Installer.Win32.InnoSetup.2_773173ee8a

by malwarelabrobot on August 18th, 2017 in Malware Descriptions.

Trojan.Win32.Generic!BT (VIPRE), Trojan.InstallCore.1903 (DrWeb), Application.AdInstall (A) (Emsisoft), Artemis!773173EE8A8E (McAfee), SMG.Heur!gen (Symantec), Win32:InstallCore-IF [PUP] (AVG), Win32:InstallCore-IF [PUP] (Avast), Installer.Win32.InnoSetup.2.FD, Trojan.Win32.Sasfis.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan, Installer, PUP

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

Dynamic Analysis

Static Analysis

Network Activity

Map

Strings from Dumps

Removals

MD5: 773173ee8a8e10f4296b28d84c80fb12
SHA1: ad5c85723a02193031b4bbf8d318354be2f05d27
SHA256: 84abd02b9283c6f1aa939422f799d3b34f463c71383b946bec23cb306b556fb4
SSDeep: 24576:laoYyXj4/ PNoM6dLcCWiNZjzwOQOO6SN58:ltBTJ6hcLY0OQObSN
Size: 1006024 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company: no certificate found
Created at: 1992-06-20 01:22:17
Analyzed on: Windows7 SP1 32-bit

Summary:

Installer. An installation package.

Payload

No specific payload has been found.

Process activity

The Installer creates the following process(es):
No processes have been created.
The Installer injects its code into the following process(es):

%original file name%.exe:1908

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1908 makes changes in the file system.
The Installer creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\images\Resume_Button.png (681 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\images\Icon_Generic.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\locale\FI.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\locale\EL.locale (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\images\Close_Hover.png (653 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\images\BG.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\in7EAD48DF\6D8C4654_stp.EXE (5620 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\locale\HI.locale (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\images\Quick_Specs.png (221 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\css\ie6_main.css (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\locale\NL.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\css\sdk-ui\images\button-bg.png (131 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\000679FF.log (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\locale\KO.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\in7EAD48DF\12978936_stp.CIS.part (735 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\locale\ID.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\locale\JA.locale (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\images\sponsored.png (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\locale\IT.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\images\ProgressBar.png (812 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\csshover3.htc (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\locale\DA.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\00067944.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\images\Color_Button_Hover.png (238 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\locale\CS.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\images\Close.png (674 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\css\main.css (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\bootstrap_32466.html (156 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\images\Color_Button.png (237 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\images\Pause_Button.png (493 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\locale\PT.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\css\sdk-ui\images\progress-bg.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\css\sdk-ui\button.css (417 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\form.bmp.Mask (244 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\in7EAD48DF\12978936_stp.CIS (3902 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\images\Grey_Button_Hover.png (231 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\locale\NO.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\locale\DE.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\locale\ZH.locale (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\css\sdk-ui\progress-bar.css (506 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\locale\TH.locale (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\locale\RU.locale (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\locale\TR.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\locale\SV.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\images\Grey_Button.png (230 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\css\sdk-ui\images\progress-bg2.png (978 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\images\Loader.gif (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\images\Progress.png (104 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\css\sdk-ui\browse.css (337 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\in7EAD48DF\12978936_stp\asgnd.json (6341 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\css\sdk-ui\checkbox.css (190 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\locale\ES.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\css\sdk-ui\images\progress-bg-corner.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\locale\PL.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\locale\FR.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\in7EAD48DF\6D8C4654_stp.EXE.part (399 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\locale\EN.locale (4 bytes)

The Installer deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\bootstrap_32466.html (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\000679FF.log (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\00067944.log (0 bytes)

Registry activity

The process %original file name%.exe:1908 makes changes in the system registry.
The Installer creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "708992537"

[HKLM\SOFTWARE\Microsoft\Tracing\773173ee8a8e10f4296b28d84c80fb12_RASMANCS]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\773173ee8a8e10f4296b28d84c80fb12_RASAPI32]
"FileTracingMask" = "4294901760"
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\773173ee8a8e10f4296b28d84c80fb12_RASMANCS]
"ConsoleTracingMask" = "4294901760"
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\773173ee8a8e10f4296b28d84c80fb12_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\773173ee8a8e10f4296b28d84c80fb12_RASMANCS]
"FileTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\773173ee8a8e10f4296b28d84c80fb12_RASAPI32]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\773173ee8a8e10f4296b28d84c80fb12_RASMANCS]
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\773173ee8a8e10f4296b28d84c80fb12_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "%original file name%.exe"

[HKLM\SOFTWARE\Microsoft\Tracing\773173ee8a8e10f4296b28d84c80fb12_RASAPI32]
"EnableConsoleTracing" = "0"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Installer deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

Dropped PE files

MD5	File path
2677d319a2f7736f4162137389b4154d	c:\Users\"%CurrentUserName%"\AppData\Local\Temp\in7EAD48DF\6D8C4654_stp.EXE

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: Cotuf
Product Name: Rof
Product Version: 4.1
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description: Rof Setup
Comments: This installation was built with Inno Setup.
Language: Language Neutral

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
CODE	4096	40240	40448	4.66785	d3a73359580e9d327128c0efe9e6f6f0
DATA	45056	592	1024	1.90742	1ee71d84f1c77af85f1f5c278f880572
BSS	49152	3724	0	0	d41d8cd98f00b204e9800998ecf8427e
.idata	53248	2384	2560	3.07115	bb5485bf968b970e5ea81292af2acdba
.tls	57344	8	0	0	d41d8cd98f00b204e9800998ecf8427e
.rdata	61440	24	512	0.14174	9ba824905bf9c7922b6fc87a38b74366
.reloc	65536	2244	0	0	d41d8cd98f00b204e9800998ecf8427e
.rsrc	69632	11264	11264	3.11257	68a5b74c9ef4cc840869e9b8a0a3dc9f

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 1
e65520e6845ed10d74a5465ba2d5d85c

URLs

URL	IP
hxxp://rp.tomumafuf.com/?v=2.0&subver=6.21&pcrc=1164085220	54.171.164.13
hxxp://info.tomumafuf.com/?v=1.03&c=64b14d73&at=252775460&cntr=0	176.34.130.130
hxxp://rp.tomumafuf.com/?v=2.0&subver=6.21&pcrc=1847758208	54.171.164.13
hxxp://os.tomumafuf.com/SoftSuma_LQ_2/?v=6.0&c=1912339559&t=425430	54.171.59.189
hxxp://p-defr00.kxcdn.com/chrome/ChromeSetup.exe
hxxp://cdneu.softsumacdn.com/ofr/Solululadul/asgnd.cis	46.166.187.59
hxxp://cdnus.softsumacdn.com/ofr/Solululadul/asgnd.cis	199.58.87.151
hxxp://rp.Tomumafuf.com/?v=2.0&subver=6.21&pcrc=1847758208
hxxp://zesoft-58d.kxcdn.com/chrome/ChromeSetup.exe
hxxp://info.Tomumafuf.com/?v=1.03&c=64b14d73&at=252775460&cntr=0
hxxp://rp.Tomumafuf.com/?v=2.0&subver=6.21&pcrc=1164085220

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET MALWARE Win32/InstallCore Initial Install Activity 1
ET POLICY PE EXE or DLL Windows file download HTTP

Traffic

HEAD /ofr/Solululadul/asgnd.cis HTTP/1.1

Accept: */*

Host: cdneu.softsumacdn.com

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0; ICDM 2.1)

Content-Length: 0

Connection: Keep-Alive

Cache-Control: no-cache


HTTP/1.1 200 OK

Server: nginx/1.10.2

Date: Thu, 17 Aug 2017 00:02:34 GMT

Content-Type: application/octet-stream

Content-Length: 101029

Connection: keep-alive

x-amz-id-2: MQAHMTgy AoUs2Pf0sVmGohb7Z1VxxnCjAvto/1WHUcYF15gIKHTKIOoQrUs CBMTIklj8ItVnw=

x-amz-request-id: 75E78E979C6DB497

Last-Modified: Wed, 20 Jan 2016 14:38:52 GMT

ETag: "638ebcd93f900c3908f5dde6d8bc2d9f"

x-amz-meta-cb-modifiedtime: Wed, 20 Jan 2016 14:37:36 GMT

x-amz-version-id: ak82ScyXtEXeOWL8crBo3MgwwdwO6r.3

Accept-Ranges: bytes

HTTP/1.1 200 OK..Server: nginx/1.10.2..Date: Thu, 17 Aug 2017 00:02:34
 GMT..Content-Type: application/octet-stream..Content-Length: 101029..
Connection: keep-alive..x-amz-id-2: MQAHMTgy AoUs2Pf0sVmGohb7Z1VxxnCjA
vto/1WHUcYF15gIKHTKIOoQrUs CBMTIklj8ItVnw=..x-amz-request-id: 75E78E97
9C6DB497..Last-Modified: Wed, 20 Jan 2016 14:38:52 GMT..ETag: "638ebcd
93f900c3908f5dde6d8bc2d9f"..x-amz-meta-cb-modifiedtime: Wed, 20 Jan 20
16 14:37:36 GMT..x-amz-version-id: ak82ScyXtEXeOWL8crBo3MgwwdwO6r.3..A
ccept-Ranges: bytes......

