFtuPCzqpRpksQuKeidgQbJTNnNsAPUfDdnCMQ2fVsQFDtppEzdxKtV2DR5sjXc/AJnTaE/Hea5XI1RYL2I0JMbheXth/3HwzB5AGtYtrOl7BfDWI5PPWYBcW8Gs IILilpWF3nW9YwSk5gj28Va7JmIs/Bl13yhrpfYAMeIGfrzyWRyvy2gKbXyPPDXUoXAX2Uiz3W6sPFKrniCyxamEHwe AYLkxhdnC/RJrb4ZR 6izXtqnDUZD3eCjLyi7SKmc/IBy20dyWy qRxW8Z0xfsfWTqGyNtTx8B1oEVrVKlXJV57rQrS1fRu2prTG2sGEv8qBE= HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1; SBUA)

Host: d1cfk8e4o0c4u2.cloudfront.net

HTTP/1.1 200 OK

Content-Type: text/plain

Content-Length: 0

Connection: keep-alive

Cache-Control: private,no-cache, no-store

Server: Microsoft-IIS/7.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Wed, 24 Sep 2014 19:44:50 GMT

X-Cache: Miss from cloudfront

Via: 1.1 5e710c2328f7a654bdb9327f17330ed9.cloudfront.net (CloudFront)

X-Amz-Cf-Id: aZrINqGM_0hPQ2tp755OBZpenK0TNE3b_0AEMuIcv5NFli3qWK9V6Q==
....


GET /p.ashx?e=WL9usJOVMsOEyHZoFFyrCNjAsLtQTvGI0/O0FfY/6t0oHZkq4q5PhSAvELRpepitC/ dZmzuxuj5lDnhnN785ikWnBSPkhjgLhu0b45kiT/XpciovEgse2DHUe356ADpreizXIw2lEUbPLm xNo0/Q2TwyUgITHw7M71aw1jTiwe4rptvpzkE7rdPSRwCrZGCcpIYc/YSz6Xbw9QoO9/zrRzhGRDOD7fjZpz1sPcxp1I3nypnKAJJwSlVcxDMMid7CGwBqpnIsMss0xdmNFlbg== HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1; SBUA)

Host: d1cfk8e4o0c4u2.cloudfront.net

HTTP/1.1 200 OK

Content-Type: text/plain

Content-Length: 0

Connection: keep-alive

Cache-Control: private,no-cache, no-store

Server: Microsoft-IIS/8.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Wed, 24 Sep 2014 19:44:41 GMT

X-Cache: Miss from cloudfront

Via: 1.1 5e710c2328f7a654bdb9327f17330ed9.cloudfront.net (CloudFront)

X-Amz-Cf-Id: wkvEEmolZ1Op5JOBXIGMJtwEMOM5MHAxUbfIbpxLnjQVOv6UbF0cmQ==
....


GET /p.ashx?e=WL9usJOVMsOEyHZoFFyrCNjAsLtQTvGI0/O0FfY/6t0oHZkq4q5PhSAvELRpepitC/ dZmzuxuj5lDnhnN785ikWnBSPkhjgLhu0b45kiT/XpciovEgse2DHUe356ADpxRFQWZg5auASij6iR4hMLDZiH7tUU1aoxNB9hPvytbqj4mEVVTCsv8oowH443v5LVMzzGZXi fl6ZL2NeMWCfA== HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1; SBUA)

Host: d1cfk8e4o0c4u2.cloudfront.net

HTTP/1.1 200 OK

Content-Type: text/plain

Content-Length: 0

Connection: keep-alive

Cache-Control: private,no-cache, no-store

Server: Microsoft-IIS/8.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Wed, 24 Sep 2014 19:44:41 GMT

X-Cache: Miss from cloudfront

Via: 1.1 5e710c2328f7a654bdb9327f17330ed9.cloudfront.net (CloudFront)

X-Amz-Cf-Id: -JvvvOOxm4qEcxecNpzAho59MpDBrL32ZMUVibtelaPmp54e16pZDQ==
....


GET /p.ashx?e=2v0SNuZrMFyRcITdAqjv5v7rYxGJm3lFeD0xlGrBIUuAMRxV Cn6lg49NnWHhDotWxA4H76t7h snEMebxE8BC1VAldyGGh24u3oGHN86wMFedaS6HkvNpR90anDedSCpjurIyC9QLCNmnPWw9zGnUjefKmcoAknBKVVzEMwyJ3sIbAGqmciwyyzTF2Y0WVu HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1; SBUA)

Host: d1cfk8e4o0c4u2.cloudfront.net

HTTP/1.1 200 OK

Content-Type: text/plain

Content-Length: 0

Connection: keep-alive

Cache-Control: private,no-cache, no-store

Server: Microsoft-IIS/7.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Wed, 24 Sep 2014 19:44:51 GMT

X-Cache: Miss from cloudfront

Via: 1.1 5e710c2328f7a654bdb9327f17330ed9.cloudfront.net (CloudFront)

X-Amz-Cf-Id: CqBg1PKEUqI3li9X4kNYicO3e7V0fcOkFs0rACeUeUEtP4b77cTMrg==
....


GET /p.ashx?e=PcwT4QFtuPCzqpRpksQuKeidgQbJTNnNsAPUfDdnCMQ2fVsQFDtppEzdxKtV2DR5sjXc/AJnTaE/Hea5XI1RYL2I0JMbheXth/3HwzB5AGtYtrOl7BfDWKnmGGYVS7/B0JQd5HxgIXfmCWsTLnvD bTtF4P/Nzf4R5ehg170ggfw1VxvH51bFJF4kQIHXTAmjFaC1iN6TTGCGrpHNYuwVusrAPq35vVlEjahwY EjuMmEm9RhKETqmZgKbPAVUl4JYIjizTQYxIAbodvSRETyw== HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1; SBUA)

Host: d1cfk8e4o0c4u2.cloudfront.net

HTTP/1.1 200 OK

Content-Type: text/plain

Content-Length: 0

Connection: keep-alive

Cache-Control: private,no-cache, no-store

Server: Microsoft-IIS/8.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Wed, 24 Sep 2014 19:44:41 GMT

X-Cache: Miss from cloudfront

Via: 1.1 5e710c2328f7a654bdb9327f17330ed9.cloudfront.net (CloudFront)

X-Amz-Cf-Id: AUoYaTqhN1LCzmiPn_PWpLmw7VulOWvNG4U114nNJHjDMx6-5tdmlQ==
HTTP/1.1 200 OK..Content-Type: text/plain..Content-Length: 0..Connecti
on: keep-alive..Cache-Control: private,no-cache, no-store..Server: Mic
rosoft-IIS/8.5..X-AspNet-Version: 4.0.30319..X-Powered-By: ASP.NET..Da
te: Wed, 24 Sep 2014 19:44:41 GMT..X-Cache: Miss from cloudfront..Via:
 1.1 5e710c2328f7a654bdb9327f17330ed9.cloudfront.net (CloudFront)..X-A
mz-Cf-Id: AUoYaTqhN1LCzmiPn_PWpLmw7VulOWvNG4U114nNJHjDMx6-5tdmlQ==..font>....