GET /ofr/Solululadul/asgnd.cis HTTP/1.1

Range: bytes=0-101028

Accept: */*

Host: cdneu.softsumacdn.com

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0; ICDM 2.1)

Connection: Keep-Alive


HTTP/1.1 206 Partial Content

Server: nginx/1.10.2

Date: Thu, 17 Aug 2017 00:02:36 GMT

Content-Type: application/octet-stream

Content-Length: 101029

Connection: keep-alive

x-amz-id-2: MQAHMTgy AoUs2Pf0sVmGohb7Z1VxxnCjAvto/1WHUcYF15gIKHTKIOoQrUs CBMTIklj8ItVnw=

x-amz-request-id: 75E78E979C6DB497

Last-Modified: Wed, 20 Jan 2016 14:38:52 GMT

ETag: "638ebcd93f900c3908f5dde6d8bc2d9f"

x-amz-meta-cb-modifiedtime: Wed, 20 Jan 2016 14:37:36 GMT

x-amz-version-id: ak82ScyXtEXeOWL8crBo3MgwwdwO6r.3

Content-Range: bytes 0-101028/101029
CIS................?...............P..............M.U....$..q.X]....9u
..9u...#a!.s..2.....{8.u..i3.\...Q.....X..}.E..c.).........&`.......B&
gt;Zr..|...E....=..>.o.u..........=|....:._-@.6.d.b.......F'/.C^..t
...e%.s^.3..4..&..o)Y....UrU.R@.........i.%?...lW.-..g.'..KC...'..0E.m
.d.....x.#]...y..u...?.x.V[....o5.x..MQ\....nX.@.9r..iJ.8...L.E...c.4.
.6.x..@'..[..C(4.&.../A..i........e...`T..H. ........)....9(!.D..m...0
..e.,...~..<. ..L.}...................../...sC..#..}.... .......9.9
.....Ji..Xb.Yjk.../...6.@b...i..&....F....M..a....u..B..~_2....h.:nu..
..-..QiL.P|.LB.).....X..v5Z.$aP.".*...z.b5J..z....h.a>?n~h.$..;.V.'
i...2......Y..q^Z4..\....=`....o.M....~.....:u..^.....A@......k..b...Z
<.!..;......&y..!4...#..S.p;wb....@a...._.......At.5..pz........t.5
H.. 8.-..7...{.P.a;..ia..@.Ac.1.....T...,dmoE's;....5...B.7.vQ$9......
y{.j...F....|...9.u....M......1./.-t....dI#d..C9..Lg...../. .v.......1
T..60.2........#..B..............8.....y#~5A...~t...K...{a.|.z....~.*.
.b*.49k.2....>..]s...W...B.n....zK.,..Vk.....h...........w...".....
.I..XW[..}W...y0f..k.~..O6.97#Gk8.5(....Y.W..k...Lz....6fz.....)|.}../
h(8....0dzx.\........._..b...'..Y..w/*H..\.B...\.......1&..Vg..[..N(.Z
I.......G..[.x....0:.eJ.J~..)o..,....T...i..Z.Q......P!.J......_...F.1
er.8...#d...).......Z..im..F.i....%".o.....F.z.V..Q..K....R..W ./.".E.
.dR...y......'Tu....9U..$4."..wP...d9.....x$...W`....8....#u...1..\,.S
.:.kdU..[...,.a"....". P....!.V.K.Q"M.G.e....w!C..../..... m9J1..&I..z
&.2.I..-B.......{.=Ftm....6....A...3..=@t..67.-M.U.Z/..c..^W/Wo .h<<< skipped >>>

HEAD /chrome/ChromeSetup.exe HTTP/1.1

Accept: */*

Host: zesoft-58d.kxcdn.com

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0; ICDM 2.1)

Content-Length: 0

Connection: Keep-Alive

Cache-Control: no-cache


HTTP/1.1 200 OK

Server: keycdn-engine

Date: Thu, 17 Aug 2017 00:02:33 GMT

Content-Type: application/octet-stream

Content-Length: 880784

Connection: keep-alive

Last-Modified: Wed, 28 Jan 2015 23:30:44 GMT

ETag: "54c97124-d7090"

Expires: Thu, 24 Aug 2017 00:02:33 GMT

Cache-Control: max-age=604800

X-Edge-Location: defr

Access-Control-Allow-Origin: *

Accept-Ranges: bytes

....

GET /chrome/ChromeSetup.exe HTTP/1.1

Range: bytes=0-880783

Accept: */*

Host: zesoft-58d.kxcdn.com

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0; ICDM 2.1)

Connection: Keep-Alive


HTTP/1.1 206 Partial Content

Server: keycdn-engine

Date: Thu, 17 Aug 2017 00:02:33 GMT

Content-Type: application/octet-stream

Content-Length: 880784

Connection: keep-alive

Last-Modified: Wed, 28 Jan 2015 23:30:44 GMT

ETag: "54c97124-d7090"

Expires: Thu, 24 Aug 2017 00:02:33 GMT

Cache-Control: max-age=604800

X-Edge-Location: defr

Access-Control-Allow-Origin: *

Content-Range: bytes 0-880783/880784
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......{..5?.|f?.|f
?.|f$..f0.|f$..fa.|f$..f..|f$..f9.|f6..f4.|f?.}fO.|f$..f>.|f?..f..|
f$..f>.|fRich?.|f........PE..L.....[T.....................^......)S
............@.................................]K....@.................
................D...x....`..$............8...8...p....................
......................@............................................tex
t............................... ..`.rdata...1.......2................
..@..@.data....,...0......................@....rsrc...$....`..........
............@..@.reloc.......p......."..............@..B..............
......................................................................
......................................................................
......................................................................
......................................................................
..................................................U..3..}.....j....j.j
.H........P..$.@..U...E...t,...t ...t..."t...Pt.h.@.......hW.....h....
..].U..V.u....u.....@...tAWP..(.@.....t%.u..u.....@......v.;.s.N....|O
.u.;.r.3..........#._^].U...E....@...j.P.u.....@...u.].P.u..E..{...YY]
.U..QSVW3...JA.S........E......<..u>.E....@S...Pj.V....@...t.P.E
.V.1.....YY..u..u....J....E.....u.3._^[.......H........J........P.R..U
..........3A.3..E.Vj.....d.@.WV......P....@.....l.@...t.h.@...R.......
....;u.r.hW...........P. b..Y;E.s.......P.u.S.0b..P.<....M.....<<< skipped >>>

POST /?v=1.03&c=64b14d73&at=252775460&cntr=0 HTTP/1.1

Accept: */*

Host: info.Tomumafuf.com

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)

Content-Length: 172

Cache-Control: no-cache

6l7GU7LYt04pVHc/00d7JsSAVXUjroMyp8BTlvY7e8CtqawQW m4aqa AiQxUKez9yAxn6kpz C4W7N14iAGqSJdjpK0kOt1dZZjkpuVvXLNvqKTmUabXzFgGCDU0kSo/3mn929EhXhn gvnEoJVVeznAPMkfyKj7/h7EK5FKHw=
HTTP/1.1 200 OK