GET /p.ashx?e=4mC0vXGWFtoTEvwWndeMvNjAsLtQTvGIob8W7g4JmP0oHZkq4q5Phf DN4zpiDr184gNp9AlyFVbEDgfvq3uH6ycQx5vETwELVUCV3IYaHamORnDBzp0fjy wf5ge9G297Kvy9WMpSiz4gguKWlYXQ6ISG4/EOlW0UhyRqcS69JoTYruzFX zwb91USjiT0qLkxhdnC/RJrb4ZR 6izXtqnDUZD3eCjLyi7SKmc/IBy20dyWy qRxW8Z0xfsfWTqGyNtTx8B1oEVrVKlXJV57rQrS1fRu2prTG2sGEv8qBE= HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1; SBUA)

Host: d1cfk8e4o0c4u2.cloudfront.net

HTTP/1.1 200 OK

Content-Type: text/plain

Content-Length: 0

Connection: keep-alive

Cache-Control: private,no-cache, no-store

Server: Microsoft-IIS/7.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Wed, 24 Sep 2014 19:44:53 GMT

X-Cache: Miss from cloudfront

Via: 1.1 5e710c2328f7a654bdb9327f17330ed9.cloudfront.net (CloudFront)

X-Amz-Cf-Id: tTgAPpGjntYBnHcHXq9PB_tnQt-mwWiwKHrRRhjCeaEoGFHAx8rYTw==
HTTP/1.1 200 OK..Content-Type: text/plain..Content-Length: 0..Connecti
on: keep-alive..Cache-Control: private,no-cache, no-store..Server: Mic
rosoft-IIS/7.5..X-AspNet-Version: 4.0.30319..X-Powered-By: ASP.NET..Da
te: Wed, 24 Sep 2014 19:44:53 GMT..X-Cache: Miss from cloudfront..Via:
 1.1 5e710c2328f7a654bdb9327f17330ed9.cloudfront.net (CloudFront)..X-A
mz-Cf-Id: tTgAPpGjntYBnHcHXq9PB_tnQt-mwWiwKHrRRhjCeaEoGFHAx8rYTw==..font>....


GET /p.ashx?e=043Mckb8Lnhw7iCtSAyu//7rYxGJm3lFYZ2TXrGrLo6AMRxV Cn6llSqjJTnC78UeCs0UzO3hwdU2Ov4x0cKCDkzHRDskymotw5Qzo0bsuIuv3tl1Z4b4fqozZtQ7Aql1cNdkeqH5v1GGDRZSzPReVlB8MlHWpnp8r3LyJmzPQXE0H2E /K1uqPiYRVVMKy/yijAfjje/ktUzPMZleL5 dbUFHHfzG/UPfo4MUFfNUo1PRAiSGEfoFQUOrWSBvzeI6kkqNTJTpZLIEpqTN2SOg== HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1; SBUA)

Host: d1cfk8e4o0c4u2.cloudfront.net

HTTP/1.1 200 OK

Content-Type: text/plain

Content-Length: 0

Connection: keep-alive

Cache-Control: private,no-cache, no-store

Server: Microsoft-IIS/7.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Wed, 24 Sep 2014 19:45:41 GMT

X-Cache: Miss from cloudfront

Via: 1.1 5e710c2328f7a654bdb9327f17330ed9.cloudfront.net (CloudFront)

X-Amz-Cf-Id: Jn2Vxudt61wF32SOC-PVjMVqeXLVivgcd7H536JDnzL9NIkJTmPVow==
HTTP/1.1 200 OK..Content-Type: text/plain..Content-Length: 0..Connecti
on: keep-alive..Cache-Control: private,no-cache, no-store..Server: Mic
rosoft-IIS/7.5..X-AspNet-Version: 4.0.30319..X-Powered-By: ASP.NET..Da
te: Wed, 24 Sep 2014 19:45:41 GMT..X-Cache: Miss from cloudfront..Via:
 1.1 5e710c2328f7a654bdb9327f17330ed9.cloudfront.net (CloudFront)..X-A
mz-Cf-Id: Jn2Vxudt61wF32SOC-PVjMVqeXLVivgcd7H536JDnzL9NIkJTmPVow==..

GET /t.ashx?e=WL9usJOVMsOEyHZoFFyrCNjAsLtQTvGI0/O0FfY/6t0oHZkq4q5PhSAvELRpepitC/ dZmzuxuj5lDnhnN785ikWnBSPkhjgLhu0b45kiT/jJX2BNWr5ZmwkqgaQEwGAs IILilpWF0klpIg/vGiFhQGw7w7bWmjz7d9KaLD84/d0InrHGn4CaR2deZjme0S HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1; SBUA)

Host: d1vw44q53d84jx.cloudfront.net

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: text/html; charset=utf-8

Content-Length: 13

Connection: keep-alive

Cache-Control: private,no-cache, no-store

Server: Microsoft-IIS/7.5

X-AspNet-Version: 2.0.50727

X-Powered-By: ASP.NET

Date: Wed, 24 Sep 2014 19:44:49 GMT

X-Cache: Miss from cloudfront

Via: 1.1 e38cc5225928e342fd529950846af297.cloudfront.net (CloudFront)

X-Amz-Cf-Id: 7JpnlEhLdvTrANEl5hEn2te3UZvRVMrEhVnQq8JdNP27HulSRU98KQ==
abfgshdgfjhsk....


GET /t.ashx?e=WL9usJOVMsOEyHZoFFyrCNjAsLtQTvGI0/O0FfY/6t0oHZkq4q5PhSAvELRpepitC/ dZmzuxuj5lDnhnN785ikWnBSPkhjgLhu0b45kiT/jJX2BNWr5ZmwkqgaQEwGAs IILilpWF0klpIg/vGiFhQGw7w7bWmjz7d9KaLD84/d0InrHGn4CaR2deZjme0S HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1; SBUA)

Host: d1vw44q53d84jx.cloudfront.net

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: text/html; charset=utf-8

Content-Length: 13

Connection: keep-alive

Cache-Control: private,no-cache, no-store

Server: Microsoft-IIS/7.5

X-AspNet-Version: 2.0.50727

X-Powered-By: ASP.NET

Date: Wed, 24 Sep 2014 19:44:49 GMT

X-Cache: Miss from cloudfront

Via: 1.1 e38cc5225928e342fd529950846af297.cloudfront.net (CloudFront)

X-Amz-Cf-Id: RFyJCHJHXXyoJ_vvBkYYaOHVhvNuo2Na3wpp-zLYfPtpEdz869tRpw==
abfgshdgfjhsk....


GET /t.ashx?e=WL9usJOVMsOEyHZoFFyrCNjAsLtQTvGI0/O0FfY/6t0oHZkq4q5PhSAvELRpepitC/ dZmzuxuj5lDnhnN785ikWnBSPkhjgLhu0b45kiT/jJX2BNWr5ZmwkqgaQEwGAs IILilpWF0klpIg/vGiFhQGw7w7bWmjz7d9KaLD84/d0InrHGn4CaR2deZjme0S HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1; SBUA)

Host: d1vw44q53d84jx.cloudfront.net

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: text/html; charset=utf-8

Content-Length: 13

Connection: keep-alive

Cache-Control: private,no-cache, no-store

Server: Microsoft-IIS/7.5

X-AspNet-Version: 2.0.50727

X-Powered-By: ASP.NET

Date: Wed, 24 Sep 2014 19:44:49 GMT

X-Cache: Miss from cloudfront

Via: 1.1 e38cc5225928e342fd529950846af297.cloudfront.net (CloudFront)

X-Amz-Cf-Id: r7I_zqLA_GcFm6uCwVIhZ2CihsMFALX-KFrt9E1kfvee6Tzx8XabMg==
abfgshdgfjhskHTTP/1.1 200 OK..Content-Type: text/html; charset=utf-8..
Content-Length: 13..Connection: keep-alive..Cache-Control: private,no-
cache, no-store..Server: Microsoft-IIS/7.5..X-AspNet-Version: 2.0.5072
7..X-Powered-By: ASP.NET..Date: Wed, 24 Sep 2014 19:44:49 GMT..X-Cache
: Miss from cloudfront..Via: 1.1 e38cc5225928e342fd529950846af297.clou
dfront.net (CloudFront)..X-Amz-Cf-Id: r7I_zqLA_GcFm6uCwVIhZ2CihsMFALX-
KFrt9E1kfvee6Tzx8XabMg==..abfgshdgfjhsk..

The Trojan connects to the servers at the folowing location(s):

.text

`.rdata

@.data

.idata

.rsrc

@.reloc

SSShh

WSSh(

SPSSh,

.tMHtJH

F><.tN<[tJ<\tF<*tB<|t><^t:<$t6

FTPQ

tL<%u@

9>t.hx

;NTu^SSh

xSSSh

FTPjKS

FtPj;S

C.PjRV

1.3.6.1.4.1.311.2.1.12

1.2.840.113549.1.9.5

1.2.840.113549.1.9.6

CRtmpParser::GetFieldDataString

CRtmpParser::GetFieldDataNumber

NetStream.Play.Reset

NetStream.Unpause.Notify

NetStream.Pause.Notify

NetStream.Seek.Notify

NetStream.Play.Stop

NetStream.Play.Failed

NetStream.Failed

()$^.* ?[]|\-{},:=!

video/WebM

"url_encoded_fmt_stream_map": "(.*?)"

rtmpe%3Dyes

url_encoded_fmt_stream_map=

%s, string reference, index: %d, not supported, ignoring!

%s - AMF3 unknown/unsupported datatype 0xx, @%p

AMF3_DATE reference: %d, not supported!

Property: <%s%s>

timestamp: %.2f, UTC offset: %d

INVALID TYPE 0xx

Property: <%sSTRICT_ARRAY>

Property: <%sECMA_ARRAY>

Property: <%sOBJECT>

AMF_Encode - failed to encode property in index %d

%s, invalid type. %d

%s, failed to decode AMF3 property!

Member: %s

Class name: %s, externalizable: %d, dynamic: %d, classMembers: %d

Class reference: %d

Object reference, index: %d

%s: Empty buffer/no buffer pointer!

%s - unknown datatype 0xx, @%p

AMF_TYPED_OBJECT not supported!

AMF_REFERENCE not supported!

%s: Name size out of range: namesize (%d) > len (%d) - 2

%s: Not enough data for decoding with name, less than 4 bytes!

HTTP/1

%s, Setting socket timeout to %ds failed!

%s, No SSL/TLS support

HTTP_get

If-Modified-Since: %s

GET %s HTTP/1.0

User-Agent: %s

Host: %s

Mozilla/5.0

%s, d %s %d d:d:d GMT

size: x

date: %s

ctim: %s

url: %.*s

%s: couldn't open %s for writing, errno %d (%s)

%s: couldn't contact swfurl %s (HTTP error %d)

%s: swfurl %s not found

%s: connection lost while downloading swfurl %s

1.1.4

%s%s\.swfinfo

%s: %s

hXXp://

[[IMPORT]]

No application or playpath in URL!

Invalid port number!

No hostname in URL!

Parsed protocol: %d

RTMP URL: No :// in url!

NetConnection.confStream

NetStream.Publish.Start

NetStream.Play.UnpublishNotify

NetStream.Play.PublishNotify

NetStream.Play.Complete

NetStream.Play.Start

NetConnection.Connect.InvalidApp

NetStream.Play.StreamNotFound

NetStream.Authenticate.UsherToken

Publisher password

pubPasswd

Key for SecureToken response

Justin.tv authentication token

URL to player SWF file

swfUrl

URL of played media's web page

pageUrl

URL to played stream

tcUrl

DH public key does not fulfill y^q mod p = 1

DH public key must be at most p-2

DH public key must be at least 2

RC4 In Key:

RC4 Out Key:

%s: Couldn't calculate correct DH offset (got %d), exiting!

%s: Couldn't calculate correct digest offset (got %d), exiting

%s: Couldn't calculate DH offset (got %d), exiting!

%s: Couldn't calculate digest offset (got %d), exiting!

RTMP PACKET: packet type: 0xx. channel: 0xx. info 1: %d info 2: %d. Body size: %u. body: 0xx

Connecting via SOCKS proxy: %s:%d

SWFSize : %u

live : %s

StopTime : %d msec

StartTime : %d msec

flashVer : %s

NetStream.Authenticate.UsherToken : %s

subscribepath : %s

auth : %s

pageUrl : %s

swfUrl : %s

tcUrl : %s

Playpath : %s

Port : %d

Protocol : %s

s %-7s %s

Unknown option %s

%s://%.*s:%d/%.*s

Problem accessing the DNS. (addr: %s)

%s, error

%s, Authentication failed: unknown auth mode: %s

%s, Authentication failed

%s, new app: %.*s tcUrl: %.*s playpath: %s

&nonce=%s&cnonce=%s&nc=%s&response=%s

%s, md5(%s:%s:%s:%s:%s:%s) =>

%s, md5(%s:/%.*s) =>

%s, md5(%s:%s:%s) =>

%s, pubToken1: %s

?%s&user=%s

%s, Authentication failed: no such user

%s, Authentication failed: wrong password

%s, pubToken2: %s

&challenge=%s&response=%s&opaque=%s

%s, b64(md5_2) = %s

%s, b64(%d) = %s

%s, b64(md5_1) = %s

%s, md5(%s%s%s) =>

%s, par:"%s" = val:"%s"

%s, need to set pubUser & pubPasswd for publisher auth

%s, wrong pubUser & pubPasswd for publisher auth

%-22.*s%s

%s, error decoding meta data packet

%s, received: chunk size change to %d

%s: server BW = %d

%s: client BW = %d %d

%s, recv returned %d. GetSockError(): %d (%s)

POST /%s%s/%d HTTP/1.1

Host: %.*s:%d

Content-length: %d

HTTP/1.1 200

%s, RTMP send error %d (%d bytes)

%s: fd=%d, size=%d

Invoking %s

sanity failed!! trying to send header of type: 0xx.

%s, failed to allocate packet

FCSubscribe: %s

UsherToken: %s

%s, %d, pauseTime=%d

%s, seekTime=%d, stopTime=%d, sending play: %s

sending ctrl. type: 0xx

%s: Ignoring SWFVerification request, use --swfVfy!

%s: SWFVerification Type %d request not supported! Patches welcome...

%s, SWFVerification ping received:

%s, Stream Begin %d

%s, Stream EOF %d

%s, Stream Dry %d

%s, Stream IsRecorded %d

%s, Ping %d

%s, Stream BufferEmpty %d

%s, Stream BufferReady %d

%s, Stream xx %d

%s, received ctrl. type: %d, len: %d

%s, RTMP socket closed by peer

%s, No valid HTTP response found

%s, failed to read RTMP packet body. len: %u

%s, failed to read extended timestamp

%s, failed to read RTMP packet header. type: %x

%s, m_nChannel: %0x

%s, failed to read RTMP packet header 3nd byte

%s, failed to read RTMP packet header 2nd byte

%s, failed to read RTMP packet header

%s: fd=%d

%s: client signature does not match!

%s: Handshaking finished....

%s: Genuine Adobe Flash Media Server

%s: Server not genuine Adobe!

%s: Signature calculated:

%s: Digest key:

%s: Server sent signature:

%s: Wait, did the server just refuse signed authentication?

%s: Client signature calculated:

%s: Calculated digest key from secure key and server digest:

%s: Secret key:

%s: Wrong secret key position!

%s: Server DH public key offset: %d

%s: FMS Version : %d.%d.%d.%d

%s: Server Uptime : %d

%s: Type mismatch: client sent %d, server answered %d

%s: Type Answer : X

%s: Initial client digest:

%s: Client digest offset: %d

%s: Couldn't write public key!

%s: Couldn't generate Diffie-Hellmann public key!

%s: DH pubkey position: %d

%s: Couldn't initialize Diffie-Hellmann!

%s: Client type: X

%s: Genuine Adobe Flash Player

%s: Client not genuine Adobe!

%s: Client sent signature:

%s: 2nd handshake:

%s: Sending handshake response:

%s: Server signature calculated:

%s: Client DH public key offset: %d

%s: Player Version: %d.%d.%d.%d

%s: Client Uptime : %d

%s: Initial server digest:

%s: Server digest offset: %d

%s: Unknown version x

%s: Type Requested : X

%s, RTMP connect failed.

%s, handshaked

%s, handshake failed.

%s, ... connected, handshaking

%s, Could not connect for handshake

%s, no SSL/TLS support

%s, SOCKS returned error code %d

%s, failed to create socket. Error: %d

%s, SOCKS negotiation failed.