Access-Control-Allow-Origin: *

Content-Type: text/plain; charset=utf-8

Date: Thu, 17 Aug 2017 00:02:32 GMT

Content-Length: 1240

Connection: keep-alive

ImILWJLhu4GJ7hr 5Ax0F6eq4/I6Ih9HGbKIPDKFg2cXY3D6aVj1GT2AAPYpfXzl4s2AJY
M/LI1/r7OBlL24r lZ35jqvG1pU8Bn/009/nk0wneK9EkOZYuDa5Xn75iQ/07fVangOC6Z
6kZiYpTE8qXHA9Xx9bLsTEaKycHosjUQMe1HWvz5hcovDUXnc2pmBrxNbUPAA8/i3nTISS
E9HMI72tGr/D 3remHInc0YbwHv97BC0iIXs1s80qb2RWuLNK4m2sgiEnRNhLbQ30jpGW9
iQ yPWa2sRKEwKDW2I0ft/UgAzQdD6zbnvXxyvxZc39cKXMwYPMoXL84G1xRdFPaEoSQBU
9iC/xF6/PZEMdPQQQJUjeVqXmgvhVp06dWIRnbuRU3Bx8sjgcfkZbysO3iYWJJBVqebtVD
MYSZ0XEweUDHf590qjegUJME8LhF48jqeF6I C351EKPqxnnalFXpuWW5dwtNcf/Stiurh
GxmVk6rmK4EO MHrqsxir927iidxi3pAtInZlWMDMdpu8D6Rh6XvATBBCY0AHeC5qASyC8
habOaPxRN5Be Pdutq7sV392eOhbBEYz2WLOVmLoUbOqRjoueRsFHHAII7Mapw7fhM/ZGH
Mg7RjRtLpH2xhMbM6TV5VTIPnKRNlgMOqLz6j7tOF9Wpj3Ra7DMFdK4LbxEn1Bm7jAjdiO
92DK61eJACuO/jOBWkFGH3Ish5sa5FPlYRlBku7ZtAe8dvul7f6ETsMHRj/KhUU7f7njwU
Om3CKIdqvLhLeGBXIYQSvplPAUKx8yPtTagx6tGOrCt78FWO4j58WYJ/grhoWlGcmSnN13
3Vv8xTNmIO83mtI/tm5LUmJ2UaNx9JgFsMxbMQsSU0hed80IwZLqzZrabNR6VX45EPy4MY
JMBdVtQOMcTQyaTRPfa6/f6uB9IuH0TTeny/bn93HTgy/yaI/SfHuZEsZ/OfcDCbZCYMia
4pGucU9ZtkUhp5gu7oeLVw5qGHfZz/OJRNxjFc0TQABKS13TYUm3aW mdqlR lkJ71gCrH
ywfEUEevvheQwnes06EnllpivuwzCfV2F0u/L5AKHMRFX6Fi88fG38QK3yuj7Mpegl8oVS
gTqmAhuz8n9BVGnijTF2TVaTUmymKv/dkYHziKnQvu6kLvwqqN4eGCeFgxtzc0DJlcqbCR
MZt/2X18qBllIRLroP3AXE1JJeYKti4oMu2sqDR6/rVwsbsw==HTTP/1.1 200 OK..Acc
ess-Control-Allow-Origin: *..Content-Type: text/plain; charset=utf-8..
Date: Thu, 17 Aug 2017 00:02:32 GMT..Content-Length: 1240..Connection:
 keep-alive..ImILWJLhu4GJ7hr 5Ax0F6eq4/I6Ih9HGbKIPDKFg2cXY3D6aVj1GT2AA
PYpfXzl4s2AJYM/LI1/r7OBlL24r lZ35jqvG1pU8Bn/009/nk0wneK9EkOZYuDa5X

<<< skipped >>>

POST /?v=2.0&subver=6.21&pcrc=1164085220 HTTP/1.1

Accept: */*

Host: rp.Tomumafuf.com

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)

Content-Length: 2000

Cache-Control: no-cache

...3E.Q)_l.y...K.X.H...0..t:;7...VvcH1.

.......tn=l.$X..!~..Z.[N:V'ZDlR....P..ymh...".c....?.t:..2.{...T0.e

...7....!F.{.....$\S

\.9..}.~_......=.}
.1......f..
..Zqs I.:;....e}q.B...&..X....P......>.GO|E.j^k...7.U|r.....K..@J.........={.....0..=6.v.7...z....(...y.~.....{.BZ.....O.9.....s...v...zD(...r.c.,&.. ==...`.....|GV..K

...4.e..c&.7...X.5.Q.{j......B.b?&.z....q...p...G.........p.|S.s
...>.=.......9.u.c..a.~..HU.j%...{$.y=.\`.8i..'..h,c.8..)u.[.!\.]...&......*.|l.a......v..Z&}.rk.d....O8.5)...L.......z...h.....`b.......~..BJJ8g.A.....#...ct..~....10....n.H.(.......j.q..H....-....Ee.
..a...f...Mm.......*1...j.&.=U...}<X..A..i....A...'z....y.n._...u<...:.w:.'pa..Z.y.o.h|

|.."..>V..je.%..n^.!..}._...].e.X..Hf`.......2.6.Y.m9U..T.e.w..M..m...l..tZe.@...m.M.i._!...1.d..;.....@..>.......^.m.Ds...?'}..O......u. ...n...:.Qyn..t.{n.K....(~=.H.:....8,.....S......e...=1.c%.2e..vrv6..c....
.sUg.b'..;.r.......
..(..y~MC 
B@..

..3........z.bL;GG..e...uR..U,1...B@.r...G..`KBu....T.$9_.R..)E...Rp.".../F..<.....9y..."...e9Cmy...

..!K0H...[^:..l,..Mj[EB.v. R.Z..f...f.|.m.........a:.....I...*%RK{{ qy5>...'v...qt.T...nq.#.X5J.*.....o.F.8P].Y.P.......0|.I....ZPX............p....r..RNP...]`....^.i*,K....C.....O?nP.pe......[.w.v.B.W.Z..:y..(........K.g...)..'.....M..y..YBH..e\h....
HTTP/1.1 200 OK

Content-Type: text/html; charset=UTF-8

Date: Thu, 17 Aug 2017 00:02:32 GMT

Content-Length: 4

Connection: keep-alive

DONEHTTP/1.1 200 OK..Content-Type: text/html; charset=UTF-8..Date: Thu
, 17 Aug 2017 00:02:32 GMT..Content-Length: 4..Connection: keep-alive.
.DONE....

POST /?v=2.0&subver=6.21&pcrc=1847758208 HTTP/1.1

Accept: */*

Host: rp.Tomumafuf.com

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)

Content-Length: 2432

Cache-Control: no-cache

...4.....>.K..~..zq.....r.s.=..c..o.0.z6|.d..Z......~N~.k..nU@.ue..0.7..Kz1z.s../....5....1..k.M...\....U....`GO.........&.b.... ...&.H....RA....:OF5_2.........m..\=.d..C.a..C.;...JU.... .o.....n..C?..U.u\...o.
....}.?...s.].3,.1...(...p.....y..|G.*'s=$F..5.0..>o5".......Z.^.i.^<...........Fb.....N.E..I`
xI..

...CZ...

....b.,.e}^...k|C.W.$..........FU!..'... G.....NF<..8..y".........6~T.Y.$%N.(SwgV...rY@.....[.&4)....$..\..3Y.............S.i.^R...M..of...%qYZMu......u...fB.:.).T........h... kUt..$.Q.........X..<...p....&;.......`....6..su.-O../$7.h.t*..............v.p.`m....
3.nm..... ..!..g..3o.......Bg.7.....=..<*..............D~..h7...K..j2RJa.3..!..]k..

.%.W1..U.....'.........O.......A}.#.U.('.vG.{>.....h.]m.&5.P.3.......Yw........{....h\.H....^..............EO.......3.....S....T..4..).5.L.~/...S......ny)..Q.............

...\.fF..o.k.e....Q-.Ng.V......

.....< .....L......O9~.X<..........E

.]......s.o.u..M>.._.X/.....o:.HI.)w.i..E...v.........K..=..~.uDv...n,..$..F%n..~|.f.|S.o.......U....sc..-...............4..Qa..n..U.m..z..p...i9..0.-...ji$X.K.3....W....l........jWsJ.t...s..aq..V....-.....Ig.......=.<..O..3`.H9..........t.j..kA..^....L.oqz..TH:G......3...-.
. ...D.a.f.t.....^zt.P.j...t.{J..8.i.C..Ib..,,......?P...KR.7...."O....d...C............(........D
HTTP/1.1 200 OK

Content-Type: text/html; charset=UTF-8

Date: Thu, 17 Aug 2017 00:02:33 GMT

Content-Length: 4

Connection: keep-alive

DONEHTTP/1.1 200 OK..Content-Type: text/html; charset=UTF-8..Date: Thu
, 17 Aug 2017 00:02:33 GMT..Content-Length: 4..Connection: keep-alive.
.DONE..