%s ... SOCKS negotiation

%s, failed to connect socket. %d (%s)

Closing connection: %s

%s, onStatus: %s

trying to connect with redirected url

%s, error description: %s

%s, received error for method call <%s>

%s, received result id %f without matching request

%s, received result for method call <%s>

%s, server invoking <%s>

%s, error decoding invoke packet

%s, Sanity failed. no string method in invoke packet

%s, flex shared object, size %u bytes, not supported, ignoring

%s, flex message, size %u bytes, not fully supported

%s, received: notify %u bytes

%s, shared object, not supported, ignoring

%s, received: invoke %u bytes

%s, unknown packet type received: 0xx

%s, flex stream send, size %u bytes, not supported, ignoring

%s, received: bytes read report

Wrong data size (%u), stream corrupted, aborting!

Couldn't find the seeked keyframe in this chunk!

First packet does not contain keyframe, all timestamps are smaller than the keyframe timestamp; probably the resume seek failed?

FLV Stream: Keyframe doesn't match!

Found keyframe with resume-keyframe timestamp!

Checked keyframe successfully!

ignoring too small audio packet: size: %d

ignoring too small video packet: size: %d

Got Play.Complete or Play.Stop from server. Assuming stream is complete

%s: Failed to close listening socket, error %d

Caught signal: %d, cleaning up, just a second...

-c, --cert cert RTMPS cert

-k, --key key RTMPS key

-p, --port port Overrides the port in the rtmp url

%s, _beginthread failed with %d

Unknown command '%c', ignoring

-o %s

-j "%s"

-p "%s"

-W "%s"

-f "%s"

-a "%s"

-r "%s"

%s, client invoking <%s>

%s, received packet type X, size %u bytes

%s: accept failed

%s: processed request

%s: accepted connection from %s

%s, listen failed

%s, TCP bind failed for port number: %d

%s, couldn't create socket

chrome.exe iexplore.exe firefox.exe Safari.exe WebKit2WebProcess.exe opera.exe

._-$,;~()

.mpeg

video/webm

.webm

.xslt

.json

audio/x-mpegurl

.torrent

.jpeg

.shtml

.shtm

.html

url_rewrite_patterns

ssl_certificate

listening_ports

index.html,index.htm,index.cgi,index.shtml,index.php,index.lp

**.shtml$|**.shtm$

mydomain.com

**.cgi$|**.pl$|**.php$

SSL_CTX_use_certificate_chain_file

SSL_CTX_set_default_passwd_cb

SSL_CTX_use_certificate_file

SSL_CTX_use_PrivateKey_file

%s %s:

[
0lu] [error] [client %s]

%.*s%s

%d-%3s-%d %d:%d:%d

%*3s, %d %3s %d %d:%d:%d

%d %3s %d %d:%d:%d

%d/%3s/%d %d:%d:%d

%[^:]:%[^:]:%s

HTTP/1.1 401 Unauthorized

WWW-Authenticate: Digest qop="auth", realm="%s", nonce="%lu"

%s:%s:%s

%s.tmp

<tr><td><a href="%s%s%s">%s%s</a></td><td> %s</td><td>  %s</td></tr>

%d-%b-%Y %H:%M

**.htpasswd$

%s%c%s

%a, %d %b %Y %H:%M:%S GMT

HTTP/

%s: CGI env buffer truncated for [%s]

HTTP_%s=%s

REMOTE_USER=%s

PERLLIB=%s

SystemDrive=%s

SYSTEMROOT=%s

COMSPEC=%s

PATH_INFO=%s

PATH=%s

CONTENT_LENGTH=%s

QUERY_STRING=%s

CONTENT_TYPE=%s

HTTPS=%s

PATH_TRANSLATED=%s

SCRIPT_FILENAME=%s

SCRIPT_NAME=%.*s%s

REQUEST_URI=%s

REMOTE_PORT=%d

REMOTE_ADDR=%s

REQUEST_METHOD=%s

SERVER_PORT=%d

SERVER_PROTOCOL=HTTP/1.1

DOCUMENT_ROOT=%s

SERVER_ROOT=%s

SERVER_NAME=%s

Cannot SSI #exec: [%s]: %s

Bad SSI #exec: [%s]

HTTP/1.1 200 OK

<d:response><d:href>%s</d:href><d:propstat><d:prop><d:resourcetype>%s</d:resourcetype><d:getcontentlength>%I64d</d:getcontentlength><d:getlastmodified>%s</d:getlastmodified></d:prop><d:status>HTTP/1.1 200 OK</d:status></d:propstat></d:response>

HTTP/1.1 207 Multi-Status

%d.%d.%d.%d%n

%d.%d.%d.%d/%d%n

%lf%c

%s/%s

boundary=™s

HTTP/1.1 302 Found

Location: hXXps://%s:%d%s

24[^:]

%d.%d.%d.%d:%d%n

Cannot add SSL socket, is -ssl_certificate option set?

%s: %.*s: invalid port spec. Expecting list of: %s

[IP_ADDRESS:]PORT[s|p]

%s: cannot bind to %.*s: %s

set_ports_option

%s - %s [%s] "%s %s HTTP/%s" %d %I64d

%d/%b/%Y:%H:%M:%S %z

%s: subnet must be [ |-]x.x.x.x[/x]

Cannot open %s: %s

calloc(): %s

connect(%s:%d): %s

socket(): %s

gethostbyname(%s): %s

%s: %s is not allowed to connect

HTTP/1.1 %d %s

Content-Length: %d

Connection: %s

Error %d: %s

%s: CreateProcess(%s): %ld

%s%s%s\%s

%.*s%c%s

.htpasswd

fopen(%s): %s

%s: cannot open %s: %s

<tr><td><a href="%s%s">%s</a></td><td> %s</td><td>  %s</td></tr>

<html><head><title>Index of %s</title><style>th {text-align: left;}</style></head><body><h1>Index of %s</h1><pre><table cellpadding="0"><tr><th><a href="?n%c">Name</a></th><th><a href="?d%c">Modified</a></th><th><a href="?s%c">Size</a></th></tr><tr><td colspan="3"><hr></td></tr>

Error: opendir(%s): %s

Date: %s

Last-Modified: %s

Etag: %s

HTTP/1.1 100 Continue

Cannot create CGI pipe: %s

fopen: %s

CGI program sent malformed or too big (>%u bytes) HTTP headers: [%.*s]

Cannot spawn CGI process [%s]: %s

put_dir(%s): %s

HTTP/1.1 %d OK

Bad SSI #include: [%s]

Cannot open SSI #include: [%s]: fopen(%s): %s

%s: SSI tag is too large

%s: unknown SSI command: "%s"

SSI #include level is too deep (%s)

Method %s is not implemented

HTTP/1.1 301 Moved Permanently

Location: %s/

remove(%s): %s

Bad HTTP version

Bad HTTP version: [%s]

Invalid URI: [%s]

%s: option value cannot be NULL

Invalid option: %s

warning: %s: duplicate option

Hello from mongoose! Remote port: %d

HttpSendRequestW failed with error code

HttpOpenRequestW failed with error code

RegOpenKeyTransactedW

RegCreateKeyTransactedW

RegDeleteKeyTransactedW

RegDeleteKeyExW

1.2.5

inflate 1.2.5 Copyright 1995-2010 Mark Adler

Visual C   CRT: Not enough memory to complete call to strerror.

cmd.exe

Broken pipe

Inappropriate I/O control operation

Operation not permitted

portuguese-brazilian

operator

GetProcessWindowStation

C:\BUILDS\Build_YTDownloader\Client\WFP\exe\RemoteRelease\YTDownloader.pdb

.?AVCHttp@@

<>"#{}|\^~[]`' ?&

.?AVCRtmpe@@

.?AV?$IBaseInterface@VIKeysBank@@@@

.?AVIKeysBank@@

.?AV?$CBaseInterface@VCKeysBank@@VIKeysBank@@@@

.?AVCKeysBank@@

.?AVCRtmpDataProperty@@

.?AVCRtmpPacket@@

.?AVCRtmpParser@@

.?AVChromeBrowserWindow@@

.?AVFirefoxBrowserWindow@@

.?AVOperaBrowserWindow@@

HTTP://

.?AVHttpParser@@

.?AVCHttpDownload@@

zcÁ

WinExec

CreatePipe

KERNEL32.dll

MsgWaitForMultipleObjectsEx

EnumChildWindows

USER32.dll

GDI32.dll

RegCloseKey

RegCreateKeyExW

RegOpenKeyExW

RegDeleteKeyW

RegOpenKeyW

RegEnumKeyW

RegNotifyChangeKeyValue

RegQueryInfoKeyW

RegEnumKeyExW

ADVAPI32.dll

ShellExecuteExW

ShellExecuteW

SHELL32.dll

ole32.dll

OLEAUT32.dll

COMCTL32.dll

WS2_32.dll

LIBEAY32.dll

HttpEndRequestW

HttpQueryInfoW

HttpSendRequestW

HttpSendRequestExW

HttpAddRequestHeadersW

HttpOpenRequestW

WININET.dll

VERSION.dll

CertGetNameStringW

CertFreeCertificateContext

CryptMsgClose

CertCloseStore

CertFindCertificateInStore

CryptMsgGetParam

CRYPT32.dll

PSAPI.DLL

IsValidURL

urlmon.dll

GdiplusShutdown

gdiplus.dll

GetCPInfo

GetProcessHeap

nnn%XXX

pppaSSS

<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>

<assemblyIdentity type="Win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity>