GET /ofr/Solululadul/asgnd.cis HTTP/1.1

Accept: */*

Host: cdneu.softsumacdn.com

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0; ICDM 2.1)

Connection: Keep-Alive


HTTP/1.1 200 OK

Server: nginx/1.10.2

Date: Thu, 17 Aug 2017 00:02:36 GMT

Content-Type: application/octet-stream

Content-Length: 101029

Connection: keep-alive

x-amz-id-2: MQAHMTgy AoUs2Pf0sVmGohb7Z1VxxnCjAvto/1WHUcYF15gIKHTKIOoQrUs CBMTIklj8ItVnw=

x-amz-request-id: 75E78E979C6DB497

Last-Modified: Wed, 20 Jan 2016 14:38:52 GMT

ETag: "638ebcd93f900c3908f5dde6d8bc2d9f"

x-amz-meta-cb-modifiedtime: Wed, 20 Jan 2016 14:37:36 GMT

x-amz-version-id: ak82ScyXtEXeOWL8crBo3MgwwdwO6r.3

Accept-Ranges: bytes
CIS................?...............P..............M.U....$..q.X]....9u
..9u...#a!.s..2.....{8.u..i3.\...Q.....X..}.E..c.).........&`.......B&
gt;Zr..|...E....=..>.o.u..........=|....:._-@.6.d.b.......F'/.C^..t
...e%.s^.3..4..&..o)Y....UrU.R@.........i.%?...lW.-..g.'..KC...'..0E.m
.d.....x.#]...y..u...?.x.V[....o5.x..MQ\....nX.@.9r..iJ.8...L.E...c.4.
.6.x..@'..[..C(4.&.../A..i........e...`T..H. ........)....9(!.D..m...0
..e.,...~..<. ..L.}...................../...sC..#..}.... .......9.9
.....Ji..Xb.Yjk.../...6.@b...i..&....F....M..a....u..B..~_2....h.:nu..
..-..QiL.P|.LB.).....X..v5Z.$aP.".*...z.b5J..z....h.a>?n~h.$..;.V.'
i...2......Y..q^Z4..\....=`....o.M....~.....:u..^.....A@......k..b...Z
<.!..;......&y..!4...#..S.p;wb....@a...._.......At.5..pz........t.5
H.. 8.-..7...{.P.a;..ia..@.Ac.1.....T...,dmoE's;....5...B.7.vQ$9......
y{.j...F....|...9.u....M......1./.-t....dI#d..C9..Lg...../. .v.......1
T..60.2........#..B..............8.....y#~5A...~t...K...{a.|.z....~.*.
.b*.49k.2....>..]s...W...B.n....zK.,..Vk.....h...........w...".....
.I..XW[..}W...y0f..k.~..O6.97#Gk8.5(....Y.W..k...Lz....6fz.....)|.}../
h(8....0dzx.\........._..b...'..Y..w/*H..\.B...\.......1&..Vg..[..N(.Z
I.......G..[.x....0:.eJ.J~..)o..,....T...i..Z.Q......P!.J......_...F.1
er.8...#d...).......Z..im..F.i....%".o.....F.z.V..Q..K....R..W ./.".E.
.dR...y......'Tu....9U..$4."..wP...d9.....x$...W`....8....#u...1..\,.S
.:.kdU..[...,.a"....". P....!.V.K.Q"M.G.e....w!C..../..... m9J1..&I..z
&.2.I..-B.......{.=Ftm....6....A...3..=@t..67.-M.U.Z/..c..^W/Wo .h<<< skipped >>>

POST /SoftSuma_LQ_2/?v=6.0&c=1912339559&t=425430 HTTP/1.1

Accept: */*

Host: os.tomumafuf.com

User-Agent: ICAS

Content-Length: 1392

Cache-Control: no-cache

.I..~...$$.........D....H.O....[.gp.G.aN.
......O,7$.2..%^....R D.5..a...LpI9..i

.eY.......R.U-r-.!t...2:X..BH......e.;.ug......b.5.I$...[.#CQN....C.Z. .......P .....3.1/.........@...2.8/.a...lY...$.......j.....w..1Dg..x.6Fn..P.E..f8R...U...}f...{.h...v....V.Ip..D..E7.<e..)......3

s.....%M41. A.....C.m.......p.....T..4p.21..h...._R...O.P...Mei..1..mR.P....3..'F3...{<.z.z......KC.N.lf..g.r..U....{ZO...v..7GB.LRM.m.e.......Tc ..{[..?|$e...o.....l.........8.=  .2.V8.....?.F..[D.....\.."....L..`.).4......`....<$wW.= .v..E........*v.............i.9../=A>o....N;..-..[......_..U...x..<.>..j..!.K..ev..\.v.....r.*.Cs....r.->..G.6%... .u..@..G....t.^?..G...S..........Q.y..........t...;..!^.XX..g....z...Y..W
..i.d..-..O..j......QiN..U.....P.@].*..Td.U..^-..b...-..h#6*?..-.......*`....}......f^......(&.U...v.._f...@,..Y.w.K?..~?./...:..F......r.f|2.S........2./.|.TGN.>.`.i..H......F..#3....9v..N..;..BLe............q.f...............K.l.T.*......_....x.....?{.u ..D.Qh3.9....',n[_.'.[(..n..X..........j....H..#!{....V..p........x%\G..U6_.qm...mT.2..,..=.H:6SH....S...x.2...Xo..o...".\.Xuo..I.A.&i@..Y:..K..7V.s.3D........6......

.J7..(.....B......a.".=..Y...E........d>...ha.P....!.{P.sbR..l.......

.....80..X....#.....MCS.....Y..P...'W.:.!i..Ci .'N...N

0ou8.{.$B..W.e$T
....]..'.....1.rq....Uu.W..O...KQ.,......
.|...x......t6\al...0
HTTP/1.1 200 OK

Cache-Control: no-cache

Content-Type: text/plain

Date: Thu, 17 Aug 2017 00:02:33 GMT

Expires: Thu, 01 Jan 1970 00:00:01 GMT

Server: nginx

X-ICSCT-CC: UA

X-ICSCT-GICSET: 13716

X-ICSCT-IP: 194.242.96.218

X-ICSCT-ISP: Pitline Ltd

X-ICSCT-ORGANIZATION: Pitline Ltd

X-ICSCT-SERVER-NAME: ads-slave-173-production-eu-west-1-i-05af3581e300bc38d

X-ICSCT-TIMESTAMP: 20170816190233310

X-ICSCT-VERSION: v1.7.3

X-ICSCT-XC: 1f3cfb072bc5ded412eb0f20eaa0b3fa349c056a

X-ICSCT-XS: 91bba9083b637bbb85f2bc525458ea3d2e0cb405

X-Powered-By: PHP/5.5.38

X-Robots-Tag: none

transfer-encoding: chunked

Connection: keep-alive
141d...f.........0....k.l............-........vB..7G.?...]U....}e./.9.
x.....(l.i.....3.]).6.1....6.RK.K.U=.@......Q.T...Q_......_...Y(..W...
.Q.3.g.n.:.^..f,.?...Hp/ ........%&@.7];6..2..X......n......u8z<N..
i........;..k...q..>..T.W..@!.,46.n.K.....g<.2......A..D/.....C.
@...sK....k ......, .....uKGb.`.....@LAC.....]..`Y.^..... .x..qc1.:j{.
U\.W!..|c.3,.!....h....NZ.793]V...Egw..Y....P....T.4.].J.......(<..
8..`.'.Q9J.@m.T.T......g<..s.-......}P..fK...)....a...j....P.E.*S..
Q.y.....%..d....TV...8..G...[.$!...#j.J..gj.......7VBY"..w6........2..
b.kw.(..C.<.X_...F.^.k.Wqg&m".n...wC..;..M.$.....(....G?/...../.f..
...ez..T...4...,.../x.Z...'t.7..-...z*/N..j.7,....Vt.R..]_.A~...w...*.
.#w.4p./cQ..{..q....r....s...."t.\=...a1.Z.%...".....x.. 3....q.&bk..b
1.M.W.......w..Lx.k..|r... .'....L.}...w....."b.i....5..z..(j......0lA
m@.m. exnP..s.w/{E.......30...8.r0.c.0.7n.j.......Z.p..r.t..5.. |.....
0u>;..;....h,..~.r>.W.......0...?..0.......R..S...&.j:.......f}c
w.L.....,.....R....e........uX..Q...}.......T...$9z.....g..z..'Kg..S .
x..7>.RP-AS.Dti..0z.J.U.PG.u....Su..5(...hv.Ky.W:._^v..k..p.?.o6..]
Z.....IP..YP. n9.E.q..........B..F...B. ...(G&N....I.!.....C%...n&V...
.....=z.... ...a...}.M.p.........@.X}.....GN|hI.....|@.....G.RB....AF.
......3.N...7.0.&....Y..:..).........7.PB>...B.;.....6.....(t...w0.
.\b..I...v........1l&.......]K`}...`.4.W.{..ZX......A....F:..W..n@f.v.
.1..T.^.5.R..c.AZn....:),&[........._.j.....(...V8:.....\,..S..... x.o
...=.4......t....N...I.b&M....B.T...qo....0... Rv...HGg4........B.<<< skipped >>>

GET /ofr/Solululadul/asgnd.cis HTTP/1.1

Range: bytes=0-101028

Accept: */*

Host: cdnus.softsumacdn.com

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0; ICDM 2.1)