4O4d4

1)222#3:3

5"5&5*5.52565:5>5)6

11C1Q1a1z1

3"3&3*3.323-4

< <$<(<,<

?$?(?,?0?4?8?<?@?

0(0/04080<0]0

0&1,1014181

0(1.171>1`1

1.151@1{2

1%2S2

< ?$?(?,?0?4?8?<?

7%8u8

= =$=(=,=0=4=8=<=@=

:$:(:0:4:8;<;

= =$=,=0=

: :$:(:0:4:

? ?$?(?0?4?8?

4$4,444<4

1$1,141<1\1|1

=$=0=8=`=

7$70787`7

1$1,141<1

HTTP/1.0

Software\Microsoft\Windows\CurrentVersion\Internet Settings

Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; SBUA)

HTTP/1.1

Content-Disposition: form-data; name="%s"

XXX

Content-Type: multipart/form-data; boundary=%s

SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy

Windows CE

Windows 7

Windows Vista

Windows 2003 Server

Windows XP

Windows 2000

Windows NT

Windows Me

Windows 98

Windows 95

%sLow\%s\

%C:\Users\Public\Documents\%s\%s\

%s\%s\%s\

%s\Application Data\%s\%s\

[CEventsThread::SetTimeoutResolution] From: %d -> To: %d

[CEventsThread::WaitForMultipleEvents] Released on Signaled: %d ms

[CEventsThread::WaitForMultipleEvents] Released on Timeout: %d ms

[CEventsThread::WaitForMultipleEvents] ___Error MsgWaitForMultipleObjectsEx. LE: %d

[CEventsThread::WaitForMultipleEvents] TID=%X

[CEventsThread::CreateNamedEvent] OpenEvent. LE: %d

[CEventsThread::CreateNamedEvent] ___Error OpenEvent: LE: %d

[CEventsThread::CreateNamedEvent] ___Error CreateEvent. LE: %d. Try OpenEvent...

[CEventsThread::Start - Leave] TID=%X

[CEventsThread::Start] ___Error - Failed to create thread: %X

[CEventsThread::Stop - Leave] TID=%X

[CEventsThread::Stop - Enter] TID=%X

[CEventsThread::CallProcessTimeoutRoutines] ___Error Invalid Event Entry: %d, Timeout: %d

[CEventsThread::AlertEvent] ___Error SetEvent failed: %d

[CEventsThread::AlertEvent] ___Error Invalid Event Entry: %d

[CEventsThread::AlertEvent] ___Error Not found Event: %d

[CEventsThread::SetGlobalEvent] ___Error Invalid Event Entry: %d

[CEventsThread::SetGlobalEvent] ___Error Not found Event: %d

[CEventsThread::SetGlobalEvent] Event: %d

[CEventsThread::ResetEvent] ___Error ResetEvent failed: %d

[CEventsThread::ResetEvent] ___Error Invalid Event Entry: %d

[CEventsThread::ResetEvent] ___Error Not found Event: %d

[CEventsThread::ResetEvent] Event: %d

[CEventsThread::CallProcessEventRoutines] ___Error Invalid Event Entry: %d

[CEventsThread::CallProcessEventRoutines] ___Error Invalid Event Index: %d

[CEventsThread::WaitEvent] TID=%X

[CEventsThread::RemoveEvent] ___Error CloseHandle failed: %d

[CEventsThread::RemoveEvent] ___Error Invalid Event Entry: %d

[CEventsThread::RemoveEvent] ___Error Not found Event: %d

[CEventsThread::RemoveEvent] Event: %d

[CEventsThread::Cleanup] ___Error CloseHandle(0x%p) failed: %d

[CEventsThread::Cleanup] Closing Handle: %d

[CEventsThread::Work] TID=%X - Exit !!!

[CEventsThread::Work] WAIT_ABANDONED - %d

[CEventsThread::Work] TID=%X

[CEventsThread::AddEvent] ___Warning event handle already exists %d

[CEventsThread::AddEvent] ___Error invalid event handle %d

ConfigDB.dll

config.xml

%%X

<d/d/%d d:d:d::d 0x%X>

[SbTracer::RegisterOnConfigurationChange] ___Error: %d, RegNotifyChangeKeyValue

[SbTracer::RegisterOnConfigurationChange] ___Error: %d, RegOpenKeyEx

[SbTracer::RecursiveCreateDirectory] Directory: %s

[SbTracer::RecursiveCreateDirectory] ___Error - CreateDirectory: %s

[SbTracer::RecursiveCreateDirectory] ___Error - Directory: %s

[SbTracer::FormatFilePath] Log Path: %s

[SbTracer::FormatFilePath] ___Error - RecursiveCreateDirectory: %s

[SbTracer::FormatFilePath] ___Warning - No Log folder: %s

[SbTracer::FormatFilePath] ___Error - GetModuleFileName: %s

\StringFileInfo\x\%s

[SbTracer::ReadConfiguration] Trace Max Size: %d

[SbTracer::ReadConfiguration] Trace Time Stamp: %d

[SbTracer::ReadConfiguration] Trace Time Limit: %d

[SbTracer::ReadConfiguration] Trace Backup: %d

[SbTracer::ReadConfiguration] Trace Destination: %d

[SbTracer::ReadConfiguration] Trace Level: %d

[SbTracer::BackupTraceFile] %s

[SbTracer::OpenTraceFile] Done %s

[SbTracer::OpenTraceFile] ___Error: %d, File: %s

[SbTracer::WriteTraceLine] !!! OVERFLOW or FORMAT ERROR !!! - (%d) %s

CertGetNameString failed.

CryptDecodeObject failed with %x

CertFindCertificateInStore failed with %x

MoreInfo Link : %s

Publisher Link : %s

Program Name : %s

CryptMsgGetParam failed with %x

CryptQueryObject failed with %x

user32.dll

WININET.DLL

kernel32.dll

d/d/%d d:d:d::d

%d.%d.%d.%d

[CUtils::GoToURL] ___Error WinExec url = %s, defBrowser = %s, err = %d

"%s" "%s"

"%s" %s

[CUtils::GetDAPExeLocation] ___Error read DAP location from %s

[CUtils::GetDAPExeLocation] Name: %s

[CUtils::GetDAPPipeName] ___Error read DAP Pipe Name from %s

[CUtils::GetDAPPipeName] Name: %s

PipeName

[CUtils::GetDAPWindowName] ___Error read DAP Window Name from %s

[CUtils::GetDAPWindowName] Name: %s

[CIEDownloadAcceleratorEngine::CallDAP] ___Error CreateProcess: %s, Parameters: %s. LE: %d

[CClientRtmpe::HandShake] ___Error DiffieHellman - GetPublicKey

[CClientRtmpe::HandShake] ___Error Keys Bank was unable to generate a pubic key

[CClientRtmpe::operator =] Key Out: %p

[CClientRtmpe::operator =] Key In:

[CClientRtmpe::operator =]

[CClientRtmpe::OnHandshake] Step 3 - update the keystreams

[CClientRtmpe::OnHandshake] ___Error Step 3 - ___Error ComputeSharedSecretKey

[CClientRtmpe::OnHandshake] Step 3 - ComputeSharedSecretKey

[CClientRtmpe::OnHandshake] Step 2 - Client version: %x

[CClientRtmpe::OnHandshake] Step 2 - Client up time: %d

[CClientRtmpe::OnHandshake] Step 2 - Protocol: %d

[CKeysBank::Work] Exit...

[CKeysBank::Work] Enter...

[CKeysBank::Start]

[CKeysBank::Stop]

[CKeysBank::GetPublicKey] Remove Key, Total: %d

[CKeysBank::GenerateKey] Add Key, Total: %d

[CKeysBank::GenerateKey] ___Error DiffieHellman.GenerateKey

[CKeysBank::GenerateKey] ___Error DiffieHellman.Init

[CRtmpe::operator =] Key Out: %p

[CRtmpe::operator =] Key In:

[CRtmpe::operator =]

[CRtmpe::Initialize] Cache Writer: %p

[CRtmpe::ParseHeader] Protocol - RTMPE

[CRtmpe::ParseHeader] Protocol - RTMP

[CRtmpe::ParseHeader]

[CRtmpe::ParseData] Got all %d/%d bytes

[CRtmpe::ParseData] ___Warning - wait for all packet data to arraive (%d/%d)

[CRtmpe::ParseData]

[CRtmpe::Encrypt] Encryped %d bytes, Key: %p

[CRtmpe::Decrypt] Decrypted %d bytes, Key: %p

[CRtmpe::ParseBuffer] Analyze Next Packet...

[CRtmpe::HandShake] Step 1: Complete

[CRtmpe::HandShake] ___Error Step 1: Writing client signature to server

[CRtmpe::HandShake] ___Error Step 1: DiffieHellman - GetPublicKey

[CRtmpe::HandShake] ___Error Keys Bank was unable to generate a pubic key

[CRtmpe::HandShake] Step 1: Start...

[CRtmpe::UpdateBuffer] Analyzed %d/%d bytes

[CRtmpe::UpdateBuffer] Handshake already completed

[CRtmpe::UpdateBuffer] Analyzing %d bytes...

[CRtmpStream::OnHandShake] ___Error - Unknown step

[CRtmpe::OnHandshake] Step 3 - Complete

[CRtmpe::OnHandshake] Step 3 - update the keystreams

[CRtmpe::OnHandshake] Step 3 - InitRC4Encryption

[CRtmpe::OnHandshake] ___Error Step 3: m_DiffieHellman - ComputeSharedSecretKey

[CRtmpe::OnHandshake] Step 3 - ComputeSharedSecretKey

[CRtmpe::OnHandshake] ___Error Step 3: Writing client response

[CRtmpe::OnHandshake] Step 3: Start...

[CRtmpe::OnHandshake] ___Error Step 2: *** Server response validation ***

[CRtmpe::OnHandshake] ___Warning - server version

[CRtmpe::OnHandshake] ___Error Step 2: Reading server response

[CRtmpe::OnHandshake] ___Error Step 2: *** Server signature validation ***

[CRtmpe::OnHandshake] Step 2 - Server version: %x

[CRtmpe::OnHandshake] Step 2 - Server up time: %d

[CRtmpe::OnHandshake] ___Error Step 2: Reading server signature

[CRtmpe::OnHandshake] Step 2 - Protocol: %d

[CRtmpe::OnHandshake] Step 2: Start...

[CRtmpPacket::Reset]

[CRtmpPacket::DumpHeader] Info Field: %d

[CRtmpPacket::DumpHeader] Packet Type: %d

[CRtmpPacket::DumpHeader] Packet Length: %d

[CRtmpPacket::DumpHeader] Absolute Time: %d

[CRtmpPacket::DumpHeader] Time: %d

[CRtmpPacket::DumpHeader] Channel: %d

[CRtmpPacket::DumpHeader] Header Type: %d

[CRtmpPacket::DumpHeader] Header Size: %d

[CRtmpPacket::DumpHeader] Header Byte: 0x%.02X

[CRtmpPacket::ParseHandshakeHeader] ___Error - Header already parsed

[CRtmpPacket::ParseFlvHeader] Absolute Time: %d

[CRtmpPacket::ParseFlvHeader] Packet Length: %d

[CRtmpPacket::ParseFlvHeader] Packet Type: %d

[CRtmpPacket::ParseFlvHeader] Channel: %d

[CRtmpPacket::ParseFlvHeader] Header Type: %d

[CRtmpPacket::ParseFlvHeader] Header Size: %d

[CRtmpPacket::ParseFlvHeader] ___Warning - %d/%d header bytes

[CRtmpPacket::ParseFlvHeader] ___Error - No bytes to analyze

[CRtmpPacket::ParseFlvHeader] ___Error - Header already parsed

[CRtmpPacket::AppendData] Appended: %d (Total: %d/%d)

[CRtmpPacket::AppendData] ___Error - out of memory

[CRtmpPacket::AppendData] ___Warning - no bytes to append

[CRtmpPacket::Allocate] Allocated %d (Total: %d)

[CRtmpPacket::ParseHeader] ___Error - Channel: %d > 9

[CRtmpPacket::ParseHeader] Extended Time: %d

[CRtmpPacket::ParseHeader] Info Field: %d

[CRtmpPacket::ParseHeader] ___Warning - Packet Length: %d > 1M

[CRtmpPacket::ParseHeader] Packet Type: %d

[CRtmpPacket::ParseHeader] Packet Size: %d

[CRtmpPacket::ParseHeader] Time: %d

[CRtmpPacket::ParseHeader] Channel: %d

[CRtmpPacket::ParseHeader] Header Type: %d

[CRtmpPacket::ParseHeader] Header Size: %d

[CRtmpPacket::ParseHeader] Header Byte: 0x%.02X

[CRtmpPacket::ParseHeader] ___Warning - %d/%d header bytes

[CRtmpPacket::ParseHeader] ___Error - No bytes to analyze

[CRtmpPacket::ParseHeader] ___Error - Header already parsed

[CRtmpParser::Stop]

[CRtmpParser::ProcessData] ___Error - Unknown Packet Type: %d, Offset: %d

[CRtmpParser::ProcessData] Analyze Data: %d bytes

[CRtmpParser::ProcessData] ___Warning - Packet not ready for Data Processing

[CRtmpParser::OnHandshake] Step 4: Complete

[CRtmpParser::OnHandshake] Step 3: Complete

[CRtmpParser::OnHandshake] Step 2 - Server version: %d.%d.%d.%d

[CRtmpParser::OnHandshake] Step 2 - Server up time: %d

[CRtmpParser::OnHandshake] Step 1 - Client version: %d.%d.%d.%d

[CRtmpParser::OnHandshake] Step 1 - Client up time: %d

[CRtmpParser::OnHandshake] Protocol State: %d

[CRtmpParser::OnAudio]

[CRtmpParser::OnVideo]

[CRtmpParser::OnFLV]

[CRtmpParser::OnData]

[CRtmpParser::SetTimeStartPosition] Time: %d

[CRtmpParser::SetTimeEndPosition] Time: %d

[CRtmpParser::Close]

[CRtmpParser::OnError]

[CRtmpParser::SetAbsoluteTime] Client Absolute Time: %d (Max: %d)

[CRtmpParser::SetAbsoluteTime] Server Absolute Time: %d (Max: %d)

[CRtmpParser::Sync - %p]

[CRtmpParser::ParseFlvHeader]

[CRtmpParser::ParseData] Accumulated all %d/%d bytes

[CRtmpParser::ParseData] Chunk not ready

[CRtmpParser::ParseData] Going to append %d bytes

[CRtmpParser::ParseData] Got all %d/%d bytes

[CRtmpParser::ParseData] ___Warning - wait for all packet data to arraive (%d/%d)

[CRtmpParser::ParseData] ___Warning no data

[CRtmpParser::ParseData]

[CRtmpParser::ParseDataType] ___Error - Unknown Data Type: %d, Offset: %d

[CRtmpParser::ParseDataType] Date %f %d (Offset: %d)