Connection: Keep-Alive


HTTP/1.1 206 Partial Content

Server: nginx/1.0.10

Date: Thu, 17 Aug 2017 00:02:35 GMT

Content-Type: application/octet-stream

Content-Length: 101029

Connection: keep-alive

x-amz-id-2: sVVw879Rw1z0U8R9/j v07WScKQK/sIYEvWMRFfijxkiF65X38cehO6jREX5W/K2cEtAjn70WeU=

x-amz-request-id: D36AFB311361DCAA

Last-Modified: Wed, 20 Jan 2016 14:38:52 GMT

ETag: "638ebcd93f900c3908f5dde6d8bc2d9f"

x-amz-meta-cb-modifiedtime: Wed, 20 Jan 2016 14:37:36 GMT

x-amz-version-id: ak82ScyXtEXeOWL8crBo3MgwwdwO6r.3

Content-Range: bytes 0-101028/101029
CIS................?...............P..............M.U....$..q.X]....9u
..9u...#a!.s..2.....{8.u..i3.\...Q.....X..}.E..c.).........&`.......B&
gt;Zr..|...E....=..>.o.u..........=|....:._-@.6.d.b.......F'/.C^..t
...e%.s^.3..4..&..o)Y....UrU.R@.........i.%?...lW.-..g.'..KC...'..0E.m
.d.....x.#]...y..u...?.x.V[....o5.x..MQ\....nX.@.9r..iJ.8...L.E...c.4.
.6.x..@'..[..C(4.&.../A..i........e...`T..H. ........)....9(!.D..m...0
..e.,...~..<. ..L.}...................../...sC..#..}.... .......9.9
.....Ji..Xb.Yjk.../...6.@b...i..&....F....M..a....u..B..~_2....h.:nu..
..-..QiL.P|.LB.).....X..v5Z.$aP.".*...z.b5J..z....h.a>?n~h.$..;.V.'
i...2......Y..q^Z4..\....=`....o.M....~.....:u..^.....A@......k..b...Z
<.!..;......&y..!4...#..S.p;wb....@a...._.......At.5..pz........t.5
H.. 8.-..7...{.P.a;..ia..@.Ac.1.....T...,dmoE's;....5...B.7.vQ$9......
y{.j...F....|...9.u....M......1./.-t....dI#d..C9..Lg...../. .v.......1
T..60.2........#..B..............8.....y#~5A...~t...K...{a.|.z....~.*.
.b*.49k.2....>..]s...W...B.n....zK.,..Vk.....h...........w...".....
.I..XW[..}W...y0f..k.~..O6.97#Gk8.5(....Y.W..k...Lz....6fz.....)|.}../
h(8....0dzx.\........._..b...'..Y..w/*H..\.B...\.......1&..Vg..[..N(.Z
I.......G..[.x....0:.eJ.J~..)o..,....T...i..Z.Q......P!.J......_...F.1
er.8...#d...).......Z..im..F.i....%".o.....F.z.V..Q..K....R..W ./.".E.
.dR...y......'Tu....9U..$4."..wP...d9.....x$...W`....8....#u...1..\,.S
.:.kdU..[...,.a"....". P....!.V.K.Q"M.G.e....w!C..../..... m9J1..&I..z
&.2.I..-B.......{.=Ftm....6....A...3..=@t..67.-M.U.Z/..c..^W/Wo .h<<< skipped >>>

The Installer connects to the servers at the folowing location(s):

%original file name%.exe_1908:

.idata

.rdata

P.reloc

P.rsrc

kernel32.dll

.DEFAULT\Control Panel\International

File I/O error %d

lzmadecompsmall: Compressed data is corrupted (%d)

lzmadecompsmall: %s

LzmaDecode failed (%d)

shell32.dll

/SUPPRESSMSGBOXES

/PASSWORD=password

Specifies the password to use.

For more detailed information, please visit hXXp://VVV.jrsoftware.org/ishelp/index.php?topic=setupcmdline

/SL5="$%x,%d,%d,

Inno Setup Setup Data (5.5.0)

Inno Setup Messages (5.5.3)

user32.dll

oleaut32.dll

advapi32.dll

RegOpenKeyExA

RegCloseKey

GetWindowsDirectoryA

MsgWaitForMultipleObjects

ExitWindowsEx

comctl32.dll

name="JR.Inno.Setup"

version="1.0.0.0"

name="Microsoft.Windows.Common-Controls"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

<requestedExecutionLevel level="asInvoker" uiAccess="false"/>

<windowsSettings>

<dpiAware xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware>

</windowsSettings>

<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>

<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>

<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>

!'%s' is not a valid integer value('%s' is not a valid floating point value

'%s' is not a valid date

'%s' is not a valid time!'%s' is not a valid date and time

I/O error %d

Integer overflow Invalid floating point operation

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Operation aborted%Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

No argument for format '%s'

Invalid variant operation"Variant method calls not supported

External exception %x

%original file name%.exe_1908_rwx_00360000_0009D000:

.rsrc

kernel32.dllwGetLongPa

ORT_(_.SCK_LI

;.OVI

Keyl;

7.jicA

%s[%d]

%s_%d

.Xl0'

D.qCV*

.FDiag

Boross&%Dt`x

O7E(AL("%s",4),"

%U}H!

IA.ZZZI

.BWHi

on.XiS

HotkeysK<B

.CC[p

.Fjei

0J.WM

%x@`0

m=v.tT

-a.nm*

D8&%uG

tLcibD.ZP

jn^Io.ye0t

ToiZc.Xhj

%Dl!%F

,-\ T,/.Om

_^Cwxkosx,.vl,,

zpz.egz6

7\webqs

I.PPT

|1lnax.kbjqjfy`e

Rvbgi.cjhph

-I.dG

|9o.Fh

fkhb<7 Si_.huJz

%XH-e

].jlg

luYvT.whxyW?

1.2.3:d`

THttp

,M.DJ

oRhwbG.xO| O

ic6.fA

,0489999

yjl.hhp

mw.ll

d.vLO0V

.dsjeit/*`hj

.lnkk&h

f(,.hgzc[gkF=,V

l6.LF

CrTHop;

.ibJn

rPWR.DB

.po{)y'

v/<aZS.So

gM).qd

^.ex-

;`Q.Ro

'-iagt</.Vq

q.TkAi

S.hJQ

/.CWM`bku*

 WT.yg

(.yo@

5%sY@

3ß3$

"O.vR

6?0N2=.Lq

W]E).rG

nt.ihM`

Fc.Uv

*,.fdgj`$

J2t.cr

\).Yw

5/.jm

 %S/NC

@b0a.nB

Y]H.ifs

.Lb/[ynb4huO*bAe

ix.CBOPM

hy,.kle

>.Zg{

/.qVw,

ir1.FF

TPipeSl

JAC^@[SQWLHEM G.sw4

0Nm5(.mS

[URNDT].Lw/OFL[^\\[@IAJH-

A-_.pwY

%csFLh/

QsIE%f

LJ_.ge

ym^rk.Um_gt

Dlb.vok

@N3%x

IWeb

grfKey?6

CmdG

=.UtF

.mI2uj

'%s' (

9999$ (,

.ftp:

s.YwB<

[%s]rBN4

ki2.Bg@

un.jE

m%d;k

.1..WAHO9[Zcn

\EXE}/

&^M}.ja

XGOAJYDH8Y@BKCo.XlD

BLOKPERHCV.Zblfn

zgcEi.Tc/h(ZA*

f[VT*.lJ,e

0Lm,.uomy

!dMSGo

:=.zX

anldf.RW

IaER%S

e.HvwVty]

r.vY?U

I.HH8

.HEo*

2<3'.rB

%5u$%

o-F.Dwiyrcg

JS_>.NI

mjC.Oon1I

jehGbeags.qBhkk[l

NPIPE_DATA'

@C@NHL-N.PLNYCD_^.e

N/d %U

HMVH9>.PE

.CONTA

v=.vN3

*Wr.Eb

R.aLA

`.NrG

m.cV7

BLv.pW

lHwmTo.txJ@l

xEXE&

D.DLP

.TJNaWTw

?zfc.bzG

u-f.woaq1

]no^dun.Vx

.Mmzep

M@VNJPu.Ig

)hj.bR

I.XXPr

GUkszv.ra%!

Z>/.ory

.TFHAP

B(0K.mFa

.rH2O

.CWlr

_%C^s5aH^

-1S}F

;.ceT

).kQ}

;X%DS

}%xKO

0.Ftf^

j%f#M

6$67%CW

m-.ds

-s.Virtua

"$"!(&&$' )#

H.JXA

 /*-( ,'.-!