[CRtmpParser::ParseDataType] Static Array %d (Offset: %d)

[CRtmpParser::ParseDataType] EOF Object (Offset: %d)

[CRtmpParser::ParseDataType] ECMA Array %d (Offset: %d)

[CRtmpParser::ParseDataType] Object (Offset: %d)

[CRtmpParser::OnChangeChunkSize] %d -> %d

[CRtmpParser::OnChangeChunkSize]

[CRtmpParser::OnReadBytes] Bytes read: %d

[CRtmpParser::OnReadBytes]

[CRtmpParser::OnMetadata]

[CRtmpParser::Reset - %p]

[CRtmpParser::ReadObject] ___Error %s - %d (Offset: %d) - Unknown Data Type

[CRtmpParser::ReadObject] EOF Object (Offset: %d)

[CRtmpParser::ReadObject] %s - Long String: %s (Offset: %d)

[CRtmpParser::ReadObject] %s - Date: %g (Offset: %d)

[CRtmpParser::ReadObject] %s - Static Array: %d (Offset: %d)

[CRtmpParser::ReadObject] %s - ECMA Array: %d (Offset: %d)

[CRtmpParser::ReadObject] %s - NULL (Offset: %d)

[CRtmpParser::ReadObject] %s - Object (Offset: %d)

[CRtmpParser::ReadObject] %s - String: %s (Offset: %d)

[CRtmpParser::ReadObject] %s - Boolean: %s (Offset: %d)

[CRtmpParser::ReadObject] %s - Numeric: %g (Offset: %d)

[CRtmpParser::ParseHandshakeHeader] Protocol - RTMPE

[CRtmpParser::ParseHandshakeHeader] Protocol - RTMP

[CRtmpParser::ParseHandshakeHeader]

[CRtmpParser::ParseHeader] Absolute Time: %d

[CRtmpParser::ParseHeader] New Time: %d

[CRtmpParser::ParseHeader] New Absolute Time: %d

[CRtmpParser::ParseHeader] _Prev Packet - Info Field: %d

[CRtmpParser::ParseHeader] _Prev Packet - Buffer Bytes: %d

[CRtmpParser::ParseHeader] _Prev Packet - Buffer Length: %d

[CRtmpParser::ParseHeader] _Prev Packet - Buffer: %p

[CRtmpParser::ParseHeader] _Prev Packet - Packet Type: %d

[CRtmpParser::ParseHeader] _Prev Packet - Packet Size: %d

[CRtmpParser::ParseHeader] _Prev Packet - Absolute Time: %d

[CRtmpParser::ParseHeader] _Prev Packet - Time: %d

[CRtmpParser::ParseHeader] _Prev Packet - Original Header Size: %d

[CRtmpParser::ParseHeader]

[CRtmpParser::UpdateBufferFromServer] Analyzed no bytes

[CRtmpParser::UpdateBufferFromServer] Analyzed %d/%d, Write: %d, Discard: %d

[CRtmpParser::UpdateBufferFromServer] Analyze Next Buffer... (Left: %d)

[CRtmpParser::UpdateBufferFromServer] Decrypt %d/%d bytes

[CRtmpParser::UpdateBufferFromServer] *** Data file Ended at Absolute Time: %d ***

[CRtmpParser::UpdateBufferFromServer] *** Data file Started at Absolute Time: %d ***

[CRtmpParser::UpdateBufferFromServer] Parser was stopped - discard the rest of the data!

[CRtmpParser::UpdateBufferFromServer] Decrypt %d bytes

[CRtmpParser::UpdateBufferFromServer] Parser was stopped - discard all data!

[CRtmpParser::UpdateBufferFromServer] Analyzing %d bytes...

[CRtmpParser::UpdateBufferFromClient] Analyzed %d/%d, Write: %d, Discard: %d

[CRtmpParser::UpdateBufferFromClient] Encrypt %d bytes

[CRtmpParser::UpdateBufferFromClient] Decrypt %d/%d bytes

[CRtmpParser::ParseBuffer] Analyze Next Packet... (Left: %d)

[CRtmpParser::UpdateBufferFromClient] Decrypt %d bytes

[CRtmpParser::UpdateBufferFromClient] ___Warning - Wait for the server handshake to complete...

[CRtmpParser::UpdateBufferFromClient] Analyzed no bytes

[CRtmpParser::UpdateBufferFromClient] Analyzing %d bytes...

[CRtmpParser::operator = %p] <= %p

[CRtmpParser::ParseFlvBuffer] Analyze Next FLV Buffer...

[CRtmpParser::AddDownloadFlowCommand] Method: %s -> Command: %s, Param: %d

[CRtmpParser::OnPing] SWFVerification

[CRtmpParser::OnPing] Time: %d

[CRtmpParser::OnPing] -- Unknown %d --

[CRtmpParser::OnPing] Stream buffer ready %d

[CRtmpParser::OnPing] Pause time: %d

[CRtmpParser::OnPing] Stream buffer empty %d

[CRtmpParser::OnPing] Pong %d

[CRtmpParser::OnPing] Stream is recorded %d

[CRtmpParser::OnPing] Ping %d

[CRtmpParser::OnPing] Stream dry %d

[CRtmpParser::OnPing] Stream EOF %d

[CRtmpParser::OnPing] Stream begin %d

[CRtmpParser::OnPing] Type: %d

[CRtmpParser::OnPing]

[CRtmpParser::OnServerBW] Server Bandwidth: %d

[CRtmpParser::OnServerBW]

[CRtmpParser::OnClientBW] Client Bandwidth: %d

[CRtmpParser::OnClientBW]

[CRtmpParser::OnInvoke] ___Error - Unknown Invokde method: %s

[CRtmpParser::OnInvoke] setBandwidthLimit( %g, %g )

[CRtmpParser::OnInvoke] getStats

[CRtmpParser::OnInvoke] secureTokenResponse: Token = %s

[CRtmpParser::OnInvoke] closeStream: StreamID = %g

[CRtmpParser::OnInvoke] deleteStream: StreamID = %g

[CRtmpParser::OnInvoke] releaseStream: PlayPath = %s

[CRtmpParser::OnInvoke] startStream: PlayPath = %s

[CRtmpParser::OnInvoke] createStream: StreamID = %g

[CRtmpParser::OnInvoke] %s( '%s', '%s', '%s' )

[CRtmpParser::OnInvoke] %s( '%s', '%s' )

[CRtmpParser::OnInvoke] seek( '%d' )

[CRtmpParser::OnInvoke] %s( '%d', '%g' )

[CRtmpParser::OnInvoke] %s( '%s' ), PacketInfo: %d

[CRtmpParser::OnInvoke] onStatus - code: %s, level: %s

[CRtmpParser::OnInvoke] _error - code: %s, level: %s

[CRtmpParser::OnInvoke] %s( '%s' )

[CRtmpParser::OnInvoke] _result createStream: StreamID = %g

[CRtmpParser::OnInvoke] _result connect - AMF3

[CRtmpParser::OnInvoke] _result connect: %s

[CRtmpParser::OnInvoke] _result for Method: %s

[CRtmpParser::OnInvoke] Method: %s

[CRtmpParser::OnInvoke]

Download Helper SendMsgToBtn, url: %s

Could not find converter registry key, %ws

Could not create process, error %x, proc %ws

RegContentType%d

RegRawData%d

RegProtocol%d

RegAgent%d

RegCookie%d

1.0.1.0

RegFileName%d

RegUrl

RegURL%d

%ws_%d.log

- Mozilla Firefox

- Windows Internet Explorer

opera

firefox

chrome

OPERA

opera.exe

safari.exe

firefox.exe

iexplore.exe

chrome.exe

explorer.exe

Google Chrome

Chrome_WidgetWin_1

Firefox

FirefoxBrowserWindow Found browser window, 0x%x

FirefoxBrowserWindow Found button window, 0x%x

IE9BrowserWindow Found browser window, 0x%x

IE9BrowserWindow Found button window, 0x%x

OperaBrowserWindow Found browser window, 0x%x

OperaBrowserWindow Found button window, 0x%x

Opera

SafariBrowserWindow Found browser window, 0x%x

SafariBrowserWindow Found button window, 0x%x

hXXp://VVV.youtube.com/watch?v=

Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.79 Safari/537.1

YTParser url not valid %ws

SBMonitor.log

Error no signature found at %s

GetVideoUrlAndSizeFromWatchPage Could not extract url_encoded_fmt_stream_map params.