*/.)*72-7)

#-**(-#,

.PMDF<7I

ZP.re=

KERNEL32.DLL

advapi32.dll

comctl32.dll

comdlg32.dll

gdi32.dll

mpr.dll

ole32.dll

oleaut32.dll

shell32.dll

URLMON.DLL

user32.dll

version.dll

HtmlUIInstallerSADLL.dll

%original file name%.exe_1908_rwx_00405000_00001000:

$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($

%original file name%.exe_1908_rwx_012E0000_000F6000:

.idata

.edata

P.reloc

P.rsrc

kernel32.dll

$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)

.Qfbir*Segr

.wjq'k

TIQSVKZE^Ywebfmv^Mrbyjs^ZTV

qeþ

ok.QT

x.iWm

&-KeyJ*x

P9.md

XL.Ag

x Vjsqr.Lwy

H%.nv}

.Tscv

uTsbdre.Sc

PCRtVHs

y2k.Mq

i.GxO

7.WGR

%UQ#%*

.gvr"

23.qN)s

}.PHR

=yK

].JlC

?.QM3

U.GO9

}^.LmX

.xI<rIP[

t%x-7

hrhg_C-3%xeagcp4

.XDMAJRN]

^:.Ky1

_a%S\

B.oKQ

zozku%s4

k%fVS0L Z

UM%saF7

urlj

xy.QY

vi.SXO

%U-=<

?\J\A%sR

c<*.XS

|%Xkk

Weby^

<=69:;<46=>

>4<2:?|]

Lq

fg1.bY

%C((@

uj.gk

ejp%D

^iqchu]N%Sc

DSxP%f

-WW}r

I.Qhhtm

"v%ftvyyc

Yk%udw

>-j}Y

B6.gN

OQ.SU

,HnvP.Gf

.vvqDT

to/<*[.CD

kWdzV.GZ

..Wjk

'Umh(%X

<#tG%S

%dpCIK

etkcmd

3v%s}G

^C%3s

V.ER)$

%S I\ Y

K.la@

EV%SE

Pw.Tv

.ZvRmLRY

f.iAvfx

.yw8^

w.oL;

6.vLC

IvXi%u

/1 )'9%S

.lKb3

&X.pB

z.yz3

\V.Uq

9(.At

.dOND

~x.Ff

.OpM1a

Y%sr$B|

.OEoQ

Qqa\%x

L%u>4

d).gW'

#1ô

user32.dll

GetKeyboardType

advapi32.dll

RegOpenKeyExA

RegCloseKey

oleaut32.dll

GetCPInfo

GenericLoader.dll

4 4$4,474

KWindows

jf.PU*

!.xKJPqK

a%c&-I

Krv.dY

my%DP

V6x.nC

%uAcT^

3.tS%

4w.zK

,W?S%.%S]b
q|Õn}:
g]ZkS.Di4
a.epa
Lx_.MR
8%fl4B
v.dgj- CWb
AM%dwq
%FpV}
k%u/%
tr.IP
.WQK f
P.CW6
&YYKYIZS.YYKNN
YYOPLIZE*YYLI*YYIA&YYZESZB.YYBET#GZEWOEVPNBGC
External exception %x
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction%Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'
Invalid variant operation"Variant method calls not supported
I/O error %d
Integer overflow Invalid floating point operation

%original file name%.exe_1908_rwx_014E1000_0015C000:


kernel32.dll
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
htKeyword
EInvalidOperation
u%CNu
%s[%d]
%s_%d
.Owner
EInvalidGraphicOperation
USER32.DLL
comctl32.dll
UrlMon
IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")
JumpID("","%s")
TKeyEvent
TKeyPressEvent
HelpKeyword
crSQLWait
%s (%s)
IMM32.DLL
AutoHotkeys
AutoHotkeys$
ssHotTrack
TWindowState
poProportional
TWMKey
KeyPreview
WindowState
OnKeyDown
OnKeyPress@
OnKeyUp
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
User32.dll
A`bng`@ikc-4,uUxlxs-4,Ht.HA
Vh-0,Cd`jiVhlxwd-0,tLcibD.ZP
TThreadExecuter
TScanAllWindowsCallBackData
Portuguese
ZkkdDocjn^g-4,o.ye
^ioM-3,iiziGmwItI.cG
\h-2,Jfal\`dgxj-4.DZ
,-\ T,/.Om
@gfj V,he-2 V,meaeo-3,jho-3,j V,jeju`,--0 V,krfuzy5 V.ua
hcl.sf
Cwxkosx,.vl,,oa`i-2,q S-3,kej-4,zpz,,egz6,. P.g,2
-2,tu-4,asqjj Q,gv,.NV/hnw/,,INJW^FZ\S@AZ^P\KSY\agqxos`S,,: U,nmb`-12 Q,af-1,df-0,bx U,z`e`-2-. S,MDKXZL[SWJ@UZZ]DWS]nc-0,y`wjRVjx856=@naj,,/.p N
webqskv`T-Y
oj-2,`ac<<*kcb.jo
ak-2,`ob<< T,jcb.je
IN]JVN]K]KJ]B]F^UF@@]\v-2,ujbRBjazsnc^s`lkr-1,`-1,].jl
7Teah P,Ckh`-3,fkgo-2,7*NNYO.uh
1.2.3
THttpTimeOutThread
THttpCallBackShell
Gx-21,\igh]ixyj-42,M.DJ
A`qjz``-0,ZkdkNgij.pc
Kcqjpc`-0,Aaj-1,gEdafa`.pM
Jmvgknm Q,2,,<,./accwcxgeni5 W,O_GB R,=>)27,.Pkbjhu-4-.,IV,,8)37,.Spejblx Q,2,,< W.g W
Uh%sU
Ecezcb-4 S,Tmeic6.fA
Bc/K-33,`-1.jG
Jbhblnrefc V,H-0,bv-1,li.AT
Uju-0,c-2 W,Ht-2,h-4.Rq
Ijv-1,h-0,jm Q,Jq-1,n-2,/,.u`l,.lnmw Q,ll`oj`zh`m-2 Q,xjzi`vz Q,kbz`.^l
Q-0,iznjib Q,`u,.tgu-0,qyi-1,ulb.a-F
Ob-4,/dcdzfe, kh-3,`/r-2,jld.vL
V-1,ns-4-.,hx V,lmdeehea,.mdhi Q,hi`onezhdh-2f.a
ebP-3,dLfnda`-4,`yj-4.PL
Efqem,.wb-1,k T,bu,.wnr,.pd<,.-i.a
,.fivzjfa,.`a U,jjad-0,cs?,.W.y
Ogl-02,wo`i S,Kov S,ea`mcmzji`,.Qg`if V-3,oqgc P -,(.a,>
Ehvbbi T,z V,tfbcdw,.dbpz V,tl-0,tdf,.dfpkb W,l` V,Kb-2,r*Nabnegcc/,.ahj`a W,wa V,ufb-4 W,l` V,tl-0,tdf-2 V,ubzct,-.^,v
Gj`f)jh S,fp-1 S-0,`-4,vlvzp)d-1,f)uopzl`d)l` S,Ywa-0,p U,Clm`,.,.)v-0,py`mw`ki S,`koa`igwp U,zl)aatgiabm U,hqfh,.`-1,w-1,fgq,.plwxf-0,),.w-01,gmn U,omfqff-0 U,FFHA,.qlt-0,fzq,.wf U,cbb`,.p-1,wk,->Y
Kdaf V,ag-4,higib U-1,`t`il V,vmmkv(-1,i U,jm V,czg-1,`f(,.hgzc U-1,`gk(-=,V
Fk-1,tg-22,om,.zromb V,jgzeaxltkj), ,.zfi,.c-1,ef,.ji``lezgfh-2-.,jtko-2,cj,.-3,ozffsz,.hhw,.mgzo)tkmloxkm(,.Ifo`i)ra,.-0,c-2,zhtz,.-2,nk,.miy`eioj W,( P,i.i
Ebs-1,dtrgn W,uzldm,.inumbqc-1,hc VS -,sia,-ki`j W,qgyoi-0,y W,hkz W,eacicmyni` SW,Aadia,.yh V-1,htro-4,s V,zeb V,jbphbbfb PS,).a-2
Cfba,.Kd`-3 W,nwmb-00,ghe5,..v-3
[ofye`h,-ja-2--,mbc,-oaacim-0,dc`-1--,xa/n`a-1,h,, V.Zg
 UPWR.Dg
N`jn V,/egf/gddaah-3,fkey/eyo/gge-1,ao T-i.u
,.bvu,.be QC.Y
,- S,(yvvacc/ijeff,-ei-1,hv/-0,aajx S.So
Mnlgkc R,vk-3,wa-20 R,miamvkk,. T,czqp,.mg T,ga R,@axlhanf T,c`fa P,B.y
Zj-20,ej,.-1,m-30,k-00-.,goaa-1,mk R .,ez-2,z(mk,.aa,.^iz-2,k(bajm Q.is
^j-10,c-2,fak/-0,gi/k`-0,ac`mkj-2-,,i-2,`a/_ny-1,j/a`kj R.zw
Fft`n-2 Q,Cd-3 Q,hlbd,.sks-2,lao,.,-.\`
 S .,gv*jgclk-1,`dz,.qbo` U,y-03,ue-1,z`n,. V,^.e
Bo-0,jjt,.I`w,.gnizehi-2 T,TUBw,- W,lqu W,zld W-2,m-0,b,.mr W,ghmbiem=,.Nq
Q]byc/n-4,t`y,-bzn,-r`, dh-13,k`fhdca-4--,bfxf V-10,lej W -,iagt</.Vq
Wpmzgom`c W,@asihaeca-1 T,bv-1,ku T,mkca,.bukc> W._,t
[c-0,pki,.gfoawfxkpmh,.cf,,kpzc-1-.,(oafm6,.,..C
//Y-1,o5,,.gn
 V,5 U,`n` U,aj,.fbcb`g/akov,.cq`c U,nngk S,karmcadg/aw S,n-3,u S-0,fwfnj T,5.j
5,,-3,yo-3,y7,..XI
Pjk T,wg-1,rap,.`vm-3,taf,.gkl`agvgkj RV,haq-2 T,`cze T,pkgakxa` R,zlel,.vas-0,awvk`,-,,N T
Yjs-1,bjqko/Kox-0,*Cdknhbjc,.cjfjn-2,=,..bv
Wik W,pn-0,u`d,.cld-2 W,mnz W,k`xb S,soidd,.tvq-3,hqu,.* S,hiilskc S,soidd,.ufp-0,bpu P-3 C
 U,D(,.btkyG-4,>,.._,e
Exz,-ek,.`o`a-4,s,-yeoc,.Kfx-2,ecci,-ib`conzdec,.ikyo Q,*`k`*-4,k-14,h-2,yoi4,-.YU
]DKizHi-4,exc-1,Hc`hk-3.GI
L_LCUNTF, KHC.op
0.0.0.0
3?:96=>?59:;.ZQ
6?0N2=.Lq
;768>1-80
cabinet.dll
\fgejnhg,.Dhr,.f-3- ,z`b, -2,gbyz,..8y
M-3,pxahg,-Xhn-2-,,klahhq,-e-3 S,db,-v-3,i,-at,,lmbxef-4-,2,qbohp-3 P -,w-4,udmj,,lmbxef-4-,,bmh,, U,byxhn-2,x7 S.NW
000000000000
 ;7.Q,>N-Y,[ T,Tc.Uv
, /@zs-4,Kacj2,..cr
,./Z-1,n5/.jm
HhluHmad,.slr,.auu-1,enuk`,-g-1,k` Q,MM^,-,.vhr-0,hy; M,N
Y]H.if
d-3,tdcQqdc.Lb
TUninstallExecuter
)hix.CB
Y^`acxziagKphh-01,hy,.kle,.jh, mzhjzmi, afar,.gchk V-C.8
Ehnj^smekrq<,.jg-4,3b N
1,,`ir1.FF
 W,Ivgs,,Xokyk4 W.iB
TPipeServer
TPipeObject
TPipeServerListener
TPipeClientU
isrPipe
CJ[hx.Xu
@ggh,-O`uygbjht,.Retkgi V,kt-4,i-1 VU,nm
 T,5 W.Rx
_.Wo*BC-T5p7d.V-b,
Actnddf/exn-0,a-2,c-21--,@zfinj(-4,g-1,xbl-1,m,-*ffkm5(.mS
NAER_[URNDT].Lw
Ifq`afgjdga,.O-1,hjalu,.ihro,-hrzhdvz,-gi P -.a-R
Ea-0,xmcdi-3,/Ioo`-2,bx/Fmaj(odnfkik(huaiaeli``v(j-3,`e6,,.Cw
Vjfegl`,.cs`ms-4,lah, wkr-3,w`co U,lgo U,K-3,bqMio`4 V.`1
LJ_.ge
fxk S,Cym^rk.Um
Zndfkhb,-lnnaok, ,-o-2,ubx5 W.Ru
D-1,dgskhh`,.thn`rrfbm V,n`rru-0,brnaou W,hhjba.b
ole32.dll
olepro32.dll
IWebBrowser
IWebBrowserApp
IWebBrowser2
TEWBWindowSetResizable
TEWBWindowSetLeft
TEWBWindowSetTop
TEWBWindowSetWidth
TEWBWindowSetHeight
bstrUrlContext
bstrUrl
OnWindowSetResizableH
OnWindowSetLeft
OnWindowSetTop
OnWindowSetWidth
OnWindowSetHeight0
grfKeyState
TComTargetExecEvent
CmdGroup
nCmdID
nCmdexecopt
hhctrl.ocx
URLMON.DLL
SHDOCLC.DLL
rcmDefault
rcmDebug
DontExecuteScripts
DontExecuteJava
DontExecuteActiveX
DisableUrlIfEncodingUTF8
EnableUrlIfEncodingUTF8
CheckFontSupportsCodePage
DisableSubmitUrlInUTF8
EnableSubmitUrlInUTF8
lpMsg
PMsg
pguidCmdGroup
TTranslateUrlEvent
pchURLIn
ppchURLOut
CmdID
pszUrl
pszUrlContext
szPassWord
ErrorUrl
OptionKeyPath
OverrideOptionKeyPath
OnTranslateUrl
OnCommandExec
'%s' is not supported.
TMsgEvent
TKeyEventEx
Port
Password
poPortrait
OnKeyDown,
0.750000
3333333
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)(
This object does not support this method (
Unsupported type for Parameter with Index %d
Method call unsuccessful. Object: %s, Method: %s, Exception: %s , Source: %s.
Uh.jZ
Uh.yZ
hXXp://
hXXps://
eiOnKeyDown
eiOnKeyPress
eiOnKeyUp
OnKeyPress
Handler with EventID = %s already exists.
Error on IConnectionPoint.Advise
Source don't have connection point for [%s]
KV,.nw``-4 Q,fogmgohj U-43,dpko; U.9,Q
MAPI32.DLL
LeftPopup
YR-0,xh]izn.cQ
2.1.0.0
This exe was created with an old version of HtmlAppMaker.
-0,cnyzgcEi.Tc
https
Sf[.t,T*.lJ,e
Iii,-Mrz-2 U,tk-1,pc-2,y U,no-3 U,rg``b,.bpr P.Y,e
Iinli V,sm,.uomy V,sjk V,Wpaaug-2,u W,datj,, W,n
,,`-3.XW
MSGALL
irsoMsgDialog
irsoJoinPath
irsoGetCmdLineParam
irsoGetCmdLineCount
irsoGetCmdLineIndexOf
irsoGetCmdLineParamValue
irsoGetCmdLineAll
irsoRegCreateKey
irsoRegCreateKeyTree
irsoRegDeleteKey
irsoIsRegKeyExists
irsoRegListKeyValues
irsoRegListKeyKeys
irsoRegSearchKeyKeys
irsoRegCopyKey
irsoGetRegKeyInfo
irsoHttpGetData
irsoHttpGetDataInThread
irsoLibraryExecuteProc
irsoLibraryExecuteProcW
irsoLibraryExecuteProcWithResult
!irsoLibraryExecuteProcWithResultW
irsoExecute
irsoExecuteDllInProcess
irsoSaveExecuteUsingCMD
irsoIsMutexExists
irsoCreatePipeServer
irsoStopPipeServer
irsoSendDataToPipeServer
irsoSetDebugLogUrl
irsoGetDebugLogUrl
irsoGetWebBrowserHandle
irsoGetCurExeCheckSum
irsoGetExeInjection
TExecArgs@
iubnyybRolkanldf.RW
.hhc\
b-1,[-1,e.Hv
.html
H-4,njBdi-2,o-4,r.vY
[zhhi)ec-30,heo-2,db,.ddrffe V ,,`sua[daGz@v-3,@ouzhmjkm S,a-S
-4,fhxXahcxgw.rg
gghYcjrf.ae
jehGbeags.qB
PIPE_DATA
PIPE
LNYCD_^.eP
HMVH9>.PE
[iinzx-13,)i`s-0,u,.ulaaqlh4 W,Axck\E,.E-0,cytl-3-.,hkfkd-2- 2 W,@I9 W,ombkkmml)-40,wyc-1,s)e-2 W,gcy W,lboeeij)-3.D
Qaflhj W,zk/cgwneba/sfa/OzicRG T,Muas-1,b-1 T,`edals)w/NK3/aohceogd WST,jnzlju,.MJ W,xa-1,naj/n-2 T-0,ha T,chy T,`u,.j`s,.eyfghneba Q.bo
Zcdxk, hy,.j Q,xklhyzyx*fjba,.-4,n*-3,yd-1,keu*F-4,lf[B Q,H-1,dvyky Q,eladiz,,r*GN6*hjmfljba,. VQ,lobmoj, ue,.ydga-2,d*g-4 QR,F@DSQGNIOG^GOHIC@N( T-V.9
Janko`h/o`/-1,rkncrf/bijj SV-02,c<,..za
-3,1 T-1,`-4,b-4,w37 P,abov=.vN
Fcjjcbl,.l-3,dc*-441,cbl P.fE
CI([onJ-3,e-00,ix,,lci^mbnAgho,,a-4,*bgx*;( T.CE
THtmlUIExeAppU
>,-Bbp,-hhw-3,dja,-c-4,k` U,ljbqea-4 U,dj-3,qljn`7 T.PO
HtmlUIExeApp
Rd`ahoi U,ld-2,v`fk U,un,.juikw Q,h`vu``fd;,.^ A
Plkwa S-2 U,ejaqla-1 U,mj-2,qejm` T,v-0,kjm`b( T,zmmw,.uvkm`ww,.rmhb U,ghava*^D
Oihpfbu T,gitpoida,.ni T,ZBUIGIFPK W,tpo`b T,gt W,g-0,uua`sk-2-.,urj`nic RW,dk`snj-0,nic P,)G-3
ung`.Nr
HtmlUiExeApp
gbo`dhfm.cV
^a-2,vmvzC-4,Ejoej4 R,YEM R,ew,.fewo``aj,.,,e-2,qyiglk T-3,pcgkq-4 T,fc-4 T,ofam` R-1,vgtehkeiw RR,ok`vej-0,g,,sgvdk-0,v,,vkqxe-1,veji,,,.L
Hmeckh,,-0,a,,-3,jcczj,.xdj,.,.V``i R,Fjib-0,gjej-1-.-,,Nbx_-01,imb.wI
irsoExecutePackage
irsoReportPackageError
irsoReportPackageSkip
irsoReportPackageQuit
irsoReportPackageSuccess
irsoReportPackageInfo
irsoGetPackageFilenameFromHttp
irsoGetPackageExecExitCode
irsoGetPackageExecResult
irsoGetPackageDwnldUrls
irsoSetPackageRelProgressShare
irsoGetFireFoxEXE
irsoGetIEEXE
irsoGetChromeEXE
irsoGetOperaEXE
irsoGetFireFoxVer
irsoGetChromeVer
irsoGetOperaVer
irsoUninstallAddExeCmd
irsoUninstallAddOpenBrowserCmd
irsoUninstallAddRegistryKey
irsoUninstallExecute
irsoReportStart
irsoReportInfo
irsoSetExclusiveExec
isroSetReportUrl
-11,jycmjaOaahDgvyc-11.Pg
zfc.bz
]no^dun.Vx
M`aigh/`xj-22,gkj/-3,n-2,nc-1,/iazak,. W,y.zy
\fuj-1,w U,P\O U,qah`k,.nlvcbqff,-U>
\GCAPMA][.oj
TcUlue.PL
W`mmqzeon,.wvamaff P,4.]
z`o1caig2,.hf5b Q,0cfh)914`,,34`6;ia2f=ae-3,L1
e-1,f.Cw
Jfafzjcd,.wef,.Tlwmkhq,.admoqt,- P -,=>
-0,ilCcbd.LG
)h-4,k.bR
^exmaa-3-.,oeebl`,,zf T-4,zhvx R,)tm-1,hi-4-.,hvi,.dm-42,`jk P.g,I
Ydvef`p V,j`nczlla,.lvukid<,.b^
Ukszv.ra
[eckbn R-2,a, kgg-4,khbbxl,.blzzjneky R,N[B,,-G.9
FbghLbtaYhe.AU
Jnma W,jv-2,h-2,>/.or
1.2.1
inflate 1.2.1 Copyright 1995-2003 Mark Adler
deflate 1.2.1 Copyright 1995-2003 Jean-loup Gailly
?456789:;<=
!"#$%&'()* ,-./0123
TBv}.Bv
333333333333333333
33333833
3333339
3333333333333338
:*"*"$3338
33333333
33333333333
3333333333338
33338?383
333333333333
:*3:"$3338
333333333333333
B(0K.mFa
.rH2O
_%C^s5aH^
-1S}F
;.ceT
).kQ}
;X%DS
}%xKO
GetProcessHeap
GetCPInfo
RegQueryInfoKeyA
RegOpenKeyExA
RegFlushKey
RegEnumKeyExA
RegDeleteKeyA
RegCreateKeyExA
RegCloseKey
SetViewportOrgEx
UnhookWindowsHookEx
SetWindowsHookExA
MapVirtualKeyA
LoadKeyboardLayoutA
GetKeyboardState
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyState
GetKeyNameTextA
GetAsyncKeyState
EnumWindows
EnumThreadWindows
EnumChildWindows
ActivateKeyboardLayout
GetKeyboardType
"$ %),'8
38000=344
4? 3!0 3!6
&W!%D)*
H.JXA
1 0 .'7(2':
- /*-( ,'.-!$$$&'('/*) ,*/.)*72-7)
&)"%&$&'&",,/- '
944(@32%2u8
.PMDF<7I
2222444424
.idata
.edata
P.reloc
P.rsrc
 /*-( ,'.-!
*/.)*72-7)
#-**(-#,
ZP.re=
SOFTWARE\Microsoft\Windows NT\CurrentVersion
errorUrl
\bin\SubWCRev.exe
Please login as administrator and try again.
OLE error %.8x%License information for %s is invalidPLicense information for %s not found. You cannot use this control in design modeNUnable to retrieve a pointer to a running object registered with OLE for %s/%s
Clipboard does not support Icons/Menu '%s' is already being used by another form
No help found for %s#No context-sensitive help installed$No topic-based help system installed
OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters
Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Property %s does not exist
Metafile is not valid!Cannot change the size of an icon Invalid operation on TOleGraphic
Unsupported clipboard format
Invalid stream format$''%s'' is not a valid component name
Invalid data type for '%s' List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d) Out of memory while expanding memory stream
Error reading %s%s%s: %s
Failed to get data for '%s'
Failed to set data for '%s'
Resource %s not found
Ancestor for '%s' not found
Cannot assign a %s to a %s
Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
Class %s not found
A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file %s
Cannot open file %s
External exception %x
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction%Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'
Invalid variant operation"Variant method calls not supported
!'%s' is not a valid integer value('%s' is not a valid floating point value
'%s' is not a valid GUID value
I/O error %d
Integer overflow Invalid floating point operation