GetVideoUrlAndSizeFromWatchPage

YTParser could not find valid url, not downloading

hXXp://VVV.youtube.com/get_video_info?video_id=

GetVideoUrlAndSizeFromVideoInfo

Failed processing urls from watch page.

reportLevel

SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

(build %d)

Windows 2000

Windows XP

Web Edition

Windows Server 2003,

Windows XP Professional x64 Edition

Windows Home Server

Windows Storage Server 2003

Windows Server 2003 R2,

Web Server Edition

Windows Server 2008 R2

Windows 8

Windows 7

Windows Server 2008

Windows Vista

{X-hX-hX-XX-XXXXXX}

sbmntr.sys

Converter.exe

DownloadHelper.exe

HELPEREXELOCATION

YTDownloader.exe

MONITOREXELOCATION

hXXp://VVV.ytdownloader.com/feedback/

Driver - %ws: %x

\\.\SBMonitor

net.exe

Driver installed, NOT loaded: %s

Driver installed, loaded from %s

Software\Opera Software\

%programFiles%\Opera\opera.exe

Apple Application Support\WebKit2WebProcess.exe

Safari.exe

%programFiles%\Safari\Safari.exe

%programFiles%\Mozilla Firefox\firefox.exe

IEXPLORE.EXE

%programFiles%\Internet Explorer\iexplore.exe

SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\

%LOCALAPPDATA%\Google\Chrome\Application\chrome.exe

converter.exe

webm

[CMonitor::AddAppIdToDriver]___Error: Could not add App Ids (%x).

Same as one of buttons PID %d

Same as our PID %d

[CMonitor::EnableMonitoring]___Error: Could not enable monitoring device (%x).

___Error: Could not open device (%u).

-pid %d -size %s -sizeBytes %I64d -type %s -url %s -cookie %s -referer %s -host %s -useragent %s -resolution %s -protocol http

CMonitor::BuildParams Already created similar url, %ws

CMonitor::BuildParams Button exists for similar url, %ws

youtube.com

-pid %d -size %I64d -sizeBytes %I64d -type %s -url %s -cookie %s -referer %s -host %s -ads %s -useragent %s -protocol http

-pid %d -rawdata %s -protocol rtmp -duration %s -resolution %s

Fwpuclnt.dll

https

Not application/octet-stream video and the size is bigger than %d, %d

Not application/octet-stream video and the size is smaller than %d

Not FLV video and the size is smaller than %d

vid2.ak.dmcdn.net

CHttpMonitor::SameYoutubeVideo Same params page id = %s, itag = %s

CHttpMonitor::SameYoutubeVideo DASH same params page id = %s, itag = %s

CHttpMonitor::SameYoutubeVideo Same watch page %s

HTTP_Version_String

[HttpParser::ParseLine] ___Error: The field separator was not found in the line:

VVV.google.com

Global\{9DA0BEED-7248-450a-B27C-C0409BDC377D}

YTD-icon-128x128.png

Advapi32.dll

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_PERFORMANCE_DATA

HKEY_DYN_DATA

HKEY_CURRENT_CONFIG

%saction=%s&userid=%s&usid=%s&aff=%s&v=%s&url=%s&title=%s&pingtext=%s&protocol=%s&size=%I64d&ref=%s&browser=%s

hXXp://rep.ytdownloader.com/app/ping.ashx?

%s%s%s

[RtmpDownloader::CreateProcessStdoutPipe] ___Error SetHandleInformation: %d

[RtmpDownloader::CreateProcessStdoutPipe] ___Error CreatePipe: %d

[RtmpDownloader::CreateProcessStdoutPipe] ___Error StdOut CloseHandle: %d

rtmpdump.exe

[RtmpDownloader::ReadFromPipe] --- Download Ends ---

[RtmpDownloader::ReadFromPipe] --- Download Begins ---

[RtmpDownloader::RunCommandLine] ___Error CreateProcess: %s. LE: %d

Error : failed to run FFmpeg - %d

[RtmpDownloader::RunCommandLine] ___Error CreateProcessStdoutPipe

Failed to run update (%x).

Trying to execute an update.

CUpdater::parseUpdateXML Set report level to %ws

REPORT

CMDLINE

%sid=%d_r=%lld_err=%d

%suserid=%s&aff=%s&v=%s

hXXp://VVV.ytdownloader.com/app/update.ashx?

mscoree.dll

KERNEL32.DLL

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

ADVAPI32.DLL

WUSER32.DLL

<>"#%{}|\^~[]`' ?&

%Program Files%\YTDownloader\YTDownloader.exe

1.0.3.9

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   net.exe:916
   sc.exe:280
   sc.exe:1996
   net1.exe:1620
   %original file name%.exe:1676
   ytd.exe:972
   regsvr32.exe:304
   DC%original file name%.exe:484
   setup.exe:1964
   find.exe:804

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   %Documents and Settings%\%current user%\Local Settings\Temp\nse3.tmp (4 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nse3.tmp\NK.lky (16 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nse3.tmp\System.dll (11 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nse3.tmp\DC%original file name%.exe (365555 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nse3.tmp\781F2EA07B0657F6 (33633 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nse2.tmp (37398 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nse3.tmp\D1989.dll (14 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\setup.exe (2385467 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\D1958.dll (14 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\NK.lky (16 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nss5.tmp (229287 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\setup1.exe (214141 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\Install_10067\ytd.exe (84575 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsr8.tmp\nsExec.dll (6 bytes)
   %Program Files%\YTDownloader\libeay32.dll (28908 bytes)
   %WinDir%\Tasks\YTDownloader.job (942 bytes)
   %Program Files%\YTDownloader\rtmpdump.exe (13874 bytes)
   %Program Files%\YTDownloader\YTDownloader.exe (43494 bytes)
   %Program Files%\YTDownloader\DownloadAPI.dll (48908 bytes)
   %Program Files%\YTDownloader\Unelevate.exe (2384 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsr8.tmp\System.dll (11 bytes)
   %Program Files%\YTDownloader\YTD-icon-128x128.png (8 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsr8.tmp\nsProcess.dll (4 bytes)
   %Program Files%\YTDownloader\Updater.exe (17795 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsr8.tmp\nsA.tmp (6 bytes)
   %Program Files%\YTDownloader\download_ani.gif (9 bytes)
   %Program Files%\YTDownloader\DownloadHelper.exe (10780 bytes)
   %WinDir%\Tasks\SMupdate1.job (1158 bytes)
   %Program Files%\YTDownloader\AniGIF.ocx (5702 bytes)
   %Documents and Settings%\%current user%\Desktop\YTDownloader.lnk (1 bytes)
   %Program Files%\YTDownloader\ssleay32.dll (3053 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsr8.tmp\AccDownload.dll (10030 bytes)
   %Program Files%\YTDownloader\convert_aniBW.gif (7 bytes)
   %Program Files%\YTDownloader\sbmntr.sys (1188 bytes)
   %Documents and Settings%\%current user%\Start Menu\Programs\YTDownloader\YTDownloader.lnk (1 bytes)
   %Program Files%\Common Files\System\SysMenu.dll (18130 bytes)
   %Program Files%\YTDownloader\YTDUninstall.exe (20217 bytes)
   %Program Files%\YTDownloader\Download_completed.ico (1 bytes)
   %Program Files%\YTDownloader\convert_ani.gif (762 bytes)
   %Program Files%\YTDownloader\converter.exe (61968 bytes)
   %WinDir%\Tasks\YTDownloaderUpd.job (912 bytes)

4. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   "YTDownloader" = "%Program Files%\YTDownloader\YTDownloader.exe /boot"
   
   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   "YTDownloader" = "%Program Files%\YTDownloader\YTDownloader.exe /boot"

5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
6. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.