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
Delete the original Installer file.
Delete or disinfect the following files created/modified by the Installer:

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\images\Resume_Button.png (681 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\images\Icon_Generic.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\locale\FI.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\locale\EL.locale (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\images\Close_Hover.png (653 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\images\BG.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\in7EAD48DF\6D8C4654_stp.EXE (5620 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\locale\HI.locale (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\images\Quick_Specs.png (221 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\css\ie6_main.css (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\locale\NL.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\css\sdk-ui\images\button-bg.png (131 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\000679FF.log (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\locale\KO.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\in7EAD48DF\12978936_stp.CIS.part (735 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\locale\ID.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\locale\JA.locale (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\images\sponsored.png (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\locale\IT.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\images\ProgressBar.png (812 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\csshover3.htc (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\locale\DA.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\00067944.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\images\Color_Button_Hover.png (238 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\locale\CS.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\images\Close.png (674 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\css\main.css (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\bootstrap_32466.html (156 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\images\Color_Button.png (237 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\images\Pause_Button.png (493 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\locale\PT.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\css\sdk-ui\images\progress-bg.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\css\sdk-ui\button.css (417 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\form.bmp.Mask (244 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\images\Grey_Button_Hover.png (231 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\locale\NO.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\locale\DE.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\locale\ZH.locale (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\css\sdk-ui\progress-bar.css (506 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\locale\TH.locale (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\locale\RU.locale (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\locale\TR.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\locale\SV.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\images\Grey_Button.png (230 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\css\sdk-ui\images\progress-bg2.png (978 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\images\Loader.gif (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\images\Progress.png (104 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\css\sdk-ui\browse.css (337 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\in7EAD48DF\12978936_stp\asgnd.json (6341 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\css\sdk-ui\checkbox.css (190 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\locale\ES.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\css\sdk-ui\images\progress-bg-corner.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\locale\PL.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\locale\FR.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\in7EAD48DF\6D8C4654_stp.EXE.part (399 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42426020948\locale\EN.locale (4 bytes)
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